Science Fair In A Box SQL Injection / Cross Site Scripting

🗓️ 12 Jun 2010 00:00:00Reported by L0rd CrusAd3rType

packetstorm🔗 packetstormsecurity.com👁 17 Views

Science Fair In A Box provides web-based application for science fairs with SQL Injection and Cross Site Scripting vulnerabilitie

`Author: L0rd CrusAd3r aka VSN [[email protected]]  
Exploit Title: Science Fair In A Box SQLi & XSS Vulnerability  
Version:2.0.6  
Price:Free  
Vendor url:http://www.sfiab.ca/  
Published: 2010-06-09  
Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue®, S1ayer,d3c0d3r and to all ICW members  
###############################################################################################################################################################################################  
  
Science Fair In A Box SQLi & XSS Vulnerability  
Author: L0rd CrusAd3r aka VSN [[email protected]]  
  
#####################################################################################################################################################################################################  
  
Description:  
  
The "Science Fair in a Box" (SFIAB) project provides regions hosting a science fair with a complete and comprehensive package that can be used to assist in the implementation and running of the fair.   
The SFIAB provides a web based application to facilitate all areas of running a science fair such as online registration for the participants, judges, sponsor management, judge scheduling and awards management.   
The SFIAB is implemented using open-source tools wherever possible, creating a truly open and customizable product that fairs can modify to suit their needs.   
However, SFIAB contain enough configuration options to allow fairs to use the system without any modifications to the underlying codebase. SFIAB is developed using PHP, with MySQL as the backend database.   
Other database backends could be supported in the future. All reports are created in print-ready PDF format to ensure cross-platform compatibility where applicable and also available to export as a CSV to external applications.   
All text in SFIAB is internationalized to allow the use of the system in any language. 'Language Packs' will be available in other language once translations are complete. (If you'd like to assist in translation, contact us!)   
SFIAB is the most advanced, most comprehensive Science Fair Software in the world, and is used by many science fairs spread across many different countries!   
#######################################################################################################################################################################################################  
  
Vulnerability:  
  
*SQLi Vulnerability  
  
DEMO URL :http://www.sfiab.ca/sfiab/winners.php?year=2008&type=Special'  
  
*XSS Vulnerability  
  
DEMO URL :http://www.sfiab.ca/sfiab/winners.php?year=2008&type=Special [xss]  
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
# 0day n0 m0re #  
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
  
  
##########################################################################################################################################################################################  
`

12 Jun 2010 00:00Current

0.3Low risk

Vulners AI Score0.3