This is an atypical, second-order SQL injection vulnerability. While viewing the details of a website in the chCounter backend, some data is selected from the database. The script trusts the ordinary visitor: when a page that uses chCounter is viewed, the title of the current page and other information is written directly into the table chc_pages, column 'wert'. When the admin later views the visitor's details (which include the titles of the visited pages) in the backend, that stored information is selected and used in a query without any filtering. An attacker can therefore inject SQL code into the admin's query through the stored data: the payload is written safely at visit time and only becomes active when the backend reads it back.
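To make the second-order pattern concrete, here is an added example (not chCounter's own code) using Python and an in-memory SQLite database. The table and column names follow the advisory (chc_pages, wert); the 'secrets' table, the page-id lookup and the payload are constructed for the demonstration. The storage step is parameterised and looks harmless; the backend view concatenates the stored title into a new query, which is where the injection fires.

```python
import sqlite3

# Constructed sample input: a page title as a visitor could present it.
# Hypothetical payload, not the one used against chCounter.
MALICIOUS_TITLE = "x' UNION SELECT 1, name FROM secrets--"


def setup_db():
    """Build a throwaway database with the visitor table and a sensitive table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE chc_pages (id INTEGER PRIMARY KEY, wert TEXT);
        CREATE TABLE secrets (name TEXT);          -- stands in for any other table
        INSERT INTO secrets VALUES ('admin_password_hash');
    """)
    return db


def record_visit(db, title):
    """Storage step: parameterised, so the title is stored verbatim.
    This step is safe on its own, which is why the bug is easy to miss."""
    db.execute("INSERT INTO chc_pages (wert) VALUES (?)", (title,))
    db.commit()


def admin_view_vulnerable(db, page_id):
    """Backend view: the stored title is read back and concatenated into a
    second query. Whatever the visitor stored is now executed as SQL."""
    title = db.execute("SELECT wert FROM chc_pages WHERE id = ?",
                       (page_id,)).fetchone()[0]
    sql = "SELECT id, wert FROM chc_pages WHERE wert = '" + title + "'"
    return db.execute(sql).fetchall()


def admin_view_fixed(db, page_id):
    """Same view, but the stored value is bound as a parameter, so it is
    compared as data and never parsed as SQL."""
    title = db.execute("SELECT wert FROM chc_pages WHERE id = ?",
                       (page_id,)).fetchone()[0]
    return db.execute("SELECT id, wert FROM chc_pages WHERE wert = ?",
                      (title,)).fetchall()


def demo():
    """Run both views over the same stored payload and return their results."""
    db = setup_db()
    record_visit(db, MALICIOUS_TITLE)
    return admin_view_vulnerable(db, 1), admin_view_fixed(db, 1)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable view:", vulnerable)   # leaks the row from 'secrets'
    print("fixed view:     ", fixed)        # returns the stored title itself
```

The lesson is that "we validate input at the form" is not a defence against second-order injection: the value that reaches the backend query came from the database, not from a form, so only parameterisation at the point of query construction helps.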
The browser security model normally prevents web content from one domain from accessing data on another domain; this is commonly known as the same-origin policy. URL policy files grant cross-domain permissions for reading data, i.e. they permit operations that are not permitted by default. The URL policy file is located, by default, in the root directory of the target server, with the name crossdomain.xml (for example, at www.example.com/crossdomain.xml). When a domain is specified in the crossdomain.xml file, the site declares that it is willing to allow the operators of any server in that domain to obtain any document on the server where the policy file resides. The crossdomain.xml file deployed on this website opens the server to all domains (a single asterisk '*' is supported as a pure wildcard), like so: <cross-domain-policy> <allow-access-from domain='*' /> </cross-domain-policy>. This practice is acceptable for purely public servers, but should not be used for sites located behind a firewall, because it could permit access to protected areas, and it should not be used for sites that require authentication in the form of passwords or cookies. Sites that use the common practice of cookie-based authentication to access private or user-specific data should be especially careful with cross-domain policy files: the browser attaches the victim's cookies to requests that a Flash client on the attacker's domain makes on the victim's behalf, so a wildcard policy lets that client read any page the logged-in victim can read.
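As an added example (not part of the original advisory), the following Python audit function parses a crossdomain.xml document and flags the settings that matter here: the wildcard domain from the advisory, subdomain wildcards, and secure="false" (which extends an HTTPS-served policy to plain-HTTP clients). The two sample policies are constructed for the example; the restricted one shows what a policy limited to named hosts looks like.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the wide-open policy described in the advisory.
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed sample: only named hosts, and only over HTTPS.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="static.example.com" secure="true" />
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of findings (strings) for a crossdomain.xml document.
    An empty list means no risky allow-access-from entry was found."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "cross-domain-policy":
        findings.append("root element is not <cross-domain-policy>")
        return findings

    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        # 'secure' defaults to true; only an explicit false widens the policy.
        secure = elem.get("secure", "true").strip().lower()
        if domain == "*":
            findings.append(
                "allow-access-from domain='*': every origin may read this site "
                "with the victim's cookies attached")
        elif domain.startswith("*."):
            findings.append(
                f"allow-access-from domain='{domain}': every host under that "
                "suffix is trusted, including ones you do not control")
        if secure == "false":
            findings.append(
                f"secure='false' on domain='{domain}': plain-HTTP clients are "
                "granted the same access as HTTPS ones")
    return findings


def is_wide_open(xml_text):
    """True when the policy grants read access to every domain."""
    return any("domain='*'" in f for f in audit_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY),
                         ("restricted", RESTRICTED_POLICY)):
        print(name, "->", audit_policy(policy) or ["no findings"])
```

Run this against a live site by fetching /crossdomain.xml and passing the body to audit_policy; a non-empty result on a site that sets session cookies is the condition the advisory warns about.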
A vulnerability in Zyke CMS V1.0 allows an attacker to upload malicious files to the server. The vulnerability exists due to insufficient validation of user-supplied input in the 'controlpanel.php' script. A remote attacker can upload arbitrary files to the server, which can be used to execute arbitrary code on the vulnerable system.
A vulnerability in Zyke CMS V1.1 allows an attacker to bypass authentication and gain access to the admin panel. The vulnerability exists due to insufficient validation of user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This may allow the attacker to gain access to the admin panel without authentication.
The Tirzen Framework (http://www.tirzen.net/tzn/) is a supporting API developed by Tirzen (http://www.tirzen.com), an intranet and internet solutions provider. The Tirzen Framework contains a SQL injection vulnerability (http://www.owasp.org/index.php/SQL_Injection) that could allow an attacker to arbitrarily manipulate SQL strings constructed using the library. Because the flaw is in the shared library, every application built on it is affected; it manifests most notably in the Task Freak (http://www.taskfreak.com/) open source task management software, where it can be exploited to bypass authentication and gain administrative access to the Task Freak system.
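The authentication bypass described for Task Freak is the classic first-order form of the problem. The following is an added example (not Tirzen or Task Freak code) in Python with SQLite: a login query built by string formatting, the two usual bypass payloads, and the parameterised version that defeats them. The users table and credentials are constructed for the demonstration, and passwords are stored in clear text only to keep the example short.

```python
import sqlite3

# Constructed payloads (hypothetical; the advisory does not publish the real one).
BYPASS_COMMENT = "admin'--"          # closes the string, comments out the password check
BYPASS_TAUTOLOGY = "' OR '1'='1"     # makes the WHERE clause true for every row


def setup_db():
    """Throwaway user table; plaintext passwords only for demonstration."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER);
        INSERT INTO users VALUES ('admin', 'correct horse battery staple', 1);
        INSERT INTO users VALUES ('alice', 'hunter2', 0);
    """)
    return db


def login_vulnerable(db, username, password):
    """Login the way a string-building helper does it: both inputs are
    spliced into the SQL text, so quotes in either one change the query."""
    sql = ("SELECT username, is_admin FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return db.execute(sql).fetchone()


def login_fixed(db, username, password):
    """Same query with bound parameters: the inputs are compared as values."""
    return db.execute(
        "SELECT username, is_admin FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()


def demo():
    """Return (vulnerable, fixed) results for both payloads and a valid login."""
    db = setup_db()
    return {
        "comment": (login_vulnerable(db, BYPASS_COMMENT, "anything"),
                    login_fixed(db, BYPASS_COMMENT, "anything")),
        "tautology": (login_vulnerable(db, BYPASS_TAUTOLOGY, BYPASS_TAUTOLOGY),
                      login_fixed(db, BYPASS_TAUTOLOGY, BYPASS_TAUTOLOGY)),
        "valid": (login_vulnerable(db, "alice", "hunter2"),
                  login_fixed(db, "alice", "hunter2")),
    }


if __name__ == "__main__":
    for case, (vuln, fixed) in demo().items():
        print(f"{case:10s} vulnerable={vuln} fixed={fixed}")
```

Note that the comment payload logs the attacker in as the named user (here the administrator) without knowing any password, which is exactly the "gain administrative access" outcome in the advisory; the tautology payload returns whichever row the database happens to return first.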
iScripts VisualCaster is a video hosting script that can be used to provide a video hosting service to customers; it is a turnkey solution for YouTube-like services. An attacker can exploit a SQL injection vulnerability in the playVideo.php script by supplying malicious input in the product_id parameter.
The vulnerability exists because the "/_layouts/help.aspx" script fails to properly sanitize user-supplied input in the "cid0" parameter, a cross-site scripting issue. Successful exploitation could result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data. An attacker needs only a browser to exploit this vulnerability.
The vulnerability allows an attacker to inject malicious code into the vulnerable application using two techniques, 'Location Replace' and remote file inclusion ('RFI'); in both cases the attacker sends a crafted URL to the vulnerable application. The RFI technique can also be used to gain access to sensitive information stored on the vulnerable application.
iScripts SocialWare lets you create your own social community in minutes, either added to an existing web site or as a standalone web 2.0 application. The script is intended for online networking communities for small groups such as school classes and regional groups, and can also be used for professional or romantic networking. By letting users network with family and friends, it drives viral traffic to the site. The exploit involves registering on the site, going to the profile page, opening the 'ADD WIDGETS' option and uploading the malicious script. In addition, an XSS vulnerability is present in the search query parameter.
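Both the help.aspx cid0 issue above and the SocialWare search parameter are reflected cross-site scripting: a request parameter is echoed into the page without output encoding. The following added example (not code from either product) shows the vulnerable rendering beside the fixed one in Python; the parameter name 'q', the page template and the payload are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs

# Constructed request: the search parameter as an attacker would send it.
XSS_QUERY = "q=<script>alert(document.cookie)</script>"


def search_term(query_string):
    """Pull the 'q' parameter out of a raw query string (empty if absent)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_search_vulnerable(query_string):
    """Reflects the search term into the HTML verbatim, so any markup in
    it becomes part of the page and runs in the victim's browser."""
    return "<h1>Results for: " + search_term(query_string) + "</h1>"


def render_search_fixed(query_string):
    """Same page with HTML entity encoding applied at the output point.
    quote=True also encodes quotes, so the value is safe inside attributes."""
    return ("<h1>Results for: "
            + html.escape(search_term(query_string), quote=True)
            + "</h1>")


def contains_script_tag(rendered_html):
    """Crude detector used to compare the two renderings."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(XSS_QUERY))
    print("fixed:     ", render_search_fixed(XSS_QUERY))
```

The fix is context-specific: entity encoding is correct for text and attribute values, but a parameter reflected inside a script block or a URL needs the encoding for that context instead.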
A vulnerability exists in XT-Commerce v1 Beta 1 which allows an attacker to bypass authentication and create and download a backup. The attacker can request the backup.php/login.php page with the action parameter set to backupnow to create a backup, then request the same page with the action parameter set to download and the file parameter set to the name of that backup to retrieve it.