Vulnerabilities digest

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Vulnerabilities digest
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Wed, 10 Oct 2007 22:19:25 +0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear bugtraq@xxxxxxxxxxxxxxxxx,

  Vulnerabilities  reported  by  different  Russian  speaking authors to
  http://securityvulns.ru

1.  Elekt(Antichat.ru)  reports protection bypass vulnerability in PHP 4
and 5.

disable_functions  feature  can  be bypassed by using functions alias. A
list  of  aliases  is  given  in  http://php.net/aliases/.  For example,
ini_alter() may be used instead of ini_set() and vice versa.

SecurityVulns issue: http://securityvulns.com/news/PHP/alias-pb.html
Original  message (in Russian): http://securityvulns.ru/Sdocument67.html

2.   MustLive   reports  Crossite-Cripting  vulnerability  in  WordPress
MultiUser 1.0

XSS is possible via Username form field.

Additional information (in Ukranian): http://websecurity.com.ua/1269/
Original message (in Russian): http://securityvulns.ru/Rdocument875.html

3. durito [NGH Group] reports multiple SQL injections in ActiveKB 1.5

Example:

  http://www.example.com/activekb/index.php?ToDo=browse&catId=[SQL]
  
http://www.example.com/activekb/admin/index.php?ToDo=hideQuestion&questId=[SQL]

Original message (in Russian): http://securityvulns.ru/Rdocument901.html

4. MustLive reports Cross-Site Scripting vulnerability in Joomla! <= 1.0.13

An example of vulnerability is

http://site/index.php?option=com_search&searchword=';alert('XSS')//

Additional information (in Ukranian): http://websecurity.com.ua/1203/
Original message (in Russian): http://securityvulns.ru/Rdocument919.html

5.  durito  [NGH  Group]  reports  crossite-scripting  vulnerability  in
ActiveKB NX 2.5.4

Example: http://www.example.com/activekb/ActiveKB/?page=[XXS]

Original message (in Russian): http://securityvulns.ru/Rdocument956.html

6. "noname indexed" reports vulnerability in UMI CMS (http://uni-cms.ru)

Vulnerability example:

http://example.com/search/search_do/?search_string=%22%20onmouseover=%22javacript:alert();

Original message (in Russian): http://securityvulns.ru/Rdocument957.html

7. MustLive reports cross-site scripting vulnerability in Nucleus.

Example: 
http://site/index.php?blogid=1&archive=2007-01-01%3Cscript%3Ealert(document.cookie)%3C/script%3E

Additional information (in Ukranian): http://websecurity.com.ua/1347/
Original message (in Russian): http://securityvulns.ru/Sdocument3.html

8.  durito  [NGH  Group]  reports

   8.1 multiple SQL injections in Stride v1.0 Content Management System,
   Merchant, Courses. Examples:

 Content Management System

  http://www.example.com/main.php?p=[SQL]
  
 Merchant
 
  http://www.example.com/shop.php?cmd=sto&id=[SQL]
  
 Courses
 
  http://www.example.com/detail.php?course=[SQL]
  http://www.example.com/detail.php?provider=[SQL]

  8.2  Information  leak  (FTP access account) with MyFTPUploader within
  same applications. Example:

  http://www.example.com/include/imageupload.js

  contains

  document.writeln('<param name="uploadDirectory" 
value="/public_html/dbimages/process">');
  document.writeln('<param name="successURL" 
value="admin_imagemulti.php?action=process">');
  document.writeln('<param name="host" value="www.target.com">');
  document.writeln('<param name="userName" value="target">');
  document.writeln('<param name="password" value="target">');

  8.3 Default administrator's password for same applications.

Original message (in Russian): http://securityvulns.ru/Sdocument4.html

9.  MustLive  reports  multiple  crossite  scripting  vulnerabilities in
Site-Up <= 2.64

Via "search" and "search mask" fields of http://site/siteuprus/index.cgi:

Additional information (in Ukranian): http://websecurity.com.ua/1210/
Original message: (in Russian): http://securityvulns.ru/Sdocument12.html

10. MustLive reports crossite scripting in Google Search Appliance.

Example: 
http://site/search?ie=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&site=x&output=xml_no_dtd'&client=x&proxystylesheet=x'

Additional information (in Ukranian): http://websecurity.com.ua/1368/
Original message (in Russian): http://securityvulns.ru/Sdocument32.html

10. MustLive reports crossite scripting in PRO-search

Example: http://site/?q=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Additional information (in Ukranian): http://websecurity.com.ua/1224/
Original message (in Russian): http://securityvulns.ru/Sdocument68.html

10.   MustLive  reports multiple vulnerabilities in Urchin Web Analytics
5.7.03.
In   addition   to  re-discovered  XSS  vulnerability,  there  is  also
authentication bypass (access without username/password).

Example: 
http://site:10000/report.cgi?profile=x&rid=42&prefs=x&n=10&vid=1301&bd=20070703&ed=20070703&dt=4&gtype=5

Additional information (in Ukranian): http://websecurity.com.ua/1283/
Original message: (in Russian): http://securityvulns.ru/Sdocument90.html

11. MustLive reports crossite scripting vulnerability in Mozilla Firefox
<=  2.0  with  gopher:  protocol URL if UTF-7 if page content is displayed as
UTF-7. Examples:

For Firefox before 2.0:

gopher:///1+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-

gopher:///1Turn%20on%20UTF-7%20to%20view%20this%20message%20+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-

For Firefox 2.0:

gopher:///1+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-

gopher:///1Turn%20on%20UTF-7%20to%20view%20this%20message%20+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-

According  to author, it's possible to execute script in both local zone
and context of gopher site.

12.  ShAnKaR  reports  PHP  Zend Hash vulnerability exploitation vector
with Drupal <= 5.2.

Example: 
http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/<?phpinfo();

Original message (in Russian): http://securityvulns.ru/Sdocument137.html

13. ShAnKaR reports PHP injection vulnerability in TikiWiki 1.9.8.

Example: 
http://www.example.com/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=

Original message (in Russian):

http://securityvulns.ru/Sdocument162.html

Also, multiple vulnerabilities were reported in English by

:: iNs @ uNkn0wn.eu :: http://securityvulns.com/source26994.html
and
r0t: http://securityvulns.com/source12948.html










  

-- 
http://securityvulns.com/
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/

Prev by Date: [SECURITY] [DSA 1379-2] New openssl packages fix arbitrary code execution
Next by Date: iDefense Security Advisory 10.10.07: Kaspersky Web Scanner ActiveX Format String Vulnerability
Previous by thread: Re: Vulnerabilities digest
Next by thread: AST-2007-020: Resource Exhaustion Vulnerability in Asterisk SIP channel driver
Index(es):
- Date
- Thread