Grawlix is a CMS for publishing comics, written in PHP. Version 1.0.3 has no CSRF protection, which means that an attacker can perform actions on behalf of a victim if the victim visits an attacker-controlled site while logged in. For example, an attacker can change the password of an existing admin account, which may in turn lead to code execution via a different vulnerability in the admin area.
The Bigware Shop 2.3.01 application is vulnerable to Local File Inclusion due to the $language parameter not being declared. An attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious file path in the language parameter. This will allow the attacker to read sensitive files from the server.
A fun little format string vulnerability exists in PHP 7.0.0 due to how non-existent class names are handled. From my limited research, it is believed that this issue is likely exploitable for full code execution. This issue does not appear to be present in previous PHP versions and has been patched in version 7.0.1.
A heap-based out-of-bounds read vulnerability was discovered in Wireshark. This vulnerability can be triggered by feeding a malformed file to tshark. The crash can be observed in an ASAN build of Wireshark (current git master).
There is a use-after-free in Sound.setTransform. If a transform value is set to an object with valueOf defined, it can free the transform before the values are set. A minimal PoC is as follows:
    this.createEmptyMovieClip('my_mc', 1);
    var my_sound:Sound = new Sound('my_mc');
    var o = {valueOf : func};
    my_sound.attachSound('world');
    my_sound.setTransform({ll : o, lr: 0x77777777, rr : 0x77777777, rl : 0x77777777});
    my_sound.start();
    function func(){
        my_mc.removeMovieClip();
        return 0x77777777;
    }
A sample swf and fla are attached. Note that these PoCs will not cause a crash. Instead, they demonstrate the use-after-free by overwriting the matrix array of a ConvolutionFilter. The use-after-free changes the array from being all zeros to having values of float 0x77777777 at the end. The test fails if the second array is not all zero. The test passes if the second array is all zero. These PoCs only work on 64-bit systems.
The software crashes due to an SEH overwrite. The exploit involves overwriting the SEH and NSEH pointers with AAAAAAAA. The offset is 620.
Ovidentia Widgets 1.0.61 is vulnerable to remote command execution. The $GLOBALS['babInstallPath'] parameter in /programs/groups.php, line 24, is the vulnerable input. An attacker can use some shellcode or c99 to exploit this vulnerability.
The $GLOBALS['babAddonPhpPath'] parameter isn't declared before require_once, so it's possible to compromise the web server through it. An attacker can inject some PHP shellcode. I think it's a big problem in this web software!
If the Number constructor is overwritten with a new constructor and MovieClip.localToGlobal is called with an integer parameter, the new constructor will get called. If this constructor frees the MovieClip, a use-after-free occurs.
If a string parameter has toString defined, a number parameter has valueOf defined or an object parameter has its constructor redefined, it can execute code and free the this object of the method, leading to a use-after-free.