[Full-Disclosure] Re: VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!!

[Rudolf Polzer <divzero@xxxxxxxxx>]

On Sat, 3 Jul 2004 06:40:55 +0200, Frog M@n <frogman@xxxxxxxxxx> wrote:
> This is IHCTEAM material. We fuck blackhats and we own the planet.
> This is a leet advisory, s0 l33t. Just read it and be quiet.

Not at all. But it's always good to mention the Nr. 1 security
nightmare people produce with scripting language. Good job.

> There is a BIGBUG in all php versions, in the include() function.
> If this function is badly used, a roxor hax0r (like us) can compromise
> a box remotely. He can execute commands with apache rights.

If it's badly used, the author of the script should get another job.

> index.php:
> ...
> include($page); // <--- fucking lame
> ...

Just because many PHP programmers are fucking idiots you cannot blame
that on PHP.

> <?
> system("$cmd");
> ?>

So your next advisory will be about a BIGBUG in system() - when badly
used, an attacker can execute arbitrary code on your webserver?

We all already know that. Really.

> Don't use the include() function, it is coded by idiots, like THEO@openbsd.

No. Do not use the include() function with unchecked untrusted input,
for it will do what the documentation says.

> We owned everything and everywhere with this exploit:
> www.apache.org
> www.debian.org
> www.nasa.gov

If that is true (proof?), it should appear in the news soon.

> WE ARE LOOKING FOR A JOB IN THE SECURITY RESEARCH

lol, after THIS el-cheapo "security advisory"? Get a life. Find a real bug.


--
< polzer> besonders krank ist jedoch Kenny nach einer Basistransformation...
< polzer> Zcssczcssszszsz cscccczzzzzz zcszzc ccczsczcs.
< polzer> (ROT13)^{-1} Kenny ROT13
< polzer> .oO( fpbecker sucht das inverse Programm zu ROT13 )

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html