When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP.
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
f20ed46e990bc49e51e4df52537ec564d571907ef6c1bab6631f3044e0db35c8
This Metasploit module will extract Domain Controller credentials from vulnerable installations of HP SNAC as distributed with HP ProCurve 4.00 and 3.20. The authentication bypass vulnerability has been used to exploit remote file uploads. This vulnerability can be used to gather important information handled by the vulnerable application, like plain text domain controller credentials. This Metasploit module has been tested successfully with HP SNAC included with ProCurve Manager 4.0.
aed454bc14ce73f32076d32a64079806c8be0da490907a6f04fd8ad00e038838
Water Billing Management System version 1.0 suffers from a cross site request forgery that enables an arbitrary file upload.
b2b6b9ccd306227cb678af1bbff8e4fca60932e849a1f798914a7c8e6a43a1de
File Management System version 1.0 suffers from an arbitrary file upload vulnerability.
d7190aeb73675b4c80d6ccca7878d2547c38a9ee67ce2c6eb9c502dbff60d004
CMS RIMI version 1.3 suffers from cross site request forgery and arbitrary file upload vulnerabilities.
dc50ee27904a926af74bf8f7250aab4eeedc989557ba1792b18fa14c73568744
Online Banking System version 1.0 suffers from an arbitrary file upload vulnerability.
21c5ff52ac4e90c5da3505e6a12e81117f3b56db76ac19fc375e8dd30243e7ee
Online Diagnostic Lab Management System version 1.0 suffers from an arbitrary file upload vulnerability.
978b02141f2137df791b40707a42365e446471161ea7eb4df651cfd5ff222dd8
Biobook Social Networking Site version 1.0 suffers from an arbitrary file upload vulnerability.
eea7a63452086fbc6b26395926afd32c8db7ed26cb64e63041d07be948f52e93
Job Castle version 1.0 suffers from an arbitrary file upload vulnerability.
f14162d4a77d52793d3dc53ca757b4ad8ff9f17c72b6660e345b95221d53f069
Hotel Management System version 1.0 suffers from an arbitrary file upload vulnerability.
819229d02bda3fa9cbbbd2bfee66fb703e22843e42837d98eb5585d72f9f8570
Exam Form Submission version 1.0 suffers from an arbitrary file upload vulnerability.
a048d71cbc65bedd52d863b70ef7a5bc25146a23473cd113bada7f23c4724417
AccPack Khanepani version 1.0 suffers from an arbitrary file upload vulnerability.
7f16775768ccf1b0c70fe615a79c8c4ceb55b10aae6f67c634cf6177fd5b5fdd
AccPack Cop version 1.0 suffers from an arbitrary file upload vulnerability.
af527ad287b83f0334f0860648809791a2e32f674065e68516f6c5c957cb9e4d
Open WebUI version 0.1.105 suffers from arbitrary file upload and path traversal vulnerabilities.
ec5387176f30bac9fa4d3eadc1c952af22cf21e137493ca6d50297eda34a6c34
AccPack Buzz version 1.0 suffers from an arbitrary file upload vulnerability.
26ba3578925635eec579c27afdcf5dfe641d09db3c89b0df1e695a98b9056176
Edu-Sharing suffers from an arbitrary file upload vulnerability. Versions below 8.0.8-RC2, 8.1.4-RC0, and 9.0.0-RC19 are affected.
c90a369f9e92e190de24d8035bc4ae4e56c58d29c471e9653ffa0e568fcee57e
Carbon Forum version 5.9.0 suffers from access control, cross site request forgery, file upload, outdated library, and remote SQL injection vulnerabilities.
cba504421b68519aaed702319b854c39235fc60743041d75670a496471266424
Apache Solr versions 6.0.0 through 8.11.2 and versions 9.0.0 up to 9.4.1 are affected by an unrestricted file upload vulnerability which can result in remote code execution in the context of the user running Apache Solr. When Apache Solr creates a Collection, it will use a specific directory as the classpath and load some classes from it. The backup function of the Collection can export malicious class files uploaded by attackers to the directory, allowing Solr to load custom classes and create arbitrary Java code. Execution can further bypass the Java sandbox configured by Solr, ultimately causing arbitrary command execution.
982c87ed2032bff9e2a889f42db78ed065aa2707c068813f76b1c3875193d49d
GUnet OpenEclass E-learning platform version 3.15 suffers from an unrestricted file upload vulnerability in certbadge.php that allows for remote command execution.
87510b61a4bcdb0fdc6c31f4148617866220f4cd5cc391960946f28d1c611747
WordPress Travelscape theme version 1.0.3 suffers from an arbitrary file upload vulnerability.
8c7f57a620a7f2e630146822105069ce7c8d705a9661a1a56006b6c19ee5ae88
Lektor Static CMS version 3.3.10 suffers from an arbitrary file upload vulnerability that can be leveraged to achieve remote code execution.
12e46eeac4843dfaaf4f61083381648a44692cd6a4aade7ab73a5901f82f2336
WordPress File Upload plugin versions prior to 4.23.3 suffer from a persistent cross site scripting vulnerability.
3b846687e4071f8314c772e2348dd5b6d4b6c50cc0acd6fd150c3ad212d8fb7f
CMSMS version 2.2.19 suffers from an arbitrary file upload vulnerability.
10d444684a1178256d641dcf6a31e78bdb9b5db129a97ebd890d4e09119b515c
Hospital Management System versions 4.0 and below suffer from cross site scripting, remote shell upload, and remote SQL injection vulnerabilities.
4c4cb4162e1a493a04ab18896d55ef8649d628f41d3426944382f8e72a0ea4f9
Apache Struts versions 2.0.0 through 2.3.37 (EOL), 2.5.0 through 2.5.32, and 6.0.0 through 6.3.0 suffer from an issue where an attacker can manipulate file upload parameters to enable a path traversal; under some circumstances this can lead to uploading a malicious file that can be used to perform remote code execution.
3eabd0d7746d3af616a6a03f2fad7d9609f5c2a795390784bc379146a76826ad