[Full-Disclosure] Re: VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!!

From: Rudolf Polzer (divzero_at_gmail.com)
Date: 07/03/04

Next message: Merkur John Maclang: "Re: [Full-Disclosure] Successful in blocking all known exploits"

Previous message: J.A. Terranson: "Re: [Full-Disclosure] Successful in blocking all known exploits"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: full-disclosure@lists.netsys.com
Date: Sat, 3 Jul 2004 18:19:59 +0200

On Sat, 3 Jul 2004 06:40:55 +0200, Frog M@n <frogman@bonbon.net> wrote:
> This is IHCTEAM material. We *** blackhats and we own the planet.
> This is a leet advisory, s0 l33t. Just read it and be quiet.

Not at all. But it's always good to mention the Nr. 1 security
nightmare people produce with scripting language. Good job.

> There is a BIGBUG in all php versions, in the include() function.
> If this function is badly used, a roxor hax0r (like us) can compromise
> a box remotely. He can execute commands with apache rights.

If it's badly used, the author of the script should get another job.

> index.php:
> ...
> include($page); // <--- fucking lame
> ...

Just because many PHP programmers are fucking idiots you cannot blame
that on PHP.

> <?
> system("$cmd");
> ?>

So your next advisory will be about a BIGBUG in system() - when badly
used, an attacker can execute arbitrary code on your webserver?

We all already know that. Really.

> Don't use the include() function, it is coded by idiots, like THEO@openbsd.

No. Do not use the include() function with unchecked untrusted input,
for it will do what the documentation says.

> We owned everything and everywhere with this exploit:
> www.apache.org
> www.debian.org
> www.nasa.gov

If that is true (proof?), it should appear in the news soon.

> WE ARE LOOKING FOR A JOB IN THE SECURITY RESEARCH

lol, after THIS el-cheapo "security advisory"? Get a life. Find a real bug.

--
< polzer> besonders krank ist jedoch Kenny nach einer Basistransformation...
< polzer> Zcssczcssszszsz cscccczzzzzz zcszzc ccczsczcs.
< polzer> (ROT13)^{-1} Kenny ROT13
< polzer> .oO( fpbecker sucht das inverse Programm zu ROT13 )
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Merkur John Maclang: "Re: [Full-Disclosure] Successful in blocking all known exploits"

Previous message: J.A. Terranson: "Re: [Full-Disclosure] Successful in blocking all known exploits"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]