pw_chars.extend([x for x in range(97, 103)])
pw_chars.sort()
todo = [('', 0, 255)]
while len(todo):
    (found, start, end) = todo.pop()
    if start == 0 and end == 255 and check("WHERE user_name = '" + found + "'"):
        sys.stdout.write(found + " ")
        sys.stdout.flush()
    for i in range(35):
Hello Bugtraq!
I want to warn you about security vulnerabilities in eSitesBuilder. It's a
Ukrainian CMS which is used particularly for e-commerce sites.
I found these vulnerabilities in 2007-2008 at one online shop site
(and later I found some of these vulnerabilities at another site on this
engine). And recently I found that this engine for online shops is
eSitesBuilder.
-----------------------------
Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
Description
***********
Multiple Linked XSS and XSRF vulnerabilities found in Adobe Coldfusion Server 8. An attacker can create an evil link and steal the administrator's cookie.
Details
*******
> Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
>
> Description
> ***********
>
> Multiple Linked XSS and XSRF vulnerabilities found in Adobe Coldfusion Server 8. An attacker can create an evil link and steal the administrator's cookie.
>
>
> Details
> *******
>
1. SiXSS in POST: an attacker can inject XSS code into the SQL error message.
1.1 Vulnerabilities found in script index.php?do=myprofile.
POST parameters "tasks_perpage", "time_zone", "account_enabled", "notify_own".
Example:
CVE Name: CVE-2009-0920, CVE-2009-0921
3. *Vulnerability Description*
Several buffer overflows have been found in HP OpenView Network Node
Manager, which can be exploited to remotely compromise a user's system.
4. *Vulnerable packages*
Details
*******
1. Local File Include vulnerability found in script /module.php
Vulnerable GET parameter "link".
First discovered by Zero_X [http://secunia.com/advisories/10604/].
The vendor fixed this vulnerability in version 2.0.3 by adding verification for this parameter.
---------------------------------------------------------------------
2. Multiple SQL Injections
2.1 Vulnerability found in script index.php in header parameter "Referer"
Example:
GET /dokeos/index.php HTTP/1.0
Affected: 2007.0, 2007.1, 2008.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
A number of vulnerabilities were found and fixed in the Apache 2.2.x
packages:
A flaw found in the mod_imagemap module could lead to a cross-site
scripting attack on sites where mod_imagemap was enabled and an
imagemap file was publicly available (CVE-2007-5000).
Aaron Plattner discovered a buffer overflow in the Composite extension
of the X.org X server, which if exploited could lead to local privilege
escalation (CVE-2007-4730).
An input validation flaw was found in the X.org server's XFree86-Misc
extension that could allow a malicious authorized client to cause
a denial of service (crash), or potentially execute arbitrary code
with root privileges on the X.org server (CVE-2007-5760).
A flaw was found in the X.org server's XC-SECURITY extension that
This release fixes a security vulnerability in which Workstation
was starting registered Windows services in an insecure manner.
This vulnerability could allow a malicious user to escalate user
privileges.
Thanks to Foundstone for discovering this vulnerability.
Hosted products
---------------
VMware Workstation 6.0.0 upgrade to version 6.0.1 (Build# 55017)
VMware Workstation 5.5.4 upgrade to version 5.5.5 (Build# 56455)
Firefox at my site. I made full disclosure because Mozilla completely
ignored a similar vulnerability, which I informed them about in August 2009, like
all other vulnerabilities in Firefox which I wrote about in 2009 in my article
Cross-Site Scripting attacks via redirectors
(http://websecurity.com.ua/3386/). After that release I made additional
checks of this vulnerability in different browsers and found that Opera
10.53 is vulnerable (to new and old holes), while version Opera 9.52 was
not vulnerable. It looks like Opera ignored my article Cross-Site Scripting
attacks via redirectors and those two vulnerabilities (two attack vectors
via redirectors), which I told them about in 2009, and added two new attack
vectors via redirectors.
Affected: 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been found and corrected in imagemagick:
Untrusted search path vulnerability in configure.c in ImageMagick
before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows
local users to gain privileges via a Trojan horse configuration file
in the current working directory (CVE-2010-4167).
Affected: 2011.
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been found and corrected in imagemagick:
A flaw was found in the way ImageMagick processed images with malformed
Exchangeable image file format (Exif) metadata. An attacker could
create a specially-crafted image file that, when opened by a victim,
would cause ImageMagick to crash or, potentially, execute arbitrary
16.05.2010 - found vulnerability.
17.05.2010 - disclosed at my site.
18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
Found on the 16th
Blogged on the 17th
Told vendors on the 18th
Posted here on the 18th
You can confirm it yourself. Just find a site on XAMPP (Google can help
you with it) and check the holes using the PoCs which I provided.
> and what target of xampp is it ? win32 ? linux ?
As far as I remember last year when I found all these vulnerabilities in
XAMPP, it was XAMPP on Windows servers on all those sites where I found
these holes.
In 99% of cases I'm researching vulnerabilities in the Web at real sites,
not at localhost (at localhost I can check for holes only in software which
default.
C) "JSP Dump" reflected XSS
(Affected versions: Any)
It has been found that the demo "JSP Dump" feature is vulnerable to
reflected Cross Site Scripting attacks. This can be replicated by
issuing a GET request to the "/test/jsp/dump.jsp" page:
"/test/jsp/dump.jsp?%3Cscript%3Ealert(%22hello%20world%22)%3C/script%3E"
Any GET key and value that reaches the remote is reflected unencoded.
different domains and any files stored on local filesystems.
The bug is related to a lack of enforcement of security policies
assigned to URL Security Zones [2] when content from the corresponding
zone is loaded and rendered from a local file. These issues have been
found in the way that security policies are applied when a URI is
specified in the UNC form (i.e., '\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'):
1. When a remote site attempts to access a local resource, IE will
fail to enforce the Zone Elevation restrictions.
2. When browsing a remote site, IE will not properly enforce the
options. Please visit www.torrenttrader.org for the support forums.
http://sourceforge.net/projects/torrenttrader
List of found vulnerabilities
===============================================================================
1. SQL Injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$exit=0;
$i=0;
while($exit==0){
    my $searchinjected="searchterm=".$_[2]."')>'1')/*y3nh4ck3r*/AND/*y3nh4ck3r*/(SELECT/*y3nh4ck3r*/length(mail)/*y3nh4ck3r*/FROM/*y3nh4ck3r*/users/*y3nh4ck3r*/WHERE/*y3nh4ck3r*/id=".$_[1].")=".$i++."#"; #injected code
    $output=&request($_[0],$searchinjected);
    if ( $output =~ (/No Results Found./))
    {
        $exit=0;
    }else{
        $exit=1;
    }
specified within each form, meaning you don't need programming knowledge
or multiple scripts for multiple forms. This also makes FormMail the
perfect system-wide solution for allowing users form-based user feedback
capabilities without the risks of allowing freedom of CGI access. There
are several downloading options available below and more information on
this script can be found in the Readme file. FormMail is quite possibly
the most used CGI program on the internet, having been downloaded over
2,000,000 times since 1997.
II. DESCRIPTION
Abstract
====================================================
Internet Explorer, especially versions 7 and 6, can be tricked into treating images
as HTML, opening XSS vulnerabilities in software that allows uploads.
In a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to
such attacks.
I Introduction
====================================================
MIME or Content-Type sniffing[1] is a standard functionality in browsers to find
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Several remotely exploitable bugs have been found in CUPS, which allow
remote execution of arbitrary code.
Background
==========
I found and reported this back in 2005/2006. Microsoft told me that it
had been reported previously and that it would be fixed in the next
release, which I'm guessing they meant 2007. I do not know if they
have fixed it in Exchange 2007.
On Sat, Nov 15, 2008 at 5:33 AM, Piergiorgio Venuti
<piergiorgio@gigasec.org> wrote:
> Hi all,
> also I found this vulnerability 1 year ago during a pt and it works fine
> with url obfuscation. I've read that with owa 2007 this vulnerability is
Cisco has released free software updates that address this
vulnerability. There is a workaround for this vulnerability.
Note: This vulnerability is not related in any way to CVE-2008-1447 -
Cache poisoning attacks. Cisco Systems has published a Cisco Security
Advisory for that vulnerability, which can be found at
http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
Risk: CRITICAL
________________________________________________________________________
Vendor communication:
2008/03/07 Initial notification to Apple Inc. n.runs AG has found a
considerable amount of vulnerabilities in Apple's most
up-to-date Default Systems and Default Installed
Products both on Mac OS 10.5 (Leopard) and iPhone 1.1.4,
and intends to send them in several phases to Apple Inc.
bit of code in question can be seen below.
if(empty($UNTRUSTED['department'])){
    $department=0;
} else {
    $department=$UNTRUSTED['department'];
}
// Get department information. First found if no specific department assigned
$qQry = "SELECT recno,messageemail,colorscheme,leavetxt,creditline,onlineimage,leaveamessage,offlineimage,speaklanguage FROM livehelp_departments "
      . (($department==0)? 'LIMIT 1': "WHERE recno=$department");
Affected: Corporate 3.0
_______________________________________________________________________
Problem Description:
A number of vulnerabilities were found and fixed in the Apache 1.3.x
packages:
A flaw found in the mod_autoindex module could lead to a cross-site
scripting attack on sites where mod_autoindex was enabled and the
AddDefaultCharset directive was removed from the configuration,
Affected: 2007.0, 2007.1, 2008.0
_______________________________________________________________________
Problem Description:
An input validation flaw was found in the X.org server's XFree86-Misc
extension that could allow a malicious authorized client to cause
a denial of service (crash), or potentially execute arbitrary code
with root privileges on the X.org server (CVE-2007-5760).
A flaw was found in the X.org server's XC-SECURITY extension that
Affected: Corporate 3.0
_______________________________________________________________________
Problem Description:
A flaw was found in the XFree86 server's XC-SECURITY extension that
could allow a local user to verify the existence of an arbitrary file,
even in directories that are not normally accessible to that user
(CVE-2007-5958).
A memory corruption flaw was found in the XFree86 server's XInput