Re: Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

[ascii <ascii () katamail com>]

Siegfried wrote:

> if(!empty($chemin)) $chemin = stripslashes($chemin); 
> else $chemin = $depart;
[..]
> $chemintotal = $chemin;
[..]
> $handle  = @opendir($chemintotal);
> $file    = @readdir($handle);

> This poor check doesn't secure anything as it doesn't check slashes, and
> it's useless, BUT this isn't just a directory traversal as you can do
> http://[target]/dir.php?chemin=/etc/
> and it works as well..

hi Siegfried,

imho there is no check at all (and stripslashes() is called only to
make the script work smooth with magic_quotes on environments)

the error suppression shows the poor quality of this code

also this code seems to relay on register_globals on..

anyway i found only one location mentioning this script and on the
comment board there is a post dated 21/04/03 23:14 about $chemin
security

> je propose de mettre ces 2 ligne (à la ligne 12 de dir.php)
> $chemin=ereg_replace ("..\/", "", $chemin); $chemin=ereg_replace
> ("..\%2F", "", $chemin); normalement ca devrait bloquer les petits
> malins :)

http://www.phpscripts-fr.net/commentaires/commentaires_scripts.php?nom=933

so this bug is pretty old and the script seems to be unmaintained

regards, ascii, http://www.ush.it

ps: i haven't verified nor downloaded "ExplorerXP", but obviously i
completely trust your code snippet : )

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/