lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0503261328560.8741-100000@bugsbunny.castlecops.com>
Date: Sat, 26 Mar 2005 13:33:25 -0500 (EST)
From: Paul Laudanski <zx@...tlecops.com>
To: Gerardo Astharot Di Giacomo <astharot@...e-h.org>
Cc: vuln@...unia.com, news@...uriteam.com,
	full-disclosure@...ts.grok.org.uk, bugs@...uritytracker.com,
	bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
	moderators@...db.org
Subject: Re: ZH2005-03SA -- multiple vulnerabilities in
	NukeBookmarks .6


On 26 Mar 2005, Gerardo Astharot Di Giacomo wrote:
> Product: NukeBookmarks .6
> URL: http://nukebookmarks.sourceforge.net/

> 1) Full path disclosure
> It's possible to retrieve the full installation URL of the website. In "marks.php" file, there are some queries to the database. If some parameters miss or some strange characters are submitted, the functions that get results from the database will return an error.

I can understand how full path disclosure can be an issue, however, in a 
production environment the PHP settings to display errors ought to be 
disabled.  As such, full path disclosure goes away.

> 3) SQL Injection
> It's possible to get any content from the database by exploiting a SQL Injection vulnerability in "marks.php" file.
> 
> This example will get the list of PHPNuke authors and the relative hashes of the passwords.

That is true if the default table names are used.  However it would be 
worth noting that with any web presence that uses a backend database, the 
prefix ought to be changed to something random and non-default.

Does this completely solve the issue, of course not, but it can stop the 
script kiddy attacks.  For more on this:

http://unixwiz.net/techtips/sql-injection.html

Thanks for the disclosure.

-- 
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ