Re: Bug in w-agora

From: Nicob (nicobat_private)
Date: Wed Jan 15 2003 - 15:07:12 PST


    On Sun, 2003-01-12 at 16:03, sonyyat_private wrote:
    
    > - Product : w-agora
    > - Tested version : version 4.1.5
    > - Vendor Status: informed
    
    > The bug :
    > ==========
    > 
    > index.php :
    >            $cfg_file = "${cfg_dir}/${bn}.${ext}";
    >
    > http://www.w-agora.net/current/index.php?site=demos&bn=../../../../../../../../../../etc/passwd%00
    > http://www.w-agora.net/current/modules.php?mod=fm&file=../../../../../../../../../../etc/passwd%00&bn=fm_d1
    
    AFAIK, the Null-byte attack doesn't work with PHP. It works with Perl
    and some Java apps, yes, but not PHP ...
    
    Furthermore, I briefly audited this software 3 or 4 weeks ago, and I
    checked every include() call. Now (the editor is very reactive), there is
    everywhere some concatenation with $ext, which is defined as ".php" in
    some init files. There's probably some place where you can read some
    files ending in ".php", but no more ...
    
    As a side note, there's probably some room for PHP exploitation in the
    init files (in general, not particularly for this app). A "well known
    good practice" is to set a ".php" extension on init files in order to
    protect them against bad ACLs at the web-server level allowing attackers
    to read their content (credentials, authentication).
    
    But these files are not developed with the idea that they will be called
    directly, and some code can probably be subverted because of this.
    
    No working example, it's just something I was thinking about ...
    By the way, what did the editor answer to your mail?
    
    
    Nicob
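The concatenation quoted in the report, `$cfg_file = "${cfg_dir}/${bn}.${ext}"`, shown next to a hardened lookup that validates the board name before any path is built. This is an added example written for this archive page, not w-agora's own code; the function names and the `conf` directory are assumed.

```php
<?php
// Added example, not w-agora's code: the concatenation quoted in the thread
// beside a hardened lookup that validates the board name ($bn) before the
// path is built. Function names and the conf directory are assumed.

$cfg_dir = __DIR__ . '/conf';   // assumed configuration directory
$ext     = 'php';               // yields the ".php" suffix the reply mentions

// Vulnerable: $bn comes straight from the request, so "../" walks out of $cfg_dir.
function unsafe_cfg_file(string $cfg_dir, string $bn, string $ext): string {
    return "{$cfg_dir}/{$bn}.{$ext}";
}

// Hardened: accept only a plain identifier, then confirm the resolved path
// is still inside $cfg_dir. Returns null when the name is rejected.
function safe_cfg_file(string $cfg_dir, string $bn, string $ext): ?string {
    // Step 1: whitelist the shape of the name. Letters, digits, '_' and '-'
    // only, which rejects '/', '.' and NUL bytes in a single check.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $bn)) {
        return null;
    }
    // Step 2 (defence in depth): canonicalise and check containment, so a
    // symlink or a later loosening of the whitelist cannot escape the directory.
    $base = realpath($cfg_dir);
    $real = realpath("{$cfg_dir}/{$bn}.{$ext}");
    if ($base === false || $real === false) {
        return null;   // directory or file does not exist
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the configuration directory
    }
    return $real;
}

// Constructed inputs: a legitimate board name and two traversal attempts.
$inputs = ['demos', "../../../../etc/passwd\0", 'demos/../../secret'];
foreach ($inputs as $bn) {
    printf("%-28s unsafe=%s  safe=%s\n",
        addcslashes($bn, "\0"),
        addcslashes(unsafe_cfg_file($cfg_dir, $bn, $ext), "\0"),
        safe_cfg_file($cfg_dir, $bn, $ext) ?? 'REJECTED');
}
```

With an existing `conf/demos.php` the first input resolves to that file; the other two are rejected by the whitelist before `realpath()` ever sees them, and a missing file is also reported as rejected rather than falling through to an include.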
    



    This archive was generated by hypermail 2b30 : Fri Jan 17 2003 - 09:06:55 PST