It doesn't matter what file was included. The problem is that a local file can be included, irrelevant to the choice of file.
Ryan Dewhurst

blog     www.ethicalhack3r.co.uk
twitter  www.twitter.com/ethicalhack3r
projects www.dvwa.co.uk | www.webwordcount.com | code.google.com/p/wpscan

On Sat, Nov 5, 2011 at 7:30 PM, Ed Carp <[email protected]> wrote:
> Password file, yawn. Shadow password file, that would be a much bigger
> deal...
>
> On Nov 5, 2011 11:46 AM, <[email protected]> wrote:
>>
>> On Sat, 05 Nov 2011 18:58:20 BST, Buherátor said:
>>
>> > "Oracle NoSQL Database is intended to be installed in a secure
>> > location where physical and network access to the store is restricted
>> > to trusted users.
>>
>> Which any savvy sysadmin knows really means "It's your problem to set
>> up iptables to restrict this sucker..."
>>
>> And of course, *that* usually means "avoid this product like the plague"
>> ;)
>>
>> > $ curl -v
>> > http://127.0.0.1:5001/kvadminui/LogDownloadService?log=../../../../../../../../../../../../../../../etc/passwd
>>
>> OK as far as it goes. But take it a step further. Does the LogDownloadService
>> process do any sanity checking and only let you download world-readable files?
>> If so, it's quite the yawner of an "exploit".
>>
>> Or does it let you snarf up /etc/shadow, or other ways to get a system
>> privilege escalation. Remember - you could have users trusted with the data in
>> the database, but not other content on the system. A *lot* of shops have policy
>> where the DBAs do *not* have the root password - can you use this to bypass
>> that policy? Can you get it to cough up a file containing the database config
>> or access passwords? Can you get it to cough up the logfile where it logs the
>> fact you accessed it (and can you abuse that into an infinite loop filling the
>> log space?) What other creative failure modes can you come up with for this
>> "fee-chur"? :)
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
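The sanity check the thread asks whether LogDownloadService performs, as an added example that is neither Oracle's code nor from any post above: a containment check that canonicalises the `log` parameter against a log directory and refuses anything resolving outside it, tried against the traversal string from the curl line. The log directory layout and file names are hypothetical, constructed in a temporary directory so the script runs anywhere.

```python
import os
import stat
import tempfile


def resolve_log_request(log_param, log_root):
    """Return the canonical path for the requested log if it is a regular file
    inside log_root, else None.  Illustrative check only, not Oracle's code."""
    # Refuse empty names, embedded NULs and absolute paths before touching disk.
    if not log_param or "\x00" in log_param or os.path.isabs(log_param):
        return None
    root = os.path.realpath(log_root)
    # realpath follows symlinks and collapses every "..", so a traversal string
    # like the one in the curl line resolves outside root and fails containment.
    candidate = os.path.realpath(os.path.join(root, log_param))
    if os.path.commonpath([root, candidate]) != root:
        return None
    # Never serve the directory itself, a device node, or a missing file.
    if not os.path.isfile(candidate):
        return None
    return candidate


def is_world_readable(path):
    """True when the mode grants read to 'other': the weaker policy Valdis
    contrasts with being able to snarf /etc/shadow."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo():
    """Constructed layout: a log directory holding one log, and a mode-0600
    'config' file outside it standing in for the secrets the thread worries about."""
    base = tempfile.mkdtemp()
    log_root = os.path.join(base, "kvroot", "log")   # hypothetical store layout
    os.makedirs(log_root)
    with open(os.path.join(log_root, "admin.log"), "w") as fh:
        fh.write("constructed sample log line\n")
    secret = os.path.join(base, "config.xml")
    with open(secret, "w") as fh:
        fh.write("<!-- constructed placeholder, not a real config -->\n")
    os.chmod(secret, 0o600)
    return {
        "plain": resolve_log_request("admin.log", log_root),
        "traversal": resolve_log_request("../../config.xml", log_root),
        "deep_traversal": resolve_log_request("../" * 15 + "etc/passwd", log_root),
        "absolute": resolve_log_request("/etc/passwd", log_root),
        "directory": resolve_log_request(".", log_root),
        "secret_world_readable": is_world_readable(secret),
    }
```

Only the "plain" request yields a path; every traversal, absolute and directory request comes back as None, which is the behaviour a file-serving endpoint needs before any question about world-readability even arises.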
