
Explore Vulnerabilities


Explore all Exploits:

Remote File Inclusion in Gwolle Guestbook WordPress Plugin

High-Tech Bridge Security Research Lab discovered a critical Remote File Inclusion (RFI) in the Gwolle Guestbook WordPress plugin, which can be exploited by a non-authenticated attacker to include a remote PHP file and execute arbitrary code on the vulnerable system. The HTTP GET parameter 'abspath' is not properly sanitized before being used in the PHP require() function. A remote attacker can include a file named 'wp-load.php' from an arbitrary remote server and execute its content on the vulnerable web server.

Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload

This module exploits a vulnerability found in Oracle BeeHive. The prepareAudioToPlay method found in voice-servlet can be abused to write a malicious file onto the target machine, and gain remote arbitrary code execution under the context of SYSTEM. Authentication is not required to exploit this vulnerability.

Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability

This module exploits a vulnerability found in Oracle BeeHive. The processEvaluation method found in voice-servlet can be abused to write a malicious file onto the target machine, and gain remote arbitrary code execution under the context of SYSTEM.

Malwarebytes Antivirus Memory Corruption Vulnerability

When a malformed executable with an invalid integer (-1) in the "SizeOfRawData" field of the UPX section is parsed by Malwarebytes, a memory corruption occurs. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Gnome Nautilus [Denial of Service]

Gnome Nautilus <= v3.16 is vulnerable to a DoS attack through a maliciously crafted file. A maliciously crafted file can be used to perform a DoS attack against Nautilus. The attacker must have local access to the affected system or convince the victim to download the file (email, web URL, etc.). The next time the victim tries to open the directory that contains the malicious file, Nautilus crashes without warning. The file must have a `.jp2` extension and start with the JPEG signature (`0xFFD8`). This seems to happen every time Nautilus tries to update the thumbnail of the file.

WordPress Users Ultra Plugin [Persistent XSS]

Once a user is registered, they can add new subscription packages or modify existing ones. No data sanitization takes place before package details are saved to the DB. This allows a malicious user to include JS code in the package name and/or package description.

WordPress Users Ultra Plugin [Blind SQL injection]

One can perform an SQL injection attack simply by exploiting the following WP ajax actions: edit_video, delete_photo, delete_gallery, delete_video, reload_photos, edit_gallery, edit_gallery_confirm, edit_photo, edit_photo_confirm, edit_video_confirm, set_as_main_photo, sort_photo_list, sort_gallery_list, reload_videos. The POST parameters that are exploitable in each action, respectively, are: video_id, photo_id, gal_id, video_id, gal_id, gal_id, gal_id, photo_id, photo_id, video_id, photo_id, gal_id, order, order, video_id. In case #7 a user can also change the gallery name, description and visibility by setting the POST parameters gal_name, gal_desc and gal_visibility respectively. In case #8 photo_id is first cast to an integer and a query to the DB is performed. If results are returned, then for each result a new query is performed without casting photo_id to an integer. So if an attacker knows a valid video id, they can perform the attack in the second query. This is achievable because <?php (int)'1 and sleep(5)' === 1; ?>. In case #9 a user can also change the photo name, description, tags and category by setting the POST parameters photo_name, photo_desc, photo_tags and photo_category respectively. In case #10 a user can also change the video name, unique id and type by setting the POST parameters video_name, video_unique_id and video_type respectively.

Advantech Switch Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the 'ping.sh' CGI script, accessible through the Boa web server on Advantech switches. This module was tested against firmware version 1322_D1.98.

Acunetix WVS 10 – from guest to System (Local privilege escalation)

A local privilege escalation exists in Acunetix WVS 10; it allows a local user (even guest) to gain the same privileges as the System user. With a default Acunetix installation, a service called "AcuWVSSchedulerv10" is installed, and this service runs as the local system user. AcuWVSSchedulerv10 is responsible for scan scheduling without user interaction, and it exposes an API for interaction via a web server, usually on localhost:8183. The problem is that the "addScan" API doesn't check user privileges, so a guest user can call this API and gain the same privileges as the System user.

Zenphoto 1.4.10 Local File Inclusion

Zenphoto's pluginDoc.php PHP file is vulnerable to local file inclusion, which allows attackers to read arbitrary server files outside of the current web directory by injecting "../" directory traversal sequences. This can lead to sensitive information disclosure, code execution or DoS on the victim's web server.
