When registering an account, a malicious user can set themselves to any user level they desire. The user level is determined by a hidden form field named 'accesslevel'. If a user sets themselves to the 'Super Admin' level [4], they can take over essentially the entire portal. They can also view other users' passwords in plaintext via the 'User Admin' feature by viewing the HTML source. By changing the 'user_id' field when editing their profile, a malicious user can reset passwords for arbitrary accounts, edit their user information, and so on. XSS is possible on any page of an ASP APP Portal by appending the variable 'msg' with any script as its value, which is then run by the browser. There are a number of places to inject code and have it run by a user or an admin. These include, but are not limited to, the following: injection vulnerabilities exist in forums.asp, where script can be injected into the Title and message form fields when posting a new message.
Autorank PHP is vulnerable to SQL injection attacks. The vulnerabilities can be exploited by injecting SQL into the user and password fields when editing an account, the email field when requesting a lost password, and the username field when registering an account. If a malicious attacker logs in with the username and password '-- they will automatically be given access to the first account cataloged in the database. They can then view the HTML source code to read that user's password in plaintext. This also leaves the database used by Autorank PHP open to attack. The affected file is accounts.php.
The login credentials for the database used by Aardvark Topsites can be viewed in plaintext by anyone who has access to the admin panel. By default, phpinfo() output for the server hosting an Aardvark Topsites installation can be viewed in the sources directory [ /sources/info.php ]. There are multiple ways to disclose the full server path on an Aardvark Topsites installation. Tampering with SQL queries is possible via the 'method' variable in display.php.
DUportal Pro is a professional Web portal and online community. It contains numerous advanced features such as Web-based administration, Articles, Banner Ads, Event Calendar, Classified Ads, Web link directory, Downloads, Entertainment, Message Board, Picture Gallery, News, E-Commerce, Members Directory, Polls and Business Directory, and more, which can be downloaded online. All modules are customizable via the Web-based Admin panel, together with size, skins and themes. DU Software Products have been built with an extremely minimal understanding of, and/or concern for, security, including very important aspects of web security such as, but not limited to, unique session IDs and input validation. Their software relies HEAVILY on hidden tags, client-side input validation, and security through obscurity. Examples of the consequences of this weakly implemented or nonexistent security are script execution, arbitrary file upload, account hijacking, database exposure, query tampering, code injection and server compromise. The remote file upload vulnerability allows an attacker to upload any file they wish, which can allow for script execution on the host machine as well as host compromise. Script execution in DU Software Products can take place in a number of ways, including the previously mentioned file upload vulnerability.
This exploit is a proof-of-concept for a buffer overflow vulnerability in the MQX RTCS code. It uses a default valid DHCP packet to overwrite an event function pointer, allowing for code execution.
This tool exploits a buffer underflow in glibc realpath() and was tested against the latest releases from Debian, Ubuntu and Mint. It is intended as a demonstration of ASLR-aware exploitation techniques. It uses relative binary offsets, which may differ between Linux distributions and builds.
The vulnerability occurs when stack-allocated variables are copied to the heap. This can lead to type confusion, as the two variables share the same buffer. An attacker can exploit this vulnerability by converting the type of one of the variables, which will then be reflected in the other variable.
AsmJSByteCodeGenerator::EmitCall, which is used to emit call instructions, doesn't check whether an array identifier is used as the callee. The method handles those invalid calls in the same way it handles valid calls such as 'arr[idx & ...]()'. In these cases, the index register remains NoRegister, which is (uint32_t)-1. This results in an out-of-bounds (OOB) read.
The PoC is triggerable when the 'DeferParse' flag is enabled and requires a with statement. It can be triggered by using '\n'.repeat(0x1000) or by using the command ./ch poc.js -ForceDeferParse.
Chakra fails to distinguish whether the function is referenced in the param scope and ends up emitting an invalid opcode.