.
7. VENDOR
Wuxi Elootec Technology Co., Ltd.
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-04-22: Contacted the vendor through email
2012-04-29: Vendor replied and the vulnerability detail was sent
2013-01-04: Vulnerability not fixed
5.x only
On Sat, Dec 29, 2012 at 11:02 AM, Sean Jenkins s...@bluehost.com wrote:
Is it known if this exploit affects CubeCart versions 3.x and/or 4.x, or
just 5.0.[0..6]?
Sean Jenkins
Sr. System Administrator
On 12/28/2012 8:13 AM, YGN Ethical Hacker Group wrote:
1. OVERVIEW
CubeCart
. VENDOR
CubeCart Development Team
http://cubecart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-12-22: Vulnerability disclosed
2012-12-24: The vendor replied that the fix would not be implemented.
2013-01-01: Vulnerability disclosed
(review[title] parameter)
/admin.php (report[date][from] parameter)
6. SOLUTION
The vendor has chosen not to fix the issue.
7. VENDOR
CubeCart Development Team
http://cubecart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-12-22
]
-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
Inc.
http://www.transparent-support.com
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-11-17: Vulnerability Reported
2012-12-25: Vulnerability Disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bopen
///
6. SOLUTION
The vendor has not responded to the report since 2012-11-17.
It is recommended that an alternate software package be used in its place.
7. VENDOR
Transparent Technologies Inc.
http://www.transparent-support.com
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group
)
/index.php (town parameter)
6. SOLUTION
The CubeCart 3.0.x version family is no longer maintained by the vendor.
Upgrade to the currently supported CubeCart version - 5.x.
7. VENDOR
CubeCart Development Team
http:/cart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group
Page: http://cubecart.com/
#yehg [2012-12-22]
-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
version family is no longer maintained by the vendor.
Upgrade to the currently supported CubeCart version - 5.x.
7. VENDOR
CubeCart Development Team
http:/cart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-02-10: CubeCart 3.0.x in End
CubeCart Development Team
http://cubecart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-06-22: CubeCart 4.x in End-of-Support/Maintenance circle
2012-12-24: Vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http
/admin.php (redir parameter)
/admin.php?redir=//yehg.net/%3f (Redirect after login)
6. SOLUTION
Upgrade to the latest CubeCart version - 5.x.
7. VENDOR
CubeCart Development Team
http://cubecart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE
, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-12-22: CubeCart 4.x in End-of-Support/Maintenance circle
2012-12-24: Vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_4.4.6%5D_csrf
CubeCart Home Page: http
The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest CubeCart version - 5.x.
7. VENDOR
CubeCart Development Team
http://cubecart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
. SOLUTION
The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest CubeCart version - 5.x.
7. VENDOR
CubeCart Development Team
http://cubecart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE
://cubecart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-12-22: CubeCart 4.x in End-of-Support/Maintenance circle
2012-12-24: Vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories
The vendor has chosen not to fix the issue.
Workaround is to remove setup directory after installation.
7. VENDOR
CubeCart Development Team
http://cubecart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-03-24: Vulnerability Reported
this product and
therefore has no patch or upgrade that mitigates this problem.
It is recommended that an alternate software package be used in its place.
7. VENDOR
Transparent Technologies Inc.
http://www.transparent-support.com
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group
=http://yehg.net/
6. SOLUTION
We have not been informed of the fix.
We believe this issue should be fixed by the time of releasing our advisory.
7. VENDOR
F5 Networks, Inc.
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9
/login?BackURL=//yehg.net
6. SOLUTION
Upgrade to the latest 3.x version.
7. VENDOR
SilverStripe Development Team
http://www.silverstripe.org/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-02-06
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-02-06: notified vendor
2012-10-15: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BSilverStripe_2.4.7%5D_xss
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-07-29: notified vendor, vendor did not plan to release fix
because of default deployed referer check
2012-08-19: vulnerability disclosed
10. REFERENCES
Original Advisory URL
for the option, Enforce IP addresses for
sessions.
7. VENDOR
ocPortal Development Team
http://www.ocportal.com/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-07-29: notified vendor, vendor did
/index.php?page=logintype=miscredirect=http://attacker.in
6. SOLUTION
Upgrade to the latest version.
7. VENDOR
ocPortal Development Team
http://www.ocportal.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-03-06: notified vendor
2012
http://www.thecollective.com.au/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-05-20: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_path_traversal
!) %
-6dc3a236402e2--
[/REQUEST]
6. SOLUTION
The Acunity CMS is no longer in active development.
It is recommended to user another CMS in active development and support.
7. VENDOR
The Collective
http://www.thecollective.com.au/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical
/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-04-15: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bfastpath-webchat
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-03-01: notified vendor
2012-04-15: vulnerability disclosed
10. REFERENCES
Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss
#yehg [2012-04-15]
, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-03-05: Open-Realty 2.5.8 in End-of-Support/Maintenance circle
2012-03-05: Vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bopen-realty_2.5.8_2.x%5D_lfi
Open-Realty
://www.datemill.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-06-21: notified vendor
2012-03-05: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Betano_1.2.x%5D_xss
#yehg [2012-03-05]
=L2N1YmUvaW5kZXgucGhwP2FjdD1sb2dpbg%3D%3D
6. SOLUTION
The CubeCart 3.0.x version family is no longer maintained by the vendor.
7. VENDOR
CubeCart Development Team
http://cubecart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-02-10: CubeCart 3.0.x in End
%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22onmouseover=alert%28%27XSS%27%29;%22x=
6. SOLUTION
Upgade to the latest version of Oxwall.
7. VENDOR
Oxwall Foundation
http://www.oxwall.org/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE
. VENDOR
BoonEx Pty Ltd
http://www.boonex.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-06-09: notified vendor
2011-10-24: fixed version, 7.0.8, released
2012-02-20: vulnerability disclosed
10. REFERENCES
Original Advisory URL
. VENDOR
CubeCart Development Team
http://cubecart.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2012-02-10: CubeCart 3.0.x in End-of-Support/Maintenance circle
2012-02-10: Vulnerability disclosed
10. REFERENCES
Original Advisory URL
)
6. VENDOR
Vastgota-Data
7. CREDIT
This vulnerability was discovered by Myo Soe, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
8. DISCLOSURE TIME-LINE
2011-06-19: notified vendor through email
2011-10-17: vendor released fixed version, 2011-10-17
2011-10-25: vulnerability disclosed
9
,
escapeshellcmd($this-Sendmail), escapeshellarg($this-Sender));
395: $sendmail = sprintf(%s -oi -t, escapeshellcmd($this-Sendmail));
7. VENDOR
vTiger Development Team
http://www.vtiger.com/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group
they acknowledged
the report.
7. VENDOR
vTiger Development Team
http://www.vtiger.com/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-12-08: notified vendor
2011-10-05: no fixed version released yet
! Developer Team
http://www.joomla.org
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
2011-07-29: notified vendor
2011-09-26: patched version, 1.7.1-stable, released
2011-09-29: vulnerability disclosed
11
=downloadattachatid=59
7. VENDOR
Electron Inc.
http://www.anelectron.com/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-12-14: notified vendor through email, website contact form submission
2011-05-17
Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-06-03: notified vendor
2010-06-03: vendor replied fix would be available within 48hrs
2011-08-24: vendor released fixed version, jcow.4.3.1.ce
2011-08-26: vulnerability disclosed
10. REFERENCES
Original
Team
http://www.jcow.net
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-06-03: notified vendor
2010-06-03: vendor replied fix would be available within 48hrs
2011-08-24: vendor released fixed versions
CMS 5.4.1.1 XSS /
/form
6. SOLUTION
Upgrade to 5.4.2 or higher.
7. VENDOR
Concrete CMS Developers
http://www.concrete5.org/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-04-14: vulnerability
. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-08-01: vulnerability reported
2011-08-15: vendor released fixed version
2011-08-18: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-01-26: notified vendor
2011-08-01: vendor released fix
2011-08-13: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js
. VERSIONS AFFECTED
2.8.1 =
5. SOLUTION
Upgrade to 2.8.2 or higher
6. VENDOR
WebsiteBaker Org e. V.
http://www.websitebaker2.org/
7. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
8. DISCLOSURE TIME-LINE
2011-01-26: notified
(javascript:alert(/XSS/)) x=s /
6. SOLUTION
Upgrade to 1.7.10 or higher.
7. VENDOR
Curverider Ltd
http://www.curverider.co.uk/
http://elgg.org/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-06
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
2011-07-02: notified vendor
2011-07-19: patched version, 1.7.0, released
2011-07-22: vulnerability disclosed
11. REFERENCES
Original Advisory URL:
http
Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
2011-05-26: notified vendor
2011-06-28: vendor released fix
2011-06-28: vulnerability disclosed
11. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3
AFFECTED
Joomla! 1.6.0
5. PROOF-OF-CONCEPT/EXPLOIT
http://attacker.in/joomla160/libraries/phpmailer/language/phpmailer.lang-joomla.php
6. SOLUTION
Upgrade to Joomla! 1.6.1 or higher
7. VENDOR
Joomla! Developer Team
http://www.joomla.org
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker
/data/definitions/352.html
#yehg [2010-03-23]
keywords: php nuke, php-nuke, phpnuke, 8.0, 8.1, csrf
-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
is NOT recommended because of long lack of update
and vendor negligence about security reports.
7. VENDOR
PHP-Nuke Developers
http://phpnuke.org/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-01-01: contacted author through emails
2011-01-25
. VENDOR
php-Nuke Developers
http://phpnuke.org/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-01-01: contacted author through emails
2011-01-25: contacted author through web site contact form
2010-03-23: no replies from author
2010-03-23
, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-03-10: notified vendor
2011-03-16: vendor released fixed version
2011-03-18: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[xoops_2.5.0]_cross_site_scripting
Vendor Announcement
://bbpress.org/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-12-23: notified vendor
2011-02-24: vendor released fixed version
2011-03-13: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http
by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-01-24: notified vendor
2011-03-08: vendor released fix
2011-03-14: vulnerability disclosed
10. REFERENCES
Vendor Advisory URL:
http://developer.joomla.org/security/news/328-20110201-core-sql-injection
to Joomla! 1.6.1 or higher
8. VENDOR
Joomla! Developer Team
http://www.joomla.org
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
2011-01-24: notified vendor
2011-03-08: vendor released fix
2011-03-14
/index.php?p=/entry/;scriptalert(/XSS/)/script
6. SOLUTION
Upgrade to Vanilla Forums 2.0.17.6 or higher
7. VENDOR
Vanilla Forums Development Team
http://vanillaforums.org/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9
/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-12-24: notified vendor
2011-01-25: vendor released fix
2011-02-01: vulnerability disclosed
10. REFERENCES
Original Advisory URL: http://yehg.net/lab
. SOLUTION
Upgrade to Vanilla Forums 2.0.17 or higher
7. VENDOR
Vanilla Forums Development Team
http://vanillaforums.org/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-12-14: notified vendor
2011-01
Full HTML formatting for sites that allow public user registration.
8. VENDOR
Drupal Development Team
http://drupal.org
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
2010-12-30: notified vendor
2010-12
for it.
-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
6. SOLUTION
Joomla 1.0.x series has been at end of life since 2009-07-22.
Upgrade to Joomla! 1.5.x family (1.5.22 as of 2011-01-05)
7. VENDOR
Joomla! Developer Team
http://www.joomla.org
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group
://www.geeklog.net/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-12-31: notified vendor
2011-01-02: vendor released fixed version
2011-01-04: vulnerability disclosed
10. REFERENCES
Original Advisory URL
=Preview
Post
6. SOLUTION
Upgrade to 1.6.1
7. VENDOR
MyBB Development Team
http://www.mybb.com/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-12-09: notified vendor
2010-12-15: vendor released fixed
(February 2011) and 3.7 (June 2011).
8. VENDOR
Eclipse Developers Team
http://www.eclipse.org/
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
2010-11-04 : vulnerability discovered
2010-11-05 : notified vendor
This public disclosure has achieved its aim.
Joomla! Team finally patched this hole.
http://developer.joomla.org/security/news/9-security/10-core-security/323-20101101-core-sqli-info-disclosurevulnerabilities.html
Upgrade to the latest Joomla! version (1.5.22 or later).
1. VULNERABILITY
: Notified Joomla! Security Strike Team
2010-11-01 : Vulnerability disclosed
4. VENDOR
Joomla! Developer Team
http://www.joomla.org
http://www.joomla.org/download.html
# YGN Ethical Hacker Group
# http://yehg.net
# 2010-11-1
://cwe.mitre.org/data/definitions/79.html
-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
untrusted sources to Desktop location
8. VENDOR
Adobe Inc (http://www.adobe.com)
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
09-02-2010: vulnerability discovered
09-03-2010: notified vendor
09-10-2010
, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
09-09-2010: vulnerability discovered
09-09-2010: notified vendor
09-09-2010: vulnerability disclosed
11. REFERENCES
Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/[pgp_desktop]_9x
I found this Microsoft Internet explorer 8 DLL Hijacking at Inject0r db
http://inj3ct0r.com/exploits/13898
This one is a similar variant of IE 7
http://www.exploit-db.com/exploits/2929/
It can be triggered only if attackers can put a IESHIMS.DLL file in
user's desktop.
However, there are
The fixed version KeePass 2.13 has been released.
http://keepass.info/news/n100906_2.13.html
But failure to describe DLL Hijacking was fixed.
http://www.moovida.com/
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
08-28-2010: vulnerability discovered
08-28-2010: notified vendor via support ticket
09-02-2010: notified vendor via support forum
09
://keepass.info
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
08-29-2010: vulnerability discovered
08-29-2010: notified vendor
08-29-2010: patch released
09-01-2010: vulnerability disclosed
11. REFERENCES
Original
http://logic-ware.net/
http://www.qtweb.net/
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
08-29-2010: vulnerability discovered
08-29-2010: notified vendor
08-29-2010: vulnerability disclosed
11
Limited
http://www.maxthon.com/
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
08-28-2010: vulnerability discovered
08-28-2010: notified vendor
08-28-2010: vulnerability disclosed
11. REFERENCES
Original
service
Please see workaround solution links in References section.
8. VENDOR
Notepad++ Developers Team
http://notepad-plus-plus.org/
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
08-28-2010
at 08-15-2010. It is now supposed to be safe.
It is suggested that any web sites that use this component ask the
vendor for the updated version.
8. VENDOR
Blastchat
http://www.blastchat.com
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group
, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
08-11-2010: discovered vulnerability
08-11-2010: notified vendor
08-11-2010: vendor fixed vulnerability
08-14-2010: vendor released patched version - 3.4
08-26-2010: vulnerability disclosed
11. REFERENCES
Original
8. VENDOR
phpMyAdmin (http://www.phpmyadmin.net)
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
08-09-2010: vulnerability discovered
08-10-2010: notified vendor
08-20-2010: vendor released fix
08-20
2wire support just replied that this has been fixed and new version
(6.x.x.x) has been released.
The advisory has been updated accordingly.
http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability
section.
8. VENDOR
2Wire Inc
http://www.2wire.com
About 2Wire - http://www.2wire.com/index.php?p=486
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
07-25-2010: vulnerability discovered
07-29-2010: notified
Hi Cru3l.b0y
We've been seeing you keep mistakenly assuming RFI for constant variables.
For next releases of your great bug hunting journey, please note:
1. Constant variables are usually written Capital letter such as
ABSPATH, DB_USER, DB_PASSWORD, DB_HOST
2. Programmers define them in config
Great!
We should fill up %20 as many as possible to hide the payloads in
some wider screens.
The JavaScript Test 2 example is great for stealth phishing attacks
while status bar spoofing is great for hiding our attack payload.
I also made a record for hiding XSS payload.
84 matches
Mail list logo