Acc Auto Dealer Script is vulnerable to persistent XSS and SQL Backup. An attacker can inject malicious JavaScript code into the Description field of the user profile, which will be executed when the site admin visits the user profile. Additionally, the attacker can access the SQL backup file which contains user credentials.
ZeeCareers v2x is vulnerable to XSS and Auth Bypass. An attacker can inject malicious JavaScript code into the 'title' parameter of the 'basic_search_result.php' page. Additionally, the 'editprofile.php', 'forgot.php', 'additionalfeatures.php' and 'employer_reg.php' pages are vulnerable to Auth Bypass.
This exploit is a proof-of-concept for a memory corruption vulnerability in Mozilla Codesighs. The vulnerability is caused by a lack of proper input validation when parsing a line of text from a file. This can be exploited to execute arbitrary code by supplying a specially crafted line of text. The vulnerability is triggered when the program attempts to scan the line of text using the sscanf() function.
The value of the module parameter passed to the index.php page is included using the PHP main function. This could amount to a local file inclusion vulnerability, but in this case the final NULL byte is properly sanitised. However, an invalid module name produces a warning message that discloses the full path of the affected page.
None of the parameters of this application are properly sanitised, and all of them are affected by SQL injection.
This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0. An attacker must send the file to the victim and the victim must open the file. Alternatively, it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio. This functionality has not been tested in this module.
In older versions of XAMPP, 'xamppsecurity.php' was accessible only from localhost, but in version 1.7.2 it is accessible by all. As a result, you can change the .htaccess user and password and the phpMyAdmin password.
A SQL injection vulnerability exists in Illogator Shop, which allows an attacker to bypass authentication by providing a crafted username and password. The crafted username and password are '1'or'1'='1'. This allows an attacker to gain access to the application without providing valid credentials.
I've noticed one XSS exploit was found by someone else, so I decided to check it a little bit more and I found some sweet CSRF exploits in the admin panel. The exploits include CSRF Delete Email List, CSRF Clear Queue, CSRF Send letter, and CSRF Delete Email by ID.
The GET 'where' parameter passed to SearchResults.php is not properly sanitised. Because of the affected query, the Magic Quotes GPC flag (php.ini) may be on.