Did you enjoyed our previous "PHP filesystem attack vectors" research? This is the second part and continuation of that paper and highlight new ways to evade filters using some path normalization issues. Have a nice reading!
Did you enjoyed our previous "PHP filesystem attack vectors" research? This is the second part and continuation of that paper and highlight new ways to evade filters using some path normalization issues. Have a nice reading!
Do you remember FormMail? I hope so. It's PERL code belonging to the past, the glorious 1995 Internet era. FromMail is a CGI script used to create contact forms, but not a common one, it's historical with millions of downloads and has a dedicated Wikipedia page (http://en.wikipedia.org/wiki/FormMail). By the way it's still used in both small and big deployments. FromMail development stopped in 1996, with the exception of security updates and the last security issue is from April 19, 2002. Now one could expect a software to be bugfree after 13 years of feature freeze and "stable" status. Well.. this is why we are here : ) Don't expect code execution, just enjoy the reading.
Multiple Vulnerabilities exist in Zabbix front end software ranging from Remote Code Execution (RCE), to Cross Site Request Forgery (CSRF) and Local File Inclusion (LFI).
On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I found some time before that was a new attack vector for filesystem functions (fopen, (include|require)[_once]?, file_(put|get)_contents, etc) for the PHP language. It was a path normalization issue and I asked them to keep it "secret" [4], this was a good idea cause my analisys was mostly incomplete and erroneous but the idea was good and the bug was real and disposable.
Finally back from CCC Conference 2008, thanks Berlin you always provide heaps of fun!
Last week we released on Bugtraq and FD an advisory about a remote command execution in Moodle 1.9.3. Unluckily the vendor refused to issue a security release to allow an easy fix of the problem since there are too many issues related to register_globals On in Moodle. We strongly advise end users to manually disable the vulnerable code removing the file "filter/tex/texed.php" ad exploits are emerging in the wild.
@System ha organizzato il giorno 11 Dicembre 2008, presso il Dipartimento di Informatica dell'Universita' di Pisa, un workshop al quale abbiamo contribuito come relatori proponendo due diversi seminari. Di seguito potete trovare entrambe le presentazioni in formato PDF.
Luckily sometimes there's the time to publish advisories and do the lengthy "responsible"-disclosure process. Antonio discovered multiple vulnerabilities in Collabtive, a project management software, ranging from a stored XSS, an authentication bypass that lead to the creation of additional administrative users to an arbitrary file upload vulnerability mixed with weak seeding. Have a good reading.
[Note: safely skip the descriptive part and go directly to the tool if you already know how PHP does session handling.] Sessions are a great feature as they allow developers to store sensitive data for a limited amount of time (the session lifetime) without having to ping-pong the whole dataset to and from the client. A session mechanism can be implemented at the "user" level in the application code but most of the languages used to develop web applications provide various build-ins to accomplish the task. This is the case of PHP and its famous "session" module (Session Support in phpinfo()). The $_SESSION array can be used transparently and the session has just to be started with session_start() (or even automatically started at the configuration level with session.auto_start).
http://dl.google.com/update2/installers/ChromeSetup.exe (It's - naturally - just the loader.)