Re: Multiple Vulnerabilities Sambar Webserver

2002-04-03 Thread Steven M. Christey
Tamer Sahin [EMAIL PROTECTED] said: This vulnerability already discovered in January of this year. http://www.securityoffice.net/articles/sambar/ http://www.securityfocus.com/bid/3885 According to the vendor's security page (http://www.sambar.com/security.htm), this is a different issue. The

Re: [Full-Disclosure] iDEFENSE Security Advisory 09.18.2002: Security Vulnerabilities in OSF1/Tru64 3.

2002-09-19 Thread Steven M. Christey
KF asked: How is this different from what we disclosed? http://packetstorm.decepticons.org/advisories/misc/TRU64_advisory.txt This advisory does not have specific details, besides the overflow through the NLSPATH environment variable, and it isn't clear whether NLSPATH affects *all* the

Re: Oracle Security Contact

2002-11-06 Thread Steven M. Christey
On the full-disclosure list, low halo asked: Could someone please give me the security contact address for Oracle Corporation? It seems as though their marketing department's Unbreakable slogan makes them think that it's OK to bury their security advisories contact info deep within their site

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Thread Steven M. Christey
For a small data point regarding the need to (somehow) address XSS vulnerabilities: according to CVE statistics, XSS issues are the second most frequently reported vulnerability type this year [1], behind buffer overflows (though new flavors of overflows help to maintain that #1 position.) Note:

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-13 Thread Steven M. Christey
While this thread has been focused on scripting languages and cookie theft, that's not the only issue to be concerned about with XSS. Being able to place arbitrary HTML into an intermediate web page is dangerous for other reasons (this is sometimes called HTML injection, but I view it as another

Re: MS02-064 fix time

2002-11-17 Thread Steven M. Christey
David Litchfield said: I warned MS of this back in on September 6th 1999 whilst 2k was still in BETA (See the bottom of the following mail) http://security-archive.merton.ox.ac.uk/bugtraq-199909/0145.html I wonder if this is the longest time it has taken for a fix to be made public after

Directory Traversal Vulnerabilities in FTP Clients

2002-12-11 Thread Steven M. Christey
___ Summary __ Title: Directory Traversal Vulnerabilities in FTP Clients Date: December 10, 2002 Author: Steve Christey ([EMAIL PROTECTED]) Revision: 1.3 Product: Multiple FTP and web clients
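The advisory's core point is that an FTP or web client must not trust the filenames a server hands back (NLST/LIST output, Content-Disposition names) before using them as local paths. The following is an added example written for this page, not code from the advisory or from any of the affected clients; the sample NLST names are constructed to cover the variants (relative traversal, backslash form, absolute path, drive letter, NUL, bare ".."), and the download directory is the system temp directory only so the script runs anywhere.

```php
<?php
declare(strict_types=1);

// Constructed sample of what a hostile server could return to NLST.
// These are not captured responses; they illustrate the classes of
// names a client must refuse to use as local paths.
const SAMPLE_NLST = [
    "report.txt",
    "../../.bashrc",          // classic relative traversal
    "..\\..\\win.ini",        // backslash form, honoured by Windows clients
    "/etc/passwd",            // absolute path
    "C:\\boot.ini",           // drive-letter prefix
    "notes.txt\0.exe",        // NUL: the local API sees "notes.txt"
    "..",                     // bare parent directory
];

/**
 * Return a local filename derived from a server-supplied name, or null
 * when the name must be rejected. The client, not the server, chooses
 * the directory, so any separator in the name is grounds for rejection.
 */
function safe_local_name(string $remote): ?string
{
    if ($remote === '' || $remote === '.' || $remote === '..') {
        return null;
    }
    // Either separator style means the server is choosing a directory.
    if (strpbrk($remote, "/\\") !== false) {
        return null;
    }
    // NUL and other control bytes truncate or confuse filesystem calls.
    if (preg_match('/[\x00-\x1f\x7f]/', $remote)) {
        return null;
    }
    // Windows drive prefix ("C:") and reserved device names.
    if (preg_match('/^[a-z]:/i', $remote)) {
        return null;
    }
    if (preg_match('/^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.|$)/i', $remote)) {
        return null;
    }
    return $remote;
}

/** Build the path a client should write to, or null to refuse the file. */
function save_path(string $downloadDir, string $remote): ?string
{
    $name = safe_local_name($remote);
    if ($name === null) {
        return null;
    }
    $dir = realpath($downloadDir);
    if ($dir === false) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

foreach (SAMPLE_NLST as $remote) {
    $path = save_path(sys_get_temp_dir(), $remote);
    printf("%-24s => %s\n", json_encode($remote), $path ?? 'REJECTED');
}
```

Rejecting rather than flattening (basename) is deliberate: a name like "../../.bashrc" silently becoming ".bashrc" still lets the server pick a meaningful name in the user's download directory, and a client that logs the rejection gives the user a chance to notice a hostile server. The same check belongs in front of whatever a web client takes from a Content-Disposition header.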

An Alternate View of Recently Reported PHP Vulnerabilities

2003-04-04 Thread Steven M. Christey
Recently, there has been a bit of commentary on certain vulnerabilities that have been reported for the PHP language. Whether these issues should be blamed on PHP itself or not, they may be of some concern to PHP *application* developers and auditors. This is a bit pointless, IMHO. [snip] If

Re: Cross-Site Scripting in Unparsable XML Files (GM#013-IE)

2003-06-24 Thread Steven M. Christey
Matt Moore said: I also reported this to Microsoft - sometime around May or June 2002... I copied Steve Christey at Mitre on a couple of the emails I can confirm that on July 19, 2002, Matt CC'ed me on an email to the Microsoft Security Response Center in which Matt asked about when his

Re: TA-2003-06 Directory Traversal Vulnerability in iWeb Server

2003-06-27 Thread Steven M. Christey
There are so many variants to directory traversal vulnerabilities, especially in web servers and other software where encoding and canonicalization is such a factor, that I have seen a number of confusing cases such as this. It definitely helps when the researcher who discovers a new variant

On Interpretation Conflict Vulnerabilities

2005-11-03 Thread Steven M. Christey
In a post SEC-CONSULT-SA-20051021-0: Yahoo/MSIE XSS, Bernhard Mueller said: SEC-Consult believes that input-validation thru blacklists can just be a temporary solution to problems like this. From our point of view there are many other applications vulnerable to this special type of problem where

Format String Vulnerabilities in Perl Programs

2005-12-02 Thread Steven M. Christey
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* Format String Vulnerabilities in Perl Programs *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* Author: Steve Christey Date: December 2, 2005 ** Table

Re: Re: [KAPDA::#16] - SMF SQL Injection

2005-12-12 Thread Steven M. Christey
substr(strtolower($_REQUEST['start']), 0, 1) So, the string is set to lower case, and then only the FIRST letter is used within the query. How can anyone exploit the database with a one character insertion? Of course this is within single quotes as well, so it cannot even be a command. This

Disclosure timelines from vendors - a promising practice?

2005-12-14 Thread Steven M. Christey
I was just browsing the Red Hat bug report for the mod_imap XSS issue (CVE-2005-3352). In it, they included a disclosure timeline (possibly from Apache, this is not clear). I've only seen a handful of disclosure timelines by a vendor. But in my opinion, it should be more widely adopted by

Re: IMOEL CMS Sql password discovery

2005-12-14 Thread Steven M. Christey
Hello, IMOEL CMS has the weakness to download the plain text sql password in the setting.php file */* $setting['host']['username'] = 'sqlusername'; $setting['host']['password'] = 'sqlpassword'; *** so u can download the

Re: Fullpath disclosure in roundcube webmail

2005-12-17 Thread Steven M. Christey
I try this request in my mailbox http://.com/roundcube/?_auth=cf559dcf52d8801ccd51cd1f3ba3eca08d1b0bce&_task=ma%60il then roundcube shows this warning For the 3 people who might care about the distinction (e.g. vuln DBs who exclude path disclosure), this appears to be a custom error

Open Letter on the Interpretation of Vulnerability Statistics

2006-01-05 Thread Steven M. Christey
Open Letter on the Interpretation of Vulnerability Statistics --- Author: Steve Christey, CVE Editor Date: January 4, 2006 All, As the new year begins, there will be many temptations to generate, comment, or report on vulnerability

Re: Html_Injection in vBulletin 3.5.2

2006-01-10 Thread Steven M. Christey
This appears to be the same vulnerability as that reported to Bugtraq by trueend5 of KAPDA on January 1: BUGTRAQ:20060106 [KAPDA::#19] - Html Injection in vBulletin 3.5.2 URL:http://www.securityfocus.com/archive/1/archive/1/420663/100/0/threaded In fact, the text is exactly the same, as is

Re: Microsoft knew about the WMF flaw for years

2006-01-20 Thread Steven M. Christey
Throughout all this discussion, we should not forget that it was not just Microsoft, but other developers who appear to have implemented and preserved this same WMF functionality over the years, e.g. Wine. The problem might have originated with Microsoft's design choices way back when, but few

Blacklist defenses as a breeding ground for vulnerability variants

2006-02-03 Thread Steven M. Christey
David Litchfield recently provided a detailed description of a number of vulnerabilities in Oracle PLSQL Gateway. He showed how, each time the blacklist defense was modified, he was able to find a new variant that worked around the more restrictive blacklist. This type of pattern has emerged

Re: [myimei]MyBB 1.0.2 XSS attack in search.php

2006-02-08 Thread Steven M. Christey
The advisory says: Status: patched in 1.0.3 ... ?Solution??? No Patch available. (bug reported to vendor today) I'm confused. One part of this advisory says there's a patch available, one part says there isn't. (By the way, this is an example of the inconsistent property of security

On the 0-day term

2006-02-14 Thread Steven M. Christey
In the Internet Explorer dragdrop 0day thread, Gadi Evron said: In my opinion, this comes to prove 0days are USUALLY a myth (WMF being a good example of a real 0day), It's not necessarily that 0-days are a myth, it's that people have been using the term 0-day to mean two separate things: -

What is the state of vulnerability research?

2006-02-16 Thread Steven M. Christey
This is a series of open questions to people who consider themselves to be vulnerability researchers. Hopefully this will open a number of fruitful public discussions. 1) What is the state of vulnerability research? 2) What have researchers accomplished so far? 3) What are the greatest

Re: Internet Explorer Phishing mouseover issue

2006-02-23 Thread Steven M. Christey
The http-equiv and Gandalf examples are very similar, but I think there might be some important distinctions. 1) The http-equiv example (CVE-2004-1104) uses a BASE tag with an href attribute. In the form, the A tag has an href= without a value. The value of the BASE HREF is displayed on

Re: ArGoSoft FTP server remote heap overflow

2006-03-01 Thread Steven M. Christey
A buffer overflow in DELE was originally reported to Bugtraq by CorryL in March 2005, for ArGoSoft FTP 1.4.2.8 (CVE-2005-0696): http://www.securityfocus.com/archive/1/392653 According to CorryL's disclosure timeline, no patch had been released by the disclosure date. So, is this a

Re: php create_function command injection vulnerability

2008-09-29 Thread Steven M. Christey
There are two main takeaways from this advisory: 1) PHP application programmers can and will misuse this function (CVE-2008-4096, CVE-2007-5423), but most PHP code auditors probably don't check for it yet. So it's good for awareness. 2) Any language that has an equivalent capability for

Re: [Full-disclosure] Universal Website Hijacking by Exploiting Firewall Content Filtering Features + SonicWALL firewalls 0day

2008-11-04 Thread Steven M. Christey
Adrian P said: Regarding the paper, well, it can be useful for people who want to find a similar issue in their firewall/proxy appliances. Don't you think? Aleph One's paper on stack smashing, Tim Newsham's on format strings, Shaun Clowes' on PHP issues - not to mention a bunch of others -

Re: histhost v1.0.0 xss and possible rmdir

2006-03-14 Thread Steven M. Christey
retard said: as you see line 19 raises suspicion of the possibility of rming 0777 dirs i've tried it on my personal server with no success, if someone knows of a way let me know. According to the PHP manual, rmdir only works on empty directories. Did you try to remove an empty directory? -

Re: Sudo tricks

2006-03-28 Thread Steven M. Christey
So, in other words, all you need in order to get root access is a rootkit, your shell script, and root access? Ummm... I don't get it. I was also confused by this. However, one guess is that by compromising an unprivileged account and creating command aliases to run trojaned su and sudo

Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

2006-04-01 Thread Steven M. Christey
In a post-disclosure analysis [1] of a security issue announced by rgod [2], Siegfried observed that the reported XSS actually originated from a file inclusion vulnerability, in which the XSS was reflected back from an error message when the file inclusion failed: About the xss, it is an xss in

Re: On product vulnerability history and vulnerability complexity

2006-04-03 Thread Steven M. Christey
On Mon, 3 Apr 2006, Gadi Evron wrote: Looking at Microsoft's software of today, it is extremely well-written and professional. Far beyond that of most others. Finding vulnerabilities in them is extremely difficult. Most vulnerabilities you will find will be logical in nature and not easy. A

Re: FleXiBle Development Script Remote Command Execution And XSS Attacking

2006-04-09 Thread Steven M. Christey
Hello botan, I have some questions about this report. Web: http://www.ahbruinsma.nl This web site requires a login. Even the front page is not accessible. FleXiBle Development (FXB) Is this a product, service, or a single web site? There is very little information in Google. //Defining

Re: function *() php/apache Crash PHP 4.4.2 and 5.1.2

2006-04-12 Thread Steven M. Christey
Michal Zalewski asked: ...but how come there's no CVE entry for the bash script in my signature? To which I'll answer the underlying question, i.e. why assign a CVE identifier to what appears to be a non-vulnerability? 1) To clarify: while we changed the CVE naming scheme in October 2005 so

Re: Multiple vulnerabilities in Blur6ex

2006-04-13 Thread Steven M. Christey
The XSS issue in the shard parameter appears to be resultant from a more serious file inclusion vulnerability. This is the kind of diagnosis error that I have mentioned in the past [1]. Notice that the error message shows that it took the shard parameter and directly inserted it into a filename

Re: QuickBlogger v1.4 Cross-Site Scripting

2006-04-15 Thread Steven M. Christey
This is yet another case where XSS is resultant from a more serious issue. The primary issue here involves local file inclusion. retrogod-style attacks might be feasible by injecting PHP code into text-based data files within the application, then including those text files using this issue;

Re: CuteNews 1.4.1 = Cross Site Scripting

2006-04-20 Thread Steven M. Christey
Exploit: http://www.example.com/index.php?mod=editnews&action=editnews&id=1145397112&source=[XSS] This XSS is likely resultant from a more serious issue in which the $source variable is not being validated, so it is subject to attacks such as directory traversal. Given the program's assumption of

Re: Invision Vulnerabilities, including remote code execution

2006-04-26 Thread Steven M. Christey
sources/action_public/search.php line 1261 $this->output = preg_replace( #(value=[\']{$this->ipsclass->input['lastdate']}[\'])#i, \\1 selected='selected', $this->output ); ... an #e modifier is added and then %00 used which will be parsed as a null byte and truncate the string thus

Re: Instant Photo Gallery = Multiple XSS

2006-04-27 Thread Steven M. Christey
security curmudgeon mentioned: /portfolio.php?cat_id=[XSS] Based on source inspection of 1.0.2, this parameter is cleansed. line 31 of portfolio.php says: $catId = $dbFilter->db_clean_input($_GET['cat_id'], 'integer'); which looks like it's going to do input validation as an integer.

Re: Recent Oracle exploit is _actually_ an 0day with no patch

2006-04-28 Thread Steven M. Christey
The recent Oracle exploit posted to Bugtraq (http://www.securityfocus.com/archive/1/431353) is actually an 0day and has no patch. The referenced exploit seems to use GET_DOMAIN_INDEX_METADATA with a TYPE_NAME that references an attacker-defined package with a (modified?) ODCIIndexGetMeta

Dynamic Evaluation Vulnerabilities in PHP applications

2006-05-03 Thread Steven M. Christey
-- Dynamic Evaluation Vulnerabilities in PHP applications -- Following is a brief introduction to a growing class of serious vulnerabilities in PHP applications. They can allow execution of

Re: ISA Server 2004 Log Manipulation

2006-05-05 Thread Steven M. Christey
There is a Log Manipulation vulnerability in Microsoft ISA Server 2004, which when exploited will enable a malicious user to manipulate the Destination Host parameter of the log file. ... We were able to insert arbitrary characters, in this case the ASCII characters 1, 2, 3 (respectively) into

Re: ISA Server 2004 Log Manipulation

2006-05-09 Thread Steven M. Christey
You can insert the 'tab' value and possibly break 3rd party log analyzers. OK, this makes sense - if ISA supports tab-separated format, then tab is a special character within such a log file, and attackers should be prevented from injecting it (by filtering, quoting, whatever...) Other
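The reply above makes the general point: in a tab-separated log, a tab (and a newline) inside an attacker-controlled field is a record-structure character and has to be neutralised before the line is written. The following is an added example for this page, not code from ISA Server or from the advisory; the four-column layout, the field names and the hostile hostname are constructed for the demonstration. It shows a naive writer producing a forged second record that a column-counting parser accepts as genuine, and a writer that percent-encodes separators and control bytes so the record stays a single line and the value is recoverable with rawurldecode().

```php
<?php
declare(strict_types=1);

// Constructed record layout for the example; not ISA's real log schema.
const FIELDS = ['client_ip', 'dest_host', 'dest_port', 'action'];

/** Naive writer: joins the raw values with the separator character. */
function write_record_naive(array $values): string
{
    return implode("\t", $values) . "\n";
}

/**
 * Percent-encode tab, CR, LF, NUL, every other control byte and '%'
 * itself, so the encoding is unambiguous and reversible for a parser.
 */
function escape_field(string $v): string
{
    return preg_replace_callback(
        '/[\x00-\x1f\x7f%]/',
        fn(array $m) => sprintf('%%%02X', ord($m[0])),
        $v
    );
}

/** Hardened writer: every field is neutralised before the join. */
function write_record_safe(array $values): string
{
    return implode("\t", array_map('escape_field', $values)) . "\n";
}

/** A typical column-counting analyser: one line is one record. */
function parse_log(string $log): array
{
    $records = [];
    foreach (explode("\n", rtrim($log, "\n")) as $line) {
        $cols = explode("\t", $line);
        $records[] = count($cols) === count(FIELDS)
            ? array_combine(FIELDS, $cols)
            : ['_malformed' => $cols];
    }
    return $records;
}

// Constructed hostile "Destination Host": the tabs complete the current
// record and the newline starts a forged one that appears to come from
// another client. The trailing real fields (80, Allowed) line up so the
// forged record has exactly four columns and parses cleanly.
$evil = "example.com\t80\tAllowed\n10.0.0.1\tintranet";
$row  = ['198.51.100.7', $evil, '80', 'Allowed'];

echo "naive writer:\n";
print_r(parse_log(write_record_naive($row)));   // two records, second forged

echo "hardened writer:\n";
print_r(parse_log(write_record_safe($row)));    // one record, dest_host encoded
echo rawurldecode(parse_log(write_record_safe($row))[0]['dest_host']), "\n";
```

Filtering (dropping the bytes) would also keep the record intact, but encoding preserves evidence of what the attacker sent, which is what an analyst wants from a log in the first place.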

Re: Phil's Bookmark script admin By-pass

2006-05-09 Thread Steven M. Christey
google dork : Phil's Bookmark This doesn't return anything except copies of the original Bugtraq post and a reference to a person's web site. Searching for Phil's Bookmarks found a lot of sites by people named Phil who listed their favorite bookmarks. Is there an actual product here? Or was

Re: tseekdir.cgi--Local File Include

2006-05-10 Thread Steven M. Christey
found by: BoNy-m Also apparently found by durito in September 2004, as identified in the Turbo Seek product. /tseekdir.cgi?id=1055&location=/etc/passwd%00 This is the same exploit vector as what was reported in Secunia SA12500 and BID 11163: http://www.securityfocus.com/bid/11163/exploit

Re: Oracle - the last word

2006-05-11 Thread Steven M. Christey
David Litchfield said: When Oracle 10g Release 1 was released you could spend a day looking for bugs and find thirty. When 10g Release 2 was released I had to spend two weeks looking to find the same number. This increasing level of effort is likely happening for other major widely audited

Re: mybb v1.1.1(rss.php) SQL Injection Exploit

2006-05-25 Thread Steven M. Christey
Found By: Brh CrAzY CrAcKeR $comma = " - "; ... $title .= $comma.$forum['name']; ... $comma = ", "; This code snippet sets the $comma variable to static values, so it doesn't look like the attacker can control them. Example: /rss.php?...$comma=[SQL] Given the previous code snippet, how can

Re: Destiney Rated Images Script v0.5.0 - XSS Vuln

2006-05-26 Thread Steven M. Christey
Webmaster at destiney said: I pasted the following example XSS code into both form fields, and saw no evidence of XSS vulnerabilities: <DIV STYLE="background-image: url(javascript:alert('XSS'))"> According to the XSS cheat sheet at http://ha.ckers.org/xss.html, STYLE attributes in DIV tags are

Re: my Web Server v-1.0 Denial of Service Exploit

2006-06-02 Thread Steven M. Christey
str0ke asked: Is this the same vulnerability? http://www.securityfocus.com/bid/5954 Well, let's see. Short answer is probably not because they don't seem to be the same product. The most recent disclosure points to MY Web Server at http://eitsop.s5.com/, which links to source code in a ZIP

Re: Re: # MHG Security Team --- PHP NUKE All version Remote File Inc.

2006-06-02 Thread Steven M. Christey
include("../../../mainfile.php"); include($phpbb_root_path.'common.'.$phpEx); ... in mainfile.php at lines 54-56 ... import_request_variables('GPC'); Oh, OK - now that makes sense. This looks like one aspect of the globals overwrite problem as originally documented by Stefan Esser in the

Re: # MHG Security Team --- MyBloggie 2.1.1 version Remote File Include Vulnerability

2006-06-06 Thread Steven M. Christey
nukedx said: This is not vulnerable,PHP-Nuke having a special in their files and when includes mainfile.php it overwrites the global variables and it caused to make an arbitrary file inclusion. But in MyBloggie there is no common vulnerability like it. In the source code for 2.1.1, many files

Re: Squirrelmail local file inclusion

2006-06-06 Thread Steven M. Christey
Paul Schmehl said: This is the second bug I've seen in the past week that requires register_globals to be on. Yet register_globals has been off by default for the past four years. But after a disclosure of a PHP issue with a functioning exploit, many sites are regularly hacked soon afterward.

Re: BUGTRAQ:20060611 ThWboard 3.0 = SQL Injection

2006-06-13 Thread Steven M. Christey
Exploit: http://www.example.com/showtopic.php?threadid=1&pagenum=[SQL] The same program and parameter were already reported to Bugtraq by Qex on April 19 for version 3 beta 2.84 (CVE-2006-1926). - Steve

Re: Shoutpro 1.0 Version - Remote File Include Vulnerability

2006-06-13 Thread Steven M. Christey
# if ($path){ # $ips = file("$path/lists/bannedips.php"); # } else { # $ips = file("lists/bannedips.php"); # } # if (in_array($REMOTE_ADDR,$ips)) { # echo($bannedmessage); # die; There might be a terminology problem here. I don't see how this can be used to execute code. Yes, the file() call could

Re: REMOTE FILE INCLUSION ( ALL )

2006-06-14 Thread Steven M. Christey
This post appears to have some errors. What PHP version, environment, and operating system did you use to test this? Did you use a real web site, or did you just look at the source code? When a variable is used in a require or include statement, you must make sure that the variable can be

Re: Amr Talkbox talkbox.PHP - Remote File Include Vulnerabilities

2006-06-15 Thread Steven M. Christey
SpC-x said: # Amr Talkbox talkbox.PHP - Remote File Include Vulnerabilities ... # if ($lang == "eng") { # include ("$direct/lang_eng.txt"); # } elseif ($lang == "ita") { # include ("$direct/lang_ita.txt"); However, looking at the source code as available on

Re: PHP security (or the lack thereof)

2006-06-17 Thread Steven M. Christey
Darren Reed said: From my own mail archives, PHP appears to make up at least 4% of the email to bugtraq I see - or over 1000 issues since 1995, out of the 25,000 I have saved. Do you mean the PHP interpreter? Or applications written in PHP? I'm not sure how many vulnerabilities were in

Re: aXentForum II XSS vuLLn

2006-06-22 Thread Steven M. Christey
The same executable (viewposts.cfm) and parameter (startrow) was reported by r0t at 13:49 June 15, 2006, probably Finland time: http://pridels.blogspot.com/2006/06/axentforum-ii-xss-vuln.html In fact, the Bugtraq post contains the following text, which is exactly the same as r0t's blog entry

Re: MS Excel Remote Code Execution POC Exploit

2006-06-23 Thread Steven M. Christey
* Advisories: * http://www.microsoft.com/technet/security/advisory/921365.mspx * http://www.securityfocus.com/bid/18422/ There are at least three separate Excel issues that were published in the past week. These references suggest that it's the zero-day exploit from last Friday

Re: [ECHO_ADV_34$2006] W-Agora (Web-Agora) = 4.2.0 (inc_dir) Remote File Inclusion

2006-06-27 Thread Steven M. Christey
Successful exploitation requires that register_globals= Off . That seems very strange, doesn't it? Especially if you look at the source code. Let's start with search.php, one of the vulnerable vectors: <?php ... require ("init.inc"); and in init.inc: require ("globals.inc"); ...

Re: LAMP vs Microsoft

2006-07-12 Thread Steven M. Christey
Researcher fads, differences in vendor disclosure practices, and vulnerability database editorial policies will heavily influence vulnerability statistics, to the point where comparing them is not very informative (at least, you're not getting the whole picture). You also have the challenge of

Re: XSS in JAB Guest Book

2006-12-07 Thread Steven M. Christey
function invalideregtest($input) script just check $topic by invalideregtest function I think this function just *tries* to check inputs, but doesn't succeed. Did you do any live testing using $topic ? We should expect to see more erroneous cleansing/checking functions as programmers attempt

Re: The newest Word flaw is due to malformed data structure handling

2006-12-14 Thread Steven M. Christey
Alexander Sotirov said: Descriptions of vulnerabilities, especially ones that are found in the wild, should include enough information to allow researchers to uniquely identify the new vulnerability and differentiate it from all other bugs, both known ones and 0days. I say this periodically,

Re: OpenPinboard = Remote File Include

2007-01-09 Thread Steven M. Christey
Remote file inclusion does not seem possible - the only relevant code is this: require_once("languages/$language.php"); Since the "languages/" string will always appear first, you can't inject an "http://" or similar to the front of the string, so remote file inclusion is not possible. OK, so we
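The OpenPinboard reply above, and the earlier posts on resultant XSS (the PHP-feature post of 2006-04-01, Blur6ex, QuickBlogger, CuteNews), all turn on the same code shape: a request parameter spliced into an include path. A fixed prefix stops "http://", but not "../", and the PHP warning that echoes the failed path back into the page is what gets reported as XSS. The following is an added example for this page, not code from OpenPinboard or any of the other products; the language-file layout, the writable "uploads" directory and the test inputs are constructed, and everything is created under the system temp directory and removed again so the script runs stand-alone. On PHP before 5.3.4 a %00 in the parameter would also have cut off the ".php" suffix; current PHP rejects NUL in paths, so the demonstration uses a writable .php file instead.

```php
<?php
declare(strict_types=1);

// Constructed application layout for the example.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$root/languages", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/languages/en.php", "<?php \$greeting = 'Hello';\n");
// Anything the attacker can write with a .php name (an upload dir, a log,
// a cache) is a code-execution target once traversal reaches it.
file_put_contents("$root/uploads/avatar.php", "<?php \$greeting = 'PWNED: attacker-supplied code ran';\n");

/** Vulnerable shape: a fixed prefix blocks remote URLs, nothing blocks "../". */
function load_language_vulnerable(string $root, string $language): string
{
    $greeting = '';
    $ok = @include "$root/languages/$language.php";
    // Without the @, PHP's own warning would contain $language verbatim.
    // Reproducing that message here is what the "XSS" reports were seeing.
    return $ok === false
        ? "Warning: include($root/languages/$language.php) failed"
        : $greeting;
}

/** Hardened shape: allowlist the value, then confirm the resolved path is inside the directory. */
function load_language_safe(string $root, string $language): string
{
    if (!preg_match('/^[a-z]{2}(-[a-z]{2})?$/', $language)) {
        return 'Invalid language';                  // never echo the value back
    }
    $dir  = realpath("$root/languages");
    $file = realpath("$dir/$language.php");
    if ($dir === false || $file === false
        || strpos($file, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return 'Unknown language';
    }
    $greeting = '';
    include $file;
    return $greeting;
}

$tests = [
    'en',                          // legitimate
    '../uploads/avatar',           // local traversal to attacker-written .php
    'http://evil.example/x',       // the RFI attempt the prefix does block
    '<script>alert(1)</script>',   // the reflected "XSS" symptom
];
foreach ($tests as $t) {
    printf("%-30s vulnerable: %s\n", json_encode($t), load_language_vulnerable($root, $t));
    printf("%-30s safe:       %s\n", '', load_language_safe($root, $t));
}

// Clean up the constructed layout.
unlink("$root/languages/en.php");
unlink("$root/uploads/avatar.php");
rmdir("$root/languages");
rmdir("$root/uploads");
rmdir($root);
```

The realpath containment check is the part that survives future changes to the allowlist; the regex alone would be enough here, but a later developer widening it to accept "-" or "." would otherwise reopen the traversal.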

Re: Vendor guidelines regarding security contacts

2007-01-12 Thread Steven M. Christey
On Fri, 12 Jan 2007, Ben Bucksch wrote: Steven M. Christey wrote: The US Department of Homeland Security's Vulnerability Disclosure Framework document here: http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf *cough* Full Disclosure Policy (RFPolicy) v2.0 http://www.wiretrip.net

Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL

2007-01-25 Thread Steven M. Christey
Which Oracle Vuln# does this map to? There are 2 substantial discrepancies with the most likely candidate. According to the Jan 2007 CPU: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html the only issue related to sys.dbms_capture_adm_internal is DB09.

Re: Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME

2007-01-25 Thread Steven M. Christey
Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_LOGREP_UTIL can exploit this vulnerability. Exploitation of this vulnerability allows an attacker to execute arbitrary code. This statement is inconsistent with Oracle's CPU, which states that DB08 (CVE-2007-0274) has

Re: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities

2007-02-02 Thread Steven M. Christey
Michal, iFTPAddU is for adding users, and iFTPAddH is for adding virtual hosts. These sound like administrator-level controls. Presumably, the same admin already had the access to install WS_FTP in the first place. So, it doesn't seem like these cross any privilege boundaries, so they don't

Re: local Calendar System v1.1 (lcStdLib.inc) Remote File Include

2007-02-07 Thread Steven M. Christey
On Mon, 29 Jan 2007, Simple Nomad wrote: On Mon, 2007-01-29 at 13:00 -0600, Gadi Evron wrote: How can we all automate the testing process for fake vulns in and list them as such without overburdening OSVDB, CVE, Milworm and SecuriTeam? How about letting them get posted to bugtraq as ppl

Re: Web Server Botnets and Server Farms as Attack Platforms

2007-02-13 Thread Steven M. Christey
Interesting paper, Gadi. Some thoughts: 1) It seems obvious that RFI is equivalent to remote code execution, but it's worth repeating. 2) A PHP exploit is much easier to write than a shellcode exploit. Plus, with the file inclusion, the payload is not limited in size, and you have a

Argument injection issues

2007-02-14 Thread Steven M. Christey
In a Solaris telnet vulnerability thread, Casper Dik said: It's not still in Solaris; it's the first time it occurred in Solaris; it is stupid it did but it's a typical programming error: passing unchecked arguments to a program without escaping special characters. The emerging terminology for
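The pattern named above (argument injection) is distinct from shell metacharacter injection: the value reaches the target program as a single, properly quoted argument, but the program's own option parser still treats a value that begins with "-" as an option. The following is an added example for this page, not code from Solaris telnetd or login; the stand-in option parser is a constructed getopt-style model (it knows -p, -h host, -f user and "--") used only so the effect of the built argv can be shown without executing anything, and the hostname is a placeholder.

```php
<?php
declare(strict_types=1);

/**
 * Constructed stand-in for the target's option parser. It is not login(1);
 * it only models the getopt convention that "-fuser" and "-f user" both
 * mean option f with value "user", and that "--" ends option parsing.
 */
function parse_login_argv(array $args): array
{
    $o = ['preserve' => false, 'host' => null, 'force' => null, 'user' => null];
    for ($i = 0; $i < count($args); $i++) {
        $a = $args[$i];
        if ($a === '--') {                               // end of options
            $o['user'] = $args[$i + 1] ?? null;
            break;
        }
        if (strlen($a) > 1 && $a[0] === '-') {           // an option
            $flag = $a[1];
            $rest = (string) substr($a, 2);
            if ($flag === 'p') {
                $o['preserve'] = true;
                continue;
            }
            if ($flag === 'h' || $flag === 'f') {
                $o[$flag === 'h' ? 'host' : 'force'] = $rest !== '' ? $rest : ($args[++$i] ?? null);
                continue;
            }
            throw new InvalidArgumentException("unknown option $a");
        }
        $o['user'] = $a;                                  // positional user name
    }
    return $o;
}

/** Vulnerable: no shell is involved (proc_open() accepts this array directly
 *  in PHP 7.4+), so escaping is moot, yet the value is still parsed as an option. */
function argv_vulnerable(string $user): array
{
    return ['/bin/login', '-p', '-h', 'client.example', $user];
}

/** Hardened: validate the value as a user name AND terminate option parsing.
 *  Both are needed: "--" only helps if the target honours it. */
function argv_safe(string $user): array
{
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        throw new InvalidArgumentException("rejected user name " . json_encode($user));
    }
    return ['/bin/login', '-p', '-h', 'client.example', '--', $user];
}

foreach (['alice', '-froot'] as $user) {
    $argv = argv_vulnerable($user);
    echo "vulnerable ", json_encode($argv), "\n   parsed as ",
        json_encode(parse_login_argv(array_slice($argv, 1))), "\n";
    try {
        $argv = argv_safe($user);
        echo "safe       ", json_encode($argv), "\n   parsed as ",
            json_encode(parse_login_argv(array_slice($argv, 1))), "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe       ", $e->getMessage(), "\n";
    }
}
```

For "-froot" the vulnerable argv is parsed with force => "root" and no positional user at all, which is the shape of the telnet issue; escapeshellarg() would have produced exactly the same argument. The allowlist is what closes it, and "--" is defence in depth for targets that support it.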

Re[2]: Solaris telnet vulnerability - how many on your network?

2007-02-22 Thread Steven M. Christey
Cromar Scott said: I know that my initial reaction was haven't I seen this before? but the above two are what I found in my notes when I looked back. There are at least 20 FTP server implementations that have had buffer overflows with a long USER command. HTTP GET directory traversals are

Re: iDefense Security Advisory 02.22.07: IBM DB2 Universal Database DB2INSTANCE File Creation Vulnerability

2007-02-24 Thread Steven M. Christey
A few notes on this advisory and IBM's IY94817. 1) The real IY94817 document (not the stub) requires registration to even access in the first place, which is an unfortunate practice that too many vendors undertake. The URL was also broken for some time. Now that I've registered, I

Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite

2007-03-13 Thread Steven M. Christey
Stefano Di Paola said: 1. I search on google for import_request_variables advisories (nothing found) 2. I search on php.net in changeLog for fixes (nothing found). I can see why you weren't able to find anything. However, there have been a number of disclosures that are probably related - but

Re: Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-14 Thread Steven M. Christey
3APA3A said: I. There is no symlinks under Windows. Symlink attacks are not possible. I'm not a Windows expert, but... There have been some past vulnerabilities where an attacker could upload a shortcut (.lnk) file and access files outside of the intended directory. In cases of FTP servers or

Re: Remote File Include In Script PHP Photo Album

2007-03-14 Thread Steven M. Christey
Hasadya Raed: from versions 0.3.2.6 (http://www.phpalbum.net/dw) and Beta 0.4.1-beta9 and beta8 (http://www.phpalbum.net/): 1) There is no file named common.php 2) There is no string db_file in any file Are you sure that your report is correct? - Steve

Re: [Bogus] Lazarus Guestbook (admin.php) Remote File Include Exploit

2007-03-16 Thread Steven M. Christey
Tom Walsh said: So... either it is patched in the version I am looking at (unlikely) or this is a bogus report (like god knows how many others). In this case, it looks legitimate for OLDER versions. See informal analysis below. The cause was dynamic variable evaluation, which is one of the

Re: CORE-2008-0126: Multiple vulnerabilities in iCal

2008-05-28 Thread Steven M. Christey
On Tue, 27 May 2008, security curmudgeon wrote: No mention of CVE-2008-1035 in the [CORE] advisory other than the header CVE name reference. BID seems to have split the three vulnerabilities, but given two of them the same CVE. CVE does not have descriptions open yet. The descriptions are

Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution

2008-07-25 Thread Steven M. Christey
On Fri, 25 Jul 2008, Jan Minář wrote: The commands do not have to be written there between (1) and (2), they can be in the file long before the ./configure was started -- just because the script does care whether it can write to the file at all. So unlike stated in the

Re: how to request a cve id?

2008-07-28 Thread Steven M. Christey
CVE requests can be sent to [EMAIL PROTECTED] or to me directly. My PGP key is below, or accessible from the MIT public key server. Alternately, you can request them from Candidate Numbering Authorities (CNAs) which include the security teams at Red

Re: Podium CMS - Cookie Manipulation Exploit

2007-05-09 Thread Steven M. Christey
Hello, Pardon me for being dense, but what exactly does cookie manipulation mean in this context? What is the vulnerability? Looking at the following exploit code: <input name="id" size="75" value="<meta+http-equiv='Set-cookie'+content='cookiename=cookievalue'>"> The (apparent) injection of a META

Re: Dansie Cart Script Exploit Reported

2007-06-06 Thread Steven M. Christey
This advisory is an incomplete cut-and-paste from a post to Bugtraq in April 2000 by Joe at BLARG.NET: Back Door in Commercial Shopping Cart http://archives.neohapsis.com/archives/bugtraq/2000-04/0051.html CVE-2000-0252 BID:1115 XF:dansie-shell-metacharacters(4975) - Steve

Re: PHP parse_str() arbitrary variable overwrite

2007-06-13 Thread Steven M. Christey
Nice find, although it's not really clear to me whether this is intended functionality or not. I assume it's not intended by Hardened-PHP and Suhosin, at least :) You didn't mention this, but even if register_globals is disabled, this seems to work, at least in my PHP 4.4.4. Try the code below
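The dynamic evaluation paper (2006-05-03), the PHP-Nuke import_request_variables() post (2006-06-02), Stefano Di Paola's import_request_variables() finding and the parse_str() finding replied to above are all the same class: request data chooses which variable gets written, so any variable already holding security state can be overwritten whether or not register_globals is on. The following is an added example for this page, not code from the paper or from any of the applications discussed; the page state ($is_admin, $template_dir), the allowed-parameter list and the hostile query are constructed. import_request_variables() and the one-argument form of parse_str() were removed in PHP 8, so the demonstration uses the $$ loop and extract(), which still exist and behave the same way.

```php
<?php
declare(strict_types=1);

/** Vulnerable shape: "manual register_globals" over the request array. */
function page_vulnerable(array $request): array
{
    $is_admin     = false;                    // derived from the session in a real app
    $template_dir = __DIR__ . '/templates';   // used later in an include()

    // Pattern 1: dynamic variable write. The key names the variable.
    foreach ($request as $key => $value) {
        $$key = $value;
    }
    // Pattern 2 is equivalent: extract($request); with the default
    // EXTR_OVERWRITE flag. import_request_variables('GPC') and
    // parse_str($query_string) did the same to the calling scope.

    return ['is_admin' => $is_admin, 'template_dir' => $template_dir];
}

/** Hardened shape: only expected keys, into a dedicated array, never into
 *  the scope that holds security state. */
function page_safe(array $request): array
{
    $is_admin     = false;
    $template_dir = __DIR__ . '/templates';

    $allowed = ['page' => 'index', 'sort' => 'date'];   // name => default
    $params  = [];
    foreach ($allowed as $key => $default) {
        $params[$key] = isset($request[$key]) && is_string($request[$key])
            ? $request[$key]
            : $default;
    }
    // If extract() must be used at all, EXTR_PREFIX_ALL cannot collide with
    // existing names; EXTR_SKIP is the next best choice.
    extract($params, EXTR_PREFIX_ALL, 'req');

    return [
        'is_admin'     => $is_admin,
        'template_dir' => $template_dir,
        'page'         => $req_page,
        'sort'         => $req_sort,
    ];
}

// Constructed hostile request, i.e. the decoded form of
//   ?page=index&is_admin=1&template_dir=http://evil.example/
$hostile = [
    'page'         => 'index',
    'is_admin'     => '1',
    'template_dir' => 'http://evil.example/',
];

print_r(page_vulnerable($hostile));   // is_admin => 1, template_dir => http://evil.example/
print_r(page_safe($hostile));         // is_admin => false, template_dir unchanged
```

The second overwrite is the one that matters most in the posts above: once $template_dir (or any include-path variable) is attacker-controlled, the "globals overwrite" becomes a file inclusion, and with allow_url_fopen/allow_url_include on, remote code execution.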

Re: Windows Oday release

2007-06-13 Thread Steven M. Christey
Joanna Rutkowska said: Dear all, this is not a 0day, it is a public release of a responsibly disclosed vulnerability. Yes, indeed it *seems* so: http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx The kinds of discrepancies you list are an almost daily occurrence with many

Re: New Include Redirect Bug XSS All vBulletin(r) v 3.x.x

2007-06-22 Thread Steven M. Christey
Scott MacVicar said: There is a much more significant issue than executing an XSS if you can upload a file to a remote site... XSS could be put into an image that's allowed to be uploaded, then directory traversal could be used to reference that image. The image data could be very small and

Re: PHPCentral Login Script Remote Command Execution Vulnerability

2007-08-15 Thread Steven M. Christey
Magnus Holmgren said: [the superglobals] shadow everything - you cannot define your own $_SERVER array, nor can it be overridden with HTTP GET or POST values. If that were possible, using the superglobals would be useless; all scripts would be vulnerable unless register_globals is off. This

Re: Skype Network Remote DoS Exploit

2007-08-20 Thread Steven M. Christey
The outage being experienced by Skype was apparently due to massive simultaneous reboots and reconnects after systems installed their Windows patches. from http://heartbeat.skype.com/2007/08/what_happened_on_august_16.html: The disruption was triggered by a massive restart of our users'

Re: Vulnerabilities digest

2007-08-22 Thread Steven M. Christey
On Tue, 21 Aug 2007, 3APA3A wrote: 6. Ivan Nl (http://uNkn0wn.eu) reports vulnerabilities in Linkliste 1.2, Butterfly online vistors counter 1.08, mcLinksCounter 1.2, My_REFERER 1.08. Original messages in English are available from

n.runs, Sophos, German laws, and customer safety

2007-08-28 Thread Steven M. Christey
The n.runs-SA-2007.027 advisory claims code execution through a UPX file. This claim is inconsistent with the vendor's statement that it's only a theoretical DoS: http://www.sophos.com/support/knowledgebase/article/28407.html A corrupt UPX file causes the virus engine to crash and Sophos

Re: ATutor 1.5.3 Cross Site Scripting

2006-07-22 Thread Steven M. Christey
The mentioned SQL injection vulnerability is not possible. Please remove it. Could you explain this further? In 1.5.3, edit_forum() in forums.inc.php has the following: $sql= UPDATE .TABLE_PREFIX.forums SET title='$_POST[title]', description='$_POST[body]' WHERE
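To make the disputed point concrete, here is an added example (not code from the thread or from ATutor) that reproduces the shape of the edit_forum() query against an in-memory SQLite table and runs the same POST data through a string-interpolated version and a parameterized one. Names and values are assumptions: the table prefix, the column layout, the WHERE clause (the original is truncated after WHERE) and the sample rows are all constructed here. The example also assumes the quote characters reach the query unescaped, i.e. no magic_quotes_gpc or other escaping in front of it, which is precisely what the "not possible" claim would have to rest on.

```python
import sqlite3

# Assumed table prefix; ATutor's is configurable and not shown on this page.
TABLE_PREFIX = "AT_"


def make_db():
    """Constructed sample data standing in for the forums table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        f"CREATE TABLE {TABLE_PREFIX}forums "
        "(forum_id INTEGER PRIMARY KEY, title TEXT, description TEXT)"
    )
    con.executemany(
        f"INSERT INTO {TABLE_PREFIX}forums VALUES (?, ?, ?)",
        [(1, "General", "General chat"),
         (2, "Support", "Help requests"),
         (3, "Staff", "Private staff board")],
    )
    con.commit()
    return con


def edit_forum_vulnerable(con, post):
    """Mirrors the interpolation in edit_forum(): POST fields dropped
    straight into the SQL string. The WHERE clause is an assumption since
    the quoted line is cut off after WHERE."""
    sql = (
        f"UPDATE {TABLE_PREFIX}forums "
        f"SET title='{post['title']}', description='{post['body']}' "
        f"WHERE forum_id={int(post['fid'])}"
    )
    con.execute(sql)
    con.commit()


def edit_forum_fixed(con, post):
    """Same update with bound parameters: attacker text is data, not SQL."""
    con.execute(
        f"UPDATE {TABLE_PREFIX}forums SET title=?, description=? WHERE forum_id=?",
        (post["title"], post["body"], int(post["fid"])),
    )
    con.commit()


def titles(con):
    return [r[0] for r in con.execute(
        f"SELECT title FROM {TABLE_PREFIX}forums ORDER BY forum_id")]


def demo():
    # A title that closes the string literal, supplies its own SET list and
    # WHERE clause, then comments out the remainder of the real statement.
    # The server thinks it is editing forum 2 only.
    payload = {
        "title": "pwned', description='x' WHERE 1=1 -- ",
        "body": "irrelevant",
        "fid": "2",
    }
    vuln = make_db()
    edit_forum_vulnerable(vuln, payload)
    fixed = make_db()
    edit_forum_fixed(fixed, payload)
    return titles(vuln), titles(fixed)


if __name__ == "__main__":
    v, f = demo()
    print("interpolated:", v)   # every row's title becomes 'pwned'
    print("parameterized:", f)  # only forum 2 changes, and the payload is stored literally
```

The interpolated query that actually reaches SQLite is `UPDATE AT_forums SET title='pwned', description='x' WHERE 1=1 -- ', description='irrelevant' WHERE forum_id=2`, a single valid statement whose original WHERE clause is now a comment. Whether this is reachable in a deployed ATutor depends on who may call edit_forum() and on any escaping applied before the query, which is what the reply above is asking the original poster to spell out.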

Re: HYSA-2006-008 myBloggie 2.1.3 CRLF SQL Injection

2006-07-27 Thread Steven M. Christey
--==CRLF injection==-- GET /mybloggie/ HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) Host: 127.0.0.1:80 Cookie: PHPSESSID=op0-11{}};q, or something like that Connection: Close This demonstration code does not contain any carriage return / line feed sequences. What is the

Re: Xss in MttKe-php v2.6

2006-07-31 Thread Steven M. Christey
Xss in MttKe-php v2.6 What product or web site is this? A Google search returns mostly references to the original post. - Steve

Re: Do world's famous companies take care of their security?

2006-07-31 Thread Steven M. Christey
There was discussion last week on Full-Disclosure about XSS vulnerabilities in reply to XSS vulns in PayPal and Gadi Evron suggested creation of a separate mailing list for just XSS vulnerabilities. This is definitely a growing gap in our current knowledge. I don't think it's being tracked

Re: Calendarix = 0.7 (calpath) Remote File Inclusion Vulnerability

2006-08-14 Thread Steven M. Christey
Carsten Eilers said: Take a look at the top of cal_config.inc.php: # adjust the '$calpath'. # hardcode it if detection does not work and comment out the remaining # code. # # $calpath = C:\\PHP\\calendarix\\demo\\ ; $calpath = dirname(__FILE__) ; When doing post-disclosure analysis

Re: [VulnWatch] Re: Concurrency-related vulnerabilities in browsers - expect problems

2006-08-17 Thread Steven M. Christey
Some interesting work. For those who haven't made the connection yet - concurrency issues probably go far beyond just web browsers. It's a safe bet that *any* software that's multi-threaded, multi-process, event-based, or asynchronous could have these sorts of issues. Traditional data

Re: AW: JetBox cms (search_function.php) Remote File Include

2006-08-30 Thread Steven M. Christey
Frank Reissner said: //comments function phpdigSearch(){ Line: 423 ?php include $relative_script_path.'/libs/htmlheader.php' ? ... } Please explain to us how that should be exploited. While this statement appears to be in a function declaration, there would be nested ?php

Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability

2006-09-07 Thread Steven M. Christey
This vulnerability is not that dangerous because, firstly, if you want to exploit it, you must have exact file tree and correct name of the malicious script because that variable is never used alone but always in concatenation with script name and generic extension In a typical PHP exploit

Buffer overflow term considered overloaded

2006-09-23 Thread Steven M. Christey
In Re: IE ActiveX 0day? to Bugtraq on September 18, Alexander Sotirov asked: What is your definition of memory corruption? How can a buffer overflow not be a memory corruption error? The term buffer overflow continues to be too general for the variety of issues out there. Array index/offset

Re: WebspotBlogging = 3.0 Remote File Include Vulnerabilities

2006-10-03 Thread Steven M. Christey
These vectors were previously reported in June 2006 (CVE-2006-2860) by Kacper in a milw0rm post (http://milw0rm.com/exploits/1871), for version 3.0.1. Www.Site.coM/[Path]/inc/mainheder.inc.php This appears to be a mis-spelling of mainheader.inc.php. - Steve

Re: WikyBlog = v1.4 (WN_BASEDIR) Remote File Inclusion Exploit

2006-10-06 Thread Steven M. Christey
There are some important errors in this post that appear to stem from incomplete editing of a previous advisory for an unrelated product, webnews (CVE-2006-5100). The subject line says 1.4, but the version referenced at the end of the post is 1.2.3, which is dated October 2, 2006; so there

Re: net2ftp: a web based FTP client :) = Remote File Inclusion

2006-10-09 Thread Steven M. Christey
securfrog said: i guess you should learn some PHP before posting on bugtracks ... net2ftp: a web based FTP client :) = Remote File Inclusion === you should try your PoC before posting , there's no remote file include in that code ... You are probably looking at recent versions, which don't
