
77 lines
No EOL
2.7 KiB
Text
Executable file
---------------------------------------------------------------
Piwik <= 2.16.0 (saveLayout) PHP Object Injection Vulnerability
---------------------------------------------------------------


[-] Software Link:

https://piwik.org/


[-] Affected Versions:

Version 2.16.0 and prior versions.

[-] Vulnerability Description:

The vulnerability can be triggered through the saveLayout() method defined in /plugins/Dashboard/Controller.php:

210. public function saveLayout()
211. {
212.     $this->checkTokenInUrl();
213.
214.     $layout = Common::unsanitizeInputValue(Common::getRequestVar('layout'));
215.     $layout = strip_tags($layout);
216.     $idDashboard = Common::getRequestVar('idDashboard', 1, 'int');
217.     $name = Common::getRequestVar('name', '', 'string');
218.
219.     if (Piwik::isUserIsAnonymous()) {
220.         $session = new SessionNamespace("Dashboard");
221.         $session->dashboardLayout = $layout;
222.         $session->setExpirationSeconds(1800);

User input passed by anonymous users through the "layout" request parameter is stored into
a session variable at line 221, and this is possible by invoking a URL like this:

http://[piwik]/index.php?module=Dashboard&action=saveLayout&token_auth=anonymous&layout=[injection]%26%2365536;

Since Piwik is not using "utf8mb4" collations for its database, this can be exploited in combination with a MySQL
UTF8 truncation issue in order to corrupt the session array, allowing unauthenticated attackers to inject arbitrary
PHP objects into the application scope and carry out Server-Side Request Forgery (SSRF) attacks, delete arbitrary
files, execute arbitrary PHP code, and possibly other attacks. Successful exploitation of this vulnerability
requires Piwik to use the database to store session data (dbtable option) and the application to be running on
PHP before version 5.4.45, 5.5.29, or 5.6.13.

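Added example, not part of the advisory or of Piwik: a Python check that emulates the truncation a 3-byte MySQL "utf8" column applies to a value containing a character above U+FFFF, and uses it to flag anonymous saveLayout requests in constructed access-log lines. It assumes the "&#65536;" entity in the advisory's URL is decoded to the raw character before the value reaches the session store (the advisory does not spell out the decode step); the log format and addresses are constructed.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Emulate writing a value into a MySQL column with the 3-byte "utf8" charset in
# non-strict mode: MySQL keeps the characters up to the first one it cannot
# encode (anything above U+FFFF needs 4 bytes) and drops the rest. Switching
# the column to "utf8mb4" removes the issue; in strict mode the write fails.
def utf8_column_store(value: str) -> str:
    for i, ch in enumerate(value):
        if ord(ch) > 0xFFFF:
            return value[:i]
    return value

# Assumed decode step: the advisory's URL tail "%26%2365536;" is the entity
# "&#65536;" once URL-decoded, and that entity becomes U+10000 when decoded.
def decode_layout(raw: str) -> str:
    return html.unescape(raw)

def is_truncated_by_utf8(raw: str) -> bool:
    decoded = decode_layout(raw)
    return utf8_column_store(decoded) != decoded

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/1\.[01]"')

def flag_savelayout(log_line: str) -> Optional[dict]:
    """Return details for an anonymous saveLayout request whose layout value
    would be cut short by a utf8 column, or None for anything else."""
    m = REQUEST_RE.search(log_line)
    if m is None:
        return None
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    if query.get("module") != ["Dashboard"] or query.get("action") != ["saveLayout"]:
        return None
    if query.get("token_auth") != ["anonymous"]:
        return None
    raw_layout = query.get("layout", [""])[0]  # parse_qs already URL-decoded it
    if not is_truncated_by_utf8(raw_layout):
        return None
    decoded = decode_layout(raw_layout)
    return {"decoded_len": len(decoded), "stored_len": len(utf8_column_store(decoded))}

# Constructed access-log lines (not real traffic); the second one carries the
# entity tail shown in the advisory's URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Nov/2016:10:00:00 +0000] "GET /index.php?module=Dashboard&action=saveLayout&token_auth=anonymous&layout=%5B%5D HTTP/1.1" 200 12',
    '203.0.113.5 - - [07/Nov/2016:10:00:01 +0000] "GET /index.php?module=Dashboard&action=saveLayout&token_auth=anonymous&layout=%5B%5D%26%2365536; HTTP/1.1" 200 12',
    '203.0.113.7 - - [07/Nov/2016:10:00:02 +0000] "GET /index.php?module=Dashboard&action=index HTTP/1.1" 200 3102',
]

def flagged_lines(lines) -> list:
    return [line for line in lines if flag_savelayout(line) is not None]

if __name__ == "__main__":
    for line in flagged_lines(SAMPLE_LOG):
        print("suspicious saveLayout request:", line)
```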
[-] Solution:

Update to version 2.16.1 or later.


[-] Disclosure Timeline:

[08/02/2016] - Vendor notified
[09/02/2016] - Vendor replied that they were unable to reproduce the issue
[11/02/2016] - Proof of concept tested on demo.piwik.org sent to the vendor
[11/02/2016] - Vendor response stating the issue will be fixed in the 2.16.1 release
[17/02/2016] - Bug bounty received
[11/04/2016] - Version 2.16.1 released: http://piwik.org/changelog/piwik-2-16-1/
[16/06/2016] - CVE number requested
[07/11/2016] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2016-13