[Full-Disclosure] Malicious post by "Manip"

From: Andrew Schmadeke (schmad_at_miller-group.net)
Date: 07/03/04

  • Next message: Jelmer: "RE: [Full-Disclosure] THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH"
    To: full-disclosure@lists.netsys.com
    Date: Sat, 3 Jul 2004 04:07:33 -0500
    
    

    The Security Alert on Centre by the Miller Group seems to have been
    posted maliciously.

    Two of the three vulnerabilities do not exist, and the first one is an
    obvious fabrication.

    The link posted demonstrating the first vulnerability actually portrays
    the correct behavior of the program.
    http://demo.miller-group.net/index.php?modfunc=create_account&staff&username=admin&staff_id=new
    points to a page that allows parents and teachers to request access to
    the program. This program was meant to be open to the public, and, in
    fact, the extra information at the end of the URL
    (&staff&username=admin&staff_id=new) does not affect the program's
    performance. As you can see,
    http://demo.miller-group.net/index.php?modfunc=create_account functions
    the same as the URL provided by Manip.
    http://demo.miller-group.net/index.php?modfunc=create_account is also a
    link from the Centre login screen titled "Create Account." There is no
    way to run any other program in Centre without being authenticated.

    Also, the third "vulnerability" is not an issue. All variables in SQL
    statements are encapsulated by single quotes, and Centre expects PHP's
    magic quotes to be on. Furthermore, single quotes are replaced by
    double single quotes (which cancels the single quote -- same behavior
    as \'). So, SQL injection is impossible in every module of Centre.
    This is obvious throughout the code.

    Finally, Manip's second vulnerability did exist in Centre up until
    Version 1.0. This was not a major vulnerability, since the malicious
    code had to be somewhere on the server running Centre. However, this
    vulnerability has been dealt with in Version 1.01, released today. Any
    program not allowed to a user (or any program not in Centre) cannot be
    run. And, the username and IP address of whoever attempts to run it
    are captured by the system.

    --Andrew Schmadeke
    The Miller Group
    schmad@miller-group.net

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
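The quote-doubling described in the post (each single quote in a value replaced by two, with the value wrapped in single quotes) can be exercised against a real SQL engine. This is an added illustration, not Centre's code: the `staff` table, its rows and the helper names are constructed for the example, SQLite stands in for the database, and the parameterized lookup is shown alongside as the equivalent modern form.

```python
import sqlite3


def escape_sql_literal(value: str) -> str:
    """Build a single-quoted SQL string literal by doubling embedded quotes.

    This mirrors the mechanism the post describes: a value placed in a
    statement is wrapped in single quotes and every ' inside it becomes ''.
    """
    return "'" + value.replace("'", "''") + "'"


def build_demo_db() -> sqlite3.Connection:
    # Constructed sample table for the example; not Centre's real schema.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE staff (username TEXT, staff_id INTEGER)")
    con.executemany(
        "INSERT INTO staff VALUES (?, ?)",
        [("admin", 1), ("ad'min", 2), ("teacher", 3)],
    )
    return con


def lookup_escaped(con: sqlite3.Connection, username: str) -> list:
    """Look a user up by splicing the quote-doubled literal into the SQL.

    Because the embedded quote is doubled, the whole of `username` stays
    inside one string literal and is compared as data, never parsed as SQL.
    """
    sql = "SELECT staff_id FROM staff WHERE username = " + escape_sql_literal(username)
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter; the driver keeps data and SQL apart."""
    return [row[0] for row in con.execute(
        "SELECT staff_id FROM staff WHERE username = ?", (username,))]


if __name__ == "__main__":
    con = build_demo_db()
    for name in ("admin", "ad'min", "ad'min'"):
        print(repr(name), escape_sql_literal(name),
              lookup_escaped(con, name), lookup_parameterized(con, name))
```

Both lookups return the same rows for every input, including usernames that contain a quote; a quote-bearing value that matches no stored username simply yields no rows rather than altering the statement.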

