Explore Vulnerabilities

Explore all Exploits:

Arcadwy Arcade Script (for ByPass) Insecure Cookie Handling Vulnerability

An attacker can exploit this vulnerability by setting a malicious cookie value using the JavaScript code 'javascript:document.cookie = "user=[admin_id],' or ' 1=1--; path=/";'. For the demo, the JavaScript code 'javascript:document.cookie = "user=1,' or ' 1=1--; path=/";' can be used.

pam-krb5 < 3.13 local privilege escalation

pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application.

glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit

The vulnerability exists in the 'order' and 'direction' arguments of the ExecuteQueries() function in /private/system/classes/listfactory.class.php, near line 336. The filtering is insufficient: the values pass through COM_applyFilter(), which calls COM_applyBasicFilter() in /public/lib-common.php near line 5774, but the variables are not surrounded by quotes in the query, so characters that the filter leaves intact still reach the SQL statement. The exploit is triggered by requesting the URL http://[target]/[path]/list.php?order=[sql]&direction=[sql].

PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit

PowerCHM is a program used to create CHM files from HTML files, text files, Microsoft Word documents and Adobe Acrobat documents. This is a local buffer overflow exploit, tested on Windows XP Pro SP2 (English). It creates a file called 'Watchmen.hhp' that contains a header followed by the overflow payload. The payload consists of the shellcode 8B EC 33 FF 57 C6 45 FC 63 C6 45 FD 6D C6 45 FE 64 C6 45 F8 01 8D 45 FC 50 B8 C7 93 BF 77 FF D0, followed by 41 bytes of padding and the return address 0x4212EDE8.

PowerCHM 5.7 (hhp file) Stack overflow PoC

PowerCHM 5.7 is vulnerable to a stack-based buffer overflow when a specially crafted hhp file is opened. The flaw is a boundary error in the handling of the 'Title' field of the hhp file, which can be triggered by supplying an overly long string in that field.

FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit

A vulnerability in the SFTP Rename operation of FreeSSHd 1.2.1 was discovered by r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au). The vulnerability was patched in 1.2.2. It is exploited by sending a malicious payload to the server; the payload consists of NOPs, shellcode, padding, and the nextSEH and SEH values that overwrite the exception handler record.

Free PHP Petition Signing Script Release Login SQL injection

A SQL injection vulnerability exists in the Free PHP Petition Signing Script Release that allows an attacker to gain access to the admin panel. The vulnerable code is in index.php, where the application does not sanitize user-supplied input before using it in an SQL query. The vulnerability is exploited by sending a specially crafted HTTP request containing SQL statements in the username parameter, which grants access to the admin panel.

Simply Classified v0.2 (category_id) SQL Injection Vulnerability

Simply Classified v0.2 is vulnerable to SQL injection in the category_id parameter. An attacker can exploit this vulnerability to query the database and extract sensitive information such as usernames and passwords. The vulnerable code is in adverts.php, lines 33-34. The exploit is a URL with the category_id parameter set to a UNION ALL SELECT statement that concatenates the login and password fields from the members table.