From 3df1ce2164ac4e2aee31b370e74c4a4743e5b886 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 31 Jan 2014 04:26:59 +0000 Subject: [PATCH] Updated 01_31_2014 --- files.csv | 29 +- platforms/asp/webapps/31275.txt | 10 + platforms/asp/webapps/31276.txt | 9 + platforms/asp/webapps/31286.txt | 7 + platforms/hardware/webapps/31258.txt | 384 +++++++++++++++++++++++++++ platforms/hardware/webapps/31261.txt | 68 +++++ platforms/jsp/remote/31253.rb | 128 +++++++++ platforms/multiple/remote/31279.txt | 9 + platforms/php/remote/31264.rb | 149 +++++++++++ platforms/php/webapps/31262.txt | 62 +++++ platforms/php/webapps/31263.txt | 223 ++++++++++++++++ platforms/php/webapps/31265.txt | 9 + platforms/php/webapps/31266.txt | 9 + platforms/php/webapps/31267.txt | 9 + platforms/php/webapps/31268.txt | 9 + platforms/php/webapps/31269.txt | 10 + platforms/php/webapps/31270.txt | 10 + platforms/php/webapps/31272.txt | 7 + platforms/php/webapps/31273.txt | 7 + platforms/php/webapps/31274.txt | 7 + platforms/php/webapps/31277.txt | 9 + platforms/php/webapps/31278.txt | 9 + platforms/php/webapps/31280.txt | 8 + platforms/php/webapps/31281.txt | 7 + platforms/php/webapps/31282.txt | 9 + platforms/php/webapps/31283.txt | 9 + platforms/php/webapps/31284.txt | 7 + platforms/php/webapps/31287.txt | 9 + 28 files changed, 1221 insertions(+), 1 deletion(-) create mode 100755 platforms/asp/webapps/31275.txt create mode 100755 platforms/asp/webapps/31276.txt create mode 100755 platforms/asp/webapps/31286.txt create mode 100755 platforms/hardware/webapps/31258.txt create mode 100755 platforms/hardware/webapps/31261.txt create mode 100755 platforms/jsp/remote/31253.rb create mode 100755 platforms/multiple/remote/31279.txt create mode 100755 platforms/php/remote/31264.rb create mode 100755 platforms/php/webapps/31262.txt create mode 100755 platforms/php/webapps/31263.txt create mode 100755 platforms/php/webapps/31265.txt create mode 100755 platforms/php/webapps/31266.txt create mode 100755 platforms/php/webapps/31267.txt create mode 100755 
platforms/php/webapps/31268.txt create mode 100755 platforms/php/webapps/31269.txt create mode 100755 platforms/php/webapps/31270.txt create mode 100755 platforms/php/webapps/31272.txt create mode 100755 platforms/php/webapps/31273.txt create mode 100755 platforms/php/webapps/31274.txt create mode 100755 platforms/php/webapps/31277.txt create mode 100755 platforms/php/webapps/31278.txt create mode 100755 platforms/php/webapps/31280.txt create mode 100755 platforms/php/webapps/31281.txt create mode 100755 platforms/php/webapps/31282.txt create mode 100755 platforms/php/webapps/31283.txt create mode 100755 platforms/php/webapps/31284.txt create mode 100755 platforms/php/webapps/31287.txt
diff --git a/files.csv b/files.csv
index db1bbe2b6..62a7b5d5f 100755
--- a/files.csv
+++ b/files.csv
@@ -27304,7 +27304,7 @@ id,file,description,date,author,platform,type,port
 30440,platforms/cgi/webapps/30440.txt,"WebEvent <= 4.03 Webevent.CGI Cross-Site Scripting Vulnerability",2007-07-31,d3hydr8,cgi,webapps,0
 30441,platforms/windows/remote/30441.html,"BlueSkyChat ActiveX Control 8.1.2 Buffer Overflow Vulnerability",2007-07-31,"Code Audit Labs",windows,remote,0
 30442,platforms/php/webapps/30442.txt,"WebDirector Index.PHP Cross Site Scripting Vulnerability",2007-08-01,r0t,php,webapps,0
-30443,platforms/php/webapps/30443.txt,"Wordpress Persuasion Theme - Arbitrary File Download and File Deletion Exploit",2013-12-23,"Interference Security",php,webapps,80
+30443,platforms/php/webapps/30443.txt,"Wordpress Persuasion Theme 2.x - Arbitrary File Download and File Deletion Exploit",2013-12-23,"Interference Security",php,webapps,80
 30444,platforms/linux/dos/30444.txt,"KDE Konqueror <= 3.5.7 Assert Denial of Service Vulnerability",2007-03-05,"Thomas Waldegger",linux,dos,0
 30445,platforms/php/webapps/30445.txt,"Joomla Tour de France Pool 1.0.1 Module mosConfig_absolute_path Remote File Include Vulnerability",2007-08-02,Yollubunlar.Org,php,webapps,0
 30446,platforms/asp/webapps/30446.txt,"Hunkaray Okul Portali 1.1 Duyuruoku.ASP SQL Injection Vulnerability",2007-08-02,Yollubunlar.Org,asp,webapps,0
@@ -28067,3 +28067,30 @@ id,file,description,date,author,platform,type,port
 31250,platforms/php/webapps/31250.txt,"XOOPS 'seminars' Module 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
 31251,platforms/php/webapps/31251.txt,"XOOPS 'badliege' Module 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
 31252,platforms/php/webapps/31252.txt,"PHP-Nuke Web_Links Module 'cid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
+31253,platforms/jsp/remote/31253.rb,"Oracle Forms and Reports 11.1 - Remote Exploit",2014-01-29,Mekanismen,jsp,remote,80
+31258,platforms/hardware/webapps/31258.txt,"SimplyShare 1.4 iOS - Multiple Vulnerabilities",2014-01-29,Vulnerability-Lab,hardware,webapps,0
+31261,platforms/hardware/webapps/31261.txt,"A10 Networks Loadbalancer - Directory Traversal",2014-01-29,xistence,hardware,webapps,443
+31262,platforms/php/webapps/31262.txt,"ManageEngine Support Center Plus 7916 - Directory Traversal",2014-01-29,xistence,php,webapps,80
+31263,platforms/php/webapps/31263.txt,"pfSense 2.1 build 20130911-1816 - Directory Traversal",2014-01-29,@u0x,php,webapps,0
+31264,platforms/php/remote/31264.rb,"Simple E-Document Arbitrary File Upload",2014-01-29,metasploit,php,remote,80
+31265,platforms/php/webapps/31265.txt,"Spyce 2.1.3 docs/examples/redirect.spy Multiple Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
+31266,platforms/php/webapps/31266.txt,"Spyce 2.1.3 docs/examples/handlervalidate.spy x Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
+31267,platforms/php/webapps/31267.txt,"Spyce 2.1.3 spyce/examples/request.spy name Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
+31268,platforms/php/webapps/31268.txt,"Spyce 2.1.3 spyce/examples/getpost.spy Name Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
+31269,platforms/php/webapps/31269.txt,"Spyce 2.1.3 spyce/examples/formtag.spy Multiple Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
+31270,platforms/php/webapps/31270.txt,"Spyce 2.1.3 spyce/examples/automaton.spy Direct Request Error Message Information Disclosure",2007-02-19,"Richard Brain",php,webapps,0
+31272,platforms/php/webapps/31272.txt,"Joomla! and Mambo 'com_joomlavvz' Component 'id' Parameter SQL Injection Vulnerability",2008-02-20,S@BUN,php,webapps,0
+31273,platforms/php/webapps/31273.txt,"Joomla! and Mambo 'com_most' Component 'secid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31274,platforms/php/webapps/31274.txt,"Joomla! and Mambo 'com_asortyment' Component 'katid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31275,platforms/asp/webapps/31275.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 Comments.asp FC Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",asp,webapps,0
+31276,platforms/asp/webapps/31276.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 Labels.asp Term Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",asp,webapps,0
+31277,platforms/php/webapps/31277.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 ClassList.asp Term Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",php,webapps,0
+31278,platforms/php/webapps/31278.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 GradebookStuScores.asp GrdBk Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",php,webapps,0
+31279,platforms/multiple/remote/31279.txt,"IBM Lotus Quickr QuickPlace Server 8.0 Calendar 'Count' Parameter Cross-Site Scripting Vulnerability",2008-02-21,"Nir Goldshlager AVNE",multiple,remote,0
+31280,platforms/php/webapps/31280.txt,"Joomla! and Mambo Referenzen Component 'id' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31281,platforms/php/webapps/31281.txt,"PHP-Nuke Classifieds Module 'Details' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31282,platforms/php/webapps/31282.txt,"XOOPS Tiny Event 1.01 'print' Option SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31283,platforms/php/webapps/31283.txt,"PHP-Nuke Downloads Module 'sid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31284,platforms/php/webapps/31284.txt,"XOOPS 'prayerlist' Module 'cid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31286,platforms/asp/webapps/31286.txt,"Citrix MetaFrame Web Manager 'login.asp' Cross-Site Scripting Vulnerability",2008-02-22,Handrix,asp,webapps,0
+31287,platforms/php/webapps/31287.txt,"PHP-Nuke Recipe Module 1.3 'recipeid' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
diff --git a/platforms/asp/webapps/31275.txt b/platforms/asp/webapps/31275.txt
new file mode 100755
index 000000000..9d1a2aa86
--- /dev/null
+++ b/platforms/asp/webapps/31275.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/27924/info
+
+Aeries Student Information System is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and an HTML-injection issue, because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+These issues affect Aeries Student Information System 3.8.2.8 and 3.7.2.2; other versions may also be affected.
+
+
+http://www.example.com/Comments.asp?&FC=SQL
\ No newline at end of file
diff --git a/platforms/asp/webapps/31276.txt b/platforms/asp/webapps/31276.txt
new file mode 100755
index 000000000..bb0d5d557
--- /dev/null
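Review bot: Rows 31277 and 31278 file the Aeries `ClassList.asp` and `GradebookStuScores.asp` entries under `platforms/php/webapps/` with platform `php`, while the sibling Aeries rows 31275 and 31276 for the same product and advisory go under `platforms/asp/webapps/` with platform `asp`; the `.asp` page names say these are ASP as well, so the two rows (and the files this commit creates at those paths) should read `31277,platforms/asp/webapps/31277.txt,...,asp,webapps,0` and likewise for 31278. Row 31279 is also the only cross-site-scripting entry in this hunk typed `remote` (`multiple,remote`), where the other XSS rows (31265–31269, 31286) are typed `webapps`; if that is not deliberate it should be `multiple,webapps`. The platform and type columns are what consumers of this index filter on, so the mismatch hides the two Aeries entries from anyone searching by platform.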
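Review bot: The PoC line `http://www.example.com/Comments.asp?&FC=SQL` uses the literal token `SQL` as the parameter value, so it only names the injectable parameter and demonstrates nothing; the entry shows no payload, no response, and no statement that the issue was reproduced. Say so explicitly so the file is not read as a tested exploit, e.g. add after the URL `Note: 'SQL' above is a placeholder marking the injectable parameter, not a working payload; the issue is reported via BID 27924 and is not independently verified here.` The text also asserts an HTML-injection issue in the same product, but this entry gives no vector for it.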
+++ b/platforms/asp/webapps/31276.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27924/info
+
+Aeries Student Information System is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and an HTML-injection issue, because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+These issues affect Aeries Student Information System 3.8.2.8 and 3.7.2.2; other versions may also be affected.
+
+http://www.example.com/Labels.asp?&Term=SQL
\ No newline at end of file
diff --git a/platforms/asp/webapps/31286.txt b/platforms/asp/webapps/31286.txt
new file mode 100755
index 000000000..8ad207f28
--- /dev/null
+++ b/platforms/asp/webapps/31286.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27948/info
+
+Citrix MetaFrame Web Manager is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/Citrix/MetaFrameXP/default/login.asp?NFuse_LogoutId=Off&NFuse_MessageType=warning&NFuse_Message=%3Cscript%3Ealert(document.cookie);%3C/script%3E
\ No newline at end of file
diff --git a/platforms/hardware/webapps/31258.txt b/platforms/hardware/webapps/31258.txt
new file mode 100755
index 000000000..08e573846
--- /dev/null
+++ b/platforms/hardware/webapps/31258.txt
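Review bot: Neither this advisory text nor its files.csv row records an affected or fixed version of Citrix MetaFrame Web Manager, unlike the Aeries entries in the same commit that list 3.7.2.2/3.8.2.8, so a reader cannot tell which deployments are in scope; the PoC path `/Citrix/MetaFrameXP/default/login.asp` suggests MetaFrame XP specifically, but that is an inference from the path only. Add a line such as `Affected versions: not recorded here; confirm against BID 27948 and the vendor advisory before use.` It would also help to state that the payload is reflected from the `NFuse_Message` query parameter of a GET request and so presumably needs a victim to follow the crafted link — the "unsuspecting user" wording implies this but never says it.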
@@ -0,0 +1,384 @@
+Document Title:
+===============
+SimplyShare v1.4 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1181
+
+
+Release Date:
+=============
+2014-01-28
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1181
+
+
+Common Vulnerability Scoring System:
+====================================
+9.2
+
+
+Product & Service Introduction:
+===============================
+SimplyShare is the ultimate tool to Transfer your Photos, Videos and Files easily to other iPhone/iPod Touch/iPad
+and computers wirelessly (without any iTunes Sync). Download or upload photos/videos/files directly from a computer.
+Store, manage and view MS Office, iWork, PDF files and many more features
+
+Share Files, Photos or Videos:
+- Transfer any number of files, photos or videos with any size to other iOS devices (iPhone, iPod Touch and iPad) via Wi-Fi
+- Download files, photos or videos with any size to your computer via Wi-Fi
+- Upload multiple files, photos or videos with any size from your computer to your device via WiFi
+- Transfer your files via USB cable (iTunes sync)
+- View all your photo albums, videos and files on your device from a computer
+- Preserves all photos metadata after transfer
+- Slideshow all the photos of an album on a computer (on web browser)
+- Display your photos on other iOS devices without transfer/saving them
+- Send a short/quick text message from your computer or other iOS devices to your own iDevice
+- Email files or photos from your device
+
+Download Files from Internet:
+- Download files browsing the Internet
+- Tap & Hold on any link or photos to save them in SimpyShare app
+- Any webpage you visit, SimplyShare automatically generates all the links to supported files (MS Office,
+iWork, PDF documents etc). Then you can download them by just a single tap.
+- Download images automatically by simply tapping on any image in the webpage
+
+File Manager:
+- Open or Print Microsoft Office documents (Office ‘97 and newer)
+- Open or Print iWork documents
+- View or Print PDF files, Images, RTF documents, CSV, HTML and Text files
+- Play Audio and Video files
+- Move, Copy delete files/folder or create new folders
+- Save images or videos to Photos Album
+- Ability to create folders and organize the files within the folders
+- iTunes USB sharing ...
+
+( Copy of the Homepage: https://itunes.apple.com/en/app/simply-share/id399197227 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official SimplyShare v1.4 iOS mobile application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2013-01-28: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Apple AppStore
+Product: Rambax, LLC - SimplyShare 1.4
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Critical
+
+
+Technical Details & Description:
+================================
+1.1
+A critical remote code execution web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
+Remote attackers are able to execute own system specific codes to compromise the affected web-application or the connected mobile device.
+
+The remote vulnerability is located in the vulnerable `text` value of the `Send Text` module. Remote attackers can use the prompt send
+text input to direct execute system codes or malicious application requests. The send text input field has no restrictions or secure
+encoding to ensure direct code executes are prevented. After the inject the code execution occurs directly in the send text module
+item list. The security risk of the remote code execution vulnerability is estimated as critical with a cvss (common vulnerability
+scoring system) count of 9.2(+)|(-)9.3.
+
+Exploitation of the code execution vulnerability requires no user interaction or privileged web-application user account with password.
+Successful exploitation of the remote code execution vulnerability results in mobile application or connected device component compromise.
+
+
+Request Method(s):
+ [+] [POST]
+
+Vulnerable Module(s):
+ [+] Send Text
+
+Vulnerable Parameter(s):
+ [+] text
+
+Affected Module(s):
+ [+] Access from Computer (Send Text Index List - Text Name & Context)
+
+
+
+1.2
+A local file/path include web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
+specific path commands to compromise the web-application or mobile device.
+
+The local file include web vulnerability is located in the vulnerable `filename` value of the `upload files` module (web-interface).
+Remote attackers are able to inject own files with malicious filename to compromise the mobile application. The attack vector is
+persistent and the request method is POST. The local file/path include execute occcurs in the main file to path section after the
+refresh of the file upload. The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common
+vulnerability scoring system) count of 7.7(+)|(-)7.8.
+
+Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
+Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized
+local file include web attacks.
+
+Request Method(s):
+ [+] [POST]
+
+Vulnerable Input(s):
+ [+] Upload Files
+
+Vulnerable Parameter(s):
+ [+] filename
+
+Affected Module(s):
+ [+] Access from Computer (File Dir Index List - Folder/Category to path=/)
+
+
+
+1.3
+A local command/path injection web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
+The vulnerability allows to inject local commands via vulnerable system values to compromise the apple iOS mobile web-application.
+
+The vulnerability is located in the in the title value of the header area. Local attackers are able to inject own script codes
+as iOS device name. The execute of the injected script code occurs with persistent attack vector in the header section of the
+web interface. The security risk of the command/path inject vulnerabilities are estimated as high with a cvss (common vulnerability
+scoring system) count of 6.2(+)|(-)6.3.
+
+Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
+and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific
+commands or unauthorized path requests.
+
+Request Method(s):
+ [+] [GET]
+
+Vulnerable Value(s):
+ [+] devicename
+
+Vulnerable Parameter(s):
+ [+] value to title
+
+Affected Module(s):
+ [+] Access from Computer (File Dir Index List) - [Header]
+
+
+
+
+1.4
+Multiple persistent input validation web vulnerabilities has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
+The bug allows remote attackers to implement/inject own malicious persistent script codes to the application-side of the vulnerable app.
+
+The vulnerability is located in the `name` value of the internal photo and video module. The vulnerability can be exploited by manipulation
+of the local device album names. After the local attacker with physical access injected the code to the local device foto app menu, he is able
+to execute the persistent script codes on the application-side of the mobile app device. The security risk of the persistent script code inject
+web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.8(+)|(-)3.9.
+
+Exploitation of the persistent web vulnerabilities requires low user interaction and no privileged web-application user account with a password.
+Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks,
+persistent phishing or persistent manipulation of module context.
+
+
+Vulnerable Module(s):
+ [+] Video Folder Name
+ [+] Photos Folder Name
+
+Vulnerable Parameter(s):
+ [+] album name values
+
+Affected Module(s):
+ [+] Access from Computer (Photos & Videos Module)
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The remote code execution vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account.
+For security demonstration or to reproduce the remote code execution vulnerability follow the provided steps and information below.
+
+PoC: Send Text
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+--- PoC Session Logs [GET] ---
+14:13:14.499[93ms][total 1294ms] Status: 200[OK]
+GET http://192.168.2.109/?path=/Texts Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[6608] Mime Type[application/x-unknown-content-type]
+ Request Headers:
+ Host[192.168.2.109]
+ User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[en-US,en;q=0.5]
+ Accept-Encoding[gzip, deflate]
+ DNT[1]
+ Referer[http://192.168.2.109/]
+ Connection[keep-alive]
+ Cache-Control[max-age=0]
+ Response Headers:
+ Accept-Ranges[bytes]
+ Content-Length[6608]
+ Date[Do., 23 Jan. 2014 13:20:09 GMT]
+
+
+14:13:14.612[33ms][total 33ms] Status: 200[OK]
+GET http://192.168.2.109/rambax/server/jquery-ui-1.8.5.custom.css Load Flags[VALIDATE_ALWAYS ] Content Size[22041] Mime Type[text/css]
+ Request Headers:
+ Host[192.168.2.109]
+ User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
+ Accept[text/css,*/*;q=0.1]
+ Accept-Language[en-US,en;q=0.5]
+ Accept-Encoding[gzip, deflate]
+ DNT[1]
+ Referer[http://192.168.2.109/?path=/Texts]
+ Connection[keep-alive]
+ Cache-Control[max-age=0]
+ Response Headers:
+ Accept-Ranges[bytes]
+ Content-Length[22041]
+ Content-Type[text/css]
+ Date[Do., 23 Jan. 2014 13:20:09 GMT]
+
+
+
+1.2
+The file include web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account.
+For security demonstration or to reproduce the file/path include web vulnerability follow the provided steps and information below.
+
+PoC: Upload Files - Filename
+
+
+
+
+
+
+1.3
+The local command inject web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account.
+Physical device access or resource access is required to exploit the local command inject vulnerability. For security demonstration or to reproduce
+the local command inject vulnerability follow the provided steps and information below.
+
+
+PoC: Title - Header
+
+
+ +
bkm¥337[LOCAL COMMAND INJECT VULNERABILITY VIA DEVICE NAME VALUE]
+
NameDateSize
..
"<<>"<">[REMOTE CODE EXECUTION VULNERABILITY!] s="" 137.txt"="" +filesize="550"> +"<<>"<"><[REMOTE CODE EXECUTION VULNERABILITY!] 137.txtJan. 23, 2014 14:070.5 KB
+[FILE INCLUDE VULNERABILITY VIA FILENAME]Jan. 23, 2014 14:040.7 KB