Explore all Exploits:

Woltlab Burning Board FLVideo Addon SQL Injection flvideo.php Exploit

The vulnerability exists due to insufficient filtering of user-supplied data passed to the 'userid' parameter of the 'flvideo.php' script. A remote attacker can execute arbitrary SQL commands against the application's database, cause a denial of service, access or modify sensitive data, or exploit vulnerabilities in the underlying SQL server software.
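The following is an added illustration of the injection class described above, not code from the FLVideo addon or from the exploit: the addon's real query and table layout are unknown, so a hypothetical `flvideo` table in an in-memory SQLite database stands in for it, and the 'userid' values are constructed. It contrasts a query that splices the parameter into the SQL text (the pattern "insufficient filtering" points to) with a parameterized query, and shows both an `OR 1=1` row-dump and a `UNION` read of schema metadata against the unsafe version.

```python
import sqlite3

# Constructed sample rows for a hypothetical video table (assumption: the
# addon's actual schema is not known here).
SAMPLE_VIDEOS = [
    (1, 101, "intro.flv"),
    (2, 101, "tutorial.flv"),
    (3, 202, "private.flv"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flvideo (id INTEGER, userid INTEGER, filename TEXT)")
    conn.executemany("INSERT INTO flvideo VALUES (?, ?, ?)", SAMPLE_VIDEOS)
    return conn


def videos_for_user_unsafe(conn: sqlite3.Connection, userid: str) -> list:
    """Vulnerable pattern: the request parameter becomes part of the SQL text."""
    sql = "SELECT id, userid, filename FROM flvideo WHERE userid = " + userid
    return conn.execute(sql).fetchall()


def videos_for_user_safe(conn: sqlite3.Connection, userid: str) -> list:
    """Hardened pattern: validate the type, then bind the value as a parameter
    so it can never be interpreted as SQL syntax."""
    try:
        uid = int(userid)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, userid, filename FROM flvideo WHERE userid = ?", (uid,)
    ).fetchall()


def demo() -> dict:
    """Run the legitimate and injected 'userid' values through both variants
    and return the row counts each produces."""
    conn = make_db()
    # Constructed injection strings for the 'userid' parameter.
    dump_all = "101 OR 1=1"
    read_schema = "0 UNION SELECT name, 0, sql FROM sqlite_master"
    return {
        "unsafe_normal": len(videos_for_user_unsafe(conn, "101")),
        "unsafe_injected": len(videos_for_user_unsafe(conn, dump_all)),
        "unsafe_union": len(videos_for_user_unsafe(conn, read_schema)),
        "safe_normal": len(videos_for_user_safe(conn, "101")),
        "safe_injected": len(videos_for_user_safe(conn, dump_all)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The `OR 1=1` value turns a two-row lookup into a dump of every row, and the `UNION` value returns the `CREATE TABLE` statement instead of video data; the bound-parameter version rejects both and returns only the caller's own rows for a legitimate id.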

KingView Insecure ActiveX Control Proof of Concept – SuperGrid.ocx

This proof of concept copies an arbitrary file from one location to another. A malicious user may be able to use this to copy a file from an attacker-controlled share to the target, or from the target to an attacker-controlled system (e.g. from an attacker share into the Startup folder). It can also be used to overwrite existing files.

HP LoadRunner lrFileIOService ActiveX WriteFileString Remote Code Execution

This module exploits a vulnerability in the lrFileIOService ActiveX control, as installed with HP LoadRunner 11.50. The vulnerability exists in the WriteFileString method, which allows the user to write arbitrary files. It is abused to drop a payload embedded in a DLL, which is later loaded through the Init() method of the lrMdrvService control by abusing an insecure LoadLibrary call. This module has been tested successfully on IE8 on Windows XP. On Windows Vista and 7, file-system virtualization of the low-integrity browser process will stop this module, because the DLL is dropped into a virtualized folder that LoadLibrary does not search.

MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free

This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems to affect only certain releases of mshtml.dll: for example, this module can be used against version 9.0.8112.16446, but not against 9.0.8112.16421. IE 8 requires a different way to trigger the vulnerability, which is not currently covered by this module. The issue is specific to the browser's IE7 document compatibility mode, which can be selected via X-UA-Compatible, and content-editable mode must be enabled. An 'onmove' event handler is also necessary to trigger the bug, and the event runs twice before the crash. The first time is due to the position change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable' object is created during a 'SelectAll' command; this object is used later on for the crash. The second onmove event seems to be triggered by an InsertButton (or Insert-whatever) command, which is also responsible for freeing the CFlatMarkupPointer object during page rendering. The EnsureRecalcNotify() function then still returns a dangling reference to CFlatMarkupPointer (stored in EBX) and passes it on to the next functions (GetLineInfo -> QIClassID). When this reference arrives in QIClassID, it is used to call a virtual function of the freed object, which leads to the crash.

Mikrotik RouterOS sshd (ROSSSH) Remote Pre-Authentication Heap Corruption

During an audit, the Mikrotik RouterOS sshd (ROSSSH) was found to contain a remote pre-authentication heap corruption in its sshd component. Exploitation of this vulnerability allows full access to the router device. This analysis describes the bug and includes a way to get developer access to recent versions of Mikrotik RouterOS using the /etc/devel-login file. This is done by forging a modified NPK file with a correct signature and logging into the device with the username 'devel' and the administrator's password. This drops into a busybox shell for further research of the sshd vulnerability using gdb and strace tools compiled for the Mikrotik busybox platform.

Multiple Critical Vulnerabilities in Zoom Telephonics ADSL Modem/Router Line

By simply placing the following two URLs into a web browser, a vulnerability present in all models and firmware versions allows the administrative credential challenge to be bypassed. All models and firmware versions serve these pages with no authentication, and an unauthenticated user can perform almost all administrative tasks once the authentication is bypassed. By sending a specially crafted packet to the modem, an attacker can cause the modem to crash and reboot. This can be done remotely and repeatedly, causing a denial of service.
