
Bugtraq mailing list archives

Multiple vulnerabilities in chCounter <= 3.1.3
From: Soporte CERT <soporte () cert unlp edu ar>
Date: Thu, 18 Nov 2010 10:19:06 -0300

Multiple vulnerabilities were found in web application chCounter <= 3.1.3.

Author:
- Matias Fontanini (mfontanini () cert unlp edu ar).

Requirements:
- Downloads must be enabled (this is not the default).
- magic_quotes off.
- Access to the administration site.

=SQLInjection=
Location: administration/index.php?cat=downloads&edit=
Affected parameters: anzahl
Method: POST
Severity: High
Description: When accessing
administration/index.php?cat=downloads&edit=VALID_ID
with a valid download id, an attacker is able to manipulate the "anzahl"
parameter to perform queries which only involve returning an integer.
The query output will be sent back to the client in the "anzahl" text
input.
Exploit: An attacker could perform repeated crafted requests to retrieve
any database records to which the user has access.
Proof of concept: see attached file "chcounter.py"

=XSS=
Location: administration/index.php?cat=downloads&edit=
Affected parameters: anzahl and wert
Method: POST
Severity: Low
Description: When accessing
administration/index.php?cat=downloads&edit=VALID_ID
with a valid download id, an attacker is able to insert HTML tags in the
"wert" parameter. Once the attacker has done that, manipulating the
"anzahl" parameter so that the resulting SQL query is malformed will
result in the injected code being parsed by the web browser.
Proof of concept: use parameter wert=<script>alert(1);</script>. After
that, use anzahl=XXX

Attachment: chcounter.py
Description:
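
A hardened version of the kind of update handler both findings point at, as an added example that is not part of the advisory or of chCounter's code. The table layout, function names and the in-memory SQLite database (via PDO) are assumptions made so the snippet runs on its own; only the parameter names "anzahl" and "wert" and the two test values come from the advisory.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: the advisory does not show chCounter's real tables.
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE downloads (id INTEGER PRIMARY KEY, wert TEXT, anzahl INTEGER)');
    $db->exec("INSERT INTO downloads (id, wert, anzahl) VALUES (1, 'file.zip', 0)");
    return $db;
}

/** Returns null on success, or a fixed error message when input is rejected. */
function updateDownload(PDO $db, int $id, array $post): ?string
{
    // "anzahl" is a counter: accept a non-negative integer and nothing else.
    $anzahl = filter_var($post['anzahl'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    if ($anzahl === false) {
        return 'Invalid value for anzahl.'; // never echo raw input or the SQL error
    }
    $wert = (string)($post['wert'] ?? '');

    // Bound parameters keep both fields out of the SQL text entirely.
    $stmt = $db->prepare('UPDATE downloads SET wert = :wert, anzahl = :anzahl WHERE id = :id');
    $stmt->bindValue(':wert', $wert, PDO::PARAM_STR);
    $stmt->bindValue(':anzahl', $anzahl, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return null;
}

/** Renders the edit form fields with every stored value HTML-escaped. */
function renderFields(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT wert, anzahl FROM downloads WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $esc = fn($v) => htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8');
    return '<input name="wert" value="' . $esc($row['wert']) . '">'
         . '<input name="anzahl" value="' . $esc($row['anzahl']) . '">';
}

$db = openDemoDb();
// Constructed requests using the parameter values quoted in the advisory.
var_dump(updateDownload($db, 1, ['wert' => '<script>alert(1);</script>', 'anzahl' => 'XXX']));
var_dump(updateDownload($db, 1, ['wert' => '<script>alert(1);</script>', 'anzahl' => '7']));
echo renderFields($db, 1), "\n";
```

The first request is rejected before any SQL is built, so no malformed query or database error reaches the response; the second is stored verbatim and only becomes inert when it is escaped on output.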

