CVE-2009-2011
Published: 2009-06-16
Priority: P2 (64) · CVSS 2.0 base score 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available · EPSS: 40.18% (98.5th percentile)
Worldweaver DX Studio Player 3.0.29.0, 3.0.22.0, 3.0.12.0, and probably other versions before 3.0.29.1, when used as a plug-in for Firefox, does not restrict access to the shell.execute JavaScript API method, which allows remote attackers to execute arbitrary commands via a .dxstudio file that invokes this method.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dxstudio | dx_studio_player | <= 3.0.29.0 | — |
| dxstudio | dx_studio_player | — | — |
| dxstudio | dx_studio_player | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP responses serving files with Content-Type 'application/octet-stream' containing a ZIP archive with an embedded 'header.xml' — this is the crafted .dxstudio payload delivery mechanism used by the Metasploit module.
- Detect browser plugin (Firefox DLL or IE ActiveX) invoking shell.execute() from JavaScript within a .dxstudio document context — this is the core exploitation primitive.
- Alert on .dxstudio files being served or downloaded from the web, especially those that are ZIP archives containing a header.xml with embedded batch commands (CMDS/BATNAME substitution pattern).
- Look for randomly named .bat files written to disk by the DX Studio Player plugin process — the exploit stages a payload by writing a randomly named batch file via the plugin's file-write capability.
- In IE, watch for a single per-host prompt allowing the DX Studio Player ActiveX control to access local files — subsequent exploitation on the same host will be silent.
- Affected versions are 3.0.29.0 and earlier (including 3.0.22.0 and 3.0.12.0); version 3.0.29.1 and later contain the fix. The vulnerability is present in both the Firefox DLL plugin and the IE ActiveX control.
- The shell.execute() API is intentionally unrestricted in the standalone DX Studio Player — exploitation via this vector is only a vulnerability in the browser plugin context, not the standalone player.
- Metasploit payload space is limited to 2048 bytes, requiring a cmdstager (multi-stage command execution) approach with a line max of 2047 bytes per command.
CVSS provenance
- nvd (v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
- vendor_redhat: 7.8 HIGH
GHSA
CVE-2009-2011 [HIGH] CWE-78 GHSA-hfvg-qx3h-rpgq: Worldweaver DX Studio Player 3
ghsa_unreviewed·2022-05-02
Worldweaver DX Studio Player 3.0.29.0, 3.0.22.0, 3.0.12.0, and probably other versions before 3.0.29.1, when used as a plug-in for Firefox, does not restrict access to the shell.execute JavaScript API method, which allows remote attackers to execute arbitrary commands via a .dxstudio file that invokes this method.
Kernel
CVE-2000-1134 [HIGH] namei: allow restricted O_CREAT of FIFOs and regular files
kernel_security·2018-08-23·CVSS 7.2
Disallows open of FIFOs or regular files not owned by the user in world
writable sticky directories, unless the owner is the same as that of the
directory or the file is opened without the O_CREAT flag. The purpose
is to make data spoofing attacks harder. This protection can be turned
on and off separately for FIFOs and regular files via sysctl, just like
the symlinks/hardlinks protection. This patch is based on Openwall's
"HARDEN_FIFO" feature by Solar Designer.
This is a brief list of old vulnerabilities that could have been prevented
by this feature, some of them even allow for privilege escalation:
CVE-2000-1134
CVE-2007-3852
CVE-2008-0525
CVE-2009-0416
CVE-2011-4834
CVE-2015-1838
CVE-2015-7442
CVE-2016-7489
This list is no
Red Hat
CVE-2011-2481 [MEDIUM] Apache Tomcat CVE-2009-0783 regression
vendor_redhat·2011-08-12·CVSS 4.2
Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression.
Statement: This issue did not affect any version of Tomcat shipped in Red Hat products. This flaw only affected Tomcat versions 7.0.0 - 7.0.16.
Package: tomcat5 (Red Hat Enterprise Linux 5) - Not affected
Package: tomcat6 (Red Hat Enterprise Linux 6) - Not affected
Red Hat
CVE-2011-2177 [HIGH] OpenOffice.org: InteVyDis Demo of OpenOffice 0day. Released with VulnDisco 8.8 pack (release date May,2009)
vendor_redhat·2011-05-31·CVSS 7.8
OpenOffice.org v3.3 allows execution of arbitrary code with the privileges of the user running the OpenOffice.org suite tools.
Statement: We do not currently plan to fix this issue due to the lack of further information about the flaw and its impact. If more information becomes available at a future date, we may revisit the issue.
Red Hat
CVE-2009-4067 [MEDIUM] kernel: usb: buffer overflow in auerswald_probe()
vendor_redhat·2009-10-29·CVSS 6.8
Buffer overflow in the auerswald_probe function in the Auerswald Linux USB driver for the Linux kernel before 2.6.27 allows physically proximate attackers to execute arbitrary code, cause a denial of service via a crafted USB device, or take full control of the system.
Statement: This issue did not affect the Linux kernel as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as the affected code has been removed. It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2011-1386.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included i
Suricata
CVE-2009-3459 ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt
suricata·2011-07-01
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; file.data; content:"Colors 1073741838"; fast_pattern; pcre:"/]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, cve CVE_2009_3459, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09;)
Suricata
CVE-2009-2990 ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt
suricata·2011-01-15
Rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; pcre:"/]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_15, cve CVE_2009_2990, deployment Perimeter, confidence M
Exploit-DB
CVE-2013-7091 Zimbra 2009-2013 - Local File Inclusion
exploitdb·2013-12-06
---
# Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected,
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/30085.zip (zimbraexploit_rubina119.zip)
---------------Description-----------------
This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml
that contains LDAP root credentials which allo
Exploit-DB
CVE-2011-4275 Open Flash Chart 2 - Arbitrary File Upload (Metasploit)
exploitdb·2013-10-26
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "Open Flash Chart v2 Arbitrary File Upload",
'Description' => %q{
This module exploits a file upload vulnerability found in Open Flash
Chart version 2. Attackers can abuse the 'ofc_upload_image.php' file
in order to upload and execute malicious PHP files.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Braeden Thomas', # Initial discovery + Piwik PoC
'Gjoko Krstic ', # OpenEMR PoC
'Halim Cruzito', # zonPHP PoC
'Brendan Coles ' # Metasploit
],
'References' =>
[
['BID', '37314'],
['CVE', '2009-4140'],
['OSVDB', '59051'],
['EDB', '10532']
],
'Payload' =>
{
'Space'
Exploit-DB
CVE-2012-5348 MangosWeb - SQL Injection
exploitdb·2012-01-08
---
EXPLOIT TITLE: MangosWeb SQL Vulnerability
DATE: 1/7/2012
BY Hood3dRob1n
AFFECTED PRODUCTS: MangosWeb Enhanced Version 3.0.3
SW LINK: http://code.google.com/p/mwenhanced/
CATEGORY: WebApp 0day
DORK: intext:MangosWeb ENhanced Version 3.0.3 @2009-2011, KeysWow Dev Team
TESTED ON: W7 & Backtrack 5
DEMO1: http://wowfaction.selfip.com/wow/
DEMO2: http://www.mojotrollz.eu/
DEMO3: http://h1987786.stratoserver.net:8096/
Greetz to: -DownFall, Zer0Pwn, zerofreak, ~!White!~, Dr. Hobo, ring0_, Pi , and Greyerstring!
Found SQL vulnerabilities in this CMS which seems to affect a large amount of online gaming sites. There is a SQL injection vulnerability in the Login field of the login form located at the top of the site pages. If you inject a single apostrophe (') into t
Exploit-DB
CVE-2011-4918 Elxis CMS 2009 - 'index.php?task' Cross-Site Scripting
exploitdb·2011-12-05
---
source: https://www.securityfocus.com/bid/50910/info
Elxis CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/elxis/index.php?id=3&Itemid=9&option=com_content&task=%22%20onmouseover%3dprompt%28dclabs%29%20dcl%3d%22
Exploit-DB
CVE-2009-3999 HP Power Manager - 'formExportDataLogs' Remote Buffer Overflow (Metasploit)
exploitdb·2011-10-20
---
##
# $Id: hp_power_manager_filename.rb 14016 2011-10-20 17:40:21Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "HP Power Manager 'formExportDataLogs' Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'.
By creating a malformed request specifically for the fileName parameter, a stack-based
buffer overflow occurs due to a long error message (which contains the fileName),
which may resu
Exploit-DB
CVE-2009-0450 BlazeVideo HDTV Player 6.6 Professional - Universal ASLR + DEP Bypass
exploitdb·2011-10-07
---
# Exploit Title: BlazeVideo HDTV Player 6.6 Professional (Universal DEP+ASLR Bypass)
# Author: modpr0be
# Software Download: http://www.blazevideo.com/download.php?product=blazevideo-hdtv-pro
# Date: 07/10/2011
# Tested on: Windows XP SP3, Windows Vista SP2, Windows 7 SP1
# Thanks: corelanc0d3r, cyb3r.anbu, otoy, sickness, 5m7x, loneferret, _sinn3r, mr_me
# Take a look at mona.py :) awesome tool developed by corelanc0d3r and his team:
# https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
# this is the old fashioned bug, i just try to make it universal :)
# it has also been exploited by:
# Greg Linares: http://www.exploit-db.com/exploits/2880
# LiquidWorm: http://www.exploit-db.com/exploits/7975
# hack
Exploit-DB
CVE-2009-1429 Symantec System Center Alert Management System - 'xfr.exe' Arbitrary Command Execution (Metasploit)
exploitdb·2011-08-19
---
##
# $Id: ams_xfr.rb 13591 2011-08-19 18:35:29Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',
'Description' => %q{
Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
because the application fails to properly sanitize user-supplied input.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version'
Exploit-DB
CVE-2011-4716 DreamBox DM800 - Arbitrary File Download
exploitdb·2011-06-21
---
# Exploit Title: [title]
# Date: [date]
# Author: [ShellVision]
# Version: [dm800 <= 1.6rc3]
# Tested on: [dm800 Release 4.6.0 2009-12-24]
DreamBox DM800 Arbitrary File Download Vulnerability
Vendor: Dream Multimedia GmbH
Product web page: http://www.dream-multimedia-tv.de
Affected version: DM800 (may affect other versions)
Summary: The Dreambox is a series of Linux-powered
DVB satellite, terrestrial and cable digital television
receivers (set-top box).
Desc: Dreambox suffers from a file download vulnerability
through directory traversal with appending the '/' character
in the HTTP GET method of the affected host address. The
attacker can get to sensitive information like paid channel
keys, usernames, passwords, config and plug-ins info, et
Exploit-DB
CVE-2009-0565 Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)
exploitdb·2011-04-16
---
##
# $Id: ms09-027 10477 2011-04-13 11:59:02Z mc $
##
##
# This file is not part of the Metasploit Framework and may not be subject to
# redistribution and commercial restrictions.
##
#TODO some testing to find the real banned characters and maxlen
# add those parameters to the .rb file
# drop in appropriate directory
# ulimit -s 100000 is required to run this exploit appropriately
require 'msf/core'
#require 'zlib'
class Metasploit3 'MS Word Record Parsing Buffer Overflow(MS-09-027)',
'Description' => %q{
MS Word Record Parsing Buffer Overflow(MS-09-027)
Vulnerable application MS Office 2003
Tested on XP SP2 - MS Office 2003 v. 11.5604.5606
Bug Found By Wushi of team509
Greets Villy, Abhishek Lyall and A
Exploit-DB
CVE-2009-3249 [HIGH] vTiger CRM 5.0.4 - Local File Inclusion
exploitdb·2011-03-05·CVSS 7.5
---
#!/usr/bin/python
# ~INFORMATION: #
# Exploit Title: Vtiger CRM 5.0.4 Pre-Auth Local File Inclusion Exploit #
# Google Dork: "The honest Open Source CRM" "vtiger CRM 5.0.4" #
# Date: 5/3/2011 #
# CVE: CVE-2009-3249 #
# Windows link: http://bit.ly/fiOYCL #
# Linux link: http://bit.ly/hluzLf #
# Tested on: Windows XP/Linux Ubuntu #
# PHP.ini Settings: gpc_magic_quotes = Off #
# Advisory: http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt #
# Creds: Giovanni "evilaliv3" Pellerano, Antonio "s4tan" Parata and Francesco #
# "ascii" Ongaro are credited with the discovery of this vulnerability. #
# Greetz: mr_me, sud0, sinn3r & my other fellow hackers #
# Note: Loading URL files may require tampering of code ;-) #
# ~VULNERABLE CODE:
'''
Exploit-DB
CVE-2009-0932 [MEDIUM] Horde - Horde_Image::factory driver Argument Local File Inclusion
exploitdb·2011-02-11·CVSS 6.4
---
# Exploit Title: Horde Horde_Image::factory driver Argument Local File Inclusion
# Google Dork: intitle:horde
# Date: 10-02-2011
# Author: skysbsb
# Software Link: http://www.horde.org/download/
# Version: Horde 3.3.2
# Tested on: linux
# CVE : CVE-2009-0932
The original disclosure was done by Gunnar Wrobel from the Horde team. It was
found in a code audit (January 2009).
It's an old vuln (2009) but still unpublished in exploit-db. There are a lot
of vulnerable sites out there. Just try google =)
Vuln description:
The version of Horde, Horde Groupware, or Horde Groupware Webmail Edition
installed on the remote host fails to filter input to the 'driver' argument
of the 'Horde_Image::factory' method before using it to inc
Exploit-DB
CVE-2011-0652 Look n stop - Local Denial of Service
exploitdb·2011-01-21
---
#include
#include
#include
#include
#include
/*
Program : Look 'n' Stop 2.06p4 / 2.07 (6.0.2900.5512)
Homepage : http://www.looknstop.com
Discovery : 2009/11/08
Author Contacted : 2010/07/15 ... no reply
Found by : Heurs
This Advisory : Heurs
Contact : [email protected]
//----- Application description
Look 'n' Stop Firewall 2.07 provides key features to protect your computer
against cyber threats. It prevents malicious programs from transmitting the
data of your computer to hacker's computers. Look 'n' Stop Firewall 2.07
also protects your computer from external intrusions.
//----- Description of vulnerability
The lnsfw1.sys driver generates a BSOD with a particular IOCTL value. The kernel
then waits for an action with a kernel debugger.
//----- Credit
Exploit-DB
CVE-2009-2011 Worldweaver DX Studio Player 3.0.29 - 'shell.execute()' Command Execution (Metasploit)
exploitdb·2010-05-26
---
##
# $Id: dxstudio_player_exec.rb 9375 2010-05-26 22:39:56Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex/zip'
class Metasploit3 'Worldweaver DX Studio Player %q{
This module exploits a command execution vulnerability within the
DX Studio Player from Worldweaver. The player is a browser plugin for
IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web
page referring to a specially crafted .dxstudio document, an attacker can
execute
Exploit-DB
CVE-2009-2650 Media Jukebox 8.0.400 - Local Buffer Overflow (SEH) (Metasploit)
exploitdb·2009-12-27
---
##
# $Id: mediajukebox.rb 11516 2011-01-08 01:13:26Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)',
'Description' => %q{
This module exploits a stack buffer overflow in Media Jukebox 8.0.400
By creating a specially crafted m3u or pls file, an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ron Henry ',
'dijital1',
],
'Version' => '$Revision: 11516 $',
'References'
Exploit-DB
CVE-2011-4275 Piwik Open Flash Chart - Remote Code Execution
exploitdb·2009-12-17
---
Bugtraq ID: 37314
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Dec 14 2009 12:00AM
Updated: Dec 17 2009 06:03PM
Credit: Braeden Thomas
Vulnerable: Piwik Piwik 0.4.3
Piwik Piwik 0.4.2
Piwik Piwik 0.4.1
Piwik Piwik 0.4
Piwik Piwik 0.2.37
Piwik Piwik 0.2.36
Piwik Piwik 0.2.35
Open Web Analytics Open Web Analytics 1.2.0
Open Flash Chart Open Flash Chart 2.0
Open Flash Chart is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.
Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
Open Flash Chart 2 Beta 1 and Open Flash Chart 2 are vulnerable; other versions may also
Exploit-DB
CVE-2011-4908 TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities
exploitdb·2009-07-28
---
TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities
Discovered by
Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure
Advisory URL:
http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities
Date published: 2009-07-27
Severity: High
Vulnerability Class: Abuse of Functionality
Affected Products:
- TinyMCE editor with TinyBrowser plugin
- Any web sites/web applications that use TinyMCE editor with TinyBrowser plugin
Author: Bryn Jones (http://www.lunarvis.com)
Author Contacted: Yes
Reply: No reply
Product Overview
TinyBrowser is a plugin of TinyMCE JavaScript editor that acts as
file browser to view, upload, delete, renam
Exploit-DB
CVE-2009-2011 [CRITICAL] Worldweaver DX Studio Player < 3.0.29.1 Firefox plugin - Command Injection
exploitdb·2009-06-10·CVSS 9.3
- -----------/
Note: The security vulnerability is also exploitable on the standalone
player, however, this functionality appears to be the expected behavior
and fully intended for the standalone player.
9. *Report Timeline*
. 2009-05-21:
Core Security Technologies notifies the Worldweaver Support Team (WST)
of the vulnerability and announces its initial plan to publish the
content on June 15th, 2009.
. 2009-05-26:
The WST asks Core for a technical description of the vulnerability.
. 2009-05-26:
Technical details sent to WST by Core.
. 2009-06-08:
Core asks WST for an estimated date to fix this issue.
. 2009-06-08:
WST notifies Core that a fix has already been produced and it is
available to the users.
. 2009-06-09:
The advisory CORE
Exploit-DB
CVE-2011-4909 Joomla! 1.5.x - Cross-Site Scripting / Information Disclosure
exploitdb·2009-06-01
---
source: https://www.securityfocus.com/bid/35544/info
Joomla! is prone to multiple cross-site scripting and information-disclosure vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and obtain sensitive information.
These issues affect versions prior to 1.5.12.
/* PoC: XSS Joomla 1.5.11 Juan Galiana Lara Internet Security Auditors Jun 2009 */
/* config */
$site='localhost';
$path='/joomla-1.5.11';
$cookname='d85558a8cf943386aaa374896bfd3d99';
$cookvalue='4ab56fdd83bcad86289726aead602699';
class cURL {
var $headers;
var $user_agent;
var $compression;
var $cookie_f
Exploit-DB
CVE-2009-1735 vidshare pro - SQL Injection / Cross-Site Scripting
exploitdb·2009-05-19
---
-------------------------AllaH AkbaR-------------------------------
VidShare Pro MULTIPLE REMOTE VULNERABILITIES
Discovered By: Snakespc ALGERIAN HaCkEr
Mail: [email protected]
Site:http://www.snakespc.com/sc/index.php
Chi3arona houa : Serra7 merra7 , koulchi mderra7>>>>
Aflawa Kamikaz Wa4rin Fi kol Bla4s
-------------------------SNAKES TEAM-------------------------------------
Script:VidShare Pro www.omnisoftsol.com
Demo:http://www.omnisoftsol.com/index.php?option=com_content&task=view&id=7&Itemid=28
(listing_video.php)
--------------------------SNAKES TEAM------------------------------------
Exploit:SQL
Demo:
http://demo.omnisoftsol.com/listing_video.php?catid=2+UNION%20SELECT%201,2,3,4,CHAR(83,%20110,%2097,%20107,%20101,%2011
Metasploit
Worldweaver DX Studio Player shell.execute() Command Execution
metasploit
This module exploits a command execution vulnerability within the DX Studio Player from Worldweaver for versions 3.0.29 and earlier. The player is a browser plugin for IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web page referring to a specially crafted .dxstudio document, an attacker can execute arbitrary commands. Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and IE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow the plug-in to access local files. This prompt appears to occur only once per server host. NOTE: This exploit uses additionally dangerous script features to write to local files!
Bugzilla
CVE-2011-1830 [MEDIUM] CVE-2011-1830 ekiga: attempted to load a module from /tmp/ekiga_test.so
bugzilla·2019-04-23·CVSS 5.7
Ekiga versions before 3.3.0 attempted to load a module from /tmp/ekiga_test.so.
Upstream commit:
https://gitlab.gnome.org/GNOME/ekiga/commit/02654fc949722a78d41fcffac8687d73d8574647
Discussion:
Likely introduced via https://gitlab.gnome.org/GNOME/ekiga/commit/87d3a0824b373a3d16e9198540174ce16e4ab3db on Jun 24th, 2009. The fix was committed on Jul 1st, 2009.
---
Statement:
This issue did not affect the versions of ekiga as shipped with Red Hat Enterprise Linux 6 and 7.
---
All recent versions of Fedora have shipped with ekiga 4.0.1
Bugzilla
CVE-2009-5028 [HIGH] CVE-2009-5028 CVE-2011-4345 namazu various flaws [fedora-14]
bugzilla·2011-11-23·CVSS 7.5
fedora-14 tracking bug for namazu: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
Adding parent bug 756348
New bodhi update url:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=756341,756348
---
BTW f14 ended up EOL product some while ago and namazu isn't shipped in Fedora anymore. I'm not quite sure if we want to keep this open.
---
(In reply to comment #2)
Thank you for pointing this out, Akira.
> BTW f14 ended up EOL product some while ago and namazu isn't shipped in
> Fedora anymore. I'm not quite sure if we want to keep this
Bugzilla
CVE-2009-5064 [MEDIUM] CVE-2009-5064 glibc: ldd unexpected code execution issue [rhel-6.2]
bugzilla·2011-06-14·CVSS 6.9
Don't include me in crap like that. There is no problem. This is people making crap up.
Discussion:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHSA-2011-1526.html
Bugzilla
CVE-2011-2177 [HIGH] CVE-2011-2177 OpenOffice.org: InteVyDis Demo of OpenOffice 0day. Released with VulnDisco 8.8 pack (release date May,2009)
bugzilla·2011-06-01·CVSS 7.8
A new security flaw, potentially allowing execution of arbitrary code with
the privileges of the user running the OpenOffice.org suite tools has been
reported by the InteVyDis security researchers team:
[1] http://intevydis.com/oo_0day.html
[2] http://twitter.com/#!/legerov/status/75482755194032128
Note: Since no further detailed information is currently available about this
flaw, Red Hat Security Response Team is actively investigating the progress
done on this (at upstream and reporter side) and will update this record
with further information as soon as it is available.
Mitigation: Do not open OpenOffice.org documents from untrusted sources.
Discussion:
This has been
Bugzilla
CVE-2009-5022 [MEDIUM] CVE-2009-5022 libtiff ojpeg buffer overflow
bugzilla·2011-04-12·CVSS 6.8
The libtiff OJPEG decoder contains a heap buffer overflow when decoding
certain malformed data.
This was made known via the upstream 3.9.5 announcement. The bug is quite
old.
upstream bug:
http://bugzilla.maptools.org/show_bug.cgi?id=1999
Discussion:
Statement:
This flaw did not affect libtiff as shipped in Red Hat Enterprise Linux 4 or 5. The OJPEG decoder is disabled in those distributions.
---
Created libtiff tracking bugs for this issue
Affects: fedora-all [bug 696204]
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0452 https://rhn.redhat.com/errata/RHSA-2011-0452.html
Bugzilla
libpng10, libpng: Memory leak by write of iCCP chunk with negative embedded profile length (CVE-2006-7244, CVE-2009-5063)
bugzilla·2011-03-23·CVSS 5.0
CVE-2006-7244 [MEDIUM] libpng10, libpng: Memory leak by write of iCCP chunk with negative embedded profile length (CVE-2006-7244, CVE-2009-5063)
A memory leak was found in the way libpng, a library for manipulating
PNG image format files, processed image files whose embedded
International Color Consortium (ICC) profile chunk carried a negative
length. A remote attacker could provide a specially-crafted PNG image
file and trick a local user into opening it with an application linked
against libpng, resulting in a denial of service (excessive memory
consumption or a crash of that particular application).
References:
[1] http://www.openwall.com/lists/oss-security/2011/03/22/7 (CVE Request)
Discussion:
As noted in [1]:
i), the bug was introduced in 1.2.13beta1:
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=l
Bugzilla
CVE-2009-5065 CVE-2011-1156 CVE-2011-1157 CVE-2011-1158 python-feedparser: multiple flaws corrected in version 5.0.1
bugzilla·2011-03-14·CVSS 4.3
CVE-2009-5065 [MEDIUM] CVE-2009-5065 CVE-2011-1156 CVE-2011-1157 CVE-2011-1158 python-feedparser: multiple flaws corrected in version 5.0.1
The Python Feed Parser program (python-feedparser) recently released version 5.0.1 with the following fixes:
* Fix issue 91 (invalid text in XML declaration causes sanitizer to crash)
* Fix issue 254 (sanitization can be bypassed by malformed XML comments)
* Fix issue 255 (sanitizer doesn't strip unsafe URI schemes)
Giving the code a quick look, I don't believe the latter two issues affected 4.1 (possibly introduced in the 5.0 release). The first issue was reported against version 4.1 so would affect what we currently ship in Fedora and EPEL.
Version 5.0.1 corrects these flaws. It may be worthwhile to update to the latest version as the 5.0 release corrected a number of
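Issue 255 above concerns a sanitizer that lets unsafe URI schemes through into feed content. As an added example that is not feedparser's own sanitizer, the Python below shows the check such a sanitizer needs: the scheme is allowlisted only after the usual evasions (character references, embedded tabs or newlines, mixed case) have been undone, URL-bearing attributes that fail the check are dropped, and the rest of the markup is re-emitted. The allowed-scheme set and the attribute names are this example's own choices, and the input fragment is constructed.

```python
# Added example: URL-scheme allowlisting for feed HTML. Not feedparser code.
import html
import re
from html.parser import HTMLParser

# This example's own choices: schemes a feed reader is willing to follow, and
# the attributes that carry URLs.
SAFE_SCHEMES = {"http", "https", "mailto"}
URL_ATTRS = {"href", "src", "cite", "action"}
# Browsers ignore ASCII whitespace and control characters inside a scheme,
# so "java\tscript:" and "java\nscript:" still run as javascript:.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")


def is_safe_url(value):
    """Allowlist the scheme after undoing the usual evasions: character
    references, embedded whitespace/control characters, and mixed case."""
    v = _IGNORED.sub("", html.unescape(value))
    head, sep, _ = v.partition(":")
    if not sep:
        return True                       # no ':' at all: relative URL
    if any(c in head for c in "/?#"):
        return True                       # ':' sits in path/query, not a scheme
    return head.lower() in SAFE_SCHEMES


class FeedSanitizer(HTMLParser):
    """Re-emits the fragment, dropping URL attributes whose scheme fails
    is_safe_url. Comments are discarded outright so nothing hidden inside a
    malformed comment is ever re-emitted as markup."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:   # HTMLParser has already decoded char refs in values
            if name.lower() in URL_ATTRS and value is not None and not is_safe_url(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append((name, value))
        text = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )
        self.out.append(f"<{tag}{text}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass


def sanitize(fragment):
    """Return (sanitized markup, list of (tag, attr, value) that were dropped)."""
    p = FeedSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped


# Constructed feed content: one benign link and three scheme evasions.
SAMPLE = (
    '<p>See <a href="https://example.com/post">the post</a>, or '
    '<a href="javascript:alert(1)">this</a>, '
    '<a href="java&#9;script:alert(1)">this</a>, '
    '<img src="DATA:text/html,x"></p>'
)

if __name__ == "__main__":
    markup, dropped = sanitize(SAMPLE)
    print(markup)
    for tag, attr, value in dropped:
        print("dropped", tag, attr, repr(value))
```

An allowlist on the decoded scheme is the only robust form of this check; a denylist of "javascript:" misses the tab-split and entity-encoded spellings the sample feeds through, and any scheme added to a browser later.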
Bugzilla
CVE-2009-3386 bugzilla hidden bug alias disclosure [F11]
bugzilla·2009-11-20·CVSS 5.0
CVE-2009-3386 [MEDIUM] CVE-2009-3386 bugzilla hidden bug alias disclosure [F11]
F11 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
You can eventually use the following link to create the update request:
https://admin.fedoraproject.org/updates/new/?request=Stable&type_=security&release=Fedora%2011&bugs=539599,
---
As noted in the tracker bug, F11 has Bugzilla 3.2.5, which is not affected.
Bugzilla
CVE-2009-0788 rhn_satellite: Incorrect mod_rewrite rules (information disclosure, abuse as distributed DoS tool)
bugzilla·2009-03-20·CVSS 6.4
CVE-2009-0788 [MEDIUM] CVE-2009-0788 rhn_satellite: Incorrect mod_rewrite rules (information disclosure, abuse as distributed DoS tool)
A flaw was found in the way RHN Satellite rewrote certain URLs.
An unauthenticated user could use a specially-crafted HTTP
request to obtain sensitive information about the host system
RHN Satellite was running on. They could also use RHN Satellite
as a distributed denial of service tool, forcing it to connect
to an arbitrary service at an arbitrary IP address via a
specially-crafted HTTP request.
Discussion:
The preliminary embargo date for this issue has been set to
Monday, 9th of May, 2011.
---
(In reply to comment #25)
The preliminary embargo date for this issue has been moved to an
earlier date, Monday, 11th of April, 2011.
---
This issue has been addressed in foll
References
http://secunia.com/advisories/35402
http://www.coresecurity.com/content/DXStudio-player-firefox-plugin
http://www.dxstudio.com/forumtopic.aspx?topicid=b4152459-fb5f-4933-b700-b3fbd54f6bfd
http://www.securityfocus.com/archive/1/504195/100/0/threaded
http://www.securityfocus.com/bid/35273
http://www.vupen.com/english/advisories/2009/1561
https://exchange.xforce.ibmcloud.com/vulnerabilities/51035
https://www.exploit-db.com/exploits/8922
Published 2009-06-16