cve-assign delays

2015-03-19 Thread Steven M. Christey
We recognize that some requesters have experienced delays, and sometimes lengthy delays, in getting CVE IDs assigned. We apologize for those delays. The number of cve-assign requests has been growing dramatically, as has the number of unique and new requesters. Our goal is always to provide

Re: Re[2]: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

2009-07-21 Thread Steven M. Christey
On Tue, 21 Jul 2009, Michal Zalewski wrote: The code created an oversized list, which does not seem to be that far from creating an overly nested DOM tree, or drawing an oversized CANVAS shape, or any other creating-too-many-things-for-the-renderer-to-handle attacks... but really, I'm not

Re[4]: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

2009-07-21 Thread Steven M. Christey
On Tue, 21 Jul 2009, Thierry Zoller wrote: Yeah, security is too complex. Dude, the fix was to LIMIT the number of elements. This is not rocket science. I believe Michal and I are having the conversation in a larger context. What you found is valid on its own merit and got addressed,

iDefense COMRaider, ActiveX controls, and browser configuration

2009-03-05 Thread Steven M. Christey
In disputing the COMRaider unsafe method vulnerability, iDefense Labs said: In short, if your machine allows this control to be loaded, then your browser will load controls regardless of safety designations such as Safe for Scripting, Safe for Initialization, and IObjectSaftey. Note that a

Re: [Full-disclosure] Universal Website Hijacking by Exploiting Firewall Content Filtering Features + SonicWALL firewalls 0day

2008-11-04 Thread Steven M. Christey
Adrian P said: Regarding the paper, well, it can be useful for people who want to find a similar issue in their firewall/proxy appliances. Don't you think? Aleph One's paper on stack smashing, Tim Newsham's on format strings, Shaun Clowes' on PHP issues - not to mention a bunch of others -

Re: php create_function command injection vulnerability

2008-09-29 Thread Steven M. Christey
There are two main takeaways from this advisory: 1) PHP application programmers can and will misuse this function (CVE-2008-4096, CVE-2007-5423), but most PHP code auditors probably don't check for it yet. So it's good for awareness. 2) Any language that has an equivalent capability for

Re: how to request a cve id?

2008-07-28 Thread Steven M. Christey
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE requests can be sent to [EMAIL PROTECTED] or to me directly. My PGP key is below, or accessible from the MIT public key server. Alternately, you can request them from Candidate Numbering Authorities (CNAs) which include the security teams at Red

Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution

2008-07-25 Thread Steven M. Christey
On Fri, 25 Jul 2008, Jan Minář wrote: The commands do not have to be written there between (1) and (2), they can be in the file long before the ./configure was started -- just because the script does care whether it can write to the file at all. So unlike stated in the

Re: CORE-2008-0126: Multiple vulnerabilities in iCal

2008-05-28 Thread Steven M. Christey
On Tue, 27 May 2008, security curmudgeon wrote: No mention of CVE-2008-1035 in the [CORE] advisory other than the header CVE name reference. BID seems to have split the three vulnerabilities, but given two of them the same CVE. CVE does not have descriptions open yet. The descriptions are

Re: rPSA-2008-0001-1 dovecot

2008-01-04 Thread Steven M. Christey
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6598 This CVE does not exist - do you mean http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794 No, CVE-2007-6598 is correct. Sometimes a CVE number is publicly used before it has been updated on the public CVE web

URI handling as the harbinger of interaction errors

2007-10-11 Thread Steven M. Christey
Throughout this whole discussion on URI handling and IE, let's not forget that: 1) ANY technology that uses handlers that pass commands and arguments from one process to another, is likely to have these kinds of issues. Web browsers are just the first to get this kind of attention.

n.runs, Sophos, German laws, and customer safety

2007-08-28 Thread Steven M. Christey
The n.runs-SA-2007.027 advisory claims code execution through a UPX file. This claim is inconsistent with the vendor's statement that it's only a theoretical DoS: http://www.sophos.com/support/knowledgebase/article/28407.html A corrupt UPX file causes the virus engine to crash and Sophos

Re: Vulnerabilities digest

2007-08-22 Thread Steven M. Christey
On Tue, 21 Aug 2007, 3APA3A wrote: 6. Ivan Nl (http://uNkn0wn.eu) reports vulnerabilities in Linkliste 1.2, Butterfly online vistors counter 1.08, mcLinksCounter 1.2, My_REFERER 1.08. Original messages in English are available from

Re: Skype Network Remote DoS Exploit

2007-08-20 Thread Steven M. Christey
The outage being experienced by Skype was apparently due to massive simultaneous reboots and reconnects after systems installed their Windows patches. from http://heartbeat.skype.com/2007/08/what_happened_on_august_16.html: The disruption was triggered by a massive restart of our users'

Re: PHPCentral Login Script Remote Command Execution Vulnerability

2007-08-15 Thread Steven M. Christey
Magnus Holmgren said: [the superglobals] shadow everything - you cannot define your own $_SERVER array, nor can it be overridden with HTTP GET or POST values. If that were possible, using the superglobals would be useless; all scripts would be vulnerable unless register_globals is off. This

Re: New Include Redirect Bug XSS All vBulletin(r) v 3.x.x

2007-06-22 Thread Steven M. Christey
Scott MacVicar said: There is a much more significant issue than executing an XSS if you can upload a file to a remote site... XSS could be put into an image that's allowed to be uploaded, then directory traversal could be used to reference that image. The image data could be very small and

Re: PHP parse_str() arbitrary variable overwrite

2007-06-13 Thread Steven M. Christey
Nice find, although it's not really clear to me whether this is intended functionality or not. I assume it's not intended by Hardened-PHP and Suhosin, at least :) You didn't mention this, but even if register_globals is disabled, this seems to work, at least in my PHP 4.4.4. Try the code below

Re: Windows 0day release

2007-06-13 Thread Steven M. Christey
Joanna Rutkowska said: Dear all, this is not a 0day, it is a public release of a responsibly disclosed vulnerability. Yes, indeed it *seems* so: http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx The kinds of discrepancies you list are an almost daily occurrence with many

Re: Dansie Cart Script Exploit Reported

2007-06-06 Thread Steven M. Christey
This advisory is an incomplete cut-and-paste of a post to Bugtraq in April 2000 by Joe at BLARG.NET: Back Door in Commercial Shopping Cart http://archives.neohapsis.com/archives/bugtraq/2000-04/0051.html CVE-2000-0252 BID:1115 XF:dansie-shell-metacharacters(4975) - Steve

Re: Podium CMS - Cookie Manipulation Exploit

2007-05-09 Thread Steven M. Christey
Hello, Pardon me for being dense, but what exactly does cookie manipulation mean in this context? What is the vulnerability? Looking at the following exploit code: input name=id size=75 value=meta+http-equiv='Set-cookie'+content='cookiename=cookievalue' The (apparent) injection of a META

Re: [Bogus] Lazarus Guestbook (admin.php) Remote File Include Exploit

2007-03-16 Thread Steven M. Christey
Tom Walsh said: So... either it is patched in the version I am looking at (unlikely) or this is a bogus report (like god knows how many others). In this case, it looks legitimate for OLDER versions. See informal analysis below. The cause was dynamic variable evaluation, which is one of the

Re: Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-14 Thread Steven M. Christey
3APA3A said: I. There is no symlinks under Windows. Symlink attacks are not possible. I'm not a Windows expert, but... There have been some past vulnerabilities where an attacker could upload a shortcut (.lnk) file and access files outside of the intended directory. In cases of FTP servers or

Re: Remote File Include In Script PHP Photo Album

2007-03-14 Thread Steven M. Christey
Hasadya Raed: from versions 0.3.2.6 (http://www.phpalbum.net/dw) and Beta 0.4.1-beta9 and beta8 (http://www.phpalbum.net/): 1) There is no file named common.php 2) There is no string db_file in any file Are you sure that your report is correct? - Steve

Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite

2007-03-13 Thread Steven M. Christey
Stefano Di Paola said: 1. I search on google for import_request_variables advisories (nothing found) 2. I search on php.net in changeLog for fixes (nothing found). I can see why you weren't able to find anything. However, there have been a number of disclosures that are probably related - but

Re: iDefense Security Advisory 02.22.07: IBM DB2 Universal Database DB2INSTANCE File Creation Vulnerability

2007-02-24 Thread Steven M. Christey
A few notes on this advisory and IBM's IY94817. 1) The real IY94817 document (not the stub) requires registration to even access in the first place, which is an unfortunate practice that too many vendors undertake. The URL was also broken for some time. Now that I've registered, I

Re[2]: Solaris telnet vulnerability - how many on your network?

2007-02-22 Thread Steven M. Christey
Cromar Scott said: I know that my initial reaction was haven't I seen this before? but the above two are what I found in my notes when I looked back. There are at least 20 FTP server implementations that have had buffer overflows with a long USER command. HTTP GET directory traversals are

Argument injection issues

2007-02-14 Thread Steven M. Christey
In a Solaris telnet vulnerability thread, Casper Dik said: It's not still in Solaris; it's the first time it occurred in Solaris; it is stupid it did but it's a typical programming error: passing unchecked arguments to a program without escaping special characters. The emerging terminology for

Re: Web Server Botnets and Server Farms as Attack Platforms

2007-02-13 Thread Steven M. Christey
Interesting paper, Gadi. Some thoughts: 1) It seems obvious that RFI is equivalent to remote code execution, but it's worth repeating. 2) A PHP exploit is much easier to write than a shellcode exploit. Plus, with the file inclusion, the payload is not limited in size, and you have a

Re: local Calendar System v1.1 (lcStdLib.inc) Remote File Include

2007-02-07 Thread Steven M. Christey
On Mon, 29 Jan 2007, Simple Nomad wrote: On Mon, 2007-01-29 at 13:00 -0600, Gadi Evron wrote: How can we all automate the testing process for fake vulns in and list them as such without overburdening OSVDB, CVE, Milworm and SecuriTeam? How about letting them get posted to bugtraq as ppl

Re: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities

2007-02-02 Thread Steven M. Christey
Michal, iFTPAddU is for adding users, and iFTPAddH is for adding virtual hosts. These sound like administrator-level controls. Presumably, the same admin already had the access to install WS_FTP in the first place. So, it doesn't seem like these cross any privilege boundaries, so they don't

Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL

2007-01-25 Thread Steven M. Christey
Which Oracle Vuln# does this map to? There are 2 substantial discrepancies with the most likely candidate. According to the Jan 2007 CPU: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html the only issue related to sys.dbms_capture_adm_internal is DB09.

Re: Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME

2007-01-25 Thread Steven M. Christey
Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_LOGREP_UTIL can exploit this vulnerability. Exploitation of this vulnerability allows an attacker to execute arbitrary code. This statement is inconsistent with Oracle's CPU, which states that DB08 (CVE-2007-0274) has

Re: Vendor guidelines regarding security contacts

2007-01-12 Thread Steven M. Christey
On Fri, 12 Jan 2007, Ben Bucksch wrote: Steven M. Christey wrote: The US Department of Homeland Security's Vulnerability Disclosure Framework document here: http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf *cough* Full Disclosure Policy (RFPolicy) v2.0 http://www.wiretrip.net

Re: OpenPinboard = Remote File Include

2007-01-09 Thread Steven M. Christey
Remote file inclusion does not seem possible - the only relevant code is this: require_once(languages/$language.php); Since the languages/ string will always appear first, you can't inject an http://; or similar to the front of the string, so remote file inclusion is not possible. OK, so we

Re: The newest Word flaw is due to malformed data structure handling

2006-12-14 Thread Steven M. Christey
Alexander Sotirov said: Descriptions of vulnerabilities, especially ones that are found in the wild, should include enough information to allow researchers to uniquely identify the new vulnerability and differentiate it from all other bugs, both known ones and 0days. I say this periodically,

Re: XSS in JAB Guest Book

2006-12-07 Thread Steven M. Christey
function invalideregtest($input) script just check $topic by invalideregtest function I think this function just *tries* to check inputs, but doesn't succeed. Did you do any live testing using $topic ? We should expect to see more erroneous cleansing/checking functions as programmers attempt

Re: Re: Which is more secure? Oracle vs. Microsoft (is it a fair comparison?)

2006-11-28 Thread Steven M. Christey
Large-scale comparisons using historical data, while suggestive, have certain limitations. I touched on many of these in my open letter on the interpretation of vulnerability statistics [1] when talking about trend analysis in vulnerability databases, but many of the points apply here. For

Clarifying integer overflows vs. signedness errors

2006-11-21 Thread Steven M. Christey
A terminology question for people. In this reference: BUGTRAQ:20061115 Re: DragonFlyBSD all versions FireWire IOCTL kernel integer overflow information disclousure http://www.securityfocus.com/archive/1/archive/1/451677/100/0/threaded The issue is being described as an integer overflow.

Re: phpMyConferences = 8.0.2 Remote File Inclusion

2006-11-03 Thread Steven M. Christey
mfp.c, In 8.0.2, the surrounding code for this bug is: function insert_cached_module($module_desc) { ... global $lvc_modules_dir; ... if (!$gloaded_modules[$module_name]) { include($lvc_modules_dir.'/'.$module_name.'.module.php'); Since this

Re: iDefense Security Advisory 10.19.06: Kaspersky Labs Anti-Virus IOCTL Local Privilege Escalation Vulnerability

2006-10-21 Thread Steven M. Christey
Vendor response: http://www.kaspersky.com/technews?id=203038678 This only mentions KLIN.SYS, but the original iDEFENSE advisory lists both KLIN and KLICK as attack vectors. Has the KLICK vector been addressed as well? - Steve

Re: The latest version of iSearch is V2.16 = (index.php) Remote File Inclusion Exploit

2006-10-11 Thread Steven M. Christey
str0ke said: index.php seems patched to me. The following code was in 2.15, which also suggests that the issue might not exist, at least for index.php: $isearch_path = '.'; define('IN_ISEARCH', true); require_once $isearch_path/inc/core.inc.php; require_once

Re: net2ftp: a web based FTP client :) = Remote File Inclusion

2006-10-09 Thread Steven M. Christey
securfrog said: i guess you should learn some PHP before posting on bugtracks ... net2ftp: a web based FTP client :) = Remote File Inclusion === you should try your PoC before posting , there's no remote file include in that code ... You are probably looking at recent versions, which don't

Re: WikyBlog = v1.4 (WN_BASEDIR) Remote File Inclusion Exploit

2006-10-06 Thread Steven M. Christey
There are some important errors in this post that appear to stem from incomplete editing of a previous advisory for an unrelated product, webnews (CVE-2006-5100). The subject line says 1.4, but the version referenced at the end of the post is 1.2.3, which is dated October 2, 2006; so there

Re: WebspotBlogging = 3.0 Remote File Include Vulnerabilities

2006-10-03 Thread Steven M. Christey
These vectors were previously reported in June 2006 (CVE-2006-2860) by Kacper in a milw0rm post (http://milw0rm.com/exploits/1871), for version 3.0.1. Www.Site.coM/[Path]/inc/mainheder.inc.php This appears to be a mis-spelling of mainheader.inc.php. - Steve

Buffer overflow term considered overloaded

2006-09-23 Thread Steven M. Christey
In Re: IE ActiveX 0day? to Bugtraq on September 18, Alexander Sotirov asked: What is your definition of memory corruption? How can a buffer overflow not be a memory corruption error? The term buffer overflow continues to be too general for the variety of issues out there. Array index/offset

Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability

2006-09-07 Thread Steven M. Christey
This vulnerability is not that dangerous because, firstly, if you want to exploit it, you must have exact file tree and correct name of the malicious script because that variable is never used alone but always in concatenation with script name and generic extension In a typical PHP exploit

Re: AW: JetBox cms (search_function.php) Remote File Include

2006-08-30 Thread Steven M. Christey
Frank Reissner said: //comments function phpdigSearch(){ Line: 423 ?php include $relative_script_path.'/libs/htmlheader.php' ? ... } Please explain us how that should be exploited. While this statement appears to be in a function declaration, there would be nested ?php

Re: [VulnWatch] Re: Concurrency-related vulnerabilities in browsers - expect problems

2006-08-17 Thread Steven M. Christey
Some interesting work. For those who haven't made the connection yet - concurrency issues probably go far beyond just web browsers. It's a safe bet that *any* software that's multi-threaded, multi-process, event-based, or asynchronous could have these sorts of issues. Traditional data

Re: Calendarix = 0.7 (calpath) Remote File Inclusion Vulnerability

2006-08-14 Thread Steven M. Christey
Carsten Eilers said: Take a look at the top of cal_config.inc.php: # adjust the '$calpath'. # hardcode it if detection does not work and comment out the remaining # code. # # $calpath = C:\\PHP\\calendarix\\demo\\ ; $calpath = dirname(__FILE__) ; When doing post-disclosure analysis

Re: Xss in MttKe-php v2.6

2006-07-31 Thread Steven M. Christey
Xss in MttKe-php v2.6 What product or web site is this? A Google search returns mostly references to the original post. - Steve

Re: Do world's famous companies take care of their security?

2006-07-31 Thread Steven M. Christey
There was discussion last week in the Full-Disclosure about XSS vulnerabilities in reply to XSS vulns in PayPal and Gadi Evron suggested creation of a separate mailing list for just XSS vulnerabilities. This is definitely a growing gap in our current knowledge. I don't think it's being tracked

Re: HYSA-2006-008 myBloggie 2.1.3 CRLF SQL Injection

2006-07-27 Thread Steven M. Christey
--==CRLF injection==-- GET /mybloggie/ HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) Host: 127.0.0.1:80 Cookie: PHPSESSID=op0-11{}};q, or something like that Connection: Close This demonstration code does not contain any carriage return / line feed sequences. What is the

Re: ATutor 1.5.3 Cross Site Scripting

2006-07-22 Thread Steven M. Christey
The mentioned SQL injection vulnerability is not possible. Please remove it. Could you explain this further? In 1.5.3, edit_forum() in forums.inc.php has the following: $sql= UPDATE .TABLE_PREFIX.forums SET title='$_POST[title]', description='$_POST[body]' WHERE

Re: LAMP vs Microsoft

2006-07-12 Thread Steven M. Christey
Researcher fads, differences in vendor disclosure practices, and vulnerability database editorial policies will heavily influence vulnerability statistics, to the point where comparing them is not very informative (at least, you're not getting the whole picture). You also have the challenge of

Re: [ECHO_ADV_34$2006] W-Agora (Web-Agora) = 4.2.0 (inc_dir) Remote File Inclusion

2006-06-27 Thread Steven M. Christey
Successful exploitation requires that register_globals= Off . That seems very strange, doesn't it? Especially if you look at the source code. Let's start with search.php, one of the vulnerable vectors: ?php ... require (init.inc); and in init.inc: require (globals.inc); ...

Re: MS Excel Remote Code Execution POC Exploit

2006-06-23 Thread Steven M. Christey
* Advisories: * http://www.microsoft.com/technet/security/advisory/921365.mspx * http://www.securityfocus.com/bid/18422/ There are at least three separate Excel issues that were published in the past week. These references suggest that it's the zero-day exploit from last Friday

Re: aXentForum II XSS vuLLn

2006-06-22 Thread Steven M. Christey
The same executable (viewposts.cfm) and parameter (startrow) was reported by r0t at 13:49 June 15, 2006, probably Finland time: http://pridels.blogspot.com/2006/06/axentforum-ii-xss-vuln.html In fact, the Bugtraq post contains the following text, which is exactly the same as r0t's blog entry

Re: PHP security (or the lack thereof)

2006-06-17 Thread Steven M. Christey
Darren Reed said: From my own mail archives, PHP appears to make up at least 4% of the email to bugtraq I see - or over 1000 issues since 1995, out of the 25,000 I have saved. Do you mean the PHP interpreter? Or applications written in PHP? I'm not sure how many vulnerabilities were in

Re: Amr Talkbox talkbox.PHP - Remote File Include Vulnerabilities

2006-06-15 Thread Steven M. Christey
SpC-x said: # Amr Talkbox talkbox.PHP - Remote File Include Vulnerabilities ... # if ($lang == eng) { # include ($direct/lang_eng.txt); # } elseif ($lang ==ita) { # include ($direct/lang_ita.txt); However, looking at the source code as available on

Re: REMOTE FILE INCLUSION ( ALL )

2006-06-14 Thread Steven M. Christey
This post appears to have some errors. What PHP version, environment, and operating system did you use to test this? Did you use a real web site, or did you just look at the source code? When a variable is used in a require or include statement, you must make sure that the variable can be

Re: BUGTRAQ:20060611 ThWboard 3.0 = SQL Injection

2006-06-13 Thread Steven M. Christey
Exploit: http://www.example.com/showtopic.php?threadid=1pagenum=[SQL] The same program and parameter were already reported to Bugtraq by Qex on April 19 for version 3 beta 2.84 (CVE-2006-1926). - Steve

Re: Shoutpro 1.0 Version - Remote File Include Vulnerability

2006-06-13 Thread Steven M. Christey
# if ($path){ # $ips = file($path/lists/bannedips.php); # } else { # $ips = file(lists/bannedips.php); # } # if (in_array($REMOTE_ADDR,$ips)) { # echo($bannedmessage); # die; There might be a terminology problem here. I don't see how this can be used to execute code. Yes, the file() call could

Re: # MHG Security Team --- MyBloggie 2.1.1 version Remote File Include Vulnerabilit

2006-06-06 Thread Steven M. Christey
nukedx said: This is not vulnerable,PHP-Nuke having a special in their files and when includes mainfile.php it overwrites the global variables and it caused to make an arbitrary file inclusion. But in MyBloggie there is no common vulnerability like it. In the source code for 2.1.1, many files

Re: Squirrelmail local file inclusion

2006-06-06 Thread Steven M. Christey
Paul Schmehl said: This is the second bug I've seen in the past week that requires register_globals to be on. Yet register_globals has been off by default for the past four years. But after a disclosure of a PHP issue with a functioning exploit, many sites are regularly hacked soon afterward.

Re: my Web Server v-1.0 Denial of Service Exploit

2006-06-02 Thread Steven M. Christey
str0ke asked: Is this the same vulnerability? http://www.securityfocus.com/bid/5954 Well, let's see. Short answer is probably not because they don't seem to be the same product. The most recent disclosure points to MY Web Server at http://eitsop.s5.com/, which links to source code in a ZIP

Re: Re: # MHG Security Team --- PHP NUKE All version Remote File Inc.

2006-06-02 Thread Steven M. Christey
include(../../../mainfile.php); include($phpbb_root_path.'common.'.$phpEx); ... in mainfile.php at lines 54-56 ... import_request_variables('GPC'); Oh, OK - now that makes sense. This looks like one aspect of the globals overwrite problem as originally documented by Stefan Esser in the

Re: Destiney Rated Images Script v0.5.0 - XSS Vuln

2006-05-26 Thread Steven M. Christey
Webmaster at destiney said: I pasted the following example XSS code into both form fields, and saw no evidence of XSS vulnerabilities: DIV STYLE=background-image: url(javascript:alert('XSS')) According to the XSS cheat sheet at http://ha.ckers.org/xss.html, STYLE attributes in DIV tags are

Re: mybb v1.1.1(rss.php) SQL Injection Exploit

2006-05-25 Thread Steven M. Christey
Foud By: Brh CrAzY CrAcKeR $comma = - ; ... $title .= $comma.$forum['name']; ... $comma = , ; This code snippet sets the $comma variable to static values, so it doesn't look like the attacker can control them. Example: /rss.php?...$comma=[SQL] Given the previous code snippet, how can

Re: Oracle - the last word

2006-05-11 Thread Steven M. Christey
David Litchfield said: When Oracle 10g Release 1 was released you could spend a day looking for bugs and find thirty. When 10g Release 2 was released I had to spend two weeks looking to find the same number. This increasing level of effort is likely happening for other major widely audited

Re: tseekdir.cgi--Local File Include

2006-05-10 Thread Steven M. Christey
foud by: BoNy-m Also apparently found by durito in September 2004, as identified in the Turbo Seek product. /tseekdir.cgi?id=1055location=/etc/passwd%00 This is the same exploit vector as what was reported in Secunia SA12500 and BID 11163: http://www.securityfocus.com/bid/11163/exploit

Re: ISA Server 2004 Log Manipulation

2006-05-09 Thread Steven M. Christey
You can insert the 'tab' value and possibly break 3rd party log analyzers. OK, this makes sense - if ISA supports tab-separated format, then tab is a special character within such a log file, and attackers should be prevented from injecting it (by filtering, quoting, whatever...) Other

Re: Phil's Bookmark script admin By-pass

2006-05-09 Thread Steven M. Christey
google dork : Phil's Bookmark This doesn't return anything except copies of the original Bugtraq post and a reference to a person's web site. Searching for Phil's Bookmarks found a lot of sites by people named Phil who listed their favorite bookmarks. Is there an actual product here? Or was

Re: ISA Server 2004 Log Manipulation

2006-05-05 Thread Steven M. Christey
There is a Log Manipulation vulnerability in Microsoft ISA Server 2004, which when exploited will enable a malicious user to manipulate the Destination Host parameter of the log file. ... We were able to insert arbitrary characters, in this case the ASCII characters 1, 2, 3 (respectively) into

Dynamic Evaluation Vulnerabilities in PHP applications

2006-05-03 Thread Steven M. Christey
-- Dynamic Evaluation Vulnerabilities in PHP applications -- Following is a brief introduction to a growing class of serious vulnerabilities in PHP applications. They can allow execution of

Re: Recent Oracle exploit is _actually_ an 0day with no patch

2006-04-28 Thread Steven M. Christey
The recent Oracle exploit posted to Bugtraq (http://www.securityfocus.com/archive/1/431353) is actually an 0day and has no patch. The referenced exploit seems to use GET_DOMAIN_INDEX_METADATA with a TYPE_NAME that references an attacker-defined package with a (modified?) ODCIIndexGetMeta

Re: Instant Photo Gallery = Multiple XSS

2006-04-27 Thread Steven M. Christey
security curmudgeon mentioned: /portfolio.php?cat_id=[XSS] Based on source inspection of 1.0.2, this parameter is cleansed. line 31 of portfolio.php says: $catId = $dbFilter-db_clean_input($_GET['cat_id'], 'integer'); which looks like it's going to do input validation as an integer.

Re: Invision Vulnerabilities, including remote code execution

2006-04-26 Thread Steven M. Christey
sources/action_public/search.php line 1261 $this-output = preg_replace( #(value=[\']{$this-ipsclass-input['lastdate']}[\'])#i, \\1 selected='selected', $this-output ); ... an #e modifier is added and then %00 used which will be parsed as a null byte and truncate the string thus

Re: CuteNews 1.4.1 = Cross Site Scripting

2006-04-20 Thread Steven M. Christey
Exploit: http://www.example.com/index.php?mod=editnewsaction=editnewsid=1145397112source=[XSS] This XSS is likely resultant from a more serious issue in which the $source variable is not being validated, so it is subject to attacks such as directory traversal. Given the program's assumption of

Re: QuickBlogger v1.4 Cross-Site Scripting

2006-04-15 Thread Steven M. Christey
This is yet another case where XSS is resultant from a more serious issue. The primary issue here involves local file inclusion. retrogod-style attacks might be feasible by injecting PHP code into text-based data files within the application, then including those text files using this issue;

Re: Multiple vulnerabilities in Blur6ex

2006-04-13 Thread Steven M. Christey
The XSS issue in the shard parameter appears to be resultant from a more serious file inclusion vulnerability. This is the kind of diagnosis error that I have mentioned in the past [1]. Notice that the error message shows that it took the shard parameter and directly inserted it into a filename

Re: function *() php/apache Crash PHP 4.4.2 and 5.1.2

2006-04-12 Thread Steven M. Christey
Michal Zalewski asked: ...but how come there's no CVE entry for the bash script in my signature? To which I'll answer the underlying question, i.e. why assign a CVE identifier to what appears to be a non-vulnerability? 1) To clarify: while we changed the CVE naming scheme in October 2005 so

Re: FleXiBle Development Script Remote Command Execution And XSS Attacking

2006-04-09 Thread Steven M. Christey
Hello botan, I have some questions about this report. Web: http://www.ahbruinsma.nl This web site requires a login. Even the front page is not accessible. FleXiBle Development (FXB) Is this a product, service, or a single web site? There is very little information in Google. //Defining

Re: On product vulnerability history and vulnerability complexity

2006-04-03 Thread Steven M. Christey
On Mon, 3 Apr 2006, Gadi Evron wrote: Looking at Microsoft's software of today, it is extremely well-written and professional. Far beyond that of most others. Finding vulnerabilities in them is extremely difficult. Most vulnerabilities you will find will be logical in nature and not easy. A

Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

2006-04-01 Thread Steven M. Christey
In a post-disclosure analysis [1] of a security issue announced by rgod [2], Siegfried observed that the reported XSS actually originated from a file inclusion vulnerability, in which the XSS was reflected back from an error message when the file inclusion failed: About the xss, it is an xss in

Re: Sudo tricks

2006-03-28 Thread Steven M. Christey
So, in other words, all you need in order to get root access is a rootkit, your shell script, and root access? Ummm... I don't get it. I was also confused by this. However, one guess is that by compromising an unprivileged account and creating command aliases to run trojaned su and sudo

Re: histhost v1.0.0 xss and possible rmdir

2006-03-14 Thread Steven M. Christey
retard said: as you see line 19 raises suspicion of the possibility of rming 0777 dirs i've tried it on my personal server with no success, if someone knows of a way let me know. According to the PHP manual, rmdir only works on empty directories. Did you try to remove an empty directory? -

Re: ArGoSoft FTP server remote heap overflow

2006-03-01 Thread Steven M. Christey
A buffer overflow in DELE was originally reported to Bugtraq by CorryL in March 2005, for ArGoSoft FTP 1.4.2.8 (CVE-2005-0696): http://www.securityfocus.com/archive/1/392653 According to CorryL's disclosure timeline, no patch had been released by the disclosure date. So, is this a

Re: Internet Explorer Phishing mouseover issue

2006-02-23 Thread Steven M. Christey
The http-equiv and Gandalf examples are very similar, but I think there might be some important distinctions. 1) The http-equiv example (CVE-2004-1104) uses a BASE tag with an href attribute. In the form, the A tag has an href= without a value. The value of the BASE HREF is displayed on

What is the state of vulnerability research?

2006-02-16 Thread Steven M. Christey
This is a series of open questions to people who consider themselves to be vulnerability researchers. Hopefully this will open a number of fruitful public discussions. 1) What is the state of vulnerability research? 2) What have researchers accomplished so far? 3) What are the greatest

On the 0-day term

2006-02-14 Thread Steven M. Christey
In the Internet Explorer dragdrop 0day thread, Gadi Evron said: In my opinion, this comes to prove 0days are USUALLY a myth (WMF being a good example of a real 0day), It's not necessarily that 0-days are a myth, it's that people have been using the term 0-day to mean two separate things: -

Re: [myimei]MyBB 1.0.2 XSS attack in search.php

2006-02-08 Thread Steven M. Christey
The advisory says: Status: patched in 1.0.3 ... ?Solution??? No Patch available. (bug reported to vendor today) I'm confused. One part of this advisory says there's a patch available, one part says there isn't. (By the way, this is an example of the inconsistent property of security

Blacklist defenses as a breeding ground for vulnerability variants

2006-02-03 Thread Steven M. Christey
David Litchfield recently provided a detailed description of a number of vulnerabilities in Oracle PLSQL Gateway. He showed how, each time the blacklist defense was modified, he was able to find a new variant that worked around the more restrictive blacklist. This type of pattern has emerged

Re: Microsoft knew about the WMF flaw for years

2006-01-20 Thread Steven M. Christey
Throughout all this discussion, we should not forget that it was not just Microsoft, but other developers who appear to have implemented and preserved this same WMF functionality over the years, e.g. Wine. The problem might have originated with Microsoft's design choices way back when, but few

Re: Html_Injection in vBulletin 3.5.2

2006-01-10 Thread Steven M. Christey
This appears to be the same vulnerability as that reported to Bugtraq by trueend5 of KAPDA on January 1: BUGTRAQ:20060106 [KAPDA::#19] - Html Injection in vBulletin 3.5.2 URL:http://www.securityfocus.com/archive/1/archive/1/420663/100/0/threaded In fact, the text is exactly the same, as is

Open Letter on the Interpretation of Vulnerability Statistics

2006-01-05 Thread Steven M. Christey
Open Letter on the Interpretation of Vulnerability Statistics --- Author: Steve Christey, CVE Editor Date: January 4, 2006 All, As the new year begins, there will be many temptations to generate, comment, or report on vulnerability

Re: Fullpath disclosure in roundcube webmail

2005-12-17 Thread Steven M. Christey
I try this request in my mailbox http://.com/roundcube/?_auth=3Dcf559dcf52d8801ccd51cd1f3ba3eca08d1b0 bce= _task=3Dma%60il then roundcube shows this warning For the 3 people who might care about the distinction (e.g. vuln DBs who exclude path disclosure), this appears to be a custom error

Disclosure timelines from vendors - a promising practice?

2005-12-14 Thread Steven M. Christey
I was just browsing the Red Hat bug report for the mod_imap XSS issue (CVE-2005-3352). In it, they included a disclosure timeline (possibly from Apache, this is not clear). I've only seen a handful of disclosure timelines by a vendor. But in my opinion, it should be more widely adopted by

Re: IMOEL CMS Sql password discovery

2005-12-14 Thread Steven M. Christey
Hello, IMOEL CMS has the weakness to download the plain text sql password in the setting.php file */* $setting['host']['username'] = 'sqlusername'; $setting['host']['password'] = 'sqlpassword'; *** so u can download the

Re: Re: [KAPDA::#16] - SMF SQL Injection

2005-12-12 Thread Steven M. Christey
substr(strtolower($_REQUEST['start']), 0, 1) So, the string is set to lower case, and then only the FIRST letter is used within the query. How can anyone exploit the database with a one character insertion? Of course this is within single quotes as well, so it cannot even be a command. This

Format String Vulnerabilities in Perl Programs

2005-12-02 Thread Steven M. Christey
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* Format String Vulnerabilities in Perl Programs *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* Author: Steve Christey Date: December 2, 2005 ** Table
