A SQL injection vulnerability exists in Universal College's site. A remote attacker can easily obtain the password and log in.
Some details:
Vuln Type: SQL injection
FTP: ftp://ftp.uc.edu.np/ (ProFTPD 1.3.0 server//WL)
VULN RATING: 6/10 (SQL INJECTION), 8/10 (OLD FTP SERVER. MANY EXPLOITS ARE OUT THERE)
STATUS: Notified
Some proof:
Table names: login, user
Dumps: not revealed, for security.
Screenshot of logged-in cPanel:
Hope they fix it soon :D
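For readers who want to see what the fix for the post's finding looks like, here is an added example that is not part of the original post and not code from the college's site. It assumes a login table with a plaintext password column (modelling the disclosure's "get the pwd") and shows the legacy string-spliced query next to a parameterised lookup that verifies a salted PBKDF2 hash; the table schema, the user names and the sample credentials are all constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption: reasonable work factor for a demo


def make_db() -> sqlite3.Connection:
    """Build an in-memory 'login' table (constructed sample data).

    The plaintext 'password' column exists only to show the legacy pattern the
    post describes; the salt/pw_hash columns are what the hardened path uses.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    for user, pw in [("admin", "s3cret"), ("editor", "hunter2")]:  # constructed
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        conn.execute("INSERT INTO login VALUES (?, ?, ?, ?)", (user, pw, salt, digest))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Legacy pattern: user input is spliced straight into the SQL text.

    A quote character in either field changes the structure of the query, so
    the database no longer evaluates the check the developer wrote.
    """
    sql = (
        "SELECT username FROM login WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened pattern: parameterised query plus salted-hash verification.

    The driver sends 'username' as a bound value, never as SQL, and the stored
    column is a PBKDF2 digest, so a table dump does not yield usable passwords.
    """
    row = conn.execute(
        "SELECT salt, pw_hash FROM login WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return username if hmac.compare_digest(candidate, stored) else None


if __name__ == "__main__":
    db = make_db()
    crafted_user = "admin' --"  # the trailing comment cuts off the password check
    print("legacy, valid creds   :", login_vulnerable(db, "admin", "s3cret"))
    print("legacy, crafted input :", login_vulnerable(db, crafted_user, "x"))
    print("safe,   valid creds   :", login_safe(db, "admin", "s3cret"))
    print("safe,   crafted input :", login_safe(db, crafted_user, "x"))
```

The safe variant never interpolates user data into the query string, and because only a salted hash is stored, the "login" table the post enumerates would not hand an attacker reusable passwords even if it were dumped.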
Good job, bro. Nepali developers need to learn how to prevent themselves from getting owned.
Thanks bro, but the more severe problem lies in the FTP server of Wlink. They still use the damn old ProFTPD 1.3.0, and see, there are lots of scripts available to exploit it. Even a n00b script kiddie can exploit that.
They must use a recent version. I think the best is Pure-FTPd [TLS], which is freeware. Why they are hesitating to upgrade, I don't understand.