3d73ec60b6
23 changes to exploits/shellcodes Emulive Server4 7560 - Remote Denial of Service Emulive Server4 Build 7560 - Remote Denial of Service ShareCenter D-Link DNS-320 - Remote reboot/shutdown/reset (Denial of Service) D-Link DNS-320 ShareCenter - Remote Reboot/Shutdown/Reset (Denial of Service) DNS4Me 3.0 - Denial of Service / Cross-Site Scripting EmuLive Server4 - Authentication Bypass / Denial of Service GetGo Download Manager 5.3.0.2712 - 'Proxy' Buffer Overflow Microsoft Windows win32k - Using SetClassLong to Switch Between CS_CLASSDC and CS_OWNDC Corrupts DC Cache VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit) keene digital media server 1.0.2 - Directory Traversal variant Xedus Web Server 1.0 - test.x 'Username' Cross-Site Scripting Xedus Web Server 1.0 - testgetrequest.x 'Username' Cross-Site Scripting Xedus Web Server 1.0 - Traversal Arbitrary File Access Keene Digital Media Server 1.0.2 - Directory Traversal Xedus Web Server 1.0 - test.x 'Username' Cross-Site Scripting Xedus Web Server 1.0 - testgetrequest.x 'Username' Cross-Site Scripting Xedus Web Server 1.0 - Traversal Arbitrary File Access D-Link DNS-320 ShareCenter < 1.06 - Backdoor Access WDMyCloud < 2.30.165 - Multiple Vulnerabilities Ayukov NFTP FTP Client 2.0 - Buffer Overflow (Metasploit) Cisco IOS - Remote Code Execution Simple Machines Forum (SMF) 1.0.4 - 'modify' SQL Injection WordPress 1.5.1.2 - xmlrpc Interface SQL Injection WordPress 1.5.1.2 - 'xmlrpc' Interface SQL Injection MySQL Eventum 1.5.5 - 'login.php' SQL Injection PHP live helper 2.0.1 - Multiple Vulnerabilities PHP Live Helper 2.0.1 - Multiple Vulnerabilities Zen Cart 1.3.9f (typefilter) - Local File Inclusion Zen Cart 1.3.9f - 'typefilter' Local File Inclusion phpWebSite 0.7.3/0.8.x/0.9.x - Comment Module CM_pid Cross-Site Scripting phpWebSite 0.7.3/0.8.x/0.9.x Comment Module - 'CM_pid' Cross-Site Scripting YaBB 1.x/9.1.2000 - YaBB.pl IMSend Cross-Site Scripting YaBB 1.x/9.1.2000 - 'YaBB.pl IMSend' Cross-Site Scripting SugarCRM 1.x/2.0 Module - 'record' SQL Injection SugarCRM 1.x/2.0 Module - Traversal Arbitrary File Access SugarCRM 1.x/2.0 Module - 'record' SQL Injection SugarCRM 1.x/2.0 Module - Traversal Arbitrary File Access phpGroupWare 0.9.x - 'index.php' Multiple Cross-Site Scripting Vulnerabilities phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' Cross-Site Scripting phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' SQL Injection phpGroupWare 0.9.x - 'index.php' Multiple SQL Injections phpGroupWare 0.9.x - 'index.php' Multiple Cross-Site Scripting Vulnerabilities phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' Cross-Site Scripting phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' SQL Injection phpGroupWare 0.9.x - 'index.php' Multiple SQL Injections Kayako eSupport 2.x - 'index.php' Knowledgebase Cross-Site Scripting Kayako eSupport 2.x - Ticket System Multiple SQL Injections Kayako eSupport 2.x - 'index.php' Knowledgebase Cross-Site Scripting Kayako eSupport 2.x - Ticket System Multiple SQL Injections Kayako ESupport 2.3 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities Double Choco Latte 0.9.3/0.9.4 - 'main.php' Arbitrary PHP Code Execution PHPCOIN 1.2 - 'auxpage.php?page' Traversal Arbitrary File Access phpCoin 1.2 - 'auxpage.php?page' Traversal Arbitrary File Access ModernGigabyte ModernBill 4.3 - 'news.php' File Inclusion ModernGigabyte ModernBill 4.3 - 'C_CODE' Cross-Site Scripting ModernGigabyte ModernBill 4.3 - 'Aid' Cross-Site Scripting ModernGigabyte ModernBill 4.3 - 'news.php' File Inclusion ModernGigabyte ModernBill 4.3 - 'C_CODE' Cross-Site Scripting ModernGigabyte ModernBill 4.3 - 'Aid' Cross-Site Scripting Yappa-ng 1.x/2.x - Remote File Inclusion Yappa-ng 1.x/2.x - Cross-Site Scripting Yappa-ng 1.x/2.x - Remote File Inclusion Yappa-ng 1.x/2.x - Cross-Site Scripting Notes Module for phpBB - SQL Injection phpBB Notes Module - SQL Injection osTicket 1.2/1.3 - Multiple Input Validation / Remote Code Injection Vulnerabilities SitePanel2 2.6.1 - Multiple Input Validation Vulnerabilities osTicket 1.2/1.3 - Multiple Input Validation / Remote Code Injection Vulnerabilities SitePanel2 2.6.1 - Multiple Input Validation Vulnerabilities Help Center Live 1.0/1.2.x - Multiple Input Validation Vulnerabilities HelpCenter Live! 1.0/1.2.x - Multiple Input Validation Vulnerabilities FusionBB 0.x - Multiple Input Validation Vulnerabilities Invision Power Services Invision Gallery 1.0.1/1.3 - SQL Injection Invision Community Blog 1.0/1.1 - Multiple Input Validation Vulnerabilities Invision Power Services Invision Gallery 1.0.1/1.3 - SQL Injection Invision Community Blog 1.0/1.1 - Multiple Input Validation Vulnerabilities osCommerce 2.1/2.2 - Multiple HTTP Response Splitting Vulnerabilities PAFaq - Question Cross-Site Scripting PAFaq - Administrator 'Username' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'download.php?Number' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'calendar.php' Multiple SQL Injections UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php?Number' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php?message' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php?main' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php?Number' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php?posted' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'download.php?Number' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'calendar.php' Multiple SQL Injections UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php?Number' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php?message' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php?main' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php?Number' SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php?posted' SQL Injection Kayako LiveResponse 2.0 - 'index.php?Username' Cross-Site Scripting Kayako LiveResponse 2.0 - 'index.php' Calendar Feature Multiple SQL Injections Kayako Live Response 2.0 - 'index.php?Username' Cross-Site Scripting Kayako Live Response 2.0 - 'index.php' Calendar Feature Multiple SQL Injections MySQL AB Eventum 1.x - 'view.php?id' Cross-Site Scripting MySQL AB Eventum 1.x - 'list.php?release' Cross-Site Scripting MySQL AB Eventum 1.x - 'get_jsrs_data.php?F' Cross-Site Scripting MySQL AB Eventum 1.x - 'view.php?id' Cross-Site Scripting MySQL AB Eventum 1.x - 'list.php?release' Cross-Site Scripting MySQL AB Eventum 1.x - 'get_jsrs_data.php?F' Cross-Site Scripting RunCMS 1.1/1.2 Module Newbb_plus/Messages - SQL Injection EyeOS 0.8.x - Session Remote Command Execution eyeOS 0.8.x - Session Remote Command Execution CPAINT 1.3/2.0 - 'TYPE.php' Cross-Site Scripting CPAINT 1.3/2.0.2 - 'TYPE.php' Cross-Site Scripting XMB Forum 1.8/1.9 - 'u2u.php?Username' Cross-Site Scripting Zen Cart Web Shopping Cart 1.x - 'autoload_func.php?autoLoadConfig[999][0][loadFile]' Remote File Inclusion Zen Cart Web Shopping Cart 1.3.0.2 - 'autoload_func.php?autoLoadConfig[999][0][loadFile]' Remote File Inclusion osCommerce 2.1/2.2 - 'product_info.php' SQL Injection CakePHP 1.1.7.3363 - 'Vendors.php' Directory Traversal HAMweather 3.9.8 - 'template.php' Script Code Injection Kayako SupportSuite 3.0.32 - PHP_SELF Trigger_Error Function Cross-Site Scripting Kayako SupportSuite 3.0.32 - 'PHP_SELF Trigger_Error' Function Cross-Site Scripting Jamroom 3.3.8 - Cookie Authentication Bypass Kayako SupportSuite 3.x - '/visitor/index.php?sessionid' Cross-Site Scripting Kayako SupportSuite 3.x - 'index.php?filter' Cross-Site Scripting Kayako SupportSuite 3.x - '/staff/index.php?customfieldlinkid' SQL Injection Kayako SupportSuite 3.x - '/visitor/index.php?sessionid' Cross-Site Scripting Kayako SupportSuite 3.x - 'index.php?filter' Cross-Site Scripting Kayako SupportSuite 3.x - '/staff/index.php?customfieldlinkid' SQL Injection Vanilla 1.1.4 - HTML Injection / Cross-Site Scripting UBBCentral UBB.Threads 7.3.1 - 'Forum[]' Array SQL Injection gps-server.net GPS Tracking Software < 3.1 - Multiple Vulnerabilities Zen Cart < 1.3.8a - SQL Injection PHP Topsites < 2.2 - Multiple Vulnerabilities phpLinks < 2.1.2 - Multiple Vulnerabilities P-Synch < 6.2.5 - Multiple Vulnerabilities WinMX < 2.6 - Design Error FTP Service < 1.2 - Multiple Vulnerabilities MegaBrowser < 0.71b - Multiple Vulnerabilities Max Web Portal < 1.30 - Multiple Vulnerabilities Snitz Forums 2000 < 3.4.0.3 - Multiple Vulnerabilities Gespage 7.4.8 - SQL Injection Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)
29 lines
No EOL
1.1 KiB
Text
29 lines
No EOL
1.1 KiB
Text
FTP Service Multiple Vulnerabilities
|
|
|
|
Vendor: Pablo Software Solutions
|
|
Product: FTP Service
|
|
Version: <= 1.2
|
|
Website: http://www.pablovandermeer.nl/ftp_service.html
|
|
|
|
BID: 7799 7801
|
|
|
|
Description:
|
|
FTPService.exe is a service-version of Pablo's FTP Server. This service enables you to have the FTP server active even when you're not logged into Windows.
|
|
|
|
Anonymous Access
|
|
The anonymous account is by default set to have download access to anything in the C:\ directory. While this can be disabled by simply deleting the anonymous account, it poses a serious threat for anyone not aware of the problem.
|
|
|
|
ftp://somewhere/windows/repair/sam
|
|
|
|
In conclusion this application is totally open to complete compromise by default. Vendor was notified and plans on releasing a fix soon.
|
|
|
|
Plaintext Password Weakness:
|
|
User info is stored in users.dat in plaintext. If the anonymous account is present (it is by default) the entire FTP server can be compromised
|
|
|
|
ftp://somewhere/program files/pablo's ftp service/users.dat
|
|
|
|
Solution:
|
|
Upgrade your version of Pablo FTP Service.
|
|
|
|
Credits:
|
|
James Bercegay of the GulfTech Security Research Team. |