My Kazaam Notes Management System SQL Injection / Cross Site Scripting

2011.11.04
Risk: High
Local: No
Remote: Yes
CWE: CWE-89

Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title: My Kazaam Notes Management System Multiple Vulnerability
Vendor url: http://www.mykazaam.com
Version: 1
Published: 2010-07-11
Greetz to: r0073r (inj3ct0r.com), Sid3^effects, MaYur, MA1201, Sonic Bluehat, Sai, KD, M4n0j.
Special Greetz: Topsecure.net, inj3ct0r Team, Andhrahackers.com
Shoutzz: To all ICW members.

~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~

Description: Use as an order tracking system with Message confirmed, as a progress chart or an online diary. Operates with file numbers to separate entries.

~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~

Vulnerability: Enter the attack parameter on the "Enter Refernce Number Below" Text box

*SQLi Vulnerability
DEMO URL: http://server/path/notes.php[sqli]

*XSS Vulnerability
DEMO URL: http://server/path/notes.php[xss]

*HTML Vulnerability
DEMO URL: http://server/path/notes.php[html]

# 0day n0 m0re #
# L0rd CrusAd3r #

--
With R3gards,
L0rd CrusAd3r
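The three findings above share one root cause: the reference number typed into the text box reaches the SQL query unparameterised and is reflected into the page unencoded. The following is an added illustration, not the vendor's notes.php code: the vulnerable lookup pattern beside a hardened version (input validation, a bound parameter, and HTML encoding of the reflected value). The table and column names (notes, refno, body) and the sample rows are assumptions, since the advisory only names notes.php and the text box.

```php
<?php
// Added example, not the vendor's code. Table/column names are assumed.
// Constructed in-memory SQLite database standing in for the app's real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (refno TEXT, body TEXT)');
$db->exec("INSERT INTO notes VALUES ('1001', 'first note'), ('1002', 'second note')");

// Vulnerable pattern: the reference number is concatenated into the SQL
// string and the result (or the number itself) is echoed back unencoded.
// That single flaw is both the SQLi and the XSS/HTML finding in the advisory.
function lookup_vulnerable(PDO $db, string $ref): string {
    $rows = $db->query("SELECT body FROM notes WHERE refno = '$ref'")
               ->fetchAll(PDO::FETCH_COLUMN);
    return $rows ? implode("\n", $rows) : "No note for reference $ref";
}

// Hardened pattern: reject anything that is not a file number, bind the
// value as a query parameter, and HTML-encode whatever is reflected.
function lookup_hardened(PDO $db, string $ref): string {
    if (!preg_match('/^\d{1,10}$/', $ref)) {   // file numbers are numeric
        return 'Invalid reference number';
    }
    $stmt = $db->prepare('SELECT body FROM notes WHERE refno = ?');
    $stmt->execute([$ref]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    $out = $rows ? implode("\n", $rows) : "No note for reference $ref";
    return htmlspecialchars($out, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: a valid number, a quote that changes the query
// (the tautology returns every note), and markup that is reflected verbatim.
foreach (['1001', "x' OR '1'='1", '<b>1001</b>'] as $ref) {
    echo "--- input: $ref\n";
    echo "vulnerable: ", lookup_vulnerable($db, $ref), "\n";
    echo "hardened:   ", lookup_hardened($db, $ref), "\n";
}
```

Run with a php-cli build that includes pdo_sqlite; the vulnerable function returns both notes for the second input and echoes the raw markup for the third, while the hardened one rejects both and returns only the escaped note body for a well-formed number.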

References:

http://xforce.iss.net/xforce/xfdb/60254
http://www.securityfocus.com/bid/41542
http://www.exploit-db.com/exploits/14325
http://packetstormsecurity.org/1007-exploits/mykazaamnms-sqlxss.txt


Copyright 2019, cxsecurity.com