A Cross-Site Request Forgery (CSRF) vulnerability exists in NooMS CMS version 1.1.1. An attacker can craft a malicious HTML page containing a form with hidden fields that, when submitted, modifies the settings of the NooMS CMS. The form contains fields for the admin username, admin password, site name, site URL, number of results per page, language, and theme. An attacker can modify these settings without the administrator's knowledge.
The vulnerability exists due to the failure of the 'editprofile.php' and 'admin.php' scripts to properly sanitize user-supplied input. An attacker can alter queries sent to the application's SQL database, execute arbitrary queries against the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database. A user can also execute arbitrary JavaScript code within the vulnerable application. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data.
The vulnerability exists due to the failure of the 'users/edituser.php' script to properly verify the source of an HTTP request. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data. An attacker can use a browser to exploit this vulnerability. The following PoC is available: <form action='http://host/users/edituser.php?id=USERID&action=update' method='post' name='main'><input type='hidden' name='un' value='test'><input type='hidden' name='unOld' value='test'><input type='hidden' name='fn' value='test'><input type='hidden' name='tit' value='test'><input type='hidden' name='em' value='email (at) example (dot) com [email concealed]'><input type='hidden' name='pw' value=''><input type='hidden' name='pwa' value=''><input type='hidden' name='perm' value='5'><input type='hidden' name='Save' value='Save'></form><script>document.main.submit();</script>
A user can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to the failure of the 'projects/viewprojectsite.php' script to properly sanitize user-supplied input. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data. An attacker can use a browser to exploit this vulnerability. The following PoC is available: http://host/projects/viewprojectsite.php?id=PROJECTID&action=add&task=1&title=<script>alert(document.cookie)</script>
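Both CSRF advisories above (the NooMS settings form and the users/edituser.php form) come down to the same missing server-side check. The following Python is an added example, not code from either product: it binds a per-session token to the form and rejects a POST whose Origin/Referer is foreign or whose token is absent or wrong. The session and request are plain dicts, and the '_csrf' field name and the site origin are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://host"  # assumed: the site origin seen in the PoC's action URL
TOKEN_FIELD = "_csrf"        # hypothetical name of the hidden token field

def issue_csrf_token(session):
    """Generate a per-session token, store it server-side and return it so the
    form page can embed it as a hidden field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token

def verify_edituser_request(session, headers, form):
    """Gate a state-changing POST: (1) the Origin (or Referer) must be this site,
    (2) the submitted token must match the session's. Returns (allowed, reason)
    so a rejected attempt can be logged for detection."""
    # The PoC page is served from the attacker's origin, so the browser attaches
    # a foreign Origin/Referer (or none); either case is rejected here.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer on state-changing request"
    parts = urlsplit(source)
    if "%s://%s" % (parts.scheme, parts.netloc) != SITE_ORIGIN:
        return False, "cross-origin source: " + source
    # Constant-time comparison so the check itself does not leak the token.
    expected = session.get("csrf_token", "")
    supplied = form.get(TOKEN_FIELD, "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"

def demo():
    """Constructed requests: the PoC's forged POST versus a genuine one. The field
    names are the ones in the PoC; the values are made up."""
    session = {"user_id": 1}
    token = issue_csrf_token(session)
    fields = {"un": "test", "unOld": "test", "fn": "test", "tit": "test",
              "em": "user@example.invalid", "pw": "", "pwa": "", "perm": "5",
              "Save": "Save"}
    forged = verify_edituser_request(
        session, {"Origin": "http://attacker.invalid"}, dict(fields))
    genuine = verify_edituser_request(
        session, {"Origin": SITE_ORIGIN}, {**fields, TOKEN_FIELD: token})
    return {"forged": forged, "genuine": genuine}
```

A rejected request with a foreign Origin is also the signal to log: a burst of such rejections against edituser.php is what a CSRF attempt looks like from the server side.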
S40 CMS is prone to a Local File Inclusion vulnerability because of poor security checks and bad input sanitization: GET variables are not properly sanitized before being included via PHP's require() function. A quick look at the page() function makes the security issue clear: $pid ($_GET['p']) is neither sanitized nor checked against a valid regular expression before being returned to the require() call in index.php.
GreenPants 0.1.7 is vulnerable to multiple SQL Injections. The vulnerable files are indexheader.php, searcher.php, indexviewentry.php, editcat.php and editemot.php. An attacker can exploit these vulnerabilities by sending malicious input to the vulnerable parameters. For example, http://localhost/greenpants/index.php?id=-99 UNION SELECT VERSION() can be used to exploit the vulnerability in indexheader.php.
A local file inclusion vulnerability in eyeOS 2.3 can be exploited to include arbitrary files. A reflected cross-site scripting vulnerability in eyeOS 2.3 can be exploited to execute arbitrary JavaScript.
A SQL injection vulnerability in Graugon Forum 1.3 can be exploited to extract arbitrary data. In some environments it may be possible to create a PHP shell.
The vulnerability exists in the Dream Vision Technologies Pvt Ltd web application. An attacker can exploit it by injecting SQL into a vulnerable URL parameter, for example http://site.com/product.php?sid=[SQLI] or http://site.com/detail.php?id=[SQLI].
This exploit is based on a buffer overflow vulnerability in Mplayer Lite 33064. It uses shellcode to execute a command (calc.exe) and a return-oriented programming technique to bypass the non-executable stack protection. It has been tested on Windows 7 x64 and does not work on 32-bit without heavy modification of the offsets.
Input passed via the 'show' parameter to the 'includes/classes/tutorial.php' script is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.