Full Disclosure mailing list archives
Re: Re: Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature
From: "Siegfried" <admin () zone-h fr>
Date: Sun, 2 Apr 2006 08:21:02 +0200 (CEST)
Yes, like you said there is no check, because the stripslashes is a joke. And yes, this script isn't famous at all, but it was just to show a recent example of an error in the advisory, even if this one is just a detail.

There are some people who publish really many XSS/SQL injection advisories, but really MANY, you all saw it. I'm quite sure some of them just use their browser to "audit" them (like other people use fuzzers for other stuff). I don't criticize their work, but I'm more than sure that some of them provide incomplete and/or incorrect information because they didn't look well. If they audit with their browser and have a PHP version installed older than PHP 5.1.2, they may post an XSS advisory while it was something really different, or just _nothing_, because it was the XSS in the PHP error message, like that example of the Guppy directory traversal.

Well, there is no need to talk more about it in my opinion. End of thread for me :)

Siegfried
From: ascii <ascii_at_katamail.com>
Date: Sun, 02 Apr 2006 04:06:18 +0200

Siegfried wrote:
>     if(!empty($chemin)) $chemin = stripslashes($chemin); else $chemin = $depart;
>     [..]
>     $chemintotal = $chemin;
>     [..]
>     $handle = @opendir($chemintotal);
>     $file = @readdir($handle);
>
> This poor check doesn't secure anything as it doesn't check slashes, and it's useless, BUT this isn't just a directory traversal as you can do http://[target]/dir.php?chemin=/etc/ and it works as well..

Hi Siegfried,

IMHO there is no check at all (and stripslashes() is called only to make the script work smoothly with magic_quotes on environments). The error suppression shows the poor quality of this code. Also this code seems to rely on register_globals on..

Anyway I found only one location mentioning this script, and on the comment board there is a post dated 21/04/03 23:14 about $chemin security:

    I suggest adding these 2 lines (at line 12 of dir.php):
    $chemin=ereg_replace ("..\/", "", $chemin);
    $chemin=ereg_replace ("..\%2F", "", $chemin);
    Normally that should block the smart alecks :)

http://www.phpscripts-fr.net/commentaires/commentaires_scripts.php?nom=933

So this bug is pretty old and the script seems to be unmaintained.

Regards,
ascii, http://www.ush.it

PS: I haven't verified nor downloaded "ExplorerXP", but obviously I completely trust your code snippet : )
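The dir.php fragment quoted above hands $chemin straight to opendir(), and the comment-board patch only strips "../" substrings. As an added example (not ExplorerXP's code nor either poster's), this is how a defender would constrain the parameter instead: resolve it relative to the configured $depart directory with realpath() and accept only a canonical path that is the base or lies inside it. The function name resolve_browse_dir and the temp-directory demo are assumptions for this illustration.

```php
<?php
// Added example: safe handling of a user-supplied directory parameter.
// Assumes $depart is the directory the listing must never leave.

function resolve_browse_dir(string $depart, ?string $chemin): ?string
{
    // Canonicalise the base first so symlinks in it compare consistently.
    $base = realpath($depart);
    if ($base === false) {
        return null;                       // misconfigured base: refuse
    }
    // No value supplied: fall back to the base, as dir.php does with $depart.
    if ($chemin === null || $chemin === '') {
        return $base;
    }
    // realpath() refuses NUL bytes (PHP 8 throws); reject them explicitly.
    if (strpos($chemin, "\0") !== false) {
        return null;
    }
    // Always interpret the request relative to the base. An absolute value
    // such as "/etc/" therefore becomes "<base>//etc/", which is not a real
    // directory under the base and is rejected below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $chemin);
    if ($candidate === false) {
        return null;                       // does not exist, or unreadable
    }
    // The canonical result must be the base itself or a descendant of it.
    if ($candidate !== $base
        && strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // "../" style escapes land here
    }
    return $candidate;
}

// Constructed demonstration: a throwaway base directory with one subdir.
$depart = sys_get_temp_dir() . '/explorer_demo';
@mkdir($depart . '/sub', 0700, true);

// Only "sub" (and an empty value) should be accepted; the rest are refused.
foreach (['', 'sub', '/etc/', '../', 'sub/../../', '....//'] as $req) {
    $dir = resolve_browse_dir($depart, $req);
    printf("%-12s => %s\n", var_export($req, true),
           $dir === null ? 'REJECTED' : $dir);
}
```

Because the check compares canonical paths rather than searching for "../" substrings, encodings and repeated-dot tricks do not need separate handling; anything that does not resolve to a directory inside the base is refused.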
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Re: Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature Siegfried (Apr 01)
- Re: Re: Re: Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature Jasper Bryant-Greene (Apr 01)