bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40084.txt
Offensive Security fc4bc08825 DB: 2016-07-12 
15 new exploits

Apache HTTPd - Arbitrary Long HTTP Headers DoS
Apache HTTPd - Arbitrary Long HTTP Headers DoS (Perl)

Apache HTTPd - Arbitrary Long HTTP Headers DoS
Apache HTTPd - Arbitrary Long HTTP Headers DoS (C)

Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow Exploit (c code)
Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow Exploit (C) (1)

Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow (2) (c code)
Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow (C) (2)
Webhints <= 1.03 - Remote Command Execution Exploit (perl code) (1)
Webhints <= 1.03 - Remote Command Execution Exploit (c code) (2)
Webhints <= 1.03 - Remote Command Execution Exploit (perl code) (3)
Webhints <= 1.03 - Remote Command Execution Exploit (Perl) (1)
Webhints <= 1.03 - Remote Command Execution Exploit (C) (2)
Webhints <= 1.03 - Remote Command Execution Exploit (Perl) (3)
phpBB <= 2.0.15 - Register Multiple Users Denial of Service (Perl Code)
phpBB <= 2.0.15 - Register Multiple Users Denial of Service (C Code)
phpBB <= 2.0.15 - Register Multiple Users Denial of Service (Perl)
phpBB <= 2.0.15 - Register Multiple Users Denial of Service (C)

SimpleBBS <= 1.1 - Remote Commands Execution Exploit (c code)
SimpleBBS <= 1.1 - Remote Commands Execution Exploit (C)

Xmame 0.102 (-lang) Local Buffer Overflow Exploit (c code)
Xmame 0.102 - (lang) Local Buffer Overflow Exploit (C)

aFAQ 1.0 (faqDsp.asp catcode) Remote SQL Injection Vulnerability
aFAQ 1.0 - (faqDsp.asp catcode) Remote SQL Injection Vulnerability

Apple CFNetwork HTTP Response Denial of Service Exploit (rb code)
Apple CFNetwork - HTTP Response Denial of Service Exploit (RB)

PhpBlock a8.4 (PATH_TO_CODE) Remote File Inclusion Vulnerability
PhpBlock a8.4 - (PATH_TO_CODE) Remote File Inclusion Vulnerability

WebPortal CMS <= 0.7.4 (code) Remote Code Execution Vulnerability
WebPortal CMS <= 0.7.4 - (code) Remote Code Execution Vulnerability

emergecolab 1.0 (sitecode) Local File Inclusion Vulnerability
emergecolab 1.0 - (sitecode) Local File Inclusion Vulnerability

Simple Machines Forums (BBCode) Cookie Stealing Vulnerability
Simple Machines Forums - (BBCode) Cookie Stealing Vulnerability

Movie PHP Script 2.0 (init.php anticode) Code Execution Vulnerability
Movie PHP Script 2.0 - (init.php anticode) Code Execution Vulnerability

Kjtechforce mailman b1 (code) SQL Injection Delete Row Vulnerability
Kjtechforce mailman b1 - (code) SQL Injection Delete Row Vulnerability

WordPress Activity Log Plugin 2.3.1 - Persistent XSS

IPS Community Suite 4.1.12.3 - PHP Code Injection
Adobe Flash - ATF Processing Overflow
Adobe Flash - JXR Processing Double Free
Adobe Flash - LMZA Property Decoding Heap Corruption
Adobe Flash - ATF Image Packing Overflow
Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (msf)

Ho' Detector (Promiscuous mode detector shellcode) (56 bytes)
Ho' Detector - Promiscuous mode detector shellcode (56 bytes)

MS16-016 mrxdav.sys WebDav Local Privilege Escalation

Ruby on Rails ActionPack Inline ERB Code Execution

Lan Messenger sending PM Buffer Overflow (UNICODE) - Overwrite SEH
Lan Messenger - sending PM Buffer Overflow (UNICODE) Overwrite SEH
Tiki Wiki CMS 15.0 - Arbitrary File Download
Belkin Router AC1200 Firmware 1.00.27 - Authentication Bypass
WordPress All in One SEO Pack Plugin 2.3.6.1 - Persistent XSS
Device42 WAN Emulator 2.3 Traceroute Command Injection
Device42 WAN Emulator 2.3 Ping Command Injection
Device42 WAN Emulator 2.3 - Traceroute Command Injection
Device42 WAN Emulator 2.3 - Ping Command Injection

Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash

Dell KACE K1000 File Upload
Dell KACE K1000 - File Upload

Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection
Dell SonicWALL Scrutinizer 11.01 - methodDetail SQL Injection

Valve Steam 3.42.16.13 - Local Privilege Escalation
Beauty Parlour & SPA Saloon Management System - Blind SQL Injection
Clinic Management System - Blind SQL Injection

Linux x86-64 Continuously-Probing Reverse Shell via Socket + Port-range + Password - 172 Bytes
2016-07-12 05:05:04 +00:00

72 lines
No EOL
2.2 KiB
Text
Executable file
Raw Blame History

---------------------------------------------------------------------------
IPS Community Suite <= 4.1.12.3 Autoloaded PHP Code Injection Vulnerability
---------------------------------------------------------------------------
[-] Software Link:
https://invisionpower.com/
[-] Affected Versions:
Version 4.1.12.3 and prior versions.
[-] Vulnerability Description:
The vulnerable code is located in the /applications/core/modules/front/system/content.php script:
38. $class = 'IPS\\' . implode( '\\', explode( '_', \IPS\Request::i()->content_class ) );
39.
40. if ( ! class_exists( $class ) or ! in_array( 'IPS\Content', class_parents( $class ) ) )
41. {
42. \IPS\Output::i()->error( 'node_error', '2S226/2', 404, '' );
43. }
User input passed through the "content_class" request parameter is not properly sanitized before being used in a call
to the "class_exists()" function at line 40. This could be exploited by unauthenticated attackers to inject and execute
arbitrary PHP code leveraging the autoloading function defined into the /applications/cms/Application.php script:
171. if ( mb_substr( $class, 0, 14 ) === 'IPS\cms\Fields' and is_numeric( mb_substr( $class, 14, 1 ) ) )
172. {
173. $databaseId = mb_substr( $class, 14 );
174. eval( "namespace IPS\\cms; class Fields{$databaseId} extends Fields { public static \$customDatabaseId [...]
175. }
Successful exploitation of this vulnerability requires the application running on PHP before version 5.4.24 or 5.5.8.
[-] Proof of Concept:
http://[host]/[ips]/index.php?app=core&module=system&controller=content&do=find&content_class=cms\Fields1{}phpinfo();/*
[-] Solution:
Update to version 4.1.13 or later.
[-] Disclosure Timeline:
[04/07/2016] - Vendor notified
[05/07/2016] - Vulnerability fixed in version 4.1.13: https://invisionpower.com/release-notes/4113-r44/
[06/07/2016] - CVE number requested
[06/07/2016] - CVE number assigned
[07/07/2016] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2016-6174 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-11
Reference in a new issue View git blame Copy permalink