DIY Web CMS SQL Injection / Cross Site Scripting

2011-02-22T00:00:00
ID PACKETSTORM:98638
Type packetstorm
Reporter p0pc0rn
Modified 2011-02-22T00:00:00

Description

SQL and XSS in DIY Web CMS  
found by : p0pc0rn 22/2/2011  
web : http://www.mydiyweb.com.my  
dork : intext:"powered by DiyWeb"  
  
SQL - Microsoft JET Database Engine error  
-----------------------------------------  
  
http://site.com/template.asp?menuid=[SQL]  
http://site.com/viewcatalog.asp?id=[SQL]  
http://site.com/xxx.asp?id=[SQL]  
  
XSS  
---  
http://site.com/diyweb/login.asp?msg=[XSS] -- login page  
  