Fwd: Returned post for bugtraq@securityfocus.com

$req->header('Accept' => 'text/html');

$res = $ua->request($req);

if ($res->is_success) {
       $result = $res->content;

       if ($action eq "edit") {
               print "Viewing $path$file:\n";
               print $1,"\n" if($result =~ /name="ncontent">(.*)<\/textarea>/s);
       }

[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09

Test:

http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes

Result: "MYSQL Error has occurred!"

-----------------------------[source code start]-------------------------------
if ($msg) {
  $msg = trim($msg);


FreeWebshop.org: multiple vulnerabilities

"</h3>\n";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIE, "fws_guest=" . $customerid);
$result = curl_exec($ch);
curl_close($ch);
$result = str_replace("\n", "", $result);
preg_match("/(Wat zit er in uw winkelwagen.*)<\/table>/", $result, $matches);
echo strip_tags($matches[1]);

Multiple Vulnerabilities in OpenClassifieds 1.7.0.3

download: http://open-classifieds.com/download/
Exploit chain: captcha bypass -> sqli (insert) -> persistent xss on front page
If registration is required, an extra link in the chain is added:
Exploit chain: blind sqli (select) -> captcha bypass -> sqli (insert) -> persistent xss on front page
sites with SEO URLs enabled:
"powered by Open Classifieds" inurl:"publish-a-new-ad.htm"  (85,000 results)
or default URLs:
"powered by Open Classifieds"  inurl:"item-new.php" (16,500 results)
Total sites: ~100,000

[USN-710-1] xine-lib vulnerabilities

could crash xine-lib or possibly execute arbitrary code with the privileges of
the user invoking the program. This issue only applied to Ubuntu 6.06 LTS, 7.10,
and 8.04 LTS. (CVE-2008-5233)

It was discovered that the QT demuxer in xine-lib did not correctly handle
an invalid metadata atom size, resulting in a heap-based buffer overflow. If a
user or automated system were tricked into opening a specially crafted MOV file,
an attacker could execute arbitrary code as the user invoking the program.
(CVE-2008-5234, CVE-2008-5242)

It was discovered that the Real, RealAudio, and Matroska demuxers in xine-lib

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

The Certificate Trust List (CTL) Provider service of Cisco Unified
Communications Manager version 5.x contains a memory consumption
vulnerability that occurs when a series of malformed TCP packets are
received by a vulnerable Cisco Unified Communications Manager system
and may result in a DoS condition. The CTL Provider service listens
by default on TCP port 2444 and is user configurable. The CTL
Provider service is enabled by default. There is a workaround for
this vulnerability. The vulnerability is fixed in Cisco Unified
Communications Manager version 5.1(3). The vulnerability is
documented in Cisco Bug ID CSCsj80609 and has been assigned the

Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA

Summary
=======

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances that may result
in a reload of the device or disclosure of confidential information.
This security advisory outlines details of the following
vulnerabilities:

  * Erroneous SIP Processing Vulnerabilities

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances

A crafted SSL or HTTP packet may cause a DoS condition on a Cisco
ASA device that is configured to terminate SSL VPN connections. This
vulnerability can also be triggered to any interface where ASDM access
is enabled. A successful attack may result in a reload of the device. A
TCP three-way handshake is not needed to exploit this vulnerability.

This vulnerability is documented in Cisco Bug ID CSCsv52239 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifiers
CVE-2009-1156.

FlatPress 0.804-0.812.1 Local File Inclusion to Remote Command Execution

Website: http://www.flatpress.org


Vulnerability Description
-------------------------
Versions 0.804 through 0.812.1 are prone to a Local File Inclusion (LFI)
vulnerability that can be exploited to achieve Remote Command Execution
(RCE). The code involved is in the user_get() function in
fp-includes/core/core.users.php, as shown below.


[SECURITY] [DSA 1399-1] New pcre3 packages fix arbitrary code execution

Version 7.0 of the PCRE library featured a major rewrite of the regular
expression compiler, and it was deemed infeasible to backport the
security fixes in version 7.3 to the versions in Debian's stable and
oldstable distributions (6.7 and 4.5, respectively).  Therefore, this
update contains version 7.3, with special patches to improve the
compatibility with the older versions.  As a result, extra care is
necessary when applying this update.

The Common Vulnerabilities and Exposures project identifies the
following problems:


[SECURITY] [DSA 2053-1] New Linux 2.6.26 packages fix several issues

CVE-2009-4537

    Fabian Yamaguchi reported a missing check for Ethernet frames larger
    than the MTU in the r8169 driver. This may allow users on the local
    network to crash a system, resulting in a denial of service.

CVE-2010-0727

    Sachin Prabhu reported an issue in the GFS2 filesystem. Local users
    can trigger a BUG() altering the permissions on a locked file,

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances contain a
vulnerability that could result in authentication bypass when the
affected appliance is configured to authenticate users against Microsoft
Windows servers using the NTLMv1 protocol.

Users can bypass authentication by providing an invalid, crafted
username during an authentication request. Any services that use a

[ MDVSA-2010:070 ] firefox

 Mozilla developer Josh Soref of Nokia reported that documents
 failed to call certain security checks when attempting to preload
 images. Although the image content is not available to the page, it
 is possible to specify protocols that are normally not allowed in a
 web page such as file:. This includes internal schemes implemented
 by add-ons that might perform privileged actions resulting in
 something like a Cross-Site Request Forgery (CSRF) attack against
 the add-on. Potential severity would depend on the add-ons installed
 (CVE-2010-0168).
 
 Mozilla developer Blake Kaplan reported that the window.location object

[ MDVSA-2010:070-1 ] firefox


Cisco Security Advisory: Cisco ACE Application Control Engine Device Manager and Application Networking Manager Vulnerabilities

Multiple vulnerabilities exist in the Cisco Application Networking
Manager (ANM) and Cisco Application Control Engine (ACE) Device
Manager applications. These vulnerabilities are independent of each
other. Successful exploitation of these vulnerabilities may result in
unauthorized system or host operating system access.

This security advisory identifies the following vulnerabilities:

  * ACE Device Manager and ANM invalid directory permissions

MITKRB5-SA-2008-001: double-free, uninitialized data vulnerabilities in krb5kdc


MITKRB5-SA-2008-002: array overrun in RPC library used by kadmin (resend, corrected subject)

SUMMARY
=======

Two bugs in the RPC library server code, used in the kadmin server,
cause an array overrun if too many file descriptors are opened.
Memory corruption can result.

IMPACT
======

An unauthenticated remote attacker can cause memory corruption in the

MITKRB5-SA-2010-007 Multiple checksum handling vulnerabilities [CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021]

An unauthenticated remote attacker can forge GSS tokens that are
intended to be integrity-protected but unencrypted, if the targeted
pre-existing application session uses a DES session key.

An authenticated remote attacker can forge PACs if using a KDC that
does not filter client-provided PAC data.  This can result in
privilege escalation against a service that relies on PAC contents to
make authorization decisions.

An unauthenticated remote attacker has a 1/256 chance of swapping a
client-issued KrbFastReq into a different KDC-REQ, if the armor key is

Cisco Security Advisory: Cisco IOS Software Firewall Application Inspection Control Vulnerability

Cisco IOS software configured for the IOS Firewall Application Inspection
Control (AIC) feature with an HTTP application-specific policy is
vulnerable to a denial of service when processing a specific malformed
HTTP transit packet. Successful exploitation of the vulnerability may
result in a reload of the affected device.

Cisco has released free software updates that address this
vulnerability.

A mitigation for this vulnerability is available. See the

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

Cisco Unified Communications Manager contains two DoS vulnerabilities
that involve the processing of SCCP packets. Each vulnerability is
triggered by a malformed SCCP message that could cause a critical
process to fail, which could result in the disruption of voice
services. All SCCP ports (TCP ports 2000 and 2443) are affected.

The first SCCP DoS vulnerability is documented in Cisco Bug ID 
CSCtc38985 and has been assigned the CVE identifier CVE-2010-0587.
This vulnerability is fixed in Cisco Unified Communications Manager

[waraxe-2009-SA#072] - Multiple Vulnerabilities in RavenNuke 2.3.0

4. now go to "Users":

http://localhost/ravennuke230/admin.php?op=yaUsers

and select "User Details" for any user, then click "OK".
The resulting page will display the output of phpinfo(), done :)

Fragment of vulnerable source code:
-------------------------------------------------------
/* Get Custom Fields and display them in desired order
...

Advisory - Rsyncrypto may be affected by the Debian OpenSSL reduced entropy problem

Rsyncrypto[1] is a file encryption tool. It has a single RSA key that
encrypts a symmetric AES key per file. The files themselves are encrypted
with a CBC-based mode that makes a deliberate security/performance
trade-off: if a file is slightly modified and re-encrypted under the same
key, the resulting ciphertext is also only slightly modified. This is
needed so that the file retains its wire efficiency when transferred
using rsync[2].

Rsyncrypto does not generate the RSA key itself. Instead, the rsyncrypto
manual instructs the user to use openssl in order to generate a private

[waraxe-2009-SA#070] - Multiple Vulnerabilities in MKPortal <= 1.2.1

@rename($tmpfilename, "mkportal/blog/images/$image");
--------------------[/source code]---------------------

What are the possibilities? An attacker can upload a picture file with PHP
code inside, using a filename like "pic.php.pjpg", and it will be stored on
the remote server under that name. When the attacker then issues a direct
request to the uploaded picture:

http://localhost/mkportal.1.2.1/mkportal/blog/images/1pic.php.pjpg

.. then, in the case of an Apache webserver, the PHP code inside the picture will
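
The check that would have stopped the "pic.php.pjpg" trick, as an added example that is not MKPortal's code: an upload handler that inspects every dot-separated part of the client's filename, not just the last one, and then stores the file under a server-chosen name with a single allow-listed extension derived from its magic bytes. Assumptions not taken from the advisory: the server is Apache with mod_php, where any ".php"-style extension anywhere in a multi-dotted name can select the PHP handler, and the application only needs JPEG/PNG/GIF uploads. The sample headers in the usage section are constructed.

```python
# Added example, not MKPortal's code: filename and content checks for an
# image upload handler that reject the double-extension trick described
# above. Assumed environment: Apache + mod_php, images limited to JPEG/PNG/GIF.
import os
import secrets

ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}

# Extensions a typical Apache + mod_php install hands to the PHP engine.
# Apache evaluates every dot-separated part of a filename, so "x.php.pjpg"
# can run as PHP even though its last extension is not ".php".
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar", "pht"}


def extensions_of(name):
    """Every dot-separated suffix of the base filename, lower-cased."""
    base = os.path.basename(name.replace("\\", "/"))
    return base.lower().split(".")[1:]


def is_safe_image_name(name):
    """True only if the final extension is an allowed image type and no
    other part of the name is something the web server would execute.
    Looking at the last extension alone is the mistake described above."""
    if not name or "\x00" in name:
        return False
    exts = extensions_of(name)
    if not exts or exts[-1] not in ALLOWED_IMAGE_EXT:
        return False
    return not any(e in EXECUTABLE_EXT for e in exts)


IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image_type(head):
    """Image type implied by the leading bytes, or None.
    On its own this does NOT stop the attack above: a real JPEG with
    "<?php ... ?>" appended still has a valid JPEG header. The decisive
    control is the name the file is stored under."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def stored_name(original_name, head):
    """Name to store the upload under, or None to reject it.
    The client's stem is discarded and exactly one allow-listed extension,
    taken from the content sniff and cross-checked against the claimed
    extension, is appended. The stored path can only end in one image
    extension, whatever the client called the file."""
    if not is_safe_image_name(original_name):
        return None
    kind = sniff_image_type(head)
    if kind is None:
        return None
    claimed = extensions_of(original_name)[-1]
    if claimed == "jpeg":
        claimed = "jpg"
    if claimed != kind:
        return None
    return secrets.token_hex(16) + "." + kind


if __name__ == "__main__":
    jpeg_head = b"\xff\xd8\xff\xe0" + b"\x00" * 12  # constructed JPEG header
    for candidate in ["holiday.jpg", "pic.php.pjpg", "pic.php.jpg", "shell.phtml"]:
        print(candidate, "->", stored_name(candidate, jpeg_head))
```

Running the block prints a random name for "holiday.jpg" and None for the three hostile names; in a real handler the None path is "reject the upload", and the returned name, not the client's, is what goes into the rename() call shown above.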

Zabbix <= 1.8.1 SQL Injection

                        'get_access' => 1
                        );
        $users = CUser::get($options);
        $user = reset($users);
        if($user['api_access'] != GROUP_API_ACCESS_ENABLED){
                self::$result = array('error' => ZBX_API_ERROR_NO_AUTH, 'data' => 'No API access');
                return self::$result;
        }

This lack of sanitization leads to an SQL Injection vulnerability which

[USN-575-1] Apache vulnerabilities

Details follow:

It was discovered that Apache did not sanitize the Expect header from
an HTTP request when it is reflected back in an error message, which
could result in browsers becoming vulnerable to cross-site scripting
attacks when processing the output. With cross-site scripting
vulnerabilities, if a user were tricked into viewing server output
during a crafted server request, a remote attacker could exploit this
to modify the contents, or steal confidential data (such as passwords),
within the same domain. This was only vulnerable in Ubuntu 6.06.
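
A check for the reflection described above, as an added example that is not part of the USN or of Apache: a raw-socket probe that sends an Expect value Apache cannot satisfy, and an offline classifier that distinguishes a verbatim (exploitable) echo of that value from an HTML-escaped one. The 417 pages built here are constructed for this example, modelled on the shape of Apache's stock error text; the "escaped" variant assumes the fix HTML-escapes the header value before interpolating it, and "example.com" is a placeholder.

```python
# Added example, not from the USN or Apache: probe and classify reflection
# of the Expect request header in a 417 error page.
import html
import socket

# The marker carries a tag so that escaping is observable in the response.
MARKER = "expect-probe-<b>7f3a</b>"


def build_request(host, marker=MARKER):
    """HTTP/1.1 request whose Expect value the server cannot satisfy; a
    compliant server answers 417 and, on the affected versions, echoes it."""
    return (
        "GET / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Expect: {marker}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("latin-1")


def classify_reflection(body, marker=MARKER):
    """'raw' if the marker appears verbatim (tags intact, i.e. exploitable),
    'escaped' if only its HTML-escaped form appears, 'absent' otherwise."""
    if marker in body:
        return "raw"
    if html.escape(marker, quote=False) in body:
        return "escaped"
    return "absent"


def probe(host, port=80, timeout=5.0):
    """Send the request and return (status line, classification)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("latin-1", errors="replace")
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n", 1)[0], classify_reflection(body)


def sample_417_page(expect_value):
    """Constructed 417 body in the shape of Apache's built-in error page."""
    return (
        "<html><head><title>417 Expectation Failed</title></head><body>\n"
        "<h1>Expectation Failed</h1>\n"
        "<p>The expectation given in the Expect request-header field "
        "could not be met by this server.</p>\n"
        f"<p>The client sent<pre>\n    Expect: {expect_value}\n</pre>\n"
        "but we only allow the 100-continue expectation.</p>\n"
        "</body></html>\n"
    )


# Unpatched behaviour: the header value is interpolated as-is.
VULNERABLE_BODY = sample_417_page(MARKER)
# Assumed patched behaviour: the value is HTML-escaped before interpolation.
FIXED_BODY = sample_417_page(html.escape(MARKER, quote=False))

if __name__ == "__main__":
    print("constructed unpatched page:", classify_reflection(VULNERABLE_BODY))
    print("constructed patched page:  ", classify_reflection(FIXED_BODY))
    # print(probe("example.com"))  # live check, only against hosts you may test
```

The live probe is deliberately written with a socket rather than an HTTP library so that the Expect header goes out exactly as written; client libraries may rewrite or special-case it.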

Security Assessment of the Internet Protocol

The motivation to produce this document is explained in the Preface of the
document as follows:

- ---- cut here ----
The TCP/IP protocols were conceived during a time that was quite different
from the hostile environment they operate in now. Yet a direct result of
their effectiveness and widespread early adoption is that much of today's
global economy remains dependent upon them.

While many textbooks and articles have created the myth that the Internet

Cisco Security Advisory: Cisco Unified Communications Web-based Management Vulnerability

Summary
=======

Unified Contact Center and Intelligent Contact Management products
contain a vulnerability that may result in unauthorized access to the
web-based reporting and script monitoring tool (Web View) and the
web-based configuration tool (Web Admin).

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20071017-IPCC.shtml.

Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module

Summary
=======

Two crafted packet vulnerabilities exist in the Cisco Firewall
Services Module (FWSM) that may result in a reload of the FWSM. These
vulnerabilities can be triggered during the processing of HTTPS
requests, or during the processing of Media Gateway Control Protocol
(MGCP) packets.

A third vulnerability may cause access control list (ACL) entries to not

Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities

  This is useless; I don't know what the author wanted to
  do, but this can be bypassed easily. After some conditions,
  the write_comment() function is called:
  
  219| $result = write_comment( $_POST[ 'y' ], $_POST[ 'm' ],
     |          $_POST[ 'entry' ],
  220|          $comment_name,
  221|          $comment_email,
  222|          $comment_url,
  223|          $comment_text,

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
