Science Fair In A Box SQL Injection / Cross Site Scripting

2011-11-08 / 2011-11-09
Credit: Sid3^effects
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2010-5026 | CVE-2010-5027
CWE: CWE-89
CWE-79

Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com] Exploit Title: Science Fair In A Box SQLi & XSS Vulnerability Version:2.0.6 Price:Free Vendor url:http://www.sfiab.ca/ Published: 2010-06-09 Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue™®, S1ayer,d3c0d3r and to all ICW members ############################################################################################################################################################################################### Science Fair In A Box SQLi & XSS Vulnerability Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com] ##################################################################################################################################################################################################### Description: The "Science Fair in a Box" (SFIAB) project provides regions hosting a science fair with a complete and comprehensive package that can be used to assist in the implementation and running of the fair. The SFIAB provides a web based application to facilitate all areas of running a science fair such as online registration for the participants, judges, sponsor management, judge scheduling and awards management. The SFIAB is implemented using open-source tools wherever possible, creating a truly open and customizable product that fairs can modify to suit their needs. However, SFIAB contain enough configuration options to allow fairs to use the system without any modifications to the underlying codebase. SFIAB is developed using PHP, with MySQL as the backend database. Other database backends could be supported in the future. All reports are created in print-ready PDF format to ensure cross-platform compatibility where applicable and also available to export as a CSV to external applications. All text in SFIAB is internationalized to allow the use of the system in any language. 'Language Packs' will be available in other language once translations are complete. (If you'd like to assist in translation, contact us!) SFIAB is the most advanced, most comprehensive Science Fair Software in the world, and is used by many science fairs spread across many different countries! ####################################################################################################################################################################################################### Vulnerability: *SQLi Vulnerability DEMO URL :http://www.sfiab.ca/sfiab/winners.php?year=2008&type=Special' *XSS Vulnerability DEMO URL :http://www.sfiab.ca/sfiab/winners.php?year=2008&type=Special [xss] ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- # 0day n0 m0re # -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

References:

http://xforce.iss.net/xforce/xfdb/59283
http://www.securityfocus.com/bid/40743
http://www.osvdb.org/65419
http://www.exploit-db.com/exploits/13801
http://secunia.com/advisories/40170
http://packetstormsecurity.org/1006-exploits/fairinabox-sqlxss.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top