Explore all Exploits:

Eir D1000 Wireless Router – WAN Side Remote Command Injection

By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall. This allows access to the web administration interface from the Internet-facing side of the modem. The default login password for the D1000 is the default Wi-Fi password, which is easily obtained with another TR-064 command.

Remote File Disclosure

A vulnerability in PLANET ADSL ROUTER AND-4101 v1.8 allows an unauthenticated attacker to remotely disclose sensitive information from the device. By sending a specially crafted GET request to the webproc CGI script, an attacker can retrieve the contents of the /etc/shadow file, which contains the hashed passwords of all users on the system. This vulnerability affects PLANET ADSL ROUTER AND-4101 v1.8.

Authenticated Remote File Disclosure

This vulnerability allows an attacker to bypass authentication and access sensitive files on NETGEAR ADSL routers. The vulnerability exists in the webproc CGI script, which allows an attacker to access the /etc/shadow file without authentication. This can be exploited by sending a specially crafted HTTP request to the vulnerable router.

NETGEAR ADSL ROUTER JNR1010 1.0.0.16 Authenticated Remote File Disclosure

A vulnerability in NETGEAR ADSL Router JNR1010 1.0.0.16 allows an authenticated remote attacker to disclose sensitive information from the device. By sending a specially crafted HTTP request to the web server of the device, an attacker can access the /etc/shadow file, which contains the hashed passwords of all users on the device. This vulnerability affects NETGEAR ADSL Router JNR1010 1.0.0.16.

D-Link ADSL ROUTER DSL-2730U IN_1.02 Remote File Disclosure

A vulnerability in D-Link ADSL ROUTER DSL-2730U IN_1.02 allows an unauthenticated attacker to remotely disclose sensitive files on the device. By sending a specially crafted HTTP request to the device, an attacker can access the /etc/shadow file, which contains the hashed passwords of all users on the device. This vulnerability affects D-Link DSL-2730U/DSL-2750E devices running firmware version IN_1.02/SEA_1.04/SEA_1.07.

MOVISTAR ADSL ROUTER BHS_RTA BHS_RTA_C0_019 Remote File Disclosure

A vulnerability in the MOVISTAR ADSL ROUTER BHS_RTA BHS_RTA_C0_019 allows an attacker to remotely access the /etc/shadow file, which contains the encrypted passwords of all users on the system. By sending a specially crafted GET request to the webproc CGI script, an attacker can view the contents of the /etc/shadow file.

Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin

A stored Cross-Site Scripting (XSS) vulnerability has been found in the WassUp Real Time Analytics WordPress Plugin. Using this vulnerability, an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log (in general, a WP admin).

Stored Cross-Site Scripting vulnerability in 404 to 301 WordPress Plugin

A stored Cross-Site Scripting vulnerability was found in the 404 to 301 WordPress Plugin. This issue can be exploited by an anonymous user and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. The vulnerability exists in the file admin/class-404-to-301-logs.php, which fails to correctly escape user-controlled strings which are output in HTML tables containing logs shown to site administrators, such as the Referer (ref) and User-Agent (ua) fields.

In order to exploit this issue, after an attack attempt has been made, an administrator must view the logs (via the WordPress administration console) provided by the plugin, by clicking '404 Error Logs'. Submit an HTTP request to a non-existent URL (to trigger the 404 handler) containing a header such as one of the following:

Referer: "<iframesrc=javascript:alert(1)>"
User-Agent: "<script>alert(1)</script>"

When an administrator views the logs, the malicious code will be executed.

Piwik <= 2.16.0 (saveLayout) PHP Object Injection Vulnerability

The vulnerability can be triggered through the saveLayout() method defined in /plugins/Dashboard/Controller.php. User input passed by anonymous users through the "layout" request parameter is stored into a session variable at line 221, which is possible by invoking a URL like this:

http://[piwik]/index.php?module=Dashboard&action=saveLayout&token_auth=anonymous&layout=[injection]%26%2365536;

Since Piwik is not using "utf8mb4" collations for its database, this can be exploited in combination with a MySQL UTF8 truncation issue in order to corrupt the session array, allowing unauthenticated attackers to inject arbitrary PHP objects into the application scope and carry out Server-Side Request Forgery (SSRF) attacks, delete arbitrary files, execute arbitrary PHP code, and possibly other attacks. Successful exploitation of this vulnerability requires Piwik to use the database to store session data (dbtable option) and the application running on PHP before version 5.4.45, 5.5.29, or 5.6.13.

Microsoft Internet Explorer 9 Access Data Before Memory Block Vulnerability

A specially crafted web-page can cause Microsoft Internet Explorer 9 to access data before the start of a memory block. An attack that is able to control what is stored before this memory block may be able to disclose information from memory or execute arbitrary code.
