
Explore Vulnerabilities


Explore all Exploits:

ZeroCMS v1.0 SQL Injection Vulnerability (zero_transact_article.php article_id POST parameter)

ZeroCMS v1.0 is vulnerable to SQL Injection. The user input which is passed via the 'article_id' POST parameter of 'zero_transact_article.php' is not properly sanitised allowing the attacker to inject arbitrary sql code and to execute queries to the database in order to extract sensitive information (e.g. credentials) and/or to take over the database/system.

Lunar CMS 3.3 CSRF And Stored XSS Vulnerability

Lunar CMS suffers from cross-site request forgery and stored XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to the 'subject' and 'email' POST parameters through the 'Contact Form' extension/module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

This exploit is a proof-of-concept for CVE-2014-4014, which is a local privilege escalation vulnerability in the Linux kernel. The exploit uses the clone() system call to create a new user namespace, and then sets the setgid bit on a file specified by the user. This allows the user to gain elevated privileges.

SQL Injection in web2Project: CVE-2014-3119

A remote authenticated user with privileges to access the 'contacts' module can inject and execute arbitrary SQL commands in the application's database and e.g. create, alter and delete information, or gain unauthorized access to the vulnerable website. A remote unauthenticated attacker can likewise inject and execute arbitrary SQL commands in the application's database and e.g. create, alter and delete information, or gain unauthorized access to the vulnerable website.

shocker: docker PoC VMM-container breakout

This exploit demonstrates that any given docker image someone is asked to run in a docker setup can access ANY file on the host, such as dumping the host's /etc/shadow or other sensitive information, compromising the security of the host and any other docker VMs on it. The setup uses a container-based VMM, separate pid and net namespaces, stripped caps and RO bind mounts into the container's /. However, as it is only a bind mount, the fs struct from the task is shared with the host, which allows opening files by file handle (open_by_handle_at()). As the exploit thankfully has dac_override and dac_read_search, it can do this. The handle is usually a 64-bit string with a 32-bit inode number inside (tested with ext4). The inode of / is always 2, so it has a starting point to walk the FS path and brute force the remaining 32 bits until the desired file is found.

Rocket Servergraph Admin Center fileRequestor Remote Code Execution

This module abuses several directory traversal flaws in Rocket Servergraph Admin Center for Tivoli Storage Manager. The issues exist in the fileRequestor servlet, allowing a remote attacker to write arbitrary files and execute commands with administrative privileges. This module has been tested successfully on Rocket ServerGraph 1.2 over Windows 2008 R2 64-bit, Windows 7 SP1 32-bit and Ubuntu 12.04 64-bit.

AlienVault OSSIM < 4.7.0 av-centerd 'get_log_line()' Remote Code Execution

A vulnerability in AlienVault OSSIM < 4.7.0 av-centerd 'get_log_line()' allows an attacker to execute arbitrary code remotely. The vulnerability is due to insufficient validation of user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted SOAP request to the vulnerable server. Successful exploitation of this vulnerability can result in arbitrary code execution.

Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability

The vulnerability is caused by a memset() boundary error in the processing of incoming data through raw socket connections on TCP port 1001, which can be exploited to cause a stack-based buffer overflow by sending a long string of bytes on the second connection. Successful exploitation could allow execution of arbitrary code on the affected node.

ZTE WXV10 W300 Multiple Vulnerabilities

In ZTE routers the username is a constant, 'admin', and the default password is 'admin'. The rom-0 backup file contains sensitive information such as the router password, and anyone can download that file without any authentication via a simple GET request. If you look at the frame source in the 'Internet' tab under 'Interface Setup', you can see a doLoad function at line 542 which fetches the password and displays it there. The frame URI is /basic/home_wan.htm. Once a user has authenticated to the router, the password remains displayed in the page until another successful authentication.
