[FD] [RT-SA-2014-016] Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite

2015-02-18 Thread RedTeam Pentesting GmbH
Advisory: Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite During a penetration test, RedTeam Pentesting discovered a Directory Traversal vulnerability in hybris Commerce software suite. This vulnerability allows attackers to download arbitrary files

[FD] CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Security Vulnerabilities* Exploit Title: InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Security Vulnerabilities Product: InstantForum.NET Vendor: InstantASP Vulnerable Versions: v4.1.3 v4.1.1

[FD] DLGuard Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*DLGuard Multiple XSS (Cross-Site Scripting) Security Vulnerabilities* Exploit Title: DLGuard Multiple XSS (Cross-Site Scripting) Security Vulnerabilities Product: DLGuard Vendor: DLGuard Vulnerable Versions: v5 v4.6 v4.5 Tested Version: v5 v4.6 Advisory Publication: Feb 18, 2015

[FD] DLGuard Full Path Disclosure (Information Leakage) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*DLGuard Full Path Disclosure (Information Leakage) Security Vulnerabilities* Exploit Title: DLGuard /index.php c parameter Full Path Disclosure Security Vulnerabilities Product: DLGuard Vendor: DLGuard Vulnerable Versions: v4.5 Tested Version: v4.5 Advisory Publication: Feb 18, 2015 Latest

[FD] Bug in TradeWinds

2015-02-18 Thread Juan Martinez
Hi, I turn to you because I want to make public a bug, a web server called Trade Winds, by which much compromising information of internal servers exposed ... Through a Dork on google: inurl: cgi-shl / twserver.exe run?. They are vulnerable server, injecting this url: http:

[FD] DLGuard SQL Injection Security Vulnerabilities

2015-02-18 Thread Jing Wang
DLGuard SQL Injection Security Vulnerabilities Exploit Title: DLGuard /index.php c parameter SQL Injection Security Vulnerabilities Product: DLGuard Vendor: DLGuard Vulnerable Versions: v4.5 Tested Version: v4.5 Advisory Publication: Feb 18, 2015 Latest Update: Feb 18, 2015 Vulnerability Type:

[FD] Crushftp 7.2.0 - Multiple CSRF XSS Vulnerabilities

2015-02-18 Thread Rehan Ahmed
I. Overview Multiple CSRF Cross-Site Scripting (XSS) vulnerabilities have been identified in Crushftp 7.2.0 (Web Interface) on default configuration. These vulnerabilities allows