XMPlay 3.3.0.4 and lower experience a stack-based buffer overflow when loading malformed M3U and PLS files (probably ASX files as well - working on the ASX Exploit as we speak). This merely executes CALC.exe but you could always add your own custom shellcode (alpha2).
A remote SQL injection vulnerability exists in Seditio version 1.10 and earlier. An attacker can exploit this vulnerability by sending a specially crafted HTTP GET request to the vulnerable server. The XVALUE parameter is unique to each user and is used to construct the vulnerable URL. By appending malicious SQL code to the vulnerable URL, an attacker can execute arbitrary SQL commands on the underlying database. For example, an attacker can use this vulnerability to change the password of the first user of Seditio to '123456'.
A remote SQL injection vulnerability exists in LDU <= 8.x, which allows an attacker to change the password of the first user of LDU to 123456. The vulnerability requires the attacker to be logged in to LDU. The XVALUE, which is specific to every user in LDU, comes with the avatarselect link.
PhotoCart 3.9 is vulnerable to a remote file include vulnerability. This vulnerability is due to the 'adminprint.php' script not properly sanitizing user input supplied through the 'admin_folder' and 'path' parameters. This can be exploited to include arbitrary files from remote locations by passing a URL as the parameter value. Successful exploitation requires that 'allow_url_fopen' is enabled.
XMPlay 3.3.0.4 and lower experience a stack-based buffer overflow when loading malformed M3U files (probably PLS and ASX files as well). This merely executes CALC.exe but you could always add your own custom shellcode (alpha2). Either the DisplayName field of the M3U or the FileName field can be used to exploit the system, but during my tests, using the DisplayName field caused Windows DEP to activate.
Plume CMS is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input. A successful exploit of these issues allows the attacker to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.
The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'textFile' parameter to 'gallery_top.inc.php' script. A remote attacker can include and execute arbitrary local files, cause a denial of service or compromise a vulnerable system.
ASP Nuke is an open-source software application for running a community-based web site on a web server. By open-source, we mean the code is freely available for others to read, modify and use in accordance with the software license. ASP Nuke is an extensible framework that allows you to upgrade and add applications to the website quickly and easily. It uses a modular architecture allowing others to rapidly develop new modules and site operators to re-organize the layout and navigation for their site. An attacker can exploit a SQL injection vulnerability in the register.asp page of ASPNuke version 0.80 and earlier to execute arbitrary SQL commands on the underlying database. The vulnerable parameter is the StateCode parameter, which is not properly sanitized before being used in a SQL query. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the register.asp page.
In its default installation, PHP Easy Download doesn't prevent any of the files in the file_info/admin directory from being accessed by a client. The file_info/admin/save.php file takes input passed to the script by $_POST and writes it, unsanitized, to $_POST["filename"].0 in the file_info/admin/descriptions directory.
phpWebThings 1.5.2 core/editor.php does not initialize the $editor_insert_bottom variable before using it to include files. Assuming register_globals = on, we can initialize the variable in a query string and include a remote file of our choice.