From: Jason Muskat (Jason@TechDude.Ca)
Date: Wed Jun 08 2005 - 19:49:10 EDT
Hello,
This is just a type of code injection. Treat it as such.
Regards,
Jason Muskat
Jason@TechDude.Ca
PGP Key: 7B447CD9 Fingerprint: 29A2 63C5 F623 EE9D 2453 B840
2818 5CA7 7B44 7CD9
Linux Guru Since 2002 Without security there can be no privacy.
>-----Original Message-----
>From: Frederic Charpentier [mailto:fcharpen@xmcopartners.com]
>Sent: Wednesday, June 08, 2005 8:38 AM
>To: pen-test@securityfocus.com
>Subject: Injecting commands into a mainframe through a servlet
>
>hi all,
>I'm conducting a pentest and I found a url with something like AS400 or
>OS390 command in a url parameter.
>
>sample :
>www.client.com/Servlet.srv?codeLogon=logon+applid+(tesre01)
>
>I saw a multiple web site that I could add command like :
>www.client.com/Servlet.srv?codeLogon=logon+applid+(tesre01)+DATA(stuff)
>
>Anyone have I idea about howx I could exploit this ? like default
>application, ...
>
>Fred.
>
>--
>Frederic Charpentier - Xmco Partners
>Security Consulting / Pentest
>web : http://www.xmcopartners.com
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:23 EDT