A persistent (stored) cross-site scripting vulnerability exists in Achievo 1.4.2 because the application fails to sanitize user-supplied input. It can be triggered by any logged-in user who is permitted to add a Scheduler Category: script injected into the category is stored and executes in the browser of any user who later views it.
The vulnerability is caused by an inadequate file-type check in the “Document Types” section of the Setup menu, which allows files with arbitrary extensions to be uploaded into a directory inside the web root. This can be exploited to execute arbitrary PHP code, for example by uploading a crafted PHP script containing a web shell and then requesting it through the web server.
UBB.threads is prone to multiple file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues may allow an attacker to compromise the application and the underlying host; other attacks are also possible. An attacker can exploit these issues via a browser. The first two example URIs below are remote file inclusions (the parameter value is passed to an include of an attacker-controlled URL); the third is a local file inclusion in which the trailing %00 null byte truncates the path, so any suffix the script appends is ignored:
http://server/path/ubb/libs/smarty/Smarty_Compiler.class.php?_plugins_params=[RFI]
http://server/path/ubb/libs/html.inc.php?[USER_LANGUAGE]=[RFI]
http://server/path/ubb/ubbthreads.php?file=../../../../../../../../etc/passwd%00
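The two checks below are an added example written for this page, not code from Achievo, UBB.threads or any other product described here. They show what a correct version of the two failing validations looks like: an extension allowlist for the "Document Types" upload above, and confinement of a user-controlled include/file parameter that rejects remote URLs, the %00 truncation trick and ../ escapes. Function names, the allowlist contents and the sample inputs are assumptions made for the demonstration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Extensions the "document types" feature genuinely needs (constructed list).
# An allowlist, not a blocklist: a blocklist of ".php" misses .phtml, .php5,
# .phar and whatever else the web server happens to hand to the PHP engine.
UPLOAD_ALLOWLIST = frozenset({"pdf", "doc", "docx", "odt", "txt", "png", "jpg"})


def upload_extension(client_name: str) -> Optional[str]:
    """Return the allowlisted extension for an uploaded file, or None to reject it.

    Only the extension is taken from the client-supplied name. The file should
    then be stored under a server-generated name (uuid4().hex + "." + ext), so
    nothing the client typed ever reaches the filesystem.
    """
    # Drop any directory part the client sent ("../x.pdf", "C:\\x.pdf").
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or "\x00" in base or "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    # The last extension decides: "shell.php.jpg" becomes jpg, and because the
    # file is renamed, no ".php" survives for a web server to pattern-match on.
    return ext if ext in UPLOAD_ALLOWLIST else None


def include_path(base_dir: str, user_value: str) -> Optional[str]:
    """Resolve a user-controlled include/file parameter inside base_dir.

    Rejects remote or wrapper URLs (RFI), NUL bytes (the %00 trick that made
    older PHP stop reading the path before an appended ".php"), and any result
    that escapes base_dir via "../" (LFI). A fixed allowlist of includable names
    is the stronger fix; this confinement check is defence in depth.
    """
    value = unquote(user_value)        # the web server decodes %00 and %2e, so do we
    if not value or "\x00" in value:
        return None
    if urlsplit(value).scheme:         # http://, ftp://, php://, data: ...
        return None
    root = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(root, value))
    # normpath has collapsed every "..", so a prefix check is now meaningful.
    if not target.startswith(root + "/"):
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs modelled on the advisories above.
    for name in ("report.pdf", "shell.php", "shell.php.jpg", "../../shell.phtml"):
        print(f"{name:22} -> {upload_extension(name)}")
    libs = "/var/www/ubb/libs"
    for value in ("languages/english.inc.php",
                  "../../../../../../../../etc/passwd%00",
                  "http://attacker.example/shell.txt"):
        print(f"{value:42} -> {include_path(libs, value)}")
```

Both functions fail closed: anything they cannot prove safe is rejected rather than cleaned up, which is the behaviour the original checks lacked.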
Invision Power Board (IPB) is a professional forum system built from the ground up with speed and security in mind, taking advantage of object-oriented code, highly optimized SQL queries and the fast PHP engine. A comprehensive administration control panel helps keep the board running smoothly; moderators get a full range of options through built-in tools and a moderator control panel; members can subscribe to topics, send private messages and perform many other actions through the user control panel. To understand the vulnerabilities it is necessary to be familiar with the way IPB handles input data, so what follows is a quick trace of the input validation process. The code snippets come from IPB version 3.0.4. The init() function cleans the input data passed via GET, POST and the other request methods at the start of each request, before any of the input variables are used. Let's look at the sanitization performed by the cleanGlobals() function.
When a client sends a 'USER test' command and then immediately closes the TCP connection, the CPU usage of Core FTP Server rises to 100% and stays at that level until the FTP service is stopped. Because USER is sent before authentication, no credentials are needed to trigger this denial of service.
Fourtwosevenbb 2.3.2 is vulnerable to SQL injection due to insufficient sanitization of the user-supplied 'post' parameter of the 'showpost.php' script. An attacker can exploit this to read sensitive information from the database, such as usernames and passwords. The PoC for this vulnerability is http://server/[path]/showpost.php?ForumID=1&post=[SQL].
The vulnerability exists in the 'main_forum.php' file, whose 'cat' parameter is placed into a SQL query without sanitization, allowing an attacker to inject arbitrary SQL. It can be exploited by sending an HTTP request with a crafted 'cat' value. The following UNION-based payloads, which match the seven columns of the original query and join id, username and password with ':' (the 0x3a literal), retrieve the administrator and member credentials respectively:
'-1+Union+ALL+Select+1,group_concat(aId,0x3a,aUsername,0x3a,apassword),3,4,5,6,7+FROM+admins--'
'-1+Union+ALL+Select+1,group_concat(mId,0x3a,mUsername,0x3a,mpassword),3,4,5,6,7+FROM+members--'
This code was written for educational purposes. It is a remote SQL injection exploit for Vivid Ads Shopping Cart that extracts the admin's details from the database. The Google dork used to locate targets is 'Vivid Ads Shopping Cart'. The exploit is written in PHP and uses fsockopen to connect to the server and send a GET request to the detail.php page with a malicious payload: a UNION SELECT statement that concatenates the admin user's login and password. The response is then parsed to extract those details.
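The three SQL injection write-ups above (the 'post' parameter, the 'cat' UNION payloads and the Vivid Ads detail.php exploit) all rest on the same mechanism, so here is one added example, not the advisories' own PoC code, that runs the seven-column UNION payload against a constructed SQLite schema and shows, beside it, the parameterised query that defeats it. The admins table and column names follow the payload; the forum-side columns, the row contents and the hashes are made up for the demo, and MySQL's 0x3a hex literal is rewritten as a quoted ':' with '||' concatenation because that is what SQLite understands.

```python
import sqlite3
from typing import List, Tuple

FORUM_COLS = "cat,name,descr,c1,c2,c3,c4"   # seven columns, matching the 7-column UNION


def build_db() -> sqlite3.Connection:
    """Constructed data: one forum category plus an admins table to steal from."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE forums (cat INTEGER, name TEXT, descr TEXT,
                             c1 TEXT, c2 TEXT, c3 TEXT, c4 TEXT);
        INSERT INTO forums VALUES (1, 'General', 'Open discussion', '', '', '', '');
        CREATE TABLE admins (aId INTEGER, aUsername TEXT, apassword TEXT);
        INSERT INTO admins VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO admins VALUES (2, 'mod',   'e10adc3949ba59abbe56e057f20f883e');
    """)
    return con


def vulnerable_lookup(con: sqlite3.Connection, cat: str) -> List[Tuple]:
    """What main_forum.php-style code does: paste the parameter into the SQL text."""
    sql = f"SELECT {FORUM_COLS} FROM forums WHERE cat={cat}"
    return con.execute(sql).fetchall()


def safe_lookup(con: sqlite3.Connection, cat: str) -> List[Tuple]:
    """Parameterised form: the value is bound, never parsed as part of the statement."""
    sql = f"SELECT {FORUM_COLS} FROM forums WHERE cat=?"
    return con.execute(sql, (cat,)).fetchall()


# The advisory's payload adapted to SQLite. '-1' empties the legitimate result
# set so only the UNION row comes back; '--' comments out anything the script
# appends after the parameter.
PAYLOAD = ("-1 UNION ALL SELECT 1,group_concat(aId||':'||aUsername||':'||apassword),"
           "3,4,5,6,7 FROM admins--")


def leaked_admins(con: sqlite3.Connection) -> List[str]:
    """Run the payload through the vulnerable query and split the id:user:hash list."""
    rows = vulnerable_lookup(con, PAYLOAD)
    # Column 2 of the single UNION row carries the group_concat() result, which
    # is why the payload puts the concatenation in the second position.
    return rows[0][1].split(",") if rows else []


if __name__ == "__main__":
    db = build_db()
    print("normal request :", vulnerable_lookup(db, "1"))
    print("injected       :", leaked_admins(db))
    print("parameterised  :", safe_lookup(db, PAYLOAD))   # nothing to inject into
```

With the bound parameter the whole payload string is compared against the integer column and simply matches nothing; the attacker's text never reaches the SQL parser, which is the property the vulnerable scripts lack.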
DAZ Studio is a 3D figure illustration and animation application released by DAZ 3D Inc. It exposes a scripting language that allows considerable flexibility in tool creation. DAZ Studio does not ask the user for any confirmation before executing a script file with any of the following extensions: .ds, .dsa, .dse, .dsb. An attacker could abuse the scripting interface by enticing an unsuspecting user to open a malicious script file, thereby achieving arbitrary code execution in the context of that user.
A remote command execution vulnerability exists in PHP Live! Support v3.1 due to improper validation of user-supplied input in the 'l' parameter of the 'index.php' script. An attacker can exploit it by sending a specially crafted HTTP request containing malicious code in the 'l' parameter, allowing arbitrary code to be executed on the vulnerable system.