#git

This Metasploit module exploits an unauthenticated remote command execution vulnerability in WordPress Backup Migration plugin versions 1.3.7 and below. The vulnerability is exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint. The exploit makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversions. This allows an attacker to prepend a PHP payload to a string which gets evaluated by a require statement, which results in command execution.

This exploit module creates an ansible module for deployment to nodes in the network. It creates a new yaml playbook which copies our payload, chmods it, then runs it on all targets which have been selected (default all).

In some specific instances, the SurrealQL parser will attempt to recursively parse nested statements or idioms (i.e. nested `IF` and `RELATE` statements, nested basic idioms and nested access to attributes) without checking if the depth limit established by default or in the `SURREAL_MAX_COMPUTATION_DEPTH` environment variable is exceeded. This can lead to the stack overflowing when the nesting surpasses certain levels of depth. ### Impact An attacker that is authorized to run queries on a SurrealDB server may be able to run a query using the affected statements and idioms with very deep nesting in order to crash the server, leading to denial of service. ### Patches - Version 1.1.0 and later are not affected by this issue. ### Workarounds Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to e...

The `ID`, `DB` and `NS` headers accepted by the SurrealDB HTTP REST API would fail to parse when containing some special characters. This would cause a panic which would crash the SurrealDB server, leading to denial of service. This issue only affects the SurrealDB binary; it does not affect the SurrealDB library. ### Impact An unauthenticated client may issue an HTTP request to the SurrealDB HTTP REST API containing one of the affected headers with values containing special characters in order to crash the SurrealDB server. This does not require the SurrealDB server to be running with any specific capabilities other than exposing the affected interface. ### Patches - Version 1.1.0 and later are not affected by this issue. ### Workarounds Concerned users unable to update may want to limit untrusted access to the SurrealDB HTTP REST API unless such access is required by the application. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure...

SpyCamLizard version 1.230 remote denial of service exploit.

An issue was discovered in Contiki-NG tinyDTLS versions through 2018-08-30. A buffer over-read exists in the dtls_sha256_update function. This bug allows remote attackers to cause a denial of service (crash) and possibly read sensitive information by sending a malformed packet with an over-large fragment length field, due to servers incorrectly handling malformed packets.

An issue was discovered in Contiki-NG tinyDTLS versions through 2018-08-30. DTLS servers allow remote attackers to reuse the same epoch number within two times the TCP maximum segment lifetime, which is prohibited in RFC6347. This vulnerability allows remote attackers to obtain sensitive application (data of connected clients).

An issue was discovered in Contiki-NG tinyDTLS versions through 2018-08-30. An assertion failure in check_certificate_request() causes the server to exit unexpectedly, resulting in a denial of service.

An issue was discovered in Contiki-NG tinyDTLS versions through 2018-08-30. Incorrect handling of over-large packets in dtls_ccm_decrypt_message() causes a buffer over-read that can expose sensitive information.

An issue was discovered in Contiki-NG tinyDTLS versions through 2018-08-30. An infinite loop bug exists during the handling of a ClientHello handshake message. This bug allows remote attackers to cause a denial of service by sending a malformed ClientHello handshake message with an odd length of cipher suites, which triggers an infinite loop (consuming all resources) and a buffer over-read that can disclose sensitive information.