9574 matches found

Talos
added 2017/02/27 12:0 a.m., 42 views

Iceni Argus PDF Uninitialized WordStyle Color Length Code Execution Vulnerability

Summary: An exploitable uninitialized variable vulnerability which leads to a stack-based buffer overflow exists in Iceni Argus. When it attempts to convert a malformed PDF to XML a stack variable will be left uninitialized which will later be used to fetch a length that is used in a copy operatio...

CVSS 9.3, AI score 8.1, EPSS 0.00333
Exploits: 2
seebug.org
added 2017/02/23 12:0 a.m., 28 views

Axessh 4.2 - Denial Of Service

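Axessh is an SSH tool for Windows. When in use it opens SSH port 22 and starts the wsshed.exe service. When wsshed.exe receives a string, it calls BIGNUM-related functions to process it, but the BIGNUM structure is never given an initial value, which results in a null pointer dereference and a denial-of-service vulnerability. The vulnerability is analyzed in detail below. One point worth noting here: the PoC given by Exploit-db can trigger the vulnerability, but in fact simply connecting to port 22 triggers it, even if only one byte of content is sent. Attach to wsshed.exe, run the PoC, and a break occurs; the location where the vulnerability is triggered is captured here. 0:000 g f74.a68: Access violation - code c00000...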

AI score 6.9
Exploits: 0
CNVD
added 2017/02/21 12:0 a.m., 1 views

Variable Override Vulnerability in DuomiCms_V1.32

DuomiCms is a specialized video-on-demand system. A variable override vulnerability exists in the common.php page of DuomiCms version 1.32. An attacker can exploit the vulnerability to cause arbitrary login in the background...

AI score 7
Exploits: 0
Fedora
added 2017/02/18 6:21 p.m., 10 views

[SECURITY] Fedora 25 Update: sshrc-0.6.1-1.fc25

You can use this to set environment variables, define functions, and run post-login commands. This is quite useful when you have several servers that you don't want to configure independently...

AI score 3.9
Exploits: 0
exploitpack
added 2017/02/14 12:0 a.m., 24 views

ntfs-3g - Unsanitized modprobe Environment Privilege Escalation

ntfs-3g - Unsanitized modprobe Environment Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072 ntfs-3g is installed by default e.g. on Ubuntu and comes with a setuid root program /bin/ntfs-3g. When this program is invoked on a system whose kernel does not...

AI score 0.3
Exploits: 0
0day.today
added 2017/02/09 12:0 a.m., 31 views

Posnic 1.03 Unauthorized Password Recovery Vulnerability

Exploit for php platform in category web applications ------------------------------------------------------------------------- + Posnic 1.03 forgetpass.php Unauthorized Password Recovery ------------------------------------------------------------------------ Discovered by Juri Gianni -...

AI score 7.1
Exploits: 0
Broadcom
added 2017/02/07 12:0 a.m., 7 views

BSA-2017-115

Security Advisory ID: BSA-2017-115. Component: Apache HTTPD. Revision: 2.0: Final. The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow...

CVSS 8.1, AI score 8.6, EPSS 0.43937
Exploits: 0
myhack58
added 2017/01/27 12:0 a.m., 28 views

PHP study notes and security vulnerabilities-vulnerability warning-the black bar safety net

System variables: $_POST // gets the POST data, as a dictionary; $_GET // gets the GET data, as a dictionary. The error control operator: PHP supports one error control operator, @. When it is placed before a PHP expression, any error information that the expression may produce is ignored. Variable default value Whe...

AI score 0.2
Exploits: 0
Talos
added 2017/01/20 12:0 a.m., 42 views

Adobe Acrobat Reader DC jpeg decoder Remote Code Execution Vulnerability

Summary: A use of uninitialized memory vulnerability exists in JPEG image file format decoding code of Adobe Acrobat Reader which ultimately leads to a heap-based buffer overflow which can be abused to achieve remote code execution. A specially crafted PDF file with an embedded JPEG can trigger th...

CVSS 9.3, AI score 8.6, EPSS 0.03134
Exploits: 1
OSV
added 2017/01/18 5:59 p.m., 0 views

UBUNTU-CVE-2016-7999

ecrire/exec/validerxml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the varurl parameter in a validerxml action...

CVSS 7.4, AI score 7.2, EPSS 0.00748
Exploits: 2, References: 2
OSV
added 2017/01/18 5:59 p.m., 0 views

UBUNTU-CVE-2016-7982

Directory traversal vulnerability in ecrire/exec/validerxml.php in SPIP 3.1.2 and earlier allows remote attackers to enumerate the files on the system via the varurl parameter in a validerxml action...

CVSS 7.5, AI score 7.2, EPSS 0.32657
Exploits: 4, References: 5
RedhatCVE
added 2017/01/12 9:47 p.m., 35 views

CVE-2016-8628

Ansible fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as...

CVSS 9.1, AI score 4.7, EPSS 0.00456
Exploits: 0, References: 1
Prion
added 2017/01/10 3:59 p.m., 11 views

Design/Logic Flaw

The "http-client" egg always used a HTTP_PROXY environment variable to determine whether HTTP traffic should be routed via a proxy, even when running as a CGI process. Under several web servers this would mean a user-supplied "Proxy" header could allow an attacker to direct all HTTP requests throu...

CVSS 5, AI score 6.9, EPSS 0.00697
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2017/01/10 3:59 p.m., 1 views

CVE-2016-6286

The "spiffy-cgi-handlers" egg would convert a nonexistent "Proxy" header to the HTTP_PROXY environment variable, which would allow attackers to direct CGI programs which use this environment variable to use an attacker-specified HTTP proxy server (also known as a "httpoxy" attack). This affects all...

CVSS 7.5, AI score 5.8, EPSS 0.00697
Exploits: 0, References: 2
NVD
added 2017/01/10 3:59 p.m., 26 views

CVE-2016-6286

The "spiffy-cgi-handlers" egg would convert a nonexistent "Proxy" header to the HTTP_PROXY environment variable, which would allow attackers to direct CGI programs which use this environment variable to use an attacker-specified HTTP proxy server (also known as a "httpoxy" attack). This affects all...

CVSS 7.5, AI score 7.5, EPSS 0.00697
Exploits: 0, References: 2
Cvelist
added 2017/01/10 3:0 p.m., 22 views

CVE-2016-6286

The "spiffy-cgi-handlers" egg would convert a nonexistent "Proxy" header to the HTTP_PROXY environment variable, which would allow attackers to direct CGI programs which use this environment variable to use an attacker-specified HTTP proxy server (also known as a "httpoxy" attack). This affects all...

AI score 7.5, EPSS 0.00697
Exploits: 0, References: 2
Zero Day Initiative
added 2017/01/10 12:0 a.m., 49 views

Adobe Reader DC XSLT variable Heap-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within XSLT's...

CVSS 6.8, AI score 4.1, EPSS 0.10197
Exploits: 0, References: 1
CNVD
added 2017/01/05 12:0 a.m., 1 views

Piwigo Remote File Inclusion Vulnerability (CNVD-2017-00112)

Piwigo is a web-based photo album software from the Piwigo team. The software supports photo publishing, management, multiple browsing options categories, tags, time and more. A security vulnerability exists in the admin/plugin.php file in Piwigo 2.8.3 and earlier versions, which stems from the...

CVSS 9.8, AI score 9.2, EPSS 0.00806
Exploits: 0, References: 1
FireEye
added 2017/01/04 2:2 p.m., 42 views

FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)

Introduction: This post continues the FireEye Labs Advanced Reverse Engineering (FLARE) script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...

CVSS 7.2, AI score 7.8, EPSS 0.77331
Exploits: 10, References: 4
RedHat Linux
added 2017/01/04 10:9 a.m., 2 views

ghostscript: getenv and filenameforall ignore -dSAFER

It was found that the ghostscript functions getenv and filenameforall did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted postscript document could read environment variable and list directory respectively, fro...

CVSS 5.5, AI score 5.8, EPSS 0.00222
Exploits: 0, References: 4