PhpCollab is an open source web-based project management system that enables collaboration across the Internet. The phpCollab code does not correctly filter arguments, allowing arbitrary SQL code execution by an unauthenticated user.
PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/ via clients/editclient.php.
An attacker can access management console pages directly and without authentication. All files in these directories are directly accessible. An attacker can directly access the user page and add users, view passwords, or change administrator credentials without authentication.
This CVE is assigned to Wang Chunyu (Red Hat) and the bug was discovered by Syzkaller. In this PoC, skb_shinfo(skb)->nr_frags is overwritten by ev->iferror = err (0xff) under the condition nlh->nlmsg_len == 0x10 and skb->len > nlh->nlmsg_len.
Any registered user can log in by editing the userInfo cookie. On a successful login, the DVR sets a cookie named userInfo followed by the web port, with the value base64(user:pass). However, the DVR does not check the password in that cookie. Without having logged in, add a cookie userInfoXX (XX: web port) with the value base64(admin:<any string>) and open http://dvr-domain.dynns.com:XX/doc/page/main.asp. Authentication is bypassed.
MS Office Word contains an Internet Explorer (IE) script execution issue through a currently well-known vector: the 'Microsoft Scriptlet Component' ActiveX control. This issue facilitates attacks against the IE rendering engine because some enhanced security features are not enabled by default. It allows web pages to be displayed inline in Office documents, rendered by the MS IE rendering engine. Additionally, it was not (publicly) known that relative URLs could be passed to the ActiveX control, causing Word/Works documents to reference themselves as HTML and potentially disclosing sensitive information to attackers, such as file contents, the Windows user name, etc. Instructions for the PoC are also provided.
The flaw allows an attacker to download arbitrary files. Vulnerable source:

    include_once('.......php');
    // Check download token
    if (empty($_GET['mime']) OR empty($_GET['token'])) {
        exit('Invalid download token 8{');
    }
    // Set operation params
    $mime = filter_var($_GET['mime']);
    $ext = str_replace(array('/', 'x-'), '', strstr($mime, '/'));
    $url = base64_decode(filter_var($_GET['token']));
    $name = urldecode($_GET['title']) . '.' . $ext;

Proof of concept: http://localhost/[PATH]/download.php?mime=video/webm&title=Efe&token=[FILENAME_to_BASE64]
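The root cause in the snippet above is that the decoded token is used as a file path and the extension is derived from a user-supplied MIME string. The following hardened handler is an added example, not the affected project's code; it assumes a fixed storage directory (DOWNLOAD_ROOT) and a MIME allow-list (ALLOWED_MIME), both hypothetical names, and treats the token as an opaque file name that must resolve inside that directory.

```php
<?php
// Added example (not the project's code): hardened replacement for the
// vulnerable download handler. DOWNLOAD_ROOT and ALLOWED_MIME are assumptions.
declare(strict_types=1);

const DOWNLOAD_ROOT = __DIR__ . '/downloads';   // assumed storage directory
const ALLOWED_MIME  = [                          // assumed allow-list
    'video/webm'      => 'webm',
    'video/mp4'       => 'mp4',
    'application/pdf' => 'pdf',
];

// Returns ['path','mime','name'] for a valid request, or null to refuse it.
function resolve_download(string $mime, string $token, string $title): ?array
{
    // 1. MIME type must be one we serve; the extension comes from the
    //    allow-list, never from the user-controlled string.
    if (!isset(ALLOWED_MIME[$mime])) {
        return null;
    }
    $ext = ALLOWED_MIME[$mime];

    // 2. Strict base64 decode, then a strict file-name allow-list: no
    //    separators, no NUL bytes, no traversal sequences.
    $decoded = base64_decode($token, true);
    if ($decoded === false
        || !preg_match('/^[A-Za-z0-9._-]{1,128}$/', $decoded)
        || strpos($decoded, '..') !== false) {
        return null;
    }

    // 3. Build the path from the fixed root and confirm with realpath that
    //    the result still lies inside it (covers symlinks as well).
    $root = realpath(DOWNLOAD_ROOT);
    $path = realpath(DOWNLOAD_ROOT . DIRECTORY_SEPARATOR . $decoded);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    if (!is_file($path) || pathinfo($path, PATHINFO_EXTENSION) !== $ext) {
        return null;
    }

    // 4. The title only feeds Content-Disposition; strip header-breaking chars.
    $safeTitle = preg_replace('/[^A-Za-z0-9 _-]/', '', $title) ?: 'download';

    return ['path' => $path, 'mime' => $mime, 'name' => $safeTitle . '.' . $ext];
}

function serve_download(): void
{
    $mime  = (string)($_GET['mime']  ?? '');
    $token = (string)($_GET['token'] ?? '');
    $title = (string)($_GET['title'] ?? '');

    $file = resolve_download($mime, $token, $title);
    if ($file === null) {
        http_response_code(404);
        exit('Invalid download token');
    }

    header('Content-Type: ' . $file['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $file['name'] . '"');
    header('Content-Length: ' . (string)filesize($file['path']));
    readfile($file['path']);
}

serve_download();
```

The realpath prefix check is the control that actually closes the arbitrary-download hole; the file-name regex in front of it gives a cheap early rejection and a clearer log entry for what was refused.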
SQL injection in the [srch] parameter. Proof of Concept (PoC): SQLi: http://localhost/[path]/product-list.php?srch=search AND 3233=3233 AND 'NeVc'='NeVc Parameter: srch (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: srch=search' AND 3233=3233 AND 'NeVc'='NeVc
The vulnerability allows employee-level users to inject SQL commands into the vulnerable parameter. Proof of Concept: http://localhost/[PATH]/?hr-dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL] -23+union+select 1,2,3,4,5,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),7,8--%20- http://localhost/[PATH]/?hr-dashboard=user&page=user&tab=view_employee&action=view&employee_id=[SQL]
SmarterStats version 11.3.6347, and possibly prior versions, renders the Referer field of HTTP log files in the URL /Data/Reports/ReferringURLsWithQueries. An attacker can inject HTML tags into the Referer field of an HTTP log file, and these are rendered in the browser when a user clicks the Referer URL link in the Referer URL report. The attacker can then use the injected HTML to perform Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and open redirection.
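The defensive point of the SmarterStats finding is that a log field is attacker-controlled input and must be encoded before it is placed in a page, and that a link built from it should only ever point at an http(s) URL. The PHP below is an added example written for this page, not SmarterStats code (SmarterStats is not a PHP product); the log line is constructed for the example and the function names are hypothetical.

```php
<?php
// Added example (not SmarterStats code): safe rendering of a Referer value
// taken from a web-server log. The log line below is constructed.
declare(strict_types=1);

// Constructed log line: date time cs-uri "cs(Referer)", with a tag in the Referer.
const SAMPLE_LOG_LINE =
    '2024-01-01 10:00:00 /index.html "http://referrer.example/?q="><b>injected</b>"';

// Extracts the quoted Referer field; returns null if the line has none.
function parse_referer(string $line): ?string
{
    if (!preg_match('/"(.*)"$/', $line, $m)) {
        return null;
    }
    return $m[1];
}

// Renders the Referer as HTML. Everything is output-encoded; only http(s)
// URLs with a host become links, all else is shown as inert text.
function render_referer_link(string $referer): string
{
    $text  = htmlspecialchars($referer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $parts = parse_url($referer);
    if ($parts === false) {
        return $text;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || !isset($parts['host'])) {
        return $text;   // javascript:, data:, relative paths etc. are not linked
    }
    // Same encoding for the attribute; ENT_QUOTES closes the quote-break vector.
    return '<a href="' . $text . '" rel="noopener noreferrer nofollow">' . $text . '</a>';
}

echo render_referer_link(parse_referer(SAMPLE_LOG_LINE) ?? '') . PHP_EOL;
```

Encoding removes the XSS and the quote-break into the attribute; the scheme check keeps javascript: and similar URLs from becoming clickable. It does not, by itself, decide whether the report should link to arbitrary external sites at all, which is the open-redirection half of the finding; an interstitial or a plain-text rendering of the referrer is the usual answer there.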