[oss-security] Linux kernel floppy ioctl kernel code execution
Hi, As this was posted to linux-distros, and was supposed to be made public earlier this week, but so far wasn't published on oss-sec ... Reported by Matthew Daley to [email protected]. There apparently exists a proof of concept root exploit, that allows local users with access to a floppy devi...
POSH /portal/addtoapplication.php rssurl Parameter SQL Injection
SQL injection vulnerability in portal/addtoapplication.php in POSH aka Posh portal or Portaneo 3.0 before 3.3.0 allows remote attackers to execute arbitrary SQL commands via the rssurl parameter. Vulnerability Type: SQL Injection For the exploit source code contact DSquare Security sales team...
Sixnet Sixview 2.4.1 - Web Console Directory Traversal
Exploit for hardware platform in category web applications Exploit Title: Sixnet sixview web console directory traversal Date: 2014-04-21 Exploit Author: daniel svartman Vendor Homepage: www.sixnet.com Software Link: Not available, hardware piece - appliance Version: 2.4.1 Tested on: Sixnet Sixvi...
Fanwe O2O City Life Service Platform Backdoor Arbitrary File Upload Vulnerability (getshell on the official demo site)
Brief description: There don't seem to be many users, but almost all installations contain this backdoor file. Details: Backdoor file path /esfile.php. Official product page: http://www.fanwe.com/o2o. Front-end demo site: http://o2o.fanwe.net/ Member account: fanwe Password: fanwe http://o2o.fanwe.net/index.php?ctl=uccenter Upload an image webshell on the sharing page, press F12 and remove the size attributes to obtain the image webshell URL http://o2o.fanwe.net/public/comment/201404/17/10/1acafed8eeffa043489a4321b877e36690.jpg Getshell...
CVE-2014-0356
The CVE-2014-0356 issue affects ZyXEL Wireless N300 NetUSB NBG-419N routers (firmware 1.00(BFQ.6)C0). The vulnerability arises from command injection via shell metacharacters in input to management.c functions (detectWeather, set_language, SystemCommand, NTPSyncWithHost) and via udps commands (SE...
lxml Filter Bypass
Hi, all. I've accidentally found a vulnerability in the clean_html function of the lxml Python library. A user can break the schema of a URL with non-printable chars \x01-\x08. It seems like all versions including the latest 3.3.4 are vulnerable. Here is the PoC. from lxml.html.clean import clean_html html = '''\ aaa bbb bbb b...
csChat-R-Box Script Site Cross-Site Scripting Vulnerability
Exploit for cgi platform in category web applications Exploit Title: "csChat-R-Box Script Site" Cross-Site Scripting XSS Google Dork: csChatRBox.cgi Date: 4/10/2014 Exploit Author: Satanic2000 Vendor Homepage: http://www.cgiscript.net Software Link:...
QuickCms 5.4 - Multiple Vulnerabilities
Exploit for php platform in category web applications Exploit Title: QuickCms 5.4 Multiple Vulnerabilities Date: 04/08/2014 Author: shpendk Software Link: http://opensolution.org/download,en,18.html?sFile=Quick.Cms/Quick.Cmsv5.4.zip Version: 5.4 Tested on: Xampp on Windows Reflected XSS...
CVE-2014-2668
| creationtimestamp | type | source |
|---|---|---|
| 2014-03-26 00:00:00+00:00 | confirmed | https://www.exploit-db.com/exploits/32519... |
osCmax Cross-Site Request Forgery Vulnerability
Bugtraq ID: 66272 osCmax is a free open-source PHP e-commerce store. osCmax contains a cross-site request forgery vulnerability that allows remote attackers to construct a malicious URI and lure a user into loading it, performing malicious actions in the context of the target user, such as adding an administrator account. Affected: osCmax 2.5.X No detailed solution is currently available: http://www.oscmax.com/ html form method="post" name="newmember" action="http://127.0.0.1/catalog/admin/adminmembers.php?action=membernewpage=1mID=1" input...
Quantum vmPRO Backdoor Command
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'net/ssh' class Metasploit3 "Quantum vmPRO Backdoor Command", 'Description' => %q This module abuses a backdoor command in vmPRO 3.1.2. Any user,...
QNX 6.x phgrafx File Enumeration
QNX 6.x phgrafx file enumeration vulnerability by cenobyte 2013 - vulnerability description: QNX setuid root /usr/photon/bin/phgrafx allows any non-root user to enumerate files and directories due to opendir messages. - vulnerable platforms: QNX 6.5.0SP1 QNX 6.5.0 QNX 6.4.1 QNX 6.3.0 QNX 6.2.0 -...
Joomla 3.2.1 /index.php SQL Injection Vulnerability
No description provided by source...
Dahan xxgk (Government Information Disclosure) System Privilege Bypass + getshell
Brief description: getshell on the Government Information Disclosure system. The way of obtaining a shell is different from the one posted a couple of days ago. Details: The privilege bypass occurs in setup/oprsetting.jsp; the shell is obtained through the JSP that uploads the license file, setup/oprlicenceinfo.jsp. Proof of vulnerability: At this point the setup login password has already been cleared. (This is risky; please do not try it casually and do not repeat my mistake...) Clearing the password when submitting the data allows a successful login. img src="https://images.seebug.org/upload/201403/032350491567f745ccbf670be2346bb5147a9878.png"...
SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
This module exploits a remote arbitrary file write vulnerability in SolidWorks Workgroup PDM 2014 SP2 and prior. For targets running Windows Vista or newer the payload is written to the startup folder for all users and executed upon next user logon. For targets before Windows Vista code execution...
Chengshi Wuqu (CSCMS) SQL Injection, Still Unaffected by GPC
Brief description: Chengshi CMS V3.5 official release, updated 2014-02-18, 13145 downloads; so the downloaded copy should be the latest, right? No login required; unaffected by GPC. Details: In app/controllers/zj.php: public function so $data='';$datacontent=''; $fid = $this-security-xssclean$this-uri-segment3; //mode $key = $this-security-xssclean$this-uri-segment4; //keyword $page =...
IBM BPMS 8.0.0.1 Privilege Escalation / Disclosure
IBM BPMS version 8.0.0.1 suffers from account reconfiguration, privilege escalation, and information disclosure vulnerabilities. Exploit Title: IBM BPMS BPM User account reconfiguration/Privilege Escalation/Information Disclosure Date: 31.01.14 Exploit Author: 0in Software link:...
ThinkSAAS Logic Vulnerability Can Lead to Database Dumping
Brief description: A logic vulnerability in ThinkSAAS makes it possible to back up the site's database in real time and also to obtain the backup database file name. Downloading the real-time backup dumps the database. The vulnerability affects all versions. Details: The thinksaas system uses the constant INTS to control page access, and each functional module restricts access with a single line of code: defined('INTS') or die('Access Denied.'); The problem with this design is that a single file include bypasses all of them, allowing unauthorized access to execute any functional module. Look at the code in /app/user/action/plugin.php: fetchallassoc"SHOW TABLES"; foreach$arrTables as $key=$it...
D-Link DIR-615 vE4 Firmware 5.10 - Cross-Site Request Forgery
D-Link DIR-615 vE4 Firmware 5.10 - Cross-Site Request Forgery Exploit Title: Dlink DIR-615 Hardware Version E4 Firmware Version 5.10 CSRF Vulnerability Google Dork: N/A Date: 19/02/2014 Exploit Author: Dhruv Shah Vendor Homepage:...
D-link router CSRF exploit detailed explanation-vulnerability warning-the black bar safety net
1. Introduction. The purpose of this article is to demonstrate a CSRF vulnerability, taking the D-Link DIR-600 router (hardware version BX, firmware version 2.16) as an example. The D-Link CSRF vulnerability has already been disclosed; this article describes in detail the entire D-Link CSRF...