Lc Flickr Carousel V1.0 is vulnerable to a local file disclosure vulnerability. An attacker can exploit this vulnerability by sending a crafted request to the getImage.php script with a file parameter containing a relative path to the file they wish to access. This can be used to access sensitive files such as the /etc/passwd file.
eCan v0.1 is vulnerable to a local file disclosure vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the show_source.php script with a relative path to the file they wish to view. For example, a request to show_source.php?fid=../../../../../../../../../../../etc/passwd will display the contents of the /etc/passwd file.
House Style 0.1.2 is vulnerable to a local file disclosure vulnerability. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This will allow the attacker to read any file on the server, including sensitive files such as /etc/passwd. The vulnerability exists due to insufficient sanitization of user-supplied input to the 'file' parameter in the 'report.php' script.
This module exploits a command injection vulnerability found in Hastymail 2.1.1 RC1 due to the insecure usage of the call_user_func_array() function on the "lib/ajax_functions.php" script. Authentication is required on Hastymail in order to exploit the vulnerability. The module has been successfully tested on Hastymail 2.1.1 RC1 over Ubuntu 10.04.
This module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run arbitrary commands on the victim machine. This module has been successfully tested with the ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.
This module exploits a vulnerability in the HotSpot bytecode verifier where an invalid optimisation of the GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This provides a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.
The predictId parameter in the POST request is vulnerable to blind SQL injection. When attempting follow-up submissions, the plugin states that you've already voted; this can easily be circumvented by using your browser's back button. Using Burp Suite or another proxy, intercept the POST request when submitting your answer and append "and 1=1" to the predictId parameter before forwarding: predictSelection=1&predictId=1 and 1=1&postAction=submitVote&submitVote.x=70&submitVote.y=26 In the example above, the statement evaluates to true and the vote count increases by 1. Sending a new request with "predictId=1 and 1=0" will not increase the vote count.
This vulnerability allows an attacker to execute arbitrary code on the target system by placing a malicious python script in the current working directory. In Python 2, the malicious script is executed when help('modules') is run. In Python 3, the malicious script is executed when help('modules') is run and the __pycache__ directory is removed from the working directory.
This module abuses a metacharacter injection vulnerability in the diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary commands as the www-data user account.
This module exploits a PHP unserialize() vulnerability in Tiki Wiki <= 8.3 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script, which is called with user-controlled data from the 'printpages' parameter. The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy class to write arbitrary PHP code to a file in the Tiki Wiki web directory. In order to run successfully, three conditions must be satisfied: (1) the display_errors PHP setting must be On to disclose the filesystem path of Tiki Wiki, (2) the Tiki Wiki Multiprint feature must be enabled to reach the unserialize() call, and (3) a PHP version older than 5.3.4 must be used to allow poison null bytes in filesystem-related functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3.