[VIM] Re: [Change Request] 17460: Whois.Cart language Variable Traversal Arbitrary File Access (fwd)
security curmudgeon
jericho at attrition.org
Fri Jul 8 01:24:26 EDT 2005
Removed attachment per his request, but both Whois.Cart vulnerabilities
are being disputed. I am editing the OSVDB entries shortly to reflect
this.
---------- Forwarded message ----------
From: S. Alexandre M. Lemaire <saeven at saeven.net>
To: security curmudgeon <jericho at attrition.org>
Date: Fri, 8 Jul 2005 01:11:25 -0400
Subject: Re: [Change Request] 17460: Whois.Cart language Variable Traversal Arbitrary File Access
[..]
Thank you also for having pointed out the second listed vulnerability -
I'd missed that one entirely! Please find an unencoded profile.php (sent
with all trust that it shan't be disclosed) attached to this email as a sign of
good will. You will see between lines 69-72 that the input is
well-sanitized, removing all but alphanumericals and underscores with:
    if( postAssert( 'page' ) )
        $template = ereg_replace( "[^[:alnum:]_]", "", $_POST['page'] );
    else if( isset( $_GET['page'] ) )
        $template = ereg_replace( "[^[:alnum:]_]", "", $_GET['page'] );
The architecture was left open as such, in order to leave users the
ability to call other pages from the template directory directly
(profile.php is a driving page for client profiles in whois.cart) - the
sanitization prevents the obvious.
[..]
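For readers following the dispute, here is an added example (not Whois.Cart's code and not from the vendor's profile.php) showing the same allow-list filter the excerpt above applies to the page/template variable, written with preg_replace since ereg_replace is gone from modern PHP, together with a second check that confines the resolved path to the template directory. The directory name, the `.php` suffix convention and the `default` fallback are assumptions made for illustration.

```php
<?php
// Added example, not Whois.Cart's code. Demonstrates the allow-list filter from
// the profile.php excerpt plus a containment check on the resolved path.
// TEMPLATE_DIR and the ".php" suffix are assumptions for this illustration.

const TEMPLATE_DIR = __DIR__ . '/templates';   // assumed location

/**
 * Keep only ASCII letters, digits and underscore, exactly as the excerpt does.
 * '.', '/', '\\' and NUL are all dropped, so a traversal string such as
 * "../../../etc/passwd" collapses to the harmless name "etcpasswd".
 */
function sanitizeTemplateName(string $raw): string
{
    return preg_replace('/[^[:alnum:]_]/', '', $raw);
}

/**
 * Resolve a sanitized name to a file inside TEMPLATE_DIR, or return null when
 * the file does not exist or its canonical path is outside that directory.
 * This is defence in depth: if the character filter is ever loosened (for
 * example to allow sub-directories), the realpath() containment still holds.
 */
function resolveTemplate(string $name): ?string
{
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // The canonical path must sit strictly under the canonical base directory.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Same precedence as the excerpt: POST first, then GET, then a default (assumed).
$raw      = $_POST['page'] ?? $_GET['page'] ?? 'default';
$template = sanitizeTemplateName($raw);
$file     = resolveTemplate($template);

if ($file === null) {
    http_response_code(404);
    exit('Unknown template');
}
require $file;
```

The character filter alone already defeats the reported traversal; the containment check is there so that the behaviour does not silently depend on a single regular expression.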