Re: Wood's Infinity Project 3.69a Remote Command Execution

["morning_wood" <se_cur_ity () hotmail com>]

----- Original Message -----
From: "badpack3t" <badpack3t () security-protocols com>
To: <full-disclosure () lists netsys com>
Sent: Thursday, June 12, 2003 3:49 PM
Subject: [Full-disclosure] Wood's Infinity Project 3.69a Remote
Command Execution


> There is a massive xss problem in the 404 script mrwood uses.  here
is PoC
> for this 0day advisory: http://exploit.wox.org/<b>a</b>

huh? like I care that my 404 has xss. anything that is on my webroot
is public info ( its on the net ).

I dont get it..? going through alot of trouble for uuhh, make yourself
look bad?
and if this is your grand sploit
<?PHP
passthru("ls");
?>
uploaded to me.. umm i dont store the upload in the webroot, very far
from it actually, so unless you compromise me with a phpshell exploit
or something else that allows below webroot directory transversal, im
not caring to much. I hold no password databases or any other material
i would miss anyway.

wood
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html