A vulnerability exists in Arab Portal v2.1 which allows an attacker to remotely disclose files from the server. An attacker can send a specially crafted HTTP request containing directory traversal sequences (e.g. ../../../admin/conf.php) to the vulnerable server in order to access sensitive files. This vulnerability only works on Windows servers.
A vulnerability in NICE FAQ Script allows an attacker to bypass authentication and gain access to the administrative panel. The application fails to properly sanitize user-supplied input before using it in an SQL query. An attacker can exploit this vulnerability by supplying a specially crafted username and password. The username should be set to 'Admin' and the password should be set to ' OR 1=1--'. This causes the application to bypass authentication and grant the attacker access to the administrative panel.
Pre ADS Portal is prone to multiple vulnerabilities, including an authentication bypass vulnerability and multiple cross-site scripting vulnerabilities. An attacker can exploit these issues to bypass authentication and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
A SQL injection vulnerability exists in Photo Gallery v1.2, which allows an attacker to execute arbitrary SQL commands via the 'cat_id' and 'photo_id' parameters in the 'gallery_category.php' and 'gallery_photo.php' scripts. An attacker can also bypass the authentication of the admin panel by using 'cyb3r-1st ' or ' 1=1--' as the username and password.
The Membership System V1.3 is vulnerable to SQL injection. An attacker can bypass authentication by using ' or 1=1-- as the username and password.
A SQL injection vulnerability exists in News And Article System v1.4. An attacker can inject malicious SQL queries via the 'aid' parameter in the 'article_details.php' script. An attacker can also bypass the authentication of the admin panel by using 'cyb3r-1st ' or ' 1=1--' as the username and password.
An unauthenticated attacker can exploit a SQL injection vulnerability in Events Calendar v1.2 to gain access to the application's database. By sending a specially crafted HTTP request, an attacker can inject malicious SQL code into the application's query. This can be used to gain access to sensitive information such as usernames and passwords.
hMailServer 4.4.2 is vulnerable to local and remote file inclusion. An attacker can exploit this vulnerability to gain access to sensitive information such as the administrator password and the database password. The vulnerability exists due to insufficient sanitization of user-supplied input to the 'page' and 'hmail_config[includepath]' parameters in the 'index.php' and 'initialize.php' scripts. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing directory traversal sequences and a malicious file name to the vulnerable script. Successful exploitation of this vulnerability can result in unauthorized access to sensitive information.
A SQL injection vulnerability exists in the Mole-Group Taxi Calc Dist Script. An attacker can bypass the authentication process by entering the username 'cyb3r-1st' and the password 'cyb3r-1st' in the login page. This will allow the attacker to gain access to the application.
The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'flight' parameter to the 'info.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application's database. This can be exploited to bypass authentication, compromise the database, read/write arbitrary files, and execute arbitrary code on the server.