Bugtraq mailing list archives
Re: Puntal (index.php) Remote File Inclusion Vulnerabilities
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Tue, 04 May 2010 13:15:59 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've found similar deficiencies in other "vulnerabilities" listed by inj3ct0r sh3ll.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey

On 05/03/2010 04:39 PM, Tom Walsh - lists wrote:

Both variables ($app_path and $puntal_path) are defined in the index.php file. As such they will never be overridden when the variables are passed via POST or GET. POST and GET variables are populated and placed into the global scope before the page is processed by the PHP processor engine (assuming register globals is enabled, which it hasn't been in a default PHP install in a long time).

Line 29 of index.php:
$app_path = '/';

Line 41 of index.php:
$puntal_path = dirname(__FILE__).$app_path;

Additionally the following line (Line 43 of Index.php) calls a function specifically designed to unregister global variables in the global scope of the application.

This is not an exploit. Never was. Nothing to see here... Move along.

-----Original Message-----
From: eidelweiss () cyberservices com [mailto:eidelweiss () cyberservices com]
Sent: Monday, May 03, 2010 1:10 PM
To: bugtraq () securityfocus com
Subject: Puntal (index.php) Remote File Inclusion Vulnerabilities

Puntal could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially-crafted URL request to the "index.php" script using the "app_path=" OR "puntal_path=" parameter to specify a malicious PHP file from a remote system, which would allow the attacker to execute arbitrary code on the vulnerable system.

Puntal 2.1.0 is vulnerable; other versions may also be affected.

An attacker can exploit these issues via a browser.

-=[P0C]=-
http://127.0.0.1//path/index.php?app_path= [inj3ct0r sh3ll]
or
http://127.0.0.1//path/index.php?puntal_path= [inj3ct0r sh3ll
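The rebuttal quoted above is a data-flow argument: a request value injected by register_globals only matters if it survives until an include/require. The following triage sketch is an added example, not code from the thread or from Puntal; it is a line-based heuristic, and both PHP snippets are constructed (only the two assignments come from the message, the require lines and file names are hypothetical).

```python
import re

VAR = re.compile(r'\$[A-Za-z_]\w*')
ASSIGN = re.compile(r'^\s*(\$[A-Za-z_]\w*)\s*=(?!=)(.*)$')
INCLUDE = re.compile(r'\b(?:include|require)(?:_once)?\b')

def triage(php_source, param):
    """Does a request-supplied global named `param` reach an include/require?

    Assumes register_globals is on, so $param starts out attacker-set.
    Returns ('reachable', line_number) or ('overwritten', None).
    """
    tainted = {'$' + param}
    depth = 0  # brace depth; 0 means top-level, unconditional code
    for lineno, line in enumerate(php_source.splitlines(), 1):
        code = line.strip()
        if code.startswith(('//', '#', '/*', '*')):
            continue  # skip comment lines
        if INCLUDE.search(code) and tainted & set(VAR.findall(code)):
            return ('reachable', lineno)
        m = ASSIGN.match(code)
        if m:
            target, expr = m.groups()
            if tainted & set(VAR.findall(expr)):
                tainted.add(target)       # derived from a tainted value
            elif depth == 0:
                tainted.discard(target)   # unconditional overwrite clears it
            # an assignment inside a block may not run, so taint is kept
        depth += code.count('{') - code.count('}')
    return ('overwritten', None)

# Constructed sample: the two assignments quoted in the message, followed by
# a hypothetical require (the real index.php is not reproduced on this page).
SAFE = """<?php
$app_path = '/';
$puntal_path = dirname(__FILE__).$app_path;
require $puntal_path.'lib/example.php';
"""

# Constructed contrast: the only assignment is conditional, so the
# request-supplied value can still reach the require.
UNSAFE = """<?php
if (defined('IN_APP')) {
    $base_dir = '/srv/app/';
}
require $base_dir.'lib/example.php';
"""

if __name__ == '__main__':
    for src, name in ((SAFE, 'app_path'), (SAFE, 'puntal_path'), (UNSAFE, 'base_dir')):
        print(name, triage(src, name))
```

The sketch does not model the unregister-globals call mentioned for line 43, nor braces inside string literals; it only checks whether an unconditional assignment comes before the first include that uses the variable.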