have been added: multi-level undo, syntax highlighting, command line history,
on-line help, spell checking, filename completion, block operations, etc.''
-- VIM 7.1 README.txt
Parts of Vim are written in the Vim script language. A feature of this
language widely used in the Vim code is the ``execute'' command, an equivalent
of ``eval'' in some other languages. Throughout Vim, arguments passed to
``execute'' are not sanitized properly. This can lead to arbitrary code
execution. We will show several exploits which execute arbitrary code upon
opening a crafted file with the ex(1), vim(1), or view(1) commands. Only in a
few cases will we explore the possibility of remote exploitation. We will
The following PoC code is available:
http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+
3) Input passed via the "mode" GET parameter to contact_support.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
An out-of-bounds reading flaw in the JBIG2 decoder allows remote
attackers to cause a denial of service (crash) via a crafted PDF file
(CVE-2009-0799).
Multiple input validation flaws in the JBIG2 decoder allow
remote attackers to execute arbitrary code via a crafted PDF file
(CVE-2009-0800).
An integer overflow in the JBIG2 decoder allows remote attackers to
execute arbitrary code via a crafted PDF file (CVE-2009-1179).
1) Input passed to the "clientid" parameter in "www/admin/banner-acl.php",
"www/admin/banner-edit.php", "www/admin/campaign-zone.php",
"www/admin/advertiser-campaigns.php", "www/admin/campaign-banners.php",
and "www/admin/banner-activate.php" is not properly sanitised before
being returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in the context of an
affected site.
2) Input passed to the "orderdirection" and "listorder" parameters in
"www/admin/userlog-index.php" and "www/admin/stats.php" is not
properly sanitised before being returned to the user. This can be
Application: Piwik <= 0.4.5
Severity: Piwik unserializes() user input which allows an attacker
to send a carefully crafted cookie that when unserialized
utilizes Piwik's classes to upload arbitrary files or
execute arbitrary PHP code
Risk: Critical
Vendor Status: Piwik 0.5.0 was released which fixes this vulnerability
Reference:
http://www.sektioneins.com/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/
If any exception occurs during execution of a kernel-mode service
routine's prologue prior to the initial SWAPGS instruction, or in the
epilogue after the final SWAPGS instruction, then the fault handler
will be invoked with a "return CS" indicating kernel mode, but with a
GS base not guaranteed to be kernel GS, because the interrupted
prologue code did not yet have a chance to execute the SWAPGS
instruction. In other words, the interrupt handler for the exception
could execute with user GS still active, and yet it will not use
SWAPGS to switch to kernel GS because the previous mode was kernel
mode, meaning the handler could then act upon user-controlled data as
though it were trusted kernel data.
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.
1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664
1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
<form action="http://[host]/admin/login.php?action=process" method="post" name="main" id="main">
Description:
============
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of McAfee LinuxShield. User interaction is not
required to exploit this vulnerability but an attacker must be
authenticated.
The LinuxShield Webinterface communicates with the locally installed
The JBIG2 decoder in Xpdf 3.02pl2 and earlier allows remote attackers
to cause a denial of service (crash) via a crafted PDF file that
triggers a free of uninitialized memory (CVE-2009-0166).
Heap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9,
and probably other products, allows remote attackers to execute
arbitrary code via a PDF file with crafted JBIG2 symbol dictionary
segments (CVE-2009-0195).
The JBIG2 decoder in Xpdf 3.02pl2 and earlier allows remote attackers
to cause a denial of service (crash) via a crafted PDF file that
Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-3231)
It was discovered that the MNG, MOD, and Real demuxers in xine-lib did not
correctly handle memory allocation failures. If a user or automated system were
tricked into opening a specially crafted MNG, MOD, or Real file, an attacker
could crash xine-lib or possibly execute arbitrary code with the privileges of
the user invoking the program. This issue only applied to Ubuntu 6.06 LTS, 7.10,
and 8.04 LTS. (CVE-2008-5233)
It was discovered that the QT demuxer in xine-lib did not correctly handle
an invalid metadata atom size, resulting in a heap-based buffer overflow. If a
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Akamai's Download Manager allows attackers to download arbitrary
files onto a user's desktop. Using a so-called "blended
threat" attack it is possible to execute arbitrary code. This
attack affects the ActiveX control as well as the Java applet.
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
fork of the Cute News project which is designed to improve security and
is available for free from http://korn19.ch/coding/utf8-cutenews/
Multiple vulnerabilities exist in Cute News and UTF-8 CuteNews. These
vulnerabilities can be exploited to steal user credentials, disclose
file contents, disclose the file path of the application and execute
arbitrary commands.
Cute News appears to be abandoned since September 2008. A local file
inclusion (LFI) vulnerability was discovered by athos on January 9th,
2009 for which no patch has been made.
The Windows operating system supports a range of file permissions
for files stored on volumes formatted in the NTFS file system format.
For executing EXE files, the acting user account only needs the
"Execute File" permission, while all others might be missing or denied,
although there are cases when this is not true. The exact rule is unknown
to the author. In the system used to test and verify the vulnerability
the Execute File permission was enough to run programs. On another system running
Windows 7 that was not true. Starting EXE files succeeded only if other
permissions were enabled, including the Read Data permission. On another
---[ Vulnerability description ]
Positive Research Center has discovered multiple XSS vulnerabilities in Kayako Support Suite.
The application insufficiently verifies the incoming "subscriberdata" parameter in the /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability an attacker should convince a user with "staff" privileges to open a URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
The application insufficiently verifies the incoming "subject" parameter in the /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attacker should trick a user with "staff" privileges into opening a URL like:
"%ALLUSERSPROFILE%\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86"
for 32-bit installations and in "%ALLUSERSPROFILE%\Application Data\
{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64" for 64-bit installations. The
installer installs in this directory DifXInstall32.exe or DifXInstall64.exe for
32-bit or 64-bit installations, respectively, along with DIFxAPI.dll and other
files. After the installer writes these files to the directory, it will execute
DifXInstall32.exe or DifXInstall64.exe in the context of Local System, a
privileged user.
On a standard Windows installation, unprivileged users have write-access to
"%ALLUSERSPROFILE%\Application Data". As such, prior to a first-time iTunes
JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg,
and (3) JBIG2Stream::readGenericBitmap. (CVE-2009-0146, CVE-2009-0147)
Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and
earlier allows remote attackers to cause a denial of service (daemon
crash) and possibly execute arbitrary code via a crafted TIFF image,
which is not properly handled by the (1) _cupsImageReadTIFF function
in the imagetops filter and (2) imagetoraster filter, leading to a
heap-based buffer overflow. (CVE-2009-0163)
Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
about software on the user's computer. This issue only affects Firefox 2.
(CVE-2008-5012)
It was discovered that Firefox did not properly check if the Flash
module was properly unloaded. By tricking a user into opening a crafted
SWF file, an attacker could cause Firefox to crash and possibly execute
arbitrary code with user privileges. This issue only affects Firefox 2.
(CVE-2008-5013)
Jesse Ruderman discovered that Firefox did not properly guard locks on
non-native objects. If a user were tricked into opening a malicious
Details follow:
Alin Rad Pop discovered an array index vulnerability in the SDP
parser. If a user or automated system were tricked into opening a
malicious RTSP stream, a remote attacker may be able to execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2008-0073)
Luigi Auriemma discovered that xine-lib did not properly check
buffer sizes in the RTSP header-handling code. If xine-lib opened an
AOL LLC Vendor Statement;
Overview
AOL has become aware of security vulnerabilities in several AIM instant
messaging clients. Successful exploitation of these vulnerabilities could
allow an attacker to execute arbitrary commands on a user's workstation.
AOL has deployed host side filtering on the AIM servers to block this
potentially malicious content from being sent to AIM clients.
Affected Products and Applications
* AIM 6.1
users for requests that were initiated by a plugin and received a
307 redirect to a page on a different web site. (CVE-2011-0059)
Buffer overflow in Mozilla Firefox 3.6.x before 3.6.14, Thunderbird
before 3.1.8, and SeaMonkey before 2.0.12 might allow remote attackers
to execute arbitrary code or cause a denial of service (application
crash) via a crafted JPEG image. (CVE-2011-0061)
The nsIScriptableUnescapeHTML.parseFragment method in the
ParanoidFragmentSink protection mechanism in Mozilla Firefox before
3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey
following problems:
CVE-2009-0945
Array index error in the insertItemBefore method in WebKit, as used in qt4-x11,
allows remote attackers to execute arbitrary code.
CVE-2009-1687
The JavaScript garbage collector in WebKit, as used in qt4-x11 does not
Failures in handling MNG, Real, or MOD files allow remote attackers
to cause a denial of service via crafted files
(CVE-2008-5233).
Heap-based overflow allows remote attackers to execute arbitrary
code by using Quicktime media files holding crafted metadata
(CVE-2008-5234).
Heap-based overflow allows remote attackers to execute arbitrary code
by using either crafted Matroska or Real media files (CVE-2008-5236).
the following problems:
CVE-2009-0945
Array index error in the insertItemBefore method in WebKit, allows remote
attackers to execute arbitrary code via a document with a SVGPathList data
structure containing a negative index in the SVGTransformList, SVGStringList,
SVGNumberList, SVGPathSegList, SVGPointList, or SVGLengthList SVGList object,
which triggers memory corruption.