[VIM] Fwd: Menu Manager Mod for WebAPP - No Input Filtering
Web-APP
webapp at web-app.org
Sun Jul 15 21:15:39 UTC 2007
Wow.
----- Original Message -----
From: "str0ke" <str0ke at milw0rm.com>
To: "Vulnerability Information Managers" <vim at attrition.org>
Sent: Saturday, July 14, 2007 4:13 PM
Subject: [VIM] Fwd: Menu Manager Mod for WebAPP - No Input Filtering
> The plot thickens?
>
> ---------- Forwarded message ----------
> From: info at web-app.net <info at web-app.net>
> Date: 14 Jul 2007 04:56:20 -0000
> Subject: Re: Menu Manager Mod for WebAPP - No Input Filtering
> To: bugtraq at securityfocus.com
>
>
> The issue is not yet secure at http://www.web-app.org
>
> 1.) Guests can edit files on the server by:
> http://victim-domain/cgi-bin/index.cgi?action=menu
> - There are approximately 35 webapporg sites of version 0.9.9.7
> defaced with the issue. So it couldn't possibly be fixed for 0.9.9.7
> as claimed above.
>
> 2.) Members/guests can add $values in the menu form. Allowing $ is
> madness, as it can be exploited to run direct cmd on the Perl shell.
>
> I tried posting a message about it before here but it was unnoticed
> and never published.
>
> Kind regards
> On Elpeleg
> WebAPP
>
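A defender's-side illustration of the two points in the forwarded report (guests reaching action=menu, and `$` in menu values reaching Perl code), added here as an example; it is not WebAPP's code, and the session fields, function names and the allowed character set are assumptions:

```perl
#!/usr/bin/perl
use strict;
use warnings;
# Hypothetical hardening of a WebAPP-style menu editor (added example, not the
# project's code). Two checks run before a menu entry is stored: only an admin
# session may use action=menu, and field values may not carry Perl interpolation
# metacharacters ($ @ ` \), so a value reaching an eval'd template stays data.

my %menu;   # in-memory stand-in for the menu file on disk (constructed)
# Returns 1 if the session may edit the menu, 0 otherwise (guests: 0).
sub may_edit_menu {
    my ($session) = @_;
    return 0 unless ref($session) eq 'HASH' && $session->{logged_in};
    return 0 unless defined $session->{level} && $session->{level} eq 'admin';
    return 1;
}

# Returns a list of validation errors; an empty list means the value is storable.
sub validate_menu_value {
    my ($field, $value) = @_;
    return ("$field: missing") unless defined $value;
    my @errors;
    push @errors, "$field: too long" if length($value) > 200;
    push @errors, "$field: contains interpolation metacharacters" if $value =~ /[\$\@`\\]/;
    push @errors, "$field: contains control characters" if $value =~ /[\x00-\x1f\x7f]/;
    push @errors, "$field: not a relative or http(s) URL"
        if $field eq 'url' && $value !~ m{^(?:https?://|/)[A-Za-z0-9._~:/?#\[\]!&'()*+,;=%-]*$};
    return @errors;
}

# Returns (status, message); only a valid request from an admin reaches %menu.
sub handle_menu_request {
    my ($session, $action, $params) = @_;
    return (403, 'forbidden') unless $action eq 'menu' && may_edit_menu($session);
    my @errors = (validate_menu_value('title', $params->{title}),
                  validate_menu_value('url',   $params->{url}));
    return (400, join('; ', @errors)) if @errors;
    $menu{ $params->{title} } = $params->{url};   # stored as data, never eval'd
    return (200, 'ok');
}

# Constructed requests: a guest, an admin submitting a '$' value, a clean admin edit.
my %guest = (logged_in => 0);
my %admin = (logged_in => 1, level => 'admin');
for my $req ([\%guest, { title => 'Home', url => '/' }],
             [\%admin, { title => 'Home $ENV{PATH}', url => '/' }],
             [\%admin, { title => 'Home', url => '/cgi-bin/index.cgi' }]) {
    printf "%d %s\n", handle_menu_request($req->[0], 'menu', $req->[1]);
}
```

The access check refuses the guest request outright, and the value check rejects the `$` payload before it is stored, so neither of the two reported paths reaches the menu file.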