function call
0116D366 MOV EDX,DWORD PTR DS:[ECX+C0]
0116D36C MOV DWORD PTR DS:[EDX],EAX ; <- Control of EDX and EAX
-------------------------------------------------------------------
-------------------------------------------------------------------
Function Call
014AEA5F MOV EAX,DWORD PTR DS:[EDX+C] ; <- Control EDX
014AEA62 CALL EAX
014AEA64 TEST EAX,EAX
014AEA66 JE SHORT sqlservr.014AEA70
-------------------------------------------------------------------
file with a filename containing a kernel memory address, which allows
local users to obtain potentially sensitive information about kernel
memory use by listing this filename. (CVE-2010-4565)
The install_special_mapping function in mm/mmap.c does not make an
expected security_file_mmap function call, which allows local users
to bypass intended mmap_min_addr restrictions and possibly conduct
NULL pointer dereference attacks via a crafted assembly-language
application. (CVE-2010-4346)
The sk_run_filter function does not check whether a certain memory
os2. substring at the beginning of a name. (CVE-2010-2946)
Multiple integer signedness errors in net/rose/af_rose.c in the
Linux kernel allow local users to cause a denial of service (heap
memory corruption) or possibly have unspecified other impact via a
rose_getname function call, related to
the rose_bind and rose_connect functions. (CVE-2010-3310)
Integer overflow in the do_io_submit function in fs/aio.c in the
Linux kernel allows local users to cause a denial of service or possibly
have unspecified other impact via crafted use of the io_submit system
arbitrary code, when visiting a malicious website.
CVE-2009-1698
It was discovered that there could be an uninitialised pointer when
handling a Cascading Style Sheets (CSS) attr function call. This could
lead to the execution of arbitrary code, when visiting a malicious
website.
CVE-2009-1687
CVE-2009-1698
WebKit does not initialize a pointer during handling of a Cascading Style Sheets
(CSS) attr function call with a large numerical argument, which allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption and application crash) via a crafted HTML document.
CVE-2009-1711
CVE-2011-4075
Input passed to the "orderby" parameter in cmd.php (when "cmd" is set to
"query_engine", "query" is set to "none", and "search" is set to e.g.
"1") is not properly sanitised in lib/functions.php before being used in a
"create_function()" function call. This can be exploited to inject and
execute arbitrary PHP code.
For the oldstable distribution (lenny), these problems have been fixed in
version 1.1.0.5-6+lenny2.
Version Information:
http://www.website.tld/achievo/doc/CHANGES
Vulnerable Function / ID Calls: (XSS)
atkaction (this has to be used in conjunction with another main function call!)
Cross Site Scripting:
1. http://www.website.tld/achievo/index.php?"><script>alert(0)</script><br
Explained: The above has minimal impact, as it is almost impossible, if not impossible, to abuse. It works only when one is not logged in.
DESCRIPTION:
The 3rd party module formlib.pl contained an error in handling/printing
of unsanitized input data, which could lead to a malicious user
injecting code into the user's displayed page via a custom generated
link, if this subroutine was called AND the user's browser does not
encode the input string.
SECURITY IMPLICATIONS:
Low. "Skein" has written separately (not on bugtraq) that the danger
Details:
SQL Injection works by attempting to modify the parameters passed to an application to change the SQL statements that are passed to a database. SQL injection can be used to insert additional SQL statements to be executed.
The 'Type', 'snapshot' and 'table' parameters used in web page /em/console/ecm/history/configHistory and 'fConfigGuid' parameter used in /em/console/ecm/config/compare/compareWizSecondConfig are vulnerable to SQL Injection attacks. These web pages are part of Oracle Enterprise Manager web application. It may be possible for a malicious user to execute a function with the elevated privileges of the SYSMAN database user in the repository database. This user has the DBA role granted.
Impact:
This vulnerability allows an Oracle Enterprise Manager user with VIEW (or more) privileges to execute a function call with the elevated privileges of the SYSMAN database user.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1,
Thunderbird 10.x before 10.0.1, and SeaMonkey 2.7 allows remote
attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via vectors that trigger failure of
an nsXBLDocumentInfo::ReadPrototypeBindings function call, related
to the cycle collector's access to a hash table containing a stale
XBL binding (CVE-2012-0452).
_______________________________________________________________________
References:
recursion in certain DOM event handlers. (CVE-2009-1690).
WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a
pointer during handling of a Cascading Style Sheets (CSS) attr function
call with a large numerical argument, which allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption
and application crash) via a crafted HTML document (CVE-2009-1698).
KDE Konqueror allows remote attackers to cause a denial of service
(memory consumption) via a large integer value for the length property
"onload" is set to a Javascript object's attributes or childNodes
collection. An event object is created and this object's memory is later
freed; however, a reference to the object remains. When the reference is
later used to access the event object, this now-invalid memory is
treated as a valid object. The corrupt object's vtable is used to make
an indirect function call. This may result in the execution of arbitrary
code.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
> DESCRIPTION:
>
> The 3rd party module formlib.pl contained an error in handling/printing
> of unsanitized input data, which could lead to a malicious user
> injecting code into the user's displayed page via a custom generated
> link, if this subroutine was called AND the user's browser does not
> encode the input string.
>
This is inaccurate.
There is another way to use your vuln (as not direct on typing it in to
"If [the argument] is 0, then malloc() returns either
NULL, or a unique pointer value that can later be
successfully passed to free()."
On an Ubuntu v8.04 system, malloc(0) is observed to return a non-null
pointer. Thus, execution continues. The msIO_fread() function call at
cgiutil.c:63 returns 0, so execution reaches cgiutil.c:69, which
contains "data[data_max] = '\0';". Because "data_max" is set to -1,
this causes the program to write a zero byte outside the bounds of the
"data" array in heap memory.
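The sequence just described (atoi() of CONTENT_LENGTH, malloc() of length+1, a read that returns 0, then a terminator stored at data[data_max]) is the whole bug, and the guard belongs on the length before any allocation is attempted. The following C program is an added example and not code from the original report or from the project it describes: it models the stream behind msIO_fread() with a small in-memory reader (constructed for this example), shows the vulnerable shape for contrast under a hypothetical name, and beside it a hardened reader whose CONTENT_LENGTH parser rejects negative, non-numeric and oversized values and treats a short read as an error rather than something to cover with a terminator. The function names, the 1024-byte cap and the sample bodies are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* In-memory stand-in for the stream behind msIO_fread() (constructed). */
typedef struct {
    const char *buf;
    size_t len;
    size_t pos;
} body_stream;

/* fread()-shaped read: copies up to size*nmemb bytes, returns items read. */
static size_t body_read(void *dst, size_t size, size_t nmemb, body_stream *s)
{
    size_t want = size * nmemb;
    size_t avail = s->len - s->pos;
    size_t n = want < avail ? want : avail;
    memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return size ? n / size : 0;
}

/* Hypothetical reconstruction of the vulnerable shape, never called here:
 * CONTENT_LENGTH "-1" gives data_max == -1, malloc() is asked for 0 bytes
 * and may return a non-NULL pointer, and the terminator lands at data[-1]. */
static char *read_body_vulnerable(const char *content_length, body_stream *in)
{
    int data_max = atoi(content_length);        /* "-1" -> -1 */
    char *data = malloc((size_t)data_max + 1);  /* wraps to malloc(0) */
    if (data == NULL)
        return NULL;
    body_read(data, 1, (size_t)data_max, in);   /* length trusted as-is */
    data[data_max] = '\0';                      /* heap underflow */
    return data;
}

/* Strict CONTENT_LENGTH parser: decimal digits only, bounded by max_body.
 * Rejects "-1", "", " 5", "5a" and anything above the cap, so the
 * question of what malloc(0) returns never arises. */
static int parse_content_length(const char *s, size_t max_body, size_t *out)
{
    if (s == NULL || *s == '\0')
        return -1;
    for (const char *p = s; *p != '\0'; p++)
        if (*p < '0' || *p > '9')
            return -1;
    errno = 0;
    unsigned long long v = strtoull(s, NULL, 10);
    if (errno == ERANGE || v > max_body)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Hardened reader: validate the length before allocating, allocate at
 * least one byte, and treat a short read as an error. */
static char *read_body_hardened(const char *content_length, body_stream *in,
                                size_t max_body)
{
    size_t len;
    if (parse_content_length(content_length, max_body, &len) != 0)
        return NULL;
    char *data = malloc(len + 1);       /* len <= max_body: no wraparound */
    if (data == NULL)
        return NULL;
    if (body_read(data, 1, len, in) != len) {
        free(data);                     /* short read: reject the request */
        return NULL;
    }
    data[len] = '\0';                   /* the extra byte we allocated */
    return data;
}

/* Demonstration helper over a constructed body: 1 if accepted and equal to
 * `expect`, 0 if the hardened reader rejected it. */
static int try_read(const char *content_length, const char *body,
                    const char *expect)
{
    body_stream in = { body, strlen(body), 0 };
    char *data = read_body_hardened(content_length, &in, 1024);
    if (data == NULL)
        return 0;
    int ok = (expect != NULL && strcmp(data, expect) == 0);
    free(data);
    return ok;
}

int main(void)
{
    (void)read_body_vulnerable;   /* shown for contrast, never executed */
    printf("CONTENT_LENGTH=-1 rejected: %s\n",
           try_read("-1", "hello", NULL) == 0 ? "yes" : "no");
    printf("CONTENT_LENGTH=5 read back: %s\n",
           try_read("5", "hello", "hello") ? "ok" : "fail");
    return 0;
}
```

The hardened reader never reaches malloc() with a negative or wrapped size, so it does not matter whether this libc returns NULL or a unique pointer for malloc(0); a "10" header over a five-byte body is rejected as a short read instead of being terminated at an index the read never filled.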
recursion in certain DOM event handlers. (CVE-2009-1690)
WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a
pointer during handling of a Cascading Style Sheets (CSS) attr function
call with a large numerical argument, which allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption
and application crash) via a crafted HTML document. (CVE-2009-1698)
WebKit in Apple Safari before 4.0.2, KHTML in kdelibs in KDE, QtWebKit
(aka Qt toolkit), and possibly other products does not properly handle
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: phpDocumentor: Function call injection
Date: November 11, 2011
Bugs: #213318
ID: 201111-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
png_rgb_to_gray function but not the png_set_expand function, allows
remote attackers to overwrite memory with an arbitrary amount of data,
and possibly have unspecified other impact, via a crafted PNG image
(CVE-2011-2690).
The png_err function in pngerror.c in libpng makes a function call
using a NULL pointer argument instead of an empty-string argument,
which allows remote attackers to cause a denial of service (application
crash) via a crafted PNG image (CVE-2011-2691). NOTE: This does not
affect the binary packages in Mandriva, but could affect users if
PNG_NO_ERROR_TEXT is defined using the libpng-source-1.?.?? package.
invalid UTF-8 input that would pass the verification process and get
translated by MultiByteToWideChar to a string that includes the dot-dot
substring.
The fix to CVE-2007-1744 [6] consisted of passing the
MB_ERR_INVALID_CHARS flag to the function call, making it fail
(with the error code ERROR_NO_UNICODE_TRANSLATION) if invalid
UTF-8 input was provided.
However, since the inspection of input looking for the evil dot-dot
substring remained a step prior to its mapping to Unicode UTF-16 the basic
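The order of operations is the point: a byte-level search for ".." runs before the conversion, so any invalid sequence that the converter still maps to U+002E slips past it. The following C program is an added example, not code from the original report or from Windows: it models a lenient converter that accepts overlong UTF-8 forms (the classic instance of such invalid input; that this was the exact form in the original report is an assumption) beside a strict one that rejects them as MB_ERR_INVALID_CHARS does, and compares the vulnerable check-then-convert order with the fixed convert-then-check order. The decoders, function names and the 64-code-point buffer are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* One-sequence UTF-8 decoder that accepts overlong forms, as a converter
 * run without strict validation would. Returns bytes consumed (1..4) or 0
 * on a structural error. Constructed model, not the Windows API. */
static size_t decode_lenient(const unsigned char *s, size_t n, unsigned *cp)
{
    if (n == 0)
        return 0;
    unsigned char c = s[0];
    size_t len = 0;
    unsigned v = 0;
    if (c < 0x80) { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; v = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; v = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; v = c & 0x07; }
    else return 0;
    if (n < len)
        return 0;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;
        v = (v << 6) | (s[i] & 0x3F);
    }
    *cp = v;
    return len;
}

/* Strict decoder: additionally rejects overlong forms, surrogates and
 * values above U+10FFFF, the behaviour MB_ERR_INVALID_CHARS asks for. */
static size_t decode_strict(const unsigned char *s, size_t n, unsigned *cp)
{
    static const unsigned min_for_len[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t len = decode_lenient(s, n, cp);
    if (len == 0 || *cp < min_for_len[len])
        return 0;
    if (*cp > 0x10FFFF || (*cp >= 0xD800 && *cp <= 0xDFFF))
        return 0;
    return len;
}

/* Decode a whole byte string; returns the code point count, or -1 if the
 * chosen decoder rejects any sequence or the output buffer is too small. */
static int decode_all(const unsigned char *s, size_t n, int strict,
                      unsigned *out, size_t max_out)
{
    size_t i = 0, k = 0;
    while (i < n) {
        if (k == max_out)
            return -1;
        size_t len = strict ? decode_strict(s + i, n - i, &out[k])
                            : decode_lenient(s + i, n - i, &out[k]);
        if (len == 0)
            return -1;
        i += len;
        k++;
    }
    return (int)k;
}

/* The check applied before conversion: two adjacent 0x2E bytes. */
static int raw_has_dotdot(const unsigned char *s, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (s[i - 1] == '.' && s[i] == '.')
            return 1;
    return 0;
}

/* The same check applied to code points after conversion. */
static int decoded_has_dotdot(const unsigned *cp, int count)
{
    for (int i = 1; i < count; i++)
        if (cp[i - 1] == '.' && cp[i] == '.')
            return 1;
    return 0;
}

/* Vulnerable order: inspect raw bytes, then convert leniently. Returns 1 if
 * the converted name contains ".." although the raw check passed. */
static int bypassed_by_lenient_conversion(const unsigned char *s, size_t n)
{
    unsigned cps[64];
    if (raw_has_dotdot(s, n))
        return 0;
    int count = decode_all(s, n, 0, cps, 64);
    return count > 0 && decoded_has_dotdot(cps, count);
}

/* Fixed order: strict conversion first, then inspect the result.
 * Returns 1 if the name is accepted, 0 if rejected at either step. */
static int accepted_after_strict_conversion(const unsigned char *s, size_t n)
{
    unsigned cps[64];
    int count = decode_all(s, n, 1, cps, 64);
    return count >= 0 && !decoded_has_dotdot(cps, count);
}
```

For the overlong encoding "\xC0\xAE\xC0\xAE/x", bypassed_by_lenient_conversion() returns 1: the raw scan sees no 0x2E byte, but the lenient decode yields "../x". accepted_after_strict_conversion() rejects the same bytes at the decode step, and also rejects a plain "../x", while ordinary names such as "a/b" or a well-formed "caf\xC3\xA9" are accepted.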
head element. If a user were tricked into viewing a malicious website, an
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2009-1690)
It was discovered that KDE-Libs did not properly handle the Cascading Style
Sheets (CSS) attr function call. If a user were tricked into viewing a
malicious website, an attacker could cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1698)
browser session in context of an affected site (CVE-2011-4074).
Input passed to the orderby parameter in cmd.php (when cmd is set
to query_engine, query is set to none, and search is set to e.g. 1)
is not properly sanitised in lib/functions.php before being used in
a create_function() function call. This can be exploited to inject
and execute arbitrary PHP code (CVE-2011-4075).
The updated packages have been upgraded to the latest version (1.2.2)
which is not vulnerable to these issues.
_______________________________________________________________________
Details:
SQL Injection works by attempting to modify the parameters passed to an application to change the SQL statements that are passed to a database. SQL injection can be used to insert additional SQL statements to be executed.
The 'targetType' parameter used in web page /em/console/target/svclvl/slrule and 'serviceType' parameter used in web page /em/console/target/svclvl/sldetails are vulnerable to SQL Injection attacks. These web pages are part of Oracle Enterprise Manager web application that is included with Oracle Database 11g Release 1. It may be possible for a malicious Enterprise Manager user to execute a function with the elevated privileges of the SYSMAN database user in the repository database. This user has the DBA role granted.
Impact:
This vulnerability allows an Oracle Enterprise Manager web user with VIEW (or more) privileges to execute a function call with the elevated privileges of the SYSMAN database user. This may also be exploited by an attacker who convinces a valid user to click or open a malicious link.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
This source code is also included in mysql-4.0.0, so MySQL versions >=
4.0.0 are affected.
function prototype: write(THD *thd, enum enum_server_command command,
const char* format, ...)
function call: write(thd, command, packet);
on line 2084:
case COM_CREATE_DB: // QQ: To be removed
{
char *db=thd->strdup(packet), *alias;
Description
===========
Venustech AD-LAB discovered that an FTP client connected to a
vulnerable server with passive mode and SSL support can trigger an
fclose() function call on an uninitialized stream in ftpd.c.
Impact
======
A remote attacker can send specially crafted FTP data to a server with
(in the case of iManager Server).
On the server side, the creation of a new class is handled by the
'jclient._Java_novell_jclient_JClient_defineClass@20' function, in the
'jclient.dll' module of the iManager Tomcat web server. This function
in turn invokes a subroutine that copies the user-defined class name
to a fixed-size buffer in the stack, without checking its length. The
following disassembled code of the Novell iManager Tomcat web server
illustrates the vulnerability.
/-----
So to summarize the attack: By sending a single serialized string to
any application based on the Zend Framework using PHPIDS it is
possible to utilize Zend Framework's own objects and execute
arbitrary PHP code by supplying the arguments to a preg_replace()
function call.
Proof of Concept:
SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.
CVE-2009-1698
WebKit in qt4-x11 does not initialize a pointer during handling of a
Cascading Style Sheets (CSS) attr function call with a large numerical
argument, which allows remote attackers to execute arbitrary code or
cause a denial of service (memory corruption and application crash) via
a crafted HTML document.
+--> MS SQL Server 2005 SQL Injection
+--/-- 1>
There is an SQL Injection vulnerability in the site search module.
The code can be found in the "<SRC_DIR>/BlazeApps/Usercontrols/Search.ascx" file.
Submitting search criteria causes the subroutine "uxSubmitButton_Click"
in the file "<SRC_DIR>/BlazeApps/Usercontrols/Search.ascx.vb" to be executed.
It then uses the "uxSearchTextBox" input element value (POST variable) and
the "tagname" input value (POST variable) without escaping, in a query.
The exact location of the injection bug is lines 67 and 69.
Details:
SQL Injection works by attempting to modify the parameters passed to an application to change the SQL statements that are passed to a database. SQL injection can be used to insert additional SQL statements to be executed.
The "TARGET" parameter used in web page /em/console/reports/admin of Oracle Enterprise Manager web application is vulnerable to SQL Injection attacks. It may be possible for a malicious user to execute a function with the elevated privileges of the SYSMAN database user in the repository database. This user has the DBA role granted.
Impact:
This vulnerability allows an Oracle Enterprise Manager user with VIEW (or more) privileges to execute a function call with the elevated privileges of the SYSMAN database user.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround: