Full path
I want to warn you about security vulnerabilities in WordPress which I
published on 30.07.2010 during my Day of bugs in WordPress 2 project.
------------------------------
Advisory: Day of bugs in WordPress 2: Information Leakage and Full path
disclosure vulnerabilities in WordPress
------------------------------
URL: http://websecurity.com.ua/4419/
------------------------------
<?php
// Walks $path (assumed already set) and looks for world-writable directories
$handle = opendir($path);
$i = 0;
while (false !== ($file = readdir($handle)))
{
    $full_path = "$path/$file";
    // last four octal digits of the mode, e.g. "0777"
    $perms = substr(sprintf('%o', fileperms($full_path)), -4);
    if ((is_dir($full_path)) && ($perms == '0777'))
    {
        if (!file_exists('.*')) {
            // remainder of the loop body is not on the page
        }
    }
}
published on 30.07.2010 during my Day of bugs in WordPress 2 project. This
is the second advisory for this project.
------------------------------
Advisory: Day of bugs in WordPress 2: CSRF, Information Leakage and Full
path disclosure vulnerabilities in WordPress
------------------------------
URL: http://websecurity.com.ua/4420/
------------------------------
These are Cross-Site Request Forgery vulnerabilities which I found at
Hello Bugtraq!
I want to warn you about Cross-Site Scripting, Full path disclosure,
Information Leakage, Directory Traversal, Arbitrary File Deletion and Denial
of Service vulnerabilities in WordPress.
For all these attacks it's necessary to have access to an admin account, or to
an account with rights to work with plugins, or to attack the admin or
another user with the required rights via XSS, to find out the token which is
designed to protect against CSRF attacks.
Dork: intext:"Free Ecommerce Shopping Cart Software by ViArt" +"Your shopping cart is empty!" + "Products Search" +"Advanced Search" + "All Categories"
===============================================================
Risk 1 - Full Path Disclosure: Low
Attackers can use this vulnerability to leverage another attack
after the full path has been disclosed.
===============================================================
25.04.2010 - informed developers.
10.06.2010 - disclosed at my site.
-----------------------------
Details:
These are Information Leakage and Full path disclosure vulnerabilities.
Information Leakage and Full path disclosure:
http://site/wp-content/uploads/my-md5.txt
INSTALLATION
------------
1. Copy shellexecutefiasco.dll anywhere; %windir%\system32 will do.
2. Run the command:
A. "regsvr32 <full path to shellexecutefiasco.dll>" or "regsvr32 /n
/i:s <full path to shellexecutefiasco.dll>" to install for all
users
B. "regsvr32 /n /i:u <full path to shellexecutefiasco.dll>" to
install for the current user only.
3. A message box will report whether the installation was successful.
Changing the URL of a linkto URL results in end-user denial of
service conditions if ASCII characters are injected.
===============================================================
Risk 2 - Full Path Disclosure: Medium
Attackers can use this vulnerability to leverage another attack
after the full path has been disclosed.
===============================================================
26.04.2010 - found vulnerabilities.
30.04.2010 - announced at my site.
01.05.2010 - informed developer.
07.05.2010 - developer released WP-UserOnline 2.70. In version 2.70 the
developer fixed the XSS, but not the Full path disclosure vulnerabilities.
01.07.2010 - disclosed at my site.
-----------------------------
Details:
These are Cross-Site Scripting and Full path disclosure vulnerabilities.
Miniweb 2.0 Full Path Disclosure
Name: Miniweb 2.0
Vendor: http://www.miniweb2.com
Author: Salvatore Fresta aka Drosophila
Website: http://www.salvatorefresta.net
Contact: salvatorefresta [at] gmail [dot] com
Date: 2009-12-12
[Advisory] PBBoard <= 2.0.2 - Full Path Disclosure
Details
=======
Product: PBBoard <= 2.0.2
Security-Risk: moderate
Remote-Exploit: yes
Vendor-URL: http://www.pbboard.com
Credits
============
======================================================================
Advisory : WoltLab(R) Community Framework XSS and Full Path Disclosure
Vulnerability
Release Date :
Application : WoltLab(R) Community Framework
Version : WCF 1.0.6 and lower
Platform : PHP
Vendor URL : http://community.woltlab.com/
Authors : Jessica Hope ( jessicasaulhope@googlemail.com )
I continue informing you about multiple vulnerabilities in XAMPP.
-----------------------------
Advisory #7
-----------------------------
CSRF, SQL Injection and Full path disclosure vulnerabilities in XAMPP
-----------------------------
URL: http://websecurity.com.ua/3285/
-----------------------------
Timeline:
16.08.2009 - found vulnerabilities.
04.03.2010 - announced at my site. After making the announcement of these
vulnerabilities, I found that this SQLi vulnerability had already been found
in 2008 by boom3rang (before I found it in 2009), who disclosed an exploit for
it at milw0rm.com (http://www.milw0rm.com/exploits/6792). So boom3rang first
found the SQLi, and I first found the Full path disclosure in this plugin.
09.03.2010 - informed developer (and at the developer's site I found that he
no longer supports this plugin, after his Joomla site was hacked).
21.05.2010 - disclosed at my site.
-----------------------------
Details:
<<< CROSS SITE SCRIPTING THROUGH ECHO >>>
XSS in [form.php], folder [demo].
(Full Path:
// credentials are taken straight from the request and compared with a hard-coded demo password
$user = $_REQUEST['user'];
$pw = $_REQUEST['password'];
if($user && $pw && $pw == "foobar")
#################################################
Drupal 7.14 <= Full Path Disclosure Vulnerability
#################################################
Discovered by: Jean Pascal Pereira <pereira@secbiz.de>
About Drupal:
"Drupal is an open source content management platform powering millions of websites and
applications. It's built, used, and supported by an active and diverse community of people
Examples:
elseif/utilisateurs/vousetesbannis.php?repertimage="><script>alert(document.cookie);</script><"
elseif/utilisateurs/votesresultats.php?elseifvotetxtresultatduvote=<script>alert(document.cookie);</script>
elseif/moduleajouter/depot/adminforum.php?elseifforumtxtmenugeneraleduforum=<script>alert(document.cookie);</script>
Full Path
elseif/utilisateurs/votesresultats.php
Upload Exploits:
#!/usr/bin/php -q -d short_open_tag=on
<?
1. News Pages must be activated (inactive by default)
2. At least one news item must exist
3. MySQL FILE privilege needed (rare in real-world attack scenarios)
4. PHP setting magic_quotes_gpc=off needed (usually it's "On")
5. Attacker must have news editing privileges
6. The full path of a directory writable by the MySQL UID/user must be known
Impact: limited SQL Injection - if all conditions above are met, it may be
possible to write files to the remote system where the MySQL daemon/service is installed
Source code snippet from "includes/classes/news.inc.php":
-----------------[ source code start ]---------------------------------
As described in the document CTX106052
(http://support.citrix.com/kb/entry.jspa?entryID=6032), Citrix created a
hotfix for MetaFrame Presentation Server 3.0 and a workaround for MetaFrame
XP, because Windows 2003 SP1 no longer allows startup via the RUN registry
key without a full path.
However, this patch from Citrix does not quote the full binary path stored
in the RUN registry key, so an attacker can abuse the old 8.3 notation in the
binary search and consequently escalate privileges in some circumstances.
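The failure mode above is the unquoted-path pattern: when a Run key holds C:\Program Files\...\x.exe without quotes, CreateProcess tries each space-delimited prefix as the program before the real binary, so a planted C:\Program.exe runs with the privileges of whatever account processes that key. The following Python is an added illustration, not Citrix code and not taken from the advisory: it enumerates the documented CreateProcess search order for an unquoted command line, reports the files an attacker could plant, and shows the quoting fix. The Run-key values are constructed, and the 8.3-name detail of the original hotfix is not modelled, only the prefix search.

```python
import ntpath

# Extensions CreateProcess treats as the end of the program name; what follows is arguments.
EXE_EXTS = (".exe", ".com", ".bat", ".cmd")


def createprocess_candidates(command_line):
    """Files Windows tries, in order, when CreateProcess gets an unquoted command line.

    Documented behaviour for a command line with no lpApplicationName: the string is
    split at each space and each prefix is tried as the program (".exe" appended when
    the prefix has no extension). "C:\\Program Files\\Sub Dir\\prog.exe" is therefore
    resolved as C:\\Program.exe, then C:\\Program Files\\Sub.exe, then the real binary.
    A quoted program path yields a single candidate and is not affected.
    """
    cl = command_line.strip()
    if cl.startswith('"'):
        close = cl.find('"', 1)
        return [cl[1:close]] if close > 0 else [cl[1:]]
    tokens = cl.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
        if prefix.lower().endswith(EXE_EXTS):
            break  # reached the intended binary; remaining tokens are its arguments
    return candidates


def audit_run_values(run_values):
    """run_values: {value name: command} as read from a Run key.

    Returns (name, planted_path, directory) for each file an attacker could create to
    be executed instead of the real binary; the intended binary itself is not reported.
    """
    findings = []
    for name, cmd in run_values.items():
        for cand in createprocess_candidates(cmd)[:-1]:
            findings.append((name, cand, ntpath.dirname(cand)))
    return findings


def quote_command(command_line):
    """Remediation: wrap the executable portion in double quotes, leaving arguments alone."""
    cl = command_line.strip()
    if cl.startswith('"'):
        return cl
    tokens = cl.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXTS):
            exe, rest = " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:])
            return '"%s"%s' % (exe, " " + rest if rest else "")
    return '"%s"' % cl


# Constructed Run-key contents for illustration (not taken from any Citrix product).
SAMPLE_RUN_VALUES = {
    "Agent": "C:\\Program Files\\Example Vendor\\Tools\\agent.exe",
    "Updater": "C:\\Program Files\\Some Vendor\\update.exe /silent",
    "Safe": '"C:\\Program Files\\Vendor\\tool.exe" /tray',
}

if __name__ == "__main__":
    for name, planted, directory in audit_run_values(SAMPLE_RUN_VALUES):
        print("%s: a file at %s runs first (needs write access to %s)" % (name, planted, directory))
    for name, cmd in SAMPLE_RUN_VALUES.items():
        print("fixed %s = %s" % (name, quote_command(cmd)))
```

On a live host the dictionary would be filled from the Run keys under HKLM and HKCU; the exposure only matters where an unprivileged user can write to one of the reported directories, which is why C:\ and C:\Program Files are the ones to check first.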
I conducted the project Day of bugs in WordPress
(http://websecurity.com.ua/1685/) on 30.12.2007 and had long ago planned to
conduct a new project, but only now found the time. In that project I
disclosed 81 vulnerabilities - these are Arbitrary file edit
(http://websecurity.com.ua/1686/), Local File Include, Directory Traversal
and Full path disclosure (http://websecurity.com.ua/1687/) vulnerabilities.
Among them there are 49 Full path disclosure, 1 Arbitrary file edit and 31
Local File Include and Directory Traversal (CVE-2008-0195, CVE-2008-0196).
If I had decided to make not a "day of bugs" but a "month of bugs" (publishing
one hole at a time), then these vulnerabilities would have been enough for
almost three projects :-).
framework and at his site.
06.08.2010 - disclosed at my site.
-----------------------------
Details:
These are Cross-Site Scripting and Full path disclosure vulnerabilities.
XSS:
http://site/admin.php?-table=pages&-search=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&-action=search_index
Hello Bugtraq!
I want to warn you about Cross-Site Scripting, Insufficient Anti-automation
and Full path disclosure vulnerabilities in the Register Plus Redux plugin for
WordPress. Register Plus Redux is a fork of the Register Plus plugin.
-------------------------
Affected products:
-------------------------
Hello Bugtraq!
I want to warn you about Cross-Site Scripting, Insufficient Anti-automation
and Full path disclosure vulnerabilities in the Register Plus plugin for
WordPress.
-------------------------
Affected products:
-------------------------
23.04.2010 - informed developers.
04.06.2010 - disclosed at my site.
-----------------------------
Details:
These are Cross-Site Scripting and Full path disclosure vulnerabilities.
XSS:
http://site/?%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E
Information Disclosure 1 (up to 5.2.1)
--------------------------
Disclosure of the full path of the application sources when a negative
number is put in the 'start' parameter.
POC: /index.php?a=search&q=psstt&start=-4
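The negative 'start' value above, like the other full path disclosure entries on this page (array-valued parameters, failing includes, the wp-config import path), works because PHP prints the absolute script path in its warnings whenever display_errors is on. As an added example that is not part of any advisory quoted here, the following Python generates the usual probe variants for a URL and extracts leaked paths from the responses. The target URL, the fake_fetch stand-in and the sample warning bodies are constructed for illustration; in use, fetch would be a real HTTP GET.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# PHP's default error format (display_errors=On, html_errors=On) is
#   <b>Warning</b>:  message in <b>/abs/path/script.php</b> on line <b>N</b>
# Strip tags first, then pull the absolute path out of the "in ... on line" clause.
TAG_RE = re.compile(r"<[^>]+>")
PHP_ERROR_RE = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated):\s*"
    r"(?P<msg>.*?)\s+in\s+(?P<path>(?:/|[A-Za-z]:\\)\S+?)\s+on line\s+(?P<line>\d+)",
    re.DOTALL,
)


def extract_php_paths(body):
    """Return every absolute path a PHP error in this response body leaks."""
    text = TAG_RE.sub("", body)
    return [
        {"level": m["level"], "path": m["path"], "line": int(m["line"]),
         "message": m["msg"].strip()}
        for m in PHP_ERROR_RE.finditer(text)
    ]


def fpd_probes(url):
    """Mutate each query parameter the ways that most often make PHP emit a warning:
    an array where a string is expected (name[]=), a negative number, and a NUL byte."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    probes = []
    for i, (name, value) in enumerate(params):
        for mutated in ((name + "[]", value), (name, "-1"), (name, value + "\x00")):
            new_params = params[:i] + [mutated] + params[i + 1:]
            probes.append(urlunsplit(parts._replace(query=urlencode(new_params))))
    return probes


def scan(url, fetch):
    """Run every probe through fetch(url) -> body; return leaked paths with the URL that triggered them."""
    findings = []
    for probe in fpd_probes(url):
        for f in extract_php_paths(fetch(probe)):
            findings.append(dict(f, url=probe))
    return findings


def unique_paths(findings):
    return sorted({f["path"] for f in findings})


# --- constructed sample data; no real site was probed ---
SAMPLE_WARNING = (
    "<br />\n<b>Warning</b>:  mysql_fetch_assoc(): supplied argument is not a valid "
    "MySQL result resource in <b>/var/www/html/includes/search.php</b> on line <b>42</b><br />\n"
)
WINDOWS_WARNING = (
    "<b>Warning</b>: mysql_connect() [function.mysql-connect]: Access denied for user "
    "'root'@'localhost' in <b>C:\\xampp\\htdocs\\demo\\form.php</b> on line <b>12</b>"
)


def fake_fetch(url):
    """Stand-in for an HTTP GET: an app that only breaks when 'start' is negative or an array."""
    q = dict(parse_qsl(urlsplit(url).query))
    if "start[]" in q or q.get("start", "0").startswith("-"):
        return "<html><body>" + SAMPLE_WARNING + "</body></html>"
    return "<html><body>no results</body></html>"


if __name__ == "__main__":
    for f in scan("http://site/index.php?a=search&q=psstt&start=0", fake_fetch):
        print(f["url"], "->", f["path"], "line", f["line"])
```

The leaked path is what turns the low-severity findings elsewhere on this page into usable ones: a directory traversal or local file include needs it to reach a specific file, and a MySQL INTO OUTFILE write needs the exact directory. On the server side the fix is display_errors=Off with log_errors=On in php.ini, so the warning reaches the log and not the client.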
[MajorSecurity Advisory #59]PHP <=5.3 - mysqli_real_escape_string() full
path disclosure
Details
=======
Product: PHP <=5.3
Security-Risk: low
Remote-Exploit: yes
Vendor-URL: http://www.php.net/
Vendor-Status: informed
Afian is an application that can add, in just minutes, powerful document management capabilities to any Web server. It provides an Web-based interface for documents residing on the Web server's file system.
This software has a security hole that allows attackers to download any file if they know the path.
Vendor: afian.com
Vulnerabilities: Bypass + Fullpath Disclosure + Local File Inclusion.
Version: Unknown (maybe 2.x.x)
Demo: http://demo.afian.com
Exploit:
Google Dork: Afian document manager
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=%3Cscript%3Ealert(document.cookie)%3C/script%3E
Original article (in Russian): http://securityvulns.ru/Sdocument755.html
Additional details (in Ukrainian): http://websecurity.com.ua/1676/
2.4 Local file include, Directory traversal and Full path disclosure
(WordPress <= 2.0.11 and potentially 2.1.x, 2.2.x, 2.3.x)
Full path disclosure:
http://site/wp-admin/admin.php?import=\..\..\wp-config
- Severity: 5/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities
II. BACKGROUND
-------------------------
Joomla! is an award-winning content management system (CMS), which
enables you to build Web sites and powerful online applications. Many