kazu2012 / get-simple-cms

Automatically exported from code.google.com/p/get-simple-cms
GNU General Public License v3.0

exploit? 'set' parameter #215

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
See:
http://get-simple.info/forum/topic/2028/exploit-set-parameter/

Original issue reported on code.google.com by carnav on 1 Jun 2011 at 3:03

GoogleCodeExporter commented 9 years ago
It was already fixed in the SVN with a prior commit.

Original comment by ccagle8 on 3 Jun 2011 at 12:08

GoogleCodeExporter commented 9 years ago
Don't know if this is a vulnerability or just a small bug, but the fact is that /index.php processes the 'set' parameter (intended for /admin/plugins.php). This has, I believe, nothing to do with that upload.php fix that Mike mentions.

Try to browse any GetSimple site adding ?set=whatever to the URL.

Original comment by carnav on 4 Jun 2011 at 8:40

GoogleCodeExporter commented 9 years ago
r492 has finally fixed this.

Original comment by carnav on 12 Jun 2011 at 8:36