Luxbum allows authentication using a dotclear username and password via MySQL, while the default auth mechanism uses an MD5 hash of the password stored in a PHP file. If you trace all the code from the login form to the admin panel, you'll notice that user input isn't filtered in manager.php or mysql.inc.php. So if you use dotclear auth in luxbum, SQL injection is possible, but in order to bypass authentication the injected query needs to return at least one row, and that row has to belong to a dotclear admin. In dotclear, the table dc_user stores the super-admin status in the column 'user_super': if it is == 1, the user is a super-admin. Since the luxbum auth mechanism already has full access to dotclear's user data, exploitation is very easy and doesn't require disclosure of the dotclear database details (DB name, username, password, table prefix, etc.).
This exploit is for ViPlay3 version 3.00 or lower. It is a local stack overflow vulnerability that can be exploited by creating a malicious .vpl file. The malicious file contains a large number of 'A' characters which causes a stack overflow when the file is opened. This can lead to arbitrary code execution.
A vulnerability in Realty Web-Base v1.0 allows an attacker to bypass authentication by entering a username of ' or '1=1 and a password of ' or '1=1, or a username of [admin_name]' or '1=1 and an empty password. This allows the attacker to gain access to the admin panel of the website.
A vulnerability in The Recipe Script version 5 allows an attacker to bypass authentication and gain access to the administration panel. An attacker can then access the database backup page and download the database backup file.
When the option parameter is set to 'e', matches are not escaped, allowing attackers to inject malicious code into the application. For example, in the given code snippet, the phpinfo() function will be evaluated. In the preg_replace() function, matches are escaped by the addslashes() function, preventing malicious code injection.
A local stack overflow vulnerability exists in Streaming Audio Player 0.9. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This is due to the application failing to properly validate user-supplied input when handling .PLA files. An attacker can exploit this vulnerability by supplying a specially crafted .PLA file to the application, which will cause a stack-based buffer overflow, resulting in arbitrary code execution.
Job Script V2.0 is vulnerable to authentication bypass. An attacker can exploit this vulnerability to gain access to the admin panel without authentication. This vulnerability is due to the lack of proper authentication check in the changepassword.php script. An attacker can exploit this vulnerability by sending a POST request to the changepassword.php script with a valid username and no password.
A vulnerability in Simple Customer 1.3 allows an attacker to remotely change the admin password by sending a maliciously crafted POST request to the profile.php page. This can be exploited to gain administrative access to the application.
This exploit is a fairly standard hit and run stack overflow which can overwrite SEH. It has been successfully tested in Windows XP Home SP3 and Windows XP Pro SP3 with GrabIt 1.7.2b3, GrabIt 1.7.2b2 and GrabIt 1.7.2b.
ST-Gallery version 0.1 alpha is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to manipulate SQL queries by injecting arbitrary SQL code. This may allow the attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.