elFinder versions below 2.1.59 are vulnerable to a command injection vulnerability via its archive functionality. When creating a new zip archive, the name parameter is sanitized with the escapeshellarg() php function and then passed to the zip utility. Despite the sanitization, supplying the -TmTT argument as part of the name parameter is still permitted and enables the execution of arbitrary commands as the www-data user.
748ee7b37719159b8db8d6bf33aad64bAHSS-PHP version 1.0 suffers from cross site scripting and remote SQL injection vulnerabilities.
00674176fa93d01b22d17bb2c4952741POMS-PHP version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
bd8eafbd3e81ab90a2981a83f111f34cFirebase's PHP-JWT suffers from an algorithm confusion issue. Proof of concept code included.
4c84fb0fba2f42d4741760b2e2b2764cCOVID19 Testing Management System version 1.0 suffers from a remote SQL injection vulnerability leveraging the searchdata parameter on the patient-search-report.php page. This is a variant of the original discovery of SQL injection in this version as discovered by Rohit Burke in May of 2021.
b36fd4281ed2835482616a0d0da9e478Red Hat Security Advisory 2021-2992-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include bypass, null pointer, and server-side request forgery vulnerabilities.
0321756619f042ba1c91635b25b8fce2Hotel Management System version 1.0 exploit that leverages a blind cross site scripting attack against the admin to have a reverse PHP shell uploaded.
aa7d7b6de743aefd9eda1c19bbe45794PHP version 7.3.15-3 suffers from a PHP_SESSION_UPLOAD_PROGRESS session data injection vulnerability.
c88e9682c0140b88e53745d1f1516e69This Metasploit module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in WordPress SP Project and Document plugin versions prior to 4.22. The security check only searches for lowercase file extensions such as .php, making it possible to upload .pHP files for instance. Finally, the uploaded payload can be triggered by a call to /wp-content/uploads/sp-client-document-manager/<user_id>/<random_payload_name>.php.
d73daa7ac6681410691920aff7640598This Metasploit module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in WordPress Modern Events Calendar plugin versions prior to 5.16.5. This is due to an incorrect check of the uploaded file extension. Indeed, by using text/csv content-type in a request, it is possible to upload a .php payload as is is not forbidden by the plugin. Finally, the uploaded payload can be triggered by a call to /wp-content/uploads/<random_payload_name>.php.
75b29e689541f825031d9308d2c36b24This Metasploit module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in Wordpress plugin Backup Guard versions prior to 1.6.0. This is due to an incorrect check of the uploaded file extension which should be of SGBP type. Then, the uploaded payload can be triggered by a call to /wp-content/uploads/backup-guard/<random_payload_name>.php.
a13b79ee96d9f6b0f86db446a8c091a9KevinLAB BEMS version 1.0 suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the page GET parameter in index.php is not properly verified before being used to include files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.
4bc3f448faf6a5df2c5354ab9084063bKevinLAB BEMS version 1.0 suffers from an unauthenticated SQL Injection vulnerability. Input passed through input_id POST parameter in /http/index.php is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code to bypass the authentication mechanism.
3498bc654a493cbf9b46522829eb067cConcrete5 versions 8.5.5 suffer from a logging settings phar deserialization vulnerability. User input passed through the logFile request parameter is not properly sanitized before being used in a call to the file_exists() function at line 91. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires an administrator account.
a1fb25a9ba4326669a0ede911fe27d02Ubuntu Security Notice 5006-2 - USN-5006-1 fixed several vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that PHP incorrectly handled certain PHAR files. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. Various other issues were also addressed.
66293c19cf8113112211326af4be7f4cUbuntu Security Notice 5006-1 - It was discovered that PHP incorrectly handled certain PHAR files. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that PHP incorrectly handled parsing URLs with passwords. A remote attacker could possibly use this issue to cause PHP to mis-parse the URL and produce wrong data. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 20.10. Various other issues were also addressed.
d2eaebcf41b9edfd36340798eb2ac873This Metasploit module exploits an arbitrary file upload in the WordPress wpDiscuz plugin versions from 7.0.0 through 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable server.
fdf8135289f12d026401f86e91ab3f6dThis Metasploit module exploits the file upload vulnerability of Lightweight self-hosted facebook-styled PHP blog and allows remote code execution.
574d24d96494d02754d265cd9346aa85This Metasploit module allows an attacker with a privileged rConfig account to start a reverse shell due to an arbitrary file upload vulnerability in /lib/crud/vendors.crud.php.
b0d94160c515ca53615beeeac06c2e14This Metasploit module exploits an input validation error on the log file extension parameter. It does not properly validate upper/lower case characters. Once this occurs, the application log file will be treated as a php file. The log file can then be populated with php code by changing the username of a valid user, as this info is logged. The php code in the file can then be executed by sending an HTTP request to the log file. A similar issue was reported by the same researcher where a blank file extension could be supplied and the extension could be provided in the file name. This exploit will work on those versions as well, and those references are included.
d7acd34cfa8d5f47a3eb69700fe86af1PHP version 8.1.0-dev remote code execution exploit that leverages a backdoor under the User-Agentt header.
4a66165091ec5e614d9f7b2d045ffcb8This Metasploit module exploits a SQL injection vulnerability in Cacti versions 1.2.12 and below. An admin can exploit the filter variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the path_php_binary value is changed within the settings table to a payload, and an update is called to execute the payload. After calling the payload, the value is reset.
96f2d2ce45330fd71491a45ad435fbe4IPS Community Suite versions 4.5.4.2 and below suffer from a PHP code injection vulnerability. The vulnerability exists because the IPS\cms\modules\front\pages\_builder::previewBlock() method allows to pass arbitrary content to the IPS\_Theme::runProcessFunction() method, which will be used in a call to the eval() PHP function. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires an account with permission to manage the sidebar (such as a Moderator or Administrator) and the "cms" application to be enabled.
1b4fb4e5987be3d21bd6ca2f13378d32PHP version 8.1.0-dev unauthenticated remote command execution proof of concept exploit that leverages the backdoor.
68b81a413521d514b1b67f8bde5a5138Trixbox version 2.8.0.4 has an OS command injection vulnerability that can be leveraged via shell metacharacters in the lang parameter to /maint/modules/home/index.php.
b20a34f5709b4607d3383fa6db1f537f
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed