A Remote Code Execution (RCE) vulnerability has been found in filter/tex/texed.php. Because this file does not properly check its input parameters, it is possible to exploit this vulnerability to execute arbitrary commands on the target server. To exploit this vulnerability, register_globals must be enabled (in PHP), magic_quotes must be disabled, and the TeX Notation filter in Moodle must be turned on.
This module exploits a vulnerability in MongoDB server. An arbitrary value passed as a parameter to the nativeHelper function in MongoDB server allows an attacker to control the execution flow to achieve remote code execution.
The mongo::mongoFind method in MongoDB makes use of uninitialized memory. A remote attacker can fill that memory address with controlled data and then call the vulnerable function in order to execute arbitrary code on the affected server.
This module exploits the following vulnerability, as described by the CVE database: "Format string vulnerability in miniserv.pl Perl web server in Webmin before 1.250 and Usermin before 1.180, with syslog logging enabled, allows remote attackers to [...] execute arbitrary code via format string specifiers in the username parameter to the login form, which is ultimately used in a syslog call." The most common TCP ports used by vulnerable programs are 10000 for Webmin and 20000 for Usermin. This module will run 2 different phases: the first phase will bruteforce a return address location (retloc) and the second phase will bruteforce the address of the agent code (retaddr). NOTE: The first phase might create zombie processes that should be killed once the agent has been installed. The second phase might generate a few megabytes of traffic.
Multiple MicroWorld eScan products are vulnerable to a remote command-execution vulnerability because they fail to properly sanitize user-supplied input. Attackers can exploit this issue to execute arbitrary commands with superuser privileges. Successful attacks will completely compromise affected computers. The issue affects versions prior to 4.1.x of the following products: eScan for Linux Desktop, eScan for Linux File Servers, MailScan for Linux Mail servers, WebScan for Linux Proxy Servers.
MediaWiki with DjVu or PDF file upload allows remote attackers to execute arbitrary commands by exploiting a bug in the width parameter in thumb.php while previewing the uploaded file.
This exploit uses a format string vulnerability via syslog(3) located in the rlprd msg() function to install an agent. rlprd versions 2.0 to 2.04 are vulnerable.
LPRng contains a function, use_syslog(), that returns user input to a string in LPRng that is passed to syslog() as the format string. As a result, it is possible to corrupt the program's flow of execution by entering malicious format specifiers.
This module exploits a header overflow vulnerability in lighttpd when using the fast_cgi module in lighttpd before version 1.4.18. The vulnerability allows PHP headers to be modified. This module modifies the SCRIPT_FILENAME PHP header to run arbitrary files in the PHP interpreter. This module will send a request to the server with an HTTP Referer header containing PHP code, which the lighttpd server writes to its log file. Then the module searches for the lighttpd log file in the web server using the vulnerability. Then the module executes the lighttpd log file as a PHP script using the vulnerability, and installs a new agent in the server.
An input sanitization flaw exists in the way JBoss Seam processes certain parameterized JBoss Expression Language (EL) expressions. A remote unauthenticated attacker could use this flaw to execute arbitrary code via GET requests, containing specially-crafted expression language parameters, provided to web applications based on the JBoss Seam Framework. This module exploits the vulnerability in any web application based on vulnerable versions of the Seam 2 Framework.