Certain versions of O'Reilly WebSite Professional's web server package ship with a utility called 'webfind.exe' that contains a remotely exploitable buffer overflow. This allows a remote user to execute arbitrary commands on the server by providing unchecked user input through a search page. The buffer overrun occurs in the 'QUERY_STRING' variable derived from the user's search keywords. The provided code is a proof of concept that launches the 'calc.exe' window on the server's machine.
Alibaba Web Server fails to filter piped commands when executing CGI scripts. This can be used to execute commands with the privileges of the web server process on a target machine.
Netzero, a free internet service provider, stores the username and password locally in a text file called id.dat. The encryption used for storing the credentials is weak and can be easily decrypted. The exploit allows malicious users to decrypt the username and password using a simple substitution cipher.
This is an exploit for Phorum 5 that allows for arbitrary local file inclusion. It works if the target server has register_globals set to On and magic_quotes_gpc set to Off. The exploit requires a valid user account and can execute shell commands. It supports options for specifying a different port or using a proxy. The examples provided demonstrate how to use the exploit with different commands and options.
A remote attacker can execute code as root by exploiting the format-string vulnerability in the 'rpc.statd' program, which is part of the 'nfs-utils' package that is shipped with a number of popular Linux distributions. The attacker can construct a format string that injects executable code into the process address space and overwrites a function's return address, thus forcing the program to execute the code.
Cvsweb 1.80 makes an insecure call to the Perl open function, giving attackers who have write access to a CVS repository the ability to execute arbitrary commands on the host machine. The code being exploited is the following: open($fh, "rlog '$filenames' 2>/dev/null |"). The attacker's commands are executed whenever the CVSweb page for the affected repository is visited, whether by the attacker or by anyone else.
This exploit allows an attacker to disclose admin credentials through an SQL injection vulnerability in the 'ip' argument of the memberlist.php file in phpBB 3. It works regardless of php.ini settings and requires a global moderator account with the 'simple moderator' role.
The AlienVault application is vulnerable to a reflected XSS attack in the 'url' parameter of 'top.php'. An attacker can entice a logged-in user to visit a malicious URL and hijack their session. Additionally, there is a blind SQL injection vulnerability in the 'tcp_port' parameter of 'base_qry_main.php' that allows an attacker to extract the admin hash. The vulnerability was reported to CERT on 28 May 2012 and publicly disclosed on 23 Jul 2012.
By supplying an overly large username or groupname with the IR_INIT command, it is possible to trigger a remote buffer overflow condition. Successful exploitation will enable a remote attacker to execute arbitrary code as the user the Canna server is running as.
BitchX IRC clients, versions 75 up to and including 1.0c16, are vulnerable to a Denial of Service and possible remote execution of code. By /invite-ing someone to a channel name containing formatting characters (%s, %n, etc.), an IRC user can cause the targeted user's BitchX client to segfault. This is caused by the fact that BitchX passes the channel name from the invite into the logging function as its format string (which is used directly in a vsprintf), rather than as an argument to the format. This also affects the KILL command.