
Explore Vulnerabilities

Explore all Exploits:

Windows DC Cache Vulnerability

Windows maintains a DC cache in win32kbase!gpDispInfo->pdceFirst. If you create multiple windows from a shared class while switching between CS_OWNDC and CS_CLASSDC, you can cause cache list entries to retain references to freed WND structures. It may take a while to crash, though: something has to cause the list to be traversed (e.g. a new window opening) after the freed memory has been reused. It can also crash in some very strange places.

Snitz Forums 2000 Multiple Vulnerabilities

The Snitz search feature is vulnerable to XSS, which can aid an attacker in stealing cookies and thus compromising the account. In order to steal another user's identity, all an attacker needs to know is their encrypted password. This is not very hard to obtain using the XSS described above, or other methods. Once an attacker has this information, all they have to do is log in to their normal account to get a valid session id, close the browser, replace their username and encrypted password with those of the victim, and return to the site, where they will be recognized as the victim. This is the most serious of the vulns, as it requires no real effort and leaves the entire Snitz forum open to attack. All an attacker has to do is request a forgotten password, save the password reset page offline, edit the member id to the desired member id, and submit the form. The member's password will then be reset to one of the attacker's choosing.

Max Web Portal Multiple Vulnerabilities

Max Web Portal is vulnerable to Cross-Site Scripting (XSS) attacks and Hidden Form Field Weakness. An attacker can exploit the XSS vulnerability by entering malicious code into the search utility. The Hidden Form Field Weakness can be exploited by adding certain fields to the form which can be used to deface the website or send private messages to all members of the website.

MegaBrowser Multiple Vulnerabilities

MegaBrowser HTTP server is vulnerable to a directory traversal vulnerability which allows access to any file on the system as well as directory viewing of the root web directory. While not as serious as the previously mentioned vuln, this still poses a threat as it may allow an attacker to harvest a list of valid FTP usernames on the system.

WinMX Design Error

WinMX 2.6 is an older version of the popular file sharing client WinMX. While the current version is 3.31, 2.6 still remains quite popular, especially amongst users on private networks. The problem with WinMX 2.6 is that it provides practically no password protection. This can be exploited both locally and remotely. Locally, one can edit a particular server, and upon doing so the username and password are presented in plaintext; the other way is to open the nservers.dat file in the WinMX directory. Remotely, the passwords are encrypted by servers such as SlavaNap, but they are passed to the server in plaintext, so any malicious server owner with a packet sniffer can exploit this vuln.

phpLinks Multiple Vulnerabilities

phpLinks is prone to HTML injection due to a vulnerability in the search feature. Search queries are not sufficiently sanitized of HTML and script code. These search queries may potentially be displayed to other users when the most popular searches are viewed. If an attacker includes malicious HTML or script code in these queries, it is possible that the attacker-supplied code may be rendered in the web client software of other users. phpLinks also does not sufficiently sanitize HTML and script code supplied via form fields before displaying this data to administrative users. This issue exists in the 'add.php' script, which is used to add sites to the phpLinks system. As a result, an attacker may cause malicious HTML and script code to be executed in the web client of an administrative user who reviews attacker-supplied data submitted when a site is added.

PHP Topsites Multiple Vulnerabilities

An HTML injection vulnerability has been discovered in PHP TopSites. The issue occurs due to insufficient sanitization of user-supplied data. By injecting HTML code into the <body> tag of the description page when submitting a website, it may be possible to cause an administrator to edit or delete database entries. This issue will occur when an unsuspecting administrator loads the submitted description. This vulnerability also affects the 'edit.php' script. A further vulnerability has been discovered in PHP TopSites. Due to invalid sanitization of user-supplied input by the 'help.php' script, it may be possible for an attacker to steal another user's cookie information or other sensitive data. This issue can be exploited by constructing a malicious URL containing embedded script code as a 'help.php' parameter. When an unsuspecting user follows the link, sensitive information, such as cookie-based authentication credentials, may be obtained by the attacker. A weakness has also been discovered in PHP TopSites: it has been reported that users' passwords are stored in plaintext and thus are visible to TopSites administrators. This poses a security risk, as TopSites users may reuse the same passwords on other systems. Finally, due to insufficient sanitization of user-supplied data, it may be possible for an attacker to inject arbitrary SQL code into the 'edit.php' script. This issue can be exploited by constructing a malicious URL containing embedded SQL code as an 'edit.php' parameter. When an unsuspecting user follows the link, the SQL code may be executed in the context of the vulnerable script.

WDMyCloud Multiple Vulnerabilities

The application allows users to upload files to the server without any restrictions. An attacker can upload malicious files to the server and execute arbitrary code on the device. The application contains a hard-coded backdoor that allows an attacker to gain unauthorized access to the device. The application is vulnerable to cross-site request forgery attacks, command injection attacks, denial of service attacks, and information disclosure attacks. The application also contains code that has been reused from other applications.

Buffer overflow vulnerability in GetGo Download Manager proxy options 5.3.0.2712

A buffer overflow vulnerability exists in GetGo Download Manager proxy options 5.3.0.2712, where a maliciously crafted response from a proxy can trigger an overflow. The victim must have a proxy selected in order to be vulnerable. The attacker can set the proxy IP of the host running the script and set the port of the proxy on GetGo under proxy settings. When the victim downloads any page or file, the program incorrectly parses the response and passes the request to the malicious host, triggering the overflow.
