This exploit uses a malicious HTML page to trigger memory corruption in Firefox 3.5.10 and 3.6.6 when Windows Media Player 10 or 11 is installed. The page contains a script that creates an embedded Windows Media Player object and reloads the page until the object is created. This corrupts memory in Firefox, which can be leveraged to execute arbitrary code.
This exploit targets a stack-based buffer overflow in Oracle Java 6. The vulnerability has been confirmed in Update 20 and 21 and probably exists in earlier versions as well. The overflow gives control over the EBP and EIP registers when the vulnerable function returns. The exploit first tries to bypass DEP using the "Havoc" technique published at http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/: a combination of a heap spray and a return-into-libc attack that sets the executable flag on a block of the sprayed heap memory before jumping into it.
Collabtive inserts the HTTP 'y' parameter of 'manageajax.php' and the HTTP 'pic' parameter of 'thumb.php' into its HTML output without sanitizing them, allowing reflected cross-site scripting. An attacker can execute arbitrary JavaScript in the victim's browser or steal the PHPSESSID cookie to hijack the session and escalate privileges. The application also lacks CSRF protection: an attacker can craft a page, lure a Collabtive administrator into visiting it, and thereby perform actions with administrative privileges. To prevent CSRF, the application needs anti-CSRF tokens, and should require a CAPTCHA or re-entry of the current password for critical actions.
The entire system is vulnerable to CSRF (cross-site request forgery) because it includes no mechanism to prevent such attacks. An example exploit is provided that changes the password of any user, including the administrator.
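An added example (not code from Collabtive, from the system in the entry above, or from the advisory authors) of the anti-CSRF token defence the two entries call for: a password-change handler without a token check is accepted from a forged cross-site form, while the hardened handler issues a per-session token, embeds it in the real form, and rejects any request whose token does not match. The dict-based session store, the form field names and the handler signatures are assumptions made for the demonstration.

```python
import hmac
import secrets

# Assumption: a server-side session is a dict keyed by the session cookie
# (PHPSESSID in the Collabtive case). The browser attaches that cookie to
# every request, including ones auto-submitted from an attacker's page.


def issue_csrf_token(session):
    """Create a random per-session token once and return it for embedding in forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_password_form(session):
    """Form markup carrying the token as a hidden field (action and field names assumed)."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/changepassword">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="password" name="new_password">'
        '<input type="submit">'
        "</form>"
    )


def change_password_unprotected(session, form):
    """Vulnerable handler: any POST arriving with the victim's cookie is honoured,
    so a form auto-submitted from an attacker's page replaces the password."""
    session["password"] = form["new_password"]
    return True


def change_password_protected(session, form):
    """Hardened handler: the request must carry the token stored in this session.
    The attacker's page cannot read the victim's token (same-origin policy), so
    the forged request is rejected before any state changes. compare_digest
    keeps the check constant-time; encoding to bytes avoids the ASCII-only
    restriction on str arguments."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    session["password"] = form["new_password"]
    return True


def demo():
    """Constructed forged request: the attacker's page posts only new_password."""
    forged = {"new_password": "attacker-chosen"}

    victim = {"user": "admin", "password": "original"}
    change_password_unprotected(victim, forged)          # succeeds: password replaced

    victim2 = {"user": "admin", "password": "original"}
    render_password_form(victim2)                        # token issued for the real form
    rejected = not change_password_protected(victim2, forged)
    legit = {"new_password": "chosen-by-admin", "csrf_token": victim2["csrf_token"]}
    accepted = change_password_protected(victim2, legit)
    return victim["password"], rejected, accepted, victim2["password"]


if __name__ == "__main__":
    print(demo())
```

The token only defends actions that the server refuses to perform without it, so every state-changing endpoint must run the check; re-prompting for the current password on critical actions such as a password change, as the entry above recommends, is an independent second layer that also survives a leaked token.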
This module exploits a remote file inclusion vulnerability in AdaptCMS 2.0.1 and earlier, in the file /inc/smarty/libs/init.php.
A local file inclusion vulnerability in BaconMap 1.0 can be exploited to include arbitrary files.
OrangeHRM 2.6.0.1 is vulnerable to local file inclusion. An attacker can exploit it by sending a crafted HTTP request containing a malicious file path in the 'uri' parameter, which allows the attacker to read any file on the server that the web server process can access.
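An added example (not code from AdaptCMS, BaconMap or OrangeHRM) of the include-path handling behind the three file-inclusion entries above: the vulnerable pattern joins a client-supplied path straight onto the template directory, so an absolute path or `../` sequences (local inclusion) and a URL or stream-wrapper prefix (remote inclusion) all get through; the hardened resolver rejects null bytes and schemes, then confirms the canonical target still lies inside the base directory. The base directory, file names and payload shapes are assumptions made for the demonstration.

```python
import os
from urllib.parse import urlsplit


class UnsafePath(ValueError):
    """Raised when a requested include path is rejected."""


def include_path_unsafe(base_dir, requested):
    """Vulnerable pattern: join and include whatever the client asked for.
    os.path.join discards base_dir when `requested` is absolute, '..'
    components walk out of it, and a URL would be handed to a
    remote-capable include just as readily."""
    return os.path.join(base_dir, requested)


def resolve_include(base_dir, requested):
    """Return the canonical path of `requested` under `base_dir`, or raise UnsafePath.

    Checks, in order:
      1. no embedded null byte (historically used to truncate an appended suffix);
      2. no URL scheme or stream wrapper such as http://, ftp://, php:// (RFI);
      3. the canonical target, after resolving '..' and symlinks, is a file
         position strictly inside the canonical base directory (LFI/traversal).
    """
    if "\x00" in requested:
        raise UnsafePath("null byte in path")
    if urlsplit(requested).scheme:
        raise UnsafePath("URL or stream wrapper is not a local template")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("path escapes the include directory")
    return candidate


def is_safe_include(base_dir, requested):
    """Boolean form of resolve_include, for policy checks."""
    try:
        resolve_include(base_dir, requested)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate template and typical LFI/RFI payload shapes.
    base = "/srv/example/templates"
    for req in ["header.tpl", "../../../etc/passwd", "/etc/passwd",
                "http://attacker.example/shell.txt", "php://filter/resource=index.php"]:
        verdict = "ok" if is_safe_include(base, req) else "rejected"
        print(f"{req!r:40} unsafe -> {include_path_unsafe(base, req)!r:45} safe -> {verdict}")
```

Where the set of includable templates is small, an explicit allowlist of names mapped to paths is simpler still and removes the path parsing entirely; the resolver above is for the case where the client legitimately names a file under one directory.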
A vulnerability exists in the way Sync Breeze v2.2.30 processes login requests after accepting a connection from a remote client. If a packet longer than 484 bytes is received with the command prefix 'ServerLogin.', the affected service (syncbrs.exe) crashes as the result of a buffer overflow. An attacker can easily leverage this to control execution flow and execute arbitrary code.
Auto e-Manager is vulnerable to SQL injection. An attacker can inject arbitrary SQL via the 'ID' parameter of the 'detail.asp' page, which can be used to read or modify data in the back-end database.
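An added example (not Auto e-Manager's code, which is ASP) of the pattern behind the entry above, using an in-memory SQLite table as a stand-in for the back-end database: a detail lookup that concatenates the 'ID' parameter into the query lets an `OR` tautology return every row, while the parameterised version binds the value so the same input matches nothing. The table, columns and sample rows are constructed for the demonstration.

```python
import sqlite3


def build_demo_db():
    """Constructed stand-in for the application's database (schema and rows assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vehicles (id INTEGER PRIMARY KEY, model TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO vehicles (id, model, price) VALUES (?, ?, ?)",
        [(1, "Sedan", 9000), (2, "Coupe", 12000), (3, "Truck", 15000)],
    )
    return conn


def detail_unsafe(conn, id_param):
    """Vulnerable: the request parameter is spliced into the SQL text, so any
    quotes and keywords it carries become part of the statement."""
    sql = "SELECT id, model, price FROM vehicles WHERE id = '" + id_param + "'"
    return conn.execute(sql).fetchall()


def detail_safe(conn, id_param):
    """Fixed: the parameter is bound as a value and is never parsed as SQL.
    SQLite's column affinity still lets the text '2' match the integer id 2,
    while a non-numeric string simply matches no row. Validating that the ID
    is an integer before querying is a further, independent layer."""
    return conn.execute(
        "SELECT id, model, price FROM vehicles WHERE id = ?", (id_param,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    normal = "2"
    injected = "2' OR '1'='1"   # constructed payload: closes the quote, adds a tautology
    print("unsafe, normal  :", detail_unsafe(db, normal))
    print("unsafe, injected:", detail_unsafe(db, injected))   # every row leaks
    print("safe,   normal  :", detail_safe(db, normal))
    print("safe,   injected:", detail_safe(db, injected))     # no rows
```

The same binding discipline applies to the ASP/ADO stack the affected page runs on: build the statement with placeholders and attach the request value as a parameter object rather than concatenating it into the query string.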
FoxPlayer version 2.3.0 is vulnerable to a buffer overflow when a specially crafted .m3u file is opened. A 218-byte payload is enough to crash the application; larger payloads also trigger the crash.