The 2Moons application is vulnerable to SQL Injection and Reflected Cross-Site Scripting. An attacker can exploit either vulnerability by sending a specially crafted HTTP request to the application.
PHP File Manager is vulnerable to creation of arbitrary files on the server via CSRF, which we can use to create remote backdoor shell access if the victim clicks our malicious link or visits our malicious web page. To create the backdoor shell we will need to execute two POST requests: 1- create the PHP backdoor shell 666.php; 2- inject code and save it to the backdoor we just created.
Classic FTP v2.36 is vulnerable to a Denial of Service attack when a malicious user sends a CWD command with a large number of characters. This causes the server to crash and the service to become unavailable.
I found a security bug in sudo (checked in the latest versions of sudo running on RHEL and Ubuntu) when a user is granted root access to modify a particular file that could be located in a subset of directories. It seems that sudoedit does not check the full path if a wildcard is used twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the real file.txt with a symbolic link to a different location (e.g. /etc/shadow). I was able to perform such a redirect and retrieve the data from the /etc/shadow file.
phpFileManager version 0.9.8 is vulnerable to Remote Command Execution. An attacker can execute arbitrary commands on the vulnerable system by getting the victim to click a malicious link or visit a malicious website.
The login form is affected by a code injection vulnerability via the 'id' POST parameter, which allows an attacker to inject and execute arbitrary commands on the system.
We discovered a bug in userhelper, a setuid-root program from the usermode package that provides a basic interface to change a user's password, gecos information, and shell; its -f (Full Name), -o (Office), -p (Office Phone) and -h (Home Phone) command-line options are equivalent to those of the traditional chfn program. userhelper's chfn() function verifies that the fields it was given on the command-line are sane (i.e., contain no forbidden characters). Unfortunately, these forbidden characters (":,=") do not include '\n' and allow local attackers to inject newline characters into /etc/passwd and alter this file in unexpected ways.
We discovered a bug in libuser's passwd_file_parse() function, which parses /etc/passwd and /etc/shadow files. This function does not properly handle lines containing a ':' character in the username field. This bug can be used to perform a denial-of-service attack against systems using libuser, as it prevents the system from parsing the /etc/passwd and /etc/shadow files. We were also able to turn this bug into a local root exploit.
The admin forms of the Unite Gallery Lite WordPress plugin are susceptible to CSRF. Additionally, the following parameters were found to be susceptible to SQLi:
- Form submitted to /wp-admin/admin-ajax.php:
  - data[galleryID]
- Form submitted to /wp-admin/admin.php:
  - galleryid
  - id
Hexis Cyber Hawkeye-G network threat appliance is vulnerable to persistent XSS injection when adding device accounts to the system. The appliance contains an endpoint sensor that collects client information to report back to the Hawkeye-G web interface. When adding device accounts to the system, XSS payloads supplied to the vulnerable parameter 'name' are stored in the database and executed each time certain threat appliance web pages are visited. We can also force internal server 500 errors that leak back-end information: stack traces are echoed out to the end user instead of being suppressed. This can give attackers valuable insight into the system internals, possibly helping them craft more specific attacks.
Multiple CSRF Vulnerabilities:
1- CSRF: add arbitrary accounts to the system
   vulnerable URL: https://localhost:8443/interface/rest/accounts/json
   vulnerable POST parameter: 'name'
2- CSRF: modification of network sensor settings
   a) Turn off 'Url matching' sensor
   b) Turn off 'DNS Inject' sensor
   c) Turn off 'IP Redirect' sensor
   vulnerable URL: https://localhost:8443/interface/rest/dpi/setEnabled/1
   vulnerable POST parameters: 'url_match', 'dns_inject', 'ip_redirect'
3- CSRF: whitelisting of malware MD5 hash IDs
   vulnerable URL: https://localhost:8443/interface/rest/md5-threats/whitelist
   vulnerable POST parameter: 'id'