Multiple XSS and SQL Injection in HB-NS
- Multiple XSS and SQL Injection in HB-NS
- Last Update
- 2006.05.09 Exploitation code published
- CVE-2006-2145 CVE-2006-2146
- Risk Level
- Multiple Vulnerabilities
- Unpatched. No reply from developer(s)
- Vulnerable Software
- HB-NS (http://www.haroldbakker.com/)
- Not available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Multiple Vulnerabilities found in HB-NS (http://www.haroldbakker.com/) script.
1. SQL Injection.
Vulnerable script: index.php
Parameters topic, id are not properly sanitized before being used in SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc = off
2. Cross-Site Scripting.
Vulnerable Script: index.php
Parameters poster_name, poster_email, poster_homepage, message are not properly sanitized. This can be used to post arbitrary HTML or web script code.
1. SQL Injection Example.
2. Cross-Site Scripting Example.
Your name (required): [XSS]
Your email: ">[XSS]<"
Comments (required): [XSS]
Solution for "Multiple XSS and SQL Injection in HB-NS" is not available. Check vendor's website for updates.