IMHO it is a very common issue because it seems to be a 0day vulnerability of PHP,
and it is corrected in the last releases. I understand w3af isn't a
vulnerability exploitation framework so it may be out of the scope of the
project.
--
José Ramón Palanco
Hazent Systems S.L.

Turina 59, Las Rozas
28230 Madrid
Tel.: 91 120 18 12 ext.1000
Móvil: 622 229 707



2008/11/18 Andres Riancho <[EMAIL PROTECTED]>

> List,
>
>    In one of the latest PHP changelogs I found a reference to this
> vulnerability [0] discovered by Stefan Esser, which caught my
> attention. Almost instantly I said: "This has to be added to the
> osCommanding plugin in w3af". After some thinking... I'm not sure...
> this is a very specific PHP vulnerability, that will only work on
> *some* installations of the vulnerable PHP versions. Any ideas about
> how many of the systems with old versions of PHP are actually
> vulnerable (let's define vulnerable as: they can be exploited if they
> use any of the buggy functions)? Has anyone exploited this in
> penetration tests? Do you guys think that I should add "exploits" like
> this one to w3af plugins?
>
>    I'm open to ideas, don't be shy and share =)
>
> [0] http://seclists.org/bugtraq/2008/May/0061.html
>
> Cheers,
> --
> Andres Riancho
> http://w3af.sourceforge.net/
> Web Application Attack and Audit Framework
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
