A vulnerability exists in Calendar Script v1.1 which allows an attacker to bypass the authentication process and gain access to the admin panel. This is due to the application not properly sanitizing user-supplied input to the 'username' parameter when handling the 'login' action. An attacker can exploit this vulnerability by supplying a crafted 'username' parameter value of ' or 1=1#' and any value for the 'password' parameter.
The exploit creates and prints a malformed PostScript document that causes the CUPS pstopdf filter to write an error message containing the string /tmp/getuid.so to its log file. Because the pstopdf log file /tmp/pstopdf.log is also symlinked to /etc/ld.so.preload, the error message, and with it the malicious shared library path, is appended to the ld.so.preload file, allowing privileges to be elevated to root.
RoundCube Webmail is a browser-based IMAP client that uses the 'chuggnutt.com HTML to Plain Text Conversion' library to convert HTML text to plain text. This library uses the preg_replace PHP function in an insecure manner. The vulnerability allows an attacker to execute arbitrary shell commands using PHP curly-brace syntax plus some tricks to bypass PHP magic_quotes_gpc so that single or double quotes are not needed.
SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit allows an attacker to obtain the cookies of a user on the SolarCMS 0.53.8 (Forum) platform. It works by sending a specially crafted HTTP request to the server, which returns the user's cookies in the response. The attacker can then use those cookies to gain access to the user's account.
CoolPlayer is prone to a buffer overflow vulnerability when processing specially crafted skin files. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
Pligg 9.9.5 Beta contains a vulnerability in the unfiltered $_GET['url'] parameter of 'evb/check_url.php'. The filtering strips tags and converts HTML special characters, but this is not enough, because an attacker can use MySQL's CHAR() function to encode the shell using only allowed characters. The exploit tries to obtain the full server path and, if that fails, brute-forces it. Once the path has been found, the exploit attempts to upload a tiny shell via SQL injection.
A vulnerability in the WordPress plugin Page Flip Image Gallery version 0.2.2 allows an attacker to disclose sensitive information from the server. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'book_id' parameter of the 'getConfig.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable script. This may allow the attacker to disclose sensitive information from the server, such as the '/etc/passwd' file.
A vulnerability in Text Lines Rearrange Script (download.php filename) allows an attacker to read arbitrary files on the server. The vulnerability is due to insufficient sanitization of user-supplied input to the 'filename' parameter in the download.php script. An attacker can exploit this vulnerability by sending a malicious HTTP request to the vulnerable script with a specially crafted filename parameter. This will allow the attacker to read arbitrary files on the server.
This exploit tries to read an arbitrary file. It requires magic_quotes_gpc=off.
PHPg 1.6 has a few XSSes, path disclosures, and a DoS vulnerability. The first two XSSes can be triggered by sending a malicious URL to the application. The path disclosure can be triggered by sending a malicious file name to the application. The DoS can be triggered by creating a folder with a malicious name.