Destiny Media Player version 1.61 is vulnerable to a stack-based buffer overflow when processing specially crafted .m3u files. This can be exploited to execute arbitrary code by tricking a user into opening a malicious .m3u file.
This exploit is used to gain access to the username and password of a Lito Lite website. It uses a combination of Cross Site Scripting and Blind SQL Injection to gain access to the website's database.
Destiny Media Player version 1.61.0 is vulnerable to a local stack overflow vulnerability. By creating a specially crafted .m3u file with 31185 A's, an attacker can overwrite the saved return address and execute arbitrary code on the vulnerable system.
The phpSkelSite script is vulnerable to Remote File Inclusion (RFI), Local File Inclusion (LFI) and Cross-Site Scripting (XSS). An attacker can exploit this vulnerability by sending a malicious URL to the vulnerable script. The malicious URL can contain a malicious file or code which can be executed on the vulnerable server.
An implementation error in the imageRotate() function of the gd library in PHP 5 can cause information leakage from the memory of the PHP (or possibly the web server) process. Information leak vulnerabilities allow access to, for example, the Apache memory, which might contain the private RSA key for the SSL cert. If an attacker is able to read it, he can perform real man-in-the-middle attacks on all SSL connections.
A vulnerability in Built2Go PHP Rate My Photo v1.46.4 allows an attacker to upload a malicious file to the server. An attacker can register with the application and add malicious code to the head of a shell file. The attacker can then save the shell file and access it via the member.php page. This vulnerability can be exploited by an unauthenticated attacker.
A vulnerability in Built2Go PHP Link Portal v1.95.1 allows an authenticated user to upload a malicious file to the server. An attacker can exploit this vulnerability by registering with the application and adding malicious code to the head of a shell file. The attacker can then save the shell file and access it via the member.php page. This vulnerability can be exploited by an authenticated user with low privileges.
Konqueror 4.1 is vulnerable to Cross Site Scripting and Remote Crash Vulnerabilities. An attacker can inject malicious JavaScript code into the applications, trash and remote URLs. An attacker can also crash the application by using remote://crash:konqueror@ and applications://crash:konqueror@ URLs. This will cause the application to crash and display a Fatal Error Occurred message.
PowerClan 1.14a is vulnerable to an authentication bypass vulnerability due to a SQL injection flaw. An attacker can exploit this vulnerability by entering ' or 1=1/* as the username and any value as the password to gain access to the admin area.
A SQL injection vulnerability exists in powernews 2.5.4. An attacker can send a specially crafted HTTP request containing malicious SQL statements to the vulnerable application in order to gain access to unauthorized information or to manipulate data. The malicious SQL statements can be sent to the vulnerable application through the 'newsid' parameter.