Tuesday, 15 January 2013

[EN] Mantis Bug Tracker 1.2.12 Persistent XSS

Hello Mantis Community,

A few minutes ago I found a nice old persistent XSS in the latest version of Mantis Bug Tracker (1.2.12).

Persistent XSS for admin

This vulnerability exists for the admin user, but the same could be present in other parts of this webapp.

Update: 18.01.2013
A few minutes ago I spoke again with the Developer Team.
After this little chat I have a surprise for you: a new Mantis BT is coming! :)

Update 21.01.2013
As you can see now (in the comments), MantisBT is available for download and soon you can get
a brand new version. The patch for this vulnerability is, for now, available here.

Once again I would like to thank the MantisBT Team for a fast reply, great knowledge and excellent work! :)

Cheers! o/
 





Monday, 14 January 2013

[EN] SMF 2.0.3 Persistent XSS

For the admin user this time ;)

Persistent XSS in the latest SMF 2.0.3

 
Details here: http://whk.drawcoders.net/

At this point I would like to thank the whole SMF Team for cooperating.
A fast and responsible Team! :)

Wednesday, 9 January 2013

[EN] e107 CMS 1.0.2 SQL Injection

Yes, it's true, but calm down. This vulnerability can be triggered only by an admin. ;)

If an attacker is able to get the admin's password, then the vulnerability status can 'increase' from
low to high.

Anyway, more details soon.

If you need it faster, mail me.

Tuesday, 8 January 2013

[EN] osTicket 1.74 RC - multiple vulnerabilities

Details soon...

Monday, 7 January 2013

[EN] Wolf CMS 0.7.5-SP1 XSS

In the latest Wolf CMS I found an XSS vulnerability in the 'Forgot password' mechanism.

Go to your admin panel:
http://192.168.64.106/wolfcms/?/admin/login and click on 'Forgot password'.

Now put your XSS code in the forgot_email parameter:

./wolf/app/controllers/LoginController.php:154:           
return $this->_sendPasswordTo($_POST['forgot']['email']);


and

./wolf/app/views/login/forgot.php:61:                   
<input class="long" id="forgot-email" type="text" name="forgot[email]" value="<?php echo $email; ?>" />



And that's how we can do an XSS attack here.
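
The two lines quoted above pass $_POST['forgot']['email'] through to a value="..." attribute with no output encoding. The sketch below is an added example, not code from the original post or from Wolf CMS: the function names and the sample inputs are constructed for illustration, and it shows the raw echo beside an encoded one, plus a controller-side check.

```php
<?php
// Added example: all function names here are hypothetical, not Wolf CMS code.

// Mirrors the pattern at forgot.php:61, where the value is echoed raw
// into a double-quoted attribute.
function render_forgot_field_unsafe(string $email): string
{
    return '<input class="long" id="forgot-email" type="text" '
         . 'name="forgot[email]" value="' . $email . '" />';
}

// Hardened form: encode for the HTML attribute context at output time.
function render_forgot_field_safe(string $email): string
{
    $encoded = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input class="long" id="forgot-email" type="text" '
         . 'name="forgot[email]" value="' . $encoded . '" />';
}

// Controller-side check: read the nested POST field defensively and accept
// only a syntactically valid address. This is a second layer; the output
// encoding above is what fixes the echo itself.
function read_forgot_email(array $post): ?string
{
    $raw = $post['forgot']['email'] ?? null;
    if (!is_string($raw)) {
        return null; // missing, or sent as an array (forgot[email][]=x)
    }
    $raw = trim($raw);
    if (strlen($raw) > 254) {
        return null; // longer than any deliverable address
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample inputs: one normal address and one benign string that
// closes the attribute and the tag.
$samples = ['admin@example.com', 'x"><i>injected</i>'];

foreach ($samples as $value) {
    $post = ['forgot' => ['email' => $value]];
    echo 'input:    ', $value, PHP_EOL;
    echo 'unsafe:   ', render_forgot_field_unsafe($value), PHP_EOL;
    echo 'safe:     ', render_forgot_field_safe($value), PHP_EOL;
    echo 'accepted: ', var_export(read_forgot_email($post), true), PHP_EOL, PHP_EOL;
}
```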

[EN] Wolf CMS 0.7.5-SP1 RCE

In the latest Wolf CMS, if a user is able to create a page, there is a remote code execution possibility.

Let me know if you need details.

Cheers o/

[EN] osCommerce 2.3.3 Exploited

I found a few bugs in the latest version of the popular osCommerce.

For now, only the persistent XSS bug and the information disclosure will be presented here.

It's good practice to remember that, in the case of information disclosure bugs, we don't need any 'error displaying'. So it is a good idea to set it to "Off" in your php.ini file.


Update:
osCommerce 2.3.3 after XSS attack



This screenshot shows the XSS for a logged-in user.

Thursday, 27 December 2012

[EN] 5 RCE in GetSimple 3.1.2 - Updated

The latest GetSimple CMS (3.1.2) is vulnerable to authentication bypass and remote code execution.

RCE in the latest GetSimple CMS



One of the five exploits is here.
To all of you who mailed me with feedback: thanks!

If you need 4 more sploits (for testing), just let me know ;)

o/

Monday, 24 December 2012

[EN] OSSEC Cool Dashboard - New release!

This time the updated version is number 0.5, which you can check here. :)

As always, Jess was extremely fast with the new patch. Working with such a good coder is a pleasure.

Now, check OCD!

Friday, 21 December 2012

[EN] All about filtering...

To know how I feel when I'm testing 'another' web-code, watch this. ;D

Merry Xmas ;)
o/