PacketTrap Networks pt360 2.0.39 TFTPD Remote DoS Exploit

# Location              :  Indonesia | http://newhack.org
# Description           :
# 
# Bug in file "user.php" in directory "/content"
#---//---
# 59. if (!$nama || preg_match("/[^a-zA-Z0-9_-]/", $nama)) $error .= "Karakter Username tidak diizinkan kecuali a-z,A-Z,0-9,-, dan _<br />";
# 60. if (strlen($nama) > 10) $error .= "Username Terlalu Panjang Maksimal 10 Karakter<br />";
# 61. if (strrpos($nama, " ") > 0) $error .= "Username Tidak Boleh Menggunakan Spasi";
# 62. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT user FROM useraura WHERE user='$nama'")) > 0) $error .= "Error: Username ".$nama." sudah terdaftar , silahkan ulangi.<br />";
# 63. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT user FROM temp_useraura WHERE user='$nama'")) > 0) $error .= "Error: Username ".$nama." sudah terdaftar , silahkan ulangi.<br />";
# 64. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT email FROM useraura WHERE email='$email'")) > 0) $error .= "Error: Email ".$email." sudah terdaftar , silahkan ulangi.<br />";

Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

I cannot reproduce what you have tested. Whenever I enter
the following URL (hz is my test host):

http://hz/isapi/users.txt

I get the HTTP error 500 and a normal error page
as the response:

"500 Internal server error

The server encountered an internal error while processing this request."

[ADVISORY] NetCache URL DoS - Argentinian ISP

The procedure is very simple: sending a simple GET HTTP/1.1 request to
the victim URL several times will make the proxies stop serving it.
Users will wait for about two minutes and then the TCP connection will
be closed, which, depending on the user agent, will be interpreted
either as a valid zero-length HTTP 0.9 reply or as an error.

It is worth noting that this attack affects the URL EXACTLY. For
instance, attacking http://www.google.com/ will not block
http://www.google.com./ (notice the dot before the last slash), nor
http://www.google.com/whatever. However, it is clear enough

[waraxe-2008-SA#062] - Multiple Sql Injections in MyBB 1.2.10

-------------------------------------------------------------------------------
// Lets merge those selected posts!
case "do_mergeposts":
if(is_moderator($fid, "canmanagethreads") != "yes")
{
        error_no_permission();
}
$plugins->run_hooks("moderation_do_mergeposts");
$mergepost = $mybb->input['mergepost'];
if(count($mergepost) <= 1)
{

TSSA-2011-01 xpdf : multiple vulnerabilities allow remote code execution

    In the following case, register ecx is user controlled and allows
    direct modification of the control flow:

    gdb $ r ./testz.2184122398.pdf
    Error (817488): Dictionary key must be a name object
    Error (817492): Dictionary key must be a name object
    Error (37300): Unknown operator 'lc'
    Error (37385): Unknown operator 'lh'
    Error (37504): Too few (5) args to 'c' operator
    Error (37514): Too few (5) args to 'c' operator

CORE-2009-1027: IBM SolidDB invalid error code vulnerability

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

       IBM SolidDB invalid error code vulnerability



1. *Advisory Information*


Hacktics Advisory Feb09: XSS in Oracle E-Business Suite

===========
I. Overview
===========
During a penetration test performed by Hacktics' experts, certain
vulnerabilities were identified in an Oracle E-Business Suite deployment.
Further research identified that a web interface showing user errors is
vulnerable to reflected cross-site scripting attacks.

A friendly formatted version of this advisory is available in:
   http://www.hacktics.com/content/advisories/AdvORA20100209.html


CORE-2009-0814: HP Openview NNM 7.53 Invalid DB Error Code vulnerability

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

  HP Openview NNM 7.53 Invalid DB Error Code vulnerability



1. *Advisory Information*


Securify bulletin: Microsoft Active Directory Denial-of-service

  After receiving the LDAP request, the AD server returns a partial list
of the requested data to the client.  After an additional minute or so,
Windows initiates a controlled restart with a 60-second countdown
timer.  The shutdown dialog box displays status code -1073741819.

  After restarting, errors similar to the following are found in the
application event log:
  
    Type: Error
    Source: Application Error
    Category: (100)

Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA

vulnerabilities:

  * Erroneous SIP Processing Vulnerabilities
  * IPSec Client Authentication Processing Vulnerability
  * SSL VPN Memory Leak Vulnerability
  * URI Processing Error Vulnerability in SSL VPNs
  * Potential Information Disclosure in Clientless VPNs

Note:  These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these

Multiple Vulnerabilities in OpenClassifieds 1.7.0.3

$ocdb->insert(TABLE_PREFIX."posts (idCategory,type,title,description,price,idLocation,place,name,email,phone,password,ip,hasImages)","".
                                                                                                cP("category").",".cP("type").",'$title','$desc',$price,$location,'".cP("place")."','".cP("name")."','$email','".cP("phone")."','$post_password','$client_ip',$hasImages");
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
*/
set_time_limit(0);
error_reporting(0);

function main(){
        if($_REQUEST['target'] && $_REQUEST['xss']){
                if(xssFrontPage($_REQUEST['target'],$_REQUEST['xss'])){
                        print("<b>Persistent XSS attack was successful.</b>");

[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09

Test:

http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes

Result: "MYSQL Error has occurred!"

-----------------------------[source code start]-------------------------------
if ($msg) {
  $msg = trim($msg);


Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

> centre application. This flag switches the help centre into a restricted mode,
> which will only permit a whitelisted set of help documents and parameters.
>
> This design, introduced in SP2, is reasonably sound. A whitelist of trusted
> documents is a safe way of allowing interaction with the documentation from
> less-trusted sources. Unfortunately, an implementation error in the whitelist
> allows it to be evaded.
>
> URLs are normalised and unescaped prior to validation using
> MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
> escape sequences into their original characters, the relevant code from

Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

centre application. This flag switches the help centre into a restricted mode,
which will only permit a whitelisted set of help documents and parameters.

This design, introduced in SP2, is reasonably sound. A whitelist of trusted
documents is a safe way of allowing interaction with the documentation from
less-trusted sources. Unfortunately, an implementation error in the whitelist
allows it to be evaded.

URLs are normalised and unescaped prior to validation using
MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
escape sequences into their original characters, the relevant code from

Secunia Research: Novell iPrint Client ActiveX Control Multiple Buffer Overflows

Secunia Research has discovered multiple vulnerabilities in Novell
iPrint Client, which can be exploited by malicious people to 
compromise a user's system.

1) A boundary error in the Novell iPrint ActiveX control (ienipp.ocx)
when handling the "GetDriverFile()" method can be exploited to cause a
stack-based buffer overflow by passing an overly long string as the 
third argument.

2) Two boundary errors in the Novell iPrint ActiveX control 

release uhooker v1.3

        file/function handling the breakpoint. This adds to the feature
        present since the first version of uhooker that allows runtime rewriting
        of the handler's code).


-Errors in the code of the handlers (written in python) are now
correctly handled.
                
                -Previously, if you had an error in the code you wrote to handle a
                certain breakpoint, this caused the 'uhooker's python server' to
                'crash', and you needed to restart your debugging session all over

BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

    algo = ipcomp_algorithm_lookup(cpi);

    /* ... */

    error = (*algo->decompress)(m, m->m_next, &newlen);

    /* ... */

    if (nxt != IPPROTO_DONE) {
        if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&

openEngine 2.0 'id' Blind SQL Injection vulnerability

User: easy
Password: easy (Hash: *E8F5FAE73EBB89AE362C59646600DDCD35EAD7E0)

Blind SQL Injection

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=1 AND ('a'='a&key= <- error
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=0 AND ('a'='a&key= <- no error

User-Guessing

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101 AND ('a'='a  <- error (e)

Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3

    This can be triggered remotely any time MapServer is hosted on
a web server that does not sanitize the "CONTENT_LENGTH" field into a
non-negative value before passing it on to the CGI layer.  Apache v2.x
is known to perform this sanitization (it rejects the request before
executing the "mapserv" CGI binary with HTTP error 413: "Request Entity
Too Large", presumably because it interprets the "Content-Length" header
as an unsigned value), and thus protects MapServer from being exploited
in this way.  Because a comprehensive survey of web server software is
beyond the scope of this report, it is not known what web servers will
expose this vulnerability to a remote attacker.

Malformed DHCPv6 packets cause RPC to become unresponsive

Failing RPC calls might interfere with e.g. 
-       network connectivity (no IP address acquired, no IP address release/renew, …)
-       applications utilizing COM/DCOM interfaces
-       machine’s sound system

The error has been found to occur on reception of DHCPv6 Reply (message type 7) 
packets, containing the option “Domain Search List” (option type 24) with an empty domain.



Affected Systems 

Cisco ACE XML Gateway <= 6.0 Internal IP disclosure

Product URL:    http://www.cisco.com/en/US/products/ps7314/
Author:         nitrus  [ Alejandro Hernandez H. ]
Discovery Date: 24/Aug/2009
Attack Vector:  Remote
CVSS v2 Base Score: 5 (Medium) [ AV:N/AC:L/Au:N/C:P/I:N/A:N ]
Class:          I think it's a design problem in the error messages' handling



Product Information
=======================================

Re: Sun M-class hardware denial of service

> hardware which does not provide the isolation they promised in their
> white papers and documentation.

Quoting from <http://www.sun.com/servers/sparcenterprise/SPARCEnt-ResMan-Final.pdf>:

| Fault isolation and error management
| 
| Domains are protected against software or hardware failures in other
| domains. Failures in hardware shared between domains cause failures only
| in the domains that share the hardware. When a domain encounters a fatal
| error, a domainstop operation occurs that cleanly and quickly shuts down

CVE-2010-2020: FreeBSD kernel NFS client local vulnerabilities

its size (args.fhsize) are completely user-controllable. The unbounded copy
operation is in file src/sys/nfsclient/nfs_vfsops.c (the excerpts are from
8.0-RELEASE):

    if (!has_fh_opt) {
        error = copyin((caddr_t)args.fh, (caddr_t)nfh,
            args.fhsize);
        if (error) {
            goto out;
        }


PHP filesystem attack vectors

This is also part of the vector discovered by barbarianbob, while he
uses it for different purposes from what I initially thought.

But with vanilla PHP (the official source tree) it will not work and
you'll get an error complaining about the fact that the target is not
a directory. Why? Because barbarianbob, everybody who ran it successfully,
and I in my initial disclosure [4] were using a patched PHP (for example
Suhosin, both loaded as .so or "built-in", Ubuntu PHP, which is patched
with Suhosin, etc.).


Secunia Research: HP OpenView Network Node Manager Multiple Vulnerabilities

Secunia Research has discovered vulnerabilities in HP OpenView Network
Node Manager, which can be exploited by malicious people to compromise
a vulnerable system.

1) Various boundary errors in the OpenView5.exe CGI application when
processing parameters can be exploited to cause stack-based buffer 
overflows via HTTP requests to the CGI application with overly long 
parameter strings.

2) A boundary error in ov.dll can be exploited to cause a stack-based

CORE-2008-1211: Amaya web editor XML and HTML parser vulnerabilities

Multiple stack buffer overflow vulnerabilities have been discovered in
Amaya web editor/browser [1], which can be exploited by unauthorized
people using crafted web pages to compromise a user's system.

A boundary error when processing 'input' HTML tags can be exploited to
cause a stack-based buffer overflow via an overly long 'type' parameter
(Bugtraq ID 33046). Code analysis of the Amaya XHTML parser reveals
multiple unchecked buffers declared on the stack, one of which is used
in the function 'EndOfXmlAttributeValue()':


Outpost Security Suite Pro ver. 2009 Multiple vulnerabilities

continue to be running malicious file without restrictions. 

In the latter case, exceptions vary depending on the type of characters used;
for example, here there are two different results.

Aplicación con errores: acs.exe, versión: 6.5.2358.9115, módulo con error: ntdll.dll, versión 5.1.2600.2180, dirección de error 0x000111de.
Aplicación con errores: acs.exe, versión: 6.5.2358.9115, módulo con error: kernel32.dll, versión 5.1.2600.3119, dirección de error 0x0000bd85.
Aplicación con errores: acs.exe, versión: 6.5.2358.9115, módulo con error: firewall.ofp, versión 6.5.2358.9115, dirección de error 0x000350b3.

------------------------------------------------------
POC/EXPLOIT

Collection of Vulnerabilities in Fully Patched Vim 7.1

3.4.2.4.2. Exploit

Our exploit is not feature-full -- we can open the file and see the contents
listing, but an attempt to open a member, etc., will fail with an error.
Completing the exploit would be just a matter of adapting from our ``tar.vim''
exploit.

        $ cd zipplugin
        $ make -s clean sploit

xss in w3-msql error page

A reflected xss flaw exists in the w3-msql error page.

google dork : "W3-mSQL Error!  -  Can't stat script file (/"

Just insert a script starting at the /

For example, if you get a URL like:

http://localhost/cgi-bin/w3-msql/journal/ijcd/index.html


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.

Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!