bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/43441.txt
Offensive Security 3d73ec60b6 DB: 2018-01-06 
23 changes to exploits/shellcodes

Emulive Server4 7560 - Remote Denial of Service
Emulive Server4 Build 7560 - Remote Denial of Service

ShareCenter D-Link DNS-320 - Remote reboot/shutdown/reset (Denial of Service)
D-Link DNS-320 ShareCenter - Remote Reboot/Shutdown/Reset (Denial of Service)

DNS4Me 3.0 - Denial of Service / Cross-Site Scripting

EmuLive Server4 - Authentication Bypass / Denial of Service
GetGo Download Manager 5.3.0.2712 - 'Proxy' Buffer Overflow
Microsoft Windows win32k - Using SetClassLong to Switch Between CS_CLASSDC and CS_OWNDC Corrupts DC Cache

VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit)
keene digital media server 1.0.2 - Directory Traversal variant
Xedus Web Server 1.0 - test.x 'Username' Cross-Site Scripting
Xedus Web Server 1.0 - testgetrequest.x 'Username' Cross-Site Scripting
Xedus Web Server 1.0 - Traversal Arbitrary File Access
Keene Digital Media Server 1.0.2 - Directory Traversal
Xedus Web Server 1.0 - test.x 'Username' Cross-Site Scripting
Xedus Web Server 1.0 - testgetrequest.x 'Username' Cross-Site Scripting
Xedus Web Server 1.0 - Traversal Arbitrary File Access
D-Link DNS-320 ShareCenter < 1.06 - Backdoor Access
WDMyCloud < 2.30.165 - Multiple Vulnerabilities
Ayukov NFTP FTP Client 2.0 - Buffer Overflow (Metasploit)
Cisco IOS - Remote Code Execution

Simple Machines Forum (SMF) 1.0.4 - 'modify' SQL Injection

WordPress 1.5.1.2 - xmlrpc Interface SQL Injection
WordPress 1.5.1.2 - 'xmlrpc' Interface SQL Injection

MySQL Eventum 1.5.5 - 'login.php' SQL Injection

PHP live helper 2.0.1 - Multiple Vulnerabilities
PHP Live Helper 2.0.1 - Multiple Vulnerabilities

Zen Cart 1.3.9f (typefilter) - Local File Inclusion
Zen Cart 1.3.9f - 'typefilter' Local File Inclusion

phpWebSite 0.7.3/0.8.x/0.9.x - Comment Module CM_pid Cross-Site Scripting
phpWebSite 0.7.3/0.8.x/0.9.x Comment Module - 'CM_pid' Cross-Site Scripting

YaBB 1.x/9.1.2000 - YaBB.pl IMSend Cross-Site Scripting
YaBB 1.x/9.1.2000 - 'YaBB.pl IMSend' Cross-Site Scripting
SugarCRM 1.x/2.0 Module - 'record' SQL Injection
SugarCRM 1.x/2.0 Module - Traversal Arbitrary File Access
SugarCRM 1.x/2.0 Module - 'record' SQL Injection
SugarCRM 1.x/2.0 Module - Traversal Arbitrary File Access
phpGroupWare 0.9.x - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' Cross-Site Scripting
phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' SQL Injection
phpGroupWare 0.9.x - 'index.php' Multiple SQL Injections
phpGroupWare 0.9.x - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' Cross-Site Scripting
phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' SQL Injection
phpGroupWare 0.9.x - 'index.php' Multiple SQL Injections
Kayako eSupport 2.x - 'index.php' Knowledgebase Cross-Site Scripting
Kayako eSupport 2.x - Ticket System Multiple SQL Injections
Kayako eSupport 2.x - 'index.php' Knowledgebase Cross-Site Scripting
Kayako eSupport 2.x - Ticket System Multiple SQL Injections

Kayako ESupport 2.3 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities

Double Choco Latte 0.9.3/0.9.4 - 'main.php' Arbitrary PHP Code Execution

PHPCOIN 1.2 - 'auxpage.php?page' Traversal Arbitrary File Access
phpCoin 1.2 - 'auxpage.php?page' Traversal Arbitrary File Access
ModernGigabyte ModernBill 4.3 - 'news.php' File Inclusion
ModernGigabyte ModernBill 4.3 - 'C_CODE' Cross-Site Scripting
ModernGigabyte ModernBill 4.3 - 'Aid' Cross-Site Scripting
ModernGigabyte ModernBill 4.3 - 'news.php' File Inclusion
ModernGigabyte ModernBill 4.3 - 'C_CODE' Cross-Site Scripting
ModernGigabyte ModernBill 4.3 - 'Aid' Cross-Site Scripting
Yappa-ng 1.x/2.x - Remote File Inclusion
Yappa-ng 1.x/2.x - Cross-Site Scripting
Yappa-ng 1.x/2.x - Remote File Inclusion
Yappa-ng 1.x/2.x - Cross-Site Scripting

Notes Module for phpBB - SQL Injection
phpBB Notes Module - SQL Injection
osTicket 1.2/1.3 - Multiple Input Validation / Remote Code Injection Vulnerabilities
SitePanel2 2.6.1 - Multiple Input Validation Vulnerabilities
osTicket 1.2/1.3 - Multiple Input Validation / Remote Code Injection Vulnerabilities
SitePanel2 2.6.1 - Multiple Input Validation Vulnerabilities

Help Center Live 1.0/1.2.x - Multiple Input Validation Vulnerabilities
HelpCenter Live! 1.0/1.2.x - Multiple Input Validation Vulnerabilities

FusionBB 0.x - Multiple Input Validation Vulnerabilities
Invision Power Services Invision Gallery 1.0.1/1.3 - SQL Injection
Invision Community Blog 1.0/1.1 - Multiple Input Validation Vulnerabilities
Invision Power Services Invision Gallery 1.0.1/1.3 - SQL Injection
Invision Community Blog 1.0/1.1 - Multiple Input Validation Vulnerabilities

osCommerce 2.1/2.2 - Multiple HTTP Response Splitting Vulnerabilities

PAFaq - Question Cross-Site Scripting

PAFaq - Administrator 'Username' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'download.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'calendar.php' Multiple SQL Injections
UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php?message' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php?main' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php?posted' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'download.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'calendar.php' Multiple SQL Injections
UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php?message' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php?main' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php?posted' SQL Injection
Kayako LiveResponse 2.0 - 'index.php?Username' Cross-Site Scripting
Kayako LiveResponse 2.0 - 'index.php' Calendar Feature Multiple SQL Injections
Kayako Live Response 2.0 - 'index.php?Username' Cross-Site Scripting
Kayako Live Response 2.0 - 'index.php' Calendar Feature Multiple SQL Injections
MySQL AB Eventum 1.x - 'view.php?id' Cross-Site Scripting
MySQL AB Eventum 1.x - 'list.php?release' Cross-Site Scripting
MySQL AB Eventum 1.x - 'get_jsrs_data.php?F' Cross-Site Scripting
MySQL AB Eventum 1.x - 'view.php?id' Cross-Site Scripting
MySQL AB Eventum 1.x - 'list.php?release' Cross-Site Scripting
MySQL AB Eventum 1.x - 'get_jsrs_data.php?F' Cross-Site Scripting

RunCMS 1.1/1.2 Module Newbb_plus/Messages - SQL Injection

EyeOS 0.8.x - Session Remote Command Execution
eyeOS 0.8.x - Session Remote Command Execution

CPAINT 1.3/2.0 - 'TYPE.php' Cross-Site Scripting
CPAINT 1.3/2.0.2 - 'TYPE.php' Cross-Site Scripting

XMB Forum 1.8/1.9 - 'u2u.php?Username' Cross-Site Scripting

Zen Cart Web Shopping Cart 1.x - 'autoload_func.php?autoLoadConfig[999][0][loadFile]' Remote File Inclusion
Zen Cart Web Shopping Cart 1.3.0.2 - 'autoload_func.php?autoLoadConfig[999][0][loadFile]' Remote File Inclusion

osCommerce 2.1/2.2 - 'product_info.php' SQL Injection

CakePHP 1.1.7.3363 - 'Vendors.php' Directory Traversal

HAMweather 3.9.8 - 'template.php' Script Code Injection

Kayako SupportSuite 3.0.32 - PHP_SELF Trigger_Error Function Cross-Site Scripting
Kayako SupportSuite 3.0.32 - 'PHP_SELF Trigger_Error' Function Cross-Site Scripting

Jamroom 3.3.8 - Cookie Authentication Bypass
Kayako SupportSuite 3.x - '/visitor/index.php?sessionid' Cross-Site Scripting
Kayako SupportSuite 3.x - 'index.php?filter' Cross-Site Scripting
Kayako SupportSuite 3.x - '/staff/index.php?customfieldlinkid' SQL Injection
Kayako SupportSuite 3.x - '/visitor/index.php?sessionid' Cross-Site Scripting
Kayako SupportSuite 3.x - 'index.php?filter' Cross-Site Scripting
Kayako SupportSuite 3.x - '/staff/index.php?customfieldlinkid' SQL Injection

Vanilla 1.1.4 - HTML Injection / Cross-Site Scripting

UBBCentral UBB.Threads 7.3.1 - 'Forum[]' Array SQL Injection
gps-server.net GPS Tracking Software < 3.1 - Multiple Vulnerabilities
Zen Cart < 1.3.8a - SQL Injection
PHP Topsites < 2.2 - Multiple Vulnerabilities
phpLinks < 2.1.2 - Multiple Vulnerabilities
P-Synch < 6.2.5 - Multiple Vulnerabilities
WinMX < 2.6 - Design Error
FTP Service < 1.2 - Multiple Vulnerabilities
MegaBrowser < 0.71b - Multiple Vulnerabilities
Max Web Portal < 1.30 - Multiple Vulnerabilities
Snitz Forums 2000 < 3.4.0.3 - Multiple Vulnerabilities
Gespage 7.4.8 - SQL Injection

Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)
2018-01-06 05:02:14 +00:00

29 lines
No EOL
1.9 KiB
Text
Raw Blame History

WinMX Design Error
Vendor: Frontcode Technologies
Product: WinMX
Version: <= 2.6
Website: http://www.winmx.com/
BID: 7771
Description:
WinMX 2.6 is an older version of the popular file sharing client WinMX. While the current version is 3.31, 2.6 still remains quite popular. Especially amongst users on private networks. I believe this is largely due to the fact that 2.6 does not have the option to output .wsx file (WinMX server list files) This helps keep the addresses for private OpenNap servers out of the hands of uninvited users (amongst other reasons).
Problem:
The problems with WinMX 2.6 is that it provides pretty much NO password protection. This can be exploited both locally and remotely. Again, I think all of us have seen the bad habit that most people have of using the same password for multiple accounts etc etc.
Local Exploitation:
There several ways to exploit this issue locally. One is to just edit a particular server, and upon doing so the username and pass are presented in plaintext, and the other way is to open the nservers.dat file in the WinMX directory.
Remote Exploitation:
Even though the passwords are encrypted by such servers as SlavaNap etc, they are passed to the server in plaintext, so any malicious server owner with a packet sniffer can exploit this vuln.
Conclusion:
I realized this issue back when 2.6 was the current release, but never reported it because VERY shortly thereafter a new version of WinMX was available. However with the substantial number of 2.6 users still around I felt it was best that this vulnerability become official, as there is nothing about it on google etc that i was able to find. So to anyone using 2.6 i offer this advice. Do not use a password for WinMX 2.6 that you use for other accounts at the very least. Hope this helps some of the 2.6 users out. Cheers
Solution:
Upgrade to the latest version of WinMX
Credits:
James Bercegay of the GulfTech Security Research Team.
Reference in a new issue View git blame Copy permalink