PtokaX 0.4.2.0 Win32 GUI => path traversal, read files, execute files
 



Started by Rahim, 15 October, 2011, 15:05:44



PPK

Fixed... but I don't count that as an exploit. From Lua it is possible to read and execute everything  :P
"Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris." - Larry Wall

Rahim

DEVIL TEAM - http://devilteam.pl/

bastya_elvtars

The first two PoCs contain:
Quote: now go to Settings "Scripts" tab

which requires access to the GUI itself. If you have access to the GUI, you have access to the whole OS, then why try via PtokaX? :)
Lua code execution (PoC3) also requires that you place the 'malicious' Lua code on the machine running PtokaX, which also requires privileges.
Everything could have been anything else and it would have just as much meaning.

Rahim

 
Quote from: bastya_elvtars on 15 October, 2011, 17:40:19
The first two PoCs contain:
which requires access to the GUI itself. If you have access to the GUI, you have access to the whole OS, then why try via PtokaX? :)
Lua code execution (PoC3) also requires that you place the 'malicious' Lua code on the machine running PtokaX, which also requires privileges.

Yes, but it can be used for privilege escalation on the local machine. PoC3: if you have Apache on the server and some www/forum, one can upload evil Lua code to the server and run it, or on Linux run any file from /tmp
DEVIL TEAM - http://devilteam.pl/
