Re: Puntal (index.php) Remote File Inclusion Vulnerabilities

From: Justin C. Klein Keane <justin@madirish.net>
To: bugtraq@securityfocus.com
Cc:
Subject: Re: Puntal (index.php) Remote File Inclusion Vulnerabilities
Date:


I've found similar deficiencies in other "vulnerabilities" listed by
inj3ct0r sh3ll.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

On 05/03/2010 04:39 PM, Tom Walsh - lists wrote:
> Both variables ($app_path and $puntal_path) are defined in the index.php
> file. As such they will never be overridden when the variables are passed
> via POST or GET. POST and GET variables are populated and placed into the
> global scope before the page is processed by the PHP processor engine
> (assuming register globals is enabled, which it hasn't been in a default PHP
> install in a long time).
> 
> Line 29 of index.php: $app_path = '/';
> Line 41 of index.php: $puntal_path = dirname(__FILE__).$app_path;
> 
> Additionally the following line (Line 43 of Index.php) calls a function
> specifically designed to unregister global variables in the global scope of
> the application.
> 
> This is not an exploit. Never was.
> 
> Nothing to see here... Move along.
> 
>> -----Original Message-----
>> From: eidelweiss@cyberservices.com [mailto:eidelweiss@cyberservices.com]
>> Sent: Monday, May 03, 2010 1:10 PM
>> To: bugtraq@securityfocus.com
>> Subject: Puntal (index.php) Remote File Inclusion Vulnerabilities
>>
>> Puntal could allow a remote attacker to include malicious PHP files. A
>> remote attacker could send a specially-crafted URL request to the "index.php"
>> script using the "app_path=" OR "puntal_path=" parameter to specify a malicious
>> PHP file from a remote system, which would allow the attacker to execute
>> arbitrary code on the vulnerable system.
>>
>> Puntal 2.1.0 is vulnerable; other versions may also be affected.
>>
>> An attacker can exploit these issues via a browser.
>>
>> -=[P0C]=-
>>
>> http://127.0.0.1//path/index.php?app_path= [inj3ct0r sh3ll]
>>             or
>> http://127.0.0.1//path/index.php?puntal_path= [inj3ct0r sh3ll]
> 
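As an added PHP illustration for this thread (not Puntal's own code), the following reproduces the two defences Tom Walsh describes: register_globals is simulated with a constructed request, and `unregister_globals()` is a hypothetical name modelled on the common pattern of that kind of function, not Puntal's actual routine.

```php
<?php
// Added illustration, not Puntal's code. It reproduces the two defences
// described in the thread: a hard-coded assignment that overwrites any
// same-named request variable, and a function that strips variables that
// register_globals injected. Runs with register_globals off by simulating
// what that setting used to do.

// Constructed hostile request, mirroring the advisory's claimed vector.
$_GET = array('app_path' => 'http://attacker.invalid/shell.txt?');

// What register_globals=On did before the script ran: every request
// parameter silently became a global variable of the same name.
foreach ($_GET as $name => $value) {
    $GLOBALS[$name] = $value;
}

// Defence 2 (the kind of function the thread says index.php calls):
// drop every global whose name arrived through a request array. It has to
// run before the script assigns values it wants to keep, otherwise it
// would discard those as well.
function unregister_globals()
{
    $input = array_merge($_GET, $_POST, $_COOKIE, $_FILES, $_ENV,
        (isset($_SESSION) && is_array($_SESSION)) ? $_SESSION : array());
    $keep  = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                   '_ENV', '_SERVER', '_REQUEST', '_SESSION');
    foreach (array_keys($input) as $name) {
        if (!in_array($name, $keep, true) && isset($GLOBALS[$name])) {
            unset($GLOBALS[$name]);
        }
    }
}
unregister_globals();
// At this point the injected $app_path global no longer exists.

// Defence 1: unconditional assignment, as on lines 29 and 41 of index.php
// quoted above. Even without unregister_globals(), whatever a client sent
// as ?app_path=... is overwritten here before any include could read it.
$app_path    = '/';
$puntal_path = dirname(__FILE__) . $app_path;

// $puntal_path is now a local directory derived from the script's own
// location, regardless of the request, which is why the reported
// "remote file inclusion" cannot occur through these two variables.
```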