PEAR Archive_Tar versions prior to 1.4.4 suffers from a php object injection vulnerability.
301d1addd2f16d82750f17ee54102420SugarCRM versions prior to 7.9.5.0, 8.0.2, and 8.2.0 suffer from a path traversal vulnerability. User input passed through the "webhook_target_module" parameter is not properly sanitized before being used to save PHP code into the hooks file through the Web Logic Hooks module. This can be exploited to carry out path traversal attacks and e.g. create arbitrary directories. Successful exploitation of this vulnerability requires admin privileges.
0a73c52a5465fdc38ae3bede2f424098SugarCRM versions prior to 7.9.5.0, 8.0.2, and 8.2.0 suffer from a PHP code injection vulnerability. User input passed through the "trigger_event" parameter is not properly sanitized before being used to save PHP code into the 'logic_hooks.php' file through the Web Logic Hooks module. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires admin privileges.
bc08aaf51fef23154d37431b75e27168SugarCRM versions prior to 7.9.5.0, 8.0.2, and 8.2.0 suffer from a PHP code injection vulnerability. User input passed through key values of the 'labels_' parameters is not properly sanitized before being used to save PHP code within the "ParserLabel::addLabels()" method when saving labels through the Module Builder. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires admin privileges.
a185f42ec61a0417ce4c9024f155944aSugarCRM versions prior to 7.9.4.0 and 7.11.0.0 suffer from a PHP code injection vulnerability in the WorkFlow module. User input passed through the $_POST['base_module'] parameter to the "Save" action of the WorkFlow module is not properly sanitized before being used to write data into the 'workflow.php' file. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires admin privileges.
695389da1dad0e4c2419d379b1d1e132SugarCRM versions prior to 7.9.5.0, 8.0.2, and 8.2.0 suffer from a PHP code injection vulnerability. User input passed through key values of the 'list_value' JSON parameter is not properly sanitized before being used to save PHP code when adding/saving dropdowns through the Module Builder. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires admin privileges.
d7144a03e522ca3b40f5f45efbaea7ddWhitepaper called How to Exploit PHP Remotely to Bypass Filters and WAF Rules.
951bbbe0ecb41f1c347de656c6715e7eWhen the WordPress plugin Snap Creek Duplicator restores a backup, it leaves dangerous files in the filesystem such as installer.php and installer-backup.php. These files allow anyone to call a function that overwrite the wp-config.php file AND this function does not sanitize POST parameters before inserting them inside the wp-config.php file, leading to arbitrary PHP code execution. WARNING: This exploit WILL break the wp-config.php file. If possible try to restore backups of the configuration after the exploit to make the WordPress site work again.
3e9bb4227872fd85077a0576d93fc20fWhitepaper called PHP Source Code Analysis. Written in Turkish.
541f02d58c221e424f1e880cec6cd567Debian Linux Security Advisory 4353-1 - Multiple security issues were found in PHP, a widely-used open source denial of service/information disclosure when parsing malformed images, the Apache module allowed cross-site-scripting via the body of a insufficient input validation which can result in the execution of arbitrary shell commands in the imap_open() function and denial of service in the imap_mail() function.
d9b1a99e04d2c1e6335bb4aef129d5a1Slackware Security Advisory - New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
a1bcb0ddb933e7f43392915dd032cfe1Debian Linux Security Advisory 4351-1 - It was discovered that PHPMailer, a library to send email from PHP applications, is prone to a PHP object injection vulnerability, potentially allowing a remote attacker to execute arbitrary code.
caddae86ea0cbb47f309c50d59d72537PHP Server Monitor version 3.3.1 suffers from a cross site request forgery vulnerability.
5fe1c2f708db2fb89bc73606a4894920Gentoo Linux Security Advisory 201812-1 - Multiple vulnerabilities have been found in PHP, the worst of which could result in a Denial of Service condition. Multiple versions are affected.
855d25fbb1fcefb9b726efaee310ece2The imap_open function within PHP, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. Prestashop exploitation requires the admin URI, and administrator credentials. suiteCRM/e107/hostcms require administrator credentials.
d4da49f1f3382fe81325e51853a7fcc3PHP-Proxy version 5.1.0 suffers from a local file inclusion vulnerability.
96c23b5c4ac90b08c6b144a53cf3862dPHP Mass Mail version 1.0 suffers from a remote shell upload vulnerability.
0cb5d71edeb4a2b0e094423306caac00In this article, the author explores ways to bypass protection methods using the PHP Stream Wrappers, which are responsible for handling protocol related tasks like downloading data from a web or ftp server and exposing it in a way in that it can be handled with PHP's stream related functions.
a947e8c1cb30f07e7cee7d234092661ePHP version 5.2.3 (Debian) suffers from an imap imap_open disable functions bypass vulnerability.
aa9bfde85a72aab2622a5ce32e492d2aUsing a web browser or script server-side request forgery (SSRF) can be initiated against internal/external systems to conduct port scans by leveraging D-LINK's MailConnect component. The MailConnect feature on D-Link Central WiFiManager CWM-100 version 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using Web Browser.
d9afd3cea418548b6c3b72153c1261feThis Metasploit module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions 9.22.0 and below. Due to a default configuration in Apache 2.3.9+, the widget's .htaccess file may be disabled, enabling exploitation of this vulnerability. This vulnerability has been exploited in the wild since at least 2015 and was publicly disclosed to the vendor in 2018. It has been present since the .htaccess change in Apache 2.3.9. This Metasploit module provides a generic exploit against the jQuery widget.
dc66674939d313842bacc7cddcbdd16cPHP Proxy version 3.0.3 suffers from a local file inclusion vulnerability.
87c29784be880e65ee17bc44869c13beSimple PHP Shopping Cart version 0.9 suffers from remote shell upload and remote SQL injection vulnerabilities.
590960260c339d781b319ed9b86ae390PHP-SHOP Master version 1.0 suffers from a cross site request forgery vulnerability.
8a78b5651bd99ac517bc63e491f64913The FLIR AX8 thermal sensor camera version 1.32.16 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed via the 'file' parameter in download.php is not properly verified before being used to download config files. This can be exploited to disclose the contents of arbitrary files via absolute path.
acdaa748301edd2bc81cd2080da980c7
© 2019 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed