Explore Vulnerabilities

Explore all Exploits:

bitrix.mpbuilder Bitrix module Vulnerability

High-Tech Bridge Security Research Lab discovered a vulnerability in the bitrix.mpbuilder Bitrix module, which can be exploited to include and execute an arbitrary PHP file on the target system with the privileges of the web server. The attacker will be able to execute arbitrary system commands and gain complete control over the website. Access to the vulnerable module requires administrative privileges; however, the vulnerability can be used by anonymous users via a CSRF vector. The vulnerability exists due to insufficient filtering of the 'work[]' HTTP POST parameter in the '/bitrix/admin/bitrix.mpbuilder_step2.php' script before it is used in the include() PHP function. A remote attacker can include and execute an arbitrary local file on the target system.

MSHTML!CObjectElement Use-After-Free Vulnerability

Microsoft Internet Explorer 11 is prone to a use-after-free vulnerability in the MSHTML!CTreeNode::ComputeFormatsHelper function. The analysis was performed on Internet Explorer 11 running on Windows 7 SP1 (x64). The vulnerability is caused by the fact that the MSHTML!CObjectElement object is freed while still in use.

Polycom VVX-Series Business Media Phones Path Traversal Vulnerability

Polycom VVX-series IP phones provide a web administrative interface. Inside this interface, two URLs were discovered that exposed a 'file=filename' parameter. Due to unsafe file system operations in this interface, it is possible to exploit the following pages, and possibly others, using path traversal attacks.

Type Confusion Issue During Serialization

There is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function. To reproduce the issue, load objectencoding.swf. PoC code is also attached. To use this code, compile the swf, and decompress it (for example, using flasm -x), and then search for the string "triteDocumentProperties" in the SWF and change it to "writeDocumentProperties".

Flash Memory Corruption via IExternalizable.readExternal

If IExternalizable.readExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.

SoftArtisans XFile FileManager ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the SoftArtisans XFile FileManager ActiveX control (SAFmgPwd.dll 2.0.5.3). When sending an overly long string to the GetDriveName() method, an attacker may be able to execute arbitrary code.

AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow

This module exploits a stack-based buffer overflow in the AOL IWinAmpActiveX class (AmpX.dll) version 2.4.0.6, installed via the AOL Radio website. By setting an overly long value to 'ConvertFile()', an attacker can overrun a buffer and execute arbitrary code.

Internet Explorer DHTML Behaviors Use After Free

This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in the wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround to block access to the iepeers.dll file.

HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow

This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control (version 2.1.0.1) that is included in HP LoadRunner 9.0. By passing an overly long string to the AddFolder method, an attacker may be able to execute arbitrary code.

RealNetworks RealPlayer SMIL Buffer Overflow

This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8. By creating a URL link to a malicious SMIL file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.smil'. This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8 build 6.0.9.584.

Recent Exploits: