[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HYSA-2006-008 myBloggie 2.1.3 CRLF & SQL Injection

To: h4cky0u.org@xxxxxxxxx
Subject: Re: HYSA-2006-008 myBloggie 2.1.3 CRLF & SQL Injection
From: "Steven M. Christey" <coley@xxxxxxxxx>
Date: Thu, 27 Jul 2006 16:32:12 -0400 (EDT)

>--==CRLF injection==--
>
>GET /mybloggie/ HTTP/1.0
>Accept: */*
>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
>Host: 127.0.0.1:80
>Cookie: PHPSESSID=op0-11{}};q, or something like that
>Connection: Close


This demonstration code does not contain any carriage return / line
feed sequences.  What is the nature of the CRLF injection?  Or are you
talking about a different kind of vulnerability?  What source code
shows where the issue is?


Thanks,
Steve

Prev by Date: Oracle 10g R2 and, probably, all previous versions
Next by Date: [USN-327-1] firefox vulnerabilities
Previous by thread: Oracle 10g R2 and, probably, all previous versions
Next by thread: [USN-327-1] firefox vulnerabilities
Index(es):
- Date
- Thread