The overflow vulnerability lies in the profile option parameter "-p". When a string of 236 bytes is sent to blat, the EBP and EIP registers get overwritten by the user input. Reproduction: blat.exe crashes with this command: blat.exe -install smtp.my.tld 127.0.0.1 -p <"A"*234+"B"*2>
A vulnerability in the Tiki-Wiki CMS allows an attacker to execute arbitrary code on the vulnerable system. The vulnerability exists due to insufficient sanitization of user-supplied input passed to the 'viewmode' parameter of the 'tiki-calendar.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary code on the system. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
It is possible to change the administrator's password, and the complete account can be taken over using this. Steps to reproduce: 1. Log in to the account. 2. Navigate to http://localhost/SlimCMS/admin/config 3. Fill in the details and intercept the request using BurpSuite. 4. Send the link to the victim; the admin user's password will be changed once the victim clicks the URL.
Several functions in the GPU command buffer service interact with the GPU mailbox manager (gpu/command_buffer/service/mailbox_manager_impl.cc), passing a reference to shared memory as the mailbox argument. MailboxManagerImpl does not expect this mailbox argument to be malleable in this way, and in several places it is copied and passed to various STL functions, resulting in unexpected behaviour from double reads when an attacker modifies the mailbox name mid-function. The attached PoC uses the GPU command 'ProduceTextureDirectCHROMIUMImmediate' to trigger a use-after-free, but other commands that interact with the mailbox manager should also be vulnerable in a similar way.
The attached PoC crashes 32-bit Windows 7 with special pool enabled on win32k.sys. It might take several runs to reproduce. The PoC was tested on a single-core VM.
The attached PoC triggers a blue screen on Windows 7 with special pool enabled on win32k.sys. A reference to the bitmap object still exists in the device context after it has been deleted.
jbFileManager is vulnerable to path traversal, which allows an attacker to view, add, and delete files and directories outside of the web root directory. An attacker can send a specially crafted HTTP request containing '..' directory traversal strings to view, add, or delete files and directories outside of the web root directory. This can be exploited to read arbitrary files from the server or to delete files.
People are too lazy to change default credentials unless the application forces them to do so. Line 128: <br />Default username/password: <b>admin/pass</b></div>;
Cross-Site Scripting: File: eventList.php // Improper user input validation on Line 24: $serviceID = (!empty($_REQUEST["serviceID"]))?strip_tags(str_replace("'","`",$_REQUEST["serviceID"])):getDefaultService();
Line 60: <?php echo SAMPLE_TEXT?> <strong><?php echo VIEW?> <a href="index.php?serviceID=<?php echo $serviceID?>"><?php echo CALENDAR?></a></strong>
Payload = 1337" onmouseover="alert(1);
Local File Inclusion: File: config.php. The lang variable is under the user's control. Line 31: $lang = (!empty($_REQUEST["lang"])) ? strip_tags(str_replace("'", "`", $_REQUEST["lang"])) : 'english';
The user-controlled variable is stored in a session variable. Lines 36-38: if (!empty($_REQUEST["action"]) && $_REQUEST["action"] == "changelang") { $_SESSION['curr_lang'] = $lang; }
It is then used with the include function, which causes straightforward file inclusion. Lines 60-68: if (!empty($_SESSION['curr_lang'])) { $lang = $_SESSION['curr_lang']; } if (file_exists("lang/".$lang.".php")) { include("lang/".$lang.".php"); } else { include("lang/english.php"); }
Payload = ../../../../../../../../../etc/passwd
PoC = http://www.convergine.com/scripts/booking/config.php?action=changelang&lang=../../../../../../../../../etc/passwd
The application suffers from an unquoted search path issue impacting the Windows service 'AdobeUpdateService', deployed as part of Adobe Creative Cloud. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with SYSTEM privileges.
The id and lu parameters of the com_enmasse component of Joomla are vulnerable to SQL injection. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This can allow the attacker to gain access to sensitive information from the database.