lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 30 Aug 2006 06:01:43 -0000
From: Hessamx@...samx.net
To: bugtraq@...urityfocus.com
Subject: Ezportal/Ztml v1.0 Multiple vulnerabilities

:: Ezportal/Ztml v1.0 Multiple vulnerabilities ::
------------------------------------------------
Software : Ezportal/Ztml
Website  : http://www.ztml.org
Bug Discover : Hessam-x / www.hessamx.net

I. Multiple Cross Site Scripting Vulnerabilities
-------------------------------------------------
Parameters :
About , Again , Lastname , Email , password , album,
id , table , desc , doc , mname , max , htpl ,pheader , & more...
are not properly sanitized in "Index.php".
This can be used to post arbitrary HTML or web script code. 
Attacker can be execute this url :
index.php?about=[XSS]
index.php?username=GUEST&again=[XSS]
& ...

II. SQL Injection Vulnerabilities
-------------------------------------------------
Parameters:
about , album , id , use , desc , doc , max , mname , & Other ...
is not properly sanitized before being used in SQL query.
vulnerable Page is : "index.php".
This can be used make any SQL query by injecting arbitrary SQL code.
Attacker can be execute this url :
index.php?about=[SQL Query]&use=ezportal.home.about.this.template
index.php?doc=[SQL Query]&etpl=ezp.home.update.status&ukey=_zdoc.zdoc.group
& other ...

III. Authentication Bypass Vulnerability
-------------------------------------------------
"Administration Area" script has no any authentication. 
Any user can get access to administrator's area.Just need to know script name

Powered by blists - more mailing lists