[40496] in bugtraq
Mantis Bugtracker - Remote Database Scanner and XSS Vulnerabilities
daemon@ATHENA.MIT.EDU (Joxean Guay del Paraguay)
Tue Sep 27 19:05:03 2005
Message-ID: <20050926101735.6047.qmail@web25903.mail.ukl.yahoo.com>
Date: Mon, 26 Sep 2005 12:17:35 +0200 (CEST)
From: Joxean Guay del Paraguay <joxeankoret@yahoo.es>
To: bugtraq@securityfocus.com
---------------------------------------------------------------------------
Mantis Bugtracker - Remote Database Scanner and XSS Vulnerabilities
---------------------------------------------------------------------------
Author: Jose Antonio Coret (Joxean Koret)
Date: 2005
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mantis Bugtracker - Mantis is a PHP/MySQL web-based bug tracking system
Affected versions:
+ 1.0.0a3
+ 1.0.0a2
+ 1.0.0a1
+ 0.19.2
+ 0.19.1
+ 0.19.0
+ 0.19.0RC1
+ 0.19.0a2
+ 0.19.0a1
Partially affected versions:
+ 1.0.0RC1 (A2 Cross Site Scripting Vulnerability)
Not affected versions:
+ 1.0.0RC2
+ 0.18.3 and prior versions
Web : http://mantisbt.sourceforge.net
---------------------------------------------------------------------------
Vulnerabilities Summary
~~~~~~~~~~~~~~~~~~~~~~~
A - Cross Site Scripting Vulnerabilities
A1.- Parameter 'dir' of the script "/view_all_set.php"
is vulnerable to XSS attacks
A2.- XSS in /bug_actiongroup_page.php when deleting a
bug from the /view_all_bug_page.php
B.- Database scanner via variable poisoning in
/core/database_api.php script
Vulnerabilities
~~~~~~~~~~~~~~~
A - Cross Site Scripting Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A1.- Parameter 'dir' of the script "/view_all_set.php"
is vulnerable to XSS attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The parameter 'dir' of the /view_all_set.php script is not correctly
sanitized and is vulnerable to XSS attacks.
The following is a sample url to check the problem:
http://[target]/view_all_set.php?sort=severity&dir="><script>alert(document.cookie)</script>&type=2
This bug is addressed as #0005959 in the MantisBT bug
database.
A2.- XSS in /bug_actiongroup_page.php when deleting a
bug from the /view_all_bug_page.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A Cross Site Scripting Vulnerability was found in the
script /bug_actiongroup_page.php when deleting a bug
from the /view_all_bug_page.php.
To reproduce the behaviour follow these steps:
1.- Report a bug with the following summary:
Test<script>alert(document.cookie)</script>
2.- Log in as administrator and find the bug in the
/view_all_bug_page.php script.
3.- Select the checkbox corresponding to this bug
and choose DELETE in the drop-down below.
4.- Press OK.
5.- In /bug_actiongroup_page.php you will see the
bug to delete and also a wonderful JavaScript alert.
This bug may be considered non-exploitable, but it is
exploitable. If you register only one bug, it is
possible that the administrator does not select it for
deletion from /view_all_bug_page.php, but what if you
register 15 of them? The administrator will surely
delete all of them by selecting all the bugs from
/view_all_bug_page.php.
This bug is addressed as #0006002 in the MantisBT bug
database.
B.- Database scanner via variable poisoning in
/core/database_api.php script
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If the 'register_globals' directive is enabled, the
script located at /core/database_api.php
is vulnerable to variable poisoning attacks.
By exploiting the vulnerability an attacker can
connect to databases on the web server's LAN.
To reproduce the behavior simply navigate to any of
these urls:
http://[target]/core/database_api.php?g_db_type=mysql://invaliduser@localhost:3336
http://[target]/core/database_api.php?g_db_type=mysql://root@localhost:3336
http://[target]/core/database_api.php?g_db_type=informix://localhost:8080
Due to this vulnerability an attacker can write a
database scanner or a network scanner by simply
changing the hostname and port and parsing the
responses.
Examples:
1.-
http://[target]/core/database_api.php?g_db_type=mysql://root@localhost
(Fast response)
2.-
http://[target]/core/database_api.php?g_db_type=mysql://root@192.168.1.1
(No response in about 30 seconds)
3.-
http://[target]/core/database_api.php?g_db_type=mysql://root@10.x.y.z
(Response in about 3 seconds)
A remote user can supply a specially crafted URL to
scan arbitrary ports on arbitrary hosts using a URL
with the following form:
http://[target]/core/database_api.php?g_db_type=<database type>://<hostname>:<port>
Based on the response time and the response returned
by MantisBT, the remote user can determine whether the
specified port on the specified host is open or
closed. As a consequence, a remote user can invoke
MantisBT to scan arbitrary ports on arbitrary hosts.
This bug is addressed as #0005956 in the MantisBT bug
database.
Notes about issue #0005956
~~~~~~~~~~~~~~~~~~~~~~~~~~
1.- This vulnerability doesn't allow an attacker to
run SQL commands against the database.
2.- Not all sites running Mantis Bugtracker are
vulnerable. This only works if the 'register_globals'
directive is On. If you're unsure whether your site is
vulnerable you can try the provided exploit,
called 'exploit.py'.
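As a defender-side illustration added here (not part of the advisory or of the attached exploit.py), the following Python run over constructed web-server access-log lines flags the two request patterns this advisory describes: a 'dir' value on view_all_set.php that is not ASC or DESC (the #0005959 vector), and a single client naming several host:port pairs through g_db_type on /core/database_api.php (the #0005956 scanning vector). The log lines, the client addresses and the scan threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not taken from the advisory.
SAMPLE_LOG = """\
10.9.8.7 - - [26/Sep/2005:12:17:35 +0200] "GET /view_all_set.php?sort=severity&dir=ASC&type=2 HTTP/1.1" 200 4120
10.9.8.7 - - [26/Sep/2005:12:17:40 +0200] "GET /view_all_set.php?sort=severity&dir=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&type=2 HTTP/1.1" 200 4301
10.9.8.7 - - [26/Sep/2005:12:18:01 +0200] "GET /core/database_api.php?g_db_type=mysql://root@10.1.1.1:3306 HTTP/1.1" 200 0
10.9.8.7 - - [26/Sep/2005:12:18:31 +0200] "GET /core/database_api.php?g_db_type=mysql://root@10.1.1.2:3306 HTTP/1.1" 200 0
10.9.8.7 - - [26/Sep/2005:12:18:34 +0200] "GET /core/database_api.php?g_db_type=mysql://root@10.1.1.3:3306 HTTP/1.1" 200 0
10.9.8.7 - - [26/Sep/2005:12:18:35 +0200] "GET /core/database_api.php?g_db_type=informix://10.1.1.3:8080 HTTP/1.1" 200 0
192.0.2.5 - - [26/Sep/2005:12:19:00 +0200] "GET /view_all_bug_page.php HTTP/1.1" 200 9901
"""

# client address, request target and status code of one combined-log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
SAFE_DIR = {"ASC", "DESC"}  # the only legitimate sort directions for view_all_set.php

def parse_line(line):
    """Return (client, path, query dict) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target, _status = m.groups()
    parts = urlsplit(target)
    return client, parts.path, parse_qs(parts.query)

def analyze(log_text, scan_threshold=3):
    """Flag non-ASC/DESC 'dir' values (#0005959 probes) and clients that reach several
    host:port pairs through g_db_type on /core/database_api.php (#0005956 scanning)."""
    xss_hits = []               # (client, decoded dir value)
    targets = defaultdict(set)  # client -> {(host, port)} named in g_db_type
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, path, query = parsed
        if path.endswith("/view_all_set.php"):
            for value in query.get("dir", []):
                if value.upper() not in SAFE_DIR:
                    xss_hits.append((client, value))
        elif path.endswith("/core/database_api.php"):
            # a direct request to a core/ include is already odd; g_db_type makes it a probe
            for dsn in query.get("g_db_type", []):
                u = urlsplit(dsn)
                targets[client].add((u.hostname, u.port))
    scanners = {c: sorted(t, key=str) for c, t in targets.items() if len(t) >= scan_threshold}
    return {"xss": xss_hits, "scanners": scanners}
```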
Workarounds:
~~~~~~~~~~~~
There is no known workaround for the #0005959 and
#0006002 issues.
For the #0005956 issue you only need to DISABLE the f* PHP
directive 'register_globals'.
Patches:
~~~~~~~~
The following patches solve the #0005956,
#0005959 and #0006002 issues.
Patch for issue #0005959
-----------------------------------------------------------------------------------------------------------------------
--- filter_api.orig 2005-07-18 17:07:03.000000000
+0200
+++ filter_api.php 2005-07-18 17:06:15.000000000 +0200
@@ -753,7 +753,7 @@
?>
<br />
- <form method="post" name="filters" action="<?php
PRINT $t_action; ?>">
+ <form method="post" name="filters" action="<?php
PRINT htmlentities($t_action); ?>">
<input type="hidden" name="type" value="5" />
<?php
if ( $p_for_screen == false ) {
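Review bot: htmlentities($t_action) on the form's action attribute is called without ENT_QUOTES, so only double quotes are encoded (the default ENT_COMPAT) and single quotes pass through; that is enough for this double-quoted attribute, but writing `htmlentities($t_action, ENT_QUOTES)` removes the dependency on the attribute's quoting style and makes the intent obvious to whoever edits this template next.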
@@ -761,10 +761,10 @@
PRINT '<input type="hidden" name="offset"
value="0" />';
}
?>
- <input type="hidden" name="sort" value="<?php PRINT
$t_sort ?>" />
- <input type="hidden" name="dir" value="<?php PRINT
$t_dir ?>" />
- <input type="hidden" name="page_number"
value="<?php PRINT $p_page_number ?>" />
- <input type="hidden" name="view_type" value="<?php
PRINT $t_view_type ?>" />
+ <input type="hidden" name="sort" value="<?php PRINT
htmlentities($t_sort) ?>" />
+ <input type="hidden" name="dir" value="<?php PRINT
htmlentities($t_dir) ?>" />
+ <input type="hidden" name="page_number"
value="<?php PRINT htmlentities($p_page_number) ?>" />
+ <input type="hidden" name="view_type" value="<?php
PRINT htmlentities($t_view_type) ?>" />
<table class="width100" cellspacing="1">
<?php
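Review bot: the four hidden inputs now go through htmlentities, but $t_dir is still accepted as free text; since a sort direction can only be ASC or DESC, validating it against that whitelist before it reaches this template would close the #0005959 vector at its source, with the encoding added here kept as defence in depth. As in the previous hunk, pass ENT_QUOTES (and the page charset) rather than relying on the defaults.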
-----------------------------------------------------------------------------------------------------------------------
Patch for issue #0005956
-----------------------------------------------------------------------------------------------------------------------
--- database_api.orig 2005-07-18 16:43:36.000000000
+0200
+++ database_api.php 2005-07-18 16:49:43.000000000
+0200
@@ -9,6 +9,13 @@
# $Id: database_api.php,v 1.42 2005/02/26
15:16:46 thraxisp Exp $
#
--------------------------------------------------------
+ #
+ # Patch for #0005956: Database system scanner via
variable poisoning
+ #
+
+ if ((isset($_GET["g_db_type"])) ||
(isset($_POST["g_db_type"])))
+ die("");
+
### Database ###
# This is the general interface for all
database calls.
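Review bot: the guard only checks $_GET and $_POST for g_db_type, but register_globals also imports cookie variables (and, per variables_order, other sources), so a cookie named g_db_type is not caught; checking $_COOKIE or $_REQUEST as well, or better, having the configuration layer ignore externally supplied g_* variables altogether, addresses the actual root cause rather than this one name. Also, die("") returns an empty 200 response with no log entry; emitting a clear error and logging the attempt would let operators notice the scanning activity described in the advisory.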
-----------------------------------------------------------------------------------------------------------------------
Patch for issue #0006002
-----------------------------------------------------------------------------------------------------------------------
--- bug_actiongroup_page.orig 2005-07-24
04:14:11.000000000 +0200
+++ bug_actiongroup_page.php 2005-07-24
04:13:31.000000000 +0200
@@ -114,7 +114,7 @@
foreach( $f_bug_arr as $t_bug_id ) {
$t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 );
$t_bug_rows .= sprintf( "<tr bgcolor=\"%s\">
<td>%s</td> <td>%s</td> </tr>\n"
- , get_status_color( bug_get_field( $t_bug_id,
'status' ) ), string_get_bug_view_link( $t_bug_id ),
bug_get_field( $t_bug_id, 'summary' )
+ , get_status_color( bug_get_field( $t_bug_id,
'status' ) ), string_get_bug_view_link( $t_bug_id ),
htmlentities(bug_get_field( $t_bug_id, 'summary' ))
);
echo '<input type="hidden" name="bug_arr[]" value="'
. $t_bug_id . '" />' . "\n";
}
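Review bot: wrapping bug_get_field( $t_bug_id, 'summary' ) in htmlentities fixes the sink reported as #0006002, but only at this one sprintf; escaping the summary in a shared display helper instead would give every page that prints it the same treatment. Use ENT_QUOTES here as well, since the default leaves single quotes unencoded.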
-----------------------------------------------------------------------------------------------------------------------
The fix:
~~~~~~~~
Issues #0005956 and #0005959 are corrected in version
1.0.0RC1.
Alternatively, you can use the attached unofficial
patches.
How to apply the patches:
~~~~~~~~~~~~~~~~~~~~~~~~~
To apply the patches follow these steps:
1.- Download (or copy/paste) the patch (or patches)
that you need (e.g.: 0005956.patch).
2.- Copy the patch to your local '<mantis_dir>/core/'
directory (e.g.: in my Debian Sarge distribution this
is located under /usr/local/mantis/gui/core).
3.- Execute the following command:
$ patch -p0 < 0005956.patch
After applying the patch:
~~~~~~~~~~~~~~~~~~~~~~~~~
If you have applied the patch and you're not sure
whether your system is vulnerable or not, you can run
the attached exploit called (originally...) 'exploit.py'
and follow the instructions.
NOTE: This exploit only probes issue #0005956.
Notes
~~~~~
Thanks to Victor Boctor, and all the Mantis Bugtracker
guys. They were very kind and professional.
Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its
demonstrations is provided
"as is" without any warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of
using the information or demonstrations provided in
any part of this
advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
[Attachments: mantis-patches.tar.gz, exploit.py, poc.tar.gz (base64-encoded contents omitted)]