|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 1002 CVE : CVE-2006-2734 CVE : CVE-2006-2733 CVE : CVE-2006-2732 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : Mustafa Can Bjorn IPEKCI (nukedx nukedx com) Published : 01.06.2006
Advisory Text : Dökümanlar ?? Döküman oku --Security Report-- Advisory: MiniNuke v2.x Multiple Remote Vulnerabilities --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 27/05/06 03:16 PM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx (at) nukedx (dot) com [email concealed] Web: http://www.nukedx.com } --- Vendor: MiniNuke (http://www.miniex.net/) (http://www.mini-nuke.info/) Version: 2.3 and prior versions must be affected. About: Via this method remote attacker can inject arbitrary SQL query to Your_Account.asp. The problem is that yas_1,yas_2 and yas_3 parameters did not sanitized properly before using them on SQL query.This can be caused to remote attacker could change the SQL query line and change his rights on MiniNuke. Vulnerable codes can be found at lines 39-79.. -Code/39&79- yas = Request.Form("yas_1") & "." & Request.Form("yas_2") & "." & Request.Form("yas_3") ... ... ... Connection.Execute("UPDATE MEMBERS SET yas = '"&yas&"' WHERE uye_id = "&Session("Uye_ID")&"") -Code/39&79- Fixing this vulnerability is so easy change the line 39 to this. -Fixed/39- yas = duz(Request.Form("yas_1")) & "." & duz(Request.Form("yas_2")) & "." & duz(Request.Form("yas_3")) -Fixed/39- Another SQL injection in Your_Account.asp is that change theme for user, theme parameter did not sanitized properly before using it on SQL query. Vulnerable code can be found at line 229.. -Code/229- Connection.Execute("UPDATE MEMBERS SET u_theme='"&Request.Form("theme")&"' WHERE uye_id = "&Session("Uye_ID")&"") -Code/229- Fixing this vulnerability is so easy change the line to this -Fixed/229- fixedtheme = duz(Request.Form("theme")) Connection.Execute("UPDATE MEMBERS SET u_theme='"&fixedtheme&"' WHERE uye_id = "&Session("Uye_ID")&"") -Fixed/229- duz() function is special for MiniNuke it cleans the malicious characters on based variable. Second problem is on membership.asp.The security code is made as text format so it can be easily readable by remote attacker, and can be used for mass-register so mass-register can make D.o.S for MiniNuke. Third problem is on enter.asp the gguvenlik and guvenlik parameters used in login can be changeable by remote attacker, this can be cause remote attacker makes a dictionary-attack to specified user. Level: Critical Solution: Given --- How&Example: POST -> http://[site]/mndir/enter.asp?gguvenlik=1&guvenlik=1&kuladi=victim&passw ord=pass With this example remote attacker could make dictionary attack for getting victim's password. POST -> http://[site]/mndir/Your_Account.asp?op=RegTheme&theme=default',seviye=' 1 And other example for SQL injection in yas params like this. Login to your account on MiniNuke go to /Your_Account.asp?op=UpdateProfile and open the source code of page find yas_3 and change value like YEAR',seviye='1 and edit source correctly dont forgot to edit Timeline: * 27/05/2006: Vulnerability found. * 27/05/2006: Contacted with vendor and waiting reply. --- Exploit: http://www.nukedx.com/?getxpl=31 --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=31  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |