Message-ID: <5c6a6f0e0606161033o70a068cckd0149978a95207ab@mail.gmail.com>
Date: Fri Jun 16 18:33:37 2006
From: joxeanpity at gmail.com (Joxean Koret)
Subject: Solved - Several flaws in e-business designer (eBD)

The advisory talks about 3 vulnerabilities:

1) File upload issues (related to your patch).

2) SQL injection and path disclosure.

3) Clear text authentication.

I can assume that a sysadmin could force HTTPS by himself, but... is the
2nd vuln really not related to eBD?


On 6/16/06, Blanca Pons de Dalmases <bpons@...yssoft.com> wrote:
>
>  A bug in the eBD HTML editor has been discovered. It will allow a user
> to modify the images of the /imgfiles folder (the files raised in the
> option resources > images).
>
> Oasyssoft, the producer, has installed the patch on all our servers, so
> all MyeBD users have been updated since the end of May.
>
> Anyway, you will find here the emergency patch installation
> http://lists.oasyssoft.com/ebd-devel/200605/binNr7awTFdvt.bin
> to be installed on your servers. Although this patch is for version
> 3.1.4, it is also available for all eBD versions.
>
> The other mentioned vulnerabilities have no relation to eBD. System
> managers are in charge of configuring their servers in a secure way,
> whether or not they are running eBD.
>
> If you require further information, please contact us at
> ebd.soporte@...yssoft.com.
>
>  Blanca Pons
> bpons@...yssoft.com
> Marketing and Communications Director
> e-business designer
>  C/ Sardenya 56 Local
> 08005 Barcelona
> Tel: 902 181 349
> Fax: 932 217 303
> www.oasyssoft.com
> 2655 Le Jeune Rd. Suite 517
> Coral Gables, FL 33134 United States
> Phone: +1(305) 448 2148
> Fax: +1(305) 448 0097
> www.ebdsoft.com
>
> eBD is an Oasyssoft product
> This message (as well as any attachments or links it contains) may
> contain privileged or confidential information. If you are not the
> intended recipient, you are hereby notified that any unauthorized use,
> disclosure and/or copying is prohibited under current legislation. If you
> have received this message in error, please notify us immediately by the
> same means and destroy it.
>
> This email (and any attachments or hyperlinks within it) may contain
> information that is confidential, legally privileged or otherwise protected
> from disclosure. If you are not the intended recipient of this email, you
> are not entitled to use, disclose, distribute, copy, print, disseminate or
> rely on this email in any way. If you have received this email in error,
> please notify the sender immediately by telephone or email and destroy it,
> and all copies of it.