This module combines two separate issues within the Support Incident Tracker (<= 3.65) application to upload arbitrary data and thus execute a shell. Both issues exist in ftp_upload_file.php. The first vulnerability exposes the upload directory used to store attachments. The second vulnerability allows arbitrary file upload, since there is no validation function to prevent uploading arbitrary file types. Authentication is required to exploit both vulnerabilities.
Kool Media Converter fails to handle a malformed .ogg file, which can be used to cause a denial of service.
Soda PDF Pro suffers from a restriction of service (RoS) vulnerability when handling PDF or WWF file formats which can be exploited by malicious people to cause a denial of service scenario.
A while back, Tavis showed us three ways to exploit flaws in glibc's dynamic linker involving LD_AUDIT. The first way involved opening a file descriptor and using fexecve to easily win a race with $ORIGIN. The problem was that this required having read permissions on the SUID executables. Tavis recommended a workaround involving filling a pipe until it was full so that anything written to stderr would block. This race, however, was not always successful. The third thing he showed us was that LD_AUDIT would load any trusted library, and he pointed out that libpcprofile.so could be jiggered to create a world-writable, root-owned file in any directory. One candidate would be to write something to a crontab. What if, however, you don't have cron installed? He then went on to explain a quite extensive search routine to find candidates for libraries to load. But why search, when you can already make a world-writable, root-owned file in any directory you want? The easier way is to use libpcprofile.so to create such a file, and then fill that file with the code you want to run. Then, run that code using the same trick.
This module exploits VanDyke Software AbsoluteFTP by overflowing a filename buffer related to the LIST command.
This exploit allows an attacker to remotely disclose or change the root/support password of Comtrend Router CT-5624. The exploit is written in Perl and uses the LWP::Simple module to send a GET request to the router's password.cgi page. The exploit has been tested on two different versions of the router, CT-5624 and CT-5637.
The osCSS2 2.1.0 "_ID" parameter is prone to an LFI vulnerability. The vulnerable code is present in the .htaccess, content.php and page.php files. The PoC exploit involves sending a malicious request to the target server with the _ID parameter set to a malicious file path. This can be used to read sensitive files from the server.
Input passed to the 'content' parameter in 'do.php' on line 2112 is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.
As part of GreenSQL's database security research, we've been validating and extending coverage of known and unknown vulnerabilities in order to increase GreenSQL product security. In this post we reveal a full working Proof of Concept for the CVE-2007-4517 vulnerability which executes arbitrary code. The Exploit: the PL/SQL/2007-4517 exploit is a PL/SQL procedure that exploits the CVE-2007-4517 vulnerability, also known as Oracle Database XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA Procedure Multiple Argument Remote Overflow. The vulnerability is caused by a boundary error in the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure when processing the OWNER and NAME arguments to create an SQL query. This can be exploited to cause a buffer overflow by passing overly long OWNER and NAME arguments to the affected procedure. The PL/SQL procedure calls the xDb.XDB_PITRIG_PKG.PITRIG_DROPMETADATA() function with two arguments: 1. '123'; 2. a buffer (2305 bytes). The buffer consists of payload, jmp instructions, arithmetic instructions and garbage.
All versions of OrderSys <= 1.6.4 are affected by SQL injection vulnerabilities. A valid account may be required to exploit the vulnerabilities. Proof of Concept:
http://localhost/ordersys/ordering/interface_creator/index.php?table_name=vendor&function=search&where_clause=[SQL INJECTION]&page=0&order=Address&order_type=ASC
http://localhost/ordersys/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause=[SQL INJECTION]&page=0&order=Address&order_type=ASC
http://localhost/ordersys/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause=[SQL INJECTION]&page=0&order=Address&order_type=ASC