Message-ID: <5539FB0922D5E544B12A031DBD255E55034E6CAE@rijpat-s-346.europe.shell.com>
Date: Wed Apr 12 06:39:04 2006
From: Andre.VanWinssen at shell.com (Van Winssen, Andre A SITI-ITIBHW5)
Subject: RE: Oracle read-only user can insert/update/delete data
Alexander,
I have to say it once again: your company is very careless and irresponsible for publishing
so much detail about this new Oracle security flaw for which no patch exists yet, endangering
many customer production databases.
I have sent test cases to Oracle too that show that it works against any Oracle version currently
available. I expect Oracle to include the fix in the next CPU, but have my doubts.
Kind regards,
Andre van Winssen
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk]On Behalf Of
full-disclosure-request@...ts.grok.org.uk
Sent: Tuesday 11 April 2006 13:00
To: full-disclosure@...ts.grok.org.uk
Subject: Full-Disclosure Digest, Vol 14, Issue 19
Today's Topics:
1. Oracle read-only user can insert/update/delete data via specially crafted views (Kornbrust, Alexander)
2. Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw (Darren Bounds)
3. [MU-200604-01] Cyrus SASL DIGEST-MD5 Pre-Authentication Denial of Service (noreply@...ecurity.com)
4. SCOSA-2006.18 UnixWare 7.1.4 : MySQL User-Defined Function Buffer Overflow Vulnerability (SCO Security Advisories)
5. [ MDKSA-2006:069 ] - Updated openvpn packages fix vulnerability (security@...driva.com)
6. [ MDKSA-2006:070 ] - Updated openvpn packages fix vulnerability (security@...driva.com)
7. Dokeos 1.6.4 SQL Injection Vulnerability (Alvaro Olavarria)
8. Re: [Apparmor-dev] Re: [Full-disclosure] Re: [SC-L] Re: [Owasp-dotnet] RE: 4 Questions:Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code (Crispin Cowan)
9. JetPhoto Multiple Cross-Site Scripting Vulnerabilities (0o_zeus_o0 elitemexico.org)
----------------------------------------------------------------------
Message: 1
Date: Mon, 10 Apr 2006 14:11:38 +0200
From: "Kornbrust, Alexander" <ak@...-database-security.com>
Subject: [Full-disclosure] Oracle read-only user can insert/update/delete data via specially crafted views
To: <full-disclosure@...ts.grok.org.uk>
Message-ID:
<1C09DF36EB7A3F489633C919E741350162C6A0@...ibe09.exchange.xchg>
Content-Type: text/plain; charset="us-ascii"
Hello Full Disclosure
Last Thursday 6th April 2006, Oracle released a note on the Oracle
knowledgebase Metalink with details about an unfixed security
vulnerability (=0day) and a working test case (=exploit code) which
affects all versions of Oracle from 9.2.0.0 to 10.2.0.3. This note
"363848.1 - A User with SELECT Object Privilege on Base Tables Can
Delete Rows from a View" was available last week to Metalink customers.
The note was also displayed in the daily headlines section of the
Metalink.
That's why this information can be assumed to be public knowledge, and
DBAs/Developers who missed the note on Metalink should know about this
vulnerability in order to avoid/mitigate the risk (if possible) whilst
waiting for a patch from Oracle.
After noticing the note, I informed Oracle secalert that releasing such
information on Metalink is not a wise idea. Oracle normally criticises
individuals and/or companies for releasing information about Oracle
vulnerabilities (like David Litchfield from NGSSoftware for releasing
information about a still unfixed bug in the mod_plsql gateway). In this
case, not only did Oracle release detailed information on the
vulnerability; they also included the working exploit code on Metalink.
In an interview a few months ago, the Oracle CSO stated: "I've known
customers to terminate contracts ... for releasing exploit code... you
might get applause from hackers... but business will not pay you to slit
their throats. With knowledge comes responsibility."
After my email, Oracle removed the note from Metalink.
Problem:
In Oracle versions 9.2.0.0-10.2.0.3 an unpatched vulnerability exists
which allows users with "SELECT" only privileges on a base table to
insert/update/delete data via a specially crafted view.
The impact of this vulnerability on the Oracle data dictionary is low
because most data dictionary tables don't have a primary key which is a
requirement for this vulnerability.
The impact on custom applications can be huge and eliminate the entire
role concept because in well designed applications there is normally a
read-only role for low-privilege users (e.g. reporting or external
auditors). If these low-privileged users are able to create a view,
which is standard in Oracle 9.2.x to 10g R1, they could also insert,
update and delete data via a specially crafted view. Depending on the
architecture, it is possible to modify data, escalate privileges, ...
Test cases:
Oracle provided a complete test case in note 363848.1. I decided not to
publish such code on the internet as long as patches are not available.
If you need additional information you could contact me via email. A
test case (without the specially crafted view) is available on my
website:
http://www.red-database-security.com/advisory/oracle_modify_data_via_views.html
Patches:
Currently there are no patches available. According to Oracle secalert
Oracle will provide patches in a future critical patch update.
Red-Database-Security is not convinced that the April 2006 CPU will
contain patches against this vulnerability.
Workarounds / Risk Mitigation:
Sanitize the connect role (9i - 10g R1) and remove the CREATE VIEW (and
CREATE DATABASE LINK, ...) privilege from the connect role.
Removing the primary key from the base table solves the problem too. Be
aware that this could cause performance and integrity issues on the
application.
Oracle recommends creating views the option "WITH CHECK OPTION". This
recommendation helps against accidental modification but not against
hackers.
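The following SQL is an added example for the workaround above, not part of the advisory or of Oracle's note. It assumes a DBA session on a 9.2 to 10g R1 database with access to the DBA_* dictionary views, and shows how to audit who holds CREATE VIEW, detect views that a low-privilege schema has already created over another schema's tables, and then revoke the privilege from CONNECT as the advisory recommends.

```sql
-- Added example (not from the advisory). Assumes a DBA session.

-- 1. Which system privileges does the CONNECT role currently carry?
--    On 9.2 - 10g R1 this includes CREATE VIEW and CREATE DATABASE LINK.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'CONNECT'
ORDER  BY privilege;

-- 2. Who can create views today: accounts that inherit the privilege via
--    CONNECT, and accounts or roles holding a direct CREATE VIEW grant.
SELECT grantee, 'via CONNECT role' AS source
FROM   dba_role_privs
WHERE  granted_role = 'CONNECT'
UNION ALL
SELECT grantee, 'direct grant'
FROM   dba_sys_privs
WHERE  privilege = 'CREATE VIEW'
ORDER  BY 1, 2;

-- 3. Detection: views owned by one schema that sit on top of base tables
--    owned by a different schema. A read-only reporting account that has
--    created such a view is exactly the situation the advisory describes,
--    so each hit deserves a look at the view text in DBA_VIEWS.
SELECT d.owner            AS view_owner,
       d.name             AS view_name,
       d.referenced_owner AS table_owner,
       d.referenced_name  AS base_table
FROM   dba_dependencies d
WHERE  d.type            = 'VIEW'
AND    d.referenced_type = 'TABLE'
AND    d.owner          <> d.referenced_owner
AND    d.owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY 1, 2;

-- 4. The workaround from the advisory: take CREATE VIEW (and CREATE
--    DATABASE LINK) out of the CONNECT role so that read-only accounts
--    granted only CONNECT can no longer create views at all.
REVOKE CREATE VIEW FROM CONNECT;
REVOKE CREATE DATABASE LINK FROM CONNECT;

-- 5. Re-check: CONNECT should no longer list either privilege.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'CONNECT'
ORDER  BY privilege;
```

Developers and application owners who legitimately need CREATE VIEW must then receive it through a direct grant or a dedicated role, which is why step 2 is run before the REVOKE.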
Credits:
Special thanks to Jens Flasche who made Red-Database-Security aware of
the Metalink note and for the first analysis + additional test cases.
URLs:
Interview: Oracle CSO - Mary Ann Davidson
http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html
Metalink Hacking
http://www.red-database-security.com/wp/oracle_metalink_hacking_us.pdf
----------------------------------------------------------------------
Are you interested in additional information about Oracle security?
Our next Oracle Anti-Hacker-Training:
23-may - 26-may (4 days (english) - Milano / Italy)
29-may - 2-june (5 days (english) - Cupertino [CA] / U.S.A)
19-june - 23-june (5 days (german) - Oberursel/Frankfurt / Germany)
----------------------------------------------------------------------
------------------------------
Message: 2
Date: Mon, 10 Apr 2006 10:22:43 -0400
From: "Darren Bounds" <dbounds@...il.com>
Subject: [Full-disclosure] Microsoft Internet Explorer
Content-Disposition HTML File Handling Flaw
To: full-disclosure@...ts.grok.org.uk, webappsec@...urityfocus.com
Message-ID:
<26563eca0604100722p4f9878dfjc91a646ed31b80a8@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw
April 10, 2006
Content-Disposition (defined in RFC 2183) is often used by web
application developers as a mechanism to instruct the web browser on
how it should handle a file download. This is commonly used to help
prevent access to the application scope when handling file attachments
and mitigates the ability to leverage client-side attacks, such as
XSS, through file downloads.
While Internet Explorer does handle downloading most file types
correctly with Content-Disposition, it mishandles HTML files and
instead opens them inline, exposing the application scope. As such, it
is strongly advisable that web-based software vendors use alternative
methods to mitigate this class of attack.
A simple PoC is available at the following URL:
http://xs.vc/content-disposition/
Feel free to compare the results of Firefox and IE.
Vulnerable Versions:
All versions up to and including Internet Explorer 7 Beta 2.
References:
http://www.faqs.org/rfcs/rfc2183.html
http://support.microsoft.com/kb/182315/
http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/mime_handling.asp
I felt it was necessary to make this flaw public now because while the
weakness results from IE's flawed support of RFC 2183, the exposure is
with the third-party applications which rely on it.
Due to the simplicity of exploitation, it is not unlikely this is
being used in the wild.
Thank you,
Darren Bounds
------------------------------
Message: 3
Date: Mon, 10 Apr 2006 19:05:41 +0100 (BST)
From: noreply@...ecurity.com
Subject: [Full-disclosure] [MU-200604-01] Cyrus SASL DIGEST-MD5
Pre-Authentication Denial of Service
To: full-disclosure@...ts.grok.org.uk
Message-ID: <20060410180541.0EA3CAB@...ts.grok.org.uk>
Cyrus SASL DIGEST-MD5 Pre-Authentication Denial of Service [MU-200604-01]
April 7, 2006
http://labs.musecurity.com/advisories.html
Affected Product/Versions:
cyrus-sasl-2.1.18
Product Overview:
SASL (Simple Authentication Security Layer) is an Internet standards-track
method for remote computers to authenticate. The Cyrus SASL library makes
supporting various SASL mechanisms easy for both client and server writers.
Vulnerability Details:
A denial of service condition exists in the SASL authentication library during
DIGEST-MD5 negotiation. This potentially affects multiple products that use
SASL DIGEST-MD5 authentication including OpenLDAP, Sendmail, Postfix, Apple,
etc.
Vendor Response / Solution:
All users of this authentication library are recommended to upgrade to 2.1.21
which fixes these problems.
Hotfix solution to this advisory:
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.21.tar.gz
Mu Security would like to thank the SASL team in advance for timely
remediation of these vulnerabilities.
Credit:
This vulnerability was discovered by the Mu Security research team.
http://labs.musecurity.com/pgpkey.txt
Mu Security is an early-stage innovator creating a new class of security
analysis system. The company's mission is to widely deploy security analysis
and reduce product and application vulnerabilities. Mu's founders include
industry-recognized experts in the IDP, open source protocol analysis tools,
ethical hacking, and network management markets. The security analysis process
and product solution provide a rigorous and streamlined methodology for
verifying and improving the security readiness of any IP-based product or
application. Mu Security, headquartered in Sunnyvale, California, is backed
by preeminent venture capital firms including Accel Partners and Benchmark
Capital.
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are no
warranties, implied or express, with regard to this information. In no event
shall the author be liable for any direct or indirect damages whatsoever
arising out of or in connection with the use or spread of this information.
Any use of this information is at the user's own risk.
------------------------------
Message: 4
Date: Mon, 10 Apr 2006 11:41:34 -0700
From: SCO Security Advisories <security@....com>
Subject: [Full-disclosure] SCOSA-2006.18 UnixWare 7.1.4 : MySQL
User-Defined Function Buffer Overflow Vulnerability
To: security-announce@...t.sco.com
Message-ID: <443AA6DE.9040600@....com>
Content-Type: text/plain; charset="iso-8859-1"
--
Dr. Ronald Joe Record
SCO Security Officer
rr@....com
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: SCOSA-2006.18.txt
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060410/f9d171e2/SCOSA-2006.18.txt
------------------------------
Message: 5
Date: Mon, 10 Apr 2006 18:50:00 -0600
From: security@...driva.com
Subject: [Full-disclosure] [ MDKSA-2006:069 ] - Updated openvpn
packages fix vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <E1FT74y-0001PZ-Fq@...cury.mandriva.com>
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:069
http://www.mandriva.com/security/
_______________________________________________________________________
Package : openvpn
Date : April 10, 2006
Affected: 2006.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A vulnerability in OpenVPN 2.0 through 2.0.5 allows a malicious server
to execute arbitrary code on the client by using setenv with the
LD_PRELOAD environment variable.
Updated packages have been patched to correct this issue by removing
setenv support.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1629
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
------------------------------
Message: 6
Date: Mon, 10 Apr 2006 19:40:00 -0600
From: security@...driva.com
Subject: [Full-disclosure] [ MDKSA-2006:070 ] - Updated openvpn
packages fix vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <E1FT7rM-0001Yo-9k@...cury.mandriva.com>
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:070
http://www.mandriva.com/security/
_______________________________________________________________________
Package : sash
Date : April 10, 2006
Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Tavis Ormandy of the Gentoo Security Project discovered a vulnerability
in zlib where a certain data stream would cause zlib to corrupt a data
structure, causing the linked application to dump core
(CVE-2005-2096).
Markus Oberhumber discovered additional ways that a specially-crafted
compressed stream could trigger an overflow. An attacker could create
such a stream that would cause a linked application to crash if opened
by a user (CVE-2005-1849).
Both of these issues have previously been fixed in zlib, but sash links
statically against zlib and is thus also affected by these issues. New
sash packages are available that link against the updated zlib packages.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
------------------------------
Message: 7
Date: Mon, 10 Apr 2006 21:47:00 -0400 (CLT)
From: "Alvaro Olavarria" <aolavarria@...ure.cl>
Subject: [Full-disclosure] Dokeos 1.6.4 SQL Injection Vulnerability
To: full-disclosure@...ts.grok.org.uk
Cc: rodrigo@...ure.cl, info@...uriteam.com, bugtraq@...urityfocus.com,
submissions@...ketstormsecurity.org
Message-ID: <50544.201.221.203.126.1144720020.squirrel@....rgsc.cl>
Content-Type: text/plain;charset=iso-8859-1
Dokeos 1.6.4 SQL Injection Vulnerability
Author: Alvaro Olavarria <aolavarria@...ure.cl>
Affected: Dokeos <= 1.6.4
Status: Notified hereby
Vendor url: http://www.dokeos.com
Background.
Dokeos is an Open Source elearning and course management web application translated in 34 languages and helping more than 1.000 organisations worldwide to manage learning and collaboration activities.
Vulnerability.
Dokeos was built using Claroline's code; it inherited several of its features including an old version of phpBB which is being used as the forum for the courses. There is a problem in the "viewtopic.php", where the $topic variable is not correctly sanitized and $forumview is equal to "threaded", that would allow an attacker to inject arbitrary code to the application.
Impact
An attacker could use Blind SQL Injection to gain access to privileged data like the password hashes for the administrator user and so on.
Proof of Concept
http://localhost/claroline/phpbb/viewtopic.php?cidReq=102&gidReq=&forum=1&0&forumview=threaded&topic=1[blind_sql_inject]
Greetings
Rodrigo Guitierrez <rodrigo@...ure.cl>
University of Los Lagos in Chile "for lending the required equipment for
testing" >:D
------------------------------
Message: 8
Date: Mon, 10 Apr 2006 16:28:23 -0700
From: Crispin Cowan <crispin@...ell.com>
Subject: Re: [Apparmor-dev] Re: [Full-disclosure] Re: [SC-L] Re:
[Owasp-dotnet] RE: 4 Questions:Latest IE vulnerability, Firefox vs IE
security, User vs Admin risk profile, and browsers coded in 100%
Managed Verifiable code
To: Brian Eaton <eaton.lists@...il.com>
Cc: Pascal Meunier <pmeunier@...ias.purdue.edu>,
full-disclosure@...ts.grok.org.uk,
Administrator@...eta.digitalrazor.com, apparmor-dev@...ge.novell.com
Message-ID: <443AEA17.2090406@...ell.com>
Content-Type: text/plain; charset=ISO-8859-1
Brian Eaton wrote:
> Does cap_setuid give a program enough authority to break out of the
> AppArmor profile?
>
No, cap_setuid is not sufficient. In fact, being full root is not
sufficient to break out of AppArmor confinement. Root daemons being one
of the greatest threats to the system, AppArmor would not be very useful
if it could not confine root.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
------------------------------
Message: 9
Date: Mon, 10 Apr 2006 20:52:08 -0500
From: "0o_zeus_o0 elitemexico.org" <zeus.olimpusklan@...il.com>
Subject: [Full-disclosure] JetPhoto Multiple Cross-Site Scripting Vulnerabilities
To: full-disclosure@...ts.grok.org.uk, admin@...e-h.org,
bugtraq@...urityfocus.com
Message-ID:
<558f59870604101852r491b1860we3f4d90c9a7caa98@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
###########################################################################
# Advisory #11 Title: JetPhoto Multiple Cross-Site Scripting Vulnerabilities
#
#
# Author: 0o_zeus_o0 ( Arturo Z. )
# Contact: zeus@...sdelared.com
# Website: www.elitemexico.org
# Date: 10/04/06
# Risk: Medium
# Vendor Url: http://www.jetphotosoft.com
# Affected Software: JetPhoto
# Non Affected:
#
#Info:
##################################################################
#this bug consists of inserting script in the line of execution of
#
#the affected system, causing the theft of the cookie
#
#Example XSS:
##################################################################
#
#http://www.vuln.com/[path]/view/Classic.view/thumbnail.php?name=webalbum&page=<script>alert(document.cookie);</script>
#
#http://www.vuln.com/[path]/view/Classic.view/thumbnail.php?name=JetPhoto_Album&page=<script>alert(document.cookie);</script>
#
#http://www.vuln.com/[path]/view/Classic.view/gallery.php?name=JetPhoto_Album&page=<script>alert(document.cookie);</script>
#
#http://www.vuln.com/[path]/view/Classic.view/detail.php?name=JetPhoto_Album&page=<script>alert(document.cookie);</script>
#
#http://www.vuln.com/[path]/view/Orange.view/slideshow.php?name=<script></script><script>alert(document.cookie);</script>
#
#http://www.vuln.com/[path]/view/Orange.view/detail.php?name=1&page=<script>alert(document.cookie);</script>
#
##################################################################
#
#Solution:
##################################################################
#
#
#VULNERABLE VERSIONS
##################################################################
#all
#
##################################################################
#Contact information
#0o_zeus_o0
#zeus@...sdelared.com
#www.elitemexico.org
##################################################################
#greetz: lady fire,Mi beba, olimpus klan team and elitemexico
#
# original advisory: http://www.elitemexico.org/11.txt
##################################################################
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060410/cd943874/attachment-0001.html
------------------------------