The vulnerable code is in the Minishop 1.5 plugin, in Admin_Minishop.php. After installing the plugin, grant any user the right to edit the minishop; that user can then inject arbitrary JavaScript through the name field of either "add product" or "add category" (both options trigger the XSS) by entering <script>alert('XSS');</script>. The submitted data is not sanitized.
The issue is in /src/acloglogin.php: the langid and lang parameters are stored in a cookie. Sending a URL-encoded langid or lang value via POST or GET on port 85 allows an attacker to read any file on the file system or upload arbitrary files to it. The web server runs as root.
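As an added illustration (not code from acloglogin.php, whose internals the advisory does not show), the following Python models the pattern the advisory describes, a cookie value that is URL-decoded and joined into a file path with no validation, next to a hardened version that allow-lists the decoded value and re-checks containment. The directory name, the language-id format and the helper names are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed layout for this example: one translation file per language id under
# LANG_DIR, selected by the 'langid' cookie. Neither the path nor the id format
# is taken from the advisory.
LANG_DIR = "/var/www/app/lang"
LANGID_RE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")


def lang_path_vulnerable(langid: str) -> str:
    """The pattern the advisory describes: the URL-encoded cookie value is
    decoded and concatenated into a path without any check."""
    return posixpath.normpath(posixpath.join(LANG_DIR, unquote(langid)))


def escapes_base(path: str, base: str) -> bool:
    """True when the normalized path is not inside base (i.e. a traversal)."""
    return posixpath.commonpath([posixpath.normpath(path), base]) != base


def lang_path_hardened(langid: str) -> str:
    """Decode exactly once, allow-list the decoded value, then re-check
    containment so a later loosening of LANGID_RE cannot reopen the hole."""
    decoded = unquote(langid)
    if not LANGID_RE.fullmatch(decoded):
        raise ValueError(f"rejected langid {langid!r}")
    path = posixpath.join(LANG_DIR, decoded)
    if escapes_base(path, LANG_DIR):
        raise ValueError("path escapes LANG_DIR")
    return path


def accepts(langid: str) -> bool:
    """Convenience wrapper: does the hardened loader accept this cookie value?"""
    try:
        lang_path_hardened(langid)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed cookie values: two legitimate ids, two encoded traversals.
    samples = ("en", "pt_BR",
               "..%2F..%2F..%2F..%2Fetc%2Fpasswd",
               "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd")
    for cookie in samples:
        vuln = lang_path_vulnerable(cookie)
        print(f"{cookie:42} vulnerable -> {vuln} (escapes: {escapes_base(vuln, LANG_DIR)})"
              f"  hardened -> {'accepted' if accepts(cookie) else 'rejected'}")
```

The decode happens once, on purpose: validating the raw cookie and decoding afterwards is the classic way such a filter is bypassed with double encoding.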
Vulnerability Research Team discovered a vulnerability in Microsoft IIS. It is triggered by a tilde character "~" in a GET request and could allow remote attackers to disclose file and folder names through their 8.3 short names.
The default configuration of the WordPress Backup plugin exposes a log file containing the file names of the backups it has created. Once a name is extracted from this log file, the corresponding backup can be downloaded. Depending on the plugin's settings, this gives access to a copy of the WordPress database, wp-content, uploads, plugins, or the complete site.
python-wrapper executes any test.py script in the current working directory when help('modules') is called. An unprivileged user can gain code execution by tricking root into running help('modules'), or help() followed by modules, from within python-wrapper while in the unprivileged user's working directory. The malicious file MUST be named test.py. An os.system('evilcommand') call in it makes python-wrapper execute that command and then continue normally, with no visible sign of compromise if the command's output is redirected. Additionally, nmap makes a convenient backdoor from an unprivileged account, because it is a binary one might plausibly want setuid under certain circumstances, even though it should not be (and it complains when invoked that way). A practical case where this vulnerability is useful is attacking a shared web hosting environment.
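Added example, not python-wrapper's own code: a Python harness that reproduces the underlying condition, a test.py in the current directory being picked up because that directory sits at the front of sys.path, and then the same run under the interpreter's -I (isolated) flag, which keeps the script's directory off sys.path. The marker-setting test.py stands in for the advisory's os.system('evilcommand'); the file and function names are assumptions of the example.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for the attacker's test.py: it only sets a marker where
# the advisory's file would call os.system('evilcommand').
EVIL_TEST_PY = "MARKER = 'executed from cwd'\n"

# Constructed stand-in for the privileged user's session: it imports 'test'
# the way anything that walks sys.path would, and reports what it got.
VICTIM_PY = textwrap.dedent("""
    try:
        import test
        print(getattr(test, 'MARKER', 'stdlib test package'))
    except ImportError:
        print('no module named test')
""")


def run_victim(isolated: bool) -> str:
    """Run the victim script from a directory that contains the attacker's
    test.py and return what it printed. With isolated=True the interpreter
    is started with -I, so the script's directory is not put on sys.path
    and the planted module is never found."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "test.py"), "w") as f:
            f.write(EVIL_TEST_PY)
        with open(os.path.join(workdir, "victim.py"), "w") as f:
            f.write(VICTIM_PY)
        cmd = [sys.executable] + (["-I"] if isolated else []) + ["victim.py"]
        done = subprocess.run(cmd, cwd=workdir, capture_output=True, text=True, check=True)
        return done.stdout.strip()


if __name__ == "__main__":
    print("default :", run_victim(isolated=False))
    print("with -I :", run_victim(isolated=True))
```

The point for a wrapper that is run as root is the second line: start the interpreter with -I (or otherwise strip the current directory from sys.path before anything imports or scans modules), so that whatever the invoking user has planted in the working directory is never a candidate for import.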
This exploit was leaked on the Full Disclosure mailing list and allows for remote root access on BSD telnetd. It was released by Kingcope in 2011.
This module exploits a stack-based buffer overflow in versions <= 4.3.2.0 of IrfanView's JPEG2000.dll plugin. The exploit was tested against one specific IrfanView version (v4.3.2), although other versions may also work. The vulnerability is triggered when the plugin parses an invalid QCD chunk structure with a malformed QCD size and data. Payload delivery and vulnerability trigger can be achieved in several ways: the user can double-click the file, open it through the file dialog or via the program icon, or drag and drop it into IrfanView's window. An egg hunter is used for stability.
This module exploits a stack buffer overflow in HP Data Protector 5. The overflow occurs during the creation of new folders, where the folder name is handled insecurely by the dpwindtb.dll component. Although the overflow is on the stack, the insecure copy splits the folder name into fragments, so this module uses egg hunting to locate an uncorrupted copy of the payload in the heap. Because the overflowed buffer lives in a frame protected by stack cookies, an SEH handler overwrite is used instead of a return-address overwrite. Any user of HP Data Protector Express can create new folders and therefore trigger the vulnerability; moreover, in the default installation the 'Admin' user has an empty password. Successful exploitation leads to code execution with the privileges of the 'dpwinsdr.exe' process (HP Data Protector Express Domain Server Service), which runs as SYSTEM by default.
IrfanView's Formats PlugIn is prone to an overflow condition. The JLS plugin library (jpeg_ls.dll) fails to properly validate user-supplied input, resulting in a heap-based buffer overflow. With a specially crafted JLS-compressed image file, a context-dependent attacker could potentially execute arbitrary code.
There is a file-handling DoS in GIMP (the GNU Image Manipulation Program) for the 'fit' (FITS) file format, affecting all versions (Windows and Linux) up to and including 2.8.0. A FITS file with a malformed 'XTENSION' header causes GIMP to crash.
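Added example, not GIMP's FITS loader: a Python parser that validates the 80-column cards of a FITS extension header and rejects a defective header with an exception rather than reading past it. The samples are constructed in the block, one well-formed and one whose XTENSION string value has no closing quote; the advisory does not say which defect crashes GIMP, so that malformed sample is an assumption, as are the helper names.

```python
import re

CARD_LEN, BLOCK_LEN = 80, 2880
KEYWORD_RE = re.compile(r"[A-Z0-9_-]{1,8}")
VALID_BITPIX = {8, 16, 32, 64, -32, -64}
KNOWN_XTENSIONS = {"IMAGE", "TABLE", "BINTABLE"}


class FitsError(ValueError):
    """Raised for any header the parser refuses, instead of trusting it."""


def parse_value(field: str):
    """Value part of a card (columns 11-80): quoted string, logical or number."""
    field = field.lstrip()
    if field.startswith("'"):
        m = re.match(r"'((?:[^']|'')*)'", field)
        if not m:
            raise FitsError("unterminated string value")
        return m.group(1).replace("''", "'").rstrip()
    value = field.split("/", 1)[0].strip()          # drop trailing comment
    if value in ("T", "F"):
        return value == "T"
    try:
        return int(value)
    except ValueError:
        try:
            return float(value)
        except ValueError:
            raise FitsError(f"unparseable value {value!r}") from None


def parse_header(header: bytes):
    """Return ([keywords in order], {keyword: value}); raise FitsError on any defect."""
    if len(header) == 0 or len(header) % BLOCK_LEN:
        raise FitsError("header is not a whole number of 2880-byte blocks")
    if any(b < 32 or b > 126 for b in header):
        raise FitsError("non-printable byte in header")
    order, values = [], {}
    for off in range(0, len(header), CARD_LEN):
        card = header[off:off + CARD_LEN].decode("ascii")
        keyword = card[:8].rstrip()
        if keyword == "END":
            return order, values
        if keyword in ("", "COMMENT", "HISTORY"):
            continue
        if not KEYWORD_RE.fullmatch(keyword):
            raise FitsError(f"illegal keyword {keyword!r}")
        if card[8:10] != "= ":
            raise FitsError(f"{keyword}: missing '= ' value indicator")
        order.append(keyword)
        values[keyword] = parse_value(card[10:])
    raise FitsError("END card missing")


def validate_extension(header: bytes) -> dict:
    """Check the mandatory keywords of a FITS extension header before use."""
    order, v = parse_header(header)
    if not order or order[0] != "XTENSION":
        raise FitsError("extension header must start with XTENSION")
    if v["XTENSION"] not in KNOWN_XTENSIONS:
        raise FitsError(f"unknown XTENSION {v['XTENSION']!r}")
    for kw in ("BITPIX", "NAXIS", "PCOUNT", "GCOUNT"):
        if not isinstance(v.get(kw), int) or isinstance(v.get(kw), bool):
            raise FitsError(f"{kw} missing or not an integer")
    if v["BITPIX"] not in VALID_BITPIX:
        raise FitsError(f"BITPIX {v['BITPIX']} not allowed")
    if not 0 <= v["NAXIS"] <= 999:
        raise FitsError("NAXIS out of range")
    for n in range(1, v["NAXIS"] + 1):
        axis = v.get(f"NAXIS{n}")
        if not isinstance(axis, int) or isinstance(axis, bool) or axis < 0:
            raise FitsError(f"NAXIS{n} missing or negative")
    return v


def is_valid_extension(header: bytes) -> bool:
    try:
        validate_extension(header)
        return True
    except FitsError:
        return False


def make_card(keyword: str, value) -> str:
    """Format one 80-column card; used only to build the constructed samples."""
    if isinstance(value, str):
        text = f"'{value:<8}'"
    elif isinstance(value, bool):
        text = f"{'T' if value else 'F':>20}"
    else:
        text = f"{value:>20}"
    return f"{keyword:<8}= {text}".ljust(CARD_LEN)


def make_header(cards) -> bytes:
    text = "".join(cards) + "END".ljust(CARD_LEN)
    return text.ljust(-(-len(text) // BLOCK_LEN) * BLOCK_LEN).encode("ascii")


# Constructed samples (not taken from GIMP or from the advisory).
GOOD_HEADER = make_header([make_card("XTENSION", "IMAGE"), make_card("BITPIX", 16),
                           make_card("NAXIS", 2), make_card("NAXIS1", 64),
                           make_card("NAXIS2", 32), make_card("PCOUNT", 0),
                           make_card("GCOUNT", 1)])
# Malformed: the XTENSION string value never gets its closing quote.
BAD_HEADER = make_header(["XTENSION= 'IMAGE".ljust(CARD_LEN), make_card("BITPIX", 16),
                          make_card("NAXIS", 0), make_card("PCOUNT", 0),
                          make_card("GCOUNT", 1)])
```

Every check raises before any data is touched, so a malformed header costs one exception in the caller rather than a crash in the loader; a loader that derives buffer sizes from BITPIX and NAXISn is the usual place where an unvalidated header turns from a parse error into memory corruption.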