Explore all Exploits:

PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php

Code execution using import.php. We know import.php accepts a file and only reads its content; the file is not stored on the server. But when we store a payload in our backdoor.csv and upload it to the phonebook, it executes our payload and shows it on the next page in the corresponding fields (NAME, MOBILE, Email, Group Code, Tags). In this case, the payload was stored in the Name field. However, the server does not execute the payload directly, so the User-Agent was changed to whatever command was to be executed. An example of the backdoor.csv file content is provided.

Secure Auditor v3.0 / Cisco Config Manager TFTP Directory Traversal Exploit

Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure Cisco Auditor (SCA) 3.0, has a Directory Traversal issue in its TFTP Server, allowing attackers to read arbitrary files via ../ sequences in a pathname.

Sure Thing Disc Labeler – Stack Buffer Overflow (PoC)

A stack buffer overflow vulnerability exists in Sure Thing Disc Labeler 6.2.138.0. An attacker can exploit this vulnerability by creating a specially crafted project template file which when opened by the user, can lead to a return pointer being overwritten giving control over EIP when the function returns.

PlaySMS 1.4 Remote Code Execution (to Poisoning admin log)

Remote code execution in the admin log. In PlaySMS, the admin has a panel where he/she monitors user status. The admin can see Whose Online. Using this functionality we can exploit RCE in the Whose Online page. When any user logs in to the playSMS application, some user details are logged on the Whose Online panel, such as 'Username', 'User-Agent', 'Current IP', etc.

ManageEngine ServiceDesk Plus Application Compromise

A valid username can be used as both username and password to log in and compromise the application through the “/mc/” directory, which is the ‘mobile client’ directory. This can be achieved ONLY if Active Directory/LDAP is being used. This flaw exists because of the lack of password randomization in application version 9.0 when a user is entered into the application, so the application assigns the username as the password. The flaw can then be exploited by logging into the application through the “/mc” directory and then backing out of the “/mc” directory by deleting it from the URL, which places you in the main application with the authority of the user you logged in as. (Help locating a valid username can come from another disclosed vulnerability in the application.)

Blind XXE (XML External Entity) in SAP

An XML External Entity (XXE) attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. SAP Business One Android Application is vulnerable to XXE. A remote attacker could exploit this vulnerability to expose highly sensitive information from servers.

[ERPSCAN-17-022] SSRF in PeopleSoft IMServlet

An attacker can force a vulnerable server to trigger malicious requests to third-party servers or to internal resources. This vulnerability can then be leveraged to launch specific attacks such as a cross-site port attack, service enumeration, and various other attacks.

Recent Exploits: