Description - XSS and PHP Code Insertion Vulnerabilities in QLnews
Multiple vulnerabilities were found in the QLnews script.
- Exploit: Available
- Solution: Not available - check vendor's website
1. Cross-Site Scripting.
Vulnerable Script: news.php
The parameters autorx and newsx are not properly sanitized. This can be used to post arbitrary HTML or web script code.
2. PHP Code Insertion.
An administrator can edit variable values in the config.php file. This can be used to insert arbitrary PHP code into the config file, which is executed by every PHP script.
System access is possible.
Condition: magic_quotes_gpc = off
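A hardened way to write admin-edited values into a PHP config file, shown beside the weak pattern, as an added example that is not QLnews code or part of the original advisory. The function names, key names and file layout are assumptions; var_export() builds the literal, so the result does not depend on the magic_quotes_gpc setting.

```php
<?php
// Added example: hypothetical config writer, not QLnews code.
// Key names are assumptions; the advisory does not list config.php variables.
const ALLOWED_KEYS = ['site_title', 'admin_email', 'news_per_page'];

// Weak pattern: the raw value is spliced into PHP source, so a quote in it
// ends the string literal early and whatever follows is parsed as PHP.
function render_config_unsafe(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $key => $value) {
        $out .= "\$$key = '$value';\n";
    }
    return $out;
}

// Hardened pattern: allow-list the keys and let var_export() emit the literal,
// which escapes quotes and backslashes so the value stays data.
function render_config_safe(array $settings): string
{
    $clean = [];
    foreach (ALLOWED_KEYS as $key) {
        if (!array_key_exists($key, $settings)) {
            continue;
        }
        $value = $settings[$key];
        if (!is_scalar($value)) {
            throw new InvalidArgumentException("Non-scalar value for $key");
        }
        $clean[$key] = $key === 'news_per_page' ? (int) $value : (string) $value;
    }
    return "<?php\nreturn " . var_export($clean, true) . ";\n";
}

// Constructed input: a title with a quote and a backslash, plus an unknown key.
$input = ['site_title' => "Bob's \\ news", 'news_per_page' => '10', 'extra' => 'dropped'];

$path = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($path, render_config_safe($input), LOCK_EX);
$loaded = include $path;
unlink($path);

// Round-trip check: the value comes back unchanged and the unknown key is gone.
var_dump($loaded === ['site_title' => "Bob's \\ news", 'news_per_page' => 10]);
```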


