Explore Vulnerabilities

Explore all Exploits:

Authentication Bypass Vulnerability in D-Link DSL-320B

The vulnerability allows an attacker to access the config file, logfile, change the DNS settings and perform stored XSS without authentication. The vulnerability exists due to insufficient authentication check when processing user-supplied input. A remote attacker can bypass authentication and gain access to the config file, logfile, change the DNS settings and perform stored XSS.

OpenDocMan 1.2.6.5 Stored/Reflective XSS

OpenDocMan is vulnerable to stored XSS, allowing any user to upload malicious scripts. When adding a new file, a user can enter malicious input in the Description or Comment field. Insufficient sanitization allows the following XSS payload to slip by: <sc<script>ript>alert(document.cookie)</sc<script>ript>. This value is then stored, and any user viewing it is affected. Admins who are required to approve or view documents are also affected. Stored XSS also exists when creating new Departments; by inserting a malicious Department name like the one above, arbitrary script can be executed in the browser of any visitor. Reflected XSS exists in the error.php page. Submitting the following request generates an alert: http://localhost/opendocman/error.php?ec=13&last_message=%3Csc%3Cscript%3Eript%3Ealert%281%29%3C/sc%3Cscript%3Eript%3E

Joomla – DJ Classifieds – Time-Based Blind SQL Injection

A time-based blind SQL injection vulnerability exists in Joomla DJ Classifieds version 2.0. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable server. This can allow the attacker to execute arbitrary SQL commands on the underlying database.

social generator Remote Add Admin Exploit

This exploit allows an attacker to add an admin user to the social generator script version 2.2. The attacker can use the Dork 'inurl:my_profile.php?user_id=MTM=' to find vulnerable websites. The attacker can then use the form to add an admin user with the username and password of their choice.

ABBS Audio Media Player v3.1 (.lst) Buffer Overflow

A buffer overflow vulnerability exists in ABBS Audio Media Player v3.1 when a specially crafted .lst file is opened. This could allow an attacker to execute arbitrary code on the target system. The exploit targets the current version on all Windows platforms (WinALL).

D-Link DNS-323 Multiple Vulnerabilities

When one clicks in the 'Save To' textbox or the 'Browse' button, a popup appears listing the directories on the 'Volume_1' share. When one clicks the '+' sign to open a directory, a POST request is sent to /goform/GetNewDir with the following parameters: fNEW_DIR, f_backup, f_IP_address, f_file. A directory traversal is possible via the fNEW_DIR parameter, and by setting f_file to '1' not only directories but also files can be browsed. When one clicks the 'play' button on a scheduled download, a POST request is sent to /goform/right_now_d with the following parameter: T1. The SCHEDULE<num> field is injectable; for example, setting T1 to the following writes the output of the 'id' command to a file in the root directory: T1 <at job id>,SCHEDULE<num>,<user>,id > /mnt/Volume_1/../../id.txt

AudioCoder 0.8.18 Buffer Overflow Exploit (SEH)

AudioCoder 0.8.18 is vulnerable to a buffer overflow vulnerability due to improper bounds checking of user-supplied input. An attacker can exploit this vulnerability by supplying a specially crafted .m3u file with a malicious payload. This payload will overwrite the SEH handler and execute arbitrary code.

WPS Office Wpsio.dll Stack Buffer Overflow Vulnerability

In the wpsio.dll module, a BSTR string stored in the file is copied to a stack buffer without strict length checking, leading to a stack buffer overflow. This sample exploits the issue to overwrite an object stored on the stack, causing a crash during a virtual function call. Successful exploitation of this vulnerability leads to arbitrary code execution.

Vivotek IP Cameras Multiple Vulnerabilities

Multiple vulnerabilities have been found in Vivotek IP cameras [1] (and potentially cameras from other vendors sharing the affected firmware) that could allow an unauthenticated remote attacker: 1. [CVE-2013-1594] to process GET requests that contain sensitive information, 2. [CVE-2013-1595] to execute arbitrary code, 3. [CVE-2013-1596] to access the video stream via RTSP, 4. [CVE-2013-1597] to dump the camera's memory and retrieve user credentials, 5. [CVE-2013-1598] to execute arbitrary commands from the administration web interface (pre-authentication with firmware 0300a and post-authentication with firmware 0400a).

WordPress W3 Total Cache PHP Code Execution

This module exploits a PHP Code Injection vulnerability against Wordpress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the 'A comment is held for moderation' option on Wordpress must be unchecked for successful exploitation. This module has been tested against Wordpress 3.5 and W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.