The exploiter can upload a PHP shell via the upload.php script by renaming it to $name.php.wmv. The uploaded file will be in the user's account number folder. For example, if the user's account number is 4, the file path will be http://localhost/Forum/$gallery_path/files/4/$name.php.wmv. If the user's account number is 12345, the file path will be http://localhost/Forum/$gallery_path/files/1/2/3/4/5/$name.php.wmv.
Galatolo Web Manager suffers from insecure cookie handling. When an admin login is successful, the script creates a cookie to show the rest of the admin area that the user is already logged in. The problem is that the cookie doesn't contain any password or anything similar, therefore we can craft an admin cookie and make it look like we are logged in as a legitimate admin. The exploit is JavaScript code that sets the cookie values to 'admin' for both 'gwm_user' and 'gwm_pass' and then visits the '/admin' page to gain admin access.
The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'content' parameter to the '/include/head_chat.inc.php' script. This can be exploited to include arbitrary files from local resources via directory traversal attacks.
Comdev Web Blogger version 4.1.3 and prior versions suffer from a remote SQL injection vulnerability. The exploit is http://[target]/[path]/arcmonth.php?arcmonth=[SQL].
A remote file inclusion vulnerability exists in Pragyan 2.6.2. An attacker can exploit this vulnerability to execute arbitrary code on the vulnerable system. The vulnerability is due to the application failing to properly sanitize user-supplied input to the 'sourceFolder' parameter in the 'form.lib.php' script. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request containing a URL in the 'sourceFolder' parameter. This can allow the attacker to execute arbitrary code on the vulnerable system.
pSys is a module-based PHP script which is vulnerable to multiple Remote File Include vulnerabilities. The vulnerability exists in different files, in different variables and on different lines. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server.
Galatolo Web Manager (GWM) version 1.3a is vulnerable to XSS and Remote SQL Injection. An attacker can inject malicious code into the 'tag' parameter of the 'all.php' script and execute arbitrary JavaScript code in the browser of the victim. An attacker can also inject malicious SQL code into the 'id' parameter of the 'index.php' script of the 'users' plugin to gain access to the database of the application.
Input passed to multiple parameters in "predefined_variables.php" is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources. POC: http://localhost/pluck-4_5_1/data/inc/themes/predefined_variables.php?blogpost=../../../../../../../../boot.ini
This vulnerability requires register_globals to be on. The file 'admin/index.php' (and most of the admin files) includes the file 'login.php', which contains a script that checks whether the user has posted a valid login and password. If the user calls the login.php file directly, the script will not check the login and password, and will set the session variable 'admin_login' to true.
A vulnerability in Yahoo Messenger 8.1 (latest) allows remote attackers to cause a denial of service (crash) via a crafted string argument to the c method of the target ActiveX control.