Tuesday, 30. September 2008, 01:17:30
openxss, security, vulnerability
It is just a matter of time before the first two advisories appear either in the CVE database or on BugTraq. I know I promised at least three of them, but I haven't found enough time to write the third one. There might be some others; it just depends on how much more time I want to spend/waste (depends on the POV) trying to understand WordPress' code, wiki-related code, and other similar code.

Thursday, 25. September 2008, 01:47:07
debian, vulnerability, php, security
I have just taken a quick look at yet another OpenID-related PHP script which is, just like the others I've seen, open to XSS attacks.
Tuesday, 21. August 2007, 02:26:11
security, vulnerability
Just found a SQL Injection vulnerability in VHCS2 2.4.7.1:
Sunday, 17. September 2006, 03:36:37
vulnerability, webinsta, bug
Last night I released Webinsta CMS version 0.4.0c; this version is not affected by either of the two reported vulnerabilities.
It also includes some other minor fixes and a new module that adds the possibility to change the page's title by using a tag on the content block.
All users are encouraged to upgrade to Webinsta CMS 0.4.0c NOW.
Sunday, 3. September 2006, 17:30:48
webinsta, vulnerability, patch, secunia
Yesterday I got an e-mail from a person who wanted to know whether the Webinsta CMS was secure, because he had found a Secunia advisory for the Webinsta CMS (not for Webinsta's Limbo CMS) and an exploit for that vulnerability.
After checking the links I noticed that, yes, somebody did find that vulnerability, which is present in any Webinsta CMS version prior to 0.4.x.
I think I'll have to ask Ceasar to no longer host that old Webinsta CMS version and instead redirect all visitors to my website, where they can find the latest version of the Webinsta CMS, which is not vulnerable. Of course the latest version can always be found on the Webinsta CMS page of my website.
More information about the vulnerability:
The vulnerability is caused by the operations that emulate PHP's register_globals=on setting.
What happens when a vulnerable website is called with the title=some%20title query? This is what happens:
- HTTP request to index.php?title=some%20title
- index.php includes the configuration file (config.php) which contains the website title and some other information (including administrators' username and password).
- index.php includes code/globaldefs.php, which emulates register_globals=on whether the server has register_globals set to on or off. During the emulation it doesn't verify which variables already exist, so it overrides the global variable $title by setting its content to "some title".
- index.php script execution continues.
This means that ANY parameter being sent can be set as a global variable, even overriding the website configuration.
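The override described in the steps above, next to a variant that performs the missing existence check, as an added example: this is not the Webinsta CMS code. The function names, the `$scope` array standing in for the global symbol table, and the config values are assumptions made for illustration.

```php
<?php
// Constructed stand-in for config.php; the values are placeholders.
function load_config(): array
{
    return ['title' => 'My Site', 'admin_user' => 'admin'];
}

// Vulnerable pattern: every request parameter is copied into the scope
// without checking whether a variable of that name already exists.
function emulate_register_globals_unsafe(array $request, array &$scope): void
{
    foreach ($request as $name => $value) {
        $scope[$name] = $value; // replaces the $title loaded from config
    }
}

// Checked variant: a parameter is imported only if it is on an explicit
// allowlist AND does not collide with a variable that is already set.
// Returns the names it refused, so they can be logged.
function emulate_register_globals_checked(
    array $request,
    array &$scope,
    array $allowed
): array {
    $rejected = [];
    foreach ($request as $name => $value) {
        if (!in_array($name, $allowed, true) || array_key_exists($name, $scope)) {
            $rejected[] = $name;
            continue;
        }
        $scope[$name] = $value;
    }
    return $rejected;
}

// Constructed request, equivalent to index.php?title=some%20title&page=home
$request = ['title' => 'some title', 'page' => 'home'];

$scope = load_config();
emulate_register_globals_unsafe($request, $scope);
echo "unsafe:  title = {$scope['title']}\n";

$scope = load_config();
$rejected = emulate_register_globals_checked($request, $scope, ['page']);
echo "checked: title = {$scope['title']}, rejected = " . implode(',', $rejected) . "\n";
```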
What does that mean?
The website can be affected in many ways: changing the website title, loading modules, or loading external scripts (if the server's configuration allows opening sockets).
Can this vulnerability be used to log in to the administration panel?
Yes and no. The vulnerability can be used to retrieve the admin username and password, or even more. But the vulnerability doesn't affect the admin login page, because the script that makes sure the admin user and password match the ones set in the config.php file doesn't load the code that introduces the vulnerability.
Everybody who has a Webinsta CMS website should upgrade to 0.4.x immediately.
How is it fixed in the latest Webinsta CMS version?
The code that emulates register_globals=on is no longer loaded on pages that don't require this special (and bad) PHP setting; it is now only used in a few pages of the administration panel, because index.php no longer makes use of register_globals. This is just a small fix, because that code is not used in the in-development InWeb CMS (which is based on the Webinsta CMS).