Redaxo is an easy to use open source content management system with which users build their own websites. During internal research, multiple vulnerabilities were identified in the Redaxo CMS software. The software is vulnerable to SQL injection, allowing an authenticated user to inject attacker-controlled SQL into the queries the application runs against its database. Some parts of the application also lack sufficient input validation and output encoding, so user-supplied input is rendered into pages without being encoded, resulting in a Cross-Site Scripting vulnerability.
The custom search feature is vulnerable to SQL injection: the search field does not escape MySQL special characters, so a quote in the search term terminates the string literal and the remainder of the term is executed as SQL. In the default configuration the injected query can also write files as the MySQL user (MySQL's SELECT ... INTO OUTFILE), which turns the injection into file creation and code execution; if filesystem permissions are not set carefully, an attacker can write into the web root or crontab directories.
When the Jetty web server receives an HTTP request, the header-parsing code (referenced here by line number) loops over each byte of a header value and applies the following checks. On line 1164, the server checks whether the character is printable ASCII or a non-ASCII byte. On line 1172, it checks whether the character is a space or a tab. On line 1175, it checks whether the character is a line feed. A non-printable ASCII control character (below 0x20) fails all of these checks, so the code falls through to line 1186 and throws an 'IllegalCharacter' exception, passing in the illegal character and a shared buffer.
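The check order above, written out as a small scanner in C. This is an added illustration and not Jetty's code: the function walks a header value byte by byte, accepts data bytes, whitespace and the terminating line feed in the order the text describes, and on a control byte reports only the offending byte and its offset. It assumes CRLF has already been folded to a single LF before this stage, and the function and type names are the example's own. The error formatter deliberately takes only the byte and offset, because handing the whole parse buffer to the error path (as the exception described above does) means the error text can end up containing bytes from that buffer that have nothing to do with the rejected character.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum hdr_status { HDR_OK = 0, HDR_ILLEGAL_CHAR = 1 };

struct scan_result {
    enum hdr_status status;
    size_t value_len;        /* offset just past the last data byte of the value */
    size_t bad_offset;       /* offset of the rejected byte, if status != HDR_OK */
    unsigned char bad_byte;  /* the rejected byte itself */
};

/* Walk a header value byte by byte, applying the checks in the order the
 * text describes. Assumes line endings were already normalised to LF. */
struct scan_result scan_header_value(const unsigned char *buf, size_t len) {
    struct scan_result r = { HDR_OK, 0, 0, 0 };
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = buf[i];
        if (ch > 0x20) {               /* printable ASCII or non-ASCII (>= 0x80): value data */
            r.value_len = i + 1;
            continue;
        }
        if (ch == ' ' || ch == '\t')   /* whitespace inside or around the value */
            continue;
        if (ch == '\n')                /* end of the header line */
            return r;
        /* Anything else is a control byte below 0x20: reject it. */
        r.status = HDR_ILLEGAL_CHAR;
        r.bad_offset = i;
        r.bad_byte = ch;
        return r;
    }
    return r;
}

/* Build the error text from the offending byte and its offset only; the
 * parse buffer itself never reaches the error path. Returns the snprintf
 * length, or -1 if there was no illegal character to describe. */
int describe_illegal_char(const struct scan_result *r, char *out, size_t outlen) {
    if (r->status != HDR_ILLEGAL_CHAR) return -1;
    return snprintf(out, outlen, "Illegal character 0x%02x at offset %zu",
                    r->bad_byte, r->bad_offset);
}

int main(void) {
    /* Constructed header values: one clean, one with an embedded 0x01 byte. */
    const unsigned char clean[] = "text/html; charset=utf-8\n";
    const unsigned char dirty[] = "foo\x01" "bar\n";
    char msg[64];
    struct scan_result r = scan_header_value(clean, sizeof clean - 1);
    printf("clean: status %d, value_len %zu\n", r.status, r.value_len);
    r = scan_header_value(dirty, sizeof dirty - 1);
    if (describe_illegal_char(&r, msg, sizeof msg) > 0)
        printf("dirty: %s\n", msg);
    return 0;
}
```

The scanner keeps DEL (0x7f) and bytes at or above 0x80 as value data, which mirrors the first check in the text; whether that is acceptable for a given header is a separate validation step, not the concern of this loop.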
glibc reserves 2048 bytes on the stack via alloca() in _nss_dns_gethostbyname4_r() to hold the answer to a DNS query. Later, in send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated on the heap and the bookkeeping (buffer pointer, new buffer size and response size) is updated. Under certain conditions the stack buffer and the new heap allocation get out of sync: the stack buffer is still used to store the DNS response even though the response is larger than the stack buffer and a heap buffer was allocated for it. The result is a stack-based buffer overflow.
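A simplified model of that pointer/size mismatch, added here as an illustration; it is not glibc's code and does not reproduce the exact control flow of send_dg()/send_vc(). The buggy caller keeps a copy of the buffer pointer and size from before the resize and then uses that stale copy for the write, so the response is directed at the 2048-byte stack buffer although a large enough heap buffer exists. Both variants return where the write would land instead of performing it, so the program itself stays memory safe. The names and the 3000-byte response are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define STACK_ANS_SIZE 2048   /* the alloca(2048) in _nss_dns_gethostbyname4_r() */

/* Where a response write would land: target buffer, its capacity, and the
 * number of bytes the caller intends to copy into it. */
struct write_target {
    unsigned char *buf;
    size_t cap;
    size_t len;
};

/* Models the resize step: if the reply does not fit, allocate a heap buffer
 * and update the caller's pointer and size through the out-pointers. */
static void grow_if_needed(unsigned char **ansp, size_t *anssizp, size_t resplen,
                           unsigned char **heap_out) {
    if (resplen > *anssizp) {
        unsigned char *bigger = malloc(resplen);
        if (bigger != NULL) {
            *ansp = bigger;
            *anssizp = resplen;
            *heap_out = bigger;   /* handed back so the caller can free it */
        }
    }
}

/* Buggy flow: the copies of the pointer and size taken before the resize are
 * the ones used for the write. The heap buffer exists, but the response still
 * goes to the stack buffer. */
struct write_target receive_buggy(size_t resplen, unsigned char *stack_buf,
                                  size_t stack_cap, unsigned char **heap_out) {
    unsigned char *ans = stack_buf;
    size_t anssiz = stack_cap;
    unsigned char *thisans = ans;      /* stale copy */
    size_t thisanssiz = anssiz;        /* stale copy */
    *heap_out = NULL;
    grow_if_needed(&ans, &anssiz, resplen, heap_out);
    struct write_target t = { thisans, thisanssiz, resplen };
    return t;
}

/* Fixed flow: re-read the pointer and size after the resize. */
struct write_target receive_fixed(size_t resplen, unsigned char *stack_buf,
                                  size_t stack_cap, unsigned char **heap_out) {
    unsigned char *ans = stack_buf;
    size_t anssiz = stack_cap;
    *heap_out = NULL;
    grow_if_needed(&ans, &anssiz, resplen, heap_out);
    struct write_target t = { ans, anssiz, resplen };
    return t;
}

/* True when copying len bytes into buf would run past its capacity. */
int write_overflows(const struct write_target *t) {
    return t->len > t->cap;
}

int main(void) {
    unsigned char stack_buf[STACK_ANS_SIZE];
    unsigned char *heap = NULL;
    struct write_target b = receive_buggy(3000, stack_buf, sizeof stack_buf, &heap);
    printf("buggy: %zu bytes into the %s buffer of %zu bytes -> %s\n", b.len,
           b.buf == stack_buf ? "stack" : "heap", b.cap,
           write_overflows(&b) ? "OVERFLOW" : "ok");
    free(heap);
    struct write_target f = receive_fixed(3000, stack_buf, sizeof stack_buf, &heap);
    printf("fixed: %zu bytes into the %s buffer of %zu bytes -> %s\n", f.len,
           f.buf == stack_buf ? "stack" : "heap", f.cap,
           write_overflows(&f) ? "OVERFLOW" : "ok");
    free(heap);
    return 0;
}
```

The lesson is the one the advisory text implies: any code path that resizes a buffer through out-pointers must make every later write use the updated pointer and size pair, never a copy taken earlier.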
The plugin contains a CSRF vulnerability that can be exploited to perform a script insertion (stored cross-site scripting) attack. A malicious user crafts a link and sends it to an administrator of the website; when the administrator clicks it, the resulting request is made with the administrator's authenticated session and the malicious script is inserted into the database.
This privilege escalation vulnerability enables a normal user to escalate privileges and become an administrator of the application.
The $item_id value used inside process_category_order() is not properly escaped, and it is taken directly from $_POST['payload']. To reproduce, log in as a regular user and submit the form with a payload containing a malicious SQL query.
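Both the unescaped search field described earlier and the unescaped $item_id here are the same defect: attacker-controlled text spliced into a SQL string with no escaping. The following C program is an added illustration and is not code from either affected project. It builds the same query twice, once by plain concatenation and once after applying the escaping rules of MySQL's mysql_real_escape_string() (reimplemented here, not the library call), then counts the unescaped quote characters to show that the raw payload terminates the string literal while the escaped one does not. The query text and the payload are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-implementation of the escaping rules of mysql_real_escape_string()
 * (not the library call itself): NUL, LF, CR, backslash, single quote,
 * double quote and Ctrl-Z are prefixed with a backslash. Returns a malloc'd
 * string the caller frees, or NULL on allocation failure. */
char *mysql_escape(const char *in, size_t len) {
    char *out = malloc(2 * len + 1);
    if (out == NULL) return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        switch (c) {
        case '\0':   *p++ = '\\'; *p++ = '0';  break;
        case '\n':   *p++ = '\\'; *p++ = 'n';  break;
        case '\r':   *p++ = '\\'; *p++ = 'r';  break;
        case '\\':   *p++ = '\\'; *p++ = '\\'; break;
        case '\'':   *p++ = '\\'; *p++ = '\''; break;
        case '"':    *p++ = '\\'; *p++ = '"';  break;
        case '\x1a': *p++ = '\\'; *p++ = 'Z';  break;
        default:     *p++ = (char)c;           break;
        }
    }
    *p = '\0';
    return out;
}

/* Vulnerable pattern: the term is spliced straight into the SQL text, so a
 * quote in the term ends the LIKE literal and the rest runs as SQL. */
char *build_search_query_unsafe(const char *term) {
    static const char fmt[] = "SELECT id, title FROM articles WHERE title LIKE '%%%s%%'";
    size_t n = sizeof fmt + strlen(term);
    char *q = malloc(n);
    if (q == NULL) return NULL;
    snprintf(q, n, fmt, term);
    return q;
}

/* Hardened pattern: escape the term before splicing it in. */
char *build_search_query_escaped(const char *term) {
    char *esc = mysql_escape(term, strlen(term));
    if (esc == NULL) return NULL;
    char *q = build_search_query_unsafe(esc);
    free(esc);
    return q;
}

/* Count single quotes not preceded by an escaping backslash. A query built
 * by the functions above should have exactly two (the LIKE delimiters);
 * more means the payload broke out of the literal. */
int count_unescaped_quotes(const char *q) {
    int n = 0;
    for (size_t i = 0; q[i] != '\0'; i++) {
        if (q[i] == '\\' && q[i + 1] != '\0') { i++; continue; } /* skip escaped byte */
        if (q[i] == '\'') n++;
    }
    return n;
}

int main(void) {
    const char *payload = "' OR '1'='1";   /* constructed injection payload */
    char *u = build_search_query_unsafe(payload);
    char *e = build_search_query_escaped(payload);
    printf("unsafe : %s  (unescaped quotes: %d)\n", u, count_unescaped_quotes(u));
    printf("escaped: %s  (unescaped quotes: %d)\n", e, count_unescaped_quotes(e));
    free(u);
    free(e);
    return 0;
}
```

Escaping is shown because missing escaping is the flaw both advisories name; in new code, prepared statements with bound parameters are the better fix, since they keep query text and data apart regardless of what characters the data contains.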
A buffer overflow vulnerability exists in Network Scanner version 4.0.0.0: a specially crafted (overlong) string entered into the 'Detect IP from Host name...' field on the [TOOLS] tab overflows a stack buffer and overwrites the Structured Exception Handler (SEH) record, crashing the application.
Alternate Pic Viewer crashes when opening a malformed PGM image file. The malformed PGM file is attached as a proof of concept (PoC).
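A crash on a malformed image usually means the header was trusted before the file was checked against it. As an added illustration (not Alternate Pic Viewer's code, and not derived from the attached PoC), the following C parser validates a binary PGM ("P5") header the way a viewer should: every read is bounds-checked, the dimensions and maxval are parsed with overflow-safe arithmetic and capped, and the promised raster size is compared with the bytes actually present before anything is decoded. The dimension cap and the sample files are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pgm_err { PGM_OK = 0, PGM_ERR_MAGIC, PGM_ERR_SYNTAX, PGM_ERR_RANGE, PGM_ERR_TRUNCATED };

struct pgm_hdr {
    uint32_t width, height, maxval;
    size_t data_offset;   /* where the raster starts in the file */
    size_t data_len;      /* bytes the header promises the raster contains */
};

#define PGM_MAX_DIM 65535u   /* policy limit for this example, not part of the format */

static int is_ws(unsigned char c) {
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

/* Skip whitespace and '#' comments, never reading past len. */
static size_t skip_ws(const unsigned char *d, size_t len, size_t i) {
    while (i < len) {
        if (d[i] == '#') {
            while (i < len && d[i] != '\n') i++;
        } else if (is_ws(d[i])) {
            i++;
        } else {
            break;
        }
    }
    return i;
}

/* Parse an unsigned decimal field, rejecting values above max before they wrap. */
static enum pgm_err parse_uint(const unsigned char *d, size_t len, size_t *i,
                               uint32_t max, uint32_t *out) {
    size_t j = *i;
    uint32_t v = 0;
    int digits = 0;
    while (j < len && d[j] >= '0' && d[j] <= '9') {
        uint32_t dig = d[j] - '0';
        if (v > (max - dig) / 10) return PGM_ERR_RANGE;   /* v*10+dig would exceed max */
        v = v * 10 + dig;
        j++;
        digits++;
    }
    if (digits == 0) return PGM_ERR_SYNTAX;
    *i = j;
    *out = v;
    return PGM_OK;
}

/* Validate a "P5" header and check that the file really contains the raster
 * it promises. The pixel count is computed in 64 bits so it cannot wrap. */
enum pgm_err pgm_parse_header(const unsigned char *d, size_t len, struct pgm_hdr *h) {
    if (len < 2 || d[0] != 'P' || d[1] != '5') return PGM_ERR_MAGIC;
    size_t i = 2;
    uint32_t *fields[3] = { &h->width, &h->height, &h->maxval };
    const uint32_t limits[3] = { PGM_MAX_DIM, PGM_MAX_DIM, 65535u };
    for (int k = 0; k < 3; k++) {
        i = skip_ws(d, len, i);
        enum pgm_err e = parse_uint(d, len, &i, limits[k], fields[k]);
        if (e != PGM_OK) return e;
        if (*fields[k] == 0) return PGM_ERR_RANGE;   /* zero width, height or maxval */
    }
    /* Exactly one whitespace byte separates maxval from the raster. */
    if (i >= len) return PGM_ERR_TRUNCATED;
    if (!is_ws(d[i])) return PGM_ERR_SYNTAX;
    i++;
    uint64_t bpp = h->maxval > 255 ? 2 : 1;            /* 16-bit samples above 255 */
    uint64_t need = (uint64_t)h->width * h->height * bpp;
    if (need > (uint64_t)SIZE_MAX) return PGM_ERR_RANGE;  /* matters on 32-bit targets */
    if (need > (uint64_t)(len - i)) return PGM_ERR_TRUNCATED;
    h->data_offset = i;
    h->data_len = (size_t)need;
    return PGM_OK;
}

int main(void) {
    /* Constructed 2x2 image and a truncated variant whose header claims 4x4 pixels. */
    const unsigned char good[] = "P5\n# two by two\n2 2\n255\n\x01\x02\x03\x04";
    const unsigned char bad[]  = "P5\n4 4\n255\nab";
    struct pgm_hdr h;
    printf("good -> %d\n", pgm_parse_header(good, sizeof good - 1, &h));
    printf("bad  -> %d (truncated)\n", pgm_parse_header(bad, sizeof bad - 1, &h));
    return 0;
}
```

A viewer that allocates and fills its pixel buffer only after this function returns PGM_OK cannot be driven past the end of the file by a header that lies about its size.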
The vulnerability is caused by a boundary error in the processing of project files, which can be exploited to cause a stack-based buffer overflow when a user opens, for example, a specially crafted .DCI file. Successful exploitation allows execution of arbitrary code on the affected machine.