[Full-Disclosure] Various Vulnerabilities in OWL Intranet Engine
From: Joxean Koret (joxeankoret_at_yahoo.es)
Date: 01/01/05
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, vuln@secunia.com
Date: Sat, 01 Jan 2005 19:52:48 +0000
----------------------------------------------------------------------------
Various Vulnerabilities in OWL Intranet Engine
----------------------------------------------------------------------------
Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OWL 0.7 and 0.8 - Owl is a multi user document repository (knowledgebase)
system written in PHP4 for publishing files/documents onto the web for a
corporation, small business, group of people, or just for yourself.
Web : http://owl.sourceforge.net/
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross Site Scripting Vulnerabilities
A1. In the script browser various parameters, that are used to write the
html code, are not verified.
Test URLS :
http:// http://
B. SQL Injection Vulnerabilities
B1. In the browser.php script the following parameters are vulnerable to
SQL Injection attacks.
Test URLS :
http:// http://
The fix:
~~~~~~~~
All problems are fixed in the CVS.
Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html