Re: index.cgi script XSS + file show

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: index.cgi script XSS + file show
From: "D.C. van Moolenbroek" <xanadu@xxxxxxxxx>
Date: Mon, 25 Apr 2005 22:22:34 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050424210819.29442.qmail@xxxxxxxxxxxxxxxxxxxxx>

Could you please provide some more specific information regarding the
bugs you have found? For example, a simple google query for
"inurl:index.cgi" yields over two million results, and I seriously doubt
that those are all vulnerable - which product(s) are we talking about
here, and which version(s)? This information would greatly enhance the
ability of those who are either writing or using the vulnerable
software, to deal with the problem..

Kind regards,
David van Moolenbroek

"fireboy fireboy" wrote:
>
>
> Tunis 24/04/2005
> BUG found by fireboy
> fireboy@xxxxxxxxxxxx
>
>
>
> THERE ARE SOME BUGS IN index.cgi SCRIPT THAT CAN SHOW SENSILBLES FILES
IN A SYSTEM
>
> IT IS ONLY FOR SECURITY AND EDUCATIONAL PURPOSE
>
>
>
> 1)file showing
> http://www.target.com/index.cgi?/etc/passwd
>
>
> 2)CSS
>
http://www.target.com/index.cgi?&lt;script&gt;alert(document.cookie)&lt;
/script&gt;
>
>
> greetz to all magattack members www.magattack.tk

References:
- index.cgi script XSS + file show
  - From: fireboy fireboy

Prev by Date: RE: Possible XSS in User-Agent
Next by Date: [SECURITY] [DSA 714-1] New kdelibs packages fix arbitrary code execution
Previous by thread: index.cgi script XSS + file show
Next by thread: remote command execution in forum.pl script
Index(es):
- Date
- Thread