Message-ID: <20050318105435.7502.qmail@www.securityfocus.com>
Date: 18 Mar 2005 10:54:35 -0000
From: Terencentanio Enache <terencentanio@...t32.com>
To: bugtraq@...urityfocus.com
Subject: PHP-Post Exploit




~ PHOX: PHP-Post Exploit ~

###
# Content
###

 - Credits
 - BICWAE
 - Solution
 - Contact

###
# Credits
###

Exploit discovered by Phoxpherus (Phorce), Phox (R&P), Terencentanio (Root32)
Thanks to SilentWolf for the name (BICWAE) ... lmao

###
# BICWAE - Bypassing Input Check With Alternate Entries
###

It's possible to 'spoof' another user's identity by registering a username written with alternate character encodings (HTML numeric entities).

Using the user "Dave" for example (who is an admin at the official site), if we go to the registration page and try to sign up as "Dave"... no dice. However, if we sign up as "&#68;ave"... dice. "&#68;" is the HTML numeric entity for the letter "D", so the registration check sees a string different from "Dave", while a browser renders both identically.

Now, we can log in as "&#68;ave", and every time someone views our username it'll be displayed as "Dave".

You may ask what use this is, as it can't grant access to anything in particular, but if you were going to social-engineer (SE) your way in, this would be a _VERY_ helpful tool. I'm not going to go into the methods; the reason speaks for itself.

###
# Solution
###

You can filter the input (here, the submitted username in $username) either by using:

$username = str_replace("&#", "", $username);   // strip the start of numeric entities

or

$username = str_replace("&", "&#38;", $username);   // escape '&' so entities are stored and shown literally

... or anything else, I suppose. These are just 2 that spring to mind.
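As an added illustration of the spoofing described above and of the fix, here is an example registration check (not part of the original advisory or of PHP-Post): it compares the rendered form of a requested username against the names already taken, so "&#68;ave" is rejected once "Dave" exists, and it stores names with '&' escaped as the advisory's second suggestion does. The $existing array is a constructed stand-in for the site's user table.

```php
<?php
// Added example, not from the original advisory. $existing is constructed sample data.

function canonicalName(string $name): string
{
    // Decode numeric and named entities so "&#68;ave", "&#x44;ave" and "Dave"
    // all collapse to the string a browser would actually display.
    $decoded = html_entity_decode($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Entities may themselves be encoded ("&#38;#68;ave" decodes to "&#68;ave"),
    // so keep decoding until the string no longer changes.
    while ($decoded !== $name) {
        $name = $decoded;
        $decoded = html_entity_decode($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    // Case-fold and trim so "dave " is not accepted beside "Dave" either.
    return mb_strtolower(trim($decoded), 'UTF-8');
}

function usernameIsTaken(string $requested, array $existing): bool
{
    // Compare canonical forms on both sides: stored names may predate the fix.
    $wanted = canonicalName($requested);
    foreach ($existing as $taken) {
        if (canonicalName($taken) === $wanted) {
            return true;
        }
    }
    return false;
}

function storeName(string $name): string
{
    // The advisory's second suggestion: neutralise '&' on the way in so the
    // stored name is always displayed literally rather than re-interpreted.
    return str_replace('&', '&#38;', $name);
}

$existing = ['Dave', 'alice'];   // constructed sample of already-registered users

foreach (['Dave', '&#68;ave', '&#x44;ave', '&#38;#68;ave', 'Eve'] as $candidate) {
    printf("%-14s taken=%-3s stored=%s\n",
        $candidate,
        usernameIsTaken($candidate, $existing) ? 'yes' : 'no',
        storeName($candidate));
}
```

Run with `php example.php`; every "Dave" variant reports taken=yes and only "Eve" is accepted, while the stored form of each candidate keeps any '&' as a literal "&#38;".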

###
# Contact
###

Email: terencentanio.enache@...penworld.com
MSN: al_bhed_brother@...rosoft.com

