Protector System Multiple Vulnerabilities
manunkind1 writes "Janek Vind has reported some vulnerabilities in Protector System, allowing malicious people to conduct Cross Site Scripting, SQL injection and bypass the protection filters.

1) If error messages haven't been turned off in PHP, the "blocker_query.php" script will return error messages if an invalid value is supplied to the "portNum" parameter. This can be exploited to reveal the installation path.

2) Input passed to the "target" and "portNum" parameters in the "blocker_query.php" script isn't properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML or script code in a user's browser session in context of an affected site by tricking the user into visiting a malicious website or following a specially crafted link.

3) Input passed in GET queries to PHP-Nuke isn't properly verified before it is used in an SQL insert query. This can be exploited by malicious people to manipulate SQL queries by injecting arbitrary SQL code.

4) It is possible to bypass the SQL injection filter system, by altering the injected SQL query using comments "/**/" in the command.

The vulnerabilities have been reported in version 1.15b1. Prior versions may also be affected.

Solution:
Use another product.

Provided and/or discovered by:
Janek Vind "waraxe"

http://secunia.com/advisories/11478/

Admin Note: How about improving it?"
Posted on Tuesday, April 27 @ 19:01:30 CEST by Zhen-Xjell
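The four findings above map onto four concrete coding mistakes: errors displayed to the client, unescaped reflection of query parameters, unbound SQL values, and a keyword blocklist that can be split with inline comments. The following is an added example written for this page; it is not code from Protector System, PHP-Nuke or the advisory. It shows a hardened handler for a script that, like "blocker_query.php", takes "target" and "portNum" from the query string, echoes them back and writes them to the database. The function names, the `blocked_hosts` table and the `$db` mysqli connection are assumptions.

```php
<?php
// Added example, not Protector System's or PHP-Nuke's own code.
// Hardened handling of the "target" and "portNum" query parameters.
declare(strict_types=1);

// (1) Never send PHP errors to the browser; that is how the install path leaked.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// portNum must be an integer in 1..65535; anything else is rejected outright.
function parsePort(string $raw): ?int
{
    if (!preg_match('/^\d{1,5}$/', $raw)) {
        return null;
    }
    $port = (int) $raw;
    return ($port >= 1 && $port <= 65535) ? $port : null;
}

// target must be an IP address or a hostname: no quotes, no angle brackets.
function parseTarget(string $raw): ?string
{
    if ($raw === '' || strlen($raw) > 253) {
        return null;
    }
    if (filter_var($raw, FILTER_VALIDATE_IP) !== false) {
        return $raw;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match("/^{$label}(?:\\.{$label})*$/i", $raw) ? $raw : null;
}

// (2) Escape everything reflected into HTML, even values that passed validation.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// (4) If a keyword blocklist is kept as defence in depth, normalise inline
// comments and whitespace before matching, so "UNION/**/SELECT" is compared
// as "UNION SELECT" rather than slipping past a pattern that expects a space.
function normaliseForFilter(string $s): string
{
    $s = preg_replace('#/\*.*?\*/#s', ' ', $s); // inline comment -> single space
    $s = preg_replace('/\s+/', ' ', $s);         // collapse runs of whitespace
    return strtoupper(trim($s));
}

function looksLikeSqlInjection(string $s): bool
{
    $pattern = '/\b(UNION\s+SELECT|INSERT\s+INTO|DROP\s+TABLE)\b/';
    return (bool) preg_match($pattern, normaliseForFilter($s));
}

// (3) The actual fix for the injection: bind values, never concatenate them.
// The blocklist above is only a tripwire for logging, not the protection.
function recordBlock(mysqli $db, string $target, int $port): bool
{
    // Table and column names are assumptions for this example.
    $stmt = $db->prepare('INSERT INTO blocked_hosts (target, port) VALUES (?, ?)');
    $stmt->bind_param('si', $target, $port);
    return $stmt->execute();
}

$rawTarget = (string) ($_GET['target'] ?? '');
$rawPort   = (string) ($_GET['portNum'] ?? '');

if (looksLikeSqlInjection($rawTarget) || looksLikeSqlInjection($rawPort)) {
    error_log('blocker_query: suspicious input from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
}

$target = parseTarget($rawTarget);
$port   = parsePort($rawPort);

if ($target === null || $port === null) {
    http_response_code(400);
    echo 'Invalid target or port.'; // fixed text, the raw input is never echoed
    exit;
}

// $db is assumed to be an open mysqli connection provided by the application:
// recordBlock($db, $target, $port);
echo 'Blocking ' . h($target) . ' on port ' . $port . '.';
```

The order matters: validation first, so a rejected value never reaches the page or the query; escaping on output regardless, because validation rules drift; and parameter binding in the database layer, so the comment-splitting trick in finding 4 has nothing left to bypass.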
 
Re: Protector System Multiple Vulnerabilities (Score: 1)
by Zhen-Xjell on Tuesday, April 27 @ 19:14:05 CEST
(User Info | Send a Message) http://castlecops.com
For more on this topic, you can also read here [nukecops.com].



Re: Protector System Multiple Vulnerabilities (Score: 1)
by chatserv on Tuesday, April 27 @ 19:54:22 CEST
(User Info | Send a Message) http://nukeresources.com
Mr. waraxe only seems to offer suggestions like "Use another product.", not very helpful unless you are part of another CMS' dev team, in which case you would benefit from people following said advice. Flaw reports are a valuable tool in themselves, but the average vulnerability reporter often provides a workaround for his found flaws. While the report can help the author correct such errors, what about popular scripts like MyeGallery whose author no longer updates the version for Nuke? If you point out vulnerabilities but don't provide possible solutions for the problem, you leave the average user that has minimum to no experience in coding out in the open.



Re: Protector System Multiple Vulnerabilities (Score: 1)
by MisterWORK on Wednesday, April 28 @ 00:37:51 CEST
(User Info | Send a Message) http://protector.warcenter.se
http://www.securityfocus.com/bid/10206/solution/

I fixed this a day ago. =O) And released it yesterday. But working together is good =)

