Two blind SQL injection vulnerabilities exist in Webcat: one in the 'web_id' parameter and one in the 'id' parameter of 'cms_view.php'. An attacker can exploit them by supplying crafted SQL in the vulnerable parameters. For 'web_id', comparing the responses to 'http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021' and 'http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021 and ascii(substring((SELECT concat(user_name,0x3a,user_password,0x3a,email,0x0a) FROM usertable limit 0,1),1,1))>80' lets an attacker infer database contents from the difference in responses and so extract sensitive information. The 'id' parameter is exploitable in the same way; the advisory gives the legitimate request 'http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&id=50' and the injected request 'https://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=-1 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(email,0x3a,user_password,0x0a),15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90 from usertable--', which extracts sensitive information from the database.
ActivDesk 3.0 is vulnerable to Cross-Site Scripting (XSS) and Blind SQL Injection. An attacker can inject malicious JavaScript code via the 'keywords0', 'keywords1', 'keywords2', and 'keywords3' parameters in the 'search.cgi' script, and can inject malicious SQL code via the 'cid' and 'kid' parameters in the 'kbcat.cgi' and 'kb.cgi' scripts respectively.
It is possible to read any local file on the server, and because Support Center Plus runs as root/Administrator by default, files owned by superusers are readable too. On a Linux host this makes it possible, for example, to retrieve the "/etc/shadow" file. No authenticated helpdesk account is needed, so any attacker can exploit this vulnerability without credentials.
The IBM Web Application Firewall can be evaded, allowing an attacker to exploit web vulnerabilities that the product is intended to protect against. The issue occurs when an attacker submits repeated occurrences of the same parameter. The example uses the following environment: a web application running on Microsoft IIS with ASP.NET and Microsoft SQL Server 2000, protected by the IBM Web Application Firewall. As expected, a request carrying the attack in a single parameter is identified and blocked (depending on configuration) by the firewall. However, IIS with ASP.NET (and even classic ASP) concatenates the contents of a parameter when multiple entries for it are present in the request. Splitting the attack across two 'iid' parameters therefore produces the concatenated, malicious value on the backend, while the IBM Web Application Firewall does not recognise the request as malicious and allows it to pass through.
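Both the Webcat blind-injection probes above and the repeated-parameter evasion described here come down to the same defensive question: does the inspection point see the value the backend will execute? The following is an added example, not code from any of the advisories or products on this page. It reconstructs the backend view of a query string (ASP.NET's Request.QueryString returns repeated keys joined with a comma, which is the concatenation the advisory refers to) and runs two constructed signature rules over both the individual occurrences and the joined value. The sample request lines, the rule names and the '/app/item.aspx' path are constructed for the demonstration; the 'cms_view.php' line follows the shape of the Webcat probe quoted above.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request lines (path + query only); not real traffic.
SAMPLE_REQUESTS = [
    "/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021",
    "/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021%20and%20ascii(substring("
    "(SELECT%20user_name%20FROM%20usertable%20limit%200,1),1,1))%3E80",
    "/app/item.aspx?iid=10%20union&iid=select%201,2,3",   # attack split over two 'iid'
    "/app/item.aspx?iid=10&iid=11",                       # benign repeated parameter
]

# Signature rules a WAF or log monitor might carry (constructed for this example).
RULES = {
    "union-select": re.compile(r"\bunion\b\W*(all\W+)?select\b", re.I),
    "blind-char-probe": re.compile(r"\bascii\s*\(\s*substring\s*\(.*\)\s*[<>=]", re.I | re.S),
}


def occurrences(query: str) -> dict[str, list[str]]:
    """Group every occurrence of each parameter, preserving request order."""
    grouped: dict[str, list[str]] = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(key, []).append(value)
    return grouped


def backend_view(grouped: dict[str, list[str]]) -> dict[str, str]:
    """What ASP.NET hands the application: repeated keys joined with ','."""
    return {key: ",".join(values) for key, values in grouped.items()}


def match_rules(value: str) -> list[str]:
    """Names of every rule that fires on a single decoded value."""
    return [name for name, rx in RULES.items() if rx.search(value)]


def inspect_each_occurrence(query: str) -> dict[str, list[str]]:
    """Naive inspection: every occurrence of a parameter is judged on its own."""
    hits: dict[str, list[str]] = {}
    for key, values in occurrences(query).items():
        names = sorted({name for value in values for name in match_rules(value)})
        if names:
            hits[key] = names
    return hits


def inspect_backend_view(query: str) -> dict[str, list[str]]:
    """Inspection of the joined value the backend will actually receive."""
    hits: dict[str, list[str]] = {}
    for key, value in backend_view(occurrences(query)).items():
        names = match_rules(value)
        if names:
            hits[key] = names
    return hits


def scan_requests(requests: list[str]) -> list[tuple[str, dict, dict]]:
    """Return (request, per-occurrence hits, backend-view hits) for each line."""
    findings = []
    for req in requests:
        query = urlsplit(req).query
        findings.append((req, inspect_each_occurrence(query), inspect_backend_view(query)))
    return findings


if __name__ == "__main__":
    for req, naive, joined in scan_requests(SAMPLE_REQUESTS):
        print(f"{req}\n  per-occurrence: {naive or 'clean'}\n  backend view:   {joined or 'clean'}")
```

The single-parameter blind probe is caught either way, but the split 'union ... select' is invisible to per-occurrence inspection and only appears once the values are joined the way the backend joins them. A rule set is therefore only as good as the normalisation in front of it; the separator ("," here) must match the framework actually behind the firewall.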
Directory traversal vulnerabilities have been found in ManageEngine ServiceDesk Plus 8.0, a web-based helpdesk system written in Java. The vulnerabilities can be exploited to read local files by placing special characters in variables that are used to build file paths: an attacker inserts “../” sequences to move up towards the root directory and from there navigate the file system.
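The fix for this class of bug is to resolve the user-supplied path against the intended directory and refuse anything that ends up outside it, rather than filtering “../” substrings. The following is an added example in Python, not ServiceDesk Plus code (which is Java); the base directory '/srv/helpdesk/attachments' and the sample inputs are constructed for the demonstration. It decodes once (as the servlet container does before the application sees the value), rejects NUL bytes, treats backslashes as separators, resolves symlinks, and then checks containment.

```python
import os
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised when a user-supplied path would escape the allowed directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Join user_path onto base_dir and return the resolved path, or raise.

    The checks, in order:
    - percent-decode once so "%2e%2e/" is judged as "../";
    - reject empty input and NUL bytes (older Java runtimes truncated names at NUL);
    - treat backslashes as separators so "..\\" is not taken as a plain file name;
    - resolve with realpath (follows symlinks) and require the result to stay
      strictly below the resolved base directory.
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(user_path)
    if not decoded or "\x00" in decoded:
        raise TraversalAttempt("empty path or NUL byte in path")
    decoded = decoded.replace("\\", "/")
    # os.path.join discards base when decoded is absolute; commonpath then rejects it.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise TraversalAttempt(f"path escapes {base}: {user_path!r}")
    return candidate


def is_allowed(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper for logging or tests."""
    try:
        safe_join(base_dir, user_path)
        return True
    except TraversalAttempt:
        return False


# Constructed base directory and inputs for the demonstration.
BASE = "/srv/helpdesk/attachments"
SAMPLE_INPUTS = [
    "reports/2011-04.pdf",            # legitimate relative path
    "sub/../notes.txt",               # harmless "..": still inside base
    "../../../etc/passwd",            # classic traversal
    "..%2F..%2F..%2Fetc%2Fpasswd",    # percent-encoded traversal
    "..\\..\\..\\etc\\passwd",        # backslash traversal
    "/etc/passwd",                    # absolute path
    "notes.txt%00.pdf",               # NUL-byte truncation attempt
]

if __name__ == "__main__":
    for candidate in SAMPLE_INPUTS:
        verdict = "allow" if is_allowed(BASE, candidate) else "REJECT"
        print(f"{verdict:6} {candidate}")
```

The containment test is done on resolved paths, so a symlink inside the attachment directory that points elsewhere is also refused, which a purely lexical check on the string would miss.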
iSupport version 1.8 is vulnerable to SQL injection. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the application; the malicious SQL statements it contains are executed by the backend database. This can give an attacker access to sensitive information stored in the database, such as usernames and passwords.
BrewBlogger 2.3.2 is vulnerable to reflected Cross-Site Scripting (XSS), SQL injection and full path disclosure. All three are triggered by a maliciously crafted URL sent to the target application: a URL containing JavaScript triggers the reflected XSS, a URL containing SQL code triggers the SQL injection, and a crafted URL causes the application to reveal its full installation path.
This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.1 (Build 6.0.10.10) or earlier. By sending a specially crafted On_FC_CONNECT_FCS_LOGIN packet containing a long username, an attacker may be able to execute arbitrary code.
Multiple SQL injection vulnerabilities exist in Same Team E-shop manager, which could allow an attacker to execute arbitrary SQL commands on the underlying database. The vulnerabilities are in the 'id_shop', 'id_article' and 'ref' parameters as used by the 'catalogue.php', 'article.php', 'banniere.php', 'detail_news.php' and 'detail_produit.php' scripts.
This module exploits a buffer overflow in Sielco Sistemi Winlog <= 2.07.00. By sending a specially formatted packet to the Runtime.exe service, an attacker may be able to execute arbitrary code.