The application suffers from stored cross-site scripting and SQL injection vulnerabilities: input passed to the 'cname' POST parameter in 'add-category.php' and to the 'cdel' GET parameter in 'del.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, or to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
The form /WorkArea/Upload.aspx does not require authentication to upload a file. By issuing a POST request with a webshell embedded in a JPEG image and specifying the ASPX extension, it is possible to upload ASPX code to /uploadedimages/. The ASPX code is placed in the comment section of the JPEG so that it survives image resizing. The XML parser at /WorkArea/Blogs/xmlrpc.aspx is vulnerable to XML external entity (XXE) attacks, which can be used to scan behind perimeter firewalls or possibly to include files from the local file system, e.g. <!DOCTYPE scan [<!ENTITY test SYSTEM "http://localhost:22">]> <scan>&test;</scan>
A SQL injection vulnerability has been identified in the ES Job Search Engine v3.0 web application. Remote attackers without access privileges can inject and execute their own SQL commands to compromise the search engine's DBMS. The vulnerability is located in the listing modules, in the bound 'category' parameter. Successful exploitation of the remote SQL injection vulnerability results in DBMS or web application compromise. Exploitation requires no privileged user account.
This vulnerability has been discovered on the QNAP TS-1279U-RP, but other products that use the same firmware are probably also affected. The CGI "/cgi-bin/filemanager/utilRequest.cgi" is prone to a path injection, which makes it possible for authenticated users to access, delete or modify any file, including system files, configuration files and files owned by other users. Due to the single-user configuration of the embedded Linux system, it is possible to access any system file without restrictions (including /etc/shadow, which contains the hash of the administrator password). Vulnerable parameters are (the list is not exhaustive): /cgi-bin/filemanager/utilRequest.cgi [source_file]; /cgi-bin/filemanager/utilRequest.cgi?func=delete [file_name]; /cgi-bin/filemanager/utilRequest.cgi?func=copy [dest_path]; /cgi-bin/filemanager/utilRequest.cgi?func=move [dest_path]; /cgi-bin/filemanager/utilRequest.cgi?func=get_acl_properties [name].
This module can be used to execute a payload on JBoss servers that expose the HTTPAdaptor's JMX Invoker on the 'JMXInvokerServlet'. By invoking the methods provided by jboss.admin:DeploymentFileRepository, a stager is deployed which then uploads the selected payload to the target. The DeploymentFileRepository methods are only available on JBoss 4.x and 5.x.
This module exploits a vulnerability in MobileCartly. The savepage.php file does not perform any permission checks before calling file_put_contents(), which gives any user direct control of that function to create files under the 'pages' directory by default, or anywhere else for which write permission is available.
Versions of Group-Office (a web app for online collaboration) prior to 4.0.90 are subject to a SQL injection vulnerability located in the calendar module. A PHP file used to serve data in JSON format does not sufficiently sanitise a user-supplied parameter that is injected into the ORDER BY clause of an SQL query. An attacker can leverage this flaw to extract information from the database via SQL errors.
Support4Arabs Pages v2.0 is vulnerable to a remote error-based SQL injection vulnerability. The vulnerability is due to the lack of proper sanitisation of user-supplied input in the 'id' parameter of the 'pages.php', 'categories.php' and 'news.php' scripts. An attacker can exploit this vulnerability to inject malicious SQL queries and gain access to the database, including sensitive information such as usernames and passwords stored there.
Splunk 4.3.3 and prior versions have 'Data Preview' functionality, located at 'Manager >> Data Inputs >> Files & Directories >> Data Preview', which allows an authenticated user to read the content of arbitrary files on the server on which Splunk is running.
The Anonymous Researchers discovered a stored XSS vulnerability allowing an attacker to inject arbitrary script code into an existing and fully patched JIRA + GreenHopper installation (JIRA V4.4.3, GreenHopper prior to V5.9.8). The requirements for a successful attack are minimal: a user logged into the targeted JIRA issue tracking system needs to be convinced to visit an attacker-controlled link. Once the unsuspecting victim has visited that link, an invisible form performs a POST request and the victim is redirected to a URL where the username, password and login credentials such as cookies can be read and processed by the attacker. An attacker can thereby obtain access to privileged accounts and gain control over the JIRA issue tracker and connected systems.