Dalogin 2.2 Cross Site Scripting / File Disclosure / SQL Injection

2011.11.09
Credit: hc0
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

dalogin 2.2 multiple vulnerabilities

app desc: Configurable WebSite. PHP + MySQL: news zone with RSS feed, private zone, languages, themes, administration panel
app source: http://dalogin.sourceforge.net/
author: hc0

[1] config file disclosure

You can fetch the config.ini file directly from [path]/admin/include/config.ini. This file contains the MySQL connection information (user, pass, host, etc.). It basically says "come here and ownz by box!!"

[2] sql injection

At line 115 the HTTP parameter id (read from $_REQUEST) is concatenated into the SQL query without any filtering.

    114 - // READ COMMENTS
    115 - $Sql="SELECT * from news_comments WHERE id_new=".$_REQUEST['id']." AND state=1";
    116 - $result_comments = mysql_query($Sql);
    117 - while ($row_comments=mysql_fetch_array($result_comments))
    118 - {
    119 -     echo '<table class="CommentTable">';
    120 -     echo '<tr>
    121 -         <td width="100px">'.strftime(DATE_TIME_FORMAT,strtotime($row_comments['date_comment'])).'
    122 -         <br /><b>'.$row_comments['user_name'].'</b>
    123 -         </td>
    124 -         <td class="CommentTableImg">
    125 -         '.$row_comments['comment'].'
    126 -         </td>
    127 -     </tr>';
    128 -     echo '</table><br />';
    129 - }

[3] xss

    181 - function InsertComment()
    182 - {
    183 -     global $link;
    184 -     $Sql="INSERT INTO news_comments (id_new,comment,date_comment,state,user_name) VALUES (".$_REQUEST['id'].",'".$_POST['comment_text']."',Now(),0,'".$_POST['comment_user']."')";
    185 -     mysql_query($Sql);
    186 -     echo '<div class="CommentAlert" style=" background-color: #c5fbcd">'.COMMENT_SENT_LABEL.'</div>';
    187 - }

You only need to post a comment that includes your XSS payload; it is saved to the database as-is and later echoed back unescaped by the comment listing above (lines 122 and 125). It's so simple :)

[4] just for fun, i'm so bored..................
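For comparison, here is how the two functions above look once the query parameters are bound and the output is escaped. This is an added example written for this page, not dalogin's own code; it assumes a PDO handle $pdo, the same news_comments table, and a plain date() format in place of the app's DATE_TIME_FORMAT constant.

```php
<?php
// Added example, not dalogin code. Assumes a PDO handle such as:
// $pdo = new PDO('mysql:host=localhost;dbname=dalogin;charset=utf8mb4', $user, $pass,
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

// Escape anything that lands inside HTML so a stored payload is rendered as inert text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Fixes [2]: id is validated as an integer and bound, never concatenated into the query.
// Fixes the output side of [3]: user_name and comment are escaped before being echoed.
function ReadComments(PDO $pdo, $id): string {
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return '';
    }
    $stmt = $pdo->prepare(
        'SELECT user_name, comment, date_comment FROM news_comments WHERE id_new = ? AND state = 1'
    );
    $stmt->execute([$id]);
    $out = '';
    foreach ($stmt as $row) {
        $out .= '<table class="CommentTable"><tr><td width="100px">'
              . h(date('Y-m-d H:i', strtotime($row['date_comment'])))   // assumed date format
              . '<br /><b>' . h($row['user_name']) . '</b></td>'
              . '<td class="CommentTableImg">' . h($row['comment']) . '</td></tr></table><br />';
    }
    return $out;
}

// Fixes the insert: every user-controlled value is bound as a parameter. The comment is
// stored raw and escaped on output, which keeps a single escaping rule for all HTML.
function InsertComment(PDO $pdo, $id, string $text, string $user): bool {
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false || $text === '' || strlen($user) > 64) {   // 64: assumed column width
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO news_comments (id_new, comment, date_comment, state, user_name) VALUES (?, ?, NOW(), 0, ?)'
    );
    return $stmt->execute([$id, $text, $user]);
}
```

For [1], none of this helps while config.ini sits under the document root: moving it outside the web root (or denying it with a web-server rule) is what removes the disclosure.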

References:

http://xforce.iss.net/xforce/xfdb/59390
http://www.securityfocus.com/bid/40810
http://www.exploit-db.com/exploits/13830/
http://secunia.com/advisories/40204
http://packetstormsecurity.org/1006-exploits/dalogin-sqlxssdisclose.txt
http://osvdb.org/65471


Copyright 2021, cxsecurity.com