This module exploits an arbitrary command execution vulnerability in Gitorious. Unvalidated input is sent to the shell, allowing command execution.
Access restrictions on this script are not properly enforced, so an attacker might be able to upload a malicious file with a double extension (e.g. .php.jpg) and execute arbitrary code.
The submission form of the WordPress uCan Post plugin is not properly sanitized and results in stored XSS in admin pages. The Name, Email and Post Title fields are not sanitized and can be injected with a payload that is stored in the pending submission page of the admin panel. The Email field can also result in reflected XSS. The payload is also reflected in the public page if no permission is required to publish a post from the public interface.
CKEditor is prone to persistent cross-site scripting within the editor itself, as an attacker can inject event handlers carrying JavaScript code that runs during preview or editing in HTML mode. If an attacker injects an event handler into an image, such as onload='alert(0);', the JavaScript will execute even if the data is saved and previewed in editing mode later on. (The XSS only executes during preview or editing in HTML mode.) If an administrator later edits the comment, or is logged in and browses to the edit page of the malicious comment, the JavaScript executes, allowing attacker-controlled code to run in the context of the administrator's browser.
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the '_OVBuildPath' function in 'ov.dll'. There are no stack cookies, so exploitation is achieved by overwriting the saved return address. The vulnerability is due to the use of the function '_OVConcatPath', which ultimately calls 'strcat' in an insecure way: user-controlled data is concatenated to a string containing the OpenView installation path. To achieve reliable exploitation, a directory traversal in OpenView5.exe (OSVDB 44359) is used to retrieve OpenView logs and disclose the installation path. If the installation path cannot be determined, the default installation path is used.
The deV!L`z Clanportal 1.5.5 Moviebase Addon is vulnerable to blind SQL injection. The vulnerability exists in the 'id' parameter of 'movies/index.php?action=showkat&id='. An attacker can inject malicious SQL queries into the vulnerable parameter and gain access to the database. The SQL injection filter function must be bypassed in order to exploit the vulnerability.
A SQL injection vulnerability exists in the deV!L`z Clanportal Gamebase Addon, which allows an attacker to inject arbitrary SQL commands via the 'gameid' parameter of the 'gamebase/?action=detail' URL. An attacker can exploit this vulnerability to gain access to sensitive information such as usernames and passwords.
A SQL injection vulnerability exists in the PhpBridges Blog System. An attacker can exploit this vulnerability by sending malicious SQL queries to the vulnerable parameter 'id' in the 'members.php' file. This can allow the attacker to gain access to the database and execute arbitrary code.
A SQL injection vulnerability exists in pGB 2.12. An attacker can send a specially crafted HTTP request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database.
This module allows remote attackers to place arbitrary files on a user's file system by abusing the "CacheDocumentXMLWithId" method of the "XMLCacheMgr" class in the HP Easy Printer HPTicketMgr.dll ActiveX control (HPTicketMgr.dll 2.7.2.0). Code execution is achieved by first uploading the payload to the remote machine embedded in a VBS file, and then uploading a MOF file, which causes the Windows Management Instrumentation service to execute the VBS. Please note that this module currently only works on Windows versions before Vista.