CVE-2007-1255
Published 2007-03-03
Priority P4 · 33 · medium · 6 (CVSS 2.0)
AV:N/AC:M/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 0.87% (54.1th percentile)
Unrestricted file upload vulnerability in admin.bbcode.php in Connectix Boards 0.7 and earlier allows remote authenticated administrators to execute arbitrary PHP code by uploading a crafted GIF smiley image with a .php extension via the uploadimage parameter to admin.php, which can be later accessed via a direct request for the file in smileys/. NOTE: this can be leveraged with a separate SQL injection issue for remote unauthenticated attacks.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| connectix | connectix_boards | — | — |
Suricata
GPL IMAP login buffer overflow attempt
suricata·2010-09-23
CVE-1999-0005 GPL IMAP login buffer overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16; metadata:created_at 2010_09_23, cve CVE_1999_0005, confidence High, signature_severity Major, updated_at 2019_07_26;)
Suricata
ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage SELECT
suricata·2010-07-30·CVSS 6.0
CVE-2007-1255 [MEDIUM] ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage SELECT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; classtype:web-application-attack; sid:2004705; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage ASCII
suricata·2010-07-30·CVSS 6.0
CVE-2007-1255 [MEDIUM] ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage ASCII"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; classtype:web-application-attack; sid:2004709; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UNION SELECT
suricata·2010-07-30·CVSS 6.0
CVE-2007-1255 [MEDIUM] ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UNION SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UNION SELECT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; classtype:web-application-attack; sid:2004706; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_
Suricata
ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage INSERT
suricata·2010-07-30·CVSS 6.0
CVE-2007-1255 [MEDIUM] ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage INSERT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; classtype:web-application-attack; sid:2004707; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage DELETE
suricata·2010-07-30·CVSS 6.0
CVE-2007-1255 [MEDIUM] ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage DELETE"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; classtype:web-application-attack; sid:2004708; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE
suricata·2010-07-30·CVSS 6.0
CVE-2007-1255 [MEDIUM] ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; classtype:web-application-attack; sid:2004710; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_A
Exploit-DB
IPSwitch IMail Server 8.20 - IMAPD Remote Buffer Overflow
exploitdb·2007-04-01
CVE-2005-1255 IPSwitch IMail Server 8.20 - IMAPD Remote Buffer Overflow
---
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Ipswitch IMAIL Server IMAPD 7.13 - 8.20 exploit
* Site : http://www.ipswitch.com
* Found by : iDEFENSE Security (http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=243)
* ----------------------------------------
* Exploit date : 31.03.2007
* Exploit writer : Heretic2 ([email protected])
* OS : Windows 2000 SP4 and Windows XP ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info: Well, this is the realization of the IMAIL IMAPd 'LOGIN' buffer overflow vulnerability.
* The version provided by kcope uses SEH overwrite method, which doesn't work on Windows XP SP2,
* so i have written the exploit that overwrites EI
Exploit-DB
Connectix Boards 0.7 - 'p_skin' Multiple Vulnerabilities
exploitdb·2007-02-21
CVE-2007-1255 Connectix Boards 0.7 - 'p_skin' Multiple Vulnerabilities
---
#!/usr/bin/php
URL: http://www.acid-root.new.fr/
Usage: $argv[0] -url <> -usr <> -pwd <> -type <> [Options]
Params: -url For example http://victim.com/connectix/
-usr The username of your account
-pwd The password of your account
-type Privilege Escalation(1) or Code execution(2)
Options: -proxy If you wanna use a proxy
-proxyauth Basic authentification
"); exit(1);
}
$url = getparam('url',1);
$user = getparam('usr',1);
$pass = getparam('pwd',1);
$type = getparam('type',1);
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
$theme = 'Zephyr';
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
$xpl->allowredirection(1);
$xpl->cookiejar(1);
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);
prin
No writeups or analysis indexed.
http://osvdb.org/33538
http://secunia.com/advisories/24255
http://securityreason.com/securityalert/2364
http://www.securityfocus.com/archive/1/460947/100/0/threaded
https://www.exploit-db.com/exploits/3352
Published 2007-03-03