18.31.22
Report Vulnerabilities
Hi,

Here are the vulnerability descriptions and POCs:
##############################
###

I am writing to report three vulnerabilities that I found in the latest version of Aardvark Topsites PHP (5.2.1) and older versions.

The cause of all of them is the incorrect verification of input parameters.


Here are the vulnerabilities:
==================

HTML Injection (up to 5.2.0)
--------------------------

For example, it is possible to inject a link to any URL with any anchor text.

POC: /index.php?a=search&q=psstt+security"><a+href%3Dhttp%3A%2F%2Fwebsec.id3as.com>Web-Application-Security


Information Disclosure 1 (up to 5.2.1)
--------------------------

Disclosure of the full path of the application sources when you put a negative number in the 'start' parameter.

POC: /index.php?a=search&q=psstt&start=-4


Information Disclosure 2 (up to 5.2.0)
--------------------------

Disclosure of the full path of the application sources, and some source code too, when you put a non-existent user in the 'u' parameter.

POC: /index.php?a=rate&u=nonexistentuser
==================

I created a page with the details and possible updates at: http://websec.id3as.com/aardvark-topsites-php-521-security-vulnerabilities-disclosure/


Feel free to ask me any questions about this so that these vulnerabilities can be properly reported.

Google Dork: "Powered by Aardvark Topsites PHP 5.2.0"
(or 5.2.1 for the last version)

#################################

Thanks,
José Pablo González / J07AP3
Views: 17513 | Added by: apeh1706 | Rating: 0.0/0
Total comments: 7
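All three reports above come down to the same root cause the author names: request parameters reaching output, SQL or array code without validation, and PHP warnings revealing script paths when they do. The following PHP is an added illustration written for this page, not code from Aardvark Topsites PHP or from the reporter; the function names, the in-memory user table and the sample inputs are constructed assumptions that mirror the shape of the three PoC parameters (q, start, u).

```php
<?php
// Added example, not Aardvark Topsites PHP source. Function names, the $users
// table and all sample inputs are constructed for illustration.

declare(strict_types=1);

// PHP notices and warnings carry the absolute path of the script that raised
// them, which is exactly what the two information-disclosure PoCs surface.
// Production settings keep them out of the response and in the log instead
// (shown via ini_set here; normally configured in php.ini).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 1. HTML injection: the search term is reflected into the page, so encode it
//    for an HTML context, with quotes covered, before it is echoed.
function renderSearchTerm(string $q): string
{
    return htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. Information disclosure 1: 'start' is a pagination offset. Accept only a
//    non-negative integer; anything else (including "-4") becomes 0 instead of
//    reaching query or array code that would emit a warning with a file path.
function parseStart($raw): int
{
    $start = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    return $start === false ? 0 : $start;
}

// 3. Information disclosure 2: an unknown user is an expected condition, not
//    an error. Constrain the identifier format, look it up explicitly, and let
//    the caller return a neutral message instead of operating on a missing row.
function lookupUser(string $u, array $users): ?array
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $u)) {
        return null;
    }
    return $users[$u] ?? null;
}

function handleRate(array $get, array $users): string
{
    $user = lookupUser((string)($get['u'] ?? ''), $users);
    if ($user === null) {
        // Generic response: no path, no query text, no source fragment.
        return 'That site is not listed.';
    }
    return 'Rate ' . htmlspecialchars($user['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample data and inputs shaped like the three PoCs.
$users = ['alice' => ['title' => 'Alice & Co']];

echo renderSearchTerm('psstt security"><a href=http://example.invalid>x'), "\n";
echo parseStart('-4'), "\n";
echo parseStart('12'), "\n";
echo handleRate(['u' => 'nonexistentuser'], $users), "\n";
echo handleRate(['u' => 'alice'], $users), "\n";
```

Run with `php example.php`: the injected anchor is printed as inert encoded text rather than rendered as a link, the negative offset is replaced by 0, and the unknown user produces the fixed message with no path or source in it. The `display_errors` setting is the cross-cutting control; even with the per-parameter checks in place, it is what guarantees an unanticipated warning elsewhere in the application does not turn into another path disclosure.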