[39764] in bugtraq
Re: UPB: Discussion Board/Web-Site Takeover
daemon@ATHENA.MIT.EDU (rgod@autistici.org)
Wed Jul 20 19:58:30 2005
Date: 19 Jul 2005 05:41:18 -0000
Message-ID: <20050719054118.24032.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: rgod@autistici.org
To: bugtraq@securityfocus.com
this is probably a hoax or an error, the system command is not executed, it's invisibile and inside the html... :) you can put a javascript instead and steal cookies. This is my proof of concept exploit:
http://www.rgod.altervista.org/upbgold196poc.php.txt
(if you have troubles with this script set allow_call_time_pass_reference = on
and register_globals = On)
otherwise you can make with telnet but in the user agent field you can make something like:
<script>alert(document.cookie)</script>
and when admin open ip log file the javascript will run in the security contest of his system...
however, you can craft some special urls, (look at this link: http://www.rgod.altervista.org/upbgold196xssurlspoc.txt ) to have same results...
sorry for my bad English
rgod
email: rgod@autistici.org
site: http://rgod@altervista.org
