Open Source and information security mailing list archives
Message-ID: <20060406180246.16721.qmail@securityfocus.com>
Date: 6 Apr 2006 18:02:46 -0000
From: king_purba@...oo.co.uk
To: bugtraq@...urityfocus.com
Subject: MAXDEV CMS Multiple vulnerabilities


Full Path disclosure
---------------------
This hole is caused by direct access to the file includes/legacy.php, which is not protected against being requested on its own; the resulting PHP error message reveals the full filesystem path.

PoC :
http://site.co.id/maxdev/includes/legacy.php

Fix :
Turning off display_errors in php.ini fixes this security issue.

Blind SQL injection
-------------------
This hole is caused by the request filtering not being applied to the $topicid variable in the file modules/Topics/pnuserapi.php.

PoC :
http://site.co.id/maxdev/index.php?module=Topics&func=display&topicid=0 AND 1=0
http://site.co.id/maxdev/index.php?module=Topics&func=display&topicid=0 AND 1=1

Fix :
MAXDEV CMS has a filtering script to protect all requests, but I'm too lazy to analyze the code, so I just added this code
in modules/Topics/pnuserapi.php:

<?php
// Reject any topicid that is not numeric before it reaches the query.
if(isset($_GET['topicid']))
{
        $topicid=$_GET['topicid'];
        validate($topicid);
}

// Stops the request when the value is not numeric. Note that is_numeric()
// also accepts signed, decimal and exponent forms such as "1e3", so this is
// looser than requiring decimal digits only.
function validate($char)
{
        if(!is_numeric($char))
        {
                die("i have received an error request");
        }
}
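As an added example, not part of this advisory, here is a Python check that a defender could run over web server access logs to spot both issues described above: direct requests for includes/legacy.php, and Topics requests whose topicid is not a plain integer (the same test the author's validate() performs, but requiring decimal digits only). The log lines are constructed for the example and modelled on the PoC URLs.

```python
# Added example (not from the advisory): flag requests to the MAXDEV Topics
# module whose topicid is not a plain integer, plus direct hits on
# includes/legacy.php, using constructed Apache combined-format log lines.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines, not real traffic. The PoC payloads appear
# percent-encoded, as a browser would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Apr/2006:18:02:46 +0000] "GET /maxdev/index.php?module=Topics&func=display&topicid=7 HTTP/1.1" 200 4120
203.0.113.5 - - [06/Apr/2006:18:02:47 +0000] "GET /maxdev/index.php?module=Topics&func=display&topicid=0%20AND%201=0 HTTP/1.1" 200 2210
203.0.113.5 - - [06/Apr/2006:18:02:48 +0000] "GET /maxdev/index.php?module=Topics&func=display&topicid=0%20AND%201=1 HTTP/1.1" 200 4120
203.0.113.5 - - [06/Apr/2006:18:02:49 +0000] "GET /maxdev/includes/legacy.php HTTP/1.1" 200 310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) (?P<size>\S+)'
)


def is_plain_topicid(value: str) -> bool:
    """True only for a string of decimal digits (stricter than PHP is_numeric)."""
    return re.fullmatch(r"[0-9]+", value) is not None


def flag_requests(log_text: str):
    """Return (ip, reason, detail) tuples for requests matching either issue."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip
        parts = urlsplit(m.group("path"))
        if parts.path.endswith("/includes/legacy.php"):
            findings.append((m.group("ip"), "direct access to includes/legacy.php", parts.path))
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %20 etc.
        if qs.get("module") == ["Topics"]:
            for tid in qs.get("topicid", []):
                if not is_plain_topicid(tid):
                    findings.append((m.group("ip"), "non-numeric topicid", tid))
    return findings


if __name__ == "__main__":
    for ip, reason, detail in flag_requests(SAMPLE_LOG):
        print(f"{ip}: {reason}: {detail!r}")
```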

