Next Page >>
personal blog
List of found vulnerabilities
===============================================================================
1. Insecure file upload in blog personal gallery
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. attacker must be registered user
3. *Vulnerability Description*
WordPress is a web application written in PHP that allows the easy
installation of a flexible weblog on any computer connected to the
Internet. WordPress 2.7 reached more than 6 million downloads during
June 2009 [9].
A vulnerability was found in the way that WordPress handles some URL
requests. This results in unprivileged users viewing the content of
SUBJECT: Microsoft SWI blog inaccuracies
Hello BugTraq
As you know, 3 weeks ago I published my paper, "Microsoft
Windows DNS Stub Resolver Cache Poisoning"
(http://www.trusteer.com/docs/Microsoft_Windows_resolver_DNS_cache_poisoning.pdf),
simultaneously with Microsoft's release of MS08-020
(http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx).
- Severity: 6.8/10 (CVSS scored)
=============================================
I. VULNERABILITY
-------------------------
Simple PHP Blog <= 0.5.1 Local File Include vulnerability
II. BACKGROUND
-------------------------
Simple PHP Blog is a blog system does not requires database setup, and
is very easy to install.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
PR08-13: Persistent Cross-site Scripting (XSS) on Moodle via blog entry
title
Vulnerability found: 20/06/2008
Vendor informed: 25/06/2008
I've found that funny result when i try to input some miscellaneous parameters in the query string.
When i try to click the HIGHLIGHTED POSTS in the blog but that entry had no longer exist.
Dear Yahoo,
I've found a bug on your site that i can list all the comments, all the entry belong to the public blog. When i try to click in the HighLighted post in a blog but this entry had no longer existed,
the page result is only the box for comment.
I look at the URL Address, it like this:
http://blog.360.yahoo.com/blog-(blog user encrypted ID)?cq=1&p=
I guest the string that encrypted in the query string is the blog user encrypted ID
Ok so now i try to input the query string paramter like this
http://blog.360.yahoo.com/blog-(blog user encrypted ID)?cq=2&p='
Neuron Blog Admin Permission Bypass and Remote File Upload Vulnerability
------------------------------------------------------------------------
Script : Neuron Blog
Version : 1.1
Site : http://dev.localhost.be/?q=detail-script&id=11
Founder : Rizgar
During research on MySQL Column Truncation Vulnerabilities it was
discovered that the user registration system of Wordpress is not
protected against this kind of attack. Further research then
discovered that this vulnerability can be used to reset the passwords
of users to a random string when user registration is activated
in the blog.
In addition to this it was discovered that Wordpress uses mt_rand()
to create passwords and reset tokens, which is not secure enough
for cryptographic secrets. The use of mt_rand() allows predicting
the randomly generated passwords when the PRNG is freshly seeded
.OR.ID
ECHO_ADV_100$2008
-----------------------------------------------------------------------------------------
[ECHO_ADV_100$2008] Comdev Web Blogger <= 4.1.3 (arcmonth) Sql Injection Vulnerability
-----------------------------------------------------------------------------------------
Author : M.Hasran Addahroni
Date : July, 14 th 2008
Location : Jakarta, Indonesia
BP Blog 6.0 (id) Remote Blind SQL Injection Vulnerability
JosS, Jose Luis Gngora Fernndez
Spanish Hackers Team
www.spanish-hackers.com
[+] Info:
[~] Software: bp blog
[~] HomePage: http://blog.betaparticle.com/
******* Salvatore "drosophila" Fresta *******
[+] Application: RitsBlog
[+] Version: 0.4.2
[+] Website: http://sourceforge.net/projects/ritsblog/
[+] Bugs: [A] SQL Injection
[B] XSS Persistent
[+] Exploitation: Remote
Subject: FC2 BLOG Cross-Site Scripting Vulnerabilities
Application: FC2 BLOG
Vendor:BLOG.FC2.COM
Corporation: FC2, Inc.
DATE : 9 Oct 2008
Description: FC2 BLOG Cross-Site Scripting Vulnerabilities
Vulnerability:
==============
They do not properly sanitize the potentially malicious input content
H - Security Labs
Eggblog v3.1.0 Security Advisory
ID : HSEC#20071111
General Information
--------------------------
Name : EggBlog v.3.1.0
Vendor HomePage :http://sourceforge.net/projects/eggblog/
Platforms : PHP && MySQL
Vulnerability Type : Input Validation Error
Secure Network - Security Research Advisory
Vuln name: Simple PHP Blog Multiple Vulnerabilities
Systems affected: simplePHPBlog 0.5.0.1, simplePHPBlog 0.4.8 and all previous versions
Systems not affected: -
Severity: Medium
Local/Remote: Remote
Vendor URL: http://www.simplephpblog.com/
Author(s): Luca "ikki" Carettoni - luca.carettoni@securenetwork.it, Luca "Daath" De Fulgentis - daath@webapptest.org
Vendor disclosure: 14th September 2007
Update:
Aladdin responded and posted a blog post, please read the timeline and
then the blog post.
http://www.aladdin.com/AircBlog/post/2009/05/Archive-Bypass-Issue-and-eSafe.aspx
It is said that :
-----------------
"This means that in case a customer receives such a specially crafted
Additional Drawing
- ------------------
If you help us to spread the word about the Month of PHP Security
and the open CFP by writing a blog posting about it, you have the
chance to win one of ten 33 USD/25 EUR Amazon Coupons. To participate
you have to write a blog posting about the Month of PHP Security CFP
and send a link to your blog posting to drawing@php-security.org
The winners will be announced on May 1, 2010.
Microsoft has issued a patch to fix the vulnerability and a detailed
description of how to implement the workarounds on IE. It is available
as Security Bulletin http://go.microsoft.com/fwlink/?LinkID=150860.
Microsoft's Research and Defense blog has further discussion about the
vulnerability, workarounds and mitigations [3].
7. *Credits*
Additional Drawing
- ------------------
If you help us to spread the word about the Month of PHP Security
and the open CFP by writing a blog posting about it, you have the
chance to win one of ten 33 USD/25 EUR Amazon Coupons. To participate
you have to write a blog posting about the Month of PHP Security CFP
and send a link to your blog posting to drawing@php-security.org
The winners will be announced on May 1, 2010.
----------------------------------------------------------------------
(PT-2009-14) Positive Technologies Security Advisory
BLOG:CMS Cross-Site Scripting vulnerability
----------------------------------------------------------------------
---[ Affected Software ]
II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards,
and usability. WordPress is both free and priceless at the same time. More simply, WordPress is
what you use when you want to work with your blogging software, not fight it.
III. DESCRIPTION
-------------------------
Wordpress allows authorised users to add an attachment to a blog post.
Ticketmaster. Some 66,000 customers who purchased tickets with a credit card
from the Kartenhaus.de web site between October 24, 2006 and September 30,
2007 were affected.
WHID 2007-60: The blog of a Cambridge University security team hacked
=====================================================================
Reported: 19 December 2007, Occurred: 27 October 2007
Classifications:
Ticketmaster. Some 66,000 customers who purchased tickets with a credit card
from the Kartenhaus.de web site between October 24, 2006 and September 30,
2007 were affected.
WHID 2007-60: The blog of a Cambridge University security team hacked
=====================================================================
Reported: 19 December 2007, Occurred: 27 October 2007
Classifications:
> Ticketmaster. Some 66,000 customers who purchased tickets with a credit card
> from the Kartenhaus.de web site between October 24, 2006 and September 30,
> 2007 were affected.
>
>
> WHID 2007-60: The blog of a Cambridge University security team hacked
> =====================================================================
> Reported: 19 December 2007, Occurred: 27 October 2007
>
> Classifications:
>
Ticketmaster. Some 66,000 customers who purchased tickets with a credit card
from the Kartenhaus.de web site between October 24, 2006 and September 30,
2007 were affected.
WHID 2007-60: The blog of a Cambridge University security team hacked
=====================================================================
Reported: 19 December 2007, Occurred: 27 October 2007
Classifications:
Hi All,
I have been posting a few entries to my blog over the last few weeks on Oracle 11g Security and have been looking at the new SHA-1 password algorithm used in Oracle 11g.
The password algorithm is simple and very easy to guess once you realise that the sha1 verifier stored in the database is 80 bits too long. Its also obvious from other testing I documented on my blog that a salt is indeed used. Once these facts are known the algoritm can be guessed. The algorithm is simply SHA1(pwd||salt) = 160 bit verifier||salt (stored in sys.user$spare4.
To create a simple function to test a verifier you simply need to do:
SYS.USER$.SPARE4 = SHA1("pwd guess" || substr(sys.user$.spare4,43,10)) || substr(sys.user$.spare4,43,10)
Hi All,
I have been posting a few entries to my blog over the last few weeks on Oracle 11g Security and have been looking at the new SHA-1 password algorithm used in Oracle 11g.
The password algorithm is simple and very easy to guess once you realise that the sha1 verifier stored in the database is 80 bits too long. Its also obvious from other testing I documented on my blog that a salt is indeed used. Once these facts are known the algoritm can be guessed. The algorithm is simply SHA1(pwd||salt) = 160 bit verifier||salt (stored in sys.user$spare4.
To create a simple function to test a verifier you simply need to do:
SYS.USER$.SPARE4 = SHA1("pwd guess" || substr(sys.user$.spare4,43,10)) || substr(sys.user$.spare4,43,10)
TZ>> once the material has been analysed.
TZ>> 10.04.2009 - Sending another POC file (ZIP)
TZ>> 10.04.2009 - The third person ergo the "Cyber
TZ>> Incident & Vulnerability Handling PM" is taking over coorindation
TZ>> 14.04.2009 - A comment was made to my blog that indicated IBM did
TZ>> answer the Bugtraq posting and negate my findings, having
TZ>> received no response from them personaly I ask
TZ>> "Dear Peter, I was refered to this url in a comment posted to my blog:
TZ>> http://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=5417
TZ>> can you confirm this ?"
- - The victim's user ID ('id') parameter and course ID ('course'
parameter) are required for a successful attack. However, such values
are public as they can be obtained from many sections of the site such as:
user blogs ('/blog/')
chats
public profiles. i.e.: '/user/view.php?id=2&course=1',
'/user/index.php?id=1',
'/user/index.php?id=1&group=&perpage=20&teachers=1&accesssince=0&search=0&perpage=500'
Conference 2008 | _ | | | | | (__| () | |
|_| |_|_| |_| \____|____|_|\__|
http://www.hitcon.org
Title =======:: DCFM Blog 0.9.4 (comments) Remote SQL Injection Vulnerability
Author ======:: unohope [at] chroot [dot] org
IRC =========:: irc.chroot.org #chroot
Conference 2008 | _ | | | | | (__| () | |
|_| |_|_| |_| \____|____|_|\__|
http://www.hitcon.org
Title =======:: Insanely Simple Blog 0.5 (index) Remote SQL Injection Vulnerabilities
Author ======:: unohope [at] chroot [dot] org
IRC =========:: irc.chroot.org #chroot
Next Page>>
|
