Next Page >>
inject
each component of the solution is addressed independently in its own
advisory. This advisory addresses Cisco TelePresence endpoint devices
and details the following vulnerabilities:
* Unauthenticated Common Gateway Interface (CGI) Access
* CGI Command Injection
* TFTP Information Disclosure
* Malicious IP Address Injection
* XML-Remote Procedure Call (RPC) Command Injection
* Cisco Discovery Protocol Remote Code Execution
Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver,
Yaws and Boa log escape sequence injection
Name Nginx, Varnish, Cherokee, thttpd, mini-httpd,
WEBrick, Orion, AOLserver, Yaws and Boa log escape
sequence injection
Systems Affected nginx 0.7.64
Varnish 2.0.6
Cherokee 0.99.30
mini_httpd 1.19
List of found vulnerabilities
===============================================================================
1. Sql Injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter "origmsg" is used in sql query
Preconditions:
transferring data across domains, allowing them to interact with each other.
The Anti-XSS filter has been found to have some security holes in the
current implementation. Microsoft decided to filter "Type 1 XSS" which is
free text send to the server being reflected to the user and therefore
injecting HTML code into the website's page. They chose not to handle
certain situations such as injection into a JavaScript tag space, which
would be extremely difficult to filter. The software giant also chose not
to filter injection into HTTP headers, which will drive hackers to focus on
discovering CRLF vulnerabilities.
Vulnerabilities
CVE IDs in this security advisory:
1) Authentication bypass - CVE-2010-4279
2) OS Command Injection - CVE-2010-4278
3) SQL Injection - CVE-2010-4280
4) Blind SQL Injection - CVE-2010-4280
5) Path Traversal - CVE-2010-4281 - CVE-2010-4282 - CVE-2010-4283
_='`"``=.
presents..
Multiple Adobe Products
XML External Entity And XML Injection Vulnerabilities
CVE: CVE-2009-3960
Adobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html
Link: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
Dear all,
I have found a SQL injection vulnerability in Blogs manager <= 1.101
It seems to be version 1.101 as you can see in the files section of sourceforge.
I reported the vulnerability to the vendor but no response as stated
in the advisory.
Best,
muuratsalo
-- ADVISORY --
------------------------------------------------------------------------
Description:
Pligg is a popular open source, full featured, content management
system written in php. There are a number of vulnerabilities
within Pligg that allow for remote file enumeration, file inclusion,
cross site scripting, and sql injection. When combined these issues
allow for remote code execution on the affected installation
via arbitrary php code placed within template files once admin
credentials are gained via SQL Injection.
AdPeeps Ad Rotator - XSS and HTML Injection Vulnerabilities
Version Affected: 8.5d1 (3-18-09) (newest)
Info: Ad Peeps is a banner rotator and text ad rotator - all in one that allows you to track, sell and manage banner ads, rich-media/flash ads and text ads on your website. Built using PHP/MYSQL, Ad Peeps provides you and your advertisers with highly detailed real-time statistics and is capable of delivering millions of impressions per day on a typical shared web server. - Plus, you can try it right now on your website with our 7 day trial.
Ad Peeps is so versatile that it can even show your text ads Yahoo! Style or Google AdWords Style. Unlike many other banner ad rotator programs, Ad Peeps was skillfully designed to use minimal server resources while maintaining speed and unparalleled performance. Built on a highly scalable and versatile database architecture, Ad Peeps works without fuss even on high traffic web sites and won't crash your high powered website..
Opinion: AdPeeps, along with many others should really hire people to audit their code.
####################
2. Vulnerabilities:
####################
2.1. Absolute Live Support XE (ASP version 5.1) (admin)
2.1.1. SQL Injection in "search.asp" by "orderby" parameter.
POC:
http://[URL]/xlaabsolutels/search.asp?orderby=[SQL INJECTION]
2.1.2. XSS in "search.asp" (all fields are vulnerable).
POC:
multiple data acquisition methods, and user management features out of
the box".
II. DESCRIPTION
Multiple vulnerabilities exist in Cacti software (XSS, SQL Injection,
Path Disclosure, HTTP Response Splitting).
III. ANALYSIS
Summary:
# +-+-+-+-+ #
# |C|r|e|w| #
# +-+-+-+-+ #
##################################################################
##################################################################
# [#] Theeta CMS (Cross Site Scripting,SQL Injection) Multiple Vulnerabilities #
# [#] Discovered By c0dy #
# [#] http://r00tDefaced.net #
# [#] Greetz: sHoKeD-bYte, syst0x1c & r00tDefaced Members #
##################################################################
#
Summary
=======
The Management Center for Cisco Security Agents is affected by a
directory traversal vulnerability and a SQL injection vulnerability.
Successful exploitation of the directory traversal vulnerability may
allow an authenticated attacker to view and download arbitrary files
from the server hosting the Management Center. Successful
exploitation of the SQL injection vulnerability may allow an
authenticated attacker to execute SQL statements that can cause
Advisory: IceWarp WebMail Server: SQL Injection in Groupware Component
During a penetration test RedTeam Pentesting discovered multiple
SQL-Injections in the IceWarp WebMail Server. Attackers that are in
control of a user account for the web-based email and groupware
components are able to execute arbitrary SQL SELECT statements and
therefore read any data from the DBMS that are accessible by the Icewarp
eMail Server.
########################## www.BugReport.ir #######################################
#
# AmnPardaz Security Research Team
#
# Title: Pooya Site Builder (PSB) SQL Injection Vulnerabilities
# Vendor: www.paridel.com
# Vulnerable Version: 6.0 (Assembly Version)
# Exploit: Available
# Impact: High
# Fix: N/A
Dear all,
I have found a SQL injection vulnerability in Valid tiny-erp <= 1.6.
It seems to be version 1.6 as you can see in the 'project' section of
www.valid.gr.
Anyway there is not any specific number version in the sourceforge page.
I reported the vulnerability to the vendor but no response as stated
in the advisory.
Best,
muuratsalo
08-10-22_Opera_Stored_Cross_Site_Scripting.pdf
== Issue Details ==
Opera browser is vulnerable to stored Cross Site
Scripting. A malicious attacker is able to inject
arbitrary browser content through the
websites visited with the Opera browser. The code
injection is rendered into the Opera History Search
page which displays URL and a short
description of the visited pages.
good example of this. Its impossible to account for all the ways a variable can be mangled once it
enters a program and if you Sanitize input when it first enters the program there will be cases where it
will become dangerous again. This isn't only a problem for SQLi, its also a problem for XSS. I am
inserting JS into the database, which isn't a vulnerablity, but printing it, is persistant XSS.
The blind sql injection is a bit strange. I can't use white space or commas, which is a pain. I had to
rewrite my general purpose Blind SQLi Class to accommodate. A binary search is used to greatly
speed up the blind sqli attack.
(which I also used in my php-nuke exploit: http://www.exploit-db.com/exploits/12510/)
Special thanks to Reiners for this sqli filter evasion cheat sheet:
software is free of flaws, and b) clients verify the server's TLS
certificate, so that there can be no "man in the middle" (servers
usually don't verify client certificates).
The problem discussed in this writeup is caused by a software flaw.
The flaw allows an attacker to inject client commands into an SMTP
session during the unprotected plaintext SMTP protocol phase (more
on that below), such that the server will execute those commands
during the SMTP-over-TLS protocol phase when all communication is
supposed to be protected.
SEC Consult Vulnerability Lab Security Advisory < 20110701-0 >
=======================================================================
title: Multiple SQL Injection Vulnerabilities
product: WordPress
vulnerable version: 3.1.3/3.2-RC1 and probably earlier versions
fixed version: 3.1.4/3.2-RC3
impact: Medium
homepage: http://wordpress.org/
found: 2011-06-21
by: K. Gudinavicius
On Fri, Jul 01, 2011 at 11:23:40AM +0200, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20110701-0 >
> =======================================================================
> title: Multiple SQL Injection Vulnerabilities
> product: WordPress
> vulnerable version: 3.1.3/3.2-RC1 and probably earlier versions
> fixed version: 3.1.4/3.2-RC3
> impact: Medium
> homepage: http://wordpress.org/
> found: 2011-06-21
contains others dangerous extension like phtml, pwml, php4, php5, inc... But the really problem is that at line 3152
the uploaded file extension is simply compared with == operator, so an attacker could be able to upload for e.g. an
avatar with .PHP extension. This is possible only if 'file_white_list' configuration is blank (such as by default).
+-----------------------------------+
| SQL Injection in UPDATE statement |
+-----------------------------------+
First look at the getUserTimeTarget() function defined into /libraries/tools.php
2776. function getUserTimeTarget($url) {
Time-Based Blind NoSQL Injection - Detecting server-side JavaScript
injection vulnerabilities
In July 2011, Bryan Sullivan, a senior security researcher at Adobe
Systems, demonstrated server-side JavaScript injection vulnerabilities
in web applications using MongoDB and other NoSQL database engines. He
demonstrated how they could be used to perform Denial of Service, File
System, Remote Command Execution, and many other attacks, including the
easy extraction of the entire contents of the NoSQL database -- a blind
NoSQL injection attack (paper here at
- Severity: Moderately High
=============================================
I. VULNERABILITY
-------------------------
Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection
Invision Power Board <= 2.3.6 SQL Injection
II. BACKGROUND
-------------------------
Invision Power Board (IPB) is a professional forum system that has
[waraxe-2008-SA#062] - Multiple Sql Injections in MyBB 1.2.10
===============================================================================
Author: Janek Vind "waraxe"
Date: 16. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-62.html
---[ Vulnerability description ]
Positive Research Center has discovered multiple XSS vulnerabilties in Kayako Support Suite.
Application insufficiently verifies subscriberdata incoming parameter in /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability an attacker should convince a user with "staff" privileges to open URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
Application insufficiently verifies subject incoming parameter in /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attacker should trick a user with "staff" privileges to open URL like:
================= IUT-CERT =================
Title: Eshopbuilde CMS SQL Injection Vulnerability
Vendor: www.eshopbuilder.ir
Dork: Design by Satcom Co
Type: Input.Validation.Vulnerability (SQL Injection)
Fix: N/A
#!/usr/bin/perl
#-----------------------------------------------------------------
#BLIND SQL INJECTION (GET var 'AlbumID')--RTWebalbum 1.0.462-->
#-----------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://rtwebalbum.x12.pl/
#-->DOWNLOAD: http://sourceforge.net/projects/rtwebalbum/
#-->DEMO: http://rtwebalbum.x12.pl/
#!/usr/bin/perl
#
#-------------------------------------------------
# (module custompage.php) BLIND SQL INJECTION
#-------------------------------------------------
#
# CMS INFORMATION:
#
#-->WEB: http://www.clantiger.com
#-->DOWNLOAD: http://www.clantiger.com/download-clan-cms
Released on: 2007/12/16
Changelog: 2007/12/16
Summary: [HT] Remote File Inclusion
[MT] SQL Injection
[MT] SQL Injection Protection Bypass
[__] Conclusion
Legend: L - Low risk M - Medium risk
H - High risk T - Tested
Next Page>>
|
