Message-ID: <4CE527CA.10704@cert.unlp.edu.ar>
Date: Thu, 18 Nov 2010 10:19:06 -0300
From: Soporte CERT <soporte@...t.unlp.edu.ar>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in chCounter <= 3.1.3

Multiple vulnerabilities were found in web application chCounter <= 3.1.3.

Author:
- Matias Fontanini (mfontanini@...t.unlp.edu.ar).

Requirements:
- Downloads must be enabled (this is not the default).
- magic_quotes off.
- Access to the administration site.

=SQLInjection=
Location: administration/index.php?cat=downloads&edit=
Affected parameters: anzahl
Method: POST
Severity: High
Description: When accessing administration/index.php?cat=downloads&edit=VALID_ID with a valid download id, an attacker is able to manipulate the "anzahl" parameter to perform queries whose result is a single integer. The query output is sent back to the client in the "anzahl" text input.
Exploit: An attacker could perform repeated crafted requests to retrieve any database records the user has access to.
Proof of concept: see attached file "chcounter.py"

=XSS=
Location: administration/index.php?cat=downloads&edit=
Affected parameters: anzahl and wert
Method: POST
Severity: Low
Description: When accessing administration/index.php?cat=downloads&edit=VALID_ID with a valid download id, an attacker is able to insert HTML tags in the "wert" parameter. Once that is done, manipulating the "anzahl" parameter so that the resulting SQL query is malformed causes the injected code to be parsed by the web browser.
Proof of concept: use parameter wert=<script>alert(1);</script>. After that, use anzahl=XXX
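As an added illustration (not part of the advisory, the attached chcounter.py, or chCounter itself), the following Python checks a captured POST against the two conditions described in the SQL injection and XSS sections above: a non-integer "anzahl" value and markup in "wert" on the downloads edit page. The request samples and the "/administration/index.php" path prefix are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Endpoint named in the advisory (leading path is an assumption of this example).
TARGET_PATH = "/administration/index.php"
INT_RE = re.compile(r"^\d+$")               # the only value shape the page expects
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")  # crude HTML/script tag detector


def _first(d: dict) -> dict:
    """Flatten parse_qs output to its first value per key."""
    return {k: v[0] for k, v in d.items()}


def parse_request(raw: str) -> dict:
    """Parse a constructed raw HTTP/1.x request into method, path, query and form."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    url = urlparse(target)
    return {"method": method, "path": url.path,
            "query": _first(parse_qs(url.query, keep_blank_values=True)),
            "form": _first(parse_qs(body, keep_blank_values=True))}


def audit_request(req: dict) -> list:
    """Return findings for a POST to the downloads edit page (see advisory)."""
    findings = []
    q = req["query"]
    if (req["method"] != "POST" or not req["path"].endswith(TARGET_PATH)
            or q.get("cat") != "downloads" or "edit" not in q):
        return findings  # not the endpoint the advisory describes
    if not INT_RE.match(q["edit"]):
        findings.append("non-integer edit id")
    anzahl = req["form"].get("anzahl")
    if anzahl is not None and not INT_RE.match(anzahl):
        findings.append("anzahl is not an integer (possible SQL injection)")
    if TAG_RE.search(req["form"].get("wert", "")):
        findings.append("markup in wert (possible stored XSS)")
    return findings


# Constructed sample requests; the values in SUSPECT are the advisory's own PoC inputs.
BENIGN = ("POST /administration/index.php?cat=downloads&edit=7 HTTP/1.1\r\n"
          "Host: example.invalid\r\n\r\nanzahl=12&wert=report.pdf")
SUSPECT = ("POST /administration/index.php?cat=downloads&edit=7 HTTP/1.1\r\n"
           "Host: example.invalid\r\n\r\n"
           "anzahl=XXX&wert=%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E")

if __name__ == "__main__":
    for raw in (BENIGN, SUSPECT):
        print(audit_request(parse_request(raw)))
```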

