CVE-2007-2372
Published 2007-04-30
Priority: P3, 50
Severity: critical, 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 8.20% (94.2th percentile)
admin/send_mod.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and earlier prints a Location header but does not exit when administrative credentials are missing, which allows remote attackers to compose an e-mail message via a post with the subject, message, format, and list_id fields; and send the message via a direct request for the MsgId value under admin/.
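A defensive check for the pattern described above, as an added example that is not part of the original advisory or of phpMyNewsletter: a heuristic Python scan that flags `header("Location: ...")` calls whose next statement is not `exit` or `die`. The `VULNERABLE` sample is built around the two-line guard quoted from send_mod.php in the exploit excerpt on this page; `save_message()` and the `HARDENED` variant are constructed for illustration.

```python
import re
# A redirect only protects a page if the script stops right after sending it.
REDIRECT = re.compile(r'header\s*\(\s*["\']\s*Location\s*:', re.IGNORECASE)
# Whitespace and PHP comments allowed between the redirect and the exit.
SKIP = re.compile(r'(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*', re.DOTALL)
STOP = re.compile(r'(?:exit|die)\b', re.IGNORECASE)

def statement_end(src, pos):
    """Index just past the ';' ending the statement at pos (quotes respected)."""
    quote, i = None, pos
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == '\\':
                i += 1              # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
        elif ch == ';':
            return i + 1
        i += 1
    return len(src)

def redirects_without_exit(src):
    """1-based line numbers of Location redirects not followed by exit/die."""
    findings = []
    for m in REDIRECT.finditer(src):
        after = SKIP.match(src, statement_end(src, m.start())).end()
        if not STOP.match(src, after):
            findings.append(src.count('\n', 0, m.start()) + 1)
    return findings

# Constructed sample: the guard quoted on this page, plus a hypothetical
# save_message() standing in for the code that composes the e-mail.
VULNERABLE = '''<?php
if(!checkAdminAccess($conf->admin_pass, $form_pass))
header("Location:index.php");
save_message($subject, $message);
'''
# Constructed fix: same guard, but the script stops after the redirect.
HARDENED = '''<?php
if(!checkAdminAccess($conf->admin_pass, $form_pass)) {
    header("Location:index.php");
    exit;
}
save_message($subject, $message);
'''
print(redirects_without_exit(VULNERABLE), redirects_without_exit(HARDENED))  # [3] []
```

The scan is a heuristic: it does not follow control flow, so a redirect that is the last statement of a function or file is still reported and needs manual review.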
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gregory_kokanosky | phpmynewsletter | <= 0.8_beta_5 | — |
No detection rules found.
Exploit-DB
Blue Coat Systems K9 Web Protection 32.36 - Remote Buffer Overflow (PoC)
exploitdb·2007-06-08
CVE-2007-1685
---
source: https://www.securityfocus.com/bid/24373/info
K9 Web Protection is prone to a buffer-overflow vulnerability because it fails to perform sufficient boundary checks on user-supplied data before copying it to a buffer.
An attacker could leverage this issue to execute arbitrary code with administrative privileges. A successful exploit could result in the complete compromise of the affected system.
K9 Web Protection 3.2.36 is reported vulnerable; other versions may be affected as well.
CSIS.DK - BlueCoat K9 Web Protection Overflow
Discovery and Exploit by Dennis Rand - CSIS.DK
http://127.0.0.1:2372/home.html[Ax168][DCBA][A x 56][BBBB][AAAA]
Return Address = DCBA
Pointer to the next SEH record = BBBB
SE
Exploit-DB
phpMyNewsletter 0.8 (beta5) - Multiple Vulnerabilities
exploitdb·2007-04-05
CVE-2007-2372
---
#!/usr/bin/php -q -d short_open_tag=on
Thanks to rgod for the php code and Marty for the Love
";
if ($argc Delete Config Value (Rude Attack - can't do anything after)
2 - > Send an Email to all of the subscribers (Do not alter anything)
Related: 1 - > None
2 - > OneWordTitle TextOfYourChoice
Es:
php ".$argv[0]." localhost /myphpnl/ Newsletter_Hacked BlackHawk Got Your Newsletter
";
die;
}
/*
Attack N°1
vuln code is in index.php: the function to check the login is at line 79,
but the code to change the config file is at line 33..
if mq=off you can inject a shell into the file..
Attack N°2
vuln code is in send_mod.php at line 16:
if(!checkAdminAccess($conf->admin_pass, $form_pass))
header("Location:index.php");
this is not a