
Explore Vulnerabilities


Explore all Exploits:

CoreHTTP Server Command Execution Vulnerability

The CoreHTTP server fails to properly sanitize input before calling popen(), which allows an attacker using a standard web browser to execute arbitrary commands. During code review and debugging of CoreHTTP, a look at the http.c source file revealed that only " and are escaped, so shell metacharacters such as |, ` and & (and any other special formatting) pass through unchanged. The URL is then split into two parts: url (which in this case is a script) and args (which carries the attacker-controlled buffer). There is a caveat: DIRLIST overwrites the value of url, and url overwrites the value of args, so for a simple directory listing the vulnerability becomes somewhat harder to exploit (depending on the directory name, the system may still be vulnerable). Finally, here is the call to popen():

    pipe(pipefd);                      /* make pipe then fork */
    c = fork();
    if (c > 0) {                       /* original, keep going */
        close(pipefd[1]);              /* no need to write */
        sprocket->fd = pipefd[0];
        SetNonBlocking(sprocket->fd);
        sprocket->state = READING;
        sprocket->read_func = ReadPipe;
        sprocket->write_func = NULL;
        sprocket->close_func = ClosePipe;
        sprocket->data = (void *)popen(cmd, "r");
        return;
    } else if (c == 0) {               /* child, exec */
        close(pipefd[0]);              /* no need to read */
        dup2(pipefd[1], 1);            /* stdout */
        dup2(pipefd[1], 2);            /* stderr */
        execl("/bin/sh", "sh", "-c", cmd, NULL);
        exit(0);
    }

Because cmd is handed unescaped to both popen() and "sh -c", any shell metacharacter that survives the partial escaping in http.c is interpreted by the shell.

Simple PHP Blog Local File Include Vulnerability

Simple PHP Blog is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

Exploit for Easy RM to MP3 27.3.700 on Windows XP SP3

A buffer overflow vulnerability exists in Easy RM to MP3 27.3.700 on Windows XP SP3. An attacker can exploit it by sending the victim a specially crafted .m3u file containing a malicious payload. The payload is executed when the victim opens the file, resulting in arbitrary code execution.

Mini File Host v1.5 Remote File Upload Vulnerability

This vulnerability allows an attacker to upload a malicious file to the server if the 'storage' directory is not protected with an .htaccess file or any other security measure. The attacker can click 'Browse', select a malicious file and click 'Upload'; after the upload completes, the attacker can copy the new name of the uploaded shell and access it via the URL http://server/script/storage/<shell_name>.php

The Uploader 2.0 Remote File Disclosure Vulnerability

The Uploader 2.0 is vulnerable to remote file disclosure. An attacker can exploit this by sending a crafted HTTP request to the download_checker.php file with a malicious filename parameter. This allows the attacker to read the contents of the config.inc.php file, which contains the MySQL configuration (user and password).

Directory Listing, Cross Site Scripting, Unprotected Admin Panel Files, Unprotected Log Files, Mail Registration Validation Bypass, Full Path Disclosure

Directory Listing: The server is vulnerable to directory listing, which allows an attacker to view the contents of a directory without authentication.
Cross Site Scripting: The server is vulnerable to Cross Site Scripting (XSS) attacks, which allow an attacker to inject malicious code into a web page.
Unprotected Admin Panel Files: The server is vulnerable to unauthorized access to the admin panel files, which allows an attacker to gain access to sensitive information.
Unprotected Log Files: The server is vulnerable to unauthorized access to log files, which allows an attacker to view sensitive information.
Mail Registration Validation Bypass: The server is vulnerable to mail registration validation bypass, which allows an attacker to bypass the registration validation process.
Full Path Disclosure: The server is vulnerable to full path disclosure, which allows an attacker to view the full filesystem path of a file.

Active PHP Bookmarks v1.3 Remote SQL Injection Vulnerability

Mr.Elgaarh discovered a Remote SQL Injection vulnerability in Active PHP Bookmarks v1.3. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. The Dork "Powered by Active PHP Bookmarks v1.3" inurl:.view_group.php?id= can be used to find affected servers. A UNION SELECT statement can then be used to extract the admin username and password from the apb_users table. The admin panel path is http://server/path/cookie_auth.php?action=cookie_login.

Buffer Overflow in Playme_now.m3u

This exploit targets a buffer overflow vulnerability triggered by the Playme_now.m3u file. The vulnerability is caused by a boundary error when handling the file, which can be exploited to cause a stack-based buffer overflow by delivering a specially crafted file to the affected application. Successful exploitation may allow execution of arbitrary code.
