Re: Noguska Nola 1.1.1 [ Intranet Business Management Software ]

From: Ryan Fox (rfoxat_private)
Date: Thu Jun 27 2002 - 09:14:37 PDT


    On Tue, 2002-06-25 at 02:54, sindhiat_private wrote:
    > Noguska Nola 1.1.1 [ Intranet Business Management Software ]
    > 
    > Exploit: Document Management Module allows PHP script upload. How simple can it get?
    
    Though I'm no longer employed by Noguska, my name is still in the
    software and on the site (I imagine), so I feel compelled to respond. 
    I've attached a patch that defines a set of disallowed file extensions
    (though it's probably better reworked to be a set of allowed
    extensions).  This vulnerability also appears in the Inventory Item
    Add/Update sections, as a file can be attached there in the same method
    as in the document manager.  
    
    The original message made no indication that you tried to contact the
    vendor.  Did you?
    
    Cheers,
    Ryan Fox
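
The reply's point that a set of allowed extensions is the better design than a set of disallowed ones, shown as an added example that is not part of the original message, the attached patch, or Nola's code. The function names, both extension lists and the sample filenames are assumptions constructed for illustration.

```php
<?php
// Added example. Function names, both lists and the sample filenames are
// constructed; none of them come from Nola or from the patch in the message.
const DISALLOWED_EXT = ['php', 'php3', 'phtml'];            // denylist (assumed contents)
const ALLOWED_EXT    = ['pdf', 'txt', 'csv', 'png', 'jpg']; // allowlist (assumed contents)

// Strip any client-supplied path plus trailing dots and whitespace.
function clean_name(string $clientName): string
{
    return rtrim(basename(str_replace('\\', '/', $clientName)), ". \t");
}

// Lower-cased final extension, or '' when there is none.
function final_extension(string $clientName): string
{
    return strtolower(pathinfo(clean_name($clientName), PATHINFO_EXTENSION));
}

// Denylist: accepts everything its author did not think of.
function denylist_accepts(string $clientName): bool
{
    return !in_array(final_extension($clientName), DISALLOWED_EXT, true);
}

// Allowlist: exactly one dot, and the extension must be on the list.
// The one-dot rule rejects names such as "report.php.pdf", which some
// handler configurations still route to the script interpreter.
function allowlist_accepts(string $clientName): bool
{
    return substr_count(clean_name($clientName), '.') === 1
        && in_array(final_extension($clientName), ALLOWED_EXT, true);
}

// Call only after allowlist_accepts(): the stored name is generated
// server-side, so nothing but the vetted extension survives.
function stored_name(string $clientName): string
{
    return bin2hex(random_bytes(16)) . '.' . final_extension($clientName);
}

$samples = ['report.pdf', 'notes.TXT', 'page.php', 'page.php5', 'report.php.pdf', 'noext'];
foreach ($samples as $n) {
    printf("%-15s denylist=%-6s allowlist=%s\n", $n,
        denylist_accepts($n) ? 'accept' : 'reject',
        allowlist_accepts($n) ? 'accept' : 'reject');
}
```

The same check has to be applied at every upload entry point; the message names both the document manager and the Inventory Item Add/Update sections.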
    
    
    


