Disclosed: July 14, 2014
The Wordpress WPTouch plugin contains an authenticated file upload
vulnerability. A wp-nonce (CSRF token) is created on the backend index
page and the same token is used on handling ajax file uploads through
the plugin. By sending the captured nonce with the upload, we can
upload arbitrary files to the upl...
Disclosed: July 08, 2014
A website that serves a JSONP endpoint that accepts a custom alphanumeric
callback of 1200 chars can be abused to serve an encoded swf payload that
steals the contents of a same-domain URL. Flash < 184.108.40.206 is required.
This module spins up a web server that, upon navigation from a user, attempts
to abuse the s...
Disclosed: July 01, 2014
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
functionality to upload a zip file containing the payload. The plugin uses the
admin_init hook, which is also executed for unauthenticated users when access...
Disclosed: June 30, 2014
This module exploits an unauthenticated remote command execution vulnerability
in version 0.4.0 of Gitlist. The problem exists in the handling of a specially
crafted file name when trying to blame it.
Disclosed: June 19, 2014
This module abuses a file exposure vulnerability accessible through the web interface
on port 49152 of Supermicro Onboard IPMI controllers. The vulnerability allows an attacker
to obtain detailed device information and download data files containing the clear-text
usernames and passwords for the controller. In May of 201...
Disclosed: June 07, 2014
This module can exploit NoSQL injections on MongoDB versions less than 2.4
and enumerate the collections available in the data via boolean injections.
Disclosed: June 05, 2014
This module checks for the OpenSSL ChangeCipherSpec (CCS)
Injection vulnerability. The problem exists in the handling of early
CCS messages during session negotiation. Vulnerable installations of OpenSSL accept
them, while later implementations do not. If successful, an attacker can leverage this
vulnerability to p...
Disclosed: June 05, 2014
This module performs a Denial of Service Attack against Datagram TLS in
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.
When a DTLS ClientHello message has multiple fragments and the
fragment lengths of later fragments are larger than that of the first, a
buffer overflow occurs, c...
Disclosed: June 02, 2014
This module exploits a stack-based buffer overflow in Ericom AccessNow Server. The
vulnerability is due to an insecure usage of vsprintf with user controlled data,
which can be triggered with a malformed HTTP request. This module has been tested
successfully with Ericom AccessNow Server 220.127.116.11 on Windows XP SP3 and Windo...
Disclosed: May 27, 2014
This module uses a dictionary to brute force valid usernames from
Cerberus FTP server via SFTP. This issue affects all versions of
the software older than 18.104.22.168 or 22.214.171.124 and is caused by a discrepancy
in the way the SSH service handles failed logins for valid and invalid
users. This issue was discovered by S...