lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <48007.123.238.240.107.1295437030.squirrel@webmail.e-secure-it.com>
Date: Wed, 19 Jan 2011 17:07:10 +0530 (IST)
From: "AAA" <aaa@...ecure-it.com>
To: "Pradip Sharma" <sharma.pradip@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: vsworld.com - SQL Injection Vulnerability

Congrats Pradip!!,

For your work.

Regards
-Arnab




On Wed, January 19, 2011 5:04 pm, Pradip Sharma wrote:
vsworld - SQL Injection Vulnerability
http://www.thehackerslibrary.com/?p=979

Profile:
Developing solutions for areas as diverse as technology, trading, power,
travel, education and retail. In addition, regularly called upon to cater
to
the requirements of prestigious Government Bodies. Various prestigious
clients are in Client list.

Vendor URL:http://www.vsworld.com/index.php

Vulnerability Type : SQL Injection

Vulnerable URL:
http://www.vsworld.com/index.php/en/admin-login.html
&
http://www.vsworld.com/index.php =>VSM Login

User Name: NIL
Password: ' or '1'='1

Now, login to the Control Panel.

Effect: You have access to the main admin panel. Option to View, delete &
update
all client records, contact information, Email ids etc.

All employees personal information Contact no, address mail ids etc,
theire
login credentials passwords are visible.

Name: Venkatesh
ID:   venky
Pwd:  ----

Name: sangeeta
ID:   sangeeta
Pwd:  --------

Name: Ramkishan
ID:   VSMlHN23
Pwd  : -------

Name: Vikas
ID:   vsm_vik1
Pwd:  -------

Name: Vijay
ID:   vsm_vij
Pwd:  ------------

Name: X_Harish
ID:   vsm_hari
Pwd:  --------------

and more.......
passwords are not mentioned here for security reasons.

As the vulnerability is of most common type, notified to the vendor and he
has applied a fix.

Credit: Pradip Sharma, Sandeep Sengupta
Cyber Security Research Analysts, iSolution Software Systems Pvt. Ltd.
www.isolutionindia.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ