Re: UPB: Discussion Board/Web-Site Takeover

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: UPB: Discussion Board/Web-Site Takeover
From: rgod@xxxxxxxxxxxxx
Date: 19 Jul 2005 05:41:18 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

this is probably a hoax or an error, the system command is not executed, it's 
invisibile and inside the html... :) you can put a javascript instead and steal 
cookies. This is my proof of concept exploit:

http://www.rgod.altervista.org/upbgold196poc.php.txt

(if you have troubles with this script set allow_call_time_pass_reference = on
and register_globals = On)

otherwise you can make with telnet but in the user agent field you can make 
something like:

<script>alert(document.cookie)</script>

and when admin open ip log file the javascript will run in the security contest 
of his system...

however, you can craft some special urls, (look at this link: 
http://www.rgod.altervista.org/upbgold196xssurlspoc.txt ) to have same 
results...

sorry for my bad English

rgod

email: rgod@xxxxxxxxxxxxx
site: http://rgod@xxxxxxxxxxxxxx

Prev by Date: Re: On classifying attacks
Next by Date: PeanutHull Local Privilege Escalation Vulnerability
Previous by thread: FreeBSD Security Advisory FreeBSD-SA-05:17.devfs
Next by thread: PeanutHull Local Privilege Escalation Vulnerability
Index(es):
- Date
- Thread