
Explore Vulnerabilities


Explore all Exploits:

Google SketchUp Pro 7.0 Model File Handling Remote Stack Overflow PoC

Google SketchUp Pro 7.0 suffers from a memory corruption and stack-based buffer overflow vulnerability. It fails to handle the .skp file format correctly, resulting in a crash that overflows the stack and pops up Google's crash reporter tool. EBX, ESI and EDI get overwritten (depending on the offset). The issue is triggered when double-clicking the file or simply selecting it through the Open menu. The same happens with the two other applications included in this Pro version of Google SketchUp. LayOut 2.0 (current version: 2.0.10247) suffers from the same issue when inserting the .skp file via File -> Insert -> evil.skp, and Style Builder 1.0 (current version: 1.0.10247) via Preview -> Change Model -> evil.skp. Another issue lies in the DLL files shipped with the Google SketchUp Pro package: ThumbsUp.dll and xerces-c_2_6.dll hook into the Microsoft Thumbnail view. If you select the created 'SketchUp_PoC.skp' file, explorer.exe instantly crashes and restarts. Every application that uses Open dialog boxes will crash if you view the folder containing the PoC file in thumbnail view; for example, attaching files to an e-mail through Mozilla Firefox and viewing thumbnails of the PoC crashes Firefox with its crash reporter, and the same applies to MS Office, Skype, MSN Messenger, etc.

linkSpheric 0.74 Beta 6 SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending malicious SQL queries to the vulnerable application. This can be done by sending a specially crafted HTTP request to the vulnerable application. The malicious SQL query can be sent as a parameter value in the vulnerable URL. This can allow an attacker to access or modify the data in the back-end database.

PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit

This exploit allows an attacker to read the /etc/passwd file of a vulnerable PunBB Reputation.php Mod <= v2.0.4 website. The exploit requires the register_globals and magic_quotes_gpc settings to be enabled. The attacker can use the LWP::UserAgent and HTTP::Cookies Perl modules to send a malicious request to the vulnerable website, which then returns the contents of /etc/passwd. The attacker can save the returned contents locally and use them in further attempts to gain access to the system.

MUJE CMS 1.0.4.34 Local File Inclusion Vulnerabilities

MUJE CMS 1.0.4.34 is vulnerable to Local File Inclusion. No admin privileges are required for the exploit. The PoCs are http://127.0.0.1/path/admin.php?_class=../../../../../../boot.ini%00 and http://127.0.0.1/path/install/install.php?url=../../../../../../../boot.ini. Admin privileges are required for the exploit http://127.0.0.1/path/admin.php?_htmlfile=../../../../../../boot.ini%00.

Really Simple CMS 0.3a (pagecontent.php PT) Local File Inclusion Vulnerability

Really Simple CMS 0.3a is vulnerable to a local file inclusion vulnerability due to a lack of sanitization of user-supplied input to the 'PT' parameter in the 'plugings/pagecontent.php' script. An attacker can exploit this vulnerability to include arbitrary files from the web server, such as '/boot.ini', by passing a maliciously crafted 'PT' parameter in a request. This can lead to the disclosure of sensitive information.

d.net CMS (LFI/SQLI) Multiple Remote Vulnerabilities

d.net CMS is vulnerable to SQL Injection and Local File Inclusion. No admin privileges are required for the SQL Injection, while admin privileges are required for the Local File Inclusion. The PoC for SQL Injection is http://127.0.0.1/path/index.php?page=null+union+all+select+1,concat_ws(0x3a,username,password),3,4,5,6,7+from+cms_security_master+where+id=1-- and the PoC for Local File Inclusion is http://127.0.0.1/path/dnet_admin/index.php?edit_id=2&_p=2&type=../../../../../../boot.ini%00.

CMSphp 0.21 (LFI/XSS) Multiple Remote Vulnerabilities

CMSphp 0.21 is vulnerable to both Local File Inclusion and Cross-Site Scripting. The Local File Inclusion vulnerability can be exploited by sending a specially crafted HTTP request to the vulnerable application. The Cross-Site Scripting vulnerability can be exploited by sending a specially crafted HTTP request containing malicious JavaScript code to the vulnerable application.

Orbis CMS 1.0 (AFD/ADF/ASU/SQL) Multiple Remote Vulnerabilities

Orbis CMS 1.0 is vulnerable to Arbitrary File Download, Arbitrary File Delete, and SQL Injection. No login is required for Arbitrary File Download and Arbitrary File Delete; for SQL Injection, a login is required.

The vulnerable code for Arbitrary File Download is: header('Content-Type: application/force-download'); header('Content-Disposition: attachment; filename="'.basename($_GET['fn']).'"'); readfile($_GET['fn']); The 'fn' parameter is passed to readfile() without any path validation. PoCs: http://127.0.0.1/[path]/admin/fileman_file_download.php?fn=../../../../../../../boot.ini and http://127.0.0.1/path/admin/fileman_file_download.php?fn=includes/config/db.php.

The vulnerable code for Arbitrary File Delete is: $filename = $_GET['fn']; unlink($filename) or die("Couldn't delete ".$filename.". Please contact your web designer."); Again, the 'fn' parameter reaches unlink() unvalidated. PoC: http://127.0.0.1/[path]/admin/fileman_file_delete.php?fn=../uploads/example.jpg.

The vulnerable code for SQL Injection is: $sql = "SELECT * FROM users WHERE username='".$_POST['username']."' AND password='".$_POST['password']."'"; Both POST values are concatenated directly into the query. PoC: username: ' or 1=1-- and password: ' or 1=1--.
