OCS Inventory NG 1.02 - Directory Traversal
OCS Inventory NG - Directory Traversal (May 30 2009)
___

* Product
  Open Computer and Software (OCS) Inventory NG (http://www.ocsinventory-ng.org)

* Vulnerable Versions
  OCS Inventory NG 1.02 (Unix)

* Vendor Status
  Vendor has been notified and the vulnerability has been fixed in version 1.02.1.

* Details
  The Open Computer and Software (OCS) Inventory Next Generation (NG) provides relevant inventory information about system configurations and software on the network. The server can be managed using a web interface.

  It is possible for unauthenticated users to extract arbitrary files from the hosting system due to inadequate file handling in cvs.php: the user-supplied `rep' and `log' parameters are concatenated into a file path without any validation.

  cvs.php:

    } elseif (isset($_GET['log'])){
        if (file_exists($_GET['rep'].$_GET['log'])){
            $tab = file($_GET['rep'].$_GET['log']);
            while(list($cle,$val) = each($tab)) {
                $toBeWritten .= $val."\r\n";
            }
            $filename=$_GET['log'];
        }
    }

* Impact
  Attackers may be able to read arbitrary files from the hosting system.

* Exploit
  The vulnerability can be exploited by just using a web browser:
  http://example.org/ocsreports/cvs.php?log=/etc/passwd
___
http://www.leidecker.info/advisories/2009-05-30-ocs_inventory_ng_directory_traversal.shtml

Nico Leidecker - http://www.leidecker.info
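A hardened form of that log-reading branch, added here as an example and not code from OCS Inventory NG or its author; the LOG_BASE path and the resolve_log_path() helper are assumptions, and the check generalises to any "serve a file named by the client" endpoint.

```php
<?php
// Added example, not OCS Inventory NG's own code: a hardened form of the
// cvs.php log-reading branch quoted in the advisory. The original passes
// $_GET['rep'].$_GET['log'] straight to file_exists() and file(), so any
// readable path on the host can be requested.
//
// Assumptions (not from the advisory): log files live directly under LOG_BASE
// (hypothetical path) and nothing else should ever be served. Needs PHP >= 7.1.
define('LOG_BASE', '/var/lib/ocsinventory-reports/logs');

/**
 * Map a requested log name to a regular file inside $base, or return null.
 * Only a bare file name is accepted: no directory part, no "..", no NUL bytes.
 */
function resolve_log_path(string $base, string $log): ?string
{
    if ($log === '' || $log === '.' || $log === '..' || basename($log) !== $log
        || strpos($log, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() resolves symlinks too, so a link inside the log directory
    // that points elsewhere fails the prefix check instead of being followed.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $log);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

if (isset($_GET['log'])) {
    // The `rep' parameter is no longer read from the request at all.
    $path = resolve_log_path(LOG_BASE, (string) $_GET['log']);
    if ($path === null) {
        http_response_code(404);
        exit('No such log');
    }
    $toBeWritten = '';
    foreach (file($path, FILE_IGNORE_NEW_LINES) as $val) {
        $toBeWritten .= $val . "\r\n";
    }
    $filename = basename($path);
}
```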
OCS Inventory NG 1.02 - Multiple SQL Injections
OCS Inventory NG - Multiple SQL Injections (May 30 2009)
___

* Product
  Open Computer and Software (OCS) Inventory NG (http://www.ocsinventory-ng.org/)

* Vulnerable Versions
  OCS Inventory NG 1.02 (Unix)

* Vendor Status
  Vendor has been notified and the vulnerability has been fixed.

* Details
  The Open Computer and Software (OCS) Inventory Next Generation (NG) provides relevant inventory information about system configurations and software on the network. The server can be managed using a web interface.

  It was found that the application does not properly sanitize user input, which results in multiple SQL injections. Affected are the following scripts:

  - download.php (parameters `N', `DL', `O' and `V')
  - group_show.php (parameter `SYSTEMID')

* Impact
  Attackers may be able to manipulate SQL statements in such a way that they can retrieve, create or modify information stored in the database. Furthermore, the SQL injection might allow attackers to get a foothold on the underlying system.

* Exploit
  The vulnerability can be exploited by just using a web browser:
  http://example.org/ocsreports/download.php?n=1&dl=2&o=3&v=4'union+all+select+concat(id,':',passwd)+from+operators%23
___
http://www.leidecker.info/advisories/2009-05-30-ocs_inventory_ng_sql_injection.shtml

Nico Leidecker - http://www.leidecker.info
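The fix for parameters like these, as an added example (not the project's or the author's code): validate each value against the type the query expects and hand it to the database as a bound parameter. The table, column names and the in-memory SQLite DSN are assumptions made so the example runs stand-alone; the same PDO calls work with the MySQL driver, and the same approach applies to the `selmenuid' and `mb_tracker' cases in the Papoo and Elxis reports below.

```php
<?php
// Added example, not OCS Inventory NG's own code. It shows the two controls
// that close the download.php / group_show.php injections described in the
// advisory: validate each parameter against the type the query expects, and
// pass it to the database as a bound parameter instead of pasting it into SQL.
//
// Assumptions (not in the advisory): the real scripts use MySQL; the table
// and column names below are hypothetical, and an in-memory SQLite database is
// used only so this file runs on its own. Needs PHP >= 7.1 with pdo_sqlite.

/** Return an int for an integer-looking request value, or null otherwise. */
function require_int(array $params, string $name): ?int
{
    if (!isset($params[$name])) {
        return null;
    }
    $v = filter_var($params[$name], FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Vulnerable shape, for comparison only (never built or run here):
//   "SELECT ... WHERE n = '" . $_GET['n'] . "' AND v = '" . $_GET['v'] . "'"

/** Hardened lookup: every user value reaches SQL only as a bound parameter. */
function find_download(PDO $db, array $params): ?array
{
    $n = require_int($params, 'n');
    $v = require_int($params, 'v');
    if ($n === null || $v === null) {
        return null; // rejects anything that is not a plain integer, e.g. "4'union..."
    }
    $stmt = $db->prepare('SELECT id, name FROM downloads WHERE n = :n AND v = :v');
    $stmt->bindValue(':n', $n, PDO::PARAM_INT);
    $stmt->bindValue(':v', $v, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE downloads (id INTEGER PRIMARY KEY, n INTEGER, v INTEGER, name TEXT)');
$db->exec("INSERT INTO downloads VALUES (1, 1, 4, 'agent-1.02.tar.gz')");

var_dump(find_download($db, ['n' => '1', 'v' => '4']));  // the matching row
var_dump(find_download($db, ['n' => '1', 'v' => "4'union all select 1,2 from operators#"])); // NULL
```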
Papoo CMS 3.6 - Access Restriction Bypass
Papoo Content Management System Backend Access Restriction Bypass (Jun 24 2007)
___

* Product
  Papoo Content Management System

* Vulnerable Versions
  Papoo 3.6 and maybe prior

* Vendor Status
  The Vendor was notified and the issue was fixed. A patch is available at http://www.papoo.de/index/menuid/204/reporeid/215

* Details
  The Papoo Content Management System provides several administration plugins in order to switch the application into debug mode or to create a database backup, for instance. By default, the plugins are only available to the administrator. The application however fails to check the user's privileges and allows any user with access to the backend to access these administration pages.

  The database backup plugin dumps the whole database into a file that can be reviewed afterwards. The dump can also include the complete user table with all usernames and password hashes. The backup page can be directly accessed via:
  http://example.org/interna/plugin.php?template=devtools/templates/newdump_backend.html

* Impact
  Attackers may be able to access the administration plugins and, for instance, create or remove plugins or dump the database and get password hashes from the backup file.

* Exploit
  No exploit required.
___

Nico Leidecker - http://www.leidecker.info
Papoo CMS 3.6 - SQL Injection
Papoo Content Management System Backend SQL Injection (Jun 24 2007)
___

* Product
  Papoo Content Management System

* Vulnerable Versions
  Papoo 3.6 and maybe prior

* Vendor Status
  The Vendor was notified and the issue was fixed. A patch is available at http://www.papoo.de/index/menuid/204/reporeid/215

* Details
  The Papoo Content Management System is prone to an SQL Injection that can be exploited by any user with access to the backend system and with privileges to modify the navigation menu. The application will get the read and publish privileges for every usergroup and for every menu item that is meant to be edited and specified by the `selmenuid' GET parameter. It fails to sanitize the value of the parameter.

* Impact
  Attackers may be able to execute arbitrary SQL queries.

* Exploit
  No exploit required.
___

Nico Leidecker - http://www.leidecker.info
Having Fun With PostgreSQL
Dear list,

I'd like to present a paper about security issues with PostgreSQL. The paper describes weaknesses in the configuration that may allow attackers to escalate privileges, execute shell commands and upload arbitrary (binary) files via SQL injections.

You can either get the TXT version from
http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt

or as PDF at
http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf

The paper comes with a tool called `pgshell' that can be downloaded at
http://www.leidecker.info/pgshell/

Cheers,
Nico
Papoo CMS - Multiple Cross Site Scripting
Papoo Content Management System Multiple Cross Site Scriptings (Jun 12 2007)
---

* Product
  Papoo Content Management System

* Vulnerable Versions
  Papoo Light 3.6

* Vendor Status
  The Vendor was notified and the issue fixed. A patch is available at:
  http://www.papoo.de/index/menuid/204/reporeid/215

* Details
  The Papoo Content Management System is prone to multiple Cross Site Scripting vulnerabilities. The application fails to sanitize user input from certain characters in three cases:

  1) The argument list of GET requests is shown in the page source and may contain script code.
  2) Visitor comments will appear in a message list in the internal administration interface. The Title can contain script code that will be executed in the administrator's browser.
  3) Internally sent messages between CMS users are shown unfiltered in the message overview. (This requires a minimal set of privileges.)

* Impact
  An attacker might be able to gain administrator privileges.

* Exploit
  No exploit required.
---

Copyright (C) Nico Leidecker 2007 - http://www.leidecker.info

Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of the author. The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Elxis CMS <= 2006.4 - Banner Module - SQL Injection
Elxis Content Management System Banner Mod SQL Injection (Jun 14 2007)
---

* Product
  Elxis Content Management System

* Vulnerable Versions
  All versions up to 2006.4 of the Elxis CMS.

* Vendor Status
  The Vendor was notified and the issue fixed. A patch can be found at:
  http://www.elxis.org/index.php?option=com_mtree&task=viewlink&link_id=98&Itemid=140

* Details
  The banner module of the Elxis Content Management System is vulnerable to an SQL injection. The module keeps track of already displayed banners and stores their IDs in a cookie named `mb_tracker'. The cookie value is then used in an SQL query to get the next, not yet shown banner.

* Impact
  By modifying the cookie value, an attacker might be able to execute SQL queries.

* Exploit
  No exploit required.
---

Copyright (C) Nico Leidecker 2007 [EMAIL PROTECTED]

Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of the author. The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.