Re: etomite xss

[dean]

For information on this threat, please visit

http://www.etomite.com/forums/index.php?showtopic=7647


The information posted by the finder is inaccurate.

Re: etomite xss

[ralph]

After researching this threat it appears that this is not a direct issue with 
Etomite itself but, rather, an exploit which server security lets through... I 
have tested several different scripts on several servers and have found this to 
be the case...


The variable is actually $_SERVER['PHP_SELF'] and not $_SERVER['PHP_INFO'] 
which doesn't exist... While running $_SERVER['PHP_SELF'] through 
htmlentities() is a round-about solution, this fix would need to be present in 
virtually every PHP script opening accessible on the internet unless the 
exploit possibility is handled at the server level...


Final disposition... This is not an Etomite specific exploit and I would like 
the report rescinded...


Ralph Dahlgren

Lead Developer - The Etomite Project

etomite xss

[th3 . r00k . nospam]

Homepage: http://www.etomite.com/

Tested Version: 0.6.1 Final

Exploit:http://localhost/etomite0614/index.php/%22%3E%3Cscript%3Ealert(%22test%22)%3C/script%3E/fill

This is a flaw because $_SERVER['PHP_INFO'] is being  trusted.

$_SERVER['PHP_INFO'] will contain this value when the exploit url is used:

/index.php/">alert("test")/fill

/fill is removed.


Trust no one.

Michael Brooks