SEE ENGLISH VERSION BELOW
On the home stretch to IPC Spring, we would like to invite you
already now to submit your topics, ideas and proposals for the
International PHP Conference in October. The International PHP Conference
takes place from 9 to 12 October 2011 at the Rheingoldhalle in Mainz
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
Web: http://www.ceilers-it.de
Blog: http://www.ceilers-news.de/
at the
top, followed by many links in the format
<a href='/wiki/docs/html/.store/[Spamtext]-[Number].php'>medical spam</a>,
before the DOCTYPE-Declaration.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
-folders and the folders of
every user.
Solution
None
Credits
Carsten Eilers
Original advisory
http://www.ceilers-it.de/advisories/iantivirus.html
(also as German version)
Regards
Carsten Eilers
[EMAIL PROTECTED] wrote on Fri, 10 Aug 2007 09:57:48 +:
echo meta http-equiv='refresh' content='0;URL=install.php';
redirecting brotha ;)
Not RFI
Nice try, but you should read the lines above the redirection, too:
| <?php
| session_start();
| include($config[root_ordner].'config.php');
|
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
of
function-declarations.
So in this script is no vulnerability.
Where did you find the vulnerable script/program?
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
...);
| }
But there is no include() anymore.
Older versions not tested.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
://www.pnphpbb.com/ to Sourceforge, so I would
never have looked there.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
?
I used PHP 4.3.10, Apache 1.3.33, Mac OS X 10.3.9.
try it then judge...
BTDT.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
of the currently executing script.
If one of them can be manipulated from remote, then that
may be a vulnerability in PHP or the webserver, but not
in the PHP-scripts.
So there is no vulnerability.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers
Hi Frank,
Frank Reißner wrote on Fri, 8 Sep 2006 03:14:15 +0200:
You can bypass unset in php 4.4.4 and 5.14. :)
Yes. But that's a vulnerability in PHP, not in
whatever script makes use of it.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http
-
No Patch available.
No patch necessary.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
(that one in
setup/inc/database.php) this directory traversal is nearly
useless.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
---
Discovered by: rUnViRuS (worlddefacers.de)
Credit for what? A non-existing vulnerability?
OK: Applause, applause, applause... ;-)
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
/** Ensure this file is being included by a parent file */
defined( '_VALID_MOS' ) or die( 'Direct access to this location is not allowed.' );
at the top of the file, so it's impossible to call it
directly and manipulate any variable.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und
script should this vulnerability be?
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
of this script you find
| if (!defined('_IN_PHM_')) die();
So if you call it directly, which has to be done to
manipulate _PM_[path][lib], it will die without
any code-execution after this line.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
?path_pre=http://cmd.gif?
All of these scripts initialize $path_pre and I see
no way to manipulate them between initialization
and usage.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
and let this script die
after direct access.
Oh, #3 is always implemented... ;-)
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
of this script the variable is initialized:
| include_once('site.php');
| $tcms_administer_site = $tcms_site[0]['path'];
After that I found no way to manipulate $tcms_administer_site,
so I see no vulnerability.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http
is not
allowed.' );
So there is no vulnerability.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
( $mosConfig_absolute_path./administrator/components/
com_rssxt/class.rssxt.php);
rssxt.php checks for direct calls, if you call it
directly you get a 'die', but no code-execution or
file inclusion.
No file inclusion at all.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http
a way to call the function.
#mtg_homepage.php?mosConfig_absolute_path=SHELL
There is no such file.
If you mean lmtg_myhomepage.php: This tests for direct
calls and dies. No way to include/execute.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http
a look on it.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
in configuration.php,
there is no way to manipulate it between the two
lines, so there is no vulnerability.
Please take a look at
http://www.securityfocus.com/archive/1/443225/30/0/threaded
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
sunday here :-)). As I reported
yesterday: All except one are wrong.
Looking at the mails from last week, I found this one.
Wrong, too, as expected. Shit happens.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
Hey Steve,
Steven M. Christey wrote on Mon, 14 Aug 2006 17:54:59 -0400:
Carsten Eilers said:
Take a look at the top of cal_config.inc.php:
# adjust the '$calpath'.
# hardcode it if detection does not work and comment out the remaining
# code.
#
# $calpath = C:\\PHP\\calendarix\\demo
/[myEvent]/viewevent.php?myevent_path=[Evil Script]
Did you test all of them? That way?
I don't think so.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
out the remaining code.
#
# $calpath = C:\\PHP\\calendarix\\demo\\ ;
$calpath = dirname(__FILE__) ;
Oops...
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
, PageBottom.php
and PageTop.php at the top of the file, in functions.php at
the top of relevant functions.
No way to include something with cfgLanguage.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
http://www.ceilers-it.de
37 matches