BBCode img XSS and SQL-inj in discussion-xhawk.net
- Last Update: 2006.03.14 Exploitation code published
- CVE: CVE-2006-1264, CVE-2006-1265
- Risk Level
- Multiple Vulnerabilities
- Status: Unpatched. No reply from developer(s)
- Vendor: xhawk.net (http://xhawk.net)
- Vulnerable Software: discussion (http://xhawk.net/projects/discussion/) 2.0 beta2
- Fixed version: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Multiple vulnerabilities were found in the discussion (http://xhawk.net/projects/discussion/) script:
1. 'img' BBCode Cross-Site Scripting Vulnerability
2. SQL Injection Vulnerability
Vulnerable script: discussion.class.php
The $view variable is used in an SQL query without being sanitized. An attacker can therefore inject arbitrary SQL code and execute any SQL query of their choosing.
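As an added illustration (not code from this advisory and not code from the discussion project, which is written in PHP), the Python sketch below reproduces the two bug classes named above in generic form, each beside a hardened version. It assumes the usual shape of such bugs: a BBCode renderer that copies the [img] URL straight into an HTML attribute, and a query that concatenates $view into SQL. The advisory gives no details of the vulnerable code, so nothing here is a reconstruction of discussion.class.php; the regular expression, the sqlite3 table layout and the sample rows are all constructed for the demo.

```python
import html
import re
import sqlite3
from urllib.parse import urlsplit

# Assumed BBCode [img]...[/img] syntax; case-insensitive, may span lines.
IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def render_img_unsafe(text: str) -> str:
    """Naive renderer (assumed pattern): the URL lands in the attribute verbatim,
    so 'javascript:' URLs and a closing quote followed by event handlers get through."""
    return IMG_RE.sub(r'<img src="\1">', text)


def render_img_safe(text: str) -> str:
    """Hardened renderer: only absolute http(s) URLs with a host are turned into
    <img>; everything else is left as escaped text. The accepted URL is
    attribute-escaped so a quote inside it cannot break out of src."""

    def repl(m: re.Match) -> str:
        url = m.group(1).strip()
        parts = urlsplit(url)
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return html.escape(m.group(0))
        return '<img src="%s">' % html.escape(url, quote=True)

    return IMG_RE.sub(repl, text)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the forum's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER);
        INSERT INTO threads VALUES (1, 'Welcome', 0), (2, 'Moderators only', 1);
        CREATE TABLE users (name TEXT, pwhash TEXT);
        INSERT INTO users VALUES ('admin', 'hash_of_admin_pw');
        """
    )
    return conn


def show_thread_unsafe(conn: sqlite3.Connection, view: str) -> list:
    """Assumed vulnerable pattern: the request parameter is pasted into the SQL.
    A value such as '0 UNION SELECT pwhash FROM users --' rewrites the query and
    comments out the hidden = 0 filter."""
    sql = "SELECT title FROM threads WHERE id = %s AND hidden = 0" % view
    return [row[0] for row in conn.execute(sql)]


def show_thread_safe(conn: sqlite3.Connection, view: str) -> list:
    """Hardened version: coerce to the expected type first, then bind the value
    as a parameter so it can never be parsed as SQL."""
    try:
        thread_id = int(view)
    except (TypeError, ValueError):
        return []
    rows = conn.execute(
        "SELECT title FROM threads WHERE id = ? AND hidden = 0", (thread_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    xss = '[img]http://example.com/a.png" onerror="alert(1)[/img]'
    print(render_img_unsafe(xss))
    print(render_img_safe(xss))
    db = make_db()
    inj = "0 UNION SELECT pwhash FROM users --"
    print(show_thread_unsafe(db, inj))
    print(show_thread_safe(db, inj))
```

The two hardened functions make the same decision in different forms: decide what the input is allowed to be (an http(s) URL, an integer) before it touches the sink, and let the output layer (attribute escaping, bound parameters) handle the rest. Rejecting instead of "cleaning" avoids the filter-evasion games that plague blacklist approaches to BBCode.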
PoC/Exploit
1. BBCode Cross-Site Scripting Example:
2. SQL Injection Example:
Solution for "BBCode img XSS and SQL-inj in discussion-xhawk.net" is not available. Check the xhawk.net website for updates.