Message-ID: <20050914173242.76917.qmail@web51011.mail.yahoo.com>
Date: Wed, 14 Sep 2005 10:32:41 -0700 (PDT)
From: alireza hassani <trueend5@...oo.com>
To: bugtraq@...urityfocus.com
Subject: SQL injection & XSS in phpoutsourcing Noah's classifieds
Software: phpoutsourcing Noah's classifieds
Vendor: http://classifieds.phpoutsourcing.com/
Version: all versions
Bug: SQL injection & XSS
Exploitation: Remote with browser
-------------------------------------------------------------------------------------
Introduction:
Noah's Classifieds is a general purpose application
that allows you to set up as many ad categories as you
want, specifying custom fields for each of them.
Vulnerability:
Several scripts do not properly validate user-supplied
input. A remote user can create specially crafted
parameter values that will execute SQL commands on the
underlying database. A remote user can also create a
specially crafted URL that, when loaded by a target
user, will cause arbitrary scripting code to be
executed by the target user's browser. As a result,
the code will be able to access the target user's
cookies.
In this case, the rollid parameter is vulnerable.
-----------------------------
SQL Injection:
Demonstration exploit URL
http://localhost/classifieds/index.php?methode=showdetails&list=Advertisment&rollid=4'
The vulnerability is easy to exploit; for example, the
"Search" and "forgotten password" pages can be
exploited with a simple ' (%27).
-All versions are vulnerable-
-------------------------------
XSS:
Demonstration exploit URL
http://localhost/classifieds/index.php?methode=showdetails&list=Advertisment&rollid=4'<script>alert(document.cookie)</script>
The username and hashed password are stored in a cookie,
so customer cookies may be compromised. The attacker may
be able to pose as a legitimate user to view and alter
user records, and perform transactions as that user.
-Tested only on Classifieds 1.3 (the latest release)-
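As an added illustration, not code from the Noah's Classifieds project, the following Python sketch contrasts the two defects the advisory describes (the raw rollid value spliced into a SQL string, and the same value echoed unescaped into an HTML page) with the validated, parameterized and escaped handling a fix would need. The application in the advisory is PHP; Python with an in-memory SQLite database is used here only so the logic runs stand-alone. The `ads` table, its rows, and every function name below are constructed for this example.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for an ads table keyed by rollid (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (rollid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO ads VALUES (?, ?)",
        [(4, "Used bicycle"), (5, "Flat for rent")],
    )
    return conn


def show_details_vulnerable(conn, raw_rollid):
    """The pattern behind the advisory: the request parameter is pasted into SQL.

    A well-formed id works, but a stray quote changes the statement itself.
    The database error that results is what a single-quote probe reveals.
    """
    query = "SELECT title FROM ads WHERE rollid = '%s'" % raw_rollid
    try:
        return {"rows": conn.execute(query).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # In the real application this error text would reach the browser.
        return {"rows": [], "error": str(exc)}


def parse_rollid(raw):
    """rollid is an identifier, so only an ASCII decimal integer is acceptable.

    Returns the integer, or None for anything else (quotes, tags, empty string).
    """
    if not isinstance(raw, str) or not raw or not raw.isascii() or not raw.isdigit():
        return None
    return int(raw)


def show_details_safe(conn, raw_rollid):
    """Hardened handler: validate the type first, then bind it as a parameter.

    Returns None when the input is rejected; no SQL is issued in that case.
    """
    rollid = parse_rollid(raw_rollid)
    if rollid is None:
        return None
    # The value never becomes part of the SQL text; the driver binds it.
    return conn.execute(
        "SELECT title FROM ads WHERE rollid = ?", (rollid,)
    ).fetchall()


def render_error_vulnerable(raw_rollid):
    """The XSS side of the advisory: the parameter is echoed straight into HTML."""
    return "<p>No ad with id %s</p>" % raw_rollid


def render_error_safe(raw_rollid):
    """Escape on output so the value is displayed as text, never parsed as markup.

    quote=True also encodes ' and ", which matters inside attribute values.
    """
    return "<p>No ad with id %s</p>" % html.escape(raw_rollid, quote=True)


if __name__ == "__main__":
    db = make_db()
    probe = "4'"  # the single-quote check the advisory mentions
    print("vulnerable, normal id :", show_details_vulnerable(db, "4"))
    print("vulnerable, with quote:", show_details_vulnerable(db, probe))
    print("safe, normal id       :", show_details_safe(db, "4"))
    print("safe, with quote      :", show_details_safe(db, probe))
    print("escaped output        :", render_error_safe(probe + "<b>x</b>"))
```

The two fixes are independent and both are needed: binding the parameter stops the quote from reaching the SQL parser, and escaping at the point of output stops the same value from reaching the HTML parser. Rejecting non-integer rollid values up front is defence in depth, and it also gives a log line worth alerting on, since a legitimate client never sends a quote in that field.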
-------------------------------
Solution:
There is no vendor-supplied patch at this time.
-------------------------------
Credits:
Discovered & released by trueend5
[ Security Researchers Institute Of Iran <KAPDA.ir> in
association with iraNNetjob.com]
Original advisory: http://www.irannetjob.com/index.php?option=com_content&task=view&id=122&Itemid=28