The remote web server does not filter special characters or otherwise illegal input, allowing a threat actor to deliver a cross-site scripting payload by sending a malicious URL to an unsuspecting victim; the injected script can be used to steal cookies or redirect the victim to a malicious website.
When printing either as a Guest (when enabled) or as an authenticated user via the CPS URL https://<hostname or ip>/cps, the printing user is able to delete any file on the host system that is not currently in use by the system itself. The field for entering a web page does not properly validate the URI entered, so a user can supply a system file path instead and delete that file from the system.
SmartFTP 9.0 Build 2623 is vulnerable to a denial-of-service attack. By sending a specially crafted payload of 256 'A' characters, an attacker can cause the application to crash. This can be done by running a Python script to generate a text file containing the payload, then copying the contents of the text file and pasting them into the Host field of the SmartFTP Client application.
Chaining multiple vulnerabilities to trigger deserialization via phar.
Alumni Tracer SMS Notification is vulnerable to SQL Injection and Cross-Site Request Forgery. An attacker can inject malicious SQL queries into the vulnerable parameters and can also add/update admin credentials by exploiting the Cross-Site Request Forgery vulnerability.
A vulnerability exists in Tourism Website Blog which allows an attacker to execute arbitrary code or perform an SQL injection attack. The vulnerability is due to improper input validation in the 'add_city.php' and 'category.php' scripts; an attacker can exploit it by sending a specially crafted HTTP request containing malicious code.
There are multiple issues in the implementation of the McAfee.TrueKey.Service which can result in privilege escalation through executing arbitrary processes or deleting files and directories. I learned that the main True Key service had a pre-existing vulnerability from the Exodus Intelligence blog post (https://blog.exodusintel.com/2018/09/10/truekey-the-not-so-uncommon-story-of-a-failed-patch/), which discussed a DLL planting attack that had been patched once (CVE-2018-6661), but unsuccessfully. So I decided to look into the service itself, and especially the SecureExecute command. There are multiple issues here, which I'm not sure you'll address. I'm only going to provide a PoC for one of them (perhaps the most serious), but you should consider fixing all of them.

Starting with the most serious and working back:

1. The target file to execute in SecureExecuteCommand::Execute is checked to have the same Authenticode certificate as the calling service binary. This should ensure that only executables signed by McAfee would validate. However, you don't actually verify that the signature is valid; you only call McAfee.YAP.Security.SecurityCertificate.WinTrust::CheckCertificates, which gets the certificate from the binary using X509Certificate.CreateFromSignedFile. The CreateFromSignedFile method DOES NOT verify that the signature is correct; it only extracts the X509Certificate from the security data directory. What this means is that you can take the security data directory from a valid signed file, apply it to an arbitrary file, and it will pass the verification checks. This allows you to execute any binary you like. There is a VerifyEmbeddedSignature method, but you don't actually call it. This is what I've sent as a PoC.

2. There are multiple Time-of-Check Time-of-Use (TOCTOU) issues in the SecureExecuteCommand::Execute method.

3. The SecureExecuteCommand::Delete method allows you to delete any file or directory you like.
When the mmap() syscall is invoked on a POSIX shared memory segment (DTYPE_PSXSHM), pshm_mmap() maps the shared memory segment's pages into the address space of the calling process. The code that does this sets the initial protection flags of the new memory object to the requested protection flags, checked against the mode of the open file to ensure that a read-only file descriptor can only be used to create a read-only mapping. However, the maximum protection is always set to VM_PROT_DEFAULT, which is defined as VM_PROT_ALL.
Adiscon LogAnalyzer before 4.1.7 is affected by Cross-Site Scripting (XSS) in the 'referer' parameter of the login.php file.
This application has an upload feature that allows an authenticated user with an administrator role to upload arbitrary files to the main website directory. An attacker can upload a .zip file containing a malicious .php file, which can then be executed remotely.