control panel
"explorer.exe hcp://CN=Microsoft%20Corporation,L=Re...". You can continue
to use this technique by substituting "explorer.exe hcp://..." for
"helpctr.exe /url hcp://...", without relying on the protocol handler.
* One or two links in explorer, such as selecting "Help" from the Control
Panel category view, may no longer function. If this concerns you, it is
possible to gracefully degrade by replacing the protocol handler with a
command to open a static intranet support page, e.g.
"chrome.exe http://techsupport.intranet".
* As always, if you do not use this feature, consider permanently disabling
-------------------
Webmin is affected by an XSS vulnerability in all versions prior to and
including 1.540.
Webmin fails to sanitize $real in useradmin/index.cgi. $real is the
"Full Name" in the finger information of the user. useradmin/index.cgi
is the control panel of the "Users & Groups" section in webmin.
An attacker that has a normal user on the victim's machine could be
able to change his Full Name with chfn command, inject XSS and execute
commands as root.
Software affected:
Virtualmin < 3.703
Description (from the vendor site):
"Virtualmin is the world's most powerful and flexible web server control
panel.
Manage your virtual domains, mailboxes, databases, applications, and the
entire server, from one comprehensive interface".
Overview:
Virtualmin is prone to multiple vulnerabilities.
# Name : aliboard Beta Upload Shell From ControlPanel
# Download From : http://www.alilg.com/software/free-opensource-bulletin-board/
# Found By : RoMaNcYxHaCkEr [RoMaNTiC-TeaM]
# Home Page : WwW.4RxH.CoM
# Google Dork : Powered by aliboard © 2006, 2007 alilg web-based software
2. BACKGROUND
AEF has a very simple and easy to use Administration Panel and
installing this software is a piece of cake! You can install new
themes, customize themes the way you want. The User Control Panel has
a simple yet beautiful interface where users can set their preferences
for the board.
3. VULNERABILITY DESCRIPTION
-:: Solution ::-
A patch is available from http://members.vbulletin.com
Alternatively, search for "database_ingo" in the Phrase Manager
within the Admin Control Panel, and delete or edit all critical details.
Disclosure Information:
- vBulletin Security Notice & Patch: 22nd July 2010
- Vulnerability Researched and Disclosed: 22nd July
Application : PhpHostBot
version : <= 1.06
Vendor : http://www.idevspot.com/PhpHostBot.php
Description :
PhpHostBot is a webware PHP application which integrates with the popular Cpanel(WHM) web hosting control panel.
PhpHostBot supports Paypal subscriptions, free web hosting, Subdomain and Reseller account setup
and supports both dedicated server and Reseller web hosting companies
---------------------------------------------------------------------------
=======================================================================
Discussion
The XSS in question exists on the log viewing page of the admin control panel.
When a missing page is requested, a log is created in the admin area, however
the inputs to this log lack sanitation. The script name is taken from
basename(PHP_SELF), while the action is taken from _REQUEST['do']. Either one
can be used for introducing XSS vectors.
| Asterisk Open | 1.4.10, available from |
| Source | http://downloads.digium.com/pub/telephony/asterisk |
|---------------+--------------------------------------------------------|
| AsteriskNOW | Beta7, available from http://www.asterisknow.org/. |
| | Beta5 and Beta6 users can update using the system |
| | update feature in the appliance control panel. |
|---------------+--------------------------------------------------------|
| Asterisk | 0.7.0, available from |
| Appliance | http://downloads.digium.com/pub/telephony/aadk |
| Developer Kit | |
|---------------+--------------------------------------------------------|
underlying database implementation. The interesting vulnerability in "ticket_escalate.php"
is that from the user side, HTML injections are shown in the Admin CP "admin/ticket_escalate.php".
Such attacks can be crafted where an attacker may inject code where it will send the admin's
cookies to a remote attacker when the admin goes to view "ticket_escalate.php". We also see that
in "/admincp/techs.php", if the attacker injects code into the submit form, "techs.php" is
affected in the Admin Control Panel. Also, when we set Workflow in ticket_rules_web.php
with HTML injection we get an injection result. Then there is "/admincp/user_help.php?do=new_entry".
This simply allows one to inject any code into the PHP file.
Hackers Center Security Group (http://www.hackerscenter.com)
DDMI requires the Windows SNMP service for its operation. If necessary DDMI will install and configure the Windows SNMP service using the Windows default security settings. As a result the SNMP read community string may be set to public.
To modify the default security configuration of the Windows SNMP service:
Open the Windows Services Control Panel applet, select Administrative Tools and then select Services.
Select the SNMP Service, right click on it and select Properties and navigate to the Security tab.
Amend the security settings as required to change the default read community string to a value other than public.
Add the updated read community string to the appropriate DDM Inventory SNMP profile.
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
# UAG Client MicrosoftClient.jar
SHA1-Digest-Manifest: dBKbNW1PZSjJ0lGcCeewcCrYx5g=
Remove the affected trusted certificate (see fingerprint above) of
Microsoft Corporation from the Java control panel (jcontrol) from all
clients.
Don't fully trust signed Java applets (in general).
This workaround can be applied to MAC, Linux, and Windows systems by
CVE ID : CVE-2011-3195 CVE-2011-3196 CVE-2011-3197 CVE-2011-3198
CVE-2011-3199
Debian Bug : 637469 637477 637485 637584 637629 637630 637618 637537 637487 637632 637669
Ansgar Burchardt, Mike O'Connor and Philipp Kern discovered multiple
vulnerabilities in DTC, a web control panel for admin and accounting
hosting services:
CVE-2011-3195
A possible shell insertion has been found in the mailing list
Confidentiality Impact: Major
Integrity Impact: Major
Availability Impact: Major
Overview:
SWsoft Plesk is a comprehensive control panel solution used by leading
hosting providers worldwide for shared, virtual and dedicated hosting.
Vulnerability:
A SQL injection vulnerability exists in the Plesk application. Please
see the following:
services protected by plesk authentication modules on at least the
current Plesk 8.6.0 Unix/Linux and could e.g. be used for relaying spam
through gained smtp auth privileges.
Only systems which allow short mail login names (SHORTNAMES=1) are
affected, which is not the default but is e.g. effective after migrating
from Confixx control panel or by administrator's manual choice.
My current advice is to disable short login names through control panel
under Server -> E-Mail until the issue is resolved.
| Edition | |
|---------------+--------------------------------------------------------|
| AsteriskNOW | 1.0.2, available from http://www.asterisknow.org/ |
| | |
| | Current users can update using the system update |
| | feature in the appliance control panel. |
|---------------+--------------------------------------------------------|
| Asterisk | Asterisk 1.4 revision 109386. Available by performing |
| Appliance | an svn update of the AADK tree. |
| Developer Kit | |
|---------------+--------------------------------------------------------|
| Source | http://ftp.digium.com/pub/asterisk |
|---------------+--------------------------------------------------------|
| AsteriskNOW | Beta6, available from |
| | http://www.asterisknow.org/. |
| | Users can update using the system update feature in |
| | the appliance control panel. |
|---------------+--------------------------------------------------------|
| Asterisk | 0.6.0, available for download from |
| Appliance | http://ftp.digium.com/pub/aadk |
| Developer Kit | |
|---------------+--------------------------------------------------------|
In the above topic they try to pass off the XSS as difficult to exploit,
with low exposure and damage. This advisory is here to detail what the
XSS is and how wrong Jelsoft are for assuming that XSS is harmless.
First, the discussion of exactly what the exploit is. The XSS in question
exists on the login page for the ACP (admin control panel). The login
script takes a redirect parameter that lacks sanitation, allowing a
rather easy XSS:
http://localhost/vB3/admincp/index.php?redirect={XSS}
Description
-----------
Interspire Shopping Cart (ISC) is ecommerce software that includes everything you need to start, run, promote and profit from your online store. It combines easy-to-customize store designs with marketing tools proven to significantly increase your sales.
In v4.0.1, ISC suffers from an authentication bypass problem. This allows anyone to login to ISC's control panel without knowing the administrator's password.
The problem is with ``class.auth.php``'s ``ProcessLogin`` function. This function sets a HTTPOnly cookie flag ``RememberToken`` too early in the process, even before the user is authenticated. A malicious user could force ``ProcessLogin`` to set this cookie by ticking on ``Remember me`` at the login page, entering a targeted username such as ``admin``, and anything as password. This first attempt will fail, but the cookie is already set, and ready to authenticate him/her to the control panel.
Blue Moon Consulting has verified the bug in version 4.0.1 Ultimate edition being showcased at http://www.interspire.com/shoppingcart/demo.php. It is highly likely that it also exists in older versions.
VaLiuS has reported a vulnerability in Ragnarok Online Control Panel,
which can be exploited by malicious people to bypass certain security
restrictions.
The vulnerability is caused due to an error in the authentication
process when checking page access. This can be exploited to bypass
the authentication process via a specially crafted URL with an
appended non-restricted page.
The /.../ refers to directory crawling
| Edition | |
|---------------+--------------------------------------------------------|
| AsteriskNOW | Beta7, available from http://www.asterisknow.org/. |
| | |
| | Beta5 and Beta6 users can update using the system |
| | update feature in the appliance control panel. |
|---------------+--------------------------------------------------------|
| Asterisk | Asterisk 1.4 revision 95946. Available by performing |
| Appliance | an svn update of the AADK tree. |
| Developer Kit | |
|---------------+--------------------------------------------------------|
HOW TO USE THIS VULN?
ANSWER IS BELOW>>>>>>>
1.REG WITH VICTIM FORUM
2.GO TO USER CONTROL PANEL
3.EDIT YOUR SIGNATURE BY THIS CODE
<html>
<head>
Debian-specific: no
CVE ID : CVE-2011-0434 CVE-2011-0435 CVE-2011-0436 CVE-2011-0437
Debian Bug : 614302
Ansgar Burchardt discovered several vulnerabilities in DTC, a web
control panel for admin and accounting hosting services.
CVE-2011-0434
The bw_per_moth.php graph contains an SQL injection vulnerability.
CVE-2011-0435
| Asterisk Open | 1.4.11, available from |
| Source | http://downloads.digium.com/pub/telephony/asterisk |
|---------------+--------------------------------------------------------|
| AsteriskNOW | Beta7, available from http://www.asterisknow.org/. |
| | Beta5 and Beta6 users can update using the system |
| | update feature in the appliance control panel. |
|---------------+--------------------------------------------------------|
| Asterisk | 0.8.0, available from |
| Appliance | http://downloads.digium.com/pub/telephony/aadk |
| Developer Kit | |
|---------------+--------------------------------------------------------|
IV - ADMIN SESSION HIJACKING
When an administrator logs in and goes to the Admin Control
Panel (ACP), a session id is generated. Cookies can be
deleted, we just need the SID to be logged in the ACP.
The SID is sent for each request (variable "adsess"),
through the GET method.
When an Admin wants to edit a member signature, if he clicks
print " 1 - PHP code execution\n\n";
print " -url IPB url with ending slash\n\n";
print " -uname targeted username\n";
print " -uid OR the targeted user id (def: 1)\n\n";
print " -prefix sql table prefix (def: ibf_)\n";
print " -acp admin control panel path (def: admin)\n\n\n";
print " 2 - Insecure SQL password usage\n\n";
print " -ip your current IP\n";
print " -dict a wordlist file\n\n";
print " -url IPB url with ending slash\n";
print " -uname a valid member username\n";
=======================================================================
Discussion
The XSS in question exists on the login page for the MCP (moderation
control panel).
The login script takes a redirect parameter that lacks sanitation, allowing a
rather easy XSS:
http://localhost/vB3/modcp/index.php?redirect={XSS}