56796 matches found
Gimp 2.2.14 .RAS File Download/Execute Buffer Overflow Exploit (win32)
No description provided by source. / :: Kristian Hermansen :: Date: 20070509 Description: Gimp 2.2.14 RAS vuln, thanks to Marsu. This one is universal download and exec using call esp in libgimpcolor-2.0-0.dll. Vulnerable: Gimp 2.2.14 Tested: Gimp 2.2.14 on Windows Vista, XP, 2000 Compile: gcc -o...
Dokeos <= 1.8.0 (my_progress.php course) Remote SQL Injection Exploit
No description provided by source. !/usr/bin/perl -w Dokeos = 1.8.0 SQL Injection Exploit Discovered by: Silentz Payload: Admin Username & Hash Retrieval Website: http://www.w4ck1ng.com &n...
Microsoft Excel Malformed Set Font Value Remote Code Execution Vulnerability (MS07-023)
Microsoft Excel is the spreadsheet tool in the Office suite. Excel has a vulnerability when handling a malformed set font value in a file; a remote attacker could exploit it to take control of a user's machine by enticing the user to open a malicious document. Such files may arrive as e-mail attachments or be hosted on malicious websites. If a user is tricked into opening a specially crafted Excel file, memory corruption can be triggered, leading to execution of arbitrary instructions. Microsoft Excel Viewer 2003 Microsoft Excel 2007 Microsoft Excel 2003 SP2 Microsoft Excel 2002 SP3 Microsoft Excel 2000 SP3 Microsoft...
aForum <= 1.32 (CommonAbsDir) Remote File Inclusion Vulnerability
No description provided by source. AForum =1.33 Remote file inclusion Func.php Download Script : http://www.agner.org/software/msgbrd2/aforum.zip Thanks Str0ke D0rk:allintitle:List of messageboards Exploit : http://localhost/aforumpath/common/func.php?CommonAbsDir=shell.txt? Discovered By : ThE...
Microsoft Exchange Base64 MIME Message Remote Code Execution Vulnerability (MS07-026)
Microsoft Exchange Server is an enterprise-class mail server. Microsoft Exchange Server has a vulnerability when processing certain malformed encoded data; a remote attacker could exploit it to take control of the server. Microsoft Exchange does not correctly decode base64-encoded content; if a user sends a specially crafted base64-encoded MIME mail message to the server, arbitrary instructions may be executed. Microsoft Exchange Server 2007 Microsoft Exchange Server 2003 SP2 Microsoft Exchange Server 2003 SP1 Microsoft...
ProFTPD AUTH Multiple Authentication Module Security Bypass Vulnerability
proftpd is a popular open-source FTP server. proftpd has an error in its AUTH API; a remote attacker can exploit it to bypass security restrictions and gain unauthorized access. Because the FTP protocol separates the USER and PASS commands, ProFTPD checks the user data on USER independently and verifies the user's authentication when PASS is received. This combination allows ProFTPD to have several Auth modules active at the same time, such as modauthunix, modsql and modldap, which can lead to one authentication module (modauthunix) supplying the user data while another module (such as modsql) authenticates it. When the modsql authentication module is configured with a less restrictive authentication policy, such as: SQLAuthTypes...
McAfee e-Business Server Invalid Data Length Denial of Service Vulnerability
McAfee e-Business Server provides transparent encryption for enterprises and individuals that store and share documents. McAfee e-Business Server has a vulnerability when handling malformed authentication requests; a remote attacker could exploit it to crash the server. If an attacker sends a malformed authentication packet while authenticating to McAfee e-Business Server, the server crashes. On receiving the packet the server reads its length field and then attempts to read that many bytes from the buffer. If the attacker specifies a very large length value but sends a very small packet, the server reads beyond the mapped heap memory, triggering an unhandled exception, and the administration server crashes. 0 McAfee E-Business Server 8.5.1.101...
MyBlog Games.PHP Remote File Inclusion Vulnerability
MyBlog is a PHP-based web application. MyBlog does not properly filter user-supplied input; a remote attacker can exploit this to execute arbitrary commands with web-server privileges. The problem is that the 'Games.PHP' script lacks filtering of the user-supplied 'scoreid' parameter; specifying a file on a remote server as the include parameter can lead to execution of arbitrary commands with web-server privileges. MyBlog MyBlog 1.6 MyBlog MyBlog 1.5 MyBlog MyBlog 1.4 MyBlog MyBlog 1.3 MyBlog MyBlog 1.2 MyBlog MyBlog 1.1 MyBlog MyBlog 1.0 No solution is currently available:...
FireBug Cross-Site Scripting Vulnerability
BUGTRAQ ID: 23315 FireBug is a very useful JavaScript and DOM inspection and debugging tool, implemented as a Firefox add-on. FireBug's handling of script code has a vulnerability; a remote attacker could exploit it to execute malicious script code on the user's machine. In the browser, remote scripts are sandboxed, i.e. any URL with an http: or https: prefix is treated as safe. Browser extensions use the chrome: protocol, which is not subject to any restrictions, so browser extensions are trusted. If a remote script tricks the browser into evaluating a JavaScript expression in the chrome: context, that script gains full control of chrome and the operating system, because command execution and read/write access are all permitted....
MS Windows Animated Cursor (.ANI) Stack Overflow Exploit
No description provided by source. / Copyright c 2007 devcode ^^ D E V C O D E ^^ Windows .ANI LoadAniIcon Stack Overflow CVE-2007-1765 Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to take complete...
sBLOG 0.7.3 Beta (inc/lang.php) Local File Inclusion Exploit
No description provided by source. !/usr/bin/perl sBLOG 0.7.3 Betainc/lang.phpLocal File Inclusion Exploit D.Script: http://sourceforge.net/projects/sblog/ V.Code: ifisset$conflangdefault && fileexists'lang/' . $conflangdefault . '.php' require'lang/' . $conflangdefault . '.php'; Discovered...
Oracle Application Server DMS Cross-Site Scripting Vulnerability
Oracle Application Server is a commercial application server. Oracle Application Server does not properly filter user-supplied input; a remote attacker can exploit this to carry out cross-site scripting attacks and obtain sensitive information. The problem lies in the Oracle Dynamic Monitoring Service, where the 'spy' script lacks filtering of user-supplied parameters. Submitting malicious script code as parameter data and enticing a user to visit the resulting link can expose the target user's sensitive information. Oracle Application Server Release 2 10.1.2 .0.2 Oracle Application Server Release 2 10.1.2 .0.1 Oracle Application...
PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit
No description provided by source. ?php //////////////////////////////////////////////////////////////////////// // // // | || | | | | | | \| || || \ // // | |/ || '|/ |/ -| ' \ / -/ |||| /| || / //...
PHP phpinfo Function Cross-Site Scripting Vulnerability
PHP is a widely used general-purpose scripting language, especially suited to web development, and can be embedded in HTML. The phpinfo function displays detailed information about the current PHP environment, including a dump of the request variables sent. When displaying the contents of arrays supplied in GET, POST or COOKIE variables, the function performs no escaping, allowing an attacker to carry out cross-site scripting attacks through a specially crafted request. PHP 4.4.3 - 4.4.6 The vendor has not yet released a patch or upgrade; we recommend that users of this software watch the vendor's homepage for the latest version: http://www.php.net --TEST-- SECURITY phpinfo simple XSS test --SKIPIF-- ?php...
WordPress 2.1.1 Remote Command Execution Backdoor Vulnerability
WordPress is a free forum and blog system. The website that distributes WordPress downloads was compromised; the intruder modified the software's code to plant a backdoor allowing remote command execution. A remote attacker could use this backdoor to execute arbitrary commands with web-process privileges on a server where the malicious WordPress version is installed. The modified files are wp-includes/feed.php and wp-includes/theme.php, to which the following code was added: In wp-includes/feed.php: function commenttextphpfilter$filterdata eval$filterdata; ... if $GET"ix"...
pam_ssh Blank Passphrase Authentication Bypass Vulnerability
pamssh is a PAM module used together with SSH keys and SSH clients, allowing SSH keys to be used for UNIX login. The implementation of pamssh has a vulnerability; a remote attacker could exploit it to gain unauthorized access. If the allowblankpassphrase option is disabled, the authviakey function in pamssh's pamssh.c file fails to correctly restrict the use of private keys with blank passphrases. At the passphrase prompt, a user can enter an arbitrary non-empty passphrase to bypass the authentication restriction and use a private key that has a blank passphrase. pamssh 1.91 The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:...
PHP fopen Safe_Mode Restriction Bypass Vulnerability
PHP is an open-source web programming language. PHP has a safe mode bypass issue; a remote attacker can exploit it to write files to unauthorized locations, create files and execute them. In PHP 5.2.0 safemode can be bypassed using write mode; the fopen function is described as follows: - -845-845--- Code from PHP520 ext/standard/file.c START stream = phpstreamopenwrapperexfilename, mode, useincludepath ? USEPATH : 0 | ENFORCESAFEMODE | REPORTERRORS, NULL, context; -...
Computer Associates Multiple CleverPath Portal Environment Session Hijacking Vulnerability
The CleverPath Portal environment has a security issue when configured with multiple Portal servers sharing a common data store. This can cause a user connecting through one Portal server to inherit a Portal session associated with the security credentials of a user on another Portal server. When multiple Portal servers share a common data store and two Portal servers are started at the same time, a problem with CleverPath Portal environment variable data can allow access to the service with another user's privileges. The CleverPath Portal environment variable is not configured by default. Computer Associates Unicenter Workload Control Center 1.0 SP4...
DieselScript Smart Traffic Index.PHP Remote File Inclusion Vulnerability
DieselScript Smart Traffic is a PHP-based web application. DieselScript Smart Traffic does not properly filter user-supplied URI data; a remote attacker can exploit this to execute arbitrary commands with web-process privileges. The problem is that the 'index.php' script lacks filtering of the user-supplied 'src' parameter; supplying a malicious remote server as the include target can lead to execution of arbitrary PHP code with web-process privileges. DieselScripts Smart Traffic http://www.dieselscripts.com/ http://www.example.com/Script...
Tiny Web Gallery Image Parameter Remote File Inclusion Vulnerability
Tiny Web Gallery is a PHP-based gallery application. Tiny Web Gallery does not properly filter user-supplied URI data; a remote attacker can exploit this to execute arbitrary commands with web-process privileges. The problem is that the 'image.php' and 'image.php2' scripts lack filtering of the user-supplied 'image' parameter; supplying a malicious remote server as the include target can lead to execution of arbitrary PHP code with web-process privileges. Tiny Web Gallery 1.5 http://www.tinywebgallery.com/en/index.htm...
NetBSD Multiple Local Information Disclosure Vulnerabilities
NetBSD is an open-source operating system. NetBSD lacks filtering when returning kernel memory to user space; a local attacker can exploit this to obtain sensitive kernel information. No detailed vulnerability information is currently available. NetBSD NetBSD 3.0.1 NetBSD NetBSD 3.0 NetBSD NetBSD 2.1 NetBSD NetBSD 2.0.3 NetBSD NetBSD 2.0.2 NetBSD NetBSD 2.0.1 NetBSD NetBSD 2.0 NetBSD NetBSD Current NetBSD NetBSD 3,1RC1 NetBSD NetBSD 2.1.1 NetBSD NetBSD 2.0.4...
EncapsCMS 0.3.6 (core/core.asp) Remote File Include Vulnerability
No description provided by source. Firewall encapscms 0.3.6 - Remote File Include by Firewall BuG FounD by Firewall Application Affect: encapscms 0.3.6 Sorce Code: http://scripts.ringsworld.com/content-management/encapscms-0.3.6.zip Code: includeonce$root."core/Config.php";...
Kayako eSupport <= 2.3.1 (subd) Remote File Inclusion Vulnerability
No description provided by source. Script: Kayako eSupport = 2.3.1 Vendor: Kayako www.kayako.com Discovered: beford xbefordx gmail com Comments: It seems like the vendor silently fixed the issue in the current version more like since v2.3.5 without warning users of previous versions, noobs...
Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)
No description provided by source. / $Id: raptorprctl.c,v 1.1 2006/07/13 14:21:43 raptor Exp $ raptorprctl.c - Linux 2.6.x suiddumpable vulnerability Copyright c 2006 Marco Ivaldi [email protected] The suiddumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16...
BLOG:CMS <= 4.0.0k Remote SQL Injection Exploit
No description provided by source. !/usr/bin/php -q -d shortopentag=on ? echo "BLOG:CMS = 4.0.0k sql injection/admin credentials disclosure exploit\n"; echo "by rgod [email protected]\n"; echo "site: http://retrogod.altervista.org\n"; echo "dork: "Powered by BLOG:CMS"|"Powered by...
MS Windows XP Workstation Service Remote Exploit (MS03-049)
Vulnerability description: Microsoft DCE/RPC services provide network management functions, including management of user accounts and network resources. Some of these network management functions generate debug log files in the "debug" subdirectory of the Windows directory. The Microsoft Workstation service lacks sufficient buffer boundary checking when writing log records; a remote attacker can exploit this vulnerability by supplying an overly long parameter to trigger a buffer overflow and execute arbitrary instructions on the system with SYSTEM privileges. The logging function uses vsprintf to build the strings written to the log file, which is named "NetSetup.LOG" and stored in the Windows "debug" directory....
MS Internet Explorer Object Data Remote Exploit (M03-032)
CVE-ID: CVE-2003-0701 CNNVD-ID: CNNVD-200308-125 Affected versions: •Microsoft Internet Explorer 5.01 •Microsoft Internet Explorer 5.5 •Microsoft Internet Explorer 6.0 •Microsoft Internet Explorer 6.0 for Windows Server 2003 Solution: an official upgrade patch has been released; please upgrade to the latest version immediately. titleby malware M03-032 Exploit/title script language=vbs...
Visual Tools DVR VX16 Unauthenticated Command Injection
...
VoIPMonitor Unauthenticated Remote Code Execution Vulnerability (CVE-2021-30461)
SSD Advisory – VoIPmonitor UnAuth RCE May 6, 2021 SSD Disclosure / Technical Lead Uncategorized TL;DR Find out how a vulnerability in VoIPmonitor allows an unauthenticated attacker to execute arbitrary code. Vulnerability Summary VoIPmonitor is “open source network packet sniffer with commercial...
Hacking LIFX Smart LED Light bulbs to steal WiFi Passwords
Context Information Security firm has discovered a security vulnerability in LIFX smart LED light bulbs that can be remotely controlled by mobile devices. Researchers at Context Information Security have discovered a security flaw in a WiFi enabled, smart LED light LIFX bulb that can be remotely...
CloudMe Unauthenticated Remote Buffer Overflow(CVE-2018-6892)
The following advisory describes one 1 vulnerability found in CloudMe. CloudMe is “a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. It features a blue folder that appears on all devices with the same content, all files are...
OpenNMS Java Object Deserialization RCE
! /usr/bin/env python3 Credits: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/opennms nessus/plugins/opennmsjavaserialize.nasl cobbled together by pancho import socket import sys def buildcmd:...
Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution
Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description The router suffers from authenticated arbitrary system command execution. The application interface allows users to perform certain actions via HTTP requests without...
Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service
Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description The router suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario. /lte/lteuicc.shtml: 858:...
Windows: use-after-free in jscript!NameTbl::GetValDef(CVE-2017-11903)
There is a use-after-free vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors: - An attacker on the local network could exploit this issue by posing as a WPAD Web Proxy Auto-Discovery host and sending a malicious wpad.dat file to the victim. This works...
VMware VNC Dynamic Resolution Request Code Execution Vulnerability(CVE-2017-4933)
Summary An exploitable code execution vulnerability exists in the remote management functionality of VMware . A specially crafted set of VNC packets can cause a heap overflow resulting in heap corruption. An attacker can create a VNC session to trigger this vulnerability. Tested Versions Vase,...
Coredy CX-E120 Repeater Multiple Vulnerabilities
Vulnerabilities Summary The following advisory describes two 2 vulnerabilities found in Coredy CX-E120 Repeater. The Coredy CX-E120 WiFi Range Extender is “a network device with multifunction, which can be using for increasing the distance of a WiFi network by boosting the existing WiFi signal an...
CRITICAL CODESYS VULNERABILITIES IN WAGO PFC 200 SERIES
VENDOR DESCRIPTION “The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for decentralized automation tasks. With the relay, function and interface modules, as well as overvoltage protection, WAGO provides a suitable interface for any application.” Source:...
Cesanta Mongoose DNS Query Compressed Name Pointer Denial Of Service(CVE-2017-2909)
Summary An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. An attacker can send a packet over network to trigger this vulnerability...
Adobe Flash Player Infinite Recursion Arbitrary Read Access Violation(CVE-2016-4132)
SUMMARY A potentially exploitable read access violation vulnerability exists in the way Adobe Flash Player handles infinitely recursive calls. A specially crafted ActionScript code can cause a read access violation which can potentially be further abused. To trigger this vulnerability user...
Ruby Psych::Emitter start_document Heap Overflow Vulnerability(CVE-2016-2338)
DESCRIPTION An exploitable heap overflow vulnerability exists in the Psych::Emitter startdocument function of Ruby. In Psych::Emitter startdocument function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase...
Kaspersky Internet Security KLIF Driver NtAdjustTokenPrivileges_HANDLER Denial of Service(CVE-2016-4305)
Summary A denial of service vulnerability exists in the syscall filtering functionality of Kaspersky Internet Security KLIF driver. A specially crafted native api call can cause an access violation in KLIF kernel driver resulting in local denial of service. An attacker can run program from user mo...
Hancom Hangul HCell Workbook Table and Pivot Style Code Execution Vulnerability(CVE-2016-4293)
Description This vulnerability was discovered within the Hangul Hcell application which is part of the Hangul Office Suite. Hangul Office is published by Hancom, Inc. and is considered one of the more popular Office suites used within South Korea. When opening a Hangul Hcell Document .cell and...
Aerospike Database Server Set Name Code Execution Vulnerability(CVE-2016-9054)
Summary An exploitable stack-based buffer overflow vulnerability exists in the querying functionality of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause a stack-based buffer overflow in the function assindexsimatchlistbysetbinid resulting in remote code execution. An...
Moxa AWK-3131A Web Application systemlog.log Information Disclosure Vulnerability(CVE-2016-8725)
Summary An exploitable information disclosure vulnerability exists in the Web Application functionality of the Moxa AWK-3131A wireless access point running firmware 1.1. Retrieving a specific URL without authentication can reveal sensitive information to an attacker. Tested Versions Moxa AWK-3131...
PowerIso Parsing Code Execution Vulnerability(CVE-2017-2817)
Summary A stack buffer overflow vulnerability exists in the ISO parsing functionality of Power Software Ltd PowerISO. A specially crafted ISO file can cause a vulnerability resulting in potential code execution. An attacker can send a specific ISO file to trigger this vulnerability. Tested...
Foscam IP Video Camera CGIProxy.fcgi Change Username pureftpd.passwd Injection Vulnerability(CVE-2017-2850)
Summary An exploitable injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary characters in the pureftpd.passwd file during a username...
Ledger CLI Account Directive Use-After-Free Vulnerability(CVE-2017-2808)
Summary An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to trigger th...
Windows Kernel stack memory disclosure in nt!NtQueryInformationTransaction(CVE-2017-8480)
We have discovered that the nt!NtQueryInformationTransaction system call called with the 1 information class discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10. The specific name of the 1 information class or the layout of the corresponding...
Windows Kernel stack memory disclosure in DeviceApi(CVE-2017-8474)
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 through the PiDqIrpQueryGetResult, PiDqIrpQueryCreate, PiDqQueryCompletePendedIrp IOCTLs sent to the \Device\DeviceApi device. The analysis shown below was...