Source code
1. Windows platform
2. PHP version must be < 5.3.4 for null-byte attacks to work
Result: remote file disclosure, php remote code execution
Source code snippet from script "index.php":
-----------------[ source code start ]---------------------------------
// Router
if (isset($request->get['route'])) {
$action = new Action($request->get['route']);
-----------------[ source code end ]-----------------------------------
http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes
Result: "MYSQL Error has occurred!"
-----------------------------[source code start]-------------------------------
if ($msg) {
$msg = trim($msg);
$res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver)."");
$user = mysql_fetch_assoc($res);
http://localhost/mkportal.1.2.1/index.php?ind=blog&op=p_gal
They can also upload image files to the server. File uploading can be
dangerous without proper security checks, so let's have a closer look
at the source code of "modules/blog/index.php" around line 2452:
---------------------[source code]---------------------
function upload_imm () {
global $mkportals, $DB, $mklib, $Skin, $_FILES;
Attack vectors: user submitted POST parameters "ID" and "Password"
Preconditions: none
Impact: attacker can take over CruxCMS admin account
The PHP script "manager/passwordreset.php" is directly accessible via the web
without any authorization. Source code snippet:
-----------------[ source code start ]---------------------------------
include ("../includes/injectionprevention.php");
$ID = numericquery($_POST["ID"]) ;
Preconditions:
1. attacker must be logged in as valid user
2. PHP must be < 5.3.4 for null-byte attacks to work
Result: remote file disclosure, php remote code execution
Source code snippet from vulnerable script "like.php":
-----------------[ source code start ]---------------------------------
protected function _unsubscribe()
{
/* Fetch data */
$key = trim( IPSText::base64_decode_urlSafe( $this->request['key'] ) );
NukeSentinel 2.5.12 is the latest update, with multiple security holes patched,
but there are still possibilities to conduct SQL injection attacks and compromise
the underlying website.
Let's look at script "includes/nukesentinel.php" source code:
------------>[source code]<------------
function write_ban($banip, $htip, $blocker_row) {
global $ab_config, $nuke_config, $db, $prefix, $user_prefix,
Preconditions:
1. target victim must be logged in as admin
Result: XSS attack possibilities
Source code snippet from "sysinfo.php":
-----------------[ source code start ]---------------------------------
function &getInfo()
{
..
$this->info['useragent'] = $_SERVER['HTTP_USER_AGENT'];
Reason: missing input data validation
Attack vector: user submitted GET or POST parameter 'folder'
Preconditions: none
Result: attacker can upload any files to remote system
Source code snippet from script "check.php":
-----------------[ source code start ]---------------------------------
if (!empty($_FILES)) {
$tempFile = $_FILES['Filedata']['tmp_name'];
$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
$targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
Reason: failure to sufficiently sanitize user-supplied input data
Attack vector: user submitted GET parameters "h" and "t"
Preconditions: none
Source code snippet from vulnerable script "help.php":
-----------------[ source code start ]---------------------------------
if ($superCage->get->keyExists('base')) {
$base = $superCage->get->getInt('base');
..
if ($superCage->get->keyExists('h')) {
The CoreTex Team from Core Security is happy to announce the *1st Open
Backdoor Hiding & Finding Contest* to be held at DEFCON 0x12 this year!
Hiding a backdoor in open source code that will be subjected to the
scrutiny of security auditors by the hundreds may not be an easy task.
Positively and unequivocally identifying a cleverly hidden backdoor may
be extremely difficult as well.
But doing both things at DEFCON 0x12 could be a lot of fun!
> against various security-related attacks.
>
> Vulnerabilities: Critical Sql Injection in "nukesentinel.php"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Let's look at script "includes/nukesentinel.php" source code:
>
> ------------>[source code]<------------
>
> function is_god($axadmin) {
> global $db, $prefix, $aname;
Vulnerabilities: Sensitive info disclosure in "search.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's look @ "search.php" source code ~line 158:
-------------------------->[source code]<----------------------------
if($dosearch == "yes")
{
...
Vulnerability title: NetSaro Enterprise Messenger Server Administration Console Null Byte Request Source Code Disclosure
CVSS Risk Rating: 5 (Medium)
Product: NetSaro Enterprise Messenger Server
Application Vendor: SEM Software
Vendor URL: http://www.netsaro.com/
Impacted software : Zabbix Server
Zabbix reference : https://support.zabbix.com/browse/ZBX-1030
Patched version : 1.8
Faulty source code : function node_process_command() in
zabbix_server/trapper/nodecommand.c
Changelog entry : fixed security vulnerability in server allowing remote
unauthenticated users to execute scripts
##############################################################################
Apache ActiveMQ Source Code Disclosure Vulnerability
SecPod Technologies (www.secpod.com)
Author Veerendra G.G
###############################################################################
SecPod ID: 1002
04/18/2010 Issue Discovered
04/20/2010 Vendor Notified
04/21/2010 Fix Available
12/01/2011 -> Vendor reply
12/01/2011 -> Adv. sent to vendor
12/05/2011 -> Vendor reply
12/05/2011 -> Video sent to vendor
12/06/2011 -> Vendor reply
12/07/2011 -> Published
[Bug Summary]
- Asp source code disclosure
[Impact]
- High
[Affected Version]
- Version:5.10.014
[Bug Description and Proof of Concept]
------------------------------------------------------------
Fragment of vulnerable source code:
------------------------------------------------------------
$patterns[0] = '/\.gif/';
$patterns[1] = '/\.png/';
...
$replacements[1] = '';
Impact: low
Preconditions: attacker must have an admin account with "Human Verification Manager"
administer privileges
[---------- source code snippet start ----------]
if ($_POST['do'] == 'updateanswer')
{
$vbulletin->input->clean_array_gpc('p', array(
'answer' => TYPE_STR,
));
========================================================================
== Overview ==
CodeScan Labs (www.codescan.com) has recently released a new source
code scanning tool, CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing
execution paths and tracking the flow of user supplied input.
During the ongoing testing of CodeScan ASP, Xoops was selected as one of
against various security-related attacks.
Vulnerabilities: Critical Sql Injection in "nukesentinel.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's look at script "includes/nukesentinel.php" source code:
------------>[source code]<------------
function is_god($axadmin) {
global $db, $prefix, $aname;
== Overview ==
CodeScan Labs (http://www.codescan.com) has recently released a new source
code scanning tool, CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing
execution paths and tracking the flow of user supplied input.
During the ongoing testing of CodeScan ASP, VP-ASP was selected as one of
4. Simulate Denial-of-Service attacks, validating the Firewall rules and
Intrusion Detection System/Intrusion Prevention System policies.
Further information can be found @ http://fnstenv.blogspot.com (demo video
and source code).
PS: Yes, there are some "anti-kiddo" tricks, so, please, don't blame me for
doing that...
The new version of the "T50 Sukhoi PAK FA Mixed Packet Injector" (v5.2-NG)
Preconditions:
1. "ja_purity" template must be in use
Result: XSS attack possibilities
Source code snippet from "templates/ja_purity/html/modules.php":
-----------------[ source code start ]---------------------------------
function modChrome_jarounded($module, &$params, &$attribs)
{
?>
<div class="jamod module<?php echo $params->get('moduleclass_sfx'); ?>" id="Mod<?php echo $module->id; ?>">
Remarks:
1. authentication is not needed
2. POST parameters or cookies can be used as attack vector
3. Vulnerable are all Vivvo CMS versions >= 4.1.0
-----------------------------[source code start]-------------------------------
if (isset($_REQUEST["file"])) {
$filename = str_replace('..', '', $_REQUEST["file"]);
$filename = str_replace('logs/', '', $filename);
$file = VIVVO_FS_ROOT . 'files/' . $filename;
if (file_exists($file) && !is_link($file) && !is_dir($file)){
Vendor's Website:
http://bassistance.de/jquery-plugins/jquery-plugin-validation/
CodeScan Labs (www.codescan.com) has recently released a new source code
scanning tool, CodeScan. CodeScan is an advanced auditing tool designed to
check web application source code for security vulnerabilities. CodeScan
utilises an intelligent source code parsing engine, traversing execution
paths and tracking the flow
In order to develop test tools and the final exploit we used the wonderful
information and tools released at the VM Back project [7] by Ken Kato and
other contributors. Using the project's VMFtp tool with a few
modifications, it is trivial to produce a working exploit. Our approach for
a proof-of-concept test was to modify VMFtp's source code to replace all
occurrences of ''+'' with ''\xc2'' in an input pathname.
After doing the above, the following command on a modified VMFtp client
lists the contents of the root directory of the Host's file system and then
uploads a file from the Guest system to the root directory of the Host system.
Vulnerabilities: Local File Inclusion in "index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's take a peek at source code of "index.php":
------------>[source code]<------------
include("header.php");
...
Vulnerabilities: Sql Injection in "search.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's analyze "search.php" source code:
------------>[source code]<------------
if(isset($_GET['search']))
$search = stripslashes($search);
#
# AmnPardaz Security Research Team
#
# Title: MODx CMS Vulnerabilities
# Vendor: http://modxcms.com
# Bugs: Source code disclosure, local file inclusion
# Vulnerable Version: 0.9.6.1 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix Available: No!
################################################################
SOURCE CODE:
http://oss.coresecurity.com/pshtoolkit/release/1.3/pshtoolkit_v1.3-src.tgz
BINARIES:
http://oss.coresecurity.com/pshtoolkit/release/1.3/pshtoolkit_v1.3.tgz
DOCUMENTATION:
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://oss.coresecurity.com/pshtoolkit/doc/index.html