Ultimate Product Catalogue 4.2.2 is vulnerable to SQL injection. The vulnerability exists because the 'CatID' parameter of the 'get_upcp_subcategories' AJAX action is placed into a database query without sufficient sanitization. An attacker can send a crafted request to the vulnerable application and execute arbitrary SQL commands against the application's database, allowing sensitive data to be read from it.
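The following is an added example, not code from the plugin: it shows how an unsanitized numeric-looking parameter such as CatID turns a subcategory lookup into a data-exfiltration primitive (here a UNION that pulls rows from another table), and the parameterized version that closes it. The table layout, the lookup functions and the sample rows are assumptions constructed for this demo; the plugin's real schema is not shown on the page.

```python
"""Added example (not the plugin's code): unsanitized CatID -> SQL injection,
and the hardened lookup beside it. Schema and data are constructed."""
import sqlite3


def build_db():
    """Constructed in-memory schema standing in for the site's tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE subcategories (id INTEGER, cat_id INTEGER, name TEXT);
        INSERT INTO subcategories VALUES (1, 7, 'Laptops'), (2, 7, 'Tablets');
        -- sample user table the attacker wants to read (constructed values)
        CREATE TABLE users (id INTEGER, login TEXT, pass_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '$P$BexampleHashOnly');
    """)
    return con


def get_subcategories_vulnerable(con, cat_id):
    """String concatenation: whatever arrives in CatID becomes part of the SQL."""
    sql = "SELECT name FROM subcategories WHERE cat_id = " + cat_id
    return [row[0] for row in con.execute(sql)]


def get_subcategories_fixed(con, cat_id):
    """Canonicalise to an integer first (anything non-numeric is rejected),
    then bind it as a parameter so it can never be parsed as SQL."""
    try:
        cat_id = int(cat_id)
    except ValueError:
        return []
    sql = "SELECT name FROM subcategories WHERE cat_id = ?"
    return [row[0] for row in con.execute(sql, (cat_id,))]


# Constructed attacker value for CatID: a valid id followed by a UNION that
# appends rows from an unrelated table to the subcategory list.
PAYLOAD = "7 UNION SELECT login || ':' || pass_hash FROM users"


if __name__ == "__main__":
    con = build_db()
    print("vulnerable:", get_subcategories_vulnerable(con, PAYLOAD))
    print("fixed:     ", get_subcategories_fixed(con, PAYLOAD))
```

Casting to an integer is the right fix for an id parameter; for free-text parameters the parameter binding alone is what matters, and the cast is simply an extra validation layer.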
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using the [ELIDED] character when the database is configured to use an Asian multibyte encoding (Big5). The file ./inc/dbmysql.class.php defines the encoding the database should use; it issues a "SET NAMES" statement, which selects the connection character set. For the proof of concept, the attacker targeted the "Surname" form input in the user profile, prefixing the SQL payload with the byte 0xBF (displayed as ø in the Western encoding the request must be sent with) immediately followed by a single quote (0x27): ø', password=61529519452809720693702583126814 -- x. On the server, the escaping routine inserts a backslash before the quote, giving ø\', password=61529519452809720693702583126814 -- x (bytes 0xBF 0x5C 0x27 ...). The value is then sent to the database over a connection set to Big5. This is the critical point: Big5 treats 0xBF 0x5C, that is ø followed by the backslash, as one two-byte character. The single quote is therefore no longer escaped, the SQL code is executed, and the password of every account is set to 61529519452809720693702583126814 (the MD5 hash of the string "ximaz").
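The following is an added example, not GLPI's code: it shows why an escape that is correct byte for byte stops protecting the quote once the receiving side parses the bytes as a multibyte charset such as Big5. The escaping function mimics what addslashes()/mysql_real_escape_string() do for the characters that matter here and is an assumption for the demo; GLPI's actual sanitisation routine is not reproduced. The attacker input is the advisory's 0xBF byte followed by a quote.

```python
"""Added example (not GLPI's code): backslash escaping defeated by a
multibyte charset. The escaper below is a stand-in for addslashes()."""


def escape_for_sql(raw: bytes) -> bytes:
    """Byte-oriented escaping: put a backslash before ' " \\ and NUL, as a
    single-byte-charset escaper does, without knowing the charset."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # backslash
        out.append(b)
    return bytes(out)


def quote_is_escaped(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes the way a server using `charset` would and
    report whether the first single quote is still preceded by a backslash."""
    text = escaped.decode(charset, errors="replace")
    i = text.find("'")
    return i > 0 and text[i - 1] == "\\"


# Constructed attacker input: 0xBF (the advisory's ø in its Western encoding)
# directly followed by the quote that must survive escaping.
PAYLOAD = b"\xbf'"


def demo() -> dict:
    """Escape once, then interpret the same bytes under two charsets."""
    escaped = escape_for_sql(PAYLOAD)  # b"\xbf\\'"
    return {
        # single-byte charset: the backslash still sits before the quote
        "latin-1": quote_is_escaped(escaped, "latin-1"),
        # Big5: 0xBF 0x5C is one character, the quote is bare again
        "big5": quote_is_escaped(escaped, "big5"),
    }


if __name__ == "__main__":
    print(escape_for_sql(PAYLOAD), demo())
```

The practical consequence is that any escaper that does not know the connection charset is unsafe with multibyte encodings. With PHP's mysqli the charset should be set through mysqli_set_charset() rather than a raw SET NAMES statement, so that the client library escapes with the same charset the server decodes; better still, bind values as parameters so no escaping is involved at all.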
A heap corruption vulnerability was discovered in the KERNEL32.DLL!VFS_Write API, which is exposed to remote attackers by default in all recent versions of Windows. The vulnerability is caused by an unchecked memcpy, which can lead to a wild EIP (an attacker-influenced instruction pointer). A minimal test case triggers the vulnerability.
IBM DB2 for Linux, UNIX and Windows (including DB2 Connect Server) Command Line Processor (CLP) is vulnerable to a stack-based buffer overflow caused by improper bounds checking, which could allow an attacker to execute arbitrary code. The vulnerability is triggered by providing an overly long procedure name inside a CALL statement.
lame is a high-quality MPEG Audio Layer III (MP3) encoder licensed under the LGPL. A few notes before the details of this bug. Some time ago a fuzz was done by Brian Carpenter and Jakub Wilk, who posted the results on the Debian bug tracker. In cases like this, when upstream is not active and people do not post on the upstream Bugzilla, it is easy to discover duplicates, so I downloaded all available test cases, and none of the bugs you will see on my blog is a duplicate of an existing issue. Upstream seems a bit dead; the latest release was in 2011, so this blog post will probably be forwarded to the upstream bug tracker just for the record. The complete ASan output of the issue: 'WRITE of size 4 at 0x7ffe82a515a0 thread T0'
Lame is a high-quality MPEG Audio Layer III (MP3) encoder licensed under the LGPL. A global buffer overflow was discovered in Lame when processing a specially crafted MP3 file. This vulnerability can be exploited to cause a denial of service or potentially to execute arbitrary code.
This module exploits a command injection vulnerability in NETGEAR DGN2200v1/v2/v3/v4 routers by sending a specially crafted POST request with valid login details.
JAD (Java Decompiler) 1.5.8e-1kali1 and prior is prone to a stack-based buffer overflow because the application fails to perform adequate boundary checks on user-supplied input. An attacker could exploit this vulnerability to execute arbitrary code in the context of the application; failed exploit attempts will result in a denial-of-service condition.
This exploits a vulnerability in Windows XP to Windows 8.1. The master file table, or MFT, is a hidden file in the NTFS file system. It maps out all files on the drive. It is supposed to be protected from any user access because every file on an NTFS volume has a reference to it. If $MFT is referenced as a directory, as in the path below, the system locks the file until the next reboot. From then on, any operation that needs the MFT, for example creating a file or enumerating the volume, tries to acquire the ERESOURCE of the $MFT file and hangs at that point forever. The exploit tries to access the nonexistent file c:/$MFT/pwned. The browser hangs and stops responding, and after the browser exits the rest of the system becomes unresponsive.
In the Eltek management section, on the following path, JSON files (such as cfgUseraccount1.json to cfgUseraccount10.json) are requested; these disclose some of the pre-defined system users. The JSON response contains the username and the password (hashed with MD5). If you crack the MD5 hashes to plaintext, you can log in to the system.
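The following is an added example, not Eltek's code or file format: it parses account files shaped like the cfgUseraccountN.json responses described above and runs an offline dictionary attack against the unsalted MD5 password hashes they expose. The JSON field names, the sample hashes and the wordlist are constructed for this demo; the real files' layout is not shown on the page.

```python
"""Added example (not Eltek's code): parse disclosed account JSON and
dictionary-crack unsalted MD5 hashes. Field names and data are constructed."""
import hashlib
import json

# Constructed sample responses standing in for cfgUseraccount1.json ... N.json.
# The first two hashes are MD5("admin") and MD5("password"); the third is a
# made-up value that no wordlist entry should match.
SAMPLE_FILES = {
    "cfgUseraccount1.json": '{"username": "admin", "password": "21232f297a57a5a743894a0e4a801fc3"}',
    "cfgUseraccount2.json": '{"username": "operator", "password": "5F4DCC3B5AA765D61D8327DEB882CF99"}',
    "cfgUseraccount3.json": '{"username": "service", "password": "ffffffffffffffffffffffffffffffff"}',
}

# Constructed wordlist; a real run would use a large password list.
WORDLIST = ["123456", "admin", "password", "eltek", "operator"]


def parse_accounts(files: dict) -> list:
    """Return (username, lowercase_md5_hex) pairs from the JSON bodies.
    Field names 'username' and 'password' are an assumption for this demo."""
    accounts = []
    for _name, body in files.items():
        data = json.loads(body)
        accounts.append((data["username"], data["password"].lower()))
    return accounts


def crack_md5(accounts: list, wordlist: list) -> dict:
    """Map each username to the recovered plaintext, or None if not found.
    Because the hashes are unsalted, one hash per word covers every user,
    which is exactly what makes these files so damaging."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(h) for user, h in accounts}


def accounts_to_reset(results: dict) -> list:
    """Users whose password fell to the wordlist and must be changed."""
    return sorted(user for user, pw in results.items() if pw is not None)


if __name__ == "__main__":
    results = crack_md5(parse_accounts(SAMPLE_FILES), WORDLIST)
    for user, pw in results.items():
        print(f"{user}: {pw if pw else '<not in wordlist>'}")
    print("reset:", accounts_to_reset(results))
```

The check worth running on such a device is the one above: if any disclosed hash falls to a short wordlist, the account is effectively unauthenticated to anyone who can fetch the JSON, so those passwords must be changed and the files removed from unauthenticated reach.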