Open Source and information security mailing list archives
Date: Sat, 28 Oct 2006 16:59:17 -0000 (GMT)
From: simo@...x.org
To: bugtraq@...urityfocus.com
Subject: Re: phpAdsNew-2.0.8 <= (adlayer.php) Remote File Include

Already reported a year ago by Maksymilian Arciemowicz.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2635
http://www.securityfocus.com/bid/14584
http://securityreason.com/achievement_securityalert/21

> Sorry this report is bogus..
> the only require/include statement that utilizes that variable is line
> 188:
> require(phpAds_path.'/libraries/layerstyles/'.$layerstyle.'/layerstyle.inc.php');
>
> The only possibility is local file include, with null byte bug in php
> interpreter.
>
> But local file include is thwarted with a regular expression.
>

--
Simo Ben youssef
MorX Security Research Team
www.morx.org
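The kind of check the quoted reply refers to, a pattern test on `$layerstyle` before the `require` on line 188, written out as an added example; it is not part of this message and not phpAdsNew's own code. The pattern, the function name `resolve_layerstyle`, the sample inputs and the temporary directory are all assumptions made for illustration.

```php
<?php
/**
 * Return the file to include for a requested layer style, or null when
 * the request must be rejected. $base stands in for
 * phpAds_path.'/libraries/layerstyles' (assumed layout).
 */
function resolve_layerstyle(string $layerstyle, string $base): ?string
{
    // 1. Allow-list the name. \A and \z anchor the whole string; a bare
    //    "$" would also match just before a trailing newline. NUL bytes,
    //    slashes, dots and URL schemes all fail this test.
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/i', $layerstyle) !== 1) {
        return null;
    }

    // 2. A constant local prefix means the path can never be a URL;
    //    realpath() also confirms the file exists and resolves symlinks.
    $resolved = realpath($base . '/' . $layerstyle . '/layerstyle.inc.php');
    $root = realpath($base);
    if ($resolved === false || $root === false) {
        return null;
    }

    // 3. Containment: the resolved path must still sit under the base.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed test tree with a single valid style named "simple".
$base = sys_get_temp_dir() . '/layerstyles_demo_' . getmypid();
@mkdir($base . '/simple', 0700, true);
file_put_contents($base . '/simple/layerstyle.inc.php', "<?php\n");

// Constructed inputs: one valid name, then values the check must refuse.
$inputs = ['simple', "../../outside\0", 'http://example.invalid/x?', "simple\n", 'missing'];
foreach ($inputs as $in) {
    $out = resolve_layerstyle($in, $base);
    printf("%-32s => %s\n", json_encode($in), $out === null ? 'rejected' : 'accepted');
}
```

Only `simple` is accepted; the last input passes the pattern but is refused because no such style directory exists.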