| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 19 Feb 2006 23:40:32 -0000 From: alex@...ln.com To: bugtraq@...urityfocus.com Subject: [eVuln] Time Tracking Software Multiple Vulnerabilities New eVuln Advisory: Time Tracking Software Multiple Vulnerabilities http://evuln.com/vulns/69/summary.html --------------------Summary---------------- eVuln ID: EV0069 CVE: CVE-2006-0689 CVE-2006-0690 CVE-2006-0691 Vendor: TTS Software Software: Time Tracking Software Sowtware's Web Site: http://schedulingmanagement.com/download-time-tracking-software-now.php Versions: 3.0 Critical Level: Moderate Type: Multiple Vulnerabilities Class: Remote Status: Unpatched. No reply from developer(s) Exploit: Available Solution: Not Available Discovered by: Aliaksandr Hartsuyeu (eVuln.com) -----------------Description--------------- 1. Unauthorized data modification is possible. Script edituser.php dont checks name and password and allows to modify data of any user. 2. Multiple SQL Injections Most of user defined data isn't properly sanitized. This can be used to bypass authentication or make any SQL query by injecting arbitrary SQL code. 3. Cross-Site Scripting UserName value in Registration Form is not properly sanitized. This can be used to insert arbitrary HTML or JavaScript code. --------------Exploit---------------------- Available at: http://evuln.com/vulns/69/exploit.html --------------Solution--------------------- No Patch available. --------------Credit----------------------- Discovered by: Aliaksandr Hartsuyeu (eVuln.com) Regards, Aliaksandr Hartsuyeu http://evuln.com - Penetration Testing Services .
Powered by blists - more mailing lists