[Full-disclosure] Django admin list filter data extraction / leakage

to exploit this vulnerability. Here's looking at you CMS apps! CREDIT: This vulnerability was discovered by Adam Baldwin mailto:adam_bald...@ngenuity-is.commailto:adam_bald...@ngenuity-is.com REFERENCES: [1] - http://www.djangoproject.com [2] - http://www.djangoproject.com/weblog/2010/dec/22/security

[Full-disclosure] Nagios XI users.php SQL Injection

of this query. Credits This vulnerability was discovered by Adam Baldwin Original Advisory: http://ngenuity-is.com/advisories/2010/aug/24/nagios-xi-usersphp-sql-injection/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure

[Full-disclosure] Nagios XI Login XSS

. Technical Description Here is a non-malicious example. The input after login.php is inserted into the permalink_base variable without being sanitized. http://example.com/nagiosxi/login.php?%22;alert%281%29;// Credits This vulnerability was discovered by Adam Baldwin Original Advisory http

[Full-disclosure] Nagios XI 2009R1.2B Multiple CSRF

Advisory Information Advisory ID: NGENUITY-2010-006 Date published: Aug. 7, 2010 Class: Cross-Site Request Forgery (CSRF) Software Description Nagios XI is the commercial / enterprise version of the open source Nagios project. Vulnerability Description Nagios XI 2009R1.2B

[Full-disclosure] McAfee UTM Firewall Help Reflected Cross-Site Scripting

Advisory Information Advisory ID: NGENUITY-2010-005 Date published: 6/9/2010 Vulnerability Information Class: Reflected Cross-Site Scripting (XSS) Software Description McAfee UTM Firewall (Firmware 3.0.0 to 4.0.6) (formerly SnapGear) is the affected product line. More

Re: [Full-disclosure] Sprint / Verizon MiFi CSRF+CSS Gives up GPS info to attacker

On 1/16/10 8:13 AM, A. Ramos wrote: Hello all, Just another one: you can access to the configuration backup without authentication at: /config.xml.sav If you have the Sprint MiFi with the latest firmware rev (AP 11.47.17 Router 018.0101) The correct path is /config.xml.savefile -Adam

[Full-disclosure] Zenoss Multiple Admin CSRF

nGenuity Information Services - Security Advisory Advisory ID: NGENUITY-2010-002 - Zenoss Multiple Admin CSRF Application: Zenoss 2.3.3 Vendor: Zenoss Vendor website: http://www.zenoss.com Author: Adam Baldwin (adam_bald...@ngenuity-is.com) I. BACKGROUND Zenoss

[Full-disclosure] Zenoss getJSONEventsInfo SQL Injection

nGenuity Information Services -- Security Advisory Advisory ID: NGENUITY-2010-001 - Zenoss getJSONEventsInfo SQL Injection Application: Zenoss 2.3.3 Vendor: Zenoss Vendor website: http://www.zenoss.com Author: Adam Baldwin (adam_bald...@ngenuity-is.com) Authentication: Valid

[Full-disclosure] [NGENUITY] - Ticket Subject Persistent XSS in Kayako SupportSuite

nGenuity Information Services – Security Advisory Advisory ID: NGENUITY-2009-008 - Ticket Subject Persistent XSS in Kayako SupportSuite Application: SupportSuite v3.50.06 Vendor: Kayako Vendor website: http://www.kayako.com Author: Adam Baldwin (adam_bald...@ngenuity-is.com

[Full-disclosure] [NGENUITY] - Spiceworks Multiple Vulnerabilities (XSS CSRF)

nGenuity Information Services - Security Advisory Advisory ID: NGENUITY-2009-009 - Spiceworks Multiple Vulnerabilities (XSS CSRF) Application: Spiceworks 3.6.31847 Vendor: Spiceworks Vendor website: http://www.spiceworks.com Author: Adam Baldwin (adam_bald...@ngenuity

[Full-disclosure] Zabbix Multiple Frontend CSRF (Password reset command execution)

nGenuity Information Services - Security Advisory Advisory ID: NGENUITY-2009-006 - Zabbix Multiple Frontend CSRF Application: Zabbix 1.6.2 Vendor: Zabbix Vendor website: http://www.zabbix.com Author: Adam Baldwin (adam_bald...@ngenuity-is.com) I. BACKGROUND ZABBIX

[Full-disclosure] ExpressionEngine Persistent Cross-Site Scripting

://www.transparent-tech.com/ Author: Adam Baldwin (adam_bald...@ngenuity-is.com) I. BACKGROUND ExpressionEngine is a flexible, feature-rich content management system that empowers thousands of individuals, organizations, and companies around the world to easily manage their website. [1] II

[Full-disclosure] NGENUITY-2009-005 OpenCart Order By Blind SQL Injection

nGenuity Information Services - Security Advisory Advisory ID: NGENUITY-2009-005 - OpenCart Order By Blind SQL Injection Application: OpenCart 1.1.8 Vendor: OpenCart Vendor website: http://www.opencart.com http://www.chambermaster.com Author: Adam Baldwin (adam_bald