Re: Re: Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

["Siegfried" <admin () zone-h fr>]

Yes like you said there is no check, because the stripslashes is a joke.
And yes this script isn't famous at all, but it was just to show a recent
example of an error in the advisory, even if this one is just a detail

There are some people who publish really many xss/sql injection
advisories, but really MANY, you all saw it, i'm quite sure some of them
just use their browser to "audit" them (like other people use fuzzers for
other stuff), i don't criticize their work, but i'm more than sure that
some of them provide incomplete and/or incorrect informations because they
didn't look well.

if they audit with their browser and have a php version installed older
than php 5.1.2, they may post a xss advisory while it was something really
different, or just _nothing_ because it was the xss in the php error
message, like that example of the Guppy directory traversal.

well there is no need to talk more about it in my opinion
end of thread for me :)

Siegfried

> From: ascii <ascii_at_katamail.com>
> Date: Sun, 02 Apr 2006 04:06:18 +0200
>
> Siegfried wrote:
>
> > if(!empty($chemin)) $chemin = stripslashes($chemin);
> > else $chemin = $depart;
> [..]
> > $chemintotal = $chemin;
> [..]
> > $handle = @opendir($chemintotal);
> > $file = @readdir($handle);
>
> > This poor check doesn't secure anything as it doesn't check slashes, and
> > it's useless, BUT this isn't just a directory traversal as you can do
> > http://[target]/dir.php?chemin=/etc/
> > and it works as well..
>
> hi Siegfried,
>
> imho there is no check at all (and stripslashes() is called only to
> make the script work smooth with magic_quotes on environments)
>
> the error suppression shows the poor quality of this code
>
> also this code seems to relay on register_globals on..
>
> anyway i found only one location mentioning this script and on the
> comment board there is a post dated 21/04/03 23:14 about $chemin
> security
>
> > je propose de mettre ces 2 ligne (&#65533; la ligne 12 de dir.php)
> > $chemin=ereg_replace ("..\/", "", $chemin); $chemin=ereg_replace
> > ("..\%2F", "", $chemin); normalement ca devrait bloquer les petits
> > malins :)
>
> http://www.phpscripts-fr.net/commentaires/commentaires_scripts.php?nom=933
>
> so this bug is pretty old and the script seems to be unmaintained
> > regards, ascii, http://www.ush.it
>
> ps: i haven't verified nor downloaded "ExplorerXP", but obviously i
> completely trust your code snippet : )

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/