Re: HACKED [mv] eWeek using Minivend in our openhack project
****** message to minivend-users from "Barry Treahy, Jr." <Treahy@mmaz.com> ******
I haven't tested this on MV 4, but on MV 3, I cannot reproduce it. Anyone else?
Barry
> ... minivend file view_page.html:
>
> ---cut here---
> [elsif session arg =~ /^\/|\.\./]
> ---cut here---
>
> does no proper input validation checks (they forgot about the "|" :)
>
> these two problems do allow http-request like:
>
> https://www.openhack.com/cgi-bin/eweekorcl/view_page.html?mv_arg=|ls|
>
-
To unsubscribe from the list, DO NOT REPLY to this message. Instead, send
email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
Archive of past messages: http://www.minivend.com/minivend/minivend-list
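An added example, not code from MiniVend or from either poster, showing why the quoted check lets `|ls|` through and what a hardened check looks like. It is Perl because MiniVend is a Perl application. Two things are assumptions rather than facts from this page: that the page argument ends up in a Perl two-arg open() (which is where a leading or trailing "|" turns a filename into a command), and that pages live under one fixed directory. The function names, the sample page names and the temporary directory are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example (not MiniVend code). Reconstructs the weak check quoted in the
# advisory and contrasts it with an allowlist check plus a three-arg open().
# Assumption: the original arg reaches a two-arg open(), which is why "|"
# matters; assumption: pages live under a single base directory.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# The quoted check: /^\/|\.\./ is the alternation (^\/) | (\.\.), i.e. it
# rejects an arg that starts with "/" or contains "..". Nothing about "|".
sub weak_check_rejects {
    my ($arg) = @_;
    return $arg =~ /^\/|\.\./ ? 1 : 0;
}

# Hardened: allowlist the characters a page name may contain instead of
# denylisting a few bad ones. This rejects "|", "/", "..", leading "-" and
# NUL bytes because none of them are in the allowed set.
sub strict_check_accepts {
    my ($arg) = @_;
    return ( $arg =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/ && $arg !~ /\.\./ ) ? 1 : 0;
}

# Why "|" matters: two-arg open(FH, $name) treats "|cmd" or "cmd|" as a pipe
# to/from a shell command. Three-arg open with an explicit '<' mode never does.
sub read_page {
    my ($base, $arg) = @_;
    die "rejected page name: $arg\n" unless strict_check_accepts($arg);
    my $path      = File::Spec->catfile($base, $arg);
    my $real      = realpath($path) // die "no such page: $arg\n";
    my $real_base = realpath($base) // die "no such base dir: $base\n";
    # belt and braces: the resolved path must still be under $base
    die "escaped base dir: $arg\n" unless index($real, $real_base . '/') == 0;
    open(my $fh, '<', $real) or die "open $real: $!\n";   # three-arg open
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Demo with the inputs from the advisory (constructed here; nothing is run).
for my $arg ('page.html', '/etc/passwd', '../../etc/passwd', '|ls|') {
    printf "%-20s weak check rejects: %d   strict check accepts: %d\n",
        $arg, weak_check_rejects($arg), strict_check_accepts($arg);
}
# Expected: the weak check rejects the two path arguments but not "|ls|";
# the strict check accepts only "page.html".

# Demo of read_page() against a throwaway page directory.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/page.html") or die "create page: $!\n";
print $out "<html>hello</html>\n";
close $out;
for my $arg ('page.html', '|ls|', '../page.html') {
    my $body = eval { read_page($dir, $arg) };
    print defined $body ? "read_page($arg): $body" : "read_page($arg): $@";
}
```

The point of the allowlist is that it does not need to know every dangerous character: "|" was the one this regex missed, but an explicit `open(FH, '<', ...)` and a realpath check under the base directory close the same hole even if a future filter forgets something else.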