This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer 6.21. When a .pac file supplies a long string of data in the 'value' field under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption on the stack, which results in arbitrary code execution in the context of the user.
After pwning the ActiveCollab 'chat module', Stas Kuzma from USWebStyle thought it would be in his and his team's best interest to have the 'Useresponse' application security 'tested'. I explained that there is no way I can afford the corporate edition and that I would still be glad to test it if I can receive a copy (for non-commercial use, dah). A kind email back from Stas and I had full access to the corporate edition of the software package. We had a really hard time finding proper exploitable vulnerabilities, as halfway through our testing they decided to remove our license :/. We notified the vendor a few weeks back regarding these bugs, so I'm sure they will release a fix soon. Nonetheless, the path to unauth'ed remote code execution is as follows: 1. backdoor account that is unable to be deleted by the administrator's frontend. Alternatively, you can just register an account without admin verification ;) 2. privilege escalation via a stored XSS when abusing bbcode parsing 3. CSRF against all administrator functionality 4. remote code execution by circumventing escape characters and abusing an eval() call in the 'admin/configuration.php' script.
qdPM is a free web-based project management tool suitable for a small team working on multiple projects. It contains an arbitrary file upload vulnerability that allows an attacker to upload a small PHP shell and access it remotely. The application does not verify the file's extension when uploading an image for a user's profile. A valid user account is needed to upload the file, but no authentication is required to access it.
This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 on Windows XP SP3, using the heap massaging plus heap spray technique seen exploited in the wild.
A buffer overflow vulnerability exists in the sub_4A7200 function due to insufficient bounds checking when copying user-supplied data into a fixed-length buffer. This can be exploited to execute arbitrary code by overwriting the return address of the function with a malicious address.
Opening a specially crafted .mxd file will execute arbitrary code without prompting and without a crash of the application. This is due to a flaw in the program's ability to prompt a user before executing embedded VBA. .mxd files are not filtered by email systems, so this allows a remote attacker to trick a user into opening a map file via email and unknowingly gain control over their system.
This module exploits the Wyse Rapport Hagent service to cause a remote power cycle (powering off the Wyse machine remotely).
Multiple persistent input validation vulnerabilities exist in the Squirrelcart Shopping v3.3.4 Content Management System. The bugs allow remote attackers to inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction and a privileged user account. The persistent vulnerabilities are located in the Discount Image > Document Edit Name module exception handling and in the Location Hours of Operations day listing.
Swoopo Gold Shop CMS v8.4.56 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this vulnerability to manipulate SQL queries by injecting arbitrary SQL code. This may allow the attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
The vulnerability allows a remote attacker or a local low-privileged user account to inject and execute their own SQL commands on the affected application's DBMS without user interaction. Successful exploitation of the vulnerability results in DBMS and application compromise. The SQL injection vulnerabilities are located in multiple files in the main menu and in the bound parameters bgid, ptid, fmid and id.