2daybiz custom T-shirt SQL Injection and Cross Site Scripting Vulnerabilities

2010.07.13
Credit: Sangteamtham
Risk: High
Local: No
Remote: Yes
CVE: CVE-2010-2691 | CVE-2010-2692
CWE: CWE-89
CWE-79

$------------------------------------------------------------------------------------------------------------------- $ 2daybiz custom T-shirt SQL Injection and Cross Site Scripting Vulnerabilities $ Author : Sangteamtham $ Home : Hcegroup.net $ Download :http://www.2daybiz.com/customt-shirt_designscript.html $ Date :06/24/2010 $ $****************************************************************************************** $Exploit: $ $ 1.SQL injection: $ $ http://server/products_details.php?sbid=[id number] $ http://server/products/products.php?pid=[id number] $ http://server/designview.php?designid=[id number] $ $ 2.XSS $ When you login, attackers can write a review, there they insert javascript code to deface website $ or redirect website to the virus-contained website. $ $ Demo deface: $ http://www.2daybiz.com/products/tshirt/ $ $ $****************************************************************************************** $ Greetz to: All Vietnamese hackers and Hackers out there researching for more security $ $ $--------------------------------------------------------------------------------------------------------------------

References:

http://xforce.iss.net/xforce/xfdb/59791
http://www.packetstormsecurity.com/1006-exploits/2daybiztshirt-sql.txt
http://secunia.com/advisories/40362
http://osvdb.org/65827


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top