Description - XSS and Multiple SQL Injection in CzarNews
Multiple Vulnerabilities found in CzarNews script.
- Exploit
- Available
- Solution
- Not available - check vendor's website
1. Cross-Site Scripting.
Vulnerable Script: news.php
Parameter email is not properly sanitized. This can be used to post arbitrary HTML or web script code.
Condition: magic_quotes_gpc = off
2. Multiple SQL Injections.
Vulnerable scripts: </p><p>cn_auth.php</p><p>news.php</p>
Parameters usern(cn_auth.php), passw(cn_auth.php), s(news.php), a(dpost.php) are not properly sanitized before being used in SQL queries. This can be used to bypass authentication or make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc = off
Order Source Code Review
Prevent attacks by source code testing of your website or web application made by eVuln team.The task will be done by experts in website security.