
25 matches found

securityvulns
added 2014/11/10 12:0 a.m., 97 views

IL and CSRF vulnerabilities in D-Link DAP-1360

Hello 3APA3A! There are Information Leakage and Cross-Site Request Forgery vulnerabilities in D-Link DAP-1360 Wi-Fi Access Point and Router. ------------------------- Affected products: ------------------------- Vulnerable is the next model: D-Link DAP-1360, Firmware 1.0.0. This model with other...

0.8 AI score
Exploits 0
0day.today
added 2014/04/12 12:0 a.m., 26 views

D-Link DAP 1150 Cross Site Request Forgery / Cross Site Scripting

Exploit for hardware platform in category web applications In 2011 and beginning of 2012 I wrote about multiple vulnerabilities http://securityvulns.ru/docs27440.html, http://securityvulns.ru/docs27677.html, http://securityvulns.ru/docs27676.html in D-Link DAP 1150 several dozens. That time I wro...

7.1 AI score
Exploits 0
Packet Storm
added 2013/07/03 12:0 a.m., 20 views

WordPress 3.5.1 Cross Site Scripting

Hello list! These are Cross-Site Scripting vulnerabilities in WordPress. Which I've disclosed last week. At WordPress 3.5.2 release, WP developers mentioned about three holes as "security hardenings" to decrease their importance and to make it looks like there were less fixed holes. One of these...

7.4 AI score
Exploits 0
Packet Storm
added 2013/04/13 12:0 a.m., 64 views

Dotclear 2.4.4 Cross Site Scripting / Content Spoofing

Hello list! These are Cross-Site Scripting and Content Spoofing vulnerabilities in Dotclear. CMS Dotclear has three vulnerable flash-files: swfupload.swf, playerflv.swf and playermp3.swf. File swfupload.swf is Swfupload. I wrote about vulnerabilities in Swfupload in November 2012...

4.3 CVSS, 6.4 AI score, 0.06259 EPSS
Exploits 10
securityvulns
added 2013/04/01 12:0 a.m., 77 views

Multiple XSS vulnerabilities in IBM Lotus Domino

Hello 3APA3A! I want to warn you about multiple Cross-Site Scripting vulnerabilities in IBM Lotus Domino. Last year I've announced multiple vulnerabilities in IBM software and after IBM fixed many of them, I've disclosed them. These are new vulnerabilities in Domino, which I've found at 03.05.201...

4.3 CVSS, 0.7 AI score, 0.00266 EPSS
Exploits 3
0day.today
added 2012/12/24 12:0 a.m., 20 views

WordPress Plugin WP-UserOnline Persistent XSS vulnerability

This perl exploit I developed at 26.04.2010. As I wrote earlier, vulnerable are WP-UserOnline 2.62 and previous versions. After my informing the developer released WP-UserOnline 2.70 at 07.05.2010. In version 2.70 he fixed XSS, but not Full path disclosure vulnerabilities. Hello list! in 20...

6.9 AI score
Exploits 0
Packet Storm
added 2012/08/22 12:0 a.m., 23 views

JW Player Pro 5.10.2295 Spoofing / Cross Site Scripting

Hello list! I want to warn you about security vulnerabilities in JW Player Pro. These are Content Spoofing and Cross-Site Scripting vulnerabilities. In June I wrote about vulnerabilities in JW Player http://securityvulns.ru/docs28176.html. And these are vulnerabilities in licensed version of t...

Exploits 0
securityvulns
added 2011/12/26 12:0 a.m., 62 views

CSRF, DT and AB vulnerabilities in D-Link DSL-500T ADSL Router

Hello 3APA3A! I want to warn you about new security vulnerabilities in D-Link DSL-500T ADSL Router. Which I've found and disclosed last week. These are Cross-Site Request Forgery, Directory Traversal and Authentication Bypass vulnerabilities. This is my fifth advisory 3 and 4 were announced and...

7.5 CVSS, 0.7 AI score, 0.00345 EPSS
Exploits 1
securityvulns
added 2011/12/11 12:0 a.m., 55 views

Vulnerabilities in D-Link DSL-500T ADSL Router

Hello 3APA3A! I want to warn you about security vulnerabilities in D-Link DSL-500T ADSL Router. These are Predictable Resource Location, Brute Force and Cross-Site Request Forgery vulnerabilities. This is my first advisory from series of advisories about vulnerabilities in D-Link products...

1.5 AI score
Exploits 0
Packet Storm
added 2011/09/27 12:0 a.m., 43 views

Adobe ColdFusion 7 Cross Site Scripting

Hello list! I want to warn you about new security vulnerabilities in Adobe ColdFusion. These are Cross-Site Scripting and Full path disclosure vulnerabilities. ------------------------- Affected products: ------------------------- Vulnerable are Adobe ColdFusion 7 and previous versions to XSS, an...

Exploits 0
securityvulns
added 2011/04/11 12:0 a.m., 46 views

Vulnerabilities in the Live Wire Edition theme for WordPress

Hello 3APA3A! I am informing you about Cross-Site Scripting, Full path disclosure, Abuse of Functionality and Denial of Service vulnerabilities that I found in the Live Wire Edition theme for WordPress. This is a commercial template for WP. XSS WASC-08:...

6.2 AI score
Exploits 0
securityvulns
added 2010/03/29 12:0 a.m., 26 views

Vulnerabilities in HoloCMS

Hello 3APA3A! I am informing you about Insufficient Anti-automation and Denial of Service vulnerabilities that I found in the HoloCMS system. The vulnerabilities are in the captcha script CaptchaSecurityImages.php, which is used in this system. I have already reported on vulnerabilities in CaptchaSecurityImages...

7.2 AI score
Exploits 0
securityvulns
added 2010/03/21 12:0 a.m., 23 views

Vulnerabilities in CaptchaSecurityImages

Hello 3APA3A! I am informing you about Insufficient Anti-automation and Denial of Service vulnerabilities that I found in the CaptchaSecurityImages web application. This is a captcha script that is used on many web sites and engines. I found the Insufficient Anti-automation vulnerability on 06.10.2007, during...

7.1 AI score
Exploits 0
0day.today
added 2010/03/11 12:0 a.m., 19 views

Hydra CMS Cross Site Scripting / SQL Injection Vulnerabilities

Exploit for unknown platform in category web applications ============================================================== Hydra CMS Cross Site Scripting / SQL Injection Vulnerabilities ============================================================== Hello Full-Disclosure! I want to warn you about...

7.1 AI score
Exploits 0
securityvulns
added 2009/11/19 12:0 a.m., 25 views

Vulnerabilities in SimpGB

Hello 3APA3A! I want to warn you about security vulnerabilities in SimpGB. These are Full path disclosure, Insufficient Anti-automation and Cross-Site Scripting vulnerabilities. Full path disclosure: http://site/admin/index.php?lang=1 http://site/admin/pwlost.php?lang=1...

0.5 AI score
Exploits 0
securityvulns
added 2009/09/24 12:0 a.m., 33 views

Cross-Site Scripting vulnerability in E107

Hello 3APA3A! I want to warn you about Cross-Site Scripting vulnerability in E107. XSS: At page for sending news to email http://site/email.php?news.1 it's possible to conduct XSS attack via Referer header. Particularly it can be done via flash. Referer: 'scriptalertdocument.cookie/script...

1.5 AI score
Exploits 0
securityvulns
added 2009/07/18 12:0 a.m., 42 views

Multiple vulnerabilities in XAMPP

Hello 3APA3A! I want to warn you about multiple security vulnerabilities in XAMPP. These are Predictable Resource Location, Information Leakage, Cross-Site Scripting and Directory Traversal vulnerabilities. Predictable Resource Location: There are standard paths to resources in XAMPP, which can b...

7 AI score
Exploits 0
securityvulns
added 2009/05/11 12:0 a.m., 24 views

Insufficient Authentication vulnerability in Acer notebooks

Hello 3APA3A! I am informing you about an Insufficient Authentication vulnerability that I found in Acer notebooks. I discovered the vulnerability on 28.04.2009 on two of my notebooks. These notebooks use Windows XP Home Rus; with other operating systems the vulnerability may also be present. In Windows XP Home in...

0.4 AI score
Exploits 0
Exploit DB
added 2008/06/05 12:0 a.m., 84 views

Power Phlogger 2.2.5 - 'css_str' SQL Injection

SQL Injection vulnerability in Power Phlogger By MustLive http://websecurity.com.ua Detailed information: http://websecurity.com.ua/2158/ Description: SQL Injection vulnerability in Power Phlogger it is PHP/MySQL logging tool via counters. To make SQL Injection attack you need to be logged into...

7.4 AI score
Exploits 0
exploitpack
added 2008/06/05 12:0 a.m., 11 views

Power Phlogger 2.2.5 - css_str SQL Injection

Power Phlogger 2.2.5 - cssstr SQL Injection SQL Injection vulnerability in Power Phlogger By MustLive http://websecurity.com.ua Detailed information: http://websecurity.com.ua/2158/ Description: SQL Injection vulnerability in Power Phlogger it is PHP/MySQL logging tool via counters. To make SQL...

0.5 AI score
Exploits 0