[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Foojan PHP Weblog Information Disclosure - Refferer Html Injection
From:       ali202 () fastermail ! com
Date:       2005-08-24 10:57:53
Message-ID: 20050824105753.8467.qmail () securityfocus ! com
[Download RAW message or body]

Vendor : http://foojan.soltoononline.com
A complete Persian PHP Weblog (WMS)


Example Information Disclosure:
http://[target]/[foojan]/adminmodules/daylinks/index.php
http://[target]/[foojan]/index.php?daylinkspage=-1


Refferer Html Injection

Where : in gmain.php

$Weblog-> query ("INSERT INTO `visits` ( `id` , `ip` , `refferer` , `date` , `time` ) \
 VALUES (
'', '".$_SERVER['HTTP_USER_AGENT']."', '".$_SERVER['HTTP_REFERER']."', '$num', \
'$num2' );");

So Attacker Can Inject HTML code in refferer field with HTTP HEADER and it will be \
executed in the index.php and admin.php .


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic