Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-12-11 Thread Cameron Dale
FYI, I will probably try and upload this on Thursday (Dec. 14th), in the hopes of eventually getting included back into Etch. Unless of course there are any more problems that come up, or problems pointed out with the fixes I have here. Thanks, Cameron -- To UNSUBSCRIBE, email to [EMAIL

Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-12-09 Thread Cameron Dale
I've prepared an updated fix for this (and other) problems. I split the previous patch into 2, and created 2 other new ones to fix other problems. All 4 are attached, and my repository contains the updated packages. Here's a description of the patches: 11_missed_security_fixes.dpatch: This

Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-12-06 Thread Cameron Dale
forwarded 400582 http://www.torrentflux.com/contact.php thanks Thanks for the additional info Stefan, I've forwarded this information to upstream. Unfortunately I have no time right now, so it will be a couple of days before I get to this. One question though (below). On 12/4/06, Stefan Fritsch

Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-12-06 Thread Stefan Fritsch
On Wednesday 06 December 2006 09:00, Cameron Dale wrote: In index.php and dir.php, urldecode() is called after the htmlentities escaping is done by getRequestVar(). This allows the escaping to be bypassed. In dir.php this could be used for an XSS. Replace $dir by htmlentities($dir) in the error

Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-12-06 Thread Cameron Dale
On 12/4/06, Stefan Fritsch [EMAIL PROTECTED] wrote: In index.php and dir.php, urldecode() is called after the htmlentities escaping is done by getRequestVar(). This allows the escaping to be bypassed. In dir.php this could be used for an XSS. Replace $dir by htmlentities($dir) in the error message. Or

Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-12-04 Thread Stefan Fritsch
Hi Cameron, I have looked a bit more, but haven't found many issues. Let's hope that this means that there aren't many left ;-) On Friday 01 December 2006 00:15, Cameron Dale wrote: I don't think this will work, because the local user would need to be the www-data user to create the

Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-12-02 Thread Cameron Dale
Unless there are any more problems found with the fix I created, I'm going to try and get this uploaded by Monday the 4th so I can start working on the soon-to-be-released new upstream version. Cameron

Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-11-30 Thread Cameron Dale
On 11/29/06, Stefan Fritsch [EMAIL PROTECTED] wrote: I didn't have time yet to look at it thoroughly (or test it), but AFAICS you now check the file for existence before passing it to the shell. This should convert the remote command execution vuln into a local privilege escalation. A local

Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-11-30 Thread Stefan Fritsch
On Thursday 30 November 2006 22:57, Cameron Dale wrote: hostname:~$ touch '/tmp/`touch /tmp/hello`' touch: cannot touch `/tmp/`touch /tmp/hello`': No such file or directory My fault. The slashes are still path separators and the directory '/tmp/`touch /tmp/' does not exist. So you would have

Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-11-29 Thread Stefan Fritsch
I didn't have time yet to look at it thoroughly (or test it), but AFAICS you now check the file for existence before passing it to the shell. This should convert the remote command execution vuln into a local privilege escalation. A local user can do touch '/tmp/`touch /tmp/hello`' and pass

Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-11-27 Thread Stefan Fritsch
I was able to exploit the problem mentioned above to execute shell commands. $cfg[enable_file_priority] must be false. Try http://xxx/torrentflux/details.php?torrent=`touch /tmp/hello` Cheers, Stefan

Bug#400582: arbitrary code execution in metaInfo.php in torrentflux

2006-11-27 Thread Cameron Dale
tags 400582 + pending thanks On 11/27/06, Stefan Fritsch [EMAIL PROTECTED] wrote: I was able to exploit the problem mentioned above to execute shell commands. $cfg[enable_file_priority] must be false. Ahh, that's why I couldn't get it to work. Looking at it now it seems obvious, but then