RE: modules name(Sections)SQL Injection Exploit

2006-05-25 Thread Evans, Arian
That looks a lot like a *nuke (PHPNuke & forks like PostNuke). The "thold" param has a history of issues, XSS and the like, and I seem to recall it is handled by the "Sections" module in Nuke. If it's the code I think it is, there are more issues with other params which are even listed in the exa

RE: (addendum) redirection vuln crawlers breed & security through obscurity

2006-04-20 Thread Evans, Arian
" to /admin. And anyone with read access to wwwlogs. I'm sure there are many more scenarios than I can envision, but the math/brute force one was the only one I could think of to answer the original request for "quantification". Thanks for all the polite responses to my muddl

RE: redirection vuln crawlers breed & security through obscurity

2006-04-19 Thread Evans, Arian
1. This is definitely a pretty common, if not well-known problem, being "broken access control" that relies on obscurity or something weak/trivial to forge (like an HTTP Referer field path) to control access to an entry point in a webapp. Sometimes, no further authorization checks are made (on pages/
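
The Referer-gated "entry point" pattern the message describes, shown beside a server-side session check, as an added example that is not part of the original thread. The gate functions, the `/admin` prefix, the host name, the session table and the sample request headers are all constructed here for illustration and are not from any product discussed on the list.

```python
"""Referer-based access control versus a real authorization check.

Added example, not code from the original list thread.  All names below
(ADMIN_PREFIX, TRUSTED_HOST, SESSIONS, the header dicts) are constructed.
"""
from urllib.parse import urlparse

ADMIN_PREFIX = "/admin"           # hypothetical protected area
TRUSTED_HOST = "app.example.com"  # hypothetical application host


def referer_gate(headers: dict) -> bool:
    """The weak pattern: assume a request that 'came from' /admin is authorised.

    The Referer header is entirely client-controlled, so any HTTP client can
    supply a matching value; nothing here ties the request to a real session.
    """
    parsed = urlparse(headers.get("Referer", ""))
    return parsed.netloc == TRUSTED_HOST and parsed.path.startswith(ADMIN_PREFIX)


def _parse_cookie(cookie: str) -> dict:
    """Minimal 'k=v; k2=v2' cookie parser (constructed helper)."""
    pairs = (kv.strip().split("=", 1) for kv in cookie.split(";") if "=" in kv)
    return {k: v for k, v in pairs}


def session_gate(headers: dict, sessions: dict) -> bool:
    """The correct pattern: look the session up server-side and check its role.

    The Referer header is ignored; the decision rests on state the client
    cannot forge (the session store) rather than on a header it sends.
    """
    sid = _parse_cookie(headers.get("Cookie", "")).get("sid")
    user = sessions.get(sid)
    return user is not None and user.get("role") == "admin"


# Constructed session store: one admin session, one unprivileged session.
SESSIONS = {
    "s-admin": {"user": "alice", "role": "admin"},
    "s-guest": {"user": "bob", "role": "guest"},
}

# Constructed requests.  FORGED is an unprivileged user who simply set the
# Referer header to look like an admin page; NO_REFERER is a real admin whose
# browser stripped the header (e.g. a bookmark or an https->http transition).
LEGIT_ADMIN = {"Referer": "https://app.example.com/admin/index", "Cookie": "sid=s-admin"}
FORGED = {"Referer": "https://app.example.com/admin/index", "Cookie": "sid=s-guest"}
NO_REFERER = {"Cookie": "sid=s-admin"}
LOOKALIKE = {"Referer": "https://app.example.com.evil.test/admin/", "Cookie": "sid=s-guest"}


def compare(headers: dict) -> tuple:
    """Return (referer_gate verdict, session_gate verdict) for one request."""
    return referer_gate(headers), session_gate(headers, SESSIONS)


if __name__ == "__main__":
    for name, req in [("legit admin", LEGIT_ADMIN), ("forged referer", FORGED),
                      ("admin, no referer", NO_REFERER), ("lookalike host", LOOKALIKE)]:
        ref_ok, sess_ok = compare(req)
        print(f"{name:20s} referer_gate={ref_ok!s:5s} session_gate={sess_ok}")
```

The forged request passes `referer_gate` and fails `session_gate`; the real admin without a Referer fails `referer_gate` but passes `session_gate`, which is the second cost of the weak pattern: it locks out legitimate users whose clients do not send the header, which tends to push developers toward loosening the check rather than replacing it.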

WMF browser-ish exploit vectors

2005-12-30 Thread Evans, Arian
Here, let's make the rendering issue simple: Due to IE being so content help-happy there are a myriad of IE-friendly file types (e.g. .jpg) that one can simply rename a metafile to for the purpose of web exploitation, and IE will pull out the wonderful hey; you're-not-a-jpeg-you're-a-something-else-that

RE: - Cisco IOS HTTP Server code injection/execution vulnerability-

2005-11-29 Thread Evans, Arian
To further aggravate the CSRF/'Session Riding' angle, one may implement two attack mechanisms against Cisco IOS/HTTP (and any similar platform) with current browsers/javascript injection: 1) img src=[IE only]javascript: and increment through RFC-reserved IP space; you could focus on .1's and .254'