Login or Register to Ask a Question and Join Our Community


Security Advisories (RSS)

Debian: 2030-1: mahara: sql injection

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Special Forums Cybersecurity Security Advisories (RSS) Debian: 2030-1: mahara: sql injection
# 1  
Old 04-06-2010
Debian: 2030-1: mahara: sql injection
LinuxSecurity.com: It was discovered that mahara, an electronic portfolio, weblog, and resume builder is not properly escaping input when generating a unique username based on a remote user name from a single sign-on application. An attacker can use this to compromise the mahara database via crafted user names. [More...]

More...
Login or Register to Ask a Question

Previous Thread | Next Thread

1 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

SQL Injection Detection

I want to grep/awk /var/log/httpd/mysite-access_log.log and check if 2 words from the following appear in a single line: benchmark union information_schema drop truncate group_concat into file case hex lpad group order having insert union select from (12 Replies)
Discussion started by: koutroul
12 Replies
Login or Register to Ask a Question

LEARN ABOUT BSD

rlogin

RLOGIN(1C)																RLOGIN(1C)

NAME

       rlogin - remote login

SYNOPSIS

       rlogin rhost [ -ec ] [ -8 ] [ -L ] [ -l username ]
       rhost [ -ec ] [ -8 ] [ -L ] [ -l username ]

DESCRIPTION

       Rlogin connects your terminal on the current local host system lhost to the remote host system rhost.

       Each  host  has	a  file /etc/hosts.equiv which contains a list of rhost's with which it shares account names.  (The host names must be the
       standard names as described in rsh(1C).)  When you rlogin as the same user on an equivalent host, you don't need to give a password.   Each
       user may also have a private equivalence list in a file .rhosts in his login directory.	Each line in this file should contain an rhost and
       a username separated by a space, giving additional cases where logins without passwords are to be permitted.  If the  originating  user	is
       not  equivalent	to  the  remote  user, then a login and password will be prompted for on the remote machine as in login(1).  To avoid some
       security problems, the .rhosts file must be owned by either the remote user or root.

       The remote terminal type is the same as your local terminal type (as given in your environment TERM variable).  The terminal or window size
       is  also copied to the remote system if the server supports the option, and changes in size are reflected as well.  All echoing takes place
       at the remote site, so that (except for delays) the rlogin is transparent.  Flow control via ^S and ^Q and flushing of input and output	on
       interrupts  are	handled  properly.   The  optional argument -8 allows an eight-bit input data path at all times; otherwise parity bits are
       stripped except when the remote side's stop and start characters are other than ^S/^Q.  The argument -L allows the rlogin session to be run
       in  litout  mode.   A  line  of the form ``~.'' disconnects from the remote host, where ``~'' is the escape character.  Similarly, the line
       ``~^Z'' (where ^Z, control-Z, is the suspend character) will suspend the rlogin session.  Substitution  of  the	delayed-suspend  character
       (normally  ^Y)  for  the  suspend character suspends the send portion of the rlogin, but allows output from the remote system.  A different
       escape character may be specified by the -e option.  There is no space separating this option flag and the argument character.

SEE ALSO

       rsh(1C)

FILES

       /usr/hosts/*	   for rhost version of the command

BUGS

       More of the environment should be propagated.

4.2 Berkeley Distribution					   May 12, 1986 							RLOGIN(1C)