On Sat, 10 Mar 2007 15:15:54 CST, Paul Schmehl said: > Given the syntax of this function, wgBreakFrames can only have one of two > values: true or false. > > I'd be interested to see some POC that would show how you would exploit > this. The first thing to do is abuse the variable. In addition to true and false, try 3, 0 , -37, "Cabbage", and maybe "true) and (my_evil_function()))". See if you can force it to throw a syntax error that creates a 404 page or something that contains *other* input you control, especially if it finds its way to an eval().
Attachment:
pgpuzX4Cbk8ge.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/