Invision Power Board (IPB) is a professional forum system built from the ground up with speed and security in mind, taking advantage of object-oriented code, highly optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help keep a board running smoothly; moderators get a full range of built-in tools and a moderator control panel, and members can subscribe to topics, send private messages, and perform a host of other actions through the user control panel. It is used by millions of people around the world. Three problems are covered by this entry. The first: tampering with the offset parameter handled by 'sources/Memberlist.php' triggers an SQL error. The second: the same issue is present in 'sources/Online.php'. The third: an attacker can easily learn the full physical path of the web server, via the 'Change Personal Photo' option in the user control panel.
Invision Power Top Site List is prone to an SQL injection vulnerability in its 'comment' feature. The issue is readily exploitable because the injected value lands directly inside a WHERE clause. An attacker can execute arbitrary queries, such as pulling the admin password hash, and possibly take administrative control of an affected Invision Power Top Site List. An example URL exploiting this vulnerability: index.php?act=comments&id=[Evil_Query].
It may be possible for an attacker to influence SQL queries by passing unexpected data to certain variables, including 'id' and 'key'. Even if the attacker does not succeed in influencing a query, they can cause the returned error message to execute script in an unsuspecting user's browser, a cross-site scripting attack. The SQL error messages also reveal a great deal of information about the server.
SQL injection is possible by passing unexpected data to the 'sortby' variable in the 'members_list' module; user input to 'sortby' is not properly sanitized. This may allow an attacker to manipulate queries and to view the full physical path of the PostNuke installation. XSS is possible via the download module by injecting HTML or script into the 'ttitle' variable when viewing the details of an item for download.
When registering an account, a malicious user can set themselves to any user level they desire: the user level is determined by a hidden form field named 'accesslevel'. A user who sets themselves to the 'Super Admin' level [4] can take over essentially the entire portal. They can also view other users' passwords in plaintext via the 'User Admin' feature by viewing the HTML source. By changing the 'user_id' field when editing their profile, a malicious user can reset passwords for arbitrary accounts, edit their user information, and so on. XSS is possible on any page of an ASP APP Portal by appending the variable 'msg' with a value of any script the attacker would like run. There are a number of places to inject code and have it run by a user or an admin. These include, but are not limited to, forums.asp: when posting a new message, script can be injected into the Title and message form fields.
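The two account-handling flaws in the entry above (a hidden 'accesslevel' field deciding the user level, and a client-supplied 'user_id' deciding whose profile is edited) share one root cause: the server trusts a value that only the client controls. The following is an added example, not code from ASP APP Portal; the user store, the member level 1 and the handler names are constructed for illustration, and only level 4 ('Super Admin') is taken from the advisory. It shows each vulnerable handler beside a hardened one that takes privilege and identity from the server side.

```python
from dataclasses import dataclass, field

# Access levels are hypothetical except for 4, the 'Super Admin' level the
# advisory names; the whole user store is a constructed stand-in for the
# portal's database.
LEVEL_MEMBER = 1
LEVEL_SUPER_ADMIN = 4


@dataclass
class User:
    user_id: int
    username: str
    password: str        # plaintext only to mirror the flaw described above
    accesslevel: int


@dataclass
class Portal:
    users: dict = field(default_factory=dict)
    next_id: int = 1

    def add_user(self, username, password, accesslevel):
        uid = self.next_id
        self.next_id += 1
        self.users[uid] = User(uid, username, password, accesslevel)
        return uid

    # --- vulnerable handlers: the server believes whatever the form says ---
    def register_vulnerable(self, form):
        # 'accesslevel' comes from a hidden <input>; anyone can edit it before
        # submitting, so a self-registered user can become level 4.
        return self.add_user(form["username"], form["password"],
                             int(form["accesslevel"]))

    def edit_profile_vulnerable(self, session_user_id, form):
        # The row to update is chosen by a client-supplied 'user_id', not by
        # who is logged in, so any account's password can be reset.
        target = self.users[int(form["user_id"])]
        target.password = form["password"]
        return target.user_id

    # --- hardened handlers: privilege and identity are server decisions ----
    def register_safe(self, form):
        # Ignore any 'accesslevel' the client sends; new accounts are members.
        return self.add_user(form["username"], form["password"], LEVEL_MEMBER)

    def edit_profile_safe(self, session_user_id, form):
        # Authorise against the authenticated session only; a 'user_id' field
        # in the form is simply not consulted.
        target = self.users[session_user_id]
        target.password = form["password"]
        return target.user_id


def demo():
    portal = Portal()
    admin_id = portal.add_user("admin", "correct-horse", LEVEL_SUPER_ADMIN)
    # Constructed tampered registration form: hidden field rewritten to 4.
    tampered = {"username": "mallory", "password": "x", "accesslevel": "4"}
    mallory = portal.register_vulnerable(tampered)
    print("vulnerable registration level:", portal.users[mallory].accesslevel)
    mallory_safe = portal.register_safe(tampered)
    print("hardened registration level:", portal.users[mallory_safe].accesslevel)
    # Constructed profile-edit form pointing at the admin's row.
    takeover = {"user_id": str(admin_id), "password": "owned"}
    portal.edit_profile_vulnerable(mallory_safe, takeover)
    print("admin password after vulnerable edit:", portal.users[admin_id].password)
    portal.edit_profile_safe(mallory_safe, {"user_id": str(admin_id), "password": "mine"})
    print("admin password after hardened edit:", portal.users[admin_id].password)


if __name__ == "__main__":
    demo()
```

The hardened handlers never read the two sensitive fields at all; that is the whole fix. Hidden inputs, cookies and URL parameters are all equally editable by the client, so anything that decides authorisation has to be derived from the authenticated session on the server.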
Autorank PHP is vulnerable to SQL injection. The vulnerabilities can be exploited by injecting SQL into the user and password fields when editing an account, the email field when requesting a lost password, and the username field when registering an account. If an attacker logs in with '-- as both the username and the password, they are automatically given access to the first account cataloged in the database, and can then view that user's password in plaintext in the HTML source. This also leaves the database used by Autorank PHP open to attack. The affected file is accounts.php.
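The injection entries above (the Invision Power Top Site List 'comments' id, the unnamed 'id'/'key' variables with leaking error messages, PostNuke's 'sortby', and the Autorank PHP login) are all the same defect: request data spliced into SQL text. Below is an added example, not code from any of those products, that reproduces the pattern against a constructed SQLite in-memory database (table and column names are assumptions) and sets each vulnerable function beside its parameterised replacement. The login bypass uses a comment sequence in the same spirit as the '-- payload above; the exact payload and the "first account" result shown here are properties of this constructed example, not of Autorank PHP.

```python
import sqlite3


# Constructed in-memory schema standing in for a topsite/portal database; the
# table and column names are assumptions, not any real product's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO accounts (username, password, is_admin) "
                     "VALUES (?, ?, ?)",
                     [("admin", "s3cr3t-hash", 1), ("alice", "wonderland", 0)])
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, "
                 "site_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO comments (site_id, body) VALUES (?, ?)",
                     [(1, "great site"), (2, "meh")])
    return conn


# --- vulnerable: request data is spliced straight into the SQL text ----------
def login_vulnerable(conn, username, password):
    sql = ("SELECT id, username, is_admin FROM accounts "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def comments_vulnerable(conn, id_param):
    # Mirrors index.php?act=comments&id=[Evil_Query]: the id lands inside
    # the WHERE clause unquoted, so a UNION can pull rows from other tables.
    sql = f"SELECT body FROM comments WHERE site_id = {id_param}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def sql_error_text(conn, username, password):
    """The string an application leaks when it echoes the database error."""
    try:
        login_vulnerable(conn, username, password)
    except sqlite3.Error as exc:
        return str(exc)
    return None


# --- hardened: bind parameters and enforce types before the query ------------
def login_safe(conn, username, password):
    sql = ("SELECT id, username, is_admin FROM accounts "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchone()


def comments_safe(conn, id_param):
    try:
        site_id = int(id_param)       # a numeric parameter must be numeric
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT body FROM comments WHERE site_id = ?",
                        (site_id,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' OR 1=1--", "anything"))   # first account: admin
    print(login_vulnerable(db, "alice'--", "wrong"))        # targeted bypass
    print(login_safe(db, "' OR 1=1--", "anything"))         # None
    print(comments_vulnerable(db, "1 UNION SELECT password FROM accounts"))
    print(comments_safe(db, "1 UNION SELECT password FROM accounts"))
    print(sql_error_text(db, "'", "x"))                     # leaked error text
```

Two points the advisories make are visible here. With `-- ` the rest of the WHERE clause is commented out, so the password check disappears and the query returns whichever row the database happens to list first. And a single stray quote is enough to produce a database error; if that error text is written into the page, it discloses query structure (and, for the PHP products above, frequently the script's filesystem path). Parameter binding fixes the injection; the error leak is fixed separately by logging the exception server-side and returning a generic message.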
The login credentials for the database used by Aardvark Topsites can be viewed in plaintext by anyone with access to the admin panel. By default, phpinfo() output for the server hosting an Aardvark Topsites installation can be viewed in the sources directory [ /sources/info.php ]. There are multiple ways to disclose the full server path on an Aardvark Topsites installation. Tampering with SQL queries is possible via the 'method' variable in display.php.
DUportal Pro is a professional web portal and online community. It contains numerous advanced features such as web-based administration, Articles, Banner Ads, Event Calendar, Classified Ads, Web link directory, Downloads, Entertainment, Message Board, Picture Gallery, News, E-Commerce, Members Directory, Polls and Business Directory, and more, all available for download. All modules are customizable via the web-based admin panel, together with size, skins and themes. DU Software products have been written with an extremely minimal understanding of and/or concern for security, neglecting very important aspects of web security such as, but not limited to, unique session IDs and input validation. The software relies heavily on hidden form fields, client-side input validation, and security through obscurity. Consequences of this weak or nonexistent security include script execution, arbitrary file upload, account hijacking, database exposure, query tampering, code injection and server compromise. A remote file upload vulnerability allows an attacker to upload any file they wish, which can lead to script execution on the host machine and compromise of the host. Script execution in DU Software products can take place in a number of ways, including via the file upload vulnerability just mentioned.
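The entry above says arbitrary file upload turns into script execution on the host; that happens when the server stores whatever name and content the client sends under the web root. The following is an added example, not DU Software code, of the checks an upload handler needs: a suffix allow-list, a content check against the type the suffix claims, a size limit, and a server-generated file name so the client's name (directory components, double extensions, script suffixes) never reaches the filesystem. The allowed types, size limit and function names are choices made for this example.

```python
import os
import secrets
from pathlib import PurePosixPath

# Constructed policy for the example: a few image types only, stored under a
# directory the web server never executes scripts from.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024

# Magic-number prefixes for the allowed types; the suffix alone is chosen by
# the attacker, so the bytes must agree with it.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename, data):
    """Return a server-chosen storage name for the upload, or raise UploadRejected.

    client_filename is treated as untrusted text: it may contain '../', a
    Windows-style path, a second extension ('shell.asp.jpg') or a script
    suffix outright. Only its final suffix is examined, and it is never used
    as the path on disk.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("too large")
    ext = PurePosixPath(client_filename.replace("\\", "/")).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    # Discard the client's name entirely; an unguessable server-side name also
    # stops an attacker from predicting where the file will land.
    return secrets.token_hex(16) + ext


def store_upload(client_filename, data, upload_dir):
    """Validate and write the upload; returns the path actually written."""
    name = validate_upload(client_filename, data)
    dest = os.path.join(upload_dir, name)
    # O_EXCL: never overwrite an existing file, even on a random-name collision.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return dest


def accepted(client_filename, data):
    """True if the upload would pass validation, False otherwise."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    import tempfile
    png = MAGIC[".png"] + b"\x00" * 16          # constructed minimal PNG header
    for name, blob in [("avatar.png", png),
                       ("../../shell.asp.png", png),
                       ("shell.asp", b"<% Response.Write(1) %>"),
                       ("avatar.png", b"<?php phpinfo(); ?>")]:
        print(f"{name!r:28} accepted={accepted(name, blob)}")
    with tempfile.TemporaryDirectory() as tmp:
        print("stored as", store_upload("..\\..\\avatar.png", png, tmp))
```

The validation is deliberately independent of the HTTP layer so it can be unit-tested. Note that the upload directory still has to be configured so the web server serves it as static content only; name and type checks reduce the attack surface, but execution of uploaded files is ultimately prevented by the server configuration.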
This exploit is a proof-of-concept for a buffer overflow vulnerability in the MQX RTCS code. It uses a default, valid DHCP packet to overwrite an event function pointer, allowing code execution.
This tool exploits a buffer underflow in glibc realpath() and was tested against the latest releases from Debian, Ubuntu and Mint. It is intended as a demonstration of ASLR-aware exploitation techniques. It uses relative binary offsets, which may differ between Linux distributions and builds.