XYCMS hf_book.php page id parameter injection vulnerability
No description provided by source...
Country micro CMS government website system guestbook SQL injection
No description provided by source...
TerraMaster NAS TOS <= 3.0.30 Unauthenticated RCE as Root
Recently I bought a TerraMaster F2-420 NAS from Amazon in order to store my private code, backups and this kind of stuff. As soon as it arrived I started to play with its web interface and eventually I wanted to see how it was implemented, moreover I was curious to see if I could find any remotel...
Country micro CMS member authentication SQL injection
No description provided by source...
Think high CMS has multiple SQL injection vulnerabilities
No description provided by source...
Country micro CMS government website system public advisory module SQL injection
No description provided by source...
PHPMyWind v5.4 background arbitrary file deletion
No description provided by source...
ourphp background arbitrary file deletion
No description provided by source...
CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux
Contents: Analysis, Exploitation, Example, Acknowledgments. Analysis...
Mozilla Firefox: Memory disclosure in ConvolvePixel(CVE-2017-5465)
Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1347617 There is an out-of-bounds read leading to memory disclosure in Firefox. The vulnerability was confirmed on the nightly ASan build. PoC: Preliminary analysis: The problem seems to be the negative kernel unit length. This...
Apple iOS / OS X NSKeyedArchiver Memory Corruption(CVE-2017-2527)
CAMediaTimingFunctionBuiltin is a class in QuartzCore. Its initWithCoder: method reads an Int "index" then passes that to builtinfunction: `mov ebx, edi ; controlled unsigned int` / `mov r14d, ebx` / `lea r15, _ZL9functions_0 ; functions` / `mov rax, [r15+r14*8]` if rax is non-null it's returned as an objective-c...
OpenVPN Access Server : CRLF injection with Session fixation(CVE-2017-5868)
Description OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, a...
Google Android Broadcom Wi-fi Driver Information Disclosure Vulnerability(CVE-2017-0633)
An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious component to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10,...
Apple MacOS 32-Bit Syscall Exit Kernel Register Leak(CVE-2017-2509)
The XNU kernel, when compiled for an x86-64 CPU, can run 32-bit x86 binaries in compatibility mode. 32-bit binaries use partly separate syscall entry and exit paths. To return to userspace, unix_syscall in bsd/dev/i386/systemcalls.c calls thread_exception_return in osfmk/x86_64/locore.s, which in turn...
Linux: eBPF verifier log leaks lower half of map pointer
When the eBPF verifier (kernel/bpf/verifier.c) runs in verbose mode, it dumps all processed instructions to a user-accessible buffer in human-readable form using print_bpf_insn. For instructions with class BPF_LD and mode BPF_IMM, it prints the raw 32-bit value: `else if (class == BPF_LD) { if (BPF_MODE(insn->co`...
Apple MacOS NSUnarchiver Heap Corruption(CVE-2017-2523)
Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to CFCharacterSetGetPredefined or uses it directly to manipulate NSBuiltinSetTable. Neither path has any bounds checking and the...
Apple macOS - 'stackshot' Raw Frame Pointers(CVE-2017-2516)
This is an issue that allows unentitled root to read kernel frame pointers, which might be useful in combination with a kernel memory corruption bug. By design, the syscall stack_snapshot_with_config permits unentitled root to dump information about all user stacks and kernel stacks. While a target...
Apple iOS / MacOS Netagent Kernel Memory Disclosure(CVE-2017-2507)
iOS/MacOS kernel memory disclosure due to lack of bounds checking in netagent socket option handling. netagent_ctl_setopt is the setsockopt handler for netagent control sockets. Options of type NETAGENT_OPTION_TYPE_REGISTER are handled by netagent_handle_register_setopt. Here's the code: `static errno_t`...
Mozilla Firefox: out-of-bounds read in gfxTextRun(CVE-2017-5447)
Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1343552 There is an out-of-bounds read vulnerability in Firefox. The vulnerability was confirmed on the nightly ASan build. PoC: `.class1 { float: left; white-space: pre-line; } .class2 { border-bottom-style: solid; font-face: Arial;`...
Apple iOS / MacOS Domain Socket Kernel Use-After-Free(CVE-2017-2501)
iOS/MacOS kernel UAF due to bad locking in unix domain socket file descriptor externalization. unp_externalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver and recreating a file which...
Apple iOS / MacOS NSKeyedArchiver Heap Corruption(CVE-2017-2524)
Using lldb inside a simple helloworld app for iOS we can see that there are over 600 classes which we could get deserialized, for persistence for example. The TextInput framework which is loaded has a class TIKeyboardLayout. The initWithCoder: implementation has this code (this is the x86 code, th...
Code Injection through DLL Sideloading in 64bit Oracle Java(CVE-2017-3511)
This blog post is about a DLL sideloading vulnerability in the 64-bit Windows version of Oracle Java. It allows any local user to inject code into Java processes of other users. At the time of writing it has been verified with the latest stable 64-bit Java version 1.8.0_101 on both a fully patched...
Apple macOS - Local Privilege Escalation Vulnerability(CVE-2017-6978)
HIServices.framework is used by a handful of daemons and implements its own CFObject serialization mechanism. The entry point to the deserialization code is AXUnserializeCFType; it reads a type field and uses that to index an array of function pointers for the supported types: const:0000000000053ED0...
WebKit: UXSS via ContainerNode::parserRemoveChild
Here's a snippet of ContainerNode::parserRemoveChild. `void ContainerNode::parserRemoveChild(Node& oldChild) { disconnectSubframesIfNeeded(this, DescendantsOnly);` ... `let xml = ` ... `let p = document.querySelector('p'); let link = p.appendChild(document.createElement('link')); link.rel = 'stylesheet'; link.href =`...
WebKit enqueuePageshowEvent / enqueuePopstateEvent Universal XSS(CVE-2017-2510)
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that improperly interacts with pageshow events. He...
WebKit: UXSS via Editor::Command::execute(CVE-2017-2504)
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that improperly...
WebKit: UXSS through HTMLObjectElement::updateWidget(CVE-2017-2493)
When an object element loads a JavaScript URL (e.g., javascript:alert(1)), it checks whether it violates the Same Origin Policy or not. Here are some snippets of the logic. `void HTMLObjectElement::updateWidget(CreatePlugins createPlugins) { ... String url = this->url; ... if (!allowedToLoadFrameURL(url)) return;`...
WebKit WebCore::FrameView::scheduleRelayout Use-After-Free(CVE-2017-2514)
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted we...
Linux lp.c Out-of-Bounds Write via Kernel Command-line
Vulnerable versions: Linux 4.12-rc1 and below, Linux 3.x, Linux 2.6.x, Linux 2.4.x, Linux 2.2.x. Mitigation: a patch has been committed to the mainline tree, available in the 4.12-rc2 release. 3.18 / 4.4 stable releases with the patch are also available (see timeline). Technical details: Due to a missing...
initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection
In the May 2017 Android Security Bulletin, Google released a patch to a critical and unique vulnerability CVE-2016-10277 in the Nexus 6 bootloader we had found and responsibly disclosed. By exploiting the vulnerability, a physical adversary or one with authorized-ADB/fastboot USB access to the...
WebKit: JSC: BindingNode::bindValue doesn't increase the scope's reference count(CVE-2017-2505)
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and...
Samba remote code execution vulnerability(CVE-2017-7494)
1. Vulnerability overview. 1.1 Vulnerability profile: Samba is software that implements the SMB protocol on Linux and UNIX systems, and many IoT devices also use Samba. On May 24, 2017, Samba released version 4.6.4 to fix a serious remote code execution vulnerability, vulnerability number...
xycms section management module SQL injection vulnerability
No description provided by source...
IBM Informix Dynamic Server Open Admin Tool RCE (CVE-2017-1092)
Vulnerabilities summary: The following advisory describes six (6) vulnerabilities found in Informix Dynamic Server and Informix Open Admin Tool. IBM Informix Dynamic Server: exceptional, low-maintenance online transaction processing (OLTP) data server for enterprise and workgroup computing. IBM Informi...
xycms manage_book.php page keyword parameter injection vulnerability
No description provided by source...
webone cms news_con.php pk parameter SQL injection vulnerability
No description provided by source...
Country micro CMS comment solicitation module SQL injection
No description provided by source...
VMWare Workstation On Linux Privilege Escalation
This vulnerability permits an unprivileged user on a Linux machine on which VMWare Workstation is installed to gain root privileges. The issue is that, for VMs with audio, the privileged VM host process loads libasound, which parses ALSA configuration files, including one at ~/.asoundrc. libasound...
Country micro CMS multiple reflected XSS
No description provided by source...
openEAP unified login portal system has a generic XXE vulnerability
No description provided by source...
PlaySMs 1.4 'import.php' Remote Code Execution
Description: Code execution using import.php. We know import.php accepts a file and just reads its content, which is not stored on the server. But when we store a payload in our backdoor.csv and upload it to the phonebook, it executes our payload and shows it on the next page in the NAME, MOBILE, Email, Group Code, Tags fields accordingly. ...
PHPCMS v9.6.2 arbitrary file read vulnerability
By diffing, we found that the phpcms patch modifies the filtering of `$fileurl` and adds a check for ".." in the path. By fuzzing and reading other analyses of phpcms file read vulnerabilities, we found the following several ways in which the path can still bypass this patch (Windows && a specific version...
Address bar spoofing on macOS Safari(CVE-2017-2500)
version: Safari. `function spoof() { document.write("Apple login. Please input your Apple ID!!! But this is not apple.com!"); window.location.assign("http://www.apple.com:1234"); // or you can use the following JS code: // window.location.assign("http://access.apple.com"); } setInterval(spoof, 2000); setTimeout(functio`...
GNU Bash code execution vulnerability in path completion(CVE-2017-5932)
1 Introduction GNU Bash from version 4.4 contains two bugs in its path completion feature leading to a code execution vulnerability. An exploit can be realized by creating a file or directory with a specially crafted name. A user utilizing GNU Bash's built-in path completion by hitting the Tab...
KDE kauth and kdelibs Logic Flaw Lets Local Users Obtain Root Privileges(CVE-2017-8422)
This document describes a generic root exploit against KDE. The exploit is achieved by abusing a logic flaw within the KAuth framework which is present in kde4 (org.kde.auth) and kde5 (org.kde.kf5auth). It is possible to spoof what KAuth calls callerIDs, which are in fact D-Bus unique names of the...
Win32k Elevation of Privilege Vulnerability(CVE-2017-0263)
May has been a busy month for vulnerabilities in the world's most popular desktop operating system. Hackers have made headlines with massive infections by WannaCry ransomware, which exploits an SMB security flaw and the ETERNALBLUE tool. Shortly prior, on May 9, Microsoft fixed CVE-2017-0263, whi...
Oracle PeopleSoft Remote Code Execution: Blind XXE to SYSTEM Shell
Oracle PeopleSoft I had the chance, a few months ago, to audit several Oracle PeopleSoft solutions, including PeopleSoft HRMS and PeopleTool. Despite several undocumented CVEs, the Internet did not have much to offer on how to attack the software, except for the very informative talk from ERPScan...
Joomla! 3.7 Core SQL Injection (CVE-2017-8917)
Author: p0wd3r, Knownsec 404 Security Lab. Date: 2017-05-18. 0x00 Vulnerability overview. Vulnerability description: On 17 May Joomla released the new version 3.7.1 (https://www.joomla.org/announcements/release-news/5705-joomla-3-7-1-release.html), and this update fixes a high-risk SQL...
iBooks information disclosure(CVE-2017-2497)
What's an EPUB file? EPUB is an e-book file format with the extension .epub that can be downloaded and read on devices like smartphones, tablets, computers, or e-readers. In technical terms, an EPUB file is a ZIP archive that contains, in effect, a website, including HTML files, images, C...
Microsoft Malware Protection Engine RCE (CVE-2017-0290)
Natalie Silvanovich and Tavis Ormandy of Google Project Zero found a pretty nasty bug in Microsoft Malware Protection Engine, allowing an attacker to execute arbitrary code as LocalSystem on any Windows computer running any Microsoft anti-malware product such as Security Essentials or Windows...