This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of REGSRVR files. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process.
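The following is an added example, not code from the advisory above or from Microsoft, showing what "improper restriction of XML External Entity references" looks like in practice: a parser configured to resolve external general entities fetches the SYSTEM URI and splices the file contents into the element that references the entity, while the same parser with entity resolution disabled does not. The `RegisteredServers`/`ServerName` layout is a constructed stand-in for a REGSRVR file, not the real SSMS schema, and the secret string and file names are constructed sample data.

```python
# Added example (not from the SSMS advisory or Microsoft code): XXE via an
# external general entity, with the vulnerable and hardened parser settings
# side by side. The document layout is a constructed stand-in, not the real
# REGSRVR schema.
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

SECRET = "Server=db01;User Id=sa;Password=hunter2"   # constructed sample data


class ServerNameCollector(ContentHandler):
    """Collect the text of every <ServerName> element."""

    def __init__(self):
        super().__init__()
        self.names = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "ServerName":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "ServerName":
            self.names.append("".join(self._buf))
            self._buf = None


def build_payload(target_file: str) -> bytes:
    """Constructed attacker document: an external entity whose SYSTEM id is a
    file:// URI, referenced from element content so its bytes get embedded."""
    uri = pathlib.Path(target_file).resolve().as_uri()
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE RegisteredServers [\n"
        f'  <!ENTITY xxe SYSTEM "{uri}">\n'
        "]>\n"
        "<RegisteredServers>\n"
        "  <Server><ServerName>&xxe;</ServerName></Server>\n"
        "</RegisteredServers>\n"
    ).encode()


def parse_server_names(doc: bytes, resolve_external: bool) -> list:
    """Parse with external general entity resolution on (the vulnerable
    configuration) or off (the hardened one; also the xml.sax default
    since Python 3.7.1)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = ServerNameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return handler.names


def demo() -> tuple:
    """Return (names seen by the vulnerable parser, names seen by the hardened one)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = os.path.join(tmp, "secret.txt")
        with open(secret_file, "w", encoding="utf-8") as f:
            f.write(SECRET)
        doc = build_payload(secret_file)
        leaked = parse_server_names(doc, resolve_external=True)
        safe = parse_server_names(doc, resolve_external=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("entities resolved:", leaked)   # the secret is spliced into <ServerName>
    print("entities disabled:", safe)     # the reference expands to nothing
```

The check a practitioner wants is the second call: with entity resolution off, the `&xxe;` reference expands to nothing rather than to the file, which is the behaviour a hardened XML consumer should exhibit for untrusted documents.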
The vulnerability exists in the Weather for PHP script version 1.0. It allows an attacker to include arbitrary local files by manipulating the 'PageName' parameter of 'index.php'. Appending '%00' to 'PageName' bypasses the file extension check: the value decodes to a NUL byte, which PHP releases before 5.3.4 passed through to the C filesystem functions, where it terminates the path string so that anything the script appends after the supplied name is ignored. The attacker can then include any local file readable by the web server process.
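The following is an added example, not the Weather for PHP code: a Python model of the include pattern described above, with the NUL-byte truncation that PHP releases before 5.3.4 applied to filesystem paths made explicit, beside a hardened allowlist version. The web-root layout, the 'config.ini' file and the "home"/"forecast" page list are assumptions constructed for the demonstration.

```python
# Added example (not the Weather for PHP code): a model of the vulnerable
# include logic beside a hardened version. The explicit NUL split stands in
# for the C-level string truncation of pre-5.3.4 PHP; file names and the
# allowed page list are constructed assumptions.
import os
import tempfile
from urllib.parse import unquote

ALLOWED_PAGES = ("home", "forecast")   # assumed page allowlist


def include_vulnerable(page_name: str, web_root: str) -> str:
    """Vulnerable pattern: decode the parameter, append the expected extension
    so that 'only .php files' can be included, then hand the path to a C API.
    Everything after the first NUL byte, including the appended '.php', is
    silently dropped, so the extension check constrains nothing."""
    requested = unquote(page_name)                 # '%00' decodes to '\x00'
    path = os.path.join(web_root, requested + ".php")
    effective = path.split("\x00", 1)[0]           # model of pre-5.3.4 PHP behaviour
    with open(effective, encoding="utf-8") as f:
        return f.read()


def include_hardened(page_name: str, web_root: str) -> str:
    """Hardened version: reject NUL bytes outright, accept only allowlisted page
    names, and confirm the resolved path still lies under the web root."""
    requested = unquote(page_name)
    if "\x00" in requested or requested not in ALLOWED_PAGES:
        raise ValueError(f"rejected page name {requested!r}")
    root = os.path.realpath(web_root)
    path = os.path.realpath(os.path.join(root, requested + ".php"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes web root")
    with open(path, encoding="utf-8") as f:
        return f.read()


def demo() -> tuple:
    """Build a throwaway web root with one page and one sensitive file outside
    it, then run a traversal-plus-NUL payload through both implementations.
    Returns (text leaked by the vulnerable include, whether the hardened one
    refused the payload, what the hardened one returns for a legitimate page)."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "htdocs")
        os.mkdir(web_root)
        with open(os.path.join(web_root, "home.php"), "w", encoding="utf-8") as f:
            f.write("<?php echo 'home'; ?>")
        with open(os.path.join(tmp, "config.ini"), "w", encoding="utf-8") as f:
            f.write("db_password=hunter2")       # constructed sensitive file
        payload = "../config.ini%00"             # as it would arrive in ?PageName=
        leaked = include_vulnerable(payload, web_root)
        try:
            include_hardened(payload, web_root)
            refused = False
        except ValueError:
            refused = True
        legit = include_hardened("home", web_root)
    return leaked, refused, legit


if __name__ == "__main__":
    leaked, refused, legit = demo()
    print("vulnerable include returned:", leaked)
    print("hardened include refused payload:", refused)
    print("hardened include of 'home':", legit)
```

The hardened version does three independent things on purpose: the NUL check closes the truncation trick, the allowlist removes the need to reason about traversal sequences at all, and the realpath comparison is a backstop in case the allowlist is later loosened.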
This module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable. ifwatchd allows users to specify scripts to execute using the '-A' command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root. This module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).
This vulnerability allows an attacker to execute arbitrary code by abusing the error handler in Ghostscript. By causing an executeonly procedure to stop, the attacker can expose the faulting operator to the error handler. errordict is ignored under the -dSAFER sandbox, but filling the stack with junk can still make the invocation of the error handler itself stop. This leaves the operand stack in an inconsistent state, which the attacker can leverage to execute arbitrary code.
The switch statement in the code only handles Js::TypeIds_Array, not Js::TypeIds_NativeIntArray or Js::TypeIds_NativeFloatArray. As a result, a native float array can be treated as ObjectType::Object in cases where the condition "objValueType.IsLikelyArrayOrObjectWithArray()" does not hold. Treating a native array as a definite object leads to type confusion.
The file "scripts/sb_communicate.php" in Simple PHP Blog (sphpblog) version <= 0.5.1 contains code that allows an attacker to spoof their IP address.
Seqrite End Point Security v7.4 installs with weak folder permissions, granting any user full control of the program directory. In addition, the product installs services that run as 'LocalSystem' without the 'Self Protection' feature enabled, allowing a non-privileged user who can write to that directory to elevate privileges to 'NT AUTHORITY\SYSTEM'.
This exploit takes advantage of a buffer overflow vulnerability in Free MP3 CD Ripper version 2.8. By loading a specially crafted '.wma' file into the program, an attacker can execute arbitrary code with the privileges of the user running it. The exploit overwrites a Structured Exception Handler (SEH) record and bypasses Data Execution Prevention (DEP). On successful exploitation, the Windows calculator is launched on the victim's machine as the proof-of-concept payload.
This module uses Net-NTLMv2 reflection between DCOM and RPC to obtain a handle to a SYSTEM token for elevation of privilege. The module does not currently spawn a session as SYSTEM; once a shell is obtained, however, incognito can be used to impersonate the token.
This module exploits insufficient sanitization in the database::protect method, of Navigate CMS versions 2.8 and prior, to bypass authentication. The module then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations. Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely. This module was tested against Navigate CMS 2.8.