This module exploits an unrestricted file upload vulnerability in Web Viewer 1.0.0.193 on Samsung SRN-1670D devices: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing local file read vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.
No HTML escaping when returning $error in /install/index.php can lead to an XSS which can be used to take over an account. The vulnerability is at /install/index.php:2503 and occurs because $error is not HTML-encoded. A simple way to trigger it is to cause an error via the Database Server Hostname field by inserting HTML characters there. It is a POST-based XSS, and this is a PoC: <form name="x" action="http://target.com/install/index.php" method="post"><input type="hidden" name='dbengine' value="mysqli"><input type="hidden" name='config[mysqli][dbhost]' value="<img src=x onerror=alert(0)>"><input type="hidden" name='config[mysqli][dbuser]' value="lol"><input type="hidden" name='config[mysqli][dbpass]' value="lol"><input type="hidden" name='config[mysqli][dbname]' value="lol"><input type="hidden" name='config[mysqli][tableprefix]' value="lol"><input type="hidden" name='config[mysqli][encoding]' value="utf8"><input type="hidden" name='config[mysql][dbhost]' value="localhost"><input type="hidden" name='action' value="create_tables"></form><script>document.x.submit();</script> Using this attack you can steal cookies and install the MyBB server as you want, giving you almost full control over the MyBB server.
This RCE can be executed via CSRF but does not require it in some special cases. The requirement is that there is no lock file in the /install/ directory: if you then have access to the install directory, CSRF is not needed; if you do not, CSRF is needed. There is a CSRF vulnerability in MyBB /install/index.php which can be used to inject PHP code into /inc/config.php, which is then included by most pages (require MYBB_ROOT."/inc/config.php" appears in most of them). The vulnerability exists in the table creation process for SQLite databases, because the Database Path is written into the /inc/config.php file at line 11 as $config['database']['database'] = 'DB Path'; MyBB does not properly escape the Database Path, allowing an attacker to easily inject PHP by supplying a DB Path of: lol'; echo 'lol This will not cause any parse errors, since a closing '; is appended at the end. Of course the attacker can then easily execute code on the server, obtaining backdoor access.
Xlight FTP Server is vulnerable to a buffer overflow crash when a maliciously crafted string is pasted into certain fields in the application. This can be exploited by an attacker to crash the application, resulting in a denial of service.
Symantec Endpoint Protection (SEP) does not validate where WinAPI messages come from (lack of UIPI). Therefore, malware can easily spoof messages to the UI or send WM_SYSCOMMAND to close the SEP UI, denying the end user the ability to scan or run the EP AntiVirus protection. Spoofed messages could also potentially inform a user that a scan was clean.
A heap out-of-bound read vulnerability in timelib_meridian() can be triggered via wddx_deserialize() or other vectors that call into this function on untrusted inputs.
There is a use-after-free vulnerability in the jscript.dll library that can be exploited in IE11. jscript.dll is an old JavaScript library that was used in IE 8 and earlier. However, IE11 can still load it if the page is put into IE8 compatibility mode and there is a script tag that can only be understood by the older library (specifically, a script tag with a language="Jscript.Encode" attribute will do the trick). This is a use-after-free in jscript!JsErrorToString that can lead to a heap overflow. When JsErrorToString runs, it tries to concatenate the "name" and "message" properties of an Error object into an AString object (AString is a string type implemented as a list of simpler string parts). First the function converts both the "name" and "message" properties to strings using the ConvertToString function; however, the second call to ConvertToString can trigger a callback (via toString) and delete the "name" string. Later, when the AString is converted to a BString in AString::ConvertToBSTR, the size of the resulting BString can be calculated incorrectly, which can lead to a heap overflow.
pfSense <= 2.3.1_1 is affected by a post-authentication OS command injection vulnerability in auth.inc via the /system_groupmanager.php page (System menu --> User Manager --> Groups) in the handling of the members[] parameter. This allows an authenticated WebGUI user with privileges for system_groupmanager.php to execute commands in the context of the root user.
SMPlayer 17.11.0 is vulnerable to a buffer overflow when opening a specially crafted .m3u file. The vulnerability can be triggered by creating a .m3u file containing a string of 24538 'A' characters and opening it twice in the application. This will cause the application to crash.
Access the application, go to the Radio URL tab and add a new URL, entering a script as the value of the field. Payload: <script> alert(1)</script> The script is saved and displayed as an image message, and the JavaScript executes when the image is clicked.