This script is vulnerable to cookie manipulation. By injecting a custom HTTP response header or a META tag, an attacker can alter the cookies the browser stores for the site; attackers normally use this to fraudulently authenticate to the site. The affected script is /Wiky/index.php/Special/Main/Templates. One use of the flaw is session fixation: the attacker sets the victim's session ID before the victim even logs in to the target server, so there is no need to steal the ID afterwards. The same script is also vulnerable to cross-site scripting: injected JavaScript executes in the victim's browser, and attackers normally use it to steal the victim's session ID and hijack the session.
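The session fixation path described above, as an added example (constructed here, not the wiki's code). An in-memory session store stands in for the real session handler; the cookie name PHPSESSID and the planted session ID are assumptions. The vulnerable login authenticates whatever session ID the browser presented, so the ID the attacker planted becomes authenticated; the fixed login regenerates the ID on authentication, so the planted ID stays anonymous.

```python
import secrets

# Added example: a constructed in-memory session store standing in for the
# wiki's real session handling, which the advisory does not show.
class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> session data

    def resume(self, cookie_sid):
        # Like PHP with session.use_strict_mode off: any id the client presents
        # is adopted as-is. That is what lets an attacker-chosen id be "fixed".
        if not cookie_sid:
            cookie_sid = secrets.token_hex(16)
        self.sessions.setdefault(cookie_sid, {})
        return cookie_sid

    def login_vulnerable(self, sid, user):
        # Authenticates the pre-login session in place, so whoever planted
        # `sid` now holds an authenticated session.
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        # Regenerate the id on privilege change: the planted id is discarded
        # and the attacker never learns the new one.
        data = self.sessions.pop(sid, {})
        data["user"] = user
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


# What the attacker plants in the victim's browser through the injected header
# or META tag the advisory mentions (cookie name and id value are assumed).
ATTACKER_SID = "a" * 32
PLANTED_HEADER = "Set-Cookie: PHPSESSID=%s; Path=/" % ATTACKER_SID
PLANTED_META = '<meta http-equiv="Set-Cookie" content="PHPSESSID=%s">' % ATTACKER_SID


def run_attack(use_fix):
    store = SessionStore()
    sid = store.resume(ATTACKER_SID)          # victim arrives with the planted cookie
    login = store.login_fixed if use_fix else store.login_vulnerable
    login(sid, "alice")                        # victim logs in normally
    return store.user_for(ATTACKER_SID)        # attacker replays the planted id


def demo_vulnerable():
    return run_attack(use_fix=False)   # "alice": the planted id is now authenticated


def demo_fixed():
    return run_attack(use_fix=True)    # None: the planted id was discarded at login
```

Current browsers no longer honour Set-Cookie delivered through a META tag, so of the two injection vectors the advisory names, header injection is the one that still matters; regenerating the session ID at login closes the attack regardless of how the ID was planted.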
A cross-site request forgery (CSRF) vulnerability was found in the Admin module of Article Friendly. An attacker can craft an HTML page containing an image tag whose URL points at the admin script with the filename parameter set to adminuser, the a parameter set to 3, and the adminid parameter set to the ID of the user to delete; when a logged-in administrator loads that page, the browser sends the request with the administrator's cookies and the user is deleted.
This script is possibly vulnerable to cross-site scripting (XSS). XSS lets an attacker deliver malicious code (usually JavaScript) to another user; because the browser cannot tell whether the script should be trusted, it executes it in the user's context, giving the attacker access to any cookies or session tokens the browser holds. This variant usually appears when a PHP script echoes one of the following variables without filtering: PHP_SELF, REQUEST_URI, SCRIPT_URL, SCRIPT_URI. Attackers may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to trick users and gather data from them, steal the session cookie and take over the account by impersonating the user, or modify the content of the page presented to the user.
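The PHP_SELF variant above, as an added example that is not the target's code. The Python model mimics a PHP form whose action attribute echoes $_SERVER['PHP_SELF'] (which includes any URL-decoded path info the client appends after the script name); the host and script path are assumptions, and the attack URL is constructed. The fixed variant escapes for the attribute context before echoing.

```python
import html
from urllib.parse import unquote, urlsplit

# Added example: a constructed stand-in for a PHP page that renders
#   <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
# PHP_SELF is the script path plus any extra path info the client appended,
# URL-decoded, so the client controls part of what gets echoed.
SCRIPT = "/index.php"   # assumed script path


def php_self(request_uri):
    path = unquote(urlsplit(request_uri).path)
    return path if path.startswith(SCRIPT) else SCRIPT


def render_form_vulnerable(request_uri):
    # Echoes the path verbatim into an attribute: a quote in the path info
    # closes the attribute and the rest is parsed as markup.
    return '<form action="%s" method="post">' % php_self(request_uri)


def render_form_fixed(request_uri):
    # Escape for the HTML attribute context: " < > & all become entities,
    # the equivalent of htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES).
    return '<form action="%s" method="post">' % html.escape(php_self(request_uri), quote=True)


# Constructed attack URL: the path info closes the action attribute and the
# form tag, then injects a script element that reads the cookie.
PAYLOAD_URI = ("http://victim.example/index.php/"
               "%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C%22")


def script_injected(rendered):
    # Did a literal script element survive into the output?
    return "<script>" in rendered
```

Escaping fixes the reflection; the simpler fix for this specific pattern is to not echo PHP_SELF at all and use a fixed path or an empty action, since the form only ever posts to itself.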
Max's Photo Album is vulnerable to arbitrary file upload. An attacker can upload a malicious file (a PHP web shell) to the server and then request it at the 'original/evil.php' URL, gaining remote code execution on the server.
This exploit is a remote denial of service (DoS) against the FTP Server By Zhang Boyang application: it sends a large buffer of data to the FTP server, causing it to crash. The exploit was tested on an iPhone 3GS running firmware 3.1.2.
Victim.com/script/admin. Username (between brackets): (' or 'a'='a). Password (between brackets): (' or 'a'='a). Enjoy uploading shells :D (upload ASP shell types to be able to read/modify/download files).
An attacker can access the backup folder of QuickDev 4 Php CMS and download the database backup files.
The password change page of Tinypug is vulnerable to CSRF, which can be used to change the victim's password. The comment page is vulnerable to stored XSS, although comments are published only after administrator confirmation. This XSS can still be used in conjunction with the more serious hole (the CSRF) to change the administrator's password.
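The CSRF pattern shared by the Article Friendly admin deletion and the Tinypug password change, as an added example (constructed here, not either project's code). It models the Article Friendly delete action with the parameter names from that advisory (filename=adminuser, a=3, adminid); the host, path, session handling and status codes are assumptions. The vulnerable handler acts on any request carrying a valid session cookie, which is exactly what an image tag on a third-party page produces; the fixed handler requires POST plus a session-bound token.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Added example: a constructed model of an admin "delete user" action, not
# Article Friendly's or Tinypug's code. Host and path are assumed; the
# parameter names (filename, a, adminid) are the ones from the advisory.
class Request:
    def __init__(self, method, url, cookies=None, form=None):
        self.method = method
        self.query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        self.cookies = cookies or {}
        self.form = form or {}


class AdminApp:
    def __init__(self):
        self.admins = {1: "admin", 2: "editor"}
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def _is_delete(self, req):
        return req.query.get("filename") == "adminuser" and req.query.get("a") == "3"

    def handle_vulnerable(self, req):
        # Deletes on any request with a valid session cookie. The browser adds
        # that cookie to an <img> fetch from any page, so no user action is needed.
        sess = self.sessions.get(req.cookies.get("sid"))
        if not sess:
            return 403
        if self._is_delete(req):
            self.admins.pop(int(req.query.get("adminid", 0)), None)
            return 200
        return 404

    def handle_fixed(self, req):
        # Same action, but only via POST and only with the session-bound token,
        # which a cross-origin page can neither read nor guess.
        sess = self.sessions.get(req.cookies.get("sid"))
        if not sess:
            return 403
        if self._is_delete(req):
            if req.method != "POST":
                return 405
            if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
                return 403
            self.admins.pop(int(req.form.get("adminid", 0)), None)
            return 200
        return 404


# Constructed attacker page and the request the victim's browser fires for it.
ATTACK_URL = "http://victim.example/admin/?filename=adminuser&a=3&adminid=1"
ATTACK_PAGE = '<img src="%s" width="1" height="1">' % ATTACK_URL


def forged_request(victim_sid):
    # GET, victim's cookie attached by the browser, no token: what <img> sends.
    return Request("GET", ATTACK_URL, cookies={"sid": victim_sid})


def demo_vulnerable():
    app = AdminApp()
    sid = app.login("admin")
    status = app.handle_vulnerable(forged_request(sid))
    return status, 1 in app.admins          # (200, False): admin deleted


def demo_fixed():
    app = AdminApp()
    sid = app.login("admin")
    forged = app.handle_fixed(forged_request(sid))
    # A request from the real form carries the token and still works.
    legit = Request("POST", "http://victim.example/admin/?filename=adminuser&a=3",
                    cookies={"sid": sid},
                    form={"adminid": "2", "csrf_token": app.sessions[sid]["csrf"]})
    return forged, 1 in app.admins, app.handle_fixed(legit), 2 in app.admins
    # (405, True, 200, False): forgery rejected, legitimate delete accepted
```

The token only defends against requests originating from another origin. Script already running on the site's own origin, such as the stored XSS in Tinypug's comments, can read the token and submit the form with it, which is why the advisory treats the XSS as a way to reach the CSRF: both bugs have to be fixed. A SameSite attribute on the session cookie is worthwhile defence in depth but does not replace the token.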
A remote denial of service (DoS) vulnerability exists in FtpDisc for iPhone and FtpDisc Lite due to improper handling of large data. An attacker can exploit it by sending a large amount of data to the FTP server, crashing the application.
The 'sblink_id' parameter of the 'moredetails.php' page is used in a SQL query without sanitisation. An attacker can inject SQL through this parameter to access the database and extract sensitive information such as usernames and passwords.
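Both SQL injection entries on this page, the ' or 'a'='a login bypass against the admin panel and the data extraction through sblink_id in moredetails.php, as one added example that is not either target's code. SQLite stands in for the real backends (the page does not say what they are) and the table and column names are assumptions; the precedence argument that makes the bypass work holds the same way in the other engines. The vulnerable functions build SQL by string formatting, the fixed ones bind parameters and validate the numeric id.

```python
import sqlite3

# Added example: constructed schema in SQLite standing in for the targets'
# databases. Table and column names are assumed; the password is stored in
# clear only so the demo shows what the UNION leaks.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO admins VALUES (1, 'admin', 'S3cretPass!');
        CREATE TABLE links (sblink_id INTEGER PRIMARY KEY, title TEXT, url TEXT);
        INSERT INTO links VALUES (1, 'Home', 'http://example.test/');
    """)
    return db


# --- Login form: the ' or 'a'='a bypass ------------------------------------
BYPASS = "' or 'a'='a"


def login_vulnerable(db, user, password):
    # String concatenation. With BYPASS in both fields the WHERE clause becomes
    #   username='' or 'a'='a' AND password='' or 'a'='a'
    # AND binds tighter than OR, so the trailing OR 'a'='a' makes it true for
    # the first row, whatever the real credentials are.
    sql = "SELECT username FROM admins WHERE username='%s' AND password='%s'" % (user, password)
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, user, password):
    # Bound parameters: the quotes in BYPASS are data, never SQL.
    row = db.execute("SELECT username FROM admins WHERE username=? AND password=?",
                     (user, password)).fetchone()
    return row[0] if row else None


# --- moredetails.php?sblink_id=...: extracting credentials with UNION -------
UNION_PAYLOAD = "0 UNION SELECT username, password FROM admins"


def moredetails_vulnerable(db, sblink_id):
    # Numeric parameter dropped straight into the query; no quote is needed
    # to break out, and the UNION appends a row from an unrelated table.
    sql = "SELECT title, url FROM links WHERE sblink_id=%s" % sblink_id
    return db.execute(sql).fetchall()


def moredetails_fixed(db, sblink_id):
    # Validate the type first, then bind.
    try:
        sblink_id = int(sblink_id)
    except ValueError:
        return []   # reject anything that is not a plain integer id
    return db.execute("SELECT title, url FROM links WHERE sblink_id=?",
                      (sblink_id,)).fetchall()
```

The admin panel in the earlier entry is ASP (the note says to upload ASP shells), so its backend is likely Access or SQL Server rather than the MySQL that moredetails.php presumably uses; the bypass does not depend on the engine, but the UNION payload has to match the column count and compatible types of the original SELECT, which the attacker works out by trial.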