Ubuntu Security Notice 6305-2 - USN-6305-1 fixed several vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. It was discovered that PHP incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information.
caacfeb4e539a353abe770f6325dbffce7919a619b169957ffad81b1917bb00bThis Metasploit exploit module leverages sql injection and local file inclusion vulnerabilities in Cacti versions prior to 1.2.26 to achieve remote code execution. Authentication is needed and the account must have access to the vulnerable PHP script (pollers.php). This is granted by setting the Sites/Devices/Data permission in the General Administration section.
b4ef67908324e2b53eac068bc36847b4c86d487875706d6d2339e053cc3970f0This code serves as both a vulnerability detector and a proof of concept for CVE-2023-36845. It executes the phpinfo() function on the login page of the target device, allowing to inspect the PHP configuration. This script also has the option to save the phpinfo() output to a file for further analysis.
56c0a0ad9dba5be91bcf88dbed7e2234e764bf5d6166e8250dfe5f1920543e02XenForo versions 2.2.13 and below suffer from a zip slip filename traversal vulnerability in ArchiveImport.php.
5deccbdac2cfe207ec995833b611569397b53b3acedb61fbd211edfe7bb16b0dVinchin Backup and Recovery versions 7.2 and below suffer from a command injection vulnerability in SystemHandler.class.php.
dc8db7a93b49f089a2c51bccac868cf579a7563c72b570b389665c44bbc72c33Red Hat Security Advisory 2024-0387-03 - An update for the php:8.1 module is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
9e341b2e86799d9ac8b07a6ec52cc960f726908e4657fdedf47b8b3de3a9fd76This Metasploit module exploits an unauthenticated remote command execution vulnerability in WordPress Backup Migration plugin versions 1.3.7 and below. The vulnerability is exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint. The exploit makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversions. This allows an attacker to prepend a PHP payload to a string which gets evaluated by a require statement, which results in command execution.
1feecca12306422ebe993c3821d87be77ad3056e719f9dcbae7c033f156e447fUbuntu Security Notice 6550-1 - It was discovered that Smarty, that is integrated in the PostfixAdmin code, was not properly sanitizing user input when generating templates. An attacker could, through PHP injection, possibly use this issue to execute arbitrary code. It was discovered that Moment.js, that is integrated in the PostfixAdmin code, was using an inefficient parsing algorithm when processing date strings in the RFC 2822 standard. An attacker could possibly use this issue to cause a denial of service.
63590f2a95686afe65ce57bda6bffeb19c1b4db5f13381940d89cd04952491fdISPConfig versions 4.2.11 and below suffer from a PHP code injection vulnerability in language_edit.php.
d5776b6c39736c11bc5b6ee2bae4179fb341f58ff08665b96718f64ac8b63242This Metasploit module exploits a command injection vulnerability in MagnusBilling application versions 6.x and 7.x that allows remote attackers to run arbitrary commands via an unauthenticated HTTP request. A piece of demonstration code is present in lib/icepay/icepay.php, with a call to an exec(). The parameter to exec() includes the GET parameter democ, which is controlled by the user and not properly sanitised/escaped. After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data or asterisk. At a minimum, this allows an attacker to compromise the billing system and its database.
62af9cc329c88e7f145a1675e178871c1a75c9da5de26c8c623bef2bde4a73c2phpFox versions 4.8.13 and below have an issue where user input passed through the "url" request parameter to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code.
ee85170a47f6253886312ffd969da7bc6af218c972178b1c78103cec1ae79a03SugarCRM versions 13.0.1 and below suffer from a server-side template injection vulnerability in the GetControl action from the Import module. This issue can be leveraged to execute arbitrary php code.
482a650864ca894b028d96d1341d94b0fd22a59191625c172302fe115ad4deb5Ubuntu Security Notice 6199-2 - USN-6199-1 fixed a vulnerability in PHP. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that PHP incorrectly handled certain Digest authentication for SOAP. An attacker could possibly use this issue to expose sensitive information.
e46b12e2ae2685b34c9735991a469a71e79fcd955c1df600d8da3956401fe3d8Red Hat Security Advisory 2023-5927-01 - An update for the php:8.0 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
46c527bdcfb2145b61c0830ad98c9738174c2195ac8e1cd6200c84896fdfff5dRed Hat Security Advisory 2023-5926-01 - An update for php is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
f7b3d25853c407b0835193e19c69c5d5226d02c94935df3692d13b2fede8c6ecThis Metasploit module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices running FreeBSD and every FreeBSD process can access their stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being auto_prepend_file which causes the provided file to be added using the require function. The second PHP function is allow_url_include which allows the use of URL-aware fopen wrappers. By enabling allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses data:// to provide a file inline which includes the base64 encoded PHP payload. By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a datastore option JAIL_BREAK, that when set to true, will steal the necessary tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated to the J-Web application this method will not work. The module then authenticates with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.
23552b23e1cc0e2022181944f8894c8f7203e6893e7d1127561c3ffd867b9517WordPress Essential Blocks plugin versions 4.2.0 and below and Essential Blocks Pro versions 1.1.0 and below suffer from multiple PHP object injection vulnerabilities.
3bc456da9e240b7476040544d3e4f0b5fa6f68d4e3ad65a015be529481ab73adPHP Shopping Cart version 4.2 suffers from a remote SQL injection vulnerability.
606411a83a93b9d6c705936cd642d323cf06f1e728faa5294bef0c1a617f8551This Metasploit module exploits a vulnerability found in Online Pizza Ordering System version 1.0. By abusing the admin_class.php file, a malicious user can upload a file to the img/ directory without any authentication, which results in arbitrary code execution. The module has been tested successfully on Ubuntu 22.04.
3002ce5e2a8a96ceb421dddfd1cd12fa3676d726242592bcbe8fb80e7b19715fThis Metasploit module exploits a command injection vulnerability on the SolarView Compact version 6.00 web application via the vulnerable endpoint downloader.php. After exploitation, an attacker will have full access with the same user privileges under which the webserver is running (typically as user contec).
d0437fdd852a45a2f8dcde9836a0c763b4e6b928a9997b6532fb7346909945a8PHP JABBERS PHP Review Script version 1.0 suffers from a cross site scripting vulnerability.
b9b98b4a795bf346b16b6fba859f15dc9f9da7740340375a350eddf3a8d1d69fIslam CMS version 1.0 suffers from a remote PHP code injection vulnerability.
39b07aef1fa1c0862a22398b5f20aabeb8f16190e023159d1c613e4cc63eef60Ubuntu Security Notice 6305-1 - It was discovered that PHP incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information. It was discovered that PHP incorrectly handled certain PHAR files. An attacker could possibly use this issue to cause a crash, expose sensitive information or execute arbitrary code.
1dc8c3dad3030fd034169b595c1d037465ec0558c0e070e9e64ad1aef797927dThis Metasploit module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions 1.11.18 and below. Due to a functionality called Chamilo Rapid to easily convert PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at the OS level using a malicious SOAP request at the vulnerable endpoint /main/webservices/additional_webservices.php.
9eddd6c9a39fb97ca77aeebd1ec713969953ce2f89e609c528b4a46ca5ec152dSugarCRM versions 12.2.0 and below suffer from a PHP object injection vulnerability.
32f7ef69ef5791e90290f62780a766a77c6238a01e2c71417b234a5b64db910c
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed