Audioactive Player v1.93b is vulnerable to a local stack-based buffer overflow. The flaw is a boundary error in the handling of specially crafted .m3u files and is triggered when a user is enticed to open such a file with the vulnerable application. Successful exploitation could result in arbitrary code execution.
The ArtForms 2.1b7 component for Joomla! contains a vulnerability that allows remote attackers to include arbitrary files from local resources via a URL in the mosConfig_absolute_path parameter to the imgcaptcha.php, mp3captcha.php, and swfmovie.php scripts in the components/com_artforms/assets/captcha/includes/captchaform/ and components/com_artforms/assets/captcha/includes/captchatalk/ directories, respectively.
D-Link released new firmware designed to protect against malware that alters DNS settings by logging in to the router using default administrative credentials. There is a flaw in the captcha authentication system that allows an attacker to glean your WiFi WPA pass phrase from the router with only user-level access, and without properly solving the captcha. When you login with the captcha enabled, the request looks like this: GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2. The hash is a salted MD5 hash of your password, the auth_code is the captcha value that you entered, and the auth_id is unique to the captcha image that you viewed (this presumably allows the router to check the auth_code against the proper captcha image). The problem is that if you leave off the auth_code and auth_id values, some pages in the D-Link Web interface think that you’ve properly authenticated, as long as you get the hash right: GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a. Most notably, once you’ve made the request to post_login.xml, you can activate WPS with the following request: GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0. When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and retrieve the WPA passphrase directly from the router.
A vulnerability in MRCGIGUY Top Sites 1.0.0 allows an attacker to set an insecure cookie and thereby gain access to the admin panel without authentication.
A vulnerability in MRCGIGUY SimpLISTic SQL 2.0.0 allows an attacker to inject a malicious cookie into the application, which can be used to gain access without authentication. The exploit is a JavaScript snippet that sets a cookie with the value 'logged in' and the path '/'.
Authentication can be bypassed via SQL injection by entering ' or 1=1-- in the username and password fields. XSS is possible by entering '><script>alert(1)</script> in the questionid parameter.
A vulnerability exists in Ultimate Profit Portal Version 1.0.1 which allows an attacker to set an arbitrary cookie value. An attacker can exploit this by setting the uppadmin cookie to 'logged in', which grants access to the admin panel without authentication. The exploit code is javascript:document.cookie="uppadmin=logged%20in;path=/"; and a demo of the exploit can be found at http://www.myhotlinks.net/cgi-bin/directory/admin.cgi.
The Ticket System / The Ticket System PHP Version 2.0 is vulnerable to insecure cookie handling. An attacker can exploit this by setting a malicious cookie with the value 'ttc_admin=1%7Cadmin;path=/', which grants administrative access to the application.
A vulnerability in Amazon Directory Version 1.0/2.0 allows an attacker to gain administrative access by setting a cookie. An attacker can exploit this vulnerability by setting the cookie 'amazonadmin=logged%20in;path=/' using JavaScript.