A logic error in the save function (compose.php) allows a registered user to upload a file with any extension. The check for a valid file extension is made after the upload, and in the failure case the file is not removed from the server. This can be exploited to execute arbitrary PHP code by uploading a PHP file.
AJ Matrix DNA is vulnerable to SQL injection. An attacker can send a specially crafted SQL query to the vulnerable application and gain access to the admin credentials.
An OS command injection vulnerability in the VMware Tools update allows unauthorized attackers to execute arbitrary commands on the vulnerable system.
The vulnerability exists due to a failure in the "admin.php" script to properly verify the source of HTTP requests. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data. An attacker can use a browser to exploit this vulnerability. The following PoC is available: <form action="http://host/admin.php?page=users&subpage=usergroups&subpage=usergroups&action=add&uid=USER_ID" method="post" name="main" ><input type="hidden" name="gid" value="1"><input type="hidden" name="utype" value="2"><input type="hidden" name="action" value="Add"></form><script>document.main.submit();</script>
Input passed to the 'char' parameter is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that magic_quotes_gpc is set to Off.
The variable $ABTPV_BLOQUE_CENTRAL was not correctly declared, enabling an attacker to include malicious files or read files from the system. If allow_url_fopen=on: RFI; if magic_quotes_gpc=off: LFI.
This vulnerability allows remote attackers to cause a denial of service (DoS) condition on vulnerable installations of Microsoft Internet Explorer. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of CSS import directives. By specifying a recursive import directive, an attacker can cause the browser to enter an infinite loop, consuming all available CPU resources.
The lm_tcp service listens (started manually or automatically during the launch of 'Environment Display/Manager') on port 9001 and is vulnerable to a buffer overflow during the copying of a string into a 150-byte buffer that is part of a fixed structure. The overflow (max 19204 chars) only allows overwriting the two memory pointers located after the space assigned to the copied string; they are immediately used for two memset(buffer, 0, 2) operations, with the consequent effect of writing a 16-bit 0x0000 to an arbitrary memory location.
When Winamp plays MUS files and other MIDI variants, it begins by converting them to a canonical format. Timestamps in MIDI files are encoded by serializing 32-bit integers into 1, 2, 3, 4 or 5 bytes, storing 7 data bits in each byte. The last bit is used to indicate whether or not a given byte is the last. The serialization is done into an 8-byte buffer, which should be large enough, but there is a logic bug in the code which allows an attacker to write one byte outside of the buffer. The serialization is done by shifting the input value by multiples of seven bits until no more bits are set. This is done using the x86 instruction SAR. Unfortunately this instruction does not clear the register when shifting by more than the register width, but instead shifts by the requested amount modulo the register width. By crafting an input file so that Winamp tries to serialize a value which has the most significant bit cleared and one of the following three bits set, an attacker can force the program to write the value shifted by 0, 7, 14, 21, 28, 3, 10, 17 and 24 bits: a total of nine output bytes. The least significant value overflows into the saved base pointer.
GNU inetutils ftp (shipped with Linux and other *nix systems) suffers a heap overflow while parsing command arguments (but ONLY when the argument is NOT passed on the same line). If you run any command (open, user, cd, mkdir, etc.) without an argument, ftp will prompt you for an argument with readline(). It will then copy this input into a 200-byte buffer without first checking its length.