Description - Multiple XSS and SQL Injection in aWebNews
Multiple Vulnerabilities found in aWebNews script.
- Exploit: Available
- Solution: Not available - check vendor's website
1. Multiple Cross-Site Scripting Vulnerabilities.
Vulnerable Script: visview.php
The parameters yname, emailadd, subject and comment are not properly sanitized before being output. An attacker can use them to post arbitrary HTML or script code, which is then rendered and executed in the browser of any user who views the affected page.
2. Multiple SQL Injections.
Vulnerable scripts: login.php fpass.php visview.php
The variables $user123 (login.php), $user123 (fpass.php) and $_GET['cid'] (visview.php) are not properly sanitized before being used in SQL queries. This allows an attacker to inject arbitrary SQL code into the affected queries and execute SQL of their choice within them.
Condition: magic_quotes_gpc = off. Note that magic_quotes_gpc only adds backslashes before quote characters; it does not protect a value that is interpolated into a query without surrounding quotes, so it should not be relied on as a fix.
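The following PHP is an added example illustrating both findings above, not code from aWebNews or eVuln. It reconstructs the unsafe pattern the advisory describes (a visview.php-style handler that interpolates $_GET['cid'] into SQL and echoes comment fields raw) next to a hardened version using type validation, PDO prepared statements and output encoding. The table and column names (news_comments, cid, yname, emailadd, subject, comment), the function names and the DSN are assumptions made for illustration; the same bindValue() approach applies to the $user123 lookups in login.php and fpass.php, using PDO::PARAM_STR.

```php
<?php
// Added example, not aWebNews code. Table/column names are assumptions.

// --- Unsafe pattern (do not use) -------------------------------------------
// Relies on magic_quotes_gpc. With it off, a cid such as "1 UNION SELECT ..."
// or a yname containing "<script>" passes straight through. Because $cid is
// interpolated without quotes, magic_quotes would not have helped here anyway.
function unsafe_render(mysqli $db, array $get): string {
    $cid = $get['cid'];                                    // raw, unsanitized
    $sql = "SELECT yname, subject, comment FROM news_comments WHERE cid=$cid";
    $res = $db->query($sql);                               // SQL injection
    $html = '';
    while ($row = $res->fetch_assoc()) {
        // Stored fields reflected without encoding -> stored XSS
        $html .= "<b>{$row['yname']}</b>: {$row['subject']}<br>{$row['comment']}<hr>";
    }
    return $html;
}

// --- Hardened version --------------------------------------------------------
function esc(string $s): string {
    // Encode for an HTML text context; ENT_QUOTES also covers attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function safe_render(PDO $db, array $get): string {
    // 1. Validate the type: cid is an identifier, so reject anything that is
    //    not a positive integer instead of trying to escape it. This holds
    //    regardless of the magic_quotes_gpc setting.
    $cid = filter_var($get['cid'] ?? '', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($cid === false) {
        http_response_code(400);
        return 'invalid cid';
    }

    // 2. Parameterized query: the value never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT yname, emailadd, subject, comment FROM news_comments WHERE cid = :cid'
    );
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();

    // 3. Output encoding at render time for every user-supplied field.
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= '<b>' . esc($row['yname']) . '</b> '
               . '&lt;' . esc($row['emailadd']) . '&gt;: '
               . esc($row['subject']) . '<br>'
               . nl2br(esc($row['comment'])) . '<hr>';
    }
    return $html;
}

// Posting side: validate, then bind. Escaping on input is not a substitute
// for output encoding, so store the raw text and encode when rendering.
function safe_insert(PDO $db, array $post, int $cid): bool {
    $vals = [];
    foreach (['yname', 'emailadd', 'subject', 'comment'] as $f) {
        $v = trim((string)($post[$f] ?? ''));
        if ($v === '' || strlen($v) > 4000) {
            return false;                                  // reject empty/oversized
        }
        $vals[$f] = $v;
    }
    if (!filter_var($vals['emailadd'], FILTER_VALIDATE_EMAIL)) {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO news_comments (cid, yname, emailadd, subject, comment)
         VALUES (:cid, :yname, :emailadd, :subject, :comment)'
    );
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    foreach ($vals as $f => $v) {
        $stmt->bindValue(":$f", $v, PDO::PARAM_STR);
    }
    return $stmt->execute();
}

// Usage with a hypothetical DSN. Disabling emulated prepares makes the server
// parse the statement separately from the bound values.
// $db = new PDO('mysql:host=localhost;dbname=awebnews;charset=utf8mb4', 'user', 'pass',
//               [PDO::ATTR_EMULATE_PREPARES => false,
//                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// echo safe_render($db, $_GET);
```

The hardened version fixes both classes of bug at their root: the SQL injection disappears because user input is bound as data rather than concatenated into the query text, and the cross-site scripting disappears because every stored field is encoded for the HTML context at the moment it is rendered. Turning magic_quotes_gpc on would not be an adequate substitute for either change.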
Order PHP Code Analysis
Prevent hacking by a source code audit of your site or web application done by the eVuln team. The work will be done by experts in web application security.


