Because the input variants of this function are not carefully checked and filtered, a hacker is able to insert pieces of code into the path’s link. When users sign in and click this link, the malicious code (JavaScript) will be executed, and users may lose their cookies, session, etc.
The CSRF vulnerability of the software was found in the following modules:
- Delete category
- Delete style sheet
- Delete template
- Delete layout
- Delete group
- Active Permission
While commenting on the XSS vulnerability in WordPress 3.0.1
(http://www.securityfocus.com/archive/1/513250), I mentioned additional
information concerning the XSS vulnerability. These nuances also concern the
below-mentioned vulnerabilities. It's possible to attack via parameter
checked[0], via checked[1] and so on, and also via checked[]. In versions
WP 2.7 and higher it's possible to use parameter action=delete-selected, and
in versions 2.8 and higher it's also possible to use parameter
action2=delete-selected.
XSS (WASC-08):
- Disable/Enable Sidebar
- Feed settings
- Bookmarking
- New post
- Edit a post
- Delete a post
- New page
- Edit a page
- Delete a page
- New navigation item
- Edit a navigation item
* SQL Injection (CVE-2009-3582)
An attacker who is logged into SQL-Ledger (or abuses the missing XSRF protection to execute
requests in the context of a logged-in victim) can modify input variables to perform
SQL injection attacks. One attack is to search for an existing vendor using the »Vendors«
→ »Reports« → »Search« menu. Before submitting the form using the »Delete« button, the
hidden »id« form field is modified to »1 OR 1=1«. This will in turn delete not only one
vendor, but all vendors in the database. As the database table name is also passed in the
form as the hidden »db« form field, data from any database table which has an »id« key can
be deleted using this method.
Abstract:
Some Windows antivirus software fails to detect, block and/or
disinfect/move/delete malware if the malware EXE file has only
execution permission and no read, write or other permissions.
The worst cases are NOD32 and Avast antivirus, which allow the
malware to run unimpeded. Avast has fixed the flaw while NOD32
is still vulnerable as of this writing.
reg copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /s /f
2) Then use the following 'brute-force' method to delete the "Run" key.
ZoneAlarm 'locks' "ZoneAlarm Client" (zclient.exe), which ultimately controls
& depends on "vsdatant.sys".
NOTE: There is a - prepended to [HKEY]; this is intentional. You need to create
a registry file (.reg) with the following entries and execute.
properly sanitised before being used in an SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
5) Input passed to the "datei" parameter in /engine/inc/
galerie_unlink.php is not properly verified before being used to
delete image files. This can be exploited to delete arbitrary files
via directory traversal attacks.
Successful exploitation of this vulnerability requires administrative
privileges.
Administrator Features:
- (NEW) New administrator skin
- (NEW) New server settings (Edit server settings, server rates, specs etc)
- (NEW) New website settings (Title, Note from the management, Contact Email, Rankings Limit)
- (NEW) Ads Management (Add, Edit & Delete)
- News management (add, edit & delete)
- Download management (add, edit & delete)
- Login
- Add administrator
- Logout (of course)
+--> Multiple SQL Injection Vulnerabilities
nc_top.asp Line 59
strDBNTFUserName = an injection can be made into the function on line 60, i.e. isMbr() >>> test.htm, but !??! this function is very crazy!
--------------------------
user can delete all bookmarks
inc_bookmarks.asp line 179
delSQL = "DELETE FROM "& strTablePrefix & "BOOKMARKS WHERE BOOKMARK_ID = " & delBkmk(ib)
this file use from cp_main.asp
---------------------------
VI - FILE DELETION (+CSRF)
There is a CSRF vulnerability which can lead to file
deletion. Let's see the code of "trackback_delete_cgi.php":
    if ( array_key_exists( 'trackback', $_GET ) ) {
        $ok = delete_trackback( $_GET[ 'trackback' ] );
    }
interpolated in and there is no whitelisting to ensure it is always
'ar' or 'ap.' The line where this occurs is 1941, and it reads JOIN
$form->{db} a ON (a.id = ac.trans_id)
So if the query string includes the url encoded equivalent of &db=ar a
join customer n on ar.id=customer.id; delete from audittrail; select *
from ar a join acc_trans ac on ar.id = ac.trans_id
Then the first part of the query would read:
SELECT a.id, a.invoice, $transdate AS transdate,
a.invnumber, n.name, n.${vc}number, a.netamount,
> =================
>
> The Site Management application of dotDefender is reachable as a web
> application (https:site/dotDefender/)
> on the webserver. After passing the Basic Auth login you can
> create/delete applications.
> The mentioned vulnerability is in the 'deletesite' implementation and
> the 'deletesitename' variable.
> Insufficient input validation allows an attacker to inject arbitrary
> commands.
>
II. DESCRIPTION
Remote exploitation of multiple directory traversal vulnerabilities in
Sun Microsystem's Java System Active Server Pages allows attackers to
obtain the contents of, and delete, sensitive files on the system.
Both vulnerabilities exist within ASP applications included with the
product. When accessed via the administration server, the ASP engine
does not prevent directory traversal using the "../" construct. By
supplying a specially crafted HTTP request to one of the affected ASP
Summary
=======
A vulnerability exists in the Cisco Unified Customer Voice Portal (CVP)
where an authenticated user can create, modify, or delete a superuser
account. Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml.
@chmod("mkportal/blog/images/tmp/$file_name", 0644);
// Validate by MIME type
$tmpfilename = "mkportal/blog/images/tmp/$file_name";
$size = @getimagesize($tmpfilename);
// If getimagesize does not recognize the file as an image, delete the file
if (!$size) {
    @unlink($tmpfilename);
    $message .= "{$mklib->lang['error_filetype']}";
    $mklib->error_page($message);
    exit;
}
Hello,
As a continuation of my advisory about "Sun Java System Communications Express Multiple HTML Injection Vulnerabilities" that can be found here: (http://www.securityfocus.com/bid/34083/info), I would like to introduce another potential security threat in the same product and based on my previous discussion.
This time an attacker can benefit from the HTML injection flaw found in the message subject field to launch a deadly CSRF attack that would delete all the victim's inbox messages permanently and forever. The attack is done via HPP (HTTP Parameter Pollution) in the main queries used by the system.
The URL below would move all the messages with msgid between 0 and 1000000 to the trash:
http[s]://[servername]:[port]/cmd.msc?sid=&mbox=INBOX&cmd=move&argv=0:1000000&argv=Trash&argv=expunge
The URL below would delete all the messages in the trash with msgid between 0 and 1000000:
    $id = $_GET['id']; // <- $_GET['id'] is directly assigned
    $author = $wpdb->get_var("SELECT author_id from $this->t_posts where id = $id"); // id is used without clean up
    ...
    if($del == "ok"){
        $wpdb->query("DELETE FROM $this->t_posts WHERE id = $id"); // <- id is used without clean up
        $this->o .= "<div class='updated'>".__("Post deleted", "wpforum")."</div>";
    }
    else
When you send a POST request to a PHP script with the content-type of
"multipart/form-data" and include a list of files in that request, PHP
will create a temporary file for each file from the request. PHP will
create those files regardless if the script can handle file uploading or
not. After the script was executed, the temporary files will be deleted.
The problem is that you can include a very large number of files in the
request. PHP will need to create those files before the script is
executed and delete them afterwards.
3- [Remote Attacker] can make a new user.
4- [Remote Attacker] can change all user's profiles.
5- [User] can see all the database information by a SQL injection.
6- [User] can change his credit amount or increase his discount.
7- [User] can uninstall other's FrontPage extensions.
8- [User] can delete all of gateway information.
9- [User] can enable or disable pay type.
10- [User] can see all usernames in the server by "fp2000/NEWSRVR.asp".
11- [User] can find Hosting Controller setup directory.
12- [User] can import unwanted plan or change the plans.
13- [Remote Attacker] can find web site path.
http://netopia.com/software/products/tb2/
II. DESCRIPTION
Remote exploitation of a directory traversal vulnerability in Motorola
Inc.'s Timbuktu Pro allows attackers to delete or create files with
SYSTEM privileges.
When handling "Send" requests, Timbuktu does not properly check for
directory traversal specifiers. Therefore, by including a sequence such
as "../../../", an attacker is able to write outside of the intended
=======
Cisco Wireless Control System (WCS) contains a SQL injection
vulnerability that could allow an authenticated attacker full access
to the vulnerable device, including modification of system
configuration; create, modify and delete users; or modify the
configuration of wireless devices managed by WCS.
Cisco has released free software updates that address this
vulnerability.
Normally all of the three topics have to be considered when the server is installed as a remotely accessible (internet) server.
Older versions may be vulnerable under the same condition (installation as a desktop application) but a number of independent solutions are available:
- use configuration template internet.pi3 as basis to setup own internet servers
- delete the ISAPI (and other!) examples manually
- apply one (and only one) of the following configuration changes:
1.) supplement the mapping directive for ISAPI:
Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper From="/isapi/" To="Isapi\"
OVERVIEW:
I would like to draw your attention to a problem that is already known and has surely been exploited for a long time, but clearly seems to be underestimated.
The problem is explained quickly:
- email service providers delete inactive accounts after six or twelve months of inactivity and release the address (nearly every big email provider does it)
- many platforms (webshops, forums, etc...) do NOT delete inactive accounts
This asymmetry in handling inactive accounts has the consequence that thousands of accounts of various online platforms can be hijacked by attackers without any technical difficulties.
The procedure is so simple that it hardly needs to be mentioned:
To obtain the hotfix please email chris@metatrontech.com or download
the latest version of the following file from svn (branches/1.2):
LedgerSMB/CT.pm
In SQL-Ledger (and in LedgerSMB prior to 1.2.0), this injection can be
used to delete an arbitrary set of rows from any table containing an
id field. In LedgerSMB 1.2.x, the vulnerability is more limited.
While arbitrary tables can be selected, one is limited to deleting one
row at a time by the id field. Also in 1.2.0, only the delete
function is believed to be exploitable while the update function might
be as well in past versions.
> a.k.a. c0d3r/c0d3rZ/corelanc0d3r on various forums
#fcms_login_pw=your_real_pass
#
#fcms_login_id=your_real_id+and+1=1
#
#
#(Delete PHPSESSID) Result: True --> Show page
#
#
#fcms_login_user=your_real_name
#
#fcms_login_pass=your_real_pass