On Tue, 2002-06-25 at 02:54, sindhiat_private wrote:
> Noguska Nola 1.1.1 [ Intranet Business Management Software ]
>
> Exploit: Document Management Module allows php script upload. How simple can it get ?

Though I'm no longer employed by Noguska, my name is still in the software and on the site (I imagine), so I feel compelled to respond.

I've attached a patch that defines a set of disallowed file extensions (though it's probably better reworked to be a set of allowed extensions). This vulnerability also appears in the Inventory Item Add/Update sections, as a file can be attached there in the same method as in the document manager.

The original message made no indication that you tried to contact the vendor. Did you?

Cheers,
Ryan Fox
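
The difference between a disallowed-extension set and the allowed-extension rework suggested in the message above, as an added example (it is not the attached patch and not Nola code). The extension lists, function names and sample file names are assumptions made for the illustration.

```php
<?php
// Added illustration; not code from Nola or from the attached patch.
// Both extension lists are assumptions chosen for the example.
const DENIED  = ['php', 'php3', 'cgi', 'pl'];
const ALLOWED = ['pdf', 'txt', 'doc', 'xls', 'png', 'jpg'];

// Denylist: reject only the extensions someone thought to list.
function denylist_accepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED, true);
}

// Allowlist: accept only "<simple-name>.<ext>" with exactly one known extension.
function allowlist_accepts(string $name): bool
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $name, $m)) {
        return false; // path separators, extra dots, no extension, odd bytes
    }
    return in_array(strtolower($m[1]), ALLOWED, true);
}

// Store under a server-generated name so the client's name is never a path component.
function stored_name(string $name): ?string
{
    if (!allowlist_accepts($name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names.
$samples = ['report.pdf', 'notes.PHP', 'page.phtml', 'README', 'archive.php.txt'];
foreach ($samples as $name) {
    printf("%-16s denylist=%-6s allowlist=%s\n",
        $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_accepts($name) ? 'accept' : 'reject');
}
```

The denylist accepts every name whose final extension it did not anticipate, while the allowlist accepts only `report.pdf` from the sample set. Keeping uploads in a directory the web server does not execute scripts from complements either check.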
This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 12:57:26 PDT