Adcycle is a package of Perl scripts available from Adcycle.com. The scripts are designed to manage banner ad rotation through a web interface, backed by a MySQL database. A problem with the suite could allow remote execution of commands. The way the script handles input may allow users to gain access to the accounts of other users that are currently logged in. By generating a custom crafted request and appending it to the adcenter.cgi script, a user would be able to supply the values needed to get access to the system and execute commands as a user already logged into the system. This makes it possible for a malicious user to gain access to database resources and execute arbitrary commands.
It is possible for a remote user to cause a denial of service condition in Working Resources BadBlue by requesting a specially crafted URL composed of 284 or more bytes. A restart of the server is required in order to restore normal functionality.
Bajie Webserver is vulnerable to command injection when a specially crafted URL containing arbitrary code is requested. Any arbitrary commands appended to a malicious URL after the ';' will be executed as an independent job.
A remote user can use Bajie's built-in upload feature to place malicious scripts on Bajie web servers. These uploaded scripts are placed in known destination directories and can be automatically executed. Unfortunately, Bajie's CGI processor does not verify that the CGI program exists before executing the script. Once these files are uploaded, they can then be executed as CGI scripts on the server.
It is possible for a remote user to gain read access to directories and files outside the root directory of ITAfrica WEBactive by requesting a specially crafted URL composed of '../' sequences.
It is possible for a remote user to gain read access to directories and files outside the root directory of ES.One. Requesting a specially crafted URL by way of 'store.cgi', composed of '/../' sequences and appended with '%00' will disclose an arbitrary directory.
A buffer overflow vulnerability has been reported in the John Roy Pi3Web web server. The ISAPI application within the server fails to properly handle user supplied input. Requesting a specially crafted URL will cause the buffer to overflow and possibly allow the execution of arbitrary code. Pi3Web has also been known to disclose the physical path to the web root when an invalid URL is requested.
WebPALS is vulnerable to a specially crafted URL composed of a known filename, which can be used to disclose the requested file residing on a machine running WebPALS. This vulnerability can also be used to execute arbitrary code with root privileges.
WebPALS is vulnerable to a specially crafted URL composed of a known filename, which will disclose the requested file residing on a machine running WebPALS. This vulnerability will also allow an attacker to execute arbitrary code with root privileges.
A remote user could gain read access to known files outside of the root directory where HIS Software Auktion 1.62 resides. Requesting a specially crafted URL composed of '../' sequences along with the known filename will disclose the requested file. This vulnerability could also lead to the execution of arbitrary code.