[TOOL] LiLith - Web Application Auditing
From: SecuriTeam (support_at_securiteam.com)
Date: 04/11/04
To: list@securiteam.com Date: 11 Apr 2004 15:25:22 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
LiLith - Web Application Auditing
------------------------------------------------------------------------
SUMMARY
DETAILS
LiLith is a tool written in Perl to audit web applications. It analyses web
pages and looks for HTML <form> tags, which often point to dynamic pages that
might be subject to SQL injection or other flaws.
It works as an ordinary web spider: it analyses every grabbed page, digs out
<form> tags and follows hyperlinks. It dissects the <form>s in a page and, if
requested (the default; it can be switched off with "-i"), injects special
characters that have a special meaning to the underlying platform.
It does not check for default-installed programs or scripts. To audit those,
use a scanner such as Nikto or N-Stealth.
Because web applications differ so much from one another, a scanner can never
perform a full 100% audit, so a manual recheck is necessary. Also be aware
that LiLith might report several false positives.
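The spidering and form-dissection step described above, shown as an added Python example (not LiLith's own Perl code): one page is parsed, every <form> is listed with its resolved action, method and field names, and same-host hyperlinks are collected for the next crawl step. The HTML document and the base URL are constructed for the example. Inventorying the forms this way is what lets an auditor decide which dynamic pages need the manual recheck the advisory asks for; the example stops at the inventory and does not submit anything.

```python
"""Form and link extractor for a web-application audit spider.
Added example, not LiLith's code. SAMPLE_HTML and BASE_URL are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormLinkParser(HTMLParser):
    """Collects each <form> (action, method, fields) and every <a href>."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []        # completed form dicts
        self.links = set()     # absolute URLs found in <a href>
        self._current = None   # the form currently being dissected

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases attribute names
        if tag == "form":
            self._current = {
                # a missing action means "submit to the current page"
                "action": urljoin(self.base_url, a.get("action") or self.base_url),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name:  # unnamed controls are never sent, so they are not inputs
                ftype = (a.get("type") or "text").lower() if tag == "input" else tag
                self._current["fields"].append((name, ftype))
        elif tag == "a" and a.get("href"):
            self.links.add(urljoin(self.base_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract(html, base_url):
    """Return (forms, sorted links) for one fetched page."""
    p = FormLinkParser(base_url)
    p.feed(html)
    p.close()
    return p.forms, sorted(p.links)


def same_host_links(links, base_url):
    """Keep the spider on the site under audit: drop links to other hosts."""
    host = urlparse(base_url).netloc
    return [link for link in links if urlparse(link).netloc == host]


def dynamic_forms(forms):
    """Forms that carry at least one user-editable field; these are the
    candidates that deserve a manual recheck rather than pure navigation forms."""
    static = ("submit", "hidden", "button")
    return [f for f in forms if any(t not in static for _, t in f["fields"])]


BASE_URL = "http://app.example.com/index.html"  # constructed
SAMPLE_HTML = """<html><body>
<a href="/products?id=1">Products</a>
<a href="http://other.example.net/x">External</a>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
  <input type="hidden" name="csrf" value="abc"><input type="submit" value="Go">
</form>
<form action="search.cgi">
  <input type="text" name="q"><select name="cat"><option>1</option></select>
</form>
<form action="/logout" method="post"><input type="submit" value="Logout"></form>
</body></html>"""  # constructed

if __name__ == "__main__":
    forms, links = extract(SAMPLE_HTML, BASE_URL)
    for f in forms:
        print(f["method"].upper(), f["action"], [n for n, _ in f["fields"]])
    print("next to crawl:", same_host_links(links, BASE_URL))
    print("forms worth a manual look:", len(dynamic_forms(forms)))
```

Running it lists three forms, of which only the login and search forms have user-editable fields; the logout form and the off-site link are filtered out, which is the kind of triage that keeps a scanner's false positives manageable.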
ADDITIONAL INFORMATION
The information has been provided by Michael Hendrickx (michael@scanit.be).
The tool can be downloaded from: http://angelo.scanit.biz/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.