There is a use-after-free vulnerability in URLStream.readObject. If the object read is a registered class, the constructor will be invoked to create the object. If the constructor calls URLStream.close, the URLStream will be freed, and the deserialization function will continue to write to it.
This exploit utilizes PHP's internal '%Z' (zval) format specifier to achieve code-execution. It fakes an object-type zval in memory and then bounces through it carefully. It also leaks a pointer to the string itself and edits the global variable with correct pointers before hitting it a second time to get EIP. It is a reliable exploit with a 100% success rate. Credit to Stefan Esser (@i0n1c) for the original idea.
The Ol Bookmarks Manager 0.7.4 (root) is vulnerable to remote SQL injection. An attacker can exploit this vulnerability by injecting malicious SQL queries into the 'id' parameter of the '/read/index.php' script. This allows the attacker to retrieve sensitive information from the database, such as passwords and login credentials.
This module exploits a directory traversal vulnerability in ATutor on an Apache/PHP setup with display_errors set to On, which allows a malicious ZIP file to be uploaded. The web application performs a blacklist check before extraction, but it is not sufficient to prevent exploitation. Reaching the vulnerability requires logging in to the target, but a student account is enough and remote registration is enabled by default. In case remote registration is not enabled, this module uses two vulnerabilities to bypass authentication: 1. a confirm.php authentication bypass (type juggling) vulnerability, and 2. a password_reminder.php remote password reset TOCTOU vulnerability.
The Cogent Datahub version 7.3.9 and below is vulnerable to an elevation of privilege vulnerability. By placing a specially crafted script file in the appropriate directory, an attacker can execute arbitrary code with elevated privileges. The vulnerability has been assigned the CVE-2016-2288 identifier.
The variables $loggedIn and $activated are not initialized before use. Vulnerable files: login.php, headerLinks.php, submit1.php, myFav.php, userCP.php. PoC: http://victim.com/tutorialcms/userCP.php?loggedIn=1&activated=1. Requires register_globals set to On. Google dork: "Powered By Photoshop Tutorials".
Trend Micro Deep Discovery suffers from multiple CSRF vectors, allowing an authenticated user to modify various settings of the application.
The Olbookmarks 0.7.4 version is vulnerable to multiple Remote File Inclusion (RFI) attacks. An attacker can exploit these vulnerabilities by injecting malicious code via the 'root' parameter in various PHP files.
The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods. However, by racing two threads, one of which closes the userclient (which frees the IOCommandGate) and one of which tries to make an external method call, we can cause a use-after-free of the IOCommandGate.
The attached fuzz case causes a crash in shape rendering.