#!/usr/bin/python -w
# Title : Express Zip <= 2.40 Path Traversal
# Date : 07/04/2016
# Author : R-73eN
# Tested on : Windows Xp / Windows 7 Ultimate
# Software Link : http://www.nchsoftware.com/zip/
# Download Link: http://www.nchsoftware.com/zip/zipplus.exe
# Vulnerable Versions : Express Zip <= 2.40
# Express Zip doesn't validate ".." which makes it possible
# to do a path traversal attack which can be converted easily to…
CiviCRM extends common CMS platforms (WordPress, Drupal) with a module to manage civic campaigns, tracking donors,
amounts, and campaign CRM-type activity.
I tested the WordPress integration of CiviCRM 4.7b3 which was found to have blind SQL Injections that allow
authenticated users to download arbitrary database content.
The first was in the columns[0][data] parameter when querying a contact relationship in the AJAX query….
ExaGrid ships a public/private key pair on their backup appliances to allow passwordless authentication to other ExaGrid appliances. Since the private key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. Additionally, this module will attempt to use the default password for root, ‘inflection’.
Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages, most commonly Perl and Python. When enabled, command execution is possible on the host. To execute system commands, loading the “untrusted” version of the language is necessary. This requires a superuser, which is usually postgres. The execution should be platform-agnostic, and has been tested on OS X, Windows, and Linux. This Metasploit module attempts to load Perl or Python to execute system commands. As this dynamically loads a scripting language to execute commands, it is not necessary to drop a file on the filesystem. Only Postgres 8 and up are supported.
The GET_CONFIG and GET_PARAMETER calls on IOMX are vulnerable to an information disclosure of uninitialized heap memory. This could be used by an attacker to break ASLR in the media server process by reading out heap memory which contains useful address information.
The IMemory interface in frameworks/native/libs/binder/IMemory.cpp, used primarily by the media services, can be tricked into returning arbitrary memory locations, leading to information disclosure or memory corruption.
Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to bypass the ASLR protection mechanism via JIT data.