SQL Injection and XSS Vulnerabilities in MWNewsletter

Summary

Vulnerability: SQL Injection and XSS Vulnerabilities in MWNewsletter
Discovered: 2006.04.06
Last Update: 2006.04.16 Exploitation code published
ID: EV0123
CVE: CVE-2006-1690, CVE-2006-1691, CVE-2006-1692
Risk Level: medium
Type: Multiple Vulnerabilities
Status: Unpatched. No reply from developer(s)
Vendor: Manic Web
Vulnerable Software: MWNewsletter (http://www.manicweb.co.uk/)
Version: 1.0.0b
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple vulnerabilities were found in the MWNewsletter (http://www.manicweb.co.uk/) script.

1. SQL Injection.

Vulnerable script: unsubscribe.php

The user_name parameter is not properly sanitized before being used in an SQL query. This can be used to run any SQL query by injecting arbitrary SQL code.

Condition: magic_quotes_gpc = off


2. Cross-Site Scripting.

Vulnerable Script: subscribe.php

The user_name parameter is not properly sanitized. This can be used to post arbitrary HTML or web script code.

PoC/Exploit

1. SQL Injection Example:

URL: http://[host]mwnewsletter/unsubscribe.php
Name: ' or 1/*


2. Cross-Site Scripting Example:

URL: http://[host]mwnewsletter/subscribe.php
Name: [XSS]

Solution

No solution for "SQL Injection and XSS Vulnerabilities in MWNewsletter" is available. Check the Manic Web website for updates.
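
The two weaknesses described above and their standard remedies, as an added example that is not MWNewsletter's code or a vendor fix: the user_name value is bound as a query parameter instead of concatenated, and HTML-encoded before output. The table, column names, queries and function names are assumptions (the advisory does not show the application's source), and an in-memory SQLite database stands in for the application's database.

```php
<?php
// Added example: the table, column names and queries are assumptions;
// MWNewsletter's real schema and code are not shown in the advisory.
// SQLite in memory stands in for the application's database.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE subscribers (user_name TEXT, email TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO subscribers VALUES
               ('alice', 'alice@example.org'), ('bob', 'bob@example.org')");
    return $db;
}

// Weak pattern: the request value is concatenated into the statement text,
// so quote characters in it are parsed as SQL syntax.
function unsubscribe_concat(PDO $db, string $userName): int {
    return $db->exec(
        "DELETE FROM subscribers WHERE user_name = '" . $userName . "'"
    );
}

// Hardened: the value is bound as data and is never parsed as SQL.
function unsubscribe_bound(PDO $db, string $userName): int {
    $stmt = $db->prepare('DELETE FROM subscribers WHERE user_name = :name');
    $stmt->execute([':name' => $userName]);
    return $stmt->rowCount();
}

// Hardened output for subscribe.php-style pages: encode before echoing
// a submitted name into HTML.
function html_text(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name = "' or 1/*";   // the Name value from the advisory's PoC section

// Each call gets a fresh database so the row counts are comparable.
printf("concatenated: %d row(s) deleted\n", unsubscribe_concat(make_db(), $name));
printf("bound:        %d row(s) deleted\n", unsubscribe_bound(make_db(), $name));
printf("encoded:      %s\n", html_text('<b>' . $name . '</b>'));
```

The magic_quotes_gpc setting named in the condition above was removed in PHP 5.4, so on current PHP versions that condition always holds and bound parameters are the only reliable control.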