A buffer overflow vulnerability exists in Oracle Hyperion Smart View for Office Fusion Edition 11.1.2.3.000 Build 157 when a large value is entered into the 'Shared Connections URL' field in the 'Options' menu. This can be exploited by any Microsoft Office product such as Excel, Word, or PowerPoint. The output of the crash analyzed in the debugger is shown in the text.
cgiemail is currently shipped with cPanel and is enabled by default. cgiecho, a script included with cgiemail, will return any file under a website's document root if the file contains square brackets and the text within the brackets is guessable.
The Unarchiver 3.11.1 is vulnerable to a local crash when opening a specially crafted '.tar.Z' file. The vulnerability is caused due to a boundary error when processing the file header, which can be exploited to cause a stack-based buffer overflow via a specially crafted '.tar.Z' file. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code in the context of the application.
A user with low privileges is able to view all requests/tickets (including attachments).
LanSpy 2.0.0.155 is vulnerable to a buffer overflow attack. This exploit was discovered by n30m1nd in 2016 and is tested on Win7 32-bit and Win10 64-bit. The exploit code generates an 'addresses.txt' file which can be used to run the exploit. The exploit code uses a 32-bit Alphanum-ish shellcode, and the bad chars detected are 00 2d 20.
Pluck CMS 4.7.3 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can exploit this vulnerability to add a page to the target website by crafting a malicious HTML page and tricking an authenticated user into visiting it. The malicious HTML page contains a form with hidden fields that are automatically submitted when the user visits the page. The form contains the title, content, description, keywords, hidden, sub-page, theme, and save fields. When the form is submitted, the page is added to the target website.
The Ancillary Function Driver (AFD) supports Windows sockets applications and is contained in the afd.sys file. The afd.sys driver runs in kernel mode and manages the Winsock TCP/IP communications protocol. An elevation of privilege vulnerability exists in the AFD driver due to improper handling of objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2016-3231 was an issue caused by passing a relative agent path name which allowed the DLL path loaded for the agent DLL to be redirected to another file. This seems to have been fixed and as far as I can tell this issue is no longer exploitable from a sandbox. However the problem is there's an assumption that it's not possible to write a file to the system32 directory, which technically is true but practically for this exploit false. As I've blogged about before, and also submitted bugs (for example MSRC-21233), a normal user can create named streams on directories as long as they have the FILE_ADD_FILE access right to the directory. When you do this you create what looks from a path perspective to be in the parent. For example the system32\tasks folder is writable by a normal user, so you can copy a DLL to system32\tasks:abc.dll and when GetFullPathName is called the filename returned is tasks:abc.dll. When GetValidAgentPath is called it checks if this file is in system32 by using GetFileAttributes, which succeeds, and the service will proceed to load the file.
This module exploits a remote code execution vulnerability in the explicit render method when leveraging user parameters. This module has been tested across multiple versions of Ruby on Rails. The technique used by this module requires the specified endpoint to be using dynamic render paths, such as the following example:

    def show
      render params[:id]
    end

Also, the vulnerable target will need a POST endpoint for the TempFile upload; this can literally be any endpoint. This module doesn't use the log inclusion method of exploitation due to it not being universal enough. Instead, a new code injection technique was found and used whereby an attacker can upload temporary image files against any POST endpoint and use them for the inclusion attack. Finally, you only get one shot at this if you are testing with the built-in Rails server, so use caution.
The PHP Business Directory is vulnerable to Reflected XSS and Stored XSS. Reflected XSS can be exploited by sending a maliciously crafted URL to the victim, which when clicked, will execute the malicious code. Stored XSS can be exploited by sending a maliciously crafted URL to the victim, which when clicked, will execute the malicious code stored in the database. The malicious code can be injected into the URL parameters such as businessname, slogan, businesslicence, address, city, suburb, businessstate, country, zippostcode, telephone1, telephone2, mobilecell, fax, email, website, socialmedia1, socialmedia2, socialmedia3, productservice, manager, paymentsaccepted, and categoryname.