Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Foojan PHP Weblog Information Disclosure - Refferer Html Injection
From: ali202 () fastermail com
Date: 24 Aug 2005 10:57:53 -0000
Vendor : http://foojan.soltoononline.com
A complete Persian PHP Weblog (WMS)


Example Information Disclosure:
http://[target]/[foojan]/adminmodules/daylinks/index.php
http://[target]/[foojan]/index.php?daylinkspage=-1


Refferer Html Injection

Where : in gmain.php

$Weblog-> query ("INSERT INTO `visits` ( `id` , `ip` , `refferer` , `date` , `time` ) 
VALUES (
'', '".$_SERVER['HTTP_USER_AGENT']."', '".$_SERVER['HTTP_REFERER']."', '$num', '$num2'
);");

So Attacker Can Inject HTML code in refferer field with HTTP HEADER and it will be executed in the index.php and 
admin.php .

  By Date           By Thread  

Current thread:
  • Foojan PHP Weblog Information Disclosure - Refferer Html Injection ali202 (Aug 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]