Topic: PtokaX 0.4.2.0 Win32 GUI => path traversal, read files, execute files


Offline Rahim


PtokaX forum


Offline PPK

  • PtokaX developer
Fixed... but I don't count that as an exploit. From Lua it is possible to read and execute everything :P
"Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris." - Larry Wall

Offline Rahim

« Last Edit: 15 October, 2011, 16:44:24 by Rahim »

Offline bastya_elvtars

The first two PoCs contain:
Quote
now go to Settings "Scripts" tab

which requires access to the GUI itself. If you have access to the GUI, you have access to the whole OS, so why try via PtokaX? :)
Lua code execution (PoC3) also requires that you place the 'malicious' Lua code on the machine running PtokaX, which also requires privileges.
Everything could have been anything else and it would have just as much meaning.

Offline Rahim

 
Quote
The first two PoCs contain:
which requires access to the GUI itself. If you have access to the GUI, you have access to the whole OS, so why try via PtokaX? :)
Lua code execution (PoC3) also requires that you place the 'malicious' Lua code on the machine running PtokaX, which also requires privileges.

Yes, but it can be used for privilege escalation on the local machine. PoC3: if you have Apache on the server and some www/forum, you can upload evil Lua code to the server and run it, or on Linux run any file from /tmp
« Last Edit: 15 October, 2011, 18:19:09 by Rahim »
