Explore Vulnerabilities

Technicolor TC7200 modem/router multiple vulnerabilities

The web interface does not use cookies at all and does not check the IP address of the client. If an admin login is successful, every user on the LAN can access the management interface. Technicolor fixed CVE-2014-1677 by encrypting the backup file with AES. However, the encrypted backup file remains accessible without authentication, and if no password is set in the web interface a default password is used. So, if the password has not been set, an attacker can fetch the backup file without authentication and decrypt it with the default password.

PHP 7.0.8, 5.6.23 and 5.5.37 do not perform adequate error handling in the `bzread()' function

PHP 7.0.8, 5.6.23 and 5.5.37 do not perform adequate error handling in the `bzread()' function. The error return values for Bzip2 are as follows: BZ_SEQUENCE_ERROR, BZ_PARAM_ERROR, BZ_MEM_ERROR, BZ_DATA_ERROR, BZ_DATA_ERROR_MAGIC, BZ_IO_ERROR, BZ_UNEXPECTED_EOF, BZ_OUTBUFF_FULL, BZ_CONFIG_ERROR. Should the invocation of BZ2_bzread() fail, the loop is simply broken out of (bz2.c:152) and execution continues with bzread() returning RETURN_NEW_STR(data), so the error is never reported to the caller.

[CVE-2016-6175] gettext.php <= 1.0.12 unauthenticated code execution with POTENTIAL privileges escalation

A possible remote (or local) code execution was identified in the gettext.php file, allowing an attacker to gain access to the nagvis host system and/or gain the application's privileges through a specially crafted .mo language file. The $string variable is not sufficiently sanitized before being passed to the eval() function (which is dangerous) in the select_string() function.

GRR <= 3.0.0-RC1 (all versions) RCE with privilege escalation through file upload filter bypass (authenticated)

GRR is an open source resource manager tool used in many French public institutions. The application allows administrators to change the enterprise's logo by uploading a new image with a .png, .jpg or .gif extension only. Once uploaded, the image name is split into an array and the file is renamed to 'logo' followed by the extension saved as the array's 2nd element. This file, called for example 'logo.jpg', is also chmod'ed to 0666 and is directly accessible to all users in the image folder (img_grr by default). It is possible for an attacker to add a second extension that will be used when the image is renamed, in order to bypass this basic filter (double-extension upload filter bypass). So, a file called backdoor.php.jpg will be renamed to logo.php with 0666 permissions and could be used by an attacker to gain more privileges on the targeted server (privilege escalation due to the 0666 permissions).

CoolPlayer+ Portable build 2.19.6 – .m3u Stack Overflow [Egghunter+ASLR bypass]

A couple of buffer overflow exploits for older versions of CoolPlayer+ Portable have already been published on Exploit-DB. This exploit is for the current version 2.19.6 and uses an Egghunter and ASLR bypass technique to execute a payload of 220 bytes. The payload is a Windows/exec command that executes calc.exe. The exploit is tested on Windows Vista Ultimate SP2.

Drupal CODER Module Remote Command Execution

This module exploits a Remote Command Execution vulnerability in the Drupal CODER module. Unauthenticated users can execute arbitrary commands in the context of the web server user. The CODER module does not sufficiently validate user input in a script file that has the .php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary commands. The module does not need to be enabled for this to be exploited. This module was tested against CODER 2.5 on a Drupal 7.5 installation on an Ubuntu server.

Barracuda Spam & Virus Firewall Post Auth Remote Root Exploit

This module exploits a remote command execution vulnerability in the Barracuda Spam & Virus Firewall firmware version <= 5.1.3.007 by exploiting a vulnerability in the web administration interface. By sending a specially crafted request it is possible to inject system commands while escalating to root due to a relaxed sudo configuration on the local machine.

Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit

This module exploits a remote command execution vulnerability in the Barracuda Web App Firewall firmware version <= 8.0.1.007 and Load Balancer firmware <= v5.4.0.004 by exploiting a vulnerability in the web administration interface. By sending a specially crafted request it is possible to inject system commands while escalating to root due to relaxed sudo configurations on the appliances.