+-->Database Information Disclosure
POC: http://[URL]/chicomas/config.inc
+-->The Latest generated Database backups
POC: http://[URL]/chicomas/backup
+-->Cross Site Scripting (XSS). Reflected XSS attack in "index.php" in
I. Overview
Current firmware version is R1.94p0vTIG (*the latest).
WBR3404TX Broadband Router Web Management
II. Description
http://[routeraddress]/cgi-bin/ddns?RC=%40&DG0=x&DP=D&DD=%22%3E%3Cscript%3Ealert('xss%20detected!');%3C/script%3E%3Ctext%20id=%22&DU=&DW=
http://[routeraddress]/cgi-bin/ddns?RC=%40&DG0=x&DP=D&DD=&DU=%22%3E%3Cscript%3Ealert('xss%20detected!');%3C/script%3E%3Ctext%20id=%22&DW=
Open to XSS attacks via the web management panel.
# due to some complaints by some kids that were having serious
# problems in using winzip, this time I tried with winrar :-)
#
#
#update:
#the latest 5.5 seems patched.
#the winamp version 5.32 reflects the date when I last updated
#this code, 'cause I exploited this one more than a year ago.
#I see that marsu exploited the same bug about six months ago,
#when I did the big mistake to show this one to some "friends"..
#I'm sure that marsu can even give the details on how this bug works :-)
However, the number of characters allowed in Real name is limited, so it's unlikely too much damage could be done.
If XSS is allowed, it could allow for Session Hijacking.
I found this bug using version 6.1 of NSSboard (the latest as of this writing), and it's likely that all earlier versions are also affected, but I didn't test them. I am using Debian Linux and lighttpd to host it.
The fix would be to make sure HTML tags are filtered regardless of BBcode being enabled, and to filter user profile input data.
If you are using this software, I would recommend having BBcode enabled even if you don't need it.
Hi,
Bogdan Calin schrieb am Mon, 25 Jan 2010 12:58:50 +0200:
>The latest version of e107, version 0.7.17 contains a PHP backdoor.
>http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip
The start page of e107.org, <http://e107.org/news.php>,
contains suspect, probable malicious JavaScript-Code at the
top, followed by many links in the format
How can I know the value of wp_salt()?
--------------------------------------
I am thinking of two ways to get the value of the wp_salt():
1.- Gain access to the WP database by using a SQL injection (such as the
GBK encoding and addslashes() issue) on the WordPress core itself or on
a third party plugin (the latter is more likely to be possible). I didn't
find any user-level SQL injection on the WP core.
2.- Register yourself on a WP 2.5 blog, log in and grab the cookie named
wordpress_MD5(SITE_URL), try to crack the value of the wp_salt() with an
offline attack using a specialized program.
site.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Shockwave
Player version 11.5.8.612 and version 11.5.9.615 (the latest version at
the time of testing). A full list of vulnerable Adobe products can be
found in Adobe Security Bulletin APSB11-01.
V. WORKAROUND
2010/1/26 Carsten Eilers <ceilers-lists@gmx.de>:
> Hi,
>
> Bogdan Calin schrieb am Mon, 25 Jan 2010 12:58:50 +0200:
>
>>The latest version of e107, version 0.7.17 contains a PHP backdoor.
>>http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip
>
> The start page of e107.org, <http://e107.org/news.php>,
> contains suspect, probable malicious JavaScript-Code at the
> top, followed by many links in the format