Input passed via the 'language' GET parameter to upgrade.php is vulnerable to directory traversal. The directory path supplied in the 'language' parameter is later used in an include() call to include the following files: common.lang.php, admin.lang.php, install.lang.php and upgrade.lang.php. Under certain conditions this can be exploited to include a malicious PHP file and execute arbitrary PHP code. Input passed via the 'section' GET parameter to admin.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in an administrator's browser session in the context of the affected web site.
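Added example (not code from the affected application): how a traversal sequence in the 'language' value carries the include() path out of the language directory, beside a resolver that allowlists the language name and checks that the final path is still contained in that directory. The language directory, its location and the set of known languages are assumptions.

```python
"""Added illustration of the upgrade.php 'language' traversal; the
directory layout, LANG_DIR and KNOWN_LANGUAGES are assumptions."""
import posixpath

LANG_DIR = "/var/www/app/lang"                    # assumed location of the language files
LANG_FILES = ("common.lang.php", "admin.lang.php",
              "install.lang.php", "upgrade.lang.php")
KNOWN_LANGUAGES = frozenset({"en", "de", "fr"})   # assumed allowlist of shipped languages


def resolve_unchecked(language: str, lang_file: str) -> str:
    """Mirror of the vulnerable pattern: the request value is joined into the
    include path without validation, so '../' segments climb out of LANG_DIR."""
    return posixpath.normpath(f"{LANG_DIR}/{language}/{lang_file}")


def escapes_lang_dir(path: str) -> bool:
    """True when the normalized path is not underneath LANG_DIR."""
    return posixpath.commonpath([LANG_DIR, path]) != LANG_DIR


def resolve_checked(language: str, lang_file: str) -> str:
    """Hardened resolver: allowlist the language and the file name, then
    verify containment of the normalized path before it reaches include()."""
    if language not in KNOWN_LANGUAGES:
        raise ValueError(f"unknown language {language!r}")
    if lang_file not in LANG_FILES:
        raise ValueError(f"unexpected language file {lang_file!r}")
    path = posixpath.normpath(f"{LANG_DIR}/{language}/{lang_file}")
    if escapes_lang_dir(path):
        raise ValueError("path escapes the language directory")
    return path


if __name__ == "__main__":
    # Constructed attacker value: an attacker who can place a directory holding
    # a file named common.lang.php anywhere on disk gets it included.
    payload = "../../../../tmp/evil"
    path = resolve_unchecked(payload, "common.lang.php")
    print(path, "escapes" if escapes_lang_dir(path) else "contained")
    try:
        resolve_checked(payload, "common.lang.php")
    except ValueError as err:
        print("rejected:", err)
```

The allowlist is the real fix; the containment check is defence in depth for the case where the allowlist is later relaxed to accept arbitrary directory names.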
This module exploits a buffer overflow in Shadow Stream Recorder 3.0.1.7. When the application is used to open a specially crafted .asx file, a buffer overflow occurs that allows arbitrary code execution in the context of the user running it.
This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed a specially crafted MSComctlLib.ListViewCtrl.2 control, as exploited in the wild in April 2012. The module targets Office 2007 and Office 2010. The DEP/ASLR bypass on Office 2010 uses the Ikazuchi ROP chain proposed by Abysssec. That chain relies on 'msgr3en.dll', which is only loaded after Office has started, so the malicious file must be opened from a running Office instance through 'File / Open' for exploitation to succeed.
An undocumented backdoor account exists within all released versions of RuggedCom's Rugged Operating System (ROS®). The username for the account, which cannot be disabled, is 'factory', and its password is dynamically generated from the device's MAC address. Multiple attempts have been made in the past 12 months to have this backdoor removed and customers notified. An example exploit is provided in the full advisory.
The 'p' parameter of index.php is vulnerable to SQL injection. A user must be signed in to perform this attack.
An integer overflow vulnerability has been discovered in the EncoderParameter class of the .NET Framework. The overflowed integer is used as the size of a heap allocation, so the buffer is allocated too small. One or more user-supplied buffers are then copied into the new buffer, corrupting the heap. By exploiting this vulnerability, an application running with Partial Trust permissions can break out of the CLR sandbox and run arbitrary code with Full Trust permissions.
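Added example, not taken from the advisory or from the .NET Framework source: the allocation pattern behind an integer overflow of this kind, modelled with 32-bit unsigned arithmetic. It shows the size computation wrapping so the heap block is far smaller than the data later copied into it, and the overflow-checked version that rejects the request before allocating. The header size, element size and element count are assumptions chosen to make the wrap visible.

```python
"""Added illustration of a size-computation integer overflow; header,
count and element size values are constructed, not from the advisory."""

UINT32_MAX = 0xFFFFFFFF


def alloc_size_unchecked(header: int, count: int, elem_size: int) -> int:
    """Vulnerable pattern: header + count * elem_size evaluated in a 32-bit
    unsigned integer. A large attacker-chosen count wraps the product, so
    the block that gets allocated is far smaller than the data copied in."""
    return (header + count * elem_size) & UINT32_MAX


def alloc_size_checked(header: int, count: int, elem_size: int) -> int:
    """Hardened: reject the request if either the multiply or the add would
    exceed 32 bits. Both steps must be checked; a safe product can still
    overflow once the header is added."""
    if elem_size <= 0 or count < 0 or header < 0:
        raise ValueError("header and count must be non-negative, elem_size positive")
    if count > UINT32_MAX // elem_size:
        raise OverflowError("count * elem_size does not fit in 32 bits")
    payload = count * elem_size
    if header > UINT32_MAX - payload:
        raise OverflowError("header + payload does not fit in 32 bits")
    return header + payload


def bytes_written_past_end(header: int, count: int, elem_size: int) -> int:
    """How far a copy of `count` user-supplied elements overruns the block
    returned by the unchecked computation (0 when no wrap occurred)."""
    needed = header + count * elem_size                # true size, unbounded arithmetic
    allocated = alloc_size_unchecked(header, count, elem_size)
    return max(0, needed - allocated)


if __name__ == "__main__":
    # Constructed attacker input: 0x40000000 four-byte values behind a 16-byte header.
    print(hex(alloc_size_unchecked(16, 0x40000000, 4)))     # 0x10: only 16 bytes allocated
    print(hex(bytes_written_past_end(16, 0x40000000, 4)))   # 0x100000000 bytes of overrun
    try:
        alloc_size_checked(16, 0x40000000, 4)
    except OverflowError as err:
        print("rejected:", err)
```

In native code the same check is written with a saturating or checked multiply before the allocator call; the point is that the check runs on the operands, not on the already-wrapped result.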
Mobipocket Reader version 6.2 Build 608 is vulnerable to a buffer overflow caused by a boundary error in the processing of .prc files. By exploiting this vulnerability, an attacker can execute arbitrary code in the context of the application.
Exponent CMS version 2.0.5 is affected by XSS and SQL injection vulnerabilities. Example PoC URLs (the first is a time-based blind injection: a 25-second delay in the response confirms the subquery executed):
http://example.com/index.php?section=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)
http://example.com/index.php?action=showall_by_tags&tag=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E&controller=news&src= () random4e5433b85bb1f
http://example.com/index.php?controller=expTag&action=show&title=changes&src=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E
The vulnerability allows remote attackers to inject persistent malicious script code on the application side of the vulnerable module. It is located in the `/admin/index.php` file, in the `file` and `action` `$_GET` parameters, into which remote attackers can inject script code. The request method used to inject is GET, and the attack vector is on the application side. The security risk of this persistent input validation vulnerability is rated medium, with a CVSS (Common Vulnerability Scoring System) score of 4.3. Exploitation requires a low-privileged web application user account and low user interaction. Successful exploitation results in session hijacking, persistent phishing attacks, persistent external redirects and persistent context manipulation.
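Added example that serves the script-injection issues above: the unsanitised 'section' parameter of admin.php, the Exponent CMS 'tag' PoC, and the `file`/`action` parameters of `/admin/index.php`. It is not code from any of the affected applications. It decodes the actual payload from the Exponent PoC URL on this page, renders it through a page fragment that echoes the parameter verbatim, and then through the same fragment with HTML escaping. The page template is an assumption; the payload is the one in the PoC URL.

```python
"""Added illustration of reflected script injection versus output escaping.
The template below is assumed; POC_URL is the PoC from the Exponent CMS entry."""
import html
from urllib.parse import parse_qs, urlsplit

POC_URL = ("http://example.com/index.php?action=showall_by_tags&tag=%27%22--%3E"
           "%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E&controller=news")


def get_param(url: str, name: str) -> str:
    """Percent-decode the query string the way the server's $_GET does."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_unsafe(tag: str) -> str:
    """Vulnerable: the decoded parameter is concatenated into HTML verbatim,
    once inside a quoted attribute and once as element text. The payload's
    leading quote closes the attribute and its '>' closes the tag, so the
    <script> element that follows is parsed as markup."""
    return f'<input name="tag" value="{tag}"><h2>Tag: {tag}</h2>'


def render_safe(tag: str) -> str:
    """Hardened: escape at output time. html.escape with quote=True covers
    both the quoted-attribute and the text context used here, and escaping
    on output also neutralises values that were stored earlier (persistent)."""
    safe = html.escape(tag, quote=True)
    return f'<input name="tag" value="{safe}"><h2>Tag: {safe}</h2>'


def injects_script(rendered: str) -> bool:
    """Crude check used here to compare the two renderings: does a literal
    <script> start tag appear in the output the browser will parse?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    tag = get_param(POC_URL, "tag")
    print("decoded payload:", tag)
    print("unsafe injects script:", injects_script(render_unsafe(tag)))
    print("safe injects script:  ", injects_script(render_safe(tag)))
```

Escaping must match the output context; the same value placed inside a JavaScript string or a URL attribute needs JavaScript-string or URL encoding instead, which html.escape does not provide.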
SumatraPDF v2.0.1 is vulnerable to memory corruption when processing .chm and .mobi files. An attacker can exploit this vulnerability to execute arbitrary code on the target system.