Monday, 4 September 2017 | errors, path disclosure, system compromise

Directly accessing this URL returns an error that discloses the paths.


Windows and XAMPP are not suited to a production server that must store data.

I archived the page: | various security issues

Vulnerable Phocadownload

Possibility to add different videos from youtube[youtube video id]

They also got malware (not from me - a lot of porn stuff)
Google Cache

Copy of the cached page:

Note: they fixed the problems. - path disclosure, system compromise

There is a path disclosure thanks to an error.
(original sample - )

It's possible to have access to the system.

sample path (It's public - don't bother me)
/repository/GCloud-WebRoot/ - content injection, possible admin reset to external MX server

WordPress 4.2.8

It's possible to inject content, reset the admin password, and have the email delivered to an external MX server.

The website is down for restyling, but the WordPress scripts are still available to the public.

For example the admin area:

Sunday, 3 September 2017

Content Models html5

Content Models

Metadata: Content that sets up the presentation or behavior of the rest of the content. These elements are found in the head of the document.
Elements: <base>, <link>, <meta>, <noscript>, <script>, <style>, <title>

Embedded: Content that imports other resources into the document.
Elements: <audio>, <video>, <canvas>, <iframe>, <img>, <math>, <object>, <svg>

Interactive: Content specifically intended for user interaction.
Elements: <a>, <audio>, <video>, <button>, <details>, <embed>, <iframe>, <img>, <input>, <label>, <object>, <select>, <textarea>

Heading: Defines a section header.
Elements: <h1>, <h2>, <h3>, <h4>, <h5>, <h6>, <hgroup>

Phrasing: This model has a number of inline level elements in common with HTML4.
Elements: <img>, <span>, <strong>, <label>, <br />, <small>, <sub>, and more.

Friday, 1 September 2017

Opencart 2.x - save settings for module or add module to layout

//loading the settings
$this->load->model('setting/setting');
$setting = $this->model_setting_setting->getSetting('mymodule');
//saving the settings (the POST data is stored under the 'mymodule' code)
$this->model_setting_setting->editSetting('mymodule', $this->request->post);

NOTE: in the form, the input name="" must start with the name of the module. Example: mymodule_limit, mymodule_status, mymodule_othersetting

//getting data from the module - usually it is loaded by the configured layout
$this->load->model('extension/module');
$modules = $this->model_extension_module->getModulesByCode('mymodule');

//saving data for the module from the POST: without a module_id a new module is added
//(it can then be loaded from the layout), otherwise the existing module is updated
if (!isset($this->request->get['module_id'])) {
    $this->model_extension_module->addModule('mymodule', $this->request->post);
} else {
    $this->model_extension_module->editModule($this->request->get['module_id'], $this->request->post);
}

Saturday, 26 August 2017 | vulnerable wordpress
Vulnerable/unpatched WordPress 4.8, vulnerable/unpatched theme, path disclosure.
