Explore Vulnerabilities

Explore all Exploits:

?IXForum 1.12 <= "RepId" Remote SQL Injection

A remote SQL injection vulnerability exists in ?IXForum 1.12. An attacker can inject malicious SQL code through the "RepId" parameter of the ?eplyNew.asp page and gain access to the application's admin panel.

Mini-stream RM-MP3 Converter V 3.1.2.2 Local Buffer OverFlow

Mini-stream RM-MP3 Converter V 3.1.2.2 is vulnerable to a local buffer overflow vulnerability. An attacker can exploit this vulnerability by crafting a malicious .m3u file with a specially crafted header and a payload of 17416 bytes of A characters followed by a return address of 7C874413. This will cause the program to execute the payload, which is a shellcode that will open a command prompt.

CSRF Plugin Booking Calendar 4.1.4 - WordPress

A vulnerability exists in the WordPress Booking Calendar plugin version 4.1.4, which allows an attacker to perform Cross-Site Request Forgery (CSRF) attacks. An attacker can add or delete bookings by sending a malicious POST request to the vulnerable application. The POST request contains the action to be performed, such as 'INSERT_INTO_TABLE' or 'DELETE_BY_ID', and the parameters required for the action.

Cross-Site Request Forgery (CSRF) in TestLink: CVE-2012-2275

The application allows authorized users to perform certain actions via HTTP requests without properly verifying the source of those requests. This can be exploited to add, delete or modify sensitive information, for example to change the administrator's email. To exploit this vulnerability, an attacker must get a logged-in administrator to open a malicious link in the browser.

Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation - Remote Code Execution

Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to create an administrator user due to a lack of permissions check in the handler/securityService.rpc endpoint. The following HTTP request can be made by any authenticated user, even those with a single role of Monitor. This request will create an administrator with all roles with a username of notadmin and a password of notpassword. Many vectors of remote code execution are available to an administrator. Not only can an administrator deploy WAR applications, they can also evaluate arbitrary Groovy scripts via the web interface.

Windows OLE RCE Exploit MS14-060 (CVE-2014-4114) - Sandworm

This exploit is based on the OLE Remote Code Execution vulnerability identified as MS14-060 (CVE-2014-4114). It creates a blank PowerPoint show (ppsx) file to exploit the vulnerability. The script will also create the INF file and an optional Meterpreter reverse_tcp executable with the -m switch. Alternatively, you can host your own executable payload. Host the INF and GIF (EXE) in an SMB share called 'share'.

Sky Broadband Router - Weak algorithm used to generate WPA-PSK Key

The SR101 routers supplied by Sky Broadband are vulnerable to an offline dictionary attack if the WPA-PSK handshake is obtained by an attacker. The WPA-PSK pass phrase has the following features: Random, A to Z Uppercase only, 8 characters long, 208,827,064,576 possible combinations (AAAAAAAA to ZZZZZZZZ), 26^8. We notified Sky Broadband about the problem in January 2014 yet Sky Broadband are still supplying customers with routers / modems that use this weak algorithm. We purchased a used rig in December 2013, comprising: Windows 7, I3 Processor, 4GB RAM, 2TB Drive, Radeon HD 5850. We generated 26 dictionary files using "mask processor" by ATOM, piping each letter out to its own file. Using our Radeon HD5850 on standard settings, we were hitting 80,000 keys per second.

Breakdown:
26^8 = 208,827,064,576 (208 billion possible combinations)
26^8 / 80,000 keys per second = 2,610,338 seconds
2,610,338 / 60 seconds = 43,505 minutes
43,505 / 60 minutes = 725 hours
725 hours / 24 hours = 30 Days

Recent Exploits: