The vulnerability exists in the view_item.php script, which is vulnerable to SQL injection attacks. An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable script with the ItemID parameter containing malicious SQL code. This can allow the attacker to access or modify the application's data, execute system commands, or even access the underlying file system.
MHP DownloadScript v2.2 is vulnerable to SQL injection. An attacker can inject malicious SQL queries to the vulnerable parameter in the admin login page. This can be exploited to bypass authentication, access, modify or delete data from the database.
The vulnerability exists in the 'item.php' script, which is vulnerable to SQL injection attacks when the 'id' parameter is supplied with malicious input.
There is a stack-based buffer overflow in IntegraXor that can be triggered by passing an overly large value to the "save" method of the IntegraXor.Project control located in igcomm.dll. This control is marked both safe for scripting and safe for initialization. The vulnerable code in this block passes String1 (dest) and lpString2 (src) to lstrcpyW() without validating the length of lpString2. lstrcpyW() then copies lpString2 byte for byte into String1 (a 1024-byte wchar buffer) and adds a terminating NULL byte to the end. If you attach a debugger and set a breakpoint on 100027CD, you can see that an exception registration record is stored before the return address.
Radius Manager is a centralized way to administer Mikrotik, Cisco, Chillispot and StarOS routers and wireless access points. It has a centralized accounting system that uses Radius, providing easy user and accounting management for ISPs. This problem was confirmed in the following version of Radius Manager; other versions may also be affected: Radius Manager 3.8.0. The Radius Manager system is affected by multiple stored cross-site scripting vulnerabilities. The “Group Name” and “Description” fields in the “new_usergroup” menu do not sanitize input data, allowing an attacker to store malicious JavaScript code in a page. The same thing occurs with the “new_nas” menu.
A file upload vulnerability exists in the TinyMCE plugin, which allows an attacker to upload malicious files to the server. The vulnerability is due to the lack of proper input validation and sanitization of the uploaded files. An attacker can exploit this vulnerability by uploading a malicious file with a .gif extension, which can then be moved to a .php extension.
A vulnerability exists in CubeCart v3.x which allows an attacker to upload a malicious file to the server. The vulnerability exists in the 'includes/rte/editor/filemanager/browser/default/connectors/test.html' page, which allows an attacker to upload a malicious file using the PHP mode.
VRsecos.sys creates a device called 'VRsecos' and handles DeviceIoControl code 0x8307202c, which uses the function 'strcpy' to copy memory from the IRP system buffer to the driver's data area. This can overwrite critical kernel object memory in vrsecos.sys's data area.
TKRgAc2k.sys creates a device called 'TKRgAc' and handles these I/O control codes: 0x22140: receive registry monitor key value name MD5; 0x221448: receive registry monitor key name; 0x221444: receive registry key monitor enable; 0x221410: receive the virus name that matches the key value name MD5; 0x220c54: create shared memory for receiving virus notifications; 0x220c5c: receive the event handle for sending virus notifications. Tkacrg2k.sys creates a FileObject->FsContext for each process that opens the device, and saves the key, key value, virus name and event object in FsContext. This contains a design error: if a registry operation is intercepted and matches the rules, but the event handle has not been set, TKAcRg2k.sys will still notify ring3 of this event with KeSetEvent(NULL,0). An attacker can allocate a fake KEVENT structure at the zero address and overwrite any address with KEvent->WaitThreadList->KThread->WaitListEntry's remove list entry operation.
AhnRec2k.sys creates a device called 'AhnRecDrv' and handles DeviceIoControl code 0x8101261C, which executes a function pointer taken from user input in kernel mode. Although AhnRec2k.sys does not create any symbolic link for this device and leaves the device's interface for internal use, we can still use the native function 'ZwCreateFile' to open the device and send requests to it. AhnRec2k.sys (1.2.0.4) checks whether the function pointer is below MmHighestUserAddress, but it can still be exploited.