move_uploaded_file breaks safe_mode restrictions in PHP

Hey Its possible to circumvent probadly spelled wrong PHP safemode restrictions by using moveuploadedfile. You take this nasty script and you have domain whatever.com and your directory path is /domains/whatever.com/ ? $file = $HTTPPOSTFILES'file''name'; $type = $HTTPPOSTFILES'file''type'; $size ...

wwwthreads-5.5.txt

---------- Forwarded message ---------- Date: 30 Jan 2002 22:12:17 -0000 From: Root Extractor To: [email protected] Subject: WWWThreads, UBBThreads Security Hole in upload system WWWThreads, UBBThreads Security Hole in upload system Author: RootExtractor, CompuMe [email protected],...

[ WWWThreads, UBBThreads ] Security Hole in upload system

WWWThreads, UBBThreads Security Hole in upload system Author: RootExtractor, CompuMe [email protected], [email protected] I. Details II. Vulnerable ver's III. Example, Xploit IV. Solution Details : ..: config.inc.php :.. ------------------------- snip ------------------------------ //...

sniffit-exp1.txt

/ Remote overflow in sniffit.0.3.7.beta tested on slackware 7.1 found/coded by g463 -18th january 2002- The vulnerability is triggered when the option -L is called from the command line with 'normmail' ie : ./sniffit -c ./sampleconfigfile -L normmail It calls a piece of code where the buffer is...

Brian Dorricott MAILTO 1.0.7-9 - Unauthorized Mail Server Use

Brian Dorricott MAILTO 1.0.7-9 - Unauthorized Mail Server Use source: https://www.securityfocus.com/bid/3669/info MAILTO is a program maintained by Brian Dorricott. It enables web servers to allow forms to be converted into mail messages that can be sent to numerous recipients. An issue exists in...

Microsoft Internet Explorer 5.5/6.0 - Spoofable File Extensions

source: https://www.securityfocus.com/bid/3597/info It is possible for a malicious webmaster, hosting files on an website, to spoof file extensions for users of Internet Explorer. For example, an .exe file can be made to look like a .txt or other seemingly harmless file type file in the Download...

CVE-2001-0535

Example applications Exampleapps in ColdFusion Server 4.x do not properly restrict prevent access from outside the local host's domain, which allows remote attackers to conduct upload, read, or execute files by spoofing the "HTTP Host" CGI.Host variable in 1 the "Web Publish" example script, and ...

CVE-2001-0535

Example applications Exampleapps in ColdFusion Server 4.x do not properly restrict prevent access from outside the local host's domain, which allows remote attackers to conduct upload, read, or execute files by spoofing the "HTTP Host" CGI.Host variable in 1 the "Web Publish" example script, and ...

directorymanager bug

Directory Manager Execute Command !BUG! Version Affected : Directory Manager 0.9 Directory Manager is a directory manager ; i realy don't know what he does. it has a serious security flaw, which allows any person to execute commands on attacked system as webserver-user. From editimage.php : if !$...

ISSalert: ISS Advisory: Remote Vulnerabilities in Macromedia ColdFusion Example Applications

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to [email protected] Contact [email protected] for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- Internet Security Systems Security...

PHP local DoS: self-fetching throught HTTP

PHP scripting allows "opening" files througth HTTP: $file=fopen"http://host/page.html","r"; If script opening itself throught HTTP, it will result in DoS attack: as much as possible HTTP connections and great number of executing PHP scripts. Timeout settings are useless. Possible solutions: -...

Debian 2.2 /usr/bin/pileup - Local Privilege Escalation

/ pileup-xpl.c - local root exploit by core Friday the 13th, July 2001 based almost entirely on code by Cody Tubbs loophole of hhp $ ./pileup-xpl pileup-xpl by core 2001 - beep beep root! usage: ./pileup-xpl offset align0..3 Ret-addr: 0xbfffe09c, offset: 0, align: 0. How many voices 1 to 9 Starti...

dqs 3.2.7 local root exploit.

Subject: dqs 3.2.7 local root exploit. Hello. DESCRIPTION: I found a buffer overflow vunerability on the /usr/bin/dsh dqs 3.2.7 package. I really don't know if this bug was discovered already. if thats right, then sorry =. If a long line on the first argument is gived, the program gives a SIGSEGV...

WU-FTPD 2.4/2.5/2.6 / Trolltech ftpd 1.2 / ProFTPd 1.2 / BeroFTPD 1.3.4 FTP - glob Expansion

source: https://www.securityfocus.com/bid/2496/info Many FTP servers are vulnerable to a denial of service condition resulting from poor globbing algorithms and user resource usage limits. Globbing generates pathnames from file name patterns used by the shell, eg. wildcards denoted by and ?,...

WFTPD Pro 3.00 R1 Buffer Overflow

When sending a command cwd followed by a long argument 500 char '.' the server crashes with: Anwendungspopup: WFTPD Service Control: WFTPD.EXE - Fehler in Anwendung: Die Anweisung in "0x2e2e2e2e" verweist auf Speicher in "0x2e2e2e2e". Der Vorgang "read" konnte nicht auf dem Speicher durchgefЭhrt...

Progress Database Server 8.3b - prodb Local Privilege Escalation

Progress Database Server 8.3b - prodb Local Privilege Escalation / progress database server v8.3b local root compromise. for sco-unix and linux on linux redhat 6.2 and SCOSV scosysv 3.2 5.05 this is just one of it, advisory about the bug discovery grabbed from packetstorm, which was originally...

Slackware 7.1 - '/usr/bin/mail' Local Privilege Escalation

/ Slackware 7.1 /usr/bin/Mail Exploit give gid=1 bin if /usr/bin/Mail is setgid but it is not setgid, setuid for default. tested on my box sl 7.1 crazy exploited by kengz. GID.... \x01 = 1 bin \x02 = 2 , \x03 = 3 , ... \x0a = 10 \x0b = 11 .... / include include define GID "\x03" int mainint argc,...

BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit

Exploit for linux platform in category remote exploits ==================================================== BIND 8.2.x TSIG Remote Root Stack Overflow Exploit ==================================================== / tsig0wn.c Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisena...

ISC BIND 8.2.x - TSIG Remote Stack Overflow (1)

ISC BIND 8.2.x - TSIG Remote Stack Overflow 1 / tsig0wn.c Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau [email protected] The author is not and will not be held responsible for the action of other people using this code. provided for informational purposes only sin...

Tru64 5 (su) Env Local Stack Overflow Exploit

Exploit for tru64 platform in category local exploits ============================================= Tru64 5 su Env Local Stack Overflow Exploit ============================================= / Copyright c 2000 ADM / / All Rights Reserved / / THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF ADM / / T...