Explore Vulnerabilities

Explore all Exploits:

cFos Personal Net v3.09 Remote Heap Memory Corruption Denial of Service

The cFos Personal Net web server is vulnerable to a remote denial of service issue when processing multiple malformed POST requests in less than 3000ms. The issue occurs when the application fails to handle the data sent in the POST requests in a single socket connection, causing heap memory corruption which results in a crash of the HTTP service.

AlienVault 4.3.1 Unauthenticated SQL Injection

A number of SQL injection vectors were identified within AlienVault (AV) 4.3.1 components. The “Geolocation Graph” and “Radar Access Control” AV components were found to accept HTTP request parameters that are concatenated without filtering or validation. These parameters are then passed as SQL queries, which exposes the application to SQL injection. This issue can be exploited by any unauthenticated users who have access to the AV web application. In addition, the effective MySQL user was found to be “root”, which allows attackers to leverage the identified issues into attacks against the AV host system.

Path Traversal/Remote Code Execution

The WD Arkeia virtual appliance is affected by a path traversal vulnerability. Path traversal gives attackers access to files and directories outside the web root through relative file paths in the user input. An unauthenticated remote attacker can exploit the vulnerability to gain unauthorized access to the WD Arkeia virtual appliance and stored backup data. The vulnerability is caused by insufficient input validation of the "fileName" parameter in the "download.php" script.

Arbitrary file read in dompdf

A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.

Unrestricted File Upload

Submit an image file via the wtf upload panel and intercept the POST request to /wp-admin/admin-ajax.php. By editing the data from the control 'accept_file_types', we can upload normally disallowed filetypes such as PHP. Append '|php' to the control 'accept_file_types' and change the extension in the data for 'filename' to '.php' and enter desired code. Submit this POST request and the file will be found in the directory /wp-content/uploads/public/wtf-fu_files/default/.

SQL Injection in phpManufaktur / kitForm

A SQL injection error within the sorter.php file can be exploited by unauthenticated people to conduct SQL injection attacks. The file does not sanitize the "sorter_value" parameter before using the value in a SQL query. A successful exploit can extract database content, e.g. administrative credentials (password hash).

CVE-2014-0160 heartbleed OpenSSL information leak exploit

This exploit uses OpenSSL to create an encrypted connection and trigger the heartbleed leak. The leaked information is returned within encrypted SSL packets and is then decrypted and written to a file to annoy IDS/forensics. The exploit can set heartbeat payload length arbitrarily or use two preset values for NULL and MAX length. The vulnerability occurs due to bounds checking not being performed on a heap value which is user supplied and returned to the user as part of DTLS/TLS heartbeat SSL extension. All versions of OpenSSL 1.0.1 to 1.0.1f are known affected.

Sixnet sixview web console directory traversal

Sixnet sixview web console handles requests through HTTP on port 18081. These requests can be received either through GET or POST requests. I discovered that GET requests are not validated at the server side, allowing an attacker to request arbitrary files from the supporting OS.

Recent Exploits: