Attachmate Reflection OpenSSL TLS Heartbeat Information Disclosure Vulnerability
CVE ID: CVE-2014-0160 Attachmate Reflection is a well-regarded Unix terminal emulation product. The OpenSSL bundled with Attachmate Reflection has a security vulnerability: a boundary error in OpenSSL's handling of the TLS "heartbeat" extension allows an attacker to read up to 64k of memory from a connected client or server. That memory may contain private keys, usernames and passwords, and similar data. Attachmate Reflection 14.x No detailed solution is currently available: http://www.attachmate.com/...
Huawei eSight User-Defined Device Image Upload Vulnerability
BUGTRAQ ID: 64633 Huawei eSight is network management software for enterprise networks; to meet the typical needs of small and medium-sized enterprises, Huawei offers eSight Trial Edition and eSight Lite, which help enterprises focus on key business applications through a simple, easy-to-use management system. Because the program fails to validate files properly when handling device image uploads, an attacker can manipulate the uploaded file through a man-in-the-middle attack and subsequently execute arbitrary code. Huawei eSight V200R003C01SPC200 Huawei eSight = V200R003C00 Vendor patch: Huawei ----- Huawei eSight V200R003C01SPC200 fixes this vulnerability; users are advised to download and use it:...
Microsoft Windows SSL/TLS Information Disclosure Vulnerability
CVE ID: CVE-2011-3389 Microsoft Windows is a very popular operating system released by Microsoft. Microsoft Windows has an information disclosure vulnerability in its SSL/TLS implementation; a remote attacker can exploit it to disclose sensitive information and hijack user sessions. The vulnerability stems from a design error in the use of the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols with symmetric cipher suites in CBC mode, which allows a man-in-the-middle attacker to decrypt an HTTPS session. Microsoft Windows Microsoft Windows XP Home Microsoft Windows ...
Linux Kernel "net/" Subsystem "af_packet.c" Local Information Disclosure Vulnerability
BUGTRAQ ID: 48986 Linux Kernel is the kernel of the Linux operating system. The "af_packet.c" file in the Linux Kernel "net/" subsystem has a local information disclosure vulnerability in its implementation; a local attacker can exploit it to obtain sensitive information. Linux kernel 2.6.x Vendor patch: Linux ----- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://www.kernel.org/...
PHP 5.2.5 Multiple Functions Safe Mode Bypass Vulnerability
No description provided by source...
nginx HTTP Request Remote Buffer Overflow Vulnerability
Bugtraq ID: 36384 CVE ID: CVE-2009-2629 nginx is a high-performance HTTP and reverse proxy server. nginx has a buffer overflow when handling specially crafted URIs; a remote attacker can exploit it to execute arbitrary instructions with the privileges of the application. When handling specially crafted URIs, the ngx_http_parse_complex_uri function has a buffer underflow error, which can cause the nginx server to write data from the URI into heap memory before the allocated buffer, leading to arbitrary instruction execution with the privileges of the service process. Igor Sysoev nginx 0.8.14 Igor Sysoev nginx 0.7.61 Igor Sysoev nginx 0.6.38 Igor...
Apple Safari 4.0 Multiple Security Vulnerabilities
BUGTRAQ ID: 35260 CVE(CAN) ID:...
BBSGood Forum UserInfo.asp Page Blogurl Variable Insufficient Filtering SQL Injection Vulnerability
BBSGood is the first forum in China to use caching technology. In the code of the UserInfo.asp page, we can see that the variable Blogurl is passed into the SQL statement without filtering, leading to a SQL injection vulnerability. Code example: lines 1729-1853. 1. case 14 2. if Request.QueryString("save")=1 then 3. if trim(Request.Form("blogurl"))<>"" then 4. Set rsdj = Server.CreateObject("ADODB.Recordset") 5. rsdj2="select id from LxTelUser where...
Microsoft Windows SMB NT Trans Request Buffer Overflow Vulnerability (MS09-001)
BUGTRAQ ID: 33121 CVE(CAN) ID: CVE-2008-4834 Windows is a very popular operating system released by Microsoft. The Microsoft Server Message Block (SMB) protocol software has a buffer overflow vulnerability in the way it handles specially crafted SMB packets; an unauthenticated remote attacker can specify malformed values in an NT Trans request, causing the kernel to hang so that the system must be restarted to restore operation. Most attempts to exploit this vulnerability would result in a denial of service, but remote code execution is theoretically possible. Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Server 2003 SP2 Microsoft...
phpBG 0.9.1 (rootdir) Remote File Inclusion Vulnerabilities
No description provided by source. phpBG 0.9.1 rootdir Remote File Inclusion Vulnerability D.Script: http://phpbg.sourceforge.net/ POC: /intern/admin/other/backup.php?admin=1&rootdir=Shell /intern/admin/?rootdir=Shell /intern/clan/memberadd.php?rootdir=Shell /intern/config/key2.php?rootdir=Shell...
PHPNuke-Clan <= 4.2.0 (mvcw_conver.php) RFI Vulnerability
No description provided by source. PHPNuke-Clan = v4.2.0 mvcw_conver.php Remote File Inclusion | coded by DNX ! Discovered: DNX ! Vendor:...
Joomla Link Directory Component <= 1.0.3 Remote Include Vulnerability
No description provided by source. .: insecurity research team :. .advisory. 18.o8.2oo6 Affected Application: Link Directory = v1.0.3 Mambo/Joomla CMS...
PHPCollab 2.x / NetOffice 2.x (sendpassword.php) SQL Injection Exploit
No description provided by source. #!/usr/bin/php -q -d short_open_tag=on <? echo "PHPCollab v2.x / NetOffice v2.x sendpassword.php SQL Injection \r\n"; echo "by rgod [email protected]\r\n"; echo "site: http://retrogod.altervista.org\r\n\r\n"; echo "- works with magic_quotes_gpc = Off\r\n\r\n"; echo "...
Apache JMeter uses an unsecure RMI connection in Distributed mode
Severity: Important Vendor: The Apache Software Foundation Versions Affected: JMeter 2.X, 3.X Description 0: When using Distributed Test (RMI-based only), JMeter uses an unsecured RMI connection. This could allow an attacker to gain access to the JMeterEngine and send unauthorized code. This only affect...
REMOTE CODE EXECUTION (CVE-2017-13772) WALKTHROUGH ON A TP-LINK ROUTER
INTRODUCTION In this post, I will be discussing my recent findings while conducting vulnerability research on a home router: TP-Link’s WR940N home WiFi router. This post will outline the steps taken to identify vulnerable code paths, and how we can exploit those paths to gain remote code executio...
Microsoft Windows10 AHCACHE.SYS Remote Denial Of Service(CVE-2016-3369)
Summary A denial of service vulnerability exists in the AHCACHE.SYS driver. A specially crafted Portable Executable file can cause a bugcheck in the Windows kernel resulting in remote denial of service. Tested Versions Windows 10, AHCACHE.SYS version 10.0.10586.0 Tested on Windows 10 X86 Product...
MS16-032 Secondary Logon Handle Local Privilege Escalation Vulnerability
No description provided by source. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/payload_generator' require 'msf/core/exploit/powershell' require 'rex' class MetasploitModule...
PHPMyWind 5.1 /include/common.func.php Code Execution Vulnerability
/include/common.func.php /* string to array */ if(!function_exists('String2Array')) { function String2Array($data) { if($data == '') return array(); @eval("\$array = $data;"); return $array; } } The $data variable is passed into eval for execution. When the submitted $data is: 111|222$phpinfo the PHP statement executed is: @eval("$array = array("1"=>"111|222$phpinfo","2"=>"");"); the page returns:...
Oracle Document Capture Actbar2.ocx Insecure Method
No description provided by source. Source: http://packetstormsecurity.org/files/view/97866/DSECRG-11-004.txt ActiveX components contain insecure methods. Digital Security Research Group DSecRG Advisory DSECRG-00153 Application: Oracle Document Capture Versions Affected: Release 10gR3 Vendor URL:...
izicontents <= rc6 (rfi/lfi) Multiple Vulnerabilities
No description provided by source. vuln.: iziContents = RC6 RFI/LFI Multiple Remote Vulnerabilities author: [email protected] download: http://www.izicontents.com/download/iziContents1RC6.zip greetz: cOndemned, kacper ; remote file inclusion:...
NiTrO Web Gallery <= 1.4.3 (section) Remote SQL Injection Vulnerability
Viva IslaM Viva IslaM Remote SQL Injection Vulnerability NiTrO Web Gallery V1.3 - V1.4- V1.41 - 1.42 - V1.43 albums.php section AuTh0r : Mr.SQL H0ME : WwW.PaL-HaCkEr.CoM Email : [email protected] !! SYRIAN HaCkErS !! Script : NiTrO Web Gallery Versions : V1.3 - V1.4- V1.41 - V1.42 - V1.43 Site :...
Linux Kernel < 2.6.19 - udp_sendmsg Local Root Exploit (x86/x64)
No description provided by source. / second verse, same as the first CVE-2009-2698 udp_sendmsg, x86/x64 Cheers to Julien/Tavis for the bug, p0c73n1 for just throwing code at NULL and finding it executed This exploit is a bit more nuanced and thoughtful ; use ./therebel.sh for everything At this...
Franklin Fueling Systems TS-550 evo 'cgi-bin/tsaws.cgi' Security Bypass Vulnerability
Bugtraq ID: 64996 CVE ID: CVE-2013-7247 Franklin Fueling Systems TS-550 evo is a fuel management system from the US company Franklin Fueling Systems; it provides full control of fuel management through a tank monitoring system, with color-coded notifications and an alarm page with detailed labels so that alarm details can be obtained quickly. Franklin Fueling Systems TS-550 running firmware versions 2.0.0.6833 and 2.3.1.7492...
Apache Tomcat FORM Authentication Security Bypass Vulnerability
BUGTRAQ ID: 56812 CVE(CAN) ID: CVE-2012-3546 Apache Tomcat is a popular open-source JSP application server. Tomcat versions before 7.0.30 and 6.0.36 have a security vulnerability in the implementation of FORM authentication. When FORM authentication is used, if another component (such as Single-Sign-On) calls request.setUserPrincipal before FormAuthenticator.authenticate is invoked, an attacker can bypass FORM authentication by appending "/j_security_check" to the end of a URL. Apache Group Tomcat 7.0.0 - 7.0.2...
Apple iTunes Multiple Security Vulnerabilities
CVE ID:...
Mozilla Firefox Security Restriction Bypass Vulnerability (CVE-2011-2370)
BUGTRAQ ID: 48380 CVE ID: CVE-2011-2370 Firefox is a very popular open-source web browser. Firefox has a security restriction bypass vulnerability in its implementation; a remote attacker can exploit it to trick users into accepting the installation dialog for add-ons and themes. Mozilla Firefox 4.x Mozilla Firefox 4.0.1 Mozilla Firefox 4.0 Beta1 Mozilla Firefox 4.0 Mozilla Firefox 3.x Vendor patch: Mozilla ------- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:...
Microsoft Windows SMB Transaction Parsing Remote Code Execution Vulnerability (MS11-020)
BUGTRAQ ID: 47198 CVE ID: CVE-2011-0661 Windows is a popular operating system developed by Microsoft. Microsoft Windows SMB transaction parsing has a remote code execution vulnerability in its implementation; a remote attacker can exploit it to execute arbitrary code with SYSTEM privileges in the application or cause a denial of service. The Microsoft Server Message Block (SMB) protocol software has an unauthenticated remote code execution vulnerability when handling specially crafted SMB packets. The vulnerability can be exploited without authentication: an attacker exploits it by sending specially crafted SMB packets to a computer running the Server service. Successful exploitation gives full control of the affected system. Microsoft Windows XP...
HP OpenView Network Node Manager Multiple Remote Code Execution Vulnerabilities
HP OpenView Network Node Manager is network management system software developed and maintained by HP, with powerful network node management functions. HP OpenView Network Node Manager has multiple security vulnerabilities: CVE-2009-3845: CNCVE ID: CNCVE-20090898 CNCVE-20093845 CNCVE-20093846 CNCVE-20093849 CNCVE-20093848 CNCVE-20094176 CNCVE-20094177 CNCVE-20094178 CNCVE-20094179 CNCVE-20094180 CNCVE-200941...
FCKeditor connectors Module Multiple Cross-Site Scripting and Directory Traversal Vulnerabilities
CVE(CAN) ID: CVE-2009-2324, CVE-2009-2265 FCKeditor is an open-source HTML text editor. FCKeditor does not properly validate user input passed to multiple connector modules; a remote attacker can exploit components in the samples directory to inject arbitrary script or HTML, or upload malicious files via a directory traversal attack. FCKeditor = 2.6.4 Remove unused connectors from editor\filemanager\connectors; disable the file browser in config.ext; remove the samples directory entirely. Vendor patch: FCKeditor ---------...
Multiple BSD Platforms 'strfmon()' Function Integer Overflow Vulnerability
BUGTRAQ ID: 28479 CVE ID: CVE-2008-1391 CNCVE ID: CNCVE-20081391 The 'strfmon()' function on multiple BSD platforms has an integer overflow in its processing, which may allow arbitrary code execution in the context of the affected application. Failed attempts can result in a denial of service. The problematic code resembles the following: #include <monetary.h> ssize_t strfmon(char * restrict s, size_t maxsize, const char * restrict format, ...); - --- 1. /usr/src/lib/libc/stdlib/strfmon.c - integer overflow...
PHP <= 5.2.1 hash_update_file() Freed Resource Usage Exploit
No description provided by source. <?php ...
PHP <= 5.2.0 ext/filter FDF Post Filter Bypass Exploit
No description provided by source. <?php ...
Exim 4.89 - 'BDAT' Denial of Service(CVE-2017-16944)
On 23 November 2017, we reported two vulnerabilities to Exim. These bugs exist in the SMTP daemon and attackers do not need to be authenticated: CVE-2017-16943, a use-after-free (UAF) vulnerability which leads to Remote Code Execution (RCE); and CVE-2017-16944, a Denial-of-Service (D...
Microsoft Malware Protection Engine RCE (CVE-2017-0290)
Natalie Silvanovich and Tavis Ormandy of Google Project Zero found a pretty nasty bug in Microsoft Malware Protection Engine, allowing an attacker to execute arbitrary code as LocalSystem on any Windows computer running any Microsoft anti-malware product such as Security Essentials or Windows...
Linux kernel Local Denial of Service Vulnerability (CVE-2017-7308)
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges if the CAP_NET_RAW capability is held...
SSD Advisory – Ubuntu LightDM Guest Account Local Privilege Escalation(CVE-2017-7358)
Vulnerability Summary The following advisory describes a local privilege escalation via LightDM found in Ubuntu versions 16.10 / 16.04 LTS. Ubuntu is an open source software platform that runs everywhere from IoT devices, the smartphone, the tablet and the PC to the server and the cloud. LightDM ...
QEMU: virtfs permits guest to access entire host filesystem (CVE-2016-9602)
If an attacker can execute arbitrary code in the guest kernel and a virtfs is set up, the attacker can access the entire filesystem of the host using a symlink attack. This might require the security model "passthrough" or "none" - I haven't tested with the mapped modes. Repro steps: 1. Place som...
ZCMS (JSP) V1.1 Login Bypass, SQL Injection and Cross-Site Scripting Vulnerabilities
No description provided by source...
MyBB 1.8.1 /member.php SQL Injection Vulnerability
The POST parameter questionid is vulnerable to SQL injection during registration http://xxx/mybb/member.php?action=register...
A Library Management System Has a Generic SQL Injection Vulnerability
Brief description: ... Details: System name: 博云非书资料管理系统 Vendor info: copyright 杭州麦达电子有限公司 This system has a particularly "fancy" feature: the "cloud center search" function. As it happens, a parameter in the search link has a SQL injection vulnerability, and the function requires no login. Baidu search: inurl:poweb 非书资料管理系统 Enough rambling, on to the proof -------------------------------- The proof below directly gives the link produced by the "cloud center search" function (every instance of this system has the search function, and no login to the system is required); the link looks like...
Shop7z Multiple Vulnerabilities Bundle
Brief description: Front-end stored XSS against the back end; lax back-end restrictions allow access to sensitive data; topping up one's own balance (TAT), and so on. Details: 0x01 Front-end XSS, using the latest official free-edition source code. When registering a user, enter XSS code in the address field " as shown. Then register; registration succeeds. Now check the back end --- Member Information Management -- Member Management --- member details: the XSS code has been inserted, and the XSS platform receives the cookie information. 0x02 Unauthorized access http://127.0.0.1/admin/huiyuandetail.asp?id=831 This address has no permission check in the free edition, so member information can be enumerated directly here and any member's information can be modified. Related code...
Vivotek IP Cameras - RTSP Authentication Bypass
No description provided by source. Core Security - Corelabs Advisory http://corelabs.coresecurity.com Vivotek IP Cameras RTSP Authentication Bypass 1. Advisory Information Title: Vivotek IP Cameras RTSP Authentication Bypass Advisory ID: CORE-2013-0704 Advisory URL:...
Linux Kernel <= 2.6.36-rc8 - RDS Protocol Local Privilege Escalation
No description provided by source. //source: http://www.vsecurity.com/resources/advisory/20101019-1/ / Linux Kernel = 2.6.36-rc8 RDS privilege escalation exploit CVE-2010-3904 by Dan Rosenberg [email protected] Copyright 2010 Virtual Security Research, LLC The handling functions for sendin...
DZOIC Handshakes Auth Bypass SQL Injection
No description provided by source. In The Name Of Allah The Mercifull Type: DZOIC Handshakes suffer from auth bypass remote sql injection Vendor: www.dzoic.com Software: DZOIC Handshakes - author: R3d-D3v!L TEAM: ArAB!AN !NFORMAT!ON SeCuR!T...
RoundCube Webmail <= 0.2-3 beta Code Execution Vulnerability
No description provided by source. Public Release Date of POC: 2008-12-22 Author: Jacobo Avariento Gimeno Sofistic CVE id: CVE-2008-5619 Bugtraq id: 32799 Severity: Critical Vulnerability reported by: RealMurphy Intro ---- Roundcube Webmail is a browser-based IMAP client that uses chuggnutt.com...
Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android Edition)
No description provided by source. Source for exploiting CVE-2009-2692 on Android; Hole is closed in Android kernels released August 2009 or later. orig: http://zenthought.org/content/file/android-root-2009-08-16-source back: http://www.exploit-db.com/sploits/android-root-20090816.tar.gz...
大汉版通 System Arbitrary File Upload/Deletion Vulnerabilities
Brief description: A certain 大汉版通 system has multiple arbitrary file upload/deletion vulnerabilities. Details: 1. Vulnerable code. File upload: Vulnerability 1: /xxgk/jcmsfiles/jcms1/web1/site/zfxxgk/ysqgk/attachupload.jsp Vulnerability 2: /xxgk/jcmsfiles/jcms1/web1/site/zfxxgk/ysqgk/applyattachupload.jsp File deletion: both of the files above also have an arbitrary file deletion vulnerability. First, the arbitrary file deletion code: if("D".equals(strBillStatus)) delFileName =...
Ecmall 2.3.0 Local File Inclusion Vulnerability
Brief description: File inclusion, limited by gpc and the PHP version. Details: Vulnerable file: admin/app/plugin.app.php Idea taken from: WooYun: Ecmall 2.3 File Inclusion Vulnerability (marginal) function get_plugin_info($id) // the id parameter has a file inclusion vulnerability $plugin_info_path = ROOT_PATH . '/external/plugins/' . $id . '/plugin.info.php'; return include($plugin_info_path);...
大汉版通 JIS Unified Identity Authentication System Source Code Information Leak That May Affect Most JIS Deployments
Brief description: A somewhat odd vulnerability, but one I have already run into twice. Don't assume this is only a minor issue because I chose "information leak" as the category... it may actually have a large impact! And its exploitation can be combined with the JIS vulnerabilities I submitted earlier, which is quite interesting. Details: A file in JIS version 2.2.1 contains the mailbox information used by JIS for email password recovery, including the mailbox username and password! In other words, for some versions of JIS, every email sent by the password recovery function goes out through this mailbox. What is the harm? Read on. Proof of vulnerability: jis\check\findpwd\oprvalidate.jsp String sender =new...
eYou /php/report/lastlogin_list_export.php SQL Injection Vulnerability
eYou is a popular mail management system in China. In its /php/report/lastlogin_list_export.php file, line 52 checks whether the $_GET['time'] and $_GET['stime'] variables are empty; lines 53-54 then strip the backslashes added by the addslashes function and assign the values to the $time and $stime variables. Line 66 concatenates $time and $stime into a SQL statement, and line 68 passes the concatenated SQL statement to the database for execution. At no point in this process are $time and $stime effectively filtered, which leads to a SQL injection vulnerability. eYou...