Bugtraq mailing list archives

SQL injection & XSS in phpoutsourcing Noah's classifieds
From: alireza hassani <trueend5 () yahoo com>
Date: Wed, 14 Sep 2005 10:32:41 -0700 (PDT)

Software: phpoutsourcing Noah's classifieds
Vendor: http://classifieds.phpoutsourcing.com/
Version: all versions
Bug: SQL injection & XSS 
Exploitation: Remote with browser
-------------------------------------------------------------------------------------
Introduction:
 Noah's Classifieds is a general purpose application
that allows you to set up as many ad categories as you
want specifying custom fields for each of them.

Vulnerability:

Several scripts do not properly validate user-supplied
input. A remote user can create specially crafted
parameter values that will execute SQL commands on the
underlying database. A remote user can create a
specially crafted URL that, when loaded by a target
user, will cause arbitrary scripting code to be
executed by the target user's browser. As a result,
the code will be able to access the target user's
cookies.
In these cases, the rollid parameter is vulnerable.
-----------------------------
SQL Injection:
Demonstration exploit URL
http://localhost/classifieds/index.php?methode=showdetails&list=Advertisment&rollid=4'
The vulnerability is easy to exploit; for example, the
"Search" & "forgotten password" pages might be used to
exploit it with a simple ' (%27)
-All versions are vulnerable-
-------------------------------
XSS:
Demonstration exploit URL
http://localhost/classifieds/index.php?methode=showdetails&list=Advertisment&rollid=4'<script>alert(document.cookie)</script>
The username and hashed password are set by cookie, so customer
cookies may be compromised. The attacker may be able
to pose as a legitimate user to view and alter user
records, and perform transactions as that user.
-Just tested on classified 1.3 (the last release)-
-------------------------------
Solution: 
There is not any vendor-supplied patch at this time.
-------------------------------
Credits:
Discovered & released by trueend5
[ Security Researchers Institute Of Iran <KAPDA.ir> in
association with iraNNetjob.com]

Original advisory: http://www.irannetjob.com/index.php?option=com_content&task=view&id=122&Itemid=28
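
Added example (not part of the original advisory and not the vendor's code): one way a handler could treat the rollid parameter so that both demonstration values above are rejected, using integer validation, a bound query parameter and output encoding. The function names, the ads table and its columns are assumptions, and the sample data is constructed.

```php
<?php
// Hypothetical handler, not Noah's Classifieds source.
// Table and column names (ads, id, title) are assumptions.

function parse_rollid($raw): ?int
{
    // Accept only a plain positive decimal integer; "4'" and
    // "4'<script>..." from the advisory both fail this check.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function show_details(PDO $db, $rawRollid): string
{
    $id = parse_rollid($rawRollid);
    if ($id === null) {
        // Never echo the rejected value back into the page.
        return '<p>Invalid ad id.</p>';
    }
    // Bound parameter: the value is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT title FROM ads WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn();
    if ($title === false) {
        return '<p>Ad not found.</p>';
    }
    // Encode stored data on output so markup in a title renders as text.
    return '<h1>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h1>';
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO ads VALUES (4, 'Bike <b>for sale</b>')");

// Constructed inputs: one valid id and the two rollid values from the advisory.
foreach (['4', "4'", "4'<script>alert(document.cookie)</script>"] as $rollid) {
    echo show_details($db, $rollid), PHP_EOL;
}
```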
