From a327467416955bfc6a6cc031d2468aefb61a9e3b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 30 Mar 2014 04:31:18 +0000
Subject: [PATCH] Updated 03_30_2014
---
files.csv | 19 ++
platforms/asp/webapps/32577.txt | 7 +
platforms/asp/webapps/32580.txt | 15 ++
platforms/hardware/webapps/32569.txt | 368 +++++++++++++++++++++++++++
platforms/java/webapps/32574.txt | 9 +
platforms/jsp/webapps/32579.html | 18 ++
platforms/multiple/remote/32564.txt | 11 +
platforms/multiple/remote/32565.txt | 11 +
platforms/multiple/webapps/32576.txt | 11 +
platforms/php/webapps/32562.txt | 34 +++
platforms/php/webapps/32563.txt | 7 +
platforms/php/webapps/32566.txt | 9 +
platforms/php/webapps/32567.txt | 12 +
platforms/php/webapps/32570.txt | 9 +
platforms/php/webapps/32571.txt | 10 +
platforms/php/webapps/32575.txt | 9 +
platforms/windows/dos/32572.txt | 13 +
platforms/windows/dos/32573.txt | 9 +
platforms/windows/remote/32568.rb | 172 +++++++++++++
platforms/windows/remote/32578.py | 161 ++++++++++++
20 files changed, 914 insertions(+)
create mode 100755 platforms/asp/webapps/32577.txt
create mode 100755 platforms/asp/webapps/32580.txt
create mode 100755 platforms/hardware/webapps/32569.txt
create mode 100755 platforms/java/webapps/32574.txt
create mode 100755 platforms/jsp/webapps/32579.html
create mode 100755 platforms/multiple/remote/32564.txt
create mode 100755 platforms/multiple/remote/32565.txt
create mode 100755 platforms/multiple/webapps/32576.txt
create mode 100755 platforms/php/webapps/32562.txt
create mode 100755 platforms/php/webapps/32563.txt
create mode 100755 platforms/php/webapps/32566.txt
create mode 100755 platforms/php/webapps/32567.txt
create mode 100755 platforms/php/webapps/32570.txt
create mode 100755 platforms/php/webapps/32571.txt
create mode 100755 platforms/php/webapps/32575.txt
create mode 100755 platforms/windows/dos/32572.txt
create mode 100755 platforms/windows/dos/32573.txt
create mode 100755 platforms/windows/remote/32568.rb
create mode 100755 platforms/windows/remote/32578.py
diff --git a/files.csv b/files.csv
index b1944fdf6..75e06fba7 100755
--- a/files.csv
+++ b/files.csv
@@ -29324,3 +29324,22 @@ id,file,description,date,author,platform,type,port
32559,platforms/hardware/webapps/32559.txt,"Easy FileManager 1.1 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
32560,platforms/hardware/webapps/32560.txt,"ePhone Disk 1.0.2 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
32561,platforms/php/webapps/32561.txt,"LinEx - Password Reset Vulnerability",2014-03-27,"N B Sri Harsha",php,webapps,80
+32562,platforms/php/webapps/32562.txt,"Joomla Kunena Component 3.0.4 - Persistent XSS",2014-03-27,Qoppa,php,webapps,80
+32563,platforms/php/webapps/32563.txt,"YourFreeWorld Downline Builder Pro 'id' Parameter SQL Injection Vulnerability",2008-11-02,"Hussin X",php,webapps,0
+32564,platforms/multiple/remote/32564.txt,"XWork 2.0.x 'ParameterInterceptor' Class OGNL Security Bypass Vulnerability",2008-11-04,"Meder Kydyraliev",multiple,remote,0
+32565,platforms/multiple/remote/32565.txt,"Struts <= 2.0.11 Multiple Directory Traversal Vulnerabilities",2008-11-04,"Csaba Barta",multiple,remote,0
+32566,platforms/php/webapps/32566.txt,"firmCHANNEL Indoor & Outdoor Digital Signage 3.24 Cross Site Scripting Vulnerability",2008-11-04,"Brad Antoniewicz",php,webapps,0
+32567,platforms/php/webapps/32567.txt,"DHCart 3.84 Multiple Cross Site Scripting And HTML Injection Vulnerabilities",2008-11-04,Lostmon,php,webapps,0
+32568,platforms/windows/remote/32568.rb,"Fitnesse Wiki Remote Command Execution Vulnerability",2014-03-28,"SecPod Research",windows,remote,80
+32569,platforms/hardware/webapps/32569.txt,"iStArtApp FileXChange 6.2 iOS - Multiple Vulnerabilities",2014-03-28,Vulnerability-Lab,hardware,webapps,8888
+32570,platforms/php/webapps/32570.txt,"CuteNews aj-fork 'path' Parameter Remote File Include Vulnerability",2008-11-06,DeltahackingTEAM,php,webapps,0
+32571,platforms/php/webapps/32571.txt,"TurnkeyForms Software Directory 1.0 SQL Injection and Cross Site Scripting Vulnerabilities",2008-11-07,G4N0K,php,webapps,0
+32572,platforms/windows/dos/32572.txt,"Anti-Trojan Elite 4.2.1 - Atepmon.sys IOCTL Request Local Overflow",2008-11-07,alex,windows,dos,0
+32573,platforms/windows/dos/32573.txt,"Microsoft Windows 2003/Vista - 'UnhookWindowsHookEx' Local Denial Of Service Vulnerability",2008-11-09,killprog.org,windows,dos,0
+32574,platforms/java/webapps/32574.txt,"MoinMoin 1.5.8/1.9 Cross-Site Scripting and Information Disclosure Vulnerabilities",2008-11-09,"Xia Shing Zee",java,webapps,0
+32575,platforms/php/webapps/32575.txt,"Zeeways SHAADICLONE 2.0 'admin/home.php' Authentication Bypass Vulnerability",2008-11-08,G4N0K,php,webapps,0
+32576,platforms/multiple/webapps/32576.txt,"IBM Tivoli Netcool Service Quality Manager Cross Site Scripting And HTML Injection Vulnerabilities",2008-11-10,"Francesco Bianchino",multiple,webapps,0
+32577,platforms/asp/webapps/32577.txt,"Dizi Portali 'film.asp' SQL Injection Vulnerability",2008-11-10,"Kaan KAMIS",asp,webapps,0
+32578,platforms/windows/remote/32578.py,"Yosemite Backup 8.70 'DtbClsLogin()' Remote Buffer Overflow Vulnerability",2008-11-11,"Abdul-Aziz Hariri",windows,remote,0
+32579,platforms/jsp/webapps/32579.html,"Sun Java System Identity Manager 6.0/7.x Multiple Vulnerabilities",2008-11-11,"Richard Brain",jsp,webapps,0
+32580,platforms/asp/webapps/32580.txt,"ASP-Nuke 2.0.7 - 'gotourl.asp' Open Redirect Vulnerability",2014-03-29,"felipe andrian",asp,webapps,0
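Review bot: Row 32574 files MoinMoin under platform `java` and under `platforms/java/webapps/`, but MoinMoin is a Python wiki engine. Anyone filtering this index by platform to check their exposure would see it against the wrong stack, so the row and path should be re-filed under a platform that matches the product. Most of the added rows also carry port `0`, which appears to mean "not set" rather than a real port; consumers matching rows to listening services should treat it as unknown. The 2008-dated rows look like backfilled entries, so the `date` column there is presumably the original disclosure date rather than the date of this commit.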
diff --git a/platforms/asp/webapps/32577.txt b/platforms/asp/webapps/32577.txt
new file mode 100755
index 000000000..249550a54
--- /dev/null
+++ b/platforms/asp/webapps/32577.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/32239/info
+
+Dizi Portali is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/film.asp?film=1+union+select+0,1,sifre,3,4,5+from+ayarlar
\ No newline at end of file
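Review bot: The advisory names neither an affected version nor a fix, so a reader cannot tell whether an installation is exposed or what to change. A remediation line would help, for example `Mitigation: bind the film parameter as a typed (integer) query parameter instead of concatenating it into the SQL string.` The sample request reads a column named `sifre` from a table named `ayarlar`, which suggests credentials sit in a table the web account can read; this is inferred from the names only. For detection, look in web logs for SQL keywords such as `union` and `select` in the `film` query value. The file also ends without a trailing newline.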
diff --git a/platforms/asp/webapps/32580.txt b/platforms/asp/webapps/32580.txt
new file mode 100755
index 000000000..5b9840c51
--- /dev/null
+++ b/platforms/asp/webapps/32580.txt
@@ -0,0 +1,15 @@
+[+] ASP-Nuke 2.0.7 - Open Redirect Vulnerability in gotourl
+[+] Date: 28/03/2014
+[+] Risk: Low
+[+] Remote: Yes
+[+] Author: Felipe Andrian Peixoto
+[+] Vendor Homepage: http://www.aspnuke.it/
+[+] Contact: felipe_andrian@hotmail.com
+[+] Tested on: Windows 7 and Linux
+[+] Vulnerable File: gotourl.asp
+[+] Version: ASP-Nuke 2.0.7
+[+] Exploit : http://host/gotoURL.asp?url=[ Open Redirect Vul ]&id=43569
+
+Note : An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation.
+This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
+Reference :https://www.owasp.org/index.php/Open_redirect
\ No newline at end of file
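Review bot: The note explains what an open redirect is but not how to close it, and the header spells the file `gotourl.asp` while the sample URL uses `gotoURL.asp`. A line such as `Mitigation: accept only relative paths or hosts on an allowlist in the url parameter, and reject everything else before redirecting.` would give administrators something to act on. The request also carries an `id` value, so resolving the target server-side from that id instead of trusting `url` may be possible, though the advisory does not show how `id` is used. The definition would read better as "an open redirect occurs when an application takes a parameter and redirects the user to its value without validation".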
diff --git a/platforms/hardware/webapps/32569.txt b/platforms/hardware/webapps/32569.txt
new file mode 100755
index 000000000..da16832b5
--- /dev/null
+++ b/platforms/hardware/webapps/32569.txt
@@ -0,0 +1,368 @@
+Document Title:
+===============
+iStArtApp FileXChange v6.2 iOS - Multiple Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1237
+
+
+Release Date:
+=============
+2014-03-26
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1237
+
+
+Common Vulnerability Scoring System:
+====================================
+7.4
+
+
+Product & Service Introduction:
+===============================
+FileXChange is a handy file manager for iPhone, iPod Touch and iPad. With FileXChange, you can share files with Mac, Windows, Linux and other iOS devices,
+and use your iPhone, iPod Touch or iPad as a flash memory. With FileXChange, your iPhone, iPodTouch or iPad becomes a flash-memory drive. You can store files,
+open them on your device or on any MAC or PC, wirelessly, using a simple internet browser.
+
+(Copy of the Homepage: https://itunes.apple.com/us/app/filexchange/id428955307 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered multiple high severity vulnerabilities in the official iStArtApp FileXChange v6.2 iOS mobile application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-03-26: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+iStArtApp
+Product: FileXChange - iOS Mobile Web Application 6.2
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+1.1
+A local file include web vulnerability has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application.
+A file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path
+commands to compromise the web-application or mobile device.
+
+The web vulnerability is located in the `filename` value of the `Upload a File` module. Remote attackers are able to inject own files with
+malicious `filename` value in the upload POST method request to compromise the mobile web-application. The attack vector is persistent and
+the request method is POST. The local file/path include execution occcurs in the main index file dir list. The security risk of the local
+file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.5(+)|(-)7.6.
+
+Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with
+low user auth. Successful exploitation of the local file include web vulnerability results in mobile application or connected device
+component compromise.
+
+Request Method(s):
+ [+] [POST]
+
+Vulnerable Module(s):
+ [+] Upload a File > Submit
+
+Vulnerable Parameter(s):
+ [+] filename
+
+Affected Module(s):
+ [+] Index File Dir List (http://localhost:8888/)
+
+
+
+1.2
+An arbitrary file upload web vulnerability has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application.
+The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
+
+The vulnerability is located in the `Upload a File` module. Remote attackers are able to upload a php or js web-shells by renaming the file with
+multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension
+`test.txt.html.php.js.aspx.txt`. After the upload the attacker needs to open the file with the path value in the web application. He deletes the
+.txt file extension and can access the application with elevated executable access rights. The security risk of the arbitrary file upload web
+vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.2(+)|(-)7.3.
+
+Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password.
+Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
+
+Request Method(s):
+ [+] [POST]
+
+Vulnerable Module(s):
+ [+] Select File > Upload
+
+Vulnerable Parameter(s):
+ [+] filename (multiple extensions)
+
+Affected Module(s):
+ [+] Index File Dir List (http://localhost:8888/)
+
+
+
+1.3
+A local command/path injection web vulnerabilities has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application.
+A command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
+
+The vulnerability is located in the vulnerable `devicename` value of the wifi fapplication. Local attackers are able to inject own malicious
+system specific commands or path value requests via devicename value. The injection requires an active sync of the device information by new connections.
+The execution of the local command inject via devicename value on sync occurs in the header loction of all interface sites. The security risk of the local
+command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 5.7(+)|(-)5.8.
+
+Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
+Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to
+compromise the mobile iOS application or the connected device components.
+
+Request Method(s):
+ [+] Sync
+
+Vulnerable Parameter(s):
+ [+] devicename
+
+Affected Module(s):
+ [+] Index File Dir List (http://localhost:8888/x)
+ [+] All Interface Header Sites (http://localhost:8888/)
+
+
+
+1.4
+A local command/path injection web vulnerabilities has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application.
+A command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
+
+The vulnerability is located in the vulnerable `foldername` value of the wifi file dir list module. Local attackers are able to inject own malicious
+system specific commands or path value requests in the vulnerable foldername value. The injection requires an active sync with the wifi app stored folders.
+The execution of the local command inject via foldername value on sync occurs in the file dir index list of the main upload path. The security risk of
+the local command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 5.6(+)|(-)5.7.
+
+Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
+Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to
+compromise the mobile iOS application or the connected device components.
+
+Request Method(s):
+ [+] Sync
+
+Vulnerable Parameter(s):
+ [+] foldername (path value)
+
+Affected Module(s):
+ [+] Index File Dir List (http://localhost:8888/)
+ [+] Sub Folder/Category File Dir List (http://localhost:8888/)
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The local file include web vulnerability can be exploited by local attacker without user interaction or privileged application user account.
+For security demonstration or to reproduce the local web vulnerability follow the provided information and steps below to continue.
+
+PoC: Filename [Index]
+
+ ......
+./[LOCAL FILE INCLUDE VULNERABILITY!]>.png.png - 0.5 Kb, 2014-03-24 12:01:44
+
To upload a file, select it and then press 'Submit':
+To delete a file or a folder, select its checkbox and press 'Submit' Please note that you are allowed to delete one file at a time.