Packet Storm - Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
Updated: 21 hours 38 min ago
This Metasploit module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.
Incom CMS suffers from an authentication bypass vulnerability via remote SQL injection.
This Metasploit module steals the user password of an administrative user on a desktop Linux system when it is entered for unlocking the screen or for doing administrative actions using policykit. Then it escalates to root privileges using sudo and the stolen user password. It exploits the design weakness that there is no trusted channel for transferring the password from the keyboard to the actual password verification against the shadow file (which is running as root since /etc/shadow is only readable to the root user). Both screensavers (xscreensaver/gnome-screensaver) and policykit use a component running under the current user account to query for the password and then pass it to a setuid-root binary to do the password verification. Therefore it is possible to inject a password stealer after compromising the user account. Since sudo requires only the user password (and not the root password of the system), stealing the user password of an administrative user directly allows escalating to root privileges. Please note that you have to start a handler as a background job before running this exploit since the exploit will only create a shell when the user actually enters the password (which may be hours after launching the exploit). Using exploit/multi/handler with the option ExitOnSession set to false should do the job.
Ex Libris Patron Directory Services version 2.1 suffers from an open redirection vulnerability.
Ex Libris Patron Directory Services version 2.1 suffers from a cross site scripting vulnerability.
The travel.cnn.com and ads.cnn.com sites suffer from cross site scripting and open redirection vulnerabilities.
WordPress Dmsguestbook plugin suffers from a remote unauthenticated data injection vulnerability.
CMS Pylot suffers from cross site request forgery and cross site scripting vulnerabilities.
WordPress Frontend Uploader plugin version 0.9.2 suffers from a cross site scripting vulnerability.
e107 version 2.0 Alpha2 suffers from a cross site request forgery vulnerability.
Maxthon Browser suffers from an address bar spoofing vulnerability.
jetAudio version 220.127.116.110 proof of concept denial of service vulnerability that creates a malicious .m3u file.
PMB versions 4.1.3 and below suffer from a post-authentication remote SQL injection vulnerability.
WhatsApp suffers from a remote reboot/crash vulnerability on Android versions 2.11.476 and below.
Lazarus Guestbook version 1.22 suffers from cross site scripting and remote SQL injection vulnerabilities.
Pimcore CMS versions 2.3.0 and 3.0 suffer from a remote SQL injection vulnerability.
PHPLIST versions 3.0.6 and 3.0.10 suffer from a remote SQL injection vulnerability.
Multiple WordPress themes suffer from an arbitrary file download vulnerability in download.php. These include Ultimatum, Medicate, Centum, Avada, Striking Theme & E-Commerce, cuckootap, IncredibleWP, Ultimatum, Medicate, Centum, Avada, Trinity, Lote27, and Revslider themes.
SysAid Server is vulnerable to an unauthenticated file disclosure attack that allows an anonymous attacker to read arbitrary files on the system. An attacker exploiting this issue can compromise SysAid user accounts and gain access to important system files. When SysAid is configured to use LDAP authentication it is possible to gain read access to the entire Active Directory or obtain domain admin privileges. Versions prior to 14.4.2 are affected.
This is a brief whitepaper that discusses SQL injection, cross site scripting, and remote shell upload vulnerabilities in various Joomla! plugins.