If you're going to start posting this shit, I suggest you visit http://www.exploit-db.com/google-dorks/ and try appending site:edu to all of them.
2013/8/29 Vulnerability Lab <resea...@vulnerability-lab.com>

> Title:
> ======
> UTA EDU University ENG - SQL Injection Vulnerability
>
> Date:
> =====
> 2013-08-28
>
> References:
> ===========
> http://www.vulnerability-lab.com/get_content.php?id=256
>
> VL-ID:
> =====
> 256
>
> Common Vulnerability Scoring System:
> ====================================
> 8.4
>
> Introduction:
> =============
> The University of Texas at Arlington's College of Engineering provides one of the most comprehensive engineering programs in
> North Texas and the nation, with eight baccalaureate programs, 13 master's and 9 doctorates. It is the fourth largest engineering
> college in Texas, with about 3,900 students.
>
> (Copy of the Homepage: http://www.uta.edu )
>
> Abstract:
> =========
> The Vulnerability Laboratory Research Team discovered a SQL Injection web vulnerability in the famous Arlington Engineering
> University in Texas.
>
> Report-Timeline:
> ================
> 2011-12-26: Researcher Notification & Coordination (Chokri Ben Achour)
> 2012-11-27: Vendor Notification (Support Team)
> 2012-**-**: Vendor Response/Feedback (Support Team)
> 2013-08-22: Vendor Fix/Patch (No Response, verify by Check)
> 2013-08-28: Public Disclosure (Vulnerability Laboratory)
>
> Status:
> ========
> Published
>
> Exploitation-Technique:
> =======================
> Remote
>
> Severity:
> =========
> Critical
>
> Details:
> ========
> A critical SQL Injection web vulnerability is detected in the famous Arlington Engineering University in Texas.
> The vulnerability allows remote attackers to inject or execute their own SQL commands to compromise the web-application
> or web-server DBMS.
>
> The vulnerability is located in the engineeringnews module when processing to request the ID parameter with own SQL commands.
> Remote attackers are able to inject the commands to compromise the web-application and affected database management system.
> The flaw is a result of the wrong validation of the id value when processing to load the engineeringnews.php file.
>
> Vulnerable Module(s):
> [+] ../engineeringnews/
>
> Vulnerable File(s):
> [+] engineeringnews.php
>
> Vulnerable Parameter(s):
> [+] id
>
> Proof of Concept:
> =================
> The remote SQL injection vulnerability can be exploited by remote attackers without user interaction or privileged user account.
> For demonstration or reproduce ...
>
> PoC:
> http://www.uta.edu/engineering/engineeringnews/engineeringnews.php?id=
> -1337+union+select+1,2,3,concat_ws(0x3a3a,id,username,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+adlogin+limit+0,1--
>
> Solution:
> =========
> 2013-08-22: Vendor Fix/Patch (No Response, verify by Check)
>
> Risk:
> =====
> The security risk of the remote SQL injection web vulnerability is estimated as critical.
>
> Credits:
> ========
> Vulnerability Laboratory [Research Team] - Chokri Ben Achour (cho...@evolution-sec.com)
>
> Disclaimer:
> ===========
> The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
> either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
> Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
> profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
> states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
> may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
> or trade with fraud/stolen material.
>
> Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
> Contact: ad...@vulnerability-lab.com - resea...@vulnerability-lab.com - ad...@evolution-sec.com
> Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
> Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
> Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
>
> Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
> Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
> media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
> other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
> modify, use or edit our material contact (ad...@vulnerability-lab.com or resea...@vulnerability-lab.com) to get a permission.
>
> Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
>
> --
> VULNERABILITY LABORATORY RESEARCH TEAM
> DOMAIN: www.vulnerability-lab.com
> CONTACT: resea...@vulnerability-lab.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
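The advisory's root cause is an `id` parameter that engineeringnews.php never validated as an integer before using it in a query. The following is an added defensive example (not code from the advisory, the list, or UTA) that applies the strict allow-list check the page's `id` value should have had, and runs it over constructed web-server log lines in combined-log layout to flag requests to that script whose `id` is not a plain positive integer.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allow-list for the `id` parameter: a positive integer is its only legitimate form,
# so anything else is either an application bug or an injection attempt.
ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")

# Combined-log request line (assumed layout; only ip, status and target are used).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def is_valid_id(value: str) -> bool:
    """Strict check a patched engineeringnews.php should apply before any DB access."""
    return bool(ID_RE.match(value))

def check_request(target: str):
    """Return None for a clean request, otherwise a short reason for alerting."""
    parts = urlsplit(target)
    if not parts.path.endswith("/engineeringnews.php"):
        return None
    ids = parse_qs(parts.query, keep_blank_values=True).get("id", [])  # decodes %xx and '+'
    if len(ids) != 1:
        return f"id supplied {len(ids)} times"
    raw = ids[0]
    if is_valid_id(raw):
        return None
    if re.search(r"\b(union|select|concat_ws|from)\b", raw.lower()) or "--" in raw:
        return f"SQL keywords in id: {raw[:60]!r}"
    return f"non-integer id: {raw[:60]!r}"

def scan_log(lines):
    """Return (ip, status, reason) for every flagged request in the log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = check_request(m.group("target"))
        if reason:
            findings.append((m.group("ip"), m.group("status"), reason))
    return findings

# Constructed sample log lines (documentation-range IPs); the second mirrors the PoC prefix.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Aug/2013:10:01:02 +0000] "GET /engineering/engineeringnews/engineeringnews.php?id=42 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/Aug/2013:10:01:09 +0000] "GET /engineering/engineeringnews/engineeringnews.php?id=-1337+union+select+1,2,3 HTTP/1.1" 200 5312',
    '198.51.100.7 - - [28/Aug/2013:10:02:11 +0000] "GET /engineering/engineeringnews/engineeringnews.php?id=42%27 HTTP/1.1" 500 312',
    '198.51.100.7 - - [28/Aug/2013:10:02:30 +0000] "GET /engineering/index.php?id=42%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 500 on a request with a quoted `id`, as in the third sample line, is the classic sign that the value reached the SQL parser unescaped, which is worth a separate alert even without recognisable SQL keywords.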