Multiple Vulnerabilities in CLANSPHERE

2010-11-02T00:00:00
ID HTB22691
Type htbridge
Reporter High-Tech Bridge
Modified 2010-11-16T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in CLANSPHERE which could be exploited to perform cross-site scripting, script insertion and SQL injection attacks.

1) Cross-site scripting (XSS) vulnerability in CLANSPHERE
The vulnerability exists due to insufficient sanitization of the "pic" and "size" parameters in mods/gallery/print_now.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation examples:
http://[host]/mods/gallery/print_now.php?pic=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
http://[host]/mods/gallery/print_now.php?pic=1&size=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E

2) Script insertion vulnerability in CLANSPHERE
Input passed to the "url" BBCode tag is not properly sanitized. A remote attacker can insert arbitrary HTML and script code, which will be executed in the user's browser in the context of the vulnerable website when the user views the malicious data.
Exploitation example:
[img][url]onerror=javascript:alert(/XSS/);"'[/url][/img]
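The following added example is not CLANSPHERE code; it was written for this page to reproduce both defects from sections 1 and 2 in a minimal stand-in renderer and to show the corresponding fix. The first half stands in for a print_now.php-style page that reflects "pic" and "size" into HTML attributes; the second half is a naive BBCode [url]/[img] converter that copies tag bodies into href/src, which is one way the advisory's nested [url]-in-[img] string ends up as an onerror attribute. The function names, HTML layout and regular expressions are assumptions; the two payloads are the advisory's own (the first one URL-decoded).

```python
import html
import re
from urllib.parse import unquote, urlparse

# Payloads taken from the advisory. PIC_PAYLOAD is the URL-decoded "pic" value
# from example 1; BBCODE_PAYLOAD is the [url]-in-[img] string from example 2.
PIC_PAYLOAD = unquote("%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E")
BBCODE_PAYLOAD = "[img][url]onerror=javascript:alert(/XSS/);\"'[/url][/img]"

# --- 1) reflected parameters (hypothetical stand-in for print_now.php) ---

def render_print_vulnerable(pic: str, size: str) -> str:
    # Query values land inside double-quoted attributes unencoded, so a value
    # starting with "> closes the attribute and the tag and starts new markup.
    return f'<img src="pics/{pic}" width="{size}">'

def render_print_fixed(pic: str, size: str) -> str:
    # Encode for the attribute context: " becomes &quot; and < becomes &lt;,
    # so the value can neither terminate the attribute nor open a tag.
    return (f'<img src="pics/{html.escape(pic, quote=True)}" '
            f'width="{html.escape(size, quote=True)}">')

# --- 2) BBCode rendering (hypothetical minimal [url]/[img] converter) ---

def bbcode_vulnerable(text: str) -> str:
    # Tag bodies are copied verbatim into href/src. Because [url] is expanded
    # first, the <a ...> it produces becomes the [img] body and is then placed
    # inside src="...", where its quotes and spaces let onerror= become an
    # attribute of the <img> tag.
    text = re.sub(r"\[url\](.*?)\[/url\]", r'<a href="\1">\1</a>', text)
    text = re.sub(r"\[img\](.*?)\[/img\]", r'<img src="\1">', text)
    return text

_TAG_RE = re.compile(r"\[(url|img)\](.*?)\[/\1\]")

def _safe_url(raw: str):
    # Accept only an absolute http(s) URL containing no character that could
    # break out of a quoted attribute; return it attribute-encoded, else None.
    try:
        parts = urlparse(raw)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if re.search(r"[\s\"'<>]", raw):
        return None
    return html.escape(raw, quote=True)

def bbcode_fixed(text: str) -> str:
    # Single pass over the input: plain text is entity-encoded, a tag is
    # emitted only when its body is a valid URL, and anything else (including
    # a nested tag, which can never pass the URL check) is shown literally.
    # Generated markup is never fed back into a later substitution.
    out, pos = [], 0
    for m in _TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        tag, body = m.group(1), m.group(2)
        safe = _safe_url(body)
        if safe is None:
            out.append(html.escape(m.group(0), quote=True))
        elif tag == "url":
            out.append(f'<a href="{safe}">{safe}</a>')
        else:
            out.append(f'<img src="{safe}" alt="">')
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)

if __name__ == "__main__":
    print(render_print_vulnerable(PIC_PAYLOAD, "1"))
    print(render_print_fixed(PIC_PAYLOAD, "1"))
    print(bbcode_vulnerable(BBCODE_PAYLOAD))
    print(bbcode_fixed(BBCODE_PAYLOAD))
```

The point of the single-pass converter is that the order of substitutions in the naive version is what makes the nested payload work: whatever one tag emits is raw input to the next. Validating the scheme also blocks javascript: URLs in href, which attribute encoding alone would not.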

3) SQL injection vulnerability in CLANSPHERE
The vulnerability exists due to insufficient sanitization of the "where" parameter passed to index.php in the "replays" module. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
Exploitation example:
http://[host]/index.php?mod=replays&action=list&where=123%27%20union%20select%201,2,@@version,4,5%20--%20#
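The following added example is not CLANSPHERE code; it was written for this page to show what the "where" payload above does to a query that splices the parameter into the statement text, and the parameterized version that closes the hole. The table layout, column names and the five-column listing query are assumptions, the data is constructed, and an in-memory SQLite database stands in for MySQL, so @@version is replaced by sqlite_version() and the MySQL-only "#" comment is dropped (the "--" is enough to comment out the closing quote).

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the "replays" table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE replays (id INTEGER PRIMARY KEY, title TEXT, "
                "game TEXT, map TEXT, uploader TEXT)")
    con.executemany("INSERT INTO replays VALUES (?, ?, ?, ?, ?)", [
        (1, "final", "sc", "lost temple", "alice"),
        (2, "semi", "sc", "python", "bob"),
    ])
    return con

def db_version(con) -> str:
    # What the injected sqlite_version() call is expected to return.
    return con.execute("SELECT sqlite_version()").fetchone()[0]

# The advisory's payload with MySQL's @@version swapped for SQLite's
# sqlite_version(). The trailing "-- " comments out the query's closing quote.
WHERE_PAYLOAD = "123' union select 1,2,sqlite_version(),4,5 -- "

def list_replays_vulnerable(con, where: str):
    # The request parameter is spliced into the statement, so a quote in it
    # ends the string literal and everything after it is parsed as SQL.
    sql = ("SELECT id, title, game, map, uploader FROM replays "
           f"WHERE id = '{where}'")
    return con.execute(sql).fetchall()

def list_replays_fixed(con, where: str):
    # Enforce the type the parameter is supposed to have and bind it, so the
    # value is never part of the statement text.
    try:
        replay_id = int(where)
    except ValueError:
        return []
    return con.execute(
        "SELECT id, title, game, map, uploader FROM replays WHERE id = ?",
        (replay_id,)).fetchall()

def union_column_count_works(con, n: int) -> bool:
    # UNION only parses when both SELECTs have the same width, which is why
    # the advisory's payload uses exactly five placeholder columns. An
    # attacker finds the width by trying counts until the error disappears.
    cols = ",".join(str(i + 1) for i in range(n))
    try:
        list_replays_vulnerable(con, f"123' union select {cols} -- ")
        return True
    except sqlite3.OperationalError:
        return False

if __name__ == "__main__":
    con = make_db()
    print(list_replays_vulnerable(con, WHERE_PAYLOAD))
    print(list_replays_fixed(con, WHERE_PAYLOAD))
    print([n for n in range(1, 8) if union_column_count_works(con, n)])
```

The injected row comes back in the third column of the listing, which is where the advisory's @@version would be printed by the vulnerable page; the fixed variant returns nothing for the payload because it never reaches the database as SQL.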