Using a web browser or script server-side request forgery (SSRF) can be initiated against internal/external systems to conduct port scans by leveraging D-LINK's MailConnect component. The MailConnect feature on D-Link Central WiFiManager CWM-100 version 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using Web Browser.
d9afd3cea418548b6c3b72153c1261feThis Metasploit module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions 9.22.0 and below. Due to a default configuration in Apache 2.3.9+, the widget's .htaccess file may be disabled, enabling exploitation of this vulnerability. This vulnerability has been exploited in the wild since at least 2015 and was publicly disclosed to the vendor in 2018. It has been present since the .htaccess change in Apache 2.3.9. This Metasploit module provides a generic exploit against the jQuery widget.
dc66674939d313842bacc7cddcbdd16cPHP Proxy version 3.0.3 suffers from a local file inclusion vulnerability.
87c29784be880e65ee17bc44869c13beSimple PHP Shopping Cart version 0.9 suffers from remote shell upload and remote SQL injection vulnerabilities.
590960260c339d781b319ed9b86ae390PHP-SHOP Master version 1.0 suffers from a cross site request forgery vulnerability.
8a78b5651bd99ac517bc63e491f64913The FLIR AX8 thermal sensor camera version 1.32.16 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed via the 'file' parameter in download.php is not properly verified before being used to download config files. This can be exploited to disclose the contents of arbitrary files via absolute path.
acdaa748301edd2bc81cd2080da980c7The FLIR AX8 thermal sensor camera version 1.32.16 suffers from two unauthenticated command injection vulnerabilities. The issues can be triggered when calling multiple unsanitized HTTP GET/POST parameters within the shell_exec function in res.php and palette.php file. This can be exploited to inject arbitrary system commands and gain root remote code execution.
d06114bdae6c5e38a699adb6567a8ba2This Metasploit module exploits insufficient sanitization in the database::protect method, of Navigate CMS versions 2.8 and prior, to bypass authentication. The module then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations. Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely. This Metasploit module was tested against Navigate CMS 2.8.
da3b2bf872655ae3a17ea15d8ed164aaUbuntu Security Notice 3766-2 - USN-3766-1 fixed a vulnerability in PHP. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that PHP incorrectly handled certain exif tags in JPEG images. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. Various other issues were also addressed.
a6da1b13303103e6972312ac2ca98410Moodle versions 3.5.2, 3.4.5, 3.3.8, and 3.1.14 suffer from a remote php unserialize code execution vulnerability.
4230dd49813d98f84c6358427e417b39Ubuntu Security Notice 3766-1 - It was discovered that PHP incorrectly handled restarting certain child processes when php-fpm is used. A remote attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 18.04 LTS. It was discovered that PHP incorrectly handled certain exif tags in JPEG images. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. Various other issues were also addressed.
13f0348bda82b5ca1eba85e0d5b724d6Slackware Security Advisory - New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
5f3e62dec417873d80984702db0e07efPHP File Browser Script 1 suffers from a directory traversal vulnerability.
8869edeebd781f2fcebd992664779415Easylogin Pro version 1.3.0 suffers from an a deserialization issue in Encryptor.php that permits a code execution vulnerability.
03801bbaa56a11377a136ef865c65bf3Debian Linux Security Advisory 4276-1 - Fariskhi Vidyan and Thomas Jarosch discovered several vulnerabilities in php-horde-image, the image processing library for the Horde groupware suite. They would allow an attacker to cause a denial-of-service or execute arbitrary code.
84275deef406d84c7f82d6c07a2ae031OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file containing PHP code, because file extensions other than .html are permitted.
f671f8d4d1775a87dfdb4e245c86573aDebian Linux Security Advisory 4262-1 - Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to open redirects, cross-site request forgery, information disclosure, session fixation or denial of service.
9d90561cb123024abe81fc4647a6aff3PHP Template Store Script version 3.0.6 suffers from persistent cross site scripting vulnerabilities.
955dd57ab80d69477021cb73445e4ecfHRSale HR Management PHP script version 1.0.6 suffers from a local file disclosure vulnerability.
7359826a28a3b8ffd79965cd3b39d5bfThis Metasploit module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway. An unauthenticated user can execute a terminal command under the context of the web user. One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding, which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session. Combining these vulnerabilities gives the opportunity execute operation system commands under the context of the web user.
e1ed8b7a67ea6ddd018934d8c751a6d1Vtiger version 6.3.0 CRM's administration interface allows for the upload of a company logo. Instead of uploading an image, an attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This Metasploit module was tested against vTiger CRM version 6.3.0.
72429cacd6f8d8507d950f72f13a44cdSuper CMS Blog Pro PHP Script version 1.0 suffers from a cross site scripting vulnerability.
65c8fcb0181b7cc5639b9ffd8ad8014cSuper CMS Blog Pro PHP Script version 1.0 suffers from shell upload and remote SQL injection vulnerabilities.
4d4af76da07a9471a1cd3679240ce824NUUO NVRmini suffers from a remote command execution vulnerability in upgrade_handle.php.
929ca4e4e4ddf2ac4f48d2373e20ba9bSlackware Security Advisory - New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
16dbf231d102e07198b15fae7baa2d9d
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed