Any user can change the credentials of other users, including the Administrator's credentials. This can allow an attacker to gain Administrator access and completely compromise the application. Once logged in as a regular user, or after successfully registering as a new user, use the following URL to obtain information (the username) of other users: http://localhost/monstra-3.0.3/users/1. The digit '1' refers to the Admin or first user created in the database. By changing the digit, all registered usernames can be found. Then, by using the 'Edit Profile' option of the attacker's own user account, the password of any other user, including the Administrator, can be changed by modifying the POST parameters 'user_id', 'login' and 'new_password'.
The 'username' login parameter allows OS command injection; a failed login attempt returns the command output in a limited login-failure field. By using the concatenation operator '||', a command may be appended to the username.
When displaying the detail of an item (a password entry), the 'label' value is displayed using the stripslashes() sanitization function. This function does not effectively prevent XSS. PoC of a persistent XSS: add an item with label: $str = "' onclick='javascript:alert("XSS found");' alt='";echo "<a href='". strip_tags($str) ."'></a>"; This XSS will be triggered each time a user clicks on this item. As items can be shared, a user can trick an admin into triggering this XSS. Fixed in commit cd112ea (see https://github.com/nilsteampassnet/TeamPass/pull/1140). PoC of a persistent XSS: add a new role with name: <script>alert("XSS found");</script> This XSS will be triggered each time a user clicks on this role.
WordPress Site Import 1.0.1 is vulnerable to both local and remote file inclusion. An attacker can exploit this vulnerability by sending a malicious URL to the vulnerable parameter 'url' in the page.php file. This can be used to execute arbitrary code on the server.
Zortam Mp3 Media Studio is a program that edits the tags of sound files. If a tag exceeds a certain length, the program crashes. An mp3 file with a title tag of length 3000 can be created to crash the program. This exploit was tested on Windows 7 Professional SP1 (English, x86).
Kernel 3.10.0-229.20.1.el7.x86_64 crashes when presented with a buggy USB device that requires the iowarrior driver. The bug was found using the USB-fuzzing framework vUSBf by Sergej Schumilo (github.com/schumilo) with the following device descriptor: [bLength: 0x12, bDescriptorType: 0x1, bcdUSB: 0x200, bDeviceClass: 0x3, bDeviceSubClass: 0x0, bDeviceProtocol: 0x0, bMaxPacketSize: 0x40, idVendor: 0x7c0, idProduct: 0x1500, bcdDevice: 0x100, iManufacturer: 0x1, iProduct: 0x2, iSerialNumbers: 0x3, bNumConfigurations: 0x1]. This is the configuration descriptor containing the malicious value for bNumEndpoints that causes the crash. A zero value for bNumEndpoints crashes the system.
Kernel 3.10.0-229.20.1.el7.x86_64 crashes when presented with a buggy USB device that requires the snd-usb-audio driver. The bug was found using the USB-fuzzing framework vUSBf by Sergej Schumilo (github.com/schumilo) with the following device descriptor: [bLength: 0x12, bDescriptorType: 0x1, bcdUSB: 0x200, bDeviceClass: 0x3, bDeviceSubClass: 0x0, bDeviceProtocol: 0x0, bMaxPacketSize: 0x40, idVendor: 0x582, idProduct: 0x0, bcdDevice: 0x100, iManufacturer: 0x1, iProduct: 0x2, iSerialNumbers: 0x3, bNumConfigurations: 0x1]. This is the configuration descriptor containing the malicious value for bNumEndpoints that causes the crash. A zero value for bNumEndpoints crashes the system (multiple free).
This module exploits a remote code execution vulnerability in PHP Utility Belt, a set of tools for PHP developers that should not be installed in a production environment, since the application runs arbitrary PHP code as intended functionality.
The DZS Videogallery Plugin for WordPress contains multiple vulnerabilities that allow an unauthenticated attacker to perform Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. The vulnerabilities exist due to the lack of proper sanitization of user-supplied input in the 'initer' and 'width' parameters of the 'popup.php' and 'ajax.php' scripts, respectively. An attacker can exploit these vulnerabilities by enticing an authenticated user to follow a malicious link or visit a malicious page.
The Beauty Premium theme contains a contact form that is vulnerable to CSRF and unrestricted file upload in the sendmail.php file. The file attachment is uploaded to the WordPress upload directory without sanitization, allowing attackers to upload harmful code.