On most modern Linux systems, /bin/sh is provided by bash, which detects that it is being invoked as sh and attempts to mimic traditional sh. As everyone who works in security quickly learns, bash drops privileges very early when it starts with uid != euid (or gid != egid), unless it was invoked with -p; it does so by calling disable_priv_mode(), which is defined as:

    void
    disable_priv_mode ()
    {
      setuid (current_user.uid);
      setgid (current_user.gid);
      current_user.euid = current_user.uid;
      current_user.egid = current_user.gid;
    }

Non-Linux systems tend to use pdksh as /bin/sh, which has also supported privmode since version 5.0.5. However, this privilege drop never really happens on Debian-derived systems. Debian (and therefore Ubuntu) uses dash as /bin/sh by default (see https://wiki.debian.org/DashAsBinSh), and if you choose to use bash instead, Debian's bash package disables privmode with this patch: http://patch-tracker.debian.org/patch/series/view/bash/4.2+dfsg-0.1/privmode.diff

A nice example of this failing can be observed in the VMware utilities, which try to invoke lsb_release with popen() to learn about the current execution environment. popen() runs the command string through /bin/sh -c with the caller's PATH and environment, and the child keeps the setuid utility's effective uid, so on a system whose /bin/sh does not drop privileges a trojaned lsb_release found earlier in PATH runs as root. This means you can get a nice easy root shell on any Debian/Ubuntu-derived system with VMware installed.
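The hardened way to shell out from a setuid helper, as an added example that is not VMware's code, bash's code, or anything from the original page: a resolver that only accepts bare command names found in fixed trusted directories, a verified privilege drop, and an execve() with an explicit environment so no shell (and therefore no shell's privmode policy) sits between the helper and the command. The function names (unsafe_probe, resolve_trusted, drop_privileges, run_trusted) and the trusted-directory list are assumptions of this example; it assumes Linux/glibc for setresuid()/setresgid().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern the advisory describes, kept here only for contrast: popen()
 * runs the string through /bin/sh -c with the caller's PATH, and the child
 * keeps euid 0. Whether it stays root then depends on the shell (bash
 * privmode drops it, dash does not), so the caller's PATH picks the binary. */
int unsafe_probe(char *out, size_t outlen) {
    FILE *fp = popen("lsb_release -sd", "r");   /* never do this in a setuid binary */
    if (fp == NULL) return -1;
    int ok = fgets(out, (int)outlen, fp) != NULL;
    pclose(fp);
    return ok ? 0 : -1;
}

static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", NULL };   /* assumed list */

/* Map a bare command name onto an executable inside a trusted directory.
 * Names containing '/' are rejected so "./lsb_release" or "../x" cannot
 * escape those directories. Returns 0 and fills `out` on success. */
int resolve_trusted(const char *cmd, char *out, size_t outlen) {
    if (cmd == NULL || *cmd == '\0' || strchr(cmd, '/') != NULL) return -1;
    for (int i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        struct stat st;
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], cmd);
        if (n < 0 || (size_t)n >= outlen) return -1;
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IXUSR))
            return 0;
    }
    return -1;
}

/* Permanently give up the effective and saved ids, then verify the drop
 * instead of trusting the setuid() return value alone. */
int drop_privileges(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setresgid(gid, gid, gid) != 0) return -1;   /* groups first, while still root */
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;      /* root must not be regainable */
    return 0;
}

/* Run argv[0] (resolved through TRUSTED_DIRS) with a fixed environment and no
 * shell in between, dropping privileges in the child, and return its first
 * line of stdout in `out`. Returns 0 on success, -1 on failure or non-zero exit. */
int run_trusted(char *const argv[], char *out, size_t outlen) {
    char path[4096], scratch[256];
    int fds[2], status;
    if (argv == NULL || argv[0] == NULL || out == NULL || outlen == 0) return -1;
    if (resolve_trusted(argv[0], path, sizeof path) != 0) return -1;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };   /* no LD_*, no BASH_ENV */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        close(fds[1]);
        if (drop_privileges() != 0) _exit(127);
        execve(path, argv, envp);
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0;
    for (;;) {                                     /* drain fully so the child never blocks */
        int room = used < outlen - 1;
        ssize_t n = read(fds[0], room ? out + used : scratch,
                         room ? outlen - 1 - used : sizeof scratch);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        if (room) used += (size_t)n;
    }
    close(fds[0]);
    out[used] = '\0';
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    char *nl = strchr(out, '\n');
    if (nl != NULL) *nl = '\0';
    return 0;
}

/* Wrappers with static storage so results can be checked by name. */
const char *resolve_trusted_static(const char *cmd) {
    static char buf[4096];
    return resolve_trusted(cmd, buf, sizeof buf) == 0 ? buf : NULL;
}

const char *run_trusted_first_line(const char *cmd, const char *arg) {
    static char buf[512];
    char *argv[] = { (char *)cmd, (char *)arg, NULL };
    return run_trusted(argv, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    const char *line = run_trusted_first_line("echo", "hello from a clean environment");
    printf("%s\n", line ? line : "(failed)");
    return line ? 0 : 1;
}
```

Note that the fix is not "use a shell that drops privileges": a setuid helper should not depend on the /bin/sh policy of whichever distribution it lands on. Resolving the command yourself, fixing the environment, and dropping privileges before execve() removes the PATH and shell from the trust chain entirely.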
vBulletin 4 does not properly sanitize parameters to breadcrumbs_create, allowing an attacker to inject arbitrary SQL commands (SELECT). Risk is rather low because a valid API key is required, although CVE-2014-2023 can be used to obtain the API key.
vBulletin 4/5 does not properly sanitize client-provided xmlrpc attributes (e.g. the client name), allowing a remote xmlrpc client to inject code into the xmlrpc API logging page. The code is executed once an admin visits the API log page and clicks on the API client's name.
This exploit allows an attacker to run commands on a remote system using a pathing vulnerability in lshell versions <= 0.9.15. The exploit first checks the host to verify that lshell is running, then checks the version to verify that it is vulnerable. If it is vulnerable, the exploit prepares a pseudo-shell and allows the attacker to run commands on the remote system.
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Trixbox is prone to multiple security vulnerabilities, including SQL-injection, cross-site scripting, local file-include, and remote code-execution. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, exploit latent vulnerabilities in the underlying database or perform certain unauthorized actions and gain access to the affected application.
Yealink VoIP Phones are prone to an HTTP-response-splitting vulnerability because they fail to properly sanitize user-supplied input. An attacker may leverage this issue to influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
The Elegance theme for WordPress is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input. Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
InfraRecorder is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will likely result in denial-of-service conditions.
Laravel is prone to a security weakness due to pseudo password hash collisions: its bcrypt-based hashing only uses the first 72 bytes of the password, so any two passwords that share the same first 72 bytes produce the same hash. Attackers can exploit this issue to bypass intended security restrictions. This may aid in further attacks. For example, a 72-character string of 'A' followed by 'mysupersecretpassword' and the same 72 'A's followed by 'longcatishere' are two different passwords that hash identically, so either one is accepted for an account set up with the other.