BugTraq
Puntal (index.php) Remote File Inclusion Vulnerabilities May 03 2010 06:10PM
eidelweiss cyberservices com (1 replies)
RE: Puntal (index.php) Remote File Inclusion Vulnerabilities May 03 2010 08:39PM
Tom Walsh - lists (mailinglist expresshosting net) (1 replies)
Re: Puntal (index.php) Remote File Inclusion Vulnerabilities May 04 2010 05:15PM
Justin C. Klein Keane (justin madirish net)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've found similar deficiencies in other "vulnerabilities" listed by
inj3ct0r sh3ll.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

On 05/03/2010 04:39 PM, Tom Walsh - lists wrote:
> Both variables ($app_path and $puntal_path) are defined in the index.php
> file. As such they will never be overridden when the variables are passed
> via POST or GET. POST and GET variables are populated and placed into the
> global scope before the page is processed by the PHP processor engine
> (assuming register globals is enabled, which it hasn't been in a default PHP
> install in a long time).
>
> Line 29 of index.php: $app_path = '/';
> Line 41 of index.php: $puntal_path = dirname(__FILE__).$app_path;
>
> Additionally the following line (Line 43 of Index.php) calls a function
> specifically designed to unregister global variables in the global scope of
> the application.
>
> This is not an exploit. Never was.
>
> Nothing to see here... Move along.
>
>> -----Original Message-----
>> From: eidelweiss (at) cyberservices (dot) com [email concealed] [mailto:eidelweiss (at) cyberservices (dot) com [email concealed]]
>> Sent: Monday, May 03, 2010 1:10 PM
>> To: bugtraq (at) securityfocus (dot) com [email concealed]
>> Subject: Puntal (index.php) Remote File Inclusion Vulnerabilities
>>
>> Puntal could allow a remote attacker to include malicious PHP files. A
> remote
>> attacker could send a specially-crafted URL request to the "index.php"
> script
>> using the "app_path=" OR "puntal_path=" parameter to specify a malicious
> PHP
>> file from a remote system, which would allow the attacker to execute
> arbitrary
>> code on the vulnerable system.
>>
>> Puntal 2.1.0 is vulnerable; other versions may also be affected.
>>
>> An attacker can exploit these issues via a browser.
>>
>> -=[P0C]=-
>>
>> http://127.0.0.1//path/index.php?app_path= [inj3ct0r sh3ll]
>> or
>> http://127.0.0.1//path/index.php?puntal_path= [inj3ct0r sh3ll
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkvgVk8ACgkQkSlsbLsN1gC7HAb9FX3dMwlXSrXnnKboL9Bvy4Ty
S5xqbRUNFLVd06PmedXZ/Rx8OmFWR8YZpsLE39PZ+ri1hX8huQDFBm301iMFU+Q9
UeyiIBkra6jlf/WgSu5ZIFecHvd/GOU36rluV8CYSJhxoFh69UxihYSA9II2DeVv
nJIR1WAGeo0QJs4liaIoUE6YR6wy7ZEAg8/MLcR8RKlnQc3xyY0s0KIZ56TuFOUk
olKsvQBg3Wsw1DvPiOT5bdoOcXQjDr4ism/WUvZk1mub/g1Vlwj+d7mw61zuBp8v
eJjHF8pyQ+U4awRp5Rc=
=PoyY
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus