A CSRF vulnerability exists in iy10 Dizin Scripti, which allows an attacker to change the admin password without authentication. Additionally, an authentication bypass vulnerability exists in the application, which allows an attacker to bypass authentication and gain access to the application.
Apple's file system suffers from an issue in the FTS library. The problem occurs when a very deep filesystem hierarchy is created: many programs then behave unexpectedly, and the resulting invalid memory write looks particularly interesting.

PoC: create a directory and perform the following actions:

    # for i in {1..1024}; do mkdir B && cd B; done
    ...
    cd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

If such an error occurs, don't panic; the loop will continue. When it has finished, go back to the top of the directory tree, e.g.:

    # for i in {1..1024}; do cd .. ; done

Then run a recursive 'ls'. Let's run it ten times:

    # for i in {1..10}; do ls -laR > /dev/null; done
    ls: B: No such file or directory
    ls: B: No such file or directory
    ls: B: No such file or directory
    ls: B: No such file or directory
    ls: B: No such file or directory
    ls: B: No such file or directory
    ls: B: No such file or directory
    ls: B: No such file or directory
    Segmentation fault: 11
    Segmentation fault: 11
    Segmentation fault: 11
    ls: B: No such file or directory
    ls: B: No such file or directory
    Segmentation fault: 11
    ls: B: No such file or directory
    ls: B: No such file or directory

It crashes randomly. Let's look at it under valgrind and lldb.

LLDB:

    ...
    /B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B:
    total 0
    drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .
    drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 ..
    Segmentation fault: 11

Valgrind:

    ==1409== Invalid write of size 8
    ==1409==    at 0x1003F7F2F: fts_build (in /usr/lib/libSystem.B.dylib)
    ==1409==    by 0x1003F7A2F: fts_open (in /usr/lib/libSystem.B.dylib)
    ==1409==    by 0x1003F7A2F: fts_open (in /usr/lib/libSystem.B.dylib)
    ==1409==    by 0x1003F7A2F: fts_open (in /usr/lib/libSystem.B.dylib)
    ==1409==    by 0x1003F7A2F: fts_open (in /usr/lib/libSystem.B.dylib)
    ==1409==    by 0x1003F7A2F: fts_open (in /usr/lib/libSystem.B.dylib)
    ==1409==    by 0x1003F7A2F: fts_open (in /usr/lib/libSystem.B.dylib)
    ==1409==    by 0x1003F7A2F: fts_open (in /usr/lib/libSystem.B.dylib)
    ==1409==    by 0x1003F7A2F: fts_open (in /usr/lib/libSystem.B.dylib)
    ==1409==    by 0x1003F7A2F: fts_open (in /usr/lib/libSystem.B.dylib)
    ==1409==    by 0x1003F7A2F: fts_open (in /usr/lib/libSystem.B.dylib)
    ==1409==    by 0x1003F7A2F: fts_open (in /usr/lib/libSystem.B.dylib)
    ==1409==  Address 0x10a7f8f90 is not stack'd, malloc'd or (recently) free'd
WP Easy Poll 1.1.3 is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). An attacker can inject malicious JavaScript code into the 'p_ques' parameter of the 'wp_easy_poll.php' script. This code will be executed in the browser of the victim when the poll is viewed. An attacker can also craft a malicious link and send it to the victim, which when clicked, will add a poll with the malicious JavaScript code in it.
I'm an ethical penetration tester and super moderator of Iran Security Team. I updated the modem to the latest firmware released by the company, but even after this work (upgrading the firmware), the attacker can bypass the authentication mechanism. I used BurpSuite, wget and Nmap to find the vulnerabilities. The attacker can get the WiFi settings and WiMAX credentials, enable and disable connections to the modem, launch a (D)DoS attack and change the password of the ADMIN account.
The 'application' tag in Microsoft Windows Media Center link files (.mcl extension) can include a 'run' parameter, which indicates the path of a file to be launched when opening the MCL file, or a 'url' parameter, which indicates the URL of a web page to be loaded within the Media Center's embedded web browser. A specially crafted MCL file having said 'url' parameter pointing to the MCL file itself can trick Windows Media Center into rendering the very same MCL file as a local HTML file within the Media Center's embedded web browser.
Windows Media Center contains a remote code execution vulnerability because it allows 'MCL' files to reference themselves as HTML pages, which are then parsed inside the Windows Media Center window in the context of the Local Machine security zone of the Internet Explorer browser. This in turn allows execution of arbitrary code using, e.g., ADO ActiveX objects. Also known as 'self-executing' MCL files.
Atlassian HipChat is a web service for internal instant messaging. A plugin is available for Jira that allows team collaboration in real time. A message can be used to inject Java code into a Velocity template and gain code execution as the Jira user. Authentication is required to exploit this vulnerability, and you must make sure the account you're using isn't protected by a captcha. By default, the Java payload is used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). HipChat for Jira plugin versions between 1.3.2 and 6.30.0 are affected. Jira versions between 6.3.5 and 6.4.10 are also affected by default, because they were bundled with a vulnerable copy of HipChat.
SpiderControl PLC Editor Simatic suffers from an elevation of privileges vulnerability: a low-privileged user can replace the executable file with a binary of their choice. The vulnerability exists due to improper permissions, with the 'F' flag (Full) for the 'Everyone' group and the 'C' flag (Change) for the 'Authenticated Users' group, making the entire directory 'PLCEditorSimatic_6300400', its files and its sub-directories world-writable.
SpiderControl SCADA Web Server Service suffers from an elevation of privileges vulnerability: a low-privileged user can replace the executable file with a binary of their choice. The vulnerability exists due to improper permissions, with the 'C' flag (Change) for the 'Everyone' and 'Authenticated Users' groups, making the entire directory 'WWW', its files and its sub-directories world-writable.
Poll Widget is a WordPress plugin which provides a styled polling layout to website users and allows them to vote according to the options provided in a specific poll. The vulnerability exists in the front_end.php file, where the code does not filter user-supplied data in the question_id parameter. This script is vulnerable to union-based SQL injection with a column count of 2.