Re: [Full-disclosure] Vulnerabilities digest

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHUT UP VLADIS

On Wed, 10 Oct 2007 14:19:25 -0400 3APA3A <3APA3A@xxxxxxxxxxxxxxxx> wrote:

Dear bugtraq@xxxxxxxxxxxxxxxxx,

Vulnerabilities reported by different Russian-speaking authors to http://securityvulns.ru

1. Elekt (Antichat.ru) reports a protection bypass vulnerability in PHP 4 and 5.

The disable_functions feature can be bypassed by using function aliases. A list of aliases is given in http://php.net/aliases/. For example, ini_alter() may be used instead of ini_set() and vice versa.

SecurityVulns issue: http://securityvulns.com/news/PHP/alias-pb.html
Original message (in Russian):
http://securityvulns.ru/Sdocument67.html

2. MustLive reports a Cross-Site Scripting vulnerability in WordPress MultiUser 1.0

XSS is possible via Username form field.

Additional information (in Ukrainian):
http://websecurity.com.ua/1269/
Original message (in Russian):
http://securityvulns.ru/Rdocument875.html

3. durito [NGH Group] reports multiple SQL injections in ActiveKB 1.5

Examples:

http://www.example.com/activekb/index.php?ToDo=browse&catId=[SQL]
http://www.example.com/activekb/admin/index.php?ToDo=hideQuestion&questId=[SQL]

Original message (in Russian):
http://securityvulns.ru/Rdocument901.html

4. MustLive reports a Cross-Site Scripting vulnerability in Joomla! <= 1.0.13

An example of the vulnerability is

http://site/index.php?option=com_search&searchword=';alert('XSS')//

Additional information (in Ukrainian):
http://websecurity.com.ua/1203/
Original message (in Russian):
http://securityvulns.ru/Rdocument919.html

5. durito [NGH Group] reports a cross-site scripting vulnerability in ActiveKB NX 2.5.4

Example: http://www.example.com/activekb/ActiveKB/?page=[XXS]

Original message (in Russian):
http://securityvulns.ru/Rdocument956.html

6. "noname indexed" reports vulnerability in UMI CMS (http://uni-cms.ru)

Vulnerability example:

http://example.com/search/search_do/?search_string=%22%20onmouseover=%22javacript:alert();

Original message (in Russian):
http://securityvulns.ru/Rdocument957.html

7. MustLive reports cross-site scripting vulnerability in Nucleus.

Example: http://site/index.php?blogid=1&archive=2007-01-01%3Cscript%3Ealert(document.cookie)%3C/script%3E

Additional information (in Ukrainian):
http://websecurity.com.ua/1347/
Original message (in Russian):
http://securityvulns.ru/Sdocument3.html

8. durito [NGH Group] reports

8.1 multiple SQL injections in Stride v1.0 Content Management System, Merchant, Courses. Examples:

Content Management System

http://www.example.com/main.php?p=[SQL]

Merchant

http://www.example.com/shop.php?cmd=sto&id=[SQL]

Courses

http://www.example.com/detail.php?course=[SQL]
http://www.example.com/detail.php?provider=[SQL]

8.2 Information leak (FTP access account) with MyFTPUploader within the same applications. Example:

http://www.example.com/include/imageupload.js

contains

document.writeln('<param name="uploadDirectory" value="/public_html/dbimages/process">');
document.writeln('<param name="successURL" value="admin_imagemulti.php?action=process">');
document.writeln('<param name="host" value="www.target.com">');
document.writeln('<param name="userName" value="target">');
document.writeln('<param name="password" value="target">');

8.3 Default administrator password for the same applications.

Original message (in Russian):
http://securityvulns.ru/Sdocument4.html

9. MustLive reports multiple cross-site scripting vulnerabilities in Site-Up <= 2.64

Via "search" and "search mask" fields of http://site/siteuprus/index.cgi.

Additional information (in Ukrainian):
http://websecurity.com.ua/1210/
Original message (in Russian):
http://securityvulns.ru/Sdocument12.html

10. MustLive reports cross-site scripting in Google Search Appliance.

Example:
http://site/search?ie=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&site=x&output=xml_no_dtd'&client=x&proxystylesheet=x'

Additional information (in Ukrainian):
http://websecurity.com.ua/1368/
Original message (in Russian):
http://securityvulns.ru/Sdocument32.html

10. MustLive reports cross-site scripting in PRO-search

Example:
http://site/?q=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Additional information (in Ukrainian):
http://websecurity.com.ua/1224/
Original message (in Russian):
http://securityvulns.ru/Sdocument68.html

10. MustLive reports multiple vulnerabilities in Urchin Web Analytics 5.7.03.
In addition to the re-discovered XSS vulnerability, there is also an authentication bypass (access without username/password).

Example:
http://site:10000/report.cgi?profile=x&rid=42&prefs=x&n=10&vid=1301&bd=20070703&ed=20070703&dt=4&gtype=5

Additional information (in Ukrainian):
http://websecurity.com.ua/1283/
Original message (in Russian):
http://securityvulns.ru/Sdocument90.html

11. MustLive reports a cross-site scripting vulnerability in Mozilla Firefox <= 2.0 with gopher: protocol URL if page content is displayed as UTF-7. Examples:

For Firefox before 2.0:

gopher:///1+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-

gopher:///1Turn%20on%20UTF-7%20to%20view%20this%20message%20+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-

For Firefox 2.0:

gopher:///1+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-

gopher:///1Turn%20on%20UTF-7%20to%20view%20this%20message%20+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-

According to the author, it's possible to execute script in both the local zone and the context of the gopher site.

12. ShAnKaR reports PHP Zend Hash vulnerability exploitation vector with Drupal <= 5.2.

Example:
http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/<?phpinfo();

Original message (in Russian):
http://securityvulns.ru/Sdocument137.html

13. ShAnKaR reports PHP injection vulnerability in TikiWiki 1.9.8.

Example: http://www.example.com/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=

Original message (in Russian):
http://securityvulns.ru/Sdocument162.html

Also, multiple vulnerabilities were reported in English by

:: iNs @ uNkn0wn.eu :: http://securityvulns.com/source26994.html
and
r0t: http://securityvulns.com/source12948.html

--
http://securityvulns.com/
/\_/\
{ , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A  } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkcNIXUACgkQ+dWaEhErNvSx3AP8CerSijQ2isO5LY36fadxrILLiQok
XJi0X3Sa+AooEb2m9if9CdMhel7A3a4yyBMqVOWfWF1hbxccpeNS0Fi1OKXNoYwMpRIe
PKST+uLl+dMxMKicDIMkRo4xyVc76+X/uq5b5IAk4vrR27CX/4yFHBboDK3cDptsQ9C6
6LtRXXA=
=tavm
-----END PGP SIGNATURE-----
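Item 1 of the digest turns on a simple property: disable_functions matches function names, and an alias is a different name for the same function, so disabling ini_set alone leaves ini_alter callable. The helper below is an added example (it is not from the digest, from Elekt's report, or from PHP's own tooling) that closes a disable_functions value over an alias table so that every name in a group is listed together. The ALIAS_GROUPS table is a subset of the php.net alias list the digest links to, as assumed here; the full list for the PHP version in use is authoritative.

```python
"""Added example: close a PHP disable_functions value over function aliases.

Not part of the digest or of PHP. ALIAS_GROUPS is a partial table assumed
from http://php.net/aliases/; verify it against the full list for your PHP
version before relying on it.
"""

# Each set is one function plus its aliases (partial, see module docstring).
ALIAS_GROUPS = [
    {"ini_set", "ini_alter"},
    {"is_int", "is_integer", "is_long"},
    {"is_float", "is_double", "is_real"},
    {"floatval", "doubleval"},
    {"rtrim", "chop"},
    {"implode", "join"},
    {"count", "sizeof"},
    {"strstr", "strchr"},
    {"fwrite", "fputs"},
    {"array_key_exists", "key_exists"},
    {"highlight_file", "show_source"},
    {"current", "pos"},
]


def aliases_of(name: str) -> set:
    """All names that reach the same function as `name` (including itself)."""
    for group in ALIAS_GROUPS:
        if name in group:
            return set(group)
    return {name}


def parse_disable_functions(value: str) -> set:
    """Split a php.ini-style comma-separated list.

    Names are normalised to lowercase because PHP function names are
    case-insensitive.
    """
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def close_over_aliases(value: str):
    """Return (complete directive value, names the original list was missing).

    The complete value lists every alias of every listed function, so a
    caller cannot substitute an alias for a disabled name.
    """
    listed = parse_disable_functions(value)
    complete = set()
    for name in listed:
        complete |= aliases_of(name)
    missing = sorted(complete - listed)
    return ",".join(sorted(complete)), missing


if __name__ == "__main__":
    # Constructed php.ini value: ini_set and show_source are disabled but
    # their aliases ini_alter and highlight_file are not.
    directive, missing = close_over_aliases("ini_set,exec,show_source")
    print("missing aliases:", missing)
    print("disable_functions =", directive)
```

Run it over the disable_functions line of a php.ini and add whatever `missing` reports; the same audit belongs in configuration review for every alias group, not only the ini_set/ini_alter pair the digest names.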
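Most of the remaining items (2 through 7, 9 through 11) are reflected XSS or SQL injection reached through request parameters, and item 11 relies on UTF-7 shift sequences such as +ADw- standing in for angle brackets. The script below is an added example from a defender's side, not code from the digest or from any of the products it names: it percent-decodes a request target, undoes UTF-7 when a shift sequence is present, flags the script markers the digest's examples share, and flags non-numeric values in parameters that should be integers. The access-log lines, the SCRIPT_MARKERS list and the INTEGER_PARAMS set are constructed for this example and modelled on the digest's URLs; the integer-typed parameter names are an assumption about those applications.

```python
"""Added example: triage request targets shaped like the digest's example URLs.

Not part of the digest. Log lines, marker list and the set of integer-typed
parameters are constructed/assumed for this example.
"""
import html
import re
from urllib.parse import unquote

# Constructed sample access-log lines modelled on the digest's examples.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2007:14:19:25 -0400] "GET /index.php?option=com_search&searchword=';alert('XSS')// HTTP/1.1" 200 512
10.0.0.6 - - [10/Oct/2007:14:19:26 -0400] "GET /search?ie=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&site=x HTTP/1.1" 200 300
10.0.0.7 - - [10/Oct/2007:14:19:27 -0400] "GET /activekb/index.php?ToDo=browse&catId=42%27 HTTP/1.1" 500 0
10.0.0.8 - - [10/Oct/2007:14:19:28 -0400] "GET /1+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4- HTTP/1.1" 200 120
10.0.0.9 - - [10/Oct/2007:14:19:29 -0400] "GET /index.php?blogid=1&archive=2007-01-01 HTTP/1.1" 200 2048
"""

REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A terminated UTF-7 shift sequence, e.g. +ADw- which decodes to '<'.
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-")
# Markers shared by the reflected-XSS examples in the digest (constructed list).
SCRIPT_MARKERS = re.compile(
    r"<\s*script|\bon\w+\s*=|javascript:|\balert\s*\(", re.IGNORECASE
)
# Parameters the digest's SQL-injection examples target; assumed integer-typed.
INTEGER_PARAMS = {"catId", "questId", "id", "p", "course", "provider", "blogid"}


def normalise(raw: str) -> str:
    """Percent-decode, then undo UTF-7 if a shift sequence is present.

    '+' is kept literal (unquote, not unquote_plus) because UTF-7 uses it as
    the shift character; a decoder that maps '+' to space would hide it.
    """
    text = unquote(raw)
    if UTF7_SHIFT.search(text):
        try:
            text = text.encode("ascii").decode("utf-7")
        except (UnicodeEncodeError, UnicodeDecodeError):
            pass  # not valid UTF-7 after all; keep the percent-decoded form
    return text


def split_target(target: str):
    """Return (raw path, [(name, raw value), ...]); values are decoded later."""
    path, _, query = target.partition("?")
    params = []
    for pair in query.split("&") if query else []:
        name, _, value = pair.partition("=")
        params.append((unquote(name), value))
    return path, params


def analyse_target(target: str):
    """List (location, reason) findings for one request target."""
    findings = []
    path, params = split_target(target)
    if SCRIPT_MARKERS.search(normalise(path)):
        findings.append(("path", "script injection"))
    for name, raw_value in params:
        value = normalise(raw_value)
        if SCRIPT_MARKERS.search(value):
            findings.append((name, "script injection"))
        elif name in INTEGER_PARAMS and not value.isdigit():
            findings.append((name, "non-numeric id"))
    return findings


def scan_log(log_text: str):
    """Map 1-based line number -> findings for every flagged request."""
    results = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_TARGET.search(line)
        if match:
            findings = analyse_target(match.group(1))
            if findings:
                results[lineno] = findings
    return results


def escape_for_html(value: str) -> str:
    """The fix for the reflected-XSS items: encode user input before echoing it."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for lineno, findings in sorted(scan_log(SAMPLE_LOG).items()):
        print(lineno, findings)
```

Two points carry over from the digest's items into the code: the UTF-7 decode step only helps if the scanner sees the raw '+', so a pipeline that has already mapped '+' to space needs a second pass over the undecoded value; and for the gopher:/UTF-7 case the application-side fix is to declare the charset explicitly in the Content-Type header, while `escape_for_html` is the fix for the parameter-reflecting search pages.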

