$req->header('Accept' => 'text/html');
$res = $ua->request($req);
if ($res->is_success) {
$result = $res->content;
if ($action eq "edit") {
print "Viewing $path$file:\n";
print $1,"\n" if($result =~ /name="ncontent">(.*)<\/textarea>/s);
}
Test:
http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes
Result: "MYSQL Error has occurred!"
-----------------------------[source code start]-------------------------------
if ($msg) {
$msg = trim($msg);
"</h3>\n";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIE, "fws_guest=" . $customerid);
$result = curl_exec($ch);
curl_close($ch);
$result = str_replace("\n", "", $result);
preg_match("/(Wat zit er in uw winkelwagen.*)<\/table>/", $result,
$matches);
echo strip_tags($matches[1]);
Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
Date 20090725
I) Introduction
II) PHP arbitrary Local File Inclusion testing
III) PHP arbitrary Local File Inclusion results
IV) PHP arbitrary File Open testing
V) PHP arbitrary File Open results
VI) PHP arbitrary Remote File Upload testing
VII) PHP arbitrary Remote File Upload results
VIII) Conclusions
download: http://open-classifieds.com/download/
Exploit chain: captcha bypass -> sqli (insert) -> persistent xss on front page
If registration is required an extra link in the chain is added:
Exploit chain: blind sqli (select) -> captcha bypass -> sqli (insert) -> persistent xss on front page
sites with SEO URLs enabled:
"powered by Open Classifieds" inurl:"publish-a-new-ad.htm" (85,000 results)
or default urls:
"powered by Open Classifieds" inurl:"item-new.php" (16,500 results)
Total sites: ~100,000
Reason: using unsanitized user submitted data for file operations
Attack vector: user submitted GET parameter "route"
Preconditions:
1. Windows platform
2. PHP version must be < 5.3.4 for null-byte attacks to work
Result: remote file disclosure, php remote code execution
Source code snippet from script "index.php":
-----------------[ source code start ]---------------------------------
// Router
The Certificate Trust List (CTL) Provider service of Cisco Unified
Communications Manager version 5.x contains a memory consumption
vulnerability that occurs when a series of malformed TCP packets are
received by a vulnerable Cisco Unified Communications Manager system
and may result in a DoS condition. The CTL Provider service listens
by default on TCP port 2444 and is user configurable. The CTL
Provider service is enabled by default. There is a workaround for
this vulnerability. The vulnerability is fixed in Cisco Unified
Communications Manager version 5.1(3). The vulnerability is
documented in Cisco Bug ID CSCsj80609 and has been assigned the
Details:
========
1.1
A SQL Injection vulnerability is detected in DIY v1.0 Content Management System.
The vulnerability allows a remote attacker or a local low-privileged user account to inject and execute their own SQL commands
against the affected application's DBMS. Successful exploitation of the vulnerability results in DBMS and application compromise.
Vulnerable Module(s):
[+] Mod - Poll
1.2
+------------------------------------
A crafted SSL or HTTP packet may cause a DoS condition on a Cisco
ASA device that is configured to terminate SSL VPN connections. This
vulnerability can also be triggered on any interface where ASDM access
is enabled. A successful attack may result in a reload of the device. A
TCP three-way handshake is not needed to exploit this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv52239 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-1156.
Summary
=======
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances that may result
in a reload of the device or disclosure of confidential information.
This security advisory outlines details of the following
vulnerabilities:
* Erroneous SIP Processing Vulnerabilities
// Insert data
$sqlquery = "UPDATE " . usersdb . " SET "
."Password ='" .$Password2 ."' WHERE ID ='" .$ID ."'";
$results = mysql_query($sqlquery);
-----------------[ source code end ]-----------------------------------
Example exploit:
-------------------------------------------------------------------------------
<html>
NTLMv1 Authentication Bypass Vulnerability
+-----------------------------------------
Cisco ASA 5500 Series Adaptive Security Appliances contain a
vulnerability that could result in authentication bypass when the
affected appliance is configured to authenticate users against Microsoft
Windows servers using the NTLMv1 protocol.
Users can bypass authentication by providing an invalid, crafted
username during an authentication request. Any services that use a
Website: http://www.flatpress.org
Vulnerability Description
-------------------------
Versions 0.804 through 0.812.1 are prone to an LFI vulnerability
which can be exploited to achieve RCE (Remote Command Execution).
The affected code is in the user_get() function in
fp-includes/core/core.users.php, as shown below.
=======
Multiple vulnerabilities exist in the Cisco Application Networking
Manager (ANM) and Cisco Application Control Engine (ACE) Device
Manager applications. These vulnerabilities are independent of each
other. Successful exploitation of these vulnerabilities may result in
unauthorized system or host operating system access.
This security advisory identifies the following vulnerabilities:
* ACE Device Manager and ANM invalid directory permissions
-------------------
When you look at the code generated by the compiler, you will
see that it first multiplies the timestamp, the process identifier and
the numerical factor. This is performed in modular integer arithmetic.
It was therefore evaluated how likely it is that the multiplication
will result in zero, because then the seed will be zero, too.
(On older PHP versions the seed will be 1 for mt_rand() because the
lowest bit is forced to 1.)
1000000 is a number with its lowest 6 bits set to zero. Therefore
the multiplication will result in zero if the timestamp and process
This is useless; I don't know what the author wanted to
do, but this can be bypassed easily. After some conditions,
the write_comment() function is called:
$result = write_comment( $_POST[ 'y' ], $_POST[ 'm' ],
$_POST[ 'entry' ],
$comment_name,
$comment_email,
$comment_url,
$comment_text,
###############################################################################
Reason: outputting html data without proper encoding
Attack vector: user submitted GET or POST parameters
Preconditions: "register_globals=On"
Result: XSS attack possibilities
Tests:
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
HP Tru64 UNIX v 5.1B-4 PK6 (BL27)
T64KIT1001630-V51BB27-ES-20090803
https://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001630-V51BB27-ES-20090803
MD5 results:
639bf32e22db9ca317b0e91818a100fb
SHA1 results:
53d4010e7e982b57f2e4f4fb5aa33ac1f5114ff3
'get_access' => 1
);
$users = CUser::get($options);
$user = reset($users);
if($user['api_access'] != GROUP_API_ACCESS_ENABLED){
self::$result = array('error' => ZBX_API_ERROR_NO_AUTH, 'data' =>
'No API access');
return self::$result;
}
This lack of sanitization leads to an SQL Injection vulnerability which
3. *Vulnerability Description*
DNS spoofing and cache poisoning attacks have been known security
threats that result from design weaknesses of the DNS protocol since the
early 1990s as described by Christopher Schuba [1] and Paul Vixie [2].
In 1997 a practical implementation of a blind remote DNS cache poisoning
attack that relies solely on exploiting the predictability of the ID
field of DNS query packets was described by Arce and Kargieman [3]. This
was followed up by further refinements and advancement of attack
+-------------------------------------
Cisco Unified Communications Manager contains two DoS vulnerabilities
that involve the processing of SCCP packets. Each vulnerability is
triggered by a malformed SCCP message that could cause a critical
process to fail, which could result in the disruption of voice
services. All SCCP ports (TCP ports 2000 and 2443) are affected.
The first SCCP DoS vulnerability is documented in Cisco Bug ID
CSCtc38985 and has been assigned the CVE identifier CVE-2010-0587.
This vulnerability is fixed in Cisco Unified Communications Manager
@rename($tmpfilename, "mkportal/blog/images/$image");
--------------------[/source code]---------------------
What are the possibilities? An attacker can upload a picture file with PHP code
inside, with a filename like "pic.php.pjpg", and it will be stored on the remote
server as a result. When the attacker then issues a direct request to the uploaded
picture:
http://localhost/mkportal.1.2.1/mkportal/blog/images/1pic.php.pjpg"
.. then, in the case of the Apache webserver, the PHP code inside the picture will
Cisco IOS software configured for IOS firewall Application Inspection
Control (AIC) with a HTTP configured application-specific policy are
vulnerable to a Denial of Service when processing a specific
malformed HTTP transit packet. Successful exploitation of the
vulnerability may result in a reload of the affected device.
Cisco has released free software updates that address this
vulnerability.
A mitigation for this vulnerability is available. See the
The motivation to produce this document is explained in the Preface of the
document as follows:
- ---- cut here ----
The TCP/IP protocols were conceived during a time that was quite different
from the hostile environment they operate in now. Yet a direct result of their
effectiveness and widespread early adoption is that much of today's
global economy remains dependent upon them.
While many textbooks and articles have created the myth that the Internet
#2008-008 multiple heap overflows in xine-lib
Description:
The xine free multimedia player suffers from a number of vulnerabilities
ranging in severity. The worst of these vulnerabilities results in
arbitrary code execution and the least, in unexpected process
termination.
Five heap buffer overflows exist in parsing of real audio files, id3
tags, qt mov files, and matroska headers which all can result in
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-shellescape.html
http://www.rdancer.org/vulnerablevim-latest.tar.bz2
Improper implementation of the shellescape() function and lack of
documentation can result in untrusted data being insufficiently
sanitized, possibly leading to arbitrary code execution.
2. Background
Rsyncrypto[1] is a file encryption tool. It has a single RSA key that
encrypts per-file symmetric AES keys. The files themselves are subject
to an encryption method that is based on CBC, but makes a
security-performance trade-off. In particular, the files are encrypted
in such a way that re-encrypting, using the same key, a file that was
slightly modified will result in slightly modified ciphertext. This is
needed so that the file will retain wire efficiency when transferred
using rsync[2].
Rsyncrypto does not generate the RSA key itself. Instead, the rsyncrypto
manual instructs the user to use openssl in order to generate a private
SUMMARY
=======
Two bugs in the RPC library server code, used in the kadmin server,
causes an array overrun if too many file descriptors are opened.
Memory corruption can result.
IMPACT
======
An unauthenticated remote attacker can cause memory corruption in the