| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 16 Jul 2003 17:25:44 -0000 From: G00db0y <G00db0y@...e-h.org> To: bugtraq@...urityfocus.com Subject: ZH2003-10SA (security advisory): Mail System Ver. 0.9 Beta ZH2003-10SA (security advisory): Mail System Ver. 0.9 Beta. Published: 16/07/2003 Released: 16/07/2003 Name: Mail System Ver. 0.9 Beta Affected Systems: All versions (?) Issue: Remote attackers can view all messages (and sql injection vulnerability) Author: G00db0y@...e-h.org Description *********** Zone-h Security Team has discovered a serious security flaw in Mail System Ver. 0.9 Beta. This is a simple internal mail system, originaly developed for an intranet project. Details ******* Mail System Ver. 0.9 Beta is a simple internal mail system in ASP. It's possible to retrieve all messages from it. Everyone can download the database at the following url: http://www.example.com/PATH/message.mdb Moreover there is a sql injection vulnerability in the login authentication form. It's located at: http://www.example.com/PATH/default.htm From there it's possible to login with these strings: Login name: ' or 'a'='a Password: ' or 'a'='a Solution: ********* The vendor has been contacted and a patch is not yet produced Suggestions: ************ Protect the message file, rewrite the login procedure. G00db0y - www.zone-h.org admin Original advisory here: http://www.zone-h.org/en/advisories/read/id=2709/
Powered by blists - more mailing lists