An arbitrary file upload vulnerability in the WordPress Think Responsive Themes allows an attacker to upload malicious files to the server. This vulnerability exists in the upload_settings_image.php file, which is used to upload images to the server. An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request with a malicious file attached. This will allow the attacker to upload the malicious file to the server.
A vulnerability in the WordPress Switchblade Themes allows an attacker to upload arbitrary files to the server. This is done by sending a POST request to the php.php file located in the framework/_scripts/valums_uploader/ directory. The POST request contains the malicious file which is then uploaded to the server. The uploaded file can be accessed at http://127.0.0.1/wordpress/wp-content/uploads/[year]/[month]/up.php
Input passed to the 'files[0][file]' parameter in '/ip_cms/modules/administrator/repository/controller.php' is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the affected POST parameter.
A Blind SQL injection vulnerability exists in OpsView 'acknowledge' function. A malicious user can post bad data leading to a database dump, user creation, code execution, etc.
This module exploits a PHP code execution vulnerability in the 'neoclassic' skin for ProcessMaker Open Source which allows any authenticated user to execute PHP code. The vulnerable skin is installed by default in version 2.x and cannot be removed via the web interface.
Moodle allows an authenticated user to define spellcheck settings via the web interface. The user can update the spellcheck mechanism to point to a system-installed aspell binary. By updating the path for the spellchecker to an arbitrary command, an attacker can run arbitrary commands in the context of the web application upon spellchecking requests. This module also allows an attacker to leverage another privilege escalation vuln. Using the referenced XSS vuln, an unprivileged authenticated user can steal an admin sesskey and use this to escalate privileges to that of an admin, allowing the module to pop a shell as a previously unprivileged authenticated user. This module was tested against Moodle version 2.5.2 and 2.2.3.
OpenMediaVault allows an authenticated user to create cron jobs as aribtrary users on the system. An attacker can abuse this to run arbitrary commands as any user available on the system (including root).
ZABBIX allows an administrator to create scripts that will be run on hosts. An authenticated attacker can create a script containing a payload, then a host with an IP of 127.0.0.1 and run the abitrary script on the ZABBIX host.
NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have the code executed remotely. This module was successfully tested against NAS4Free version 9.1.0.1.804. Earlier builds are likely to be vulnerable as well.
vTiger CRM allows an authenticated user to upload files to embed within documents. Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP script and execute aribtrary PHP code remotely. This module was tested against vTiger CRM v5.4.0 and v5.3.0.
Services By CQR