I-Vision CMS – Cross-Site Scripting / SQL Injection

• Exploit Database
• 109 阅读

• 作者： Ariko-Security
  日期： 2010-05-16
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/12630/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65

  # Title: [XSS, SQL injection vulnerability in I-Vision CMS] # Date: [17.05.2010] # Author: [Ariko-Security] # Software Link: [http://international-vision.com/inner.php?id=14&type=2] # Version: [ALL]     ============ { Ariko-Security - Advisory #2/5/2010 } =============   XSS, SQL injection vulnerability in I-Vision CMS       Vendor's Description of Software: # http://international-vision.com/inner.php?id=14&type=2   Dork: # n/a   Application Info: # Name: I-Vision CMS # ALL versions   Vulnerability Info: # Type: XSS # Type: SQL injection Vulnerability # Risk: HIGH (BANK SYSTEMS)   Fix: # N/A   Time Table: # 02/05/2010 - Vendor notified.     Input passed via the "type" parameter to inner.php is not properly   sanitised before being used in a SQL query.   Input passed to the "keys" parameter in search.php is not properly   sanitised before being returned to the user.     Solution: # Input validation of type parameter should be corrected. # Input validation of keys parameter should be corrected.     Vulnerability: # http://[site]/inner.php?id=14&type=2[SQLi] # http://[site]/search.php?Value=0&pages=1&keys=[XSS]   Credit: # Discoverd By: MG / Ariko-Security #Advisory: http://www.ariko-security.com/may2010/audyt_bezpieczenstwa_677.html # Website: http://Ariko-security.com # Contacts: support[-at-]ariko-security.com     Ariko-Security vuln@ariko-security.com tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)