A universal Object Injection payload for vulnerable PHP applications, which make use of TCPDF library, is here shared. The payload abuses the __destruct() magic method of the Tcpdf class defined in tcpdf.php and allows to arbitrary delete files on the filesystem.
When doing the SSH version exchange, if the server sends a banner missing , it can lead the PrivateShell client to crash.
The vulnerability is caused due to a boundary error in the processing of a user input in the registration id field of the registration procedure, which can be exploited to cause a buffer overflow when a user inserts long array of string for the ID. Successful exploitation could allow execution of arbitrary code on the affected machine.
I have discovered a vulnerability in Clickheat 1.13 onwards that would allow an attacker to execute arbitrary commands on the remote webserver, in the context of the user running the webserver, without authentication. This could lead to unauthenticated access to the Clickheat web application, and potentially complete takeover of the remote webserver. For the exploit to be successful, the webserver (Apache was tested in this case) must be configured to handle Perl (.pl) scripts and have the ExecCGI directive present in the VirtualHost configuration. The issue stems from a script called parseClickLogs.pl in the /scripts directory of clickheat. If the Apache configuration is setup as above, this script will be executed when a user visits /clickheat/scripts/parseClickLogs.pl, as shown in Apache logs. Arbitrary parameters can be supplied to the script directly from the URL, separated by +'s. In the script, on line 48 is a vulnerable open() command.
The Sendio [1] ESP Web interface authenticates users with a session cookie named 'jsessionid'. The vulnerability [CVE-2014-0999] is caused due the way the Sendio ESP Web interface handles the session cookie. When a user logs in to the Web interface, the application generates a session cookie and stores it in the user's browser. This cookie is used to authenticate the user in subsequent requests. The vulnerability is caused because the application does not properly sanitize the session cookie when it is included in URLs. This allows an attacker to access the Web interface without authentication by using the session cookie of a valid user.
Unauthenticated Blind SQL Injection via gallery_id field.
On the registration form the address field is not validated before returning it to the user. Visiting the Directory page, will show the confirm window.
Remote Code Execution via email field. When the admin user checks the subscibers list, the php code is executed.
Jackrabbit WebDAV plugin use insecurely configured XML parser to parse incoming PROPPATCH and PROPFIND requests. As a result it is vulnerable to XXE attacks. Besides Jackrabbit JCR, WebDAV plugin is incorporated into the following software: Apache Sling, Adobe AEM.
An authenticated SQL injection vulnerability exists in the WordPress plugin "GigPress" due to insufficient sanitization of user-supplied input in the "show_artist_id" parameter of the "admin/handlers.php" script. An attacker can exploit this vulnerability to execute arbitrary SQL commands in the application's back-end database.