Ruby Fiddle::Function.new Heap Overflow Vulnerability(CVE-2016-2339)
DESCRIPTION An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "argtypes" allocation is made based on args array length. Specially constructed object passed as element of args...
Apple Core Graphics BMP Framework img_decode_read Remote Code Execution Vulnerability(CVE-2016-4637)
SUMMARY An exploitable out of bounds write exists in the handling of BMP images on Apple OS X and iOS. A crafted BMP document can lead to an out of bounds write resulting in remote code execution. Vulnerability can be triggered via a saved BMP file delivered by other means when opened in any...
Apple: Multiple Race Conditions in PCIe Message Ring protocol leading to OOB Write and OOB Read(CVE-2017-7115)
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe"...
Artifex MuPDF JBIG2 Parser Code Execution Vulnerability (CVE-2016-8729)
Summary An exploitable memory corruption vulnerability exists in the JBIG2 parser of Artifex MuPDF 1.9. A specially crafted PDF can cause a negative number to be passed to a memset resulting in memory corruption and potential code execution. An attacker can specially craft a PDF and send to the...
Poppler PDF Image Display DCTStream::readScan() Code Execution Vulnerability(CVE-2017-2814)
Summary An exploitable heap overflow vulnerability exists in the image rendering functionality of Poppler-0.53.0. A specifically crafted pdf can cause an image resizing after allocation has already occurred, resulting in heap corruption which can lead to code execution. An attacker controlled PDF...
Google Android Broadcom Wi-fi Driver Information Disclosure Vulnerability(CVE-2017-0633)
An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious component to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10,...
Roundcube Stored Cross-Site Scripting in Mail Body (CVE-2017-6820)
Author: Badcode, sebao (Knownsec 404 Team) Date: 2017-03-17 0x00 Vulnerability overview 1. Vulnerability description Roundcube is a widely used open-source webmail program, deployed by many organizations and companies around the world. Once successfully installed on the server...
Wordpress Plugin Olimometer 2.56 - SQL Injection
Vulnerable parameter: olimometerid= Using sqlmap: Parameter: olimometerid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: olimometerid=1 AND 6227=6227 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: olimometerid=1...
74cms V3.4 (< 20140310) plus/ajax_officebuilding.php SQL Injection Vulnerability
No description provided by source...
Red Hat Automatic Bug Reporting Tool Arbitrary File Write Vulnerability
The problem is in abrt-action-install-debuginfo-to-abrt-cache. By default it creates a temporary directory /var/tmp/abrt-tmp-debuginfo-RANDOMSUFFIX, downloads RPM files into it and then unpacks them. Because that is only a scratch directory, the extraction target is not the temporary directory itself but /var/cache/abrt-di; that directory is not randomly named and is entirely predictable, so we can create it in advance. By controlling the unpacked.cpio file, we can trick abrt-action-install-debuginfo into extracting a cpio archive we control...
Campus Management System Backend SQL Injection (No Login Required / sa Privileges)
Brief description: ... Details: Baidu dork: inurl:/ws2004/ Technical support: Nanjing Suyaxing Information Technology Development Co., Ltd. (南京苏亚星资讯科技开发有限公司) ---------------------------------------- Vulnerable page: ws2004/SysManage/LeaveWord/List.asp?AbPage=1&where=%20where%20Title%20like%20111 Vulnerable parameter: where All instances run with sa privileges ---------------------------------------- Proof of vulnerability: 1 http://www.suyaxing.com:81/ws2004/...
Supermicro Onboard IPMI Port 49152 Sensitive File Disclosure Vulnerability
About IPMI: The Intelligent Platform Management Interface (IPMI) is an open-standard hardware management interface specification that defines how embedded management subsystems communicate. IPMI messages are exchanged through the Baseboard Management Controller (BMC), the hardware component on which the IPMI specification is implemented. IPMI is a management interface for platforms based on...
Education-Sector Generic CMS Arbitrary File Download Vulnerability
Brief description: Arbitrary file download vulnerability in a CMS widely deployed in the education sector. Details: Not sure whether this counts as a generic product. The web.config file can be downloaded, leaking the database connection information: http://sbc.xzit.edu.cn/hxjc/DownLoad.aspx?Accessory=../web.config http://hedds.njutcm.edu.cn/DownLoad.aspx?Accessory=../web.config http://www.emcjs.org/DownLoad.aspx?Accessory=../web.config...
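The DownLoad.aspx flaw above in miniature, with a hardened handler beside it. This is an added example, not code from the CMS or the report; the directory layout, file names and contents are constructed for the demonstration, and the handler assumes the web server has already URL-decoded the Accessory parameter.

```python
# Added example (not code from the CMS or the advisory): the DownLoad.aspx
# flaw in miniature, with a hardened handler beside it. Directory layout,
# file names and contents below are constructed for the demonstration.
import os
import tempfile

# constructed sample tree: ROOT/web.config (sensitive) and ROOT/attachments/ (served)
ROOT = tempfile.mkdtemp(prefix="traversal_demo_")
BASE = os.path.join(ROOT, "attachments")
os.makedirs(os.path.join(BASE, "upload"))
with open(os.path.join(BASE, "upload", "report.pdf"), "wb") as f:
    f.write(b"%PDF-1.4 sample")
with open(os.path.join(ROOT, "web.config"), "w") as f:
    f.write("<connectionStrings>constructed secret</connectionStrings>")


def download_vulnerable(accessory):
    """Mirrors the broken behaviour: the Accessory parameter is joined straight onto BASE."""
    with open(os.path.join(BASE, accessory), "rb") as f:
        return f.read()


def download_hardened(accessory):
    """Resolve the final path and refuse anything that ends up outside BASE.

    Assumes the web server has already URL-decoded the parameter (so %2e%2e is
    already '..'); backslashes are normalised because IIS treats them as separators.
    """
    name = accessory.replace("\\", "/")
    if name.startswith("/") or ":" in name:
        raise PermissionError("absolute path rejected: %r" % accessory)
    base_real = os.path.realpath(BASE)
    candidate = os.path.realpath(os.path.join(base_real, name))
    # realpath has collapsed every '..' and symlink; the result must still be under BASE
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError("path escapes attachments directory: %r" % accessory)
    with open(candidate, "rb") as f:
        return f.read()


def is_rejected(accessory):
    """True when the hardened handler refuses the request."""
    try:
        download_hardened(accessory)
    except PermissionError:
        return True
    return False
```

The check is done on the resolved path rather than by searching the input for "..": a denylist misses encoded, doubled or backslash variants, while comparing realpath() output against the base directory catches all of them.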
Linux Kernel < 2.6.36-rc1 CAN BCM - Privilege Escalation Exploit
No description provided by source. /* i-CAN-haz-MODHARDEN.c Linux Kernel 2.6.36-rc1 CAN BCM Privilege Escalation Exploit Jon Oberheide [email protected] http://jon.oberheide.org Information: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959 Ben Hawkes discovered an integer overflow in th...
AllMyGuests <= 0.4.1 (cfg_serverpath) Remote File Include Vulnerability
No description provided by source. ============================================================================ AllMyGuests <= 0.4.1 ($AMG_config[cfg_serverpath]) Remote File Inclusion Exploit ============================================================================ Script Infected: signin.php Critical leve...
Mac OSX Server DirectoryService Buffer Overflow
No description provided by source. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Mac OSX Server DirectoryService buffer overflow 1. Advisory Information Title: Mac OSX Server DirectoryService buffer overflow Advisory ID: CORE-2013-0103 Advisory URL:...
Social Sites MyBB Plugin 0.2.2 - Cross Site Scripting
No description provided by source. Exploit Title: Social Sites MyBB Plugin 0.2.2 Cross Site Scripting Google Dork: inurl:usercp.php?action=socialsites Date: 13.12.2012 Exploit Author: s3m00t Vendor Homepage: http://mattrogowski.co.uk/mybb/ Software Link: http://mods.mybb.com/view/social-sites...
Ultimate PHP Board 1.0 final beta ViewTopic.PHP Directory Contents Browsing
No description provided by source. source: http://www.securityfocus.com/bid/6334/info Ultimate PHP Board UPB is a freely available, open source PHP Bulletin Board. It is available for the Unix and Linux operating systems. Under some circumstances, it may be possible to disclose the contents of...
Emefa Guestbook 3.0 - Remote Database Disclosure Vulnerability
No description provided by source. Title: Emefa Guestbook V 3.0 Remote Database Disclosure Vulnerability Credit: Cyber.Zer0 E-mail: Cyber.Zer04tHotmaildotcom Download: http://www.emefa.dyndns.org/downloads/ Remote: Yes Dork: Emefa Guestbook V 3.0 --=Database Disclosure=--...
Prozilla Hosting Index (directory.php cat_id) - SQL Injection Vulnerability
No description provided by source. [echo.or.id ASCII banner] ECHO_ADV_88$2008 ----------------------------------------------------------------------------------------- ECHO_ADV_88$2008 Prozilla Hosting Index directory.php cat_id Blind SQL...
Siemens Simatic S7-300 PLC Remote Memory Viewer
No description provided by source. Exploit Title: Siemens Simatic S7 300 Remote Memory Viewer Backdoor Date: 7-13-2012 Exploit Author: Dillon Beresford Vendor Homepage: http://www.siemens.com/ Tested on: Siemens Simatic S7-1200 PLC CVE : None require 'msf/core' class Metasploit3 < Msf::Auxiliary...
sweetrice cms 0.6.7 - Multiple Vulnerabilities
No description provided by source. Vulnerability ID: HTB22669 Reference: http://www.htbridge.ch/advisory/resetadminpasswordinsweetricecms.html Product: SweetRice CMS Vendor: basic-cms.org http://www.basic-cms.org/ Vulnerable Version: 0.6.7 Vendor Notification: 21 October 2010 Vulnerability Type:...
Invision Power Board <= 3.3.4 unserialize Regex Bypass
No description provided by source. <?php /* So this is the patch that sanitizes */ static public function safeUnserialize($serialized) { // unserialize will return false for object declared with small cap o // as well as if there is any ws between O and : if (is_string($serialized) && strpos($serialized, '\...
GIMP 2.8.0 FIT File Format DoS
No description provided by source. Summary ======= There is a file handling DoS in GIMP the GNU Image Manipulation Program for the 'fit' file format affecting all versions Windows and Linux up to and including 2.8.0. A file in the fit format with a malformed 'XTENSION' header will cause a crash i...
WEBBDOMAIN Post Card <= 1.02 (catid) SQL Injection Vulnerability
No description provided by source. post Card catid Remote SQL Injection Vulnerability Author: Hussin X Home : www.IQ-TY.com & www.TrYaG.cc MaiL : [email protected] script : http://webbdomain.com/php/postcarden/index2.php script : http://webbdomain.com/php/postcardir/index2.php DorK :...
Cannonbolt Portfolio Manager 1.0 - Multiple Vulnerabilities
No description provided by source. Cannonbolt Portfolio Manager v1.0 Stored XSS and SQL Injection Vulnerabilities Vendor: IWCn Systems Inc. Product web page: http://www.iwcn.ws Affected version: 1.0 Summary: Cannonbolt Portfolio Manager is a sleek and AJAX based PHP script to manage projects and...
TP-Link TL-WR740N Wireless Router - Denial of Service Exploit
No description provided by source. #!/usr/local/bin/perl TP-Link TL-WR740N Wireless Router Remote Denial Of Service Exploit Vendor: TP-LINK Technologies Co., Ltd. Product web page: http://www.tp-link.us Affected version: - Firmware version: 3.16.4 Build 130205 Rel.63875n Released: 2/5/2013 -...
Apple Safari 6.0.1 for iOS 6.0 and OS X 10.7/8 - Heap Buffer Overflow
No description provided by source. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 +------------------------------------------------------------------------------+ | Packet Storm Advisory 2013-0903-1 | | http://packetstormsecurity.com/ |...
F-Secure E-mail/Server Security OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerability
CVE ID: CVE-2014-0160 F-Secure E-mail and Server Security and F-Secure Server Security contain a security vulnerability. The OpenSSL library bundled with these products has a bounds-checking error in its handling of the TLS "heartbeat" extension, which allows an attacker to read up to 64 KB of memory from a connected client or server per request. The disclosed memory may include private keys, usernames and passwords. Affected versions: F-Secure E-mail and Server Security 10.x F-Secure E-mail...
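The bounds error described above, reduced to the heartbeat message layout. This is an added example, not code from OpenSSL or F-Secure; the "process memory" and the lying request are constructed sample data, and the fixed handler reproduces the two length checks added in OpenSSL 1.0.1g.

```python
# Added example (not code from OpenSSL or F-Secure): the Heartbleed length
# check in miniature. A heartbeat message is type(1) | payload_length(2) |
# payload | padding(>=16). The vulnerable handler trusted payload_length and
# echoed that many bytes from memory; OpenSSL 1.0.1g added the bounds checks
# shown in handle_fixed(). The "process memory" below is constructed sample data.
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # minimum heartbeat padding length


def build_heartbeat(payload, claimed_len=None):
    """Build a heartbeat request; claimed_len lets the sender lie about the payload size."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def handle_vulnerable(record, process_memory):
    """Pre-1.0.1g logic: copy payload_length bytes from where the payload starts in memory.

    The record is assumed to sit at offset 0 of process_memory, so the payload begins
    at offset 3; when claimed_len exceeds the real payload the copy runs off the record.
    """
    _hbtype, plen = struct.unpack("!BH", record[:3])
    payload = process_memory[3:3 + plen]
    return struct.pack("!BH", HB_RESPONSE, plen) + payload + b"\x00" * PADDING


def handle_fixed(record, process_memory):
    """1.0.1g logic: silently discard records whose claimed length does not fit."""
    if 1 + 2 + PADDING > len(record):
        return None  # too short to hold type, length and minimum padding
    _hbtype, plen = struct.unpack("!BH", record[:3])
    if 1 + 2 + plen + PADDING > len(record):
        return None  # claimed payload_length larger than the record: drop it
    payload = record[3:3 + plen]
    return struct.pack("!BH", HB_RESPONSE, plen) + payload + b"\x00" * PADDING


SECRET = b"-----BEGIN RSA PRIVATE KEY-----"  # constructed stand-in for adjacent heap data


def demo_leak():
    """Return (vulnerable response, fixed response) for a heartbeat that lies about its length."""
    record = build_heartbeat(b"hi", claimed_len=40)
    memory = record + SECRET + b"\x00" * 64
    return handle_vulnerable(record, memory), handle_fixed(record, memory)
```

The model uses a 2-byte length, so a single request can claim at most 65535 bytes, which is where the "64 KB per request" figure in the advisory comes from; repeated requests walk further through whatever the allocator placed after the record.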
OpenSSL ECDSA Nonce Recovery Vulnerability
CVE ID: CVE-2014-0076 OpenSSL is an open-source SSL implementation that provides strong encryption for network communications. The OpenSSL ECDSA (elliptic curve signature and verification) implementation has a flaw that allows an attacker to recover the signing nonce via a FLUSH+RELOAD cache side-channel attack and then derive the private key. Affected versions: OpenSSL 1.x Users can obtain the fix from the vendor's Git repository: http://www.openssl.org/...
GnuTLS Certificate Verification Security Bypass Vulnerability
BUGTRAQ ID: 65919 CVE(CAN) ID: CVE-2014-0092 GnuTLS is a library implementing the TLS protocol. GnuTLS versions before 3.1.22 and 3.2.12 have a flaw in X.509 certificate verification: verification errors are handled incorrectly, so a faulty certificate can be reported as valid, allowing a remote user to bypass certificate verification. Affected versions: GnuTLS 3.2.x before 3.2.12 GnuTLS 3.1.x before 3.1.22 Vendor patch: GnuTLS ------ The vendor has released an update to fix this issue; download it from the vendor's homepage: http://gnutls.org...
Apache Tomcat Session Fixation Vulnerability
Bugtraq ID: 65769 CVE ID: CVE-2014-0033 Apache Tomcat is an open-source JSP application server. A regression introduced by the fix for path-parameter handling makes a session fixation attack possible even when disableURLRewriting is enabled, allowing a remote attacker to gain unauthorized access to an application. Affected versions: Apache Tomcat 6.0.0 - 6.0.37 Vendor patch: Apache ----- Apache Tomcat 6.0.39 fixes this vulnerability; users are advised to update: http://tomcat.apache.org/...
Linksys Series Unspecified Remote Code Execution Vulnerability
No description provided by source. #!/usr/bin/php <?php /* Exploit for 0day linksys unauthenticated remote code execution vulnerability. As exploited by TheMoon worm; Discovered in the wild on Feb 13, 2013 by Johannes Ullrich. I was hoping this would stay under-wraps until a firmware patch could be...
Discuz! Feature Flaw Allows Login Bypassing the Security Question Under Certain Conditions
Brief description: Details: Discuz! X's cloud platform has a QQ Connect feature that lets a QQ account be bound to a forum account and used to log in to the forum. However, if the forum account has a security question configured, logging in via the linked QQ account still does not require the security question, which is a security problem. Proof: 0x01. During a security test I obtained the database of a small site and restored it into my phpMyAdmin. Searching it, I found the password hash of a 5d6d moderator. (Note: the pre_common_member table does not store the real password MD5; the real hash is in pre_ucenter_members, computed as md5(md5($pass).$hash).) 0x02. I sent the hash to cmd5 for cracking...
FCKeditor 2.4.3 /fckeditor/editor/filemanager/upload/asp/class_upload.asp File Upload Vulnerability
...
Ruby on Rails Remote Security Bypass Vulnerability (CVE-2013-0276)
BUGTRAQ ID: 57896 CVE(CAN) ID: CVE-2013-0276 Ruby on Rails (RoR or Rails) is an open-source web application framework written in Ruby that strictly follows the MVC architecture. Ruby on Rails versions before 3.2.12, 3.1.11 and 2.3.17 have a flaw in the ActiveRecord "attr_protected" method: the blacklist does not properly restrict access to model attributes, so a crafted request can cause unintended modification of certain values. Affected versions: Ruby on Rails 3.2.x Ruby on Rails 3.1.x Ruby on Rails 2.3.x Vendor patch: Ruby o...
Zhengfang (正方) University Modern Management System Arbitrary Grade Modification / Photo Viewing Vulnerability
Brief description: The Zhengfang University Modern Management System reportedly used by some 1000 universities, once again. Details: Most schools have somewhere to look up student and staff IDs, for example the friends feature of the information portal. If a school has no information portal, or the portal is open only to teachers, the online teaching platform also lets you look them up; find the exact location yourself. First enter your teacher's name and find their staff ID... Then go to the university management system (there may be two addresses: one is the teaching-evaluation system, which is useless; the other, which lets you choose a login identity, is the one we want). Weak passwords, of course: in my testing, 80% of universities have not made their teachers change their weak passwords. University teachers! Enter the staff ID (the password is the same). First, viewing photos...
PHP 5.3.x 'open_basedir' Security Restriction Bypass Vulnerability
BUGTRAQ ID: 54612 CVE ID: CVE-2012-3365 PHP is an HTML-embedded scripting language, similar in several respects to Microsoft's ASP: both are server-side scripting languages embedded in HTML documents, with a C-like syntax, and PHP is widely used by web developers. PHP versions before 5.3.15 have a flaw in the SQLite extension that can be exploited to bypass the "open_basedir" restriction. Affected versions: PHP 5.3.x Vendor patch: PHP --- The vendor has released an update to fix this issue; download it from the vendor's homepage: http://www.php.net...
Python SimpleHTTPServer 'list_directory()' Cross-Site Scripting Vulnerability
Bugtraq ID: 54083 CVE ID: CVE-2011-4940 Python's SimpleHTTPServer is a simple built-in HTTP server module. Because the list_directory() function omits the charset parameter from the Content-Type header, an attacker can exploit it for cross-site scripting, obtaining sensitive information or hijacking user sessions. Affected versions: Python 2.6.5 Python 2.6.2 Python 2.5.5 Python 2.5.3 Python 2.5.2-r6 Python 2.5.2 Python 2.5.1 Python 2.5.5c2 Python 2.5 Vendor patch:...
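Why a missing charset is enough for XSS when the file names are already HTML-escaped: an added example, not the page's or CPython's code. It models the listing the way SimpleHTTPServer builds it and shows a browser that sniffs UTF-7 reconstructing a <script> tag from a file name that contains no '<' at all. The file names are constructed sample input; the Content-Type fix matches what the patched module sends.

```python
# Added example (not the page's or CPython's code): why a missing charset
# matters for CVE-2011-4940. SimpleHTTPServer already HTML-escaped file names,
# so a literal <script> name is neutralised. Without a charset in Content-Type,
# a browser that sniffs encodings (IE7) may choose UTF-7, where '<' is spelled
# '+ADw-' and never meets the escaper. The patched module sends
# 'text/html; charset=<encoding>'. File names below are constructed sample input.
import html
import sys
import urllib.parse


def render_listing(names, declare_charset):
    """Return (headers, body) for a directory listing in the SimpleHTTPServer style."""
    enc = sys.getfilesystemencoding()
    ctype = "text/html" + ("; charset=%s" % enc if declare_charset else "")
    rows = "\n".join(
        '<li><a href="%s">%s</a></li>'
        % (urllib.parse.quote(n), html.escape(n, quote=False))
        for n in sorted(names)
    )
    body = ("<html><head><title>Directory listing</title></head>"
            "<body><ul>\n%s\n</ul></body></html>" % rows)
    return {"Content-Type": ctype}, body


def browser_decodes_as(body, charset):
    """Model a browser interpreting the served bytes under a charset guess."""
    return body.encode("ascii", "xmlcharrefreplace").decode(charset)


SAMPLE_NAMES = [
    "notes.txt",
    "<script>alert(1)</script>",                  # caught by html.escape
    "+ADw-script+AD4-alert(1)+ADw-/script+AD4-",  # UTF-7 spelling of the same tag
]
```

An attacker who can name a file in a served directory (an upload folder, a shared drive) needs no '<' in the name; the escaper has nothing to escape and the browser's charset guess does the rest. Declaring the charset, and adding X-Content-Type-Options: nosniff on servers that support it, removes the guess.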
MariaDB/MySQL Probabilistic Arbitrary-Password Authentication Bypass Vulnerability (CVE-2012-2122)
No description provided by source. $Id$ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit...
Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
No description provided by source. /* linux-undeadattack.c Linux IGMP Remote Denial Of Service Introduced in linux-2.6.36 CVE-2012-0207 credits to Ben Hutchings: http://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html written By Kingcope Year 2012 Ripped & modified co...
PHP "zend_strndup()" Multiple NULL Pointer Dereference Denial of Service Vulnerabilities
BUGTRAQ ID: 51417 CVE ID: CVE-2011-4153 PHP is a scripting language mainly used to process dynamic web pages; it also provides a command-line interface and can produce GUI programs. PHP has multiple denial-of-service vulnerabilities because it fails to check the return value of zend_strndup() calls; an attacker can exploit them to crash the affected application, denying service to legitimate users. Affected versions: PHP 5.3.8 Vendor patch: PHP --- The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version: http://www.php.net...
Mozilla Firefox/Thunderbird/SeaMonkey Multiple Security Vulnerabilities
BUGTRAQ ID: 49166 CVE ID: CVE-2011-0084,CVE-2011-2978,CVE-2011-2980,CVE-2011-2981,CVE-2011-2982,CVE-2011-2983,CVE-2011-2984,CVE-2011-2985,CVE-2011-2986,CVE-2011-2987,CVE-2011-2988,CVE-2011-2989,CVE-2011-2990,CVE-2011-2991,CVE-2011-2992,CVE-2011-2993...
Linux Kernel fs/partitions/osf.c Information Disclosure Vulnerability
BUGTRAQ ID: 46878 CVE ID: CVE-2011-1163 Linux Kernel is the kernel of the Linux operating system. An information disclosure vulnerability exists in the implementation of fs/partitions/osf.c; a local attacker can exploit it to obtain sensitive information from kernel heap memory. The code that automatically validates the OSF partition table of a storage device contains a buffer overflow error. Affected: Linux kernel 2.6.x OpenVZ Project OpenVZ 028stab091.1 Vendor patch: Linux ----- The vendor has released an update to fix this issue; download it from the vendor's homepage: http://www.kernel.org/...
Linux Kernel "posix-cpu-timers.c" Local Race Condition Vulnerability
BUGTRAQ ID: 45028 CVE ID: CVE-2010-4248 Linux Kernel is the kernel used by the open-source Linux operating system. A flaw in the implementation allows an attacker to crash the kernel, abnormally terminating the affected machine. posix-cpu-timers.c assumes that an exiting process will run posix_cpu_timers_exit_group() and remove every !CPUCLOCK_PERTHREAD timer from the signal->cpu_timers list. But it wrongly assumes that timer->it.cpu.task is always the group leader, so that a dead task implies a dead thread group. Linux kernel...
PHP ZipArchive::getArchiveComment() NULL Pointer Dereference Denial of Service Vulnerability
BUGTRAQ ID: 44718 CVE ID: CVE-2010-3709 PHP is a widely used general-purpose scripting language, especially suited to web development and embeddable in HTML. The ZipArchive library allows transparent reading and writing of ZIP archives and the files inside them. In the ZipArchive::getArchiveComment() function used by PHP: static ZIPARCHIVE_METHOD(getArchiveComment) { struct zip *intern; zval *this = getThis(); long flags = 0; const ch...
phpwind Remote Code Execution Vulnerability
Brief description: Recent versions of the phpwind forum contain a serious vulnerability; successful exploitation allows remote execution of arbitrary PHP code. phpwind 7 and phpwind 8 are affected. Details: In pw_ajax.php: elseif ($action == 'pcdelimg') { InitGP(array('fieldname','pctype')); InitGP(array('tid','id'),2); if (!$tid || !$id || !$fieldname || !$pctype) echo 'fail'; $id = (int)$id; if ($pctype == 'topic') { $tablename =...
Dvbbs (动网) Ver 8.3.0 Multiple Cross-Site Scripting Vulnerabilities
Dvbbs is currently the largest community forum software provider in China; thanks to its feature set, access speed and load capacity, user-friendly interface, customer service, domestically leading technology and sustained product development, its forum product is said to account for more than 70% of community forum deployments in the country. The target site does not effectively filter or convert user-submitted variables, allowing an attacker to inject malicious web code. Two new cross-site scripting vulnerabilities exist in this version. DVbbs Version 8.3.0 Awaiting an official patch demo1:...
PHP tempnam() safe_mode Check Bypass Vulnerability
BUGTRAQ ID: 38431 PHP is a widely used general-purpose scripting language, especially suited to web development and embeddable in HTML. PHP's tempnam() function does not correctly perform the safe_mode check when the directory path does not end with "/", so an attacker can bypass the restriction and gain read/write access to the directory. Affected: PHP 5.3.x PHP 5.2.x Vendor patch: PHP --- The vendor has released an update to fix this issue; download it from the vendor's homepage: http://svn.php.net/viewvc/php/php-src/branches/PHP53/ext/session/session.c?view=log...
Oracle Outside In Multiple Buffer Overflow Vulnerabilities
Bugtraq ID: 34994 CVE ID: CVE-2009-1009 CVE-2009-1010 CVE-2009-1011 CNCVE ID: CNCVE-20091009 CNCVE-20091010 CNCVE-20091011 Oracle Outside In is a software development kit (SDK) that gives developers a comprehensive solution for accessing, converting and controlling the content of more than 400 unstructured file formats. Oracle Outside In contains multiple buffer overflows that a remote attacker can exploit to execute arbitrary code with the privileges of the application. - When processing Microsoft...