Re: Noguska Nola 1.1.1 [ Intranet Business Management Software ]

From: Ryan Fox (rfoxat_private)
Date: Thu Jun 27 2002 - 09:14:37 PDT

Next message: KF: "Re: Java and buffer overflows"

Previous message: Dave Aitel: "Re: Java and buffer overflows"
In reply to: sindhiat_private: "Noguska Nola 1.1.1 [ Intranet Business Management Software ]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2002-06-25 at 02:54, sindhiat_private wrote:
> Noguska Nola 1.1.1 [ Intranet Business Management Software ]
> 
> Exploit: Document Management Module allows php script upload. How simple can it get ?

Though I'm no longer employed by Noguska, my name is still in the
software and on the site (I imagine), so I feel compelled to respond. 
I've attached a patch that defines a set of disallowed file extensions
(though it's probably better reworked to be a set of allowed
extensions).  This vulnerability also appears in the Inventory Item
Add/Update sections, as a file can be attached there in the same method
as in the document manager.  

The original message made no indication that you tried to contact the
vendor.  Did you?

Cheers,
Ryan Fox

text/x-patch attachment: nola.vuln.patch__charset_ISO-8859-1

Next message: KF: "Re: Java and buffer overflows"
Previous message: Dave Aitel: "Re: Java and buffer overflows"
In reply to: sindhiat_private: "Noguska Nola 1.1.1 [ Intranet Business Management Software ]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 12:57:26 PDT