
Hosting Controller - Multiple Security Bugs (Extremely Critical)

####################
- Discussion:
####################

1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords.
2- [User] can copy a file to the Hosting Controller web directory, where it is executed under administrative privilege, so an attacker can run his commands with administrative privilege. E.g. an attacker can gain a remote desktop on the server using this bug by uploading an ASP file!
3- [Remote Attacker] can create a new user.
4- [Remote Attacker] can change all users' profiles.
5- [User] can read all the database information via a SQL injection.
6- [User] can change his credit amount or increase his discount.
7- [User] can uninstall others' FrontPage extensions.

VMware Emulation Flaw x64 Guest Privilege Escalation (2/2)

IMPACT
------
By exploiting either of the VMware flaws described in this document,
user-mode code executing in a virtual machine may gain kernel
privileges within the virtual machine, dependent upon the guest
operating system.  The flaws have been proven exploitable on x64
versions of Windows, and they have produced potentially exploitable
crashes on x64 versions of *BSD.  The Linux kernel does not allow
exploitation of these flaws on x64 versions of Linux.

VMware Emulation Flaw x64 Guest Privilege Escalation (1/2)

VMware Workstation 6.5


IMPACT
------
By exploiting the VMware flaw described in this document, user-mode
code executing in a virtual machine may gain kernel privileges within
the virtual machine, dependent upon the guest operating system.  The
flaw has been proven exploitable on x64 versions of Windows, and it
has produced potentially exploitable crashes on x64 versions of *BSD.
The Linux kernel does not allow exploitation of the flaws on x64

[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09

1. SQL injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user submitted parameter "origmsg" is used in sql query
Preconditions:
  1. attacker must be logged in as valid user

Test:


Multiple vulnerabilities in SiT! Support Incident Tracker

The following PoC code is available:

http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+

3) Input passed via the "mode" GET parameter to contact_support.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC code is available:

http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Office arbitrary ClickOnce application execution vulnerability

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
ClickOnce is a deployment technology that allows you to create
self-updating Windows-based applications that can be installed and run
with minimal user interaction. A ClickOnce application is any Windows
Forms or Console application published using ClickOnce technology.
Applications can be published from a web page, a file share, or from
media (i.e. CD-ROM). ClickOnce is available in .NET 2.0 and later.

An application that is deployed through ClickOnce consists of at least

[Exploit] Invision Power Board <= 2.3.5 Multiple Vulnerabilities

    $this->p_acp = $this->get_p('acp');

    # ACP path
    if( !$this->p_acp )
    {
        # If the user changed the ACP directory, we can
        # find it (if the "Remove ACP Link" option was not
        # applied) by logging in as an Admin and then clicking
        # on "Admin CP". This could be done with a user
        # but I didn't implement that ;)
        $this->msg('Using default ACP path: admin', 1);

[USN-710-1] xine-lib vulnerabilities

xine-lib, such as Totem-xine and Amarok, to effect the necessary changes.

Details follow:

It was discovered that xine-lib did not correctly handle certain malformed
Ogg and Windows Media files. If a user or automated system were tricked into
opening a specially crafted Ogg or Windows Media file, an attacker could cause
xine-lib to crash, creating a denial of service. This issue only applied to
Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-3231)

It was discovered that the MNG, MOD, and Real demuxers in xine-lib did not

Secunia Research: OpenX Multiple Vulnerabilities

4) Description of Vulnerabilities

Multiple vulnerabilities have been discovered in OpenX, which can be
exploited by malicious people to conduct cross-site scripting, 
cross-site request forgery, and file inclusion attacks and by 
malicious users to conduct script insertion and SQL injection attacks.

1) Input passed to the "clientid" parameter in "www/admin/banner-acl.php",
"www/admin/banner-edit.php", "www/admin/campaign-zone.php",
"www/admin/advertiser-campaigns.php", "www/admin/campaign-banners.php",
and "www/admin/banner-activate.php" is not properly 

[MORNINGSTAR-2009-02] Multiple security issues in Cute News and UTF-8 Cute News

most popular script on www.hotscripts.com. UTF-8 CuteNews is a current 
fork of the Cute News project which is designed to improve security and 
is available for free from http://korn19.ch/coding/utf8-cutenews/

Multiple vulnerabilities exist in Cute News and UTF-8 CuteNews. These 
vulnerabilities can be exploited to steal user credentials, disclose 
file contents, disclose the file path of the application and execute 
arbitrary commands.

Cute News appears to be abandoned since September 2008. A local file 
inclusion (LFI) vulnerability was discovered by athos on January 9th, 

Akamai Download Manager arbitrary file download & execution

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Akamai's Download Manager allows attackers to download arbitrary
files onto a user's desktop. Using a so-called "blended
threat" attack it is possible to execute arbitrary code. This
attack affects the ActiveX control as well as the Java applet.

------------------------------------------------------------------------
Tested version

CORE-2011-0103 - ZOHO ManageEngine ADSelfService multiple vulnerabilities

CVE Name: CVE-2010-3272, CVE-2010-3273, CVE-2010-3274


3. *Vulnerability Description*

ManageEngine ADSelfService Plus [1] is a secure, web-based, end-user
password reset management program. This software helps domain users to
perform self service password reset, self service account unlock and
employee self update of personal details (e.g. telephone numbers, etc)
in Microsoft Windows Active Directory. Administrators find it easy to
automate password resets, account unlocks while managing optimizing the

FreeWebshop.org: multiple vulnerabilities

designed to provide you with all the features you need from a webshop.

------------------------------------------------------------------------
Insecure installation instructions
------------------------------------------------------------------------
Besides changing the default password for the admin user and removing
the install.php script, no specific instructions are provided to secure
the installation of FWS. The manual assumes that FWS is installed on a
LAMP server (Linux, Apache, MySQL & PHP). If the ZIP archive is
extracted or the files are uploaded to the document root of the
webserver, the new files and directories will be created based on the

Windows SMB NTLM Authentication Weak Nonce Vulnerability

1. Vulnerability information
---------------------------

Impact: An unauthenticated remote attacker without any kind of
credentials can access the SMB service under the credentials of an
authorized user. Depending on the privileges of the authorized user, and
the configuration of the remote system, an attacker can gain read/write
access to the remote file system and execute arbitrary code by using
DCE/RPC over SMB.
Remotely Exploitable: Yes
Bugtraq Id: <unknown>

Re: Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise (2010-M$-001)

To all,

The reason I wrote this article was not to explain how to create a hidden 
user account.  I wrote the article to show you that you can modify the SAM 
in real time in a way that is undetectable by ANYONE.  This modification 
allows you to masquerade any user account as the built-in Administrator.

Christian,

"Continued Access" to a system means that someone has compromised a system 

Re: Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise (2010-M$-001)

Hi!
> 
> The reason I wrote this article was not to explain how to create a hidden 
> user account.  I wrote the article to show you that you can modify the SAM 
> in real time in a way that is undetectable by ANYONE.  This modification 
> allows you to masquerade any user account as the built-in Administrator.
> 
> Christian,
> 
> "Continued Access" to a system means that someone has compromised a system 

[USN-930-4] Firefox and Xulrunner vulnerabilities

  xulrunner-1.9.2                 1.9.2.7+build2+nobinonly-0ubuntu0.9.10.2

Mozilla has changed the support model for Firefox and they no longer
support version 3.0 of the browser and will only support version 3.5 of the
browser for a while longer. As a result, Ubuntu is providing an upgrade to
Firefox 3.6 for Ubuntu 9.04 and 9.10 users, which is the most current
stable release of Firefox supported by Mozilla. When upgrading, users
should be aware of the following:

- Firefox 3.6 does not support version 5 of the Sun Java plugin. Please use
  icedtea6-plugin or sun-java6-plugin instead.

VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player

Problems addressed by these patches:

I    Arbitrary code execution and denial of service vulnerabilities

     This release fixes a security vulnerability that could allow a
     guest operating system user with administrative privileges to cause
     memory corruption in a host process, and thus potentially execute
     arbitrary code on the host. (CVE-2007-4496)

     This release fixes a denial of service vulnerability that could
     allow a guest operating system to cause a host process to become

[USN-930-5] ant, apturl, Epiphany, gluezilla, gnome-python-extras, liferea, mozvoikko, OpenJDK, packagekit, ubufox, webfav, yelp update

Xulrunner 1.9.2.

Original advisory details:

 It was discovered that Firefox could be made to access freed memory. If a
 user were tricked into viewing a malicious site, a remote attacker could
 cause a denial of service or possibly execute arbitrary code with the
 privileges of the user invoking the program. This issue only affected
 Ubuntu 8.04 LTS. (CVE-2010-1121)
 
 Several flaws were discovered in the browser engine of Firefox. If a

Multiple vulnerabilities in SUPERAntiSpyware and Super Ad Blocker

---------------

SUPERAntiSpyware and Super Ad Blocker have almost identical device
drivers in order to set up hooks and perform other duties from kernel
space. These device drivers suffer from lack of validation of
parameters passed from user mode. Additionally, some of the functions
accessible from user mode are inherently insecure and lead to easy
privilege escalation. All vulnerabilities are applicable to both
applications.

Analysis and code were developed for SUPERAntiSpyware v4.33.1000, but

Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise (2010-M$-001)

www.ExploitDevelopment.com 2010-M$-001
----------------------------------------------------------

TITLE:
Flaw in Microsoft Windows SAM Processing Allows Continued
Administrative Access Using Hidden Regular User Masquerading After
Compromise

SUMMARY AND IMPACT:
All versions of Microsoft Windows allow real-time modifications to the
Security Accounts Manager (SAM) that enable an attacker to create a

[PT-2011-04] Cross-Site Scripting in Kayako Support Suite

---[ Vulnerability description ]

Positive Research Center has discovered multiple XSS vulnerabilities in Kayako Support Suite.

The application insufficiently verifies the incoming "subscriberdata" parameter in the /staff/index.php?_m=news&_a=importexport script. 
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server. 
To use the vulnerability an attacker should convince a user with "staff" privileges to open a URL like:
 http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
The application insufficiently verifies the incoming "subject" parameter in the /staff/index.php?_m=news&_a=insertnews script. 
An attacker with "staff" privileges can use the vulnerability to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server. 
An attacker should trick a user with "staff" privileges into opening a URL like: 

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Network Building Mediator

+---------------------------------------+

Vulnerable Products
+------------------

Users can determine the version of the Mediator Framework running on
a device by logging into the device. After a successful login, the
device will display the version of Mediator Framework running on the
device.

The following example identifies a Cisco Network Building Mediator

[USN-853-1] Firefox and Xulrunner vulnerabilities

changes.

Details follow:

Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)

Jeremy Brown discovered that the Firefox Download Manager was vulnerable to

[USN-853-2] Firefox and Xulrunner regression

We apologize for the inconvenience.

Original advisory details:

 Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
 converted strings to floating point numbers. If a user were tricked into
 viewing a malicious website, a remote attacker could cause a denial of service
 or possibly execute arbitrary code with the privileges of the user invoking the
 program. (CVE-2009-1563)
 
 Jeremy Brown discovered that the Firefox Download Manager was vulnerable to

Re: [Full-disclosure] [ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking

> after which even correct credentials will not be accepted. You can't
> tell the difference in the UI you are using, so it's understandable to
> have missed these extra limits.
> 

A malicious user can abuse the feature "Check for mail using POP3" to
realize the automatic process of password cracking.

As you comment, when using this feature there is a lock (for 2 hours) on
authentication attempts, and beyond this limit (100 requests) the
message returned by the application does not allow one to know whether the

Cisco Security Advisory: IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities

IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------

IronPort Encryption Appliance devices contain two vulnerabilities
that could allow unauthorized users to gain access to the IronPort
Encryption Appliance administration interface and modify other users'
settings. These vulnerabilities do not affect Cisco Registered
Envelope Service users.

Cisco has released free software updates that address these

HP notebooks remote code execution vulnerability (multiple series)

Overview:
/////////

Software called "HP Info Center" has shipped with almost every HP laptop model for a few years. 
It is designed to provide the user with quick system information and hardware configuration
at the touch of a single button.
One of its ActiveX controls, deployed by default by the vendor, has three insecure methods 
that allow a malicious person to target HP notebook machines with remote code execution 
and remote registry manipulation based attacks.


Cisco Security Advisory: Default Credentials for Root Account on Tandberg E, EX and C Series Endpoints

This vulnerability affects Tandberg C Series Endpoints and E/EX
Personal Video units, including software that is running on the C20,
C40, C60, C90, E20, EX60, and EX90 codecs. The software version of
the Tandberg unit can be determined by logging into the web-based
user interface (UI) or using the "xStatus SystemUnit" command.

Users can determine the Tandberg software version by entering the IP
address of the codec in a web browser, authenticating (if the device
is configured for authentication), and then selecting the "system
info" menu option. The version number is displayed after the

Cisco Security Advisory: Cisco Secure Access Control System Unauthorized Password Change Vulnerability

Summary
=======

A vulnerability exists in some Cisco Secure Access Control System
(ACS) versions that could allow a remote, unauthenticated attacker to
change the password of any user account to any value without
providing the account's previous password. Successful exploitation
requires the user account to be defined on the internal identity
store.

This vulnerability does not allow an attacker to perform any other


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
