OCS Inventory NG 1.02 - Directory Traversal

2009-06-03 Thread Nico Leidecker
OCS Inventory NG - Directory Traversal  (May 30 2009)
___


* Product

  Open Computer and Software (OCS) Inventory NG
  (http://www.ocsinventory-ng.org)


* Vulnerable Versions

  OCS Inventory NG 1.02 (Unix)


* Vendor Status

  Vendor has been notified and the vulnerability has been fixed in
version 1.02.1.


* Details

  The Open Computer and Software (OCS) Inventory Next Generation (NG)
provides relevant inventory information about system configurations and
software on the network. The server can be managed using a web
interface. It is possible for unauthenticated users to extract arbitrary
files from the hosting system due to inadequate file handling in cvs.php.

  cvs.php:

  } elseif (isset($_GET['log'])) {
      // The path is assembled from two untrusted GET parameters ('rep' and
      // 'log') and never checked against a base directory, so any file the
      // web server can read may be requested (e.g. log=/etc/passwd).
      if (file_exists($_GET['rep'].$_GET['log'])) {
          $tab = file($_GET['rep'].$_GET['log']);
          while (list($cle, $val) = each($tab)) {
              $toBeWritten .= $val."\r\n";
          }
          // The user-supplied name is reused as the download file name.
          $filename = $_GET['log'];
      }
  }


* Impact

  Attackers may be able to read arbitrary files from the hosting system.


* Exploit

  The vulnerability can be exploited by just using a web browser:

http://example.org/ocsreports/cvs.php?log=/etc/passwd

___
http://www.leidecker.info/advisories/2009-05-30-ocs_inventory_ng_directory_traversal.shtml
Nico Leidecker - http://www.leidecker.info
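As an added example (not the OCS Inventory NG project's own code, nor the vendor's fix shipped in 1.02.1), a hardened form of the cvs.php log handler that pins the lookup to a fixed directory and canonicalises the path before reading it. The base directory LOG_DIR, the `.log` suffix rule and the helper name safe_log_path() are assumptions made for this illustration.

```php
<?php
// Added example, not OCS Inventory NG code. LOG_DIR, the ".log" naming rule
// and safe_log_path() are assumptions for this illustration.

const LOG_DIR = '/var/lib/ocsinventory-reports/logs';

/**
 * Resolve a user-supplied log name to a path inside LOG_DIR, or return null.
 * The original code passed $_GET['rep'].$_GET['log'] straight to
 * file_exists()/file(), so an absolute path or '../' sequences could name
 * any readable file on the host. Here the directory is fixed server-side and
 * the 'rep' parameter is not used at all.
 */
function safe_log_path(string $requested): ?string
{
    // 1. Accept only a plain file name from a conservative character set:
    //    no directory separators, no NUL bytes, no parent references.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.log$/', $requested)
        || strpos($requested, '..') !== false) {
        return null;
    }

    // 2. Canonicalise both sides and require the resolved file to sit below
    //    the resolved base directory; this also defeats symlinks that point
    //    out of LOG_DIR. realpath() returns false for non-existent paths.
    $base = realpath(LOG_DIR);
    $full = realpath(LOG_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

if (isset($_GET['log'])) {
    $path = safe_log_path((string) $_GET['log']);
    if ($path === null) {
        // Covers both malformed names and files outside LOG_DIR; do not echo
        // the rejected value back, so the response leaks nothing about paths.
        http_response_code(404);
        exit('log not found');
    }
    header('Content-Type: text/plain');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}
```

With this handler a request such as the advisory's `cvs.php?log=/etc/passwd` fails the first check (it contains a slash), and a name that passes the regex but resolves outside LOG_DIR fails the second.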


OCS Inventory NG 1.02 - Multiple SQL Injections

2009-06-01 Thread Nico Leidecker
OCS Inventory NG - Multiple SQL Injections (May 30 2009)
___


* Product

  Open Computer and Software (OCS) Inventory NG
  (http://www.ocsinventory-ng.org/)

* Vulnerable Versions

  OCS Inventory NG 1.02 (Unix)


* Vendor Status

  Vendor has been notified and the vulnerability has been fixed.


* Details

  The Open Computer and Software (OCS) Inventory Next Generation (NG)
provides relevant inventory information about system configurations and
software on the network. The server can be managed using a web
interface. It was found that the application does not properly sanitize
user input, which results in multiple SQL injections.

  Affected are the following scripts:

  - download.php (parameters `N', `DL', `O' and `V')
  - group_show.php (parameter `SYSTEMID')

* Impact

  Attackers may be able to manipulate SQL statements in such a way that
they can retrieve, create or modify information stored in the database.
Furthermore, the SQL injection might allow attackers to get a foothold
on the underlying system.

* Exploit

  The vulnerability can be exploited by just using a web browser:


http://example.org/ocsreports/download.php?n=1&dl=2&o=3&v=4'union+all+select+concat(id,':',passwd)+from+operators%23


___
http://www.leidecker.info/advisories/2009-05-30-ocs_inventory_ng_sql_injection.shtml
Nico Leidecker - http://www.leidecker.info



Papoo CMS 3.6 - Access Restriction Bypass

2007-06-25 Thread Nico Leidecker
Papoo Content Management System Backend Access Restriction Bypass (Jun 24 2007)
___


* Product

  Papoo Content Management System


* Vulnerable Versions

  Papoo 3.6 and maybe prior

  
* Vendor Status

  The Vendor was notified and the issue was fixed.
  A patch is available at http://www.papoo.de/index/menuid/204/reporeid/215


* Details

  The Papoo Content Management System provides several administration plugins
  in order to switch the application into debug mode or to create a database 
  backup, for instance. By default, the plugins are only available to the 
  administrator. The application however fails to check the user's privileges 
  and allows any user with access to the backend to access these administration 
  pages.

  The database backup plugin dumps the whole database into a file that can be 
  reviewed afterwards. The dump can also include the complete user table with 
  all usernames and password hashes. The backup page can be directly accessed 
  via:

http://example.org/interna/plugin.php?template=devtools/templates/newdump_backend.html

* Impact

  Attackers may be able to access the administration plugins and for instance 
  create or remove plugins or to dump the database and get password hashes 
  from the backup file.


* Exploit

  No exploit required.


___

Nico Leidecker - http://www.leidecker.info




Papoo CMS 3.6 - SQL Injection

2007-06-25 Thread Nico Leidecker
Papoo Content Management System Backend SQL Injection (Jun 24 2007)
___


* Product

  Papoo Content Management System


* Vulnerable Versions

  Papoo 3.6 and maybe prior

  
* Vendor Status

  The Vendor was notified and the issue was fixed.
  A patch is available at http://www.papoo.de/index/menuid/204/reporeid/215


* Details

  The Papoo Content Management System is prone to an SQL Injection that can be
  exploited by any user with access to the backend system and with privileges
  to modify the navigation menu.
  
  The application will get the read and publish privileges for every usergroup 
  and for every menu item that is meant to be edited and specified by the 
  `selmenuid' GET parameter. It fails to sanitize the value of the parameter.


* Impact

  Attackers may be able to execute arbitrary SQL queries.


* Exploit

  No exploit required.


___

Nico Leidecker - http://www.leidecker.info




Having Fun With PostgreSQL

2007-06-16 Thread Nico Leidecker
Dear list,

I'd like to present a paper about security issues with PostgreSQL. The paper 
describes weaknesses in the configuration that may allow attackers to escalate 
privileges, execute shell commands and to upload arbitrary (binary) files via 
SQL injections.

You can either get the TXT version from 
http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
or as PDF at 
http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf

The paper comes with a tool called `pgshell' that can be downloaded at 
http://www.leidecker.info/pgshell/

Cheers,
Nico




Papoo CMS - Multiple Cross Site Scripting

2007-06-15 Thread Nico Leidecker
Papoo Content Management System Multiple Cross Site Scriptings (Jun 12 2007)
---

* Product

  Papoo Content Management System

* Vulnerable Versions

  Papoo Light 3.6
  
* Vendor Status

  The Vendor was notified and the issue fixed.
  A patch is available at: http://www.papoo.de/index/menuid/204/reporeid/215

* Details

  The Papoo Content Management System is prone to multiple Cross Site Scripting
  vulnerabilities. The application fails to sanitize user input from certain 
  characters in three cases:

  1) The argument list of GET requests is shown in the page source and may
     contain script code.

  2) Visitor comments will appear in a message list in the internal
     administration interface. The Title can contain script code that will be
     executed in the administrator's browser.

  3) Internally sent messages between CMS users are shown unfiltered in the
     message overview. (This requires a minimal set of privileges.)

* Impact

  An attacker might be able to gain administrator privileges.

* Exploit

  No exploit required.

---
Copyright (C) Nico Leidecker 2007 - http://www.leidecker.info

Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of the author.

The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor be held liable for any damages whatsoever arising out of or
in connection with the use or spread of this information.



Elxis CMS <= 2006.4 - banner module - sql injection

2007-06-14 Thread Nico Leidecker
Elxis Content Management System Banner Mod SQL Injection (Jun 14 2007)
---

* Product

  Elxis Content Management System

* Vulnerable Versions

  All versions up to 2006.4 of the Elxis CMS.
  
* Vendor Status

  The Vendor was notified and the issue fixed.
  A patch can be found at:
  
http://www.elxis.org/index.php?option=com_mtree&task=viewlink&link_id=98&Itemid=140

* Details

  The banner module of the Elxis Content Management System is vulnerable to an
  SQL injection. The module keeps track of already displayed banners and stores 
  their IDs in a cookie named `mb_tracker'. The cookie value is then used in 
  an SQL query to get the next, not yet shown banner. 

* Impact

  By modifying the cookie value, an attacker might be able to execute SQL 
  queries.

* Exploit

  No exploit required.

---
Copyright (C) Nico Leidecker 2007 [EMAIL PROTECTED].


