The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process on kernels built with CONFIG_USER_NS=y where overlayfs has the FS_USERNS_MOUNT flag, which allows overlayfs to be mounted inside unprivileged mount namespaces. This is the default configuration of Ubuntu 12.04, 14.04, 14.10, and 15.04. The ovl_copy_up_* functions do not correctly check that the user has permission to write files to the upperdir directory. The only permission checked is whether the owner of the file being modified has permission to write to the upperdir. Furthermore, when a file is copied up from the lowerdir, its metadata is copied verbatim instead of attributes such as the owner being changed to the user that triggered the copy_up_* procedure.
This exploit is used to gain root access on Ubuntu 12.04, 14.04, 14.10 and 15.04 (kernels before 2015-06-15) by exploiting the incorrect permission handling and FS_USERNS_MOUNT. The exploit creates a shared library and an /etc/ld.so.preload file that causes the shared library to be loaded. The shared library contains a getuid() function that checks whether the process is running as root and, if it is, executes a shell.
The Milw0rm Clone Script v1.0 is vulnerable to an authentication bypass due to improper sanitization of user input. An attacker can exploit this by sending malicious SQL queries to the application, allowing them to bypass authentication and gain access to the application.
The AnyConnect Secure Mobility Client VPN API suffers from a stack buffer overflow vulnerability when a large number of bytes is passed in the 'strHostNameOrAddress' parameter of the 'ConnectVpn' function, which resides in the vpnapi.dll library, resulting in memory corruption and an overflow of the stack. An attacker can gain access to the affected system and execute arbitrary code.
There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php: an unauthenticated user can upload any file to the system, including a .php file. upload.php does not check that the user is authenticated, so a simple POST request allows arbitrary code to be uploaded to the server.
The se-html5-album-audio-player v1.1.0 plugin for WordPress has a remote file download vulnerability. The download_audio.php file does not correctly validate the file path; it only attempts to check that the path is within /wp-content/uploads, a check that is easily defeated with ../ sequences.
The admin area login requires a password but is easily bypassed using classic SQL injection, because the application concatenates user input to construct SQL queries. A persistent XSS vector also exists in the author field for comments.
Opsview is a monitoring system based on Nagios Core. The latest version of Opsview is prone to several stored and reflected XSS vulnerabilities. Stored XSS can be injected through a malicious check plugin or in the host profile. Reflected XSS can be injected in the "Test service check" page.
Multiple CSRFs exist in the Nakid CMS, allowing an attacker to change the admin password, add arbitrary users to the system, and alter system settings. Persistent XSS vulnerabilities exist in the username, password, email, fname, lname, from_name, include_path, primary_email, from_email, and title parameters. An authentication bypass LFI vulnerability exists in the content parameter.
GoldWave 6.1.2 is vulnerable to a local crash. An attacker can create a file named 'poc.txt' containing 'http://AAAAAAAA...' (a long run of characters). When the user runs GoldWave 6.1.2 and opens that URL, the application crashes.