| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 24 Aug 2005 10:57:53 -0000
From: ali202@...termail.com
To: bugtraq@...urityfocus.com
Subject: Foojan PHP Weblog Information Disclosure - Refferer Html Injection
Vendor : http://foojan.soltoononline.com
A complete Persian PHP Weblog (WMS)
Example Information Disclosure:
http://[target]/[foojan]/adminmodules/daylinks/index.php
http://[target]/[foojan]/index.php?daylinkspage=-1
Refferer Html Injection
Where : in gmain.php
$Weblog-> query ("INSERT INTO `visits` ( `id` , `ip` , `refferer` , `date` , `time` )
VALUES (
'', '".$_SERVER['HTTP_USER_AGENT']."', '".$_SERVER['HTTP_REFERER']."', '$num', '$num2'
);");
So Attacker Can Inject HTML code in refferer field with HTTP HEADER and it will be executed in the index.php and admin.php .
Powered by blists - more mailing lists