Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability

To: maric_sasa@xxxxxxxxx
Subject: Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability
From: "Steven M. Christey" <coley@xxxxxxxxx>
Date: Wed, 6 Sep 2006 19:19:13 -0400 (EDT)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

>This vulnerability is not that dangerous because, firstly, if you want
>to exploit it, you must have exact file tree and correct name of the
>malicious script because that variable is never used alone but always
>in concatanation with script name and generic extension

In a typical PHP exploit scenario, the attacker could merely add a
null byte ("%00") to the phpbb_root_path parameter, which would then
cause the include call to ignore this extra file tree/name
information.  Is there some reason why a null byte wouldn't work in
this situation?

- Steve

Follow-Ups:
- Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability
  - From: str0ke

Prev by Date: [USN-342-1] PHP vulnerabilities
Next by Date: SECURITY.NNOV: Panda Platinum Internet Security privilege escalation / bayesian filter control security vulnerabilities
Previous by thread: [USN-342-1] PHP vulnerabilities
Next by thread: Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability
Index(es):
- Date
- Thread