Zahir Accounting adalah software akuntansi yang sangat banyak digunakan oleh tingkatan SOHO (Small Office Home Office) di Indonesia. Selain harganya yang terjangkau, Zahir memiliki fitur yang lebih dari cukup untuk menyelesaikan pencatatan akuntansi yang tanggung, dalam arti mampu menyisir tingkat menengah ke bawah dan juga mampu menghadapi tantangan akuntansi yang hampir mendekati tingkat enterprise. Pada kesempatan... Continue Reading →
Blind SQL Injection Vulnerability in FileRun <=2017.09.18
Some time ago while doing a pentest, we found a vulnerability in a file sharing web application named FileRun. This application allows us to access our files anywhere through self-hosted secure cloud storage, backup and sharing files for our photos, videos, files and more. The Vulnerability The vulnerability was found after the authentication. After we... Continue Reading →
Unicode Stack-based Buffer Overflow on CyberLink LabelPrint 2.5
It's been a while since the last post about exploitation on this blog. This time, we try to explain a stack based overflow on a software called Cyberlink LabelPrint. The software serves as a tool to assist in designing labels for CD / DVD covers. Cyberlink LabelPrint is included in the installation of Cyberlink Power2Go,... Continue Reading →
Centreon Enterprise Server 2.3.3 – 2.3.9-4 Blind SQL Injection
We discovered the vulnerability when we're looking for alternate software in network monitoring. We know and we love Nagios, and so the Centreon, they provide a very nice interface of Nagios. Centreon provide nice features and ease of use when you’re dealing with network monitoring. The backend system is still Nagios, but the interface is... Continue Reading →
PC Media Antivirus Insecure Library Loading Vulnerability
PC Media Antivirus (PCMAV) is an antivirus made by famous Indonesia computer magazine PCMedia . PCMAV is quite popular in 2006 since many virus creators in Indonesia actively spread a computer virus and infecting most computers in Indonesia. At that time some people start to claim a special anti-virus to detect Indonesia computer viruses, some... Continue Reading →
Trend Micro Control Manager SQL Injection Vulnerability
Trend Micro Control Manager prior to version 5.5 build 1823 (English and Japanese version) and version 6 build 1449 (English version only) are susceptible to SQL Injection. The application does not properly filter user-supplied input. The successful exploitation of this vulnerability could potentially result in arbitrary SQL command input to the back-end database, such as... Continue Reading →
webERP <=4.08.4 SQL Injection Vulnerability
Overview webERP is a mature open-source ERP system providing best practice, multi-user business administration and accounting tools over the web. The vulnerability sits in the WO (work order) parameter, file WorkOrderEntry.php in the Manufacturing menu. Lack of input validation of the WO parameter may allow malicious users to inject an sql query. Proof of Concept... Continue Reading →
CyberLink Power2Go Unicode Stack Buffer Overflow
The proof of concept of the vulnerability has been released on December 9, 2011, and no further announcement from CyberLink. I tried to coordinate the issue until they didn't contact me anymore. A week after our last email, they updated the product, and yes it's Power2Go 8. How do they know that the product is safe... Continue Reading →