When 360 Total Security is loaded on a Windows machine, its binaries try to load a DLL (Shcore.dll) in order to display correctly on high-DPI displays. Shcore.dll ships with Windows 8.1 and above, but not with earlier versions (for example Windows 7 and XP). The administration components of 360 Total Security nevertheless try to find and load this DLL on Windows 7 too, where it does not exist, so the loader walks the whole search order and ends up in the directories listed in the PATH system variable. Placing a DLL named Shcore.dll in any directory listed in PATH therefore gets it loaded into the memory space of the 360 software. Because the DLL is loaded inside a 360 administration process, its code runs with administrator privileges.
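The search-order reasoning above, as an added example that is not 360 Total Security's code: a small Python model of the Windows DLL search order (simplified to application directory, system directories, current directory, PATH) that answers which directories an attacker could plant Shcore.dll into. The directory names, the "present" set and the "writable" set in the demo are constructed; the `exists` and `writable` hooks default to real filesystem checks so the same function can be pointed at a live PATH.

```python
"""Where would a planted Shcore.dll be picked up?  Added example modelling the
Windows DLL search order; not 360 Total Security code.  The order is an
assumption (application dir, system dirs, current dir, PATH entries, i.e.
SafeDllSearchMode on and no app-local redirection) and every path in the
demo is constructed."""
import os


def dll_path(directory, dll_name):
    return os.path.join(directory, dll_name)


def search_order(app_dir, system_dirs, cwd, path_entries):
    """Simplified LoadLibrary search order for a DLL requested by bare name."""
    return [app_dir, *system_dirs, cwd, *path_entries]


def resolve(order, dll_name, exists=os.path.isfile):
    """Directory the loader would take dll_name from, or None when the DLL is
    absent everywhere (the Windows 7 case for Shcore.dll)."""
    for directory in order:
        if exists(dll_path(directory, dll_name)):
            return directory
    return None


def hijack_candidates(order, dll_name, exists=os.path.isfile,
                      writable=lambda d: os.access(d, os.W_OK)):
    """Directories an attacker could plant dll_name into so that it is loaded.
    If no legitimate copy exists, every writable directory in the order
    qualifies (including every PATH entry).  If a legitimate copy exists, only
    writable directories searched *before* it qualify."""
    legit = resolve(order, dll_name, exists)
    reachable = order if legit is None else order[:order.index(legit)]
    return [d for d in reachable if writable(d)]


def scan_live_path(dll_name="Shcore.dll"):
    """Check the real PATH of this machine (meaningful on Windows only): PATH
    entries writable by the current user that precede the first entry that
    actually contains dll_name."""
    entries = [p for p in os.environ.get("PATH", "").split(os.pathsep) if p]
    return hijack_candidates(entries, dll_name)


if __name__ == "__main__":
    # constructed layout: the only writable places are the user's own dirs
    order = search_order(r"C:\Program Files\360\Total Security",
                         [r"C:\Windows\System32", r"C:\Windows"],
                         r"C:\Users\bob", [r"C:\Python27", r"C:\tools"])
    present = set()
    writable = {r"C:\Users\bob", r"C:\Python27", r"C:\tools"}
    exists, can_write = (lambda p: p in present), (lambda d: d in writable)
    print("Windows 7 (no Shcore.dll anywhere):",
          hijack_candidates(order, "Shcore.dll", exists, can_write))
    present.add(dll_path(r"C:\Windows\System32", "Shcore.dll"))
    print("Windows 8.1 (system copy present):",
          hijack_candidates(order, "Shcore.dll", exists, can_write))
```

On the Windows 7 layout every writable directory, PATH entries included, is a candidate; once a system copy exists only directories searched before System32 matter, which is why the same binary is not hijackable through PATH on 8.1.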
OrientDB is a distributed graph database engine with the flexibility of a document database, all in one product. By default an OrientDB server has three roles, admin, writer and reader, each with a user of the same name, and every database created on the server gets these three users by default. Their privileges are: admin has access to all functions on the database without any limitation; reader is a read-only user; writer is the same as reader but can also create, update and delete records. Reading the ORole class normally requires a permission that unprivileged users do not hold, but from version 2.2.x onward, whenever ORole is queried with WHERE, fetchplan or ORDER BY clauses, this permission is no longer required and the information is returned to unprivileged users. Thus even if the database administrator changes the admin user's password, an attacker would still be able to gain access to the database.
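The bug pattern described above, as an added illustration rather than OrientDB's own source: an authorization check that lives in one query executor but not in the one reached when the query carries WHERE, ORDER BY or a fetchplan, beside the fixed version that authorizes the target class at a single choke point. The class name ORole and the admin/reader/writer roles come from the text; the toy parser, the two executors and the records are assumptions (filtering and sorting are not modelled, both executors return all records of the class).

```python
"""Model of an authorization check bypassed by the shape of the query.
Added illustrative code, not OrientDB's source: ORole and the three roles are
from the advisory, the parser and executors are assumptions."""
import re

SELECT_RE = re.compile(r"^\s*SELECT\s+(?:\*\s+)?FROM\s+(\w+)(?P<tail>.*)$",
                       re.IGNORECASE | re.DOTALL)
RESTRICTED_CLASSES = {"orole"}      # readable by admin only (assumption)


def parse(query):
    """Return (class_name, uses_filter) for a SELECT FROM <class> ... query."""
    m = SELECT_RE.match(query)
    if not m:
        raise ValueError("only SELECT FROM <class> ... queries are modelled")
    tail = m.group("tail").upper()
    uses_filter = any(kw in tail for kw in ("WHERE", "ORDER BY", "FETCHPLAN"))
    return m.group(1).lower(), uses_filter


def can_read(role, class_name):
    return role == "admin" or class_name not in RESTRICTED_CLASSES


def run_vulnerable(role, query, db):
    """Two executors: the plain one enforces the permission, the filtering one
    (reached whenever WHERE / ORDER BY / fetchplan are present) never does."""
    cls, uses_filter = parse(query)
    if uses_filter:
        return list(db[cls])                  # no permission check on this path
    if not can_read(role, cls):
        raise PermissionError(f"{role} may not read {cls}")
    return list(db[cls])


def run_fixed(role, query, db):
    """Single choke point: authorize the target class before any executor runs."""
    cls, _uses_filter = parse(query)
    if not can_read(role, cls):
        raise PermissionError(f"{role} may not read {cls}")
    return list(db[cls])


DEMO_DB = {   # constructed records
    "orole": [{"name": "admin", "mode": 1},
              {"name": "reader", "mode": 0},
              {"name": "writer", "mode": 0}],
    "customer": [{"name": "ACME"}],
}

if __name__ == "__main__":
    for fn in (run_vulnerable, run_fixed):
        for q in ("SELECT FROM ORole", "SELECT FROM ORole WHERE name = 'admin'"):
            try:
                print(fn.__name__, q, "->", fn("reader", q, DEMO_DB))
            except PermissionError as e:
                print(fn.__name__, q, "-> denied:", e)
```

The fix is not "check in both executors" but "check before dispatch": any future executor (a new query form, a fetchplan engine) then inherits the permission check instead of having to remember it.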
McAfee Security Scan Plus retrieves promotional and UI design information from different mcafee.com domains and displays it to the user, typically in the main application window. The vulnerability is caused by a combination of factors: the information is retrieved over plaintext HTTP, so it can be trivially modified by an active network attacker; McAfee Security Scan Plus relies on the MCBRWSR2.DLL library to display the HTML content; and that library exposes a LaunchApplication() JavaScript API that executes arbitrary commands on the affected system. An attacker who can tamper with the HTTP response can therefore serve a page that calls LaunchApplication() and runs commands on the user's machine.
An independent security researcher has reported a vulnerability in Odoo CRM version 10.0 that allows an administrator to execute arbitrary Python code with the same privilege level as the Odoo web application. The administrator anonymizes the database and then starts the de-anonymization process with a crafted pickle file; because that file is deserialized with Python's pickle module, objects in it can run attacker-chosen code as soon as they are loaded.
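Why "a crafted pickle file" is equivalent to code execution, as an added example that is not Odoo's anonymization code: a class whose `__reduce__` makes `pickle.loads` call a function of the attacker's choosing, beside a restricted unpickler that refuses to resolve any global outside an allow-list. The payload callable `payload_hook` is a harmless stand-in for `os.system` (it records the command instead of running it), and the allow-list contents and the benign record are assumptions.

```python
"""Why a crafted pickle gives code execution, next to a loader that refuses it.
Added example, not Odoo's code; payload_hook stands in for os.system so the
demo records the command instead of executing it."""
import io
import pickle

EXECUTED = []   # commands a real payload would have run


def payload_hook(command):
    """Stand-in for os.system(command)."""
    EXECUTED.append(command)
    return command


class Malicious:
    """On load, pickle calls the callable returned by __reduce__ with the
    given arguments; the object itself never needs to exist on the target."""
    def __reduce__(self):
        return (payload_hook, ("id > /tmp/pwned",))


def build_crafted_pickle():
    """What an attacker would hand to the de-anonymization step."""
    return pickle.dumps(Malicious())


def build_benign_pickle():
    """Constructed legitimate content: plain data only."""
    return pickle.dumps({"customer": "ACME", "ids": [1, 2, 3]})


def unsafe_load(data):
    """What an application does when it trusts the file."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only allow-listed globals; everything else is rejected before
    it can be called.  Plain data (dict, list, str, int) needs no global
    lookup at all and loads unchanged."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}      # assumption: what the format needs

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def load_untrusted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    print("unsafe_load ->", unsafe_load(build_crafted_pickle()), "| executed:", EXECUTED)
    try:
        load_untrusted(build_crafted_pickle())
    except pickle.UnpicklingError as e:
        print("load_untrusted ->", e)
    print("benign ->", load_untrusted(build_benign_pickle()))
```

The restricted unpickler is a containment measure for data one is forced to accept in pickle form; where the format is under the application's control, a non-executable serialization (JSON) removes the problem entirely.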
By crafting the download request and adding a path traversal vector to it, an authenticated user can use this function to download files outside the normal scope of the download feature (including sensitive files). In addition, the function can be called by a low-privileged user who is only logged on to the User Portal (i.e. missing function level access control). Combining these two vulnerabilities allows a User Portal user to read files he should not be able to reach and thereby elevate his privileges, compromising the integrity of the server.
User-controlled input is not sufficiently sanitized: by sending a PUT request for /ISAPI/Security/users/1 (request line PUT /ISAPI/Security/users/1 HTTP/1.1) an attacker can change the admin password.
An independent security researcher, Kacper Szurek, has reported a SQL injection vulnerability in QTS Helpdesk versions 1.1.12 and earlier. To trigger the vulnerability, the Remote Support option has to be enabled. User-controlled input is not sufficiently sanitized: by sending a CLI request to www/App/Controllers/Cli/SupportUtils.php an attacker can trigger a SQL injection and retrieve the password of the _qnap_support user.
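The injection class described above, as an added example that is not QTS Helpdesk code: a lookup that pastes user input into a SQL string, beside the parameterized version, run against a constructed SQLite schema. The table and column names, the ticket records and the password value are assumptions; the account name `_qnap_support` comes from the text.

```python
"""UNION-based SQL injection that pulls a support account's password out of an
unrelated lookup, next to the parameterized query that does not.  Added
example on a constructed SQLite schema, not QTS Helpdesk code."""
import sqlite3


def make_db():
    """Constructed data: a users table holding the support account and a
    tickets table that the vulnerable lookup is meant to query."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('_qnap_support', 's3cret-support-pw'),
                                 ('alice', 'alice-pw');
        CREATE TABLE tickets (id INTEGER, owner TEXT, subject TEXT);
        INSERT INTO tickets VALUES (1, 'alice', 'NAS does not boot'),
                                   (2, 'bob', 'Cannot mount share');
    """)
    return con


def ticket_subjects_vulnerable(con, owner):
    """String formatting: a quote in `owner` ends the literal and the rest of
    the input becomes SQL."""
    sql = f"SELECT subject FROM tickets WHERE owner = '{owner}'"
    return [row[0] for row in con.execute(sql)]


def ticket_subjects_fixed(con, owner):
    """Bound parameter: the whole input is compared as one string value."""
    sql = "SELECT subject FROM tickets WHERE owner = ?"
    return [row[0] for row in con.execute(sql, (owner,))]


# Crafted "owner" value: closes the literal, UNIONs in a column from another
# table, and comments out the trailing quote.
INJECTION = "x' UNION SELECT password FROM users WHERE username = '_qnap_support' -- "

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", ticket_subjects_vulnerable(con, INJECTION))
    print("fixed:     ", ticket_subjects_fixed(con, INJECTION))
    print("fixed, legitimate:", ticket_subjects_fixed(con, "alice"))
```

With the UNION the result column still looks like a ticket subject to the caller, which is what makes the password show up in an ordinary response; the parameterized query returns nothing for the crafted value because no ticket owner is literally that string.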
User-controlled input is not sufficiently sanitized when passed to the File Manager (gollem) module (version 3.0.11). The “fn” parameter does not filter certain meta characters, which causes the requested file or filesystem to be downloaded without credentials. It is only necessary to know the username and the file name.
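Both download issues above (the path traversal plus missing function level access control in the User Portal download function, and the unfiltered “fn” parameter in gollem) come down to the same two missing checks, so one added example covers both; it is not the code of either product. A download handler first verifies that the caller's role may use the function at all, then decodes the requested name once, rejects NUL bytes, resolves it against the download root and refuses anything that lands outside. The role table, directory layout and file names are constructed.

```python
"""Download handler with the two checks the advisories say were missing:
function-level authorization and containment of the requested file name.
Added example, not the product's code; roles and layout are constructed."""
import tempfile
from pathlib import Path
from urllib.parse import unquote

# assumption: which roles may call the download function at all
FUNCTION_ALLOWED_ROLES = {"download": {"admin", "operator"}}


def resolve_download(base_dir, fn, role):
    """Return the absolute path the URL parameter `fn` may refer to.
    PermissionError: the role may not use the function (function-level check).
    ValueError: the name escapes base_dir or contains a NUL byte.
    FileNotFoundError: the target is not a regular file."""
    if role not in FUNCTION_ALLOWED_ROLES["download"]:
        raise PermissionError(f"role {role!r} may not call download")
    name = unquote(fn)                    # decode %2F etc. once, then validate the result
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    base = Path(base_dir).resolve()
    target = (base / name).resolve()      # collapses ../ and follows symlinks
    if target != base and base not in target.parents:
        raise ValueError(f"{fn!r} resolves outside {base}")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target


def make_demo_tree():
    """Constructed download root: <tmp>/reports/q1.txt plus a symlink that
    points outside the root, the case a plain prefix check on the raw string
    would miss."""
    root = Path(tempfile.mkdtemp(prefix="dl-"))
    (root / "reports").mkdir()
    (root / "reports" / "q1.txt").write_text("quarterly figures\n")
    try:
        (root / "reports" / "escape").symlink_to(root.parent)
    except OSError:
        pass                              # symlinks unavailable: demo still works
    return str(root)


if __name__ == "__main__":
    base = make_demo_tree()
    for fn, role in [("reports/q1.txt", "admin"),
                     ("..%2F..%2Fetc%2Fpasswd", "admin"),
                     ("reports/escape/passwd", "admin"),
                     ("reports/q1.txt", "portal_user")]:
        try:
            print(fn, role, "->", resolve_download(base, fn, role))
        except (PermissionError, ValueError, FileNotFoundError) as e:
            print(fn, role, "-> rejected:", type(e).__name__, e)
```

Checking containment on the resolved path rather than on the raw string is what catches `..%2F` sequences, absolute names and symlinks uniformly; the role check sits first so that a User Portal account is refused before any file name is even looked at.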
A flaw in the proprietary protocol used by Tiandy IP cameras allows an attacker to forge a request that returns the configuration settings of the camera. By sending a crafted request, an attacker can download files such as config_server.ini, extendword.txt, config_ptz.dat, config_right.dat, config_dg.dat and config_burn.dat.
These two vulnerabilities can be triggered to cause a Denial of Service against a server under the following conditions:

- an attacker can pass a URL parameter that points to an FTP server under his control to the target
- the target server uses the vulnerable component(s) to fetch the resource specified by the attacker
- the target server does not prevent fetching of FTP URI resources

In both vulnerabilities the attack sequence is the following:

1. The attacker forces the vulnerable target server to parse an FTP URL that points to the attacker's FTP server.
2. The target server fetches the FTP resource provided by the attacker.
3. The attacker's FTP server abruptly exits, leaving the Java process on the target server with two internal threads in an infinite waiting status.
4. If the Java process is single-threaded, it cannot process any further client request, so a single request from the attacker reaches a Denial of Service condition. If the process is multi-threaded, the same technique exhausts all available threads by issuing one request per available thread.

The attacker's FTP server has to exit "abruptly" at the moment the Java client performs its connection attempt, in order to leave the Java process in the infinite waiting status.
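The sequence above reproduced on localhost, as an added example that is not the vulnerable Java component: an attacker-side FTP listener that accepts the connection and then either drops it right after the banner or silently holds it, and a victim-side client that applies a deadline to the connect and every read instead of waiting forever. A scheme check for the third precondition is included. The server is a stub that speaks nothing but the 220 banner; ports and URLs are constructed.

```python
"""Attacker-side FTP stub that exits abruptly (or never answers) and a
victim-side client with a deadline.  Added example, not the vulnerable Java
code; the stub only ever sends a 220 banner."""
import socket
import threading
from urllib.parse import urlparse


def is_fetchable(url, allowed_schemes=("http", "https")):
    """Third precondition, inverted: refuse ftp:// (and anything unexpected)
    before a single connection is made."""
    return urlparse(url).scheme.lower() in allowed_schemes


def start_attacker_ftp(mode):
    """mode="close": accept, send a banner, exit abruptly (no 221, no QUIT).
    mode="hang":  accept and never answer.  Returns the bound port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        if mode == "close":
            conn.sendall(b"220 fake ftp ready\r\n")
            conn.close()
        else:
            threading.Event().wait()          # hold the socket open forever

    threading.Thread(target=serve, daemon=True).start()
    return port


def fetch_ftp_banner(host, port, timeout):
    """Victim side with a deadline.  Returns "closed" when the peer drops the
    connection and "timeout" when nothing arrives in time.  A client without a
    timeout would sit in recv() indefinitely in the second case, which is the
    per-thread outcome the text describes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            while True:
                if not sock.recv(4096):       # b"" means the peer closed
                    return "closed"
        except socket.timeout:
            return "timeout"


if __name__ == "__main__":
    print("ftp://203.0.113.5/x fetchable:", is_fetchable("ftp://203.0.113.5/x"))
    port = start_attacker_ftp("close")
    print("abrupt exit ->", fetch_ftp_banner("127.0.0.1", port, timeout=2.0))
    port = start_attacker_ftp("hang")
    print("never answers ->", fetch_ftp_banner("127.0.0.1", port, timeout=0.5))
```

Two defensive points follow from the text's own conditions: a fetcher that is never handed an FTP URL cannot be driven into the state at all, and one whose reads are bounded gives the stuck thread back to the pool after the deadline instead of holding it until the process is restarted.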