lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 19 Apr 2006 19:01:08 -0000
From: o.y.6@...mail.com
To: bugtraq@...urityfocus.com
Subject: WWWThread RC 3 MultBugs


[code]// --- WWWThread RC 3 MultBugs --- //

	* D3vil-0x1 | Devil-00
    * www.securitygurus.net
    * Gr33tz
    	- HACKERS PAL | n0m3rcy | -

            	&
                		All Others << i forgot them :))

//---------------------------------//

//---------------------------------// [ Bug 1 ] //---------------------------------//

// File name :- register.php
// Bug :- Remote [ _COKKIE['forumreferrer] ] SQL Injection

/* Code
	//
if(isset($_COOKIE["forumreferrer"]))
	{
		$referral_id = $_COOKIE["forumreferrer"];
		$result = $db->query('SELECT referral_count FROM '.$db->prefix.'users WHERE id='.$referral_id) 		  or error(mysql_error(), __FILE__, __LINE__, $db->error());
		list($referral_val) = $db->fetch_row($result);
		$rval = $referral_val[0] + 1;
		$db->query('UPDATE '.$db->prefix.'users SET referral_count='. $rval . ' WHERE id='.$				  referral_id) or error(mysql_error(), __FILE__, __LINE__, $db->error());
	}
    //
*/

Fix :-

/*
$referral_id = intval($_COOKIE["forumreferrer"]);
*/


//---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------//

//---------------------------------//  [ Bug 2 ] //---------------------------------//

// File name :- message_list.php
// Bug :- Remote SQL Injection

/* Code

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
	if( isset($_POST['delete_messages_comply']) )
	{
		confirm_referrer('message_list.php');
		$db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.$_POST['messages'].') AND owner=			\''.$forum_user['id'].'\'') or error(mysql_error(), __FILE__, __LINE__, $db->error());
		redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
	}

*/

// Fix :-

Replace with this code :D

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
	if( isset($_POST['delete_messages_comply']) )
	{
		confirm_referrer('message_list.php');
		$db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.intval($_POST['messages']).') AND owner=			\''.$forum_user['id'].'\'') or error(mysql_error(), __FILE__, __LINE__, $db->error());
		redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
	}

// Exploit

- Resend This Requsit By HTTPLiveHeaders :D -

messages=[SQL]&box=0&delete_messages_comply=Delete
[/code]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ