The administrative web application does not enforce authorization on the server side. User access is restricted via JavaScript only, by displaying the functions available to each particular user based on their privileges. Low-privileged users of the Zhone router can therefore gain unrestricted access to administrative functionality, e.g. by modifying the JavaScript responses returned by the Zhone web server. Any low-privileged user of the ZHONE Router Web Administrative Portal can obtain all users' passwords stored on the ZHONE web server. The ZHONE router uses Base64 encoding (not hashing) to store the passwords of all users who can log in to the Web Administrative Portal. As these passwords are stored in the backup file, a malicious user can obtain all account passwords.
A stack-based buffer overflow vulnerability exists in CDex version 1.79. An attacker can exploit this vulnerability by generating a file using the Python code provided and replacing the old CDexGenres.txt with the new one. This will cause the application to crash.
By chaining the vulnerabilities together in combination with user interaction, an attacker may gain full control over the firewall and the underlying network. The first attack could be to trick non-admin users into following a malicious link in order to trigger a CSRF exploit via the /nonauth/certificate.php script. The script may, for example, exploit the SQL injection flaw in reports.php. Once able to query the database, sensitive data about the users can be transmitted back to the attacker. Information of interest could be, for example, the traffic usage of admin users and their top-visited web pages. In the next attack, this information may be used to embed another CSRF exploit into one of the top-visited web pages. If the attacker succeeds and the exploit gets triggered, the attacker may gain full control over the firewall and the underlying network.
Netgear Voice Gateway EVG2000 is managed through a web management portal. The application provides a Diagnostics feature that has four (4) options: (a) Ping an IP address, (b) Perform a DNS Lookup, (c) Display the Routing Table, (d) Reboot the Router. The first option, Ping an IP address, was confirmed to be vulnerable to OS command injection. The ping_IPAddr parameter does not sufficiently validate input. It is possible to use the semicolon character (;) to inject arbitrary OS commands and retrieve their output in the application's responses. In the Services menu, the Service Table lists any existing Service-Port mappings. A new service can be added with a payload value of <script>alert(xss)</script> in the ServiceType parameter. The application does not check for malicious input and accepts this new entry. The JavaScript input is then returned unmodified in a subsequent request for the Services Table entries. The web application lacks any input validation or output encoding mechanism, allowing an attacker to inject arbitrary JavaScript code into the application's responses.
The handler parameter is vulnerable to file path manipulation attacks. When we submit a payload */tmui/locallb/virtual_server/../../../../WEB-INF/web.xml* in the *handler* parameter, the file *WEB-INF/web.xml* is returned.
PoC for a heap overflow in libsndfile <= 1.0.25 (the latest version at the time of writing). Possible attack vectors include Firefox (on Linux) -> SWF/audio playback -> PulseAudio -> libsndfile, email attachments, TCP socket connections (for audio servers only), file uploads (e.g. server-side audio file manipulation, interactive voice responders), etc. Affected products include PulseAudio, JACK Audio Connection Kit, Adobe Audition, Audacity, the Asterisk eSpeak module, and other products using libsndfile.
Dream CMS allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Related to the CSRF issue, an authenticated arbitrary PHP code execution vulnerability exists. The vulnerability is caused by the improper verification of uploaded files in the '/files-manager-administration/add-file' script via the 'file' POST parameter, which allows arbitrary files to be uploaded to '/resource/filemanager/1/home/'; the admin first needs to add the file extension to the allowed list, which can itself be done via CSRF. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file and executing system commands.
This Joomla component is vulnerable to SQL injection via two parameters, order_direction and order_field. An attacker can inject malicious SQL queries into the vulnerable parameters to gain access to the database and potentially execute arbitrary code.
Tomabo MP4 Converter 3.10.12 is vulnerable to a denial of service attack when a specially crafted .m3u file is opened. The application crashes when the file contains a string 600000 bytes long.
Any logged-in user can change their 'User Group' membership by editing the _2_userGroupsSearchContainerPrimaryKeys parameter in the HTTP POST request generated when updating their profile on the 'Manage my account' page. This may lead to privilege escalation.