BookNux 0.2 Cross Site Scripting / SQL Injection

2012.07.10
Credit: Jean Pascal Pereira
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79

################################################# BookNux 0.2 <= Multiple Vulnerabilities ################################################# Discovered by: Jean Pascal Pereira <pereira@secbiz.de> Vendor information: "This is an online bookmark manager. It's allow several user, share bookmark (private or public). It's use php and mysql." Vendor URI: http://developer.berlios.de/projects/booknux/ ################################################# Issues: SQL Injection, Cross Site Scripting Risk-level: High ------------------------------------- 1. SQL Injection: cat.php, line 70: $lnsql="SELECT NCategorie, LibCategorie, PriveCategorie, NCategorieMereCategorieX FROM categorie WHERE IdUtilisateurCategorieX='$idutilisateur' AND NCategorie=".$_GET['CatMere']; cat.php, line 75: $lnsql="SELECT NCategorie,LibCategorie,NCategorieMereCategorieX, PriveCategorie FROM categorie WHERE IdUtilisateurCategorieX='$idutilisateur' AND NCategorieMereCategorieX=".$_GET['CatMere']." ORDER BY LibCategorie"; cat.php, line 92: $lnsql="SELECT LibCategorie, NCategorieMereCategorieX, PriveCategorie FROM categorie WHERE IdUtilisateurCategorieX='$idutilisateur' AND NCategorie=".$_GET['NCat']; cat.php, line 117: $lnsql="SELECT NCategorie, LibCategorie FROM categorie WHERE IdUtilisateurCategorieX='$idutilisateur' AND NCategorie<>".$_GET['NCat']; compte.php, line 152: $lnsql="SELECT PseudoUtilisateur, MotDePasseUtilisateur, IdUtilisateur FROM utilisateur WHERE IdUtilisateur='".$_GET['Compte']."'"; liens.php, line 108: $lnsql="SELECT NLiens,LibLiens, UrlLiens, IdCategorieLiensX, CommentaireLiens, PriveLiens, LibCategorie, LangueLiens FROM liens, categorie WHERE IdCategorieLiensX=NCategorie AND NLiens=".$_GET['NLiens']; liens.php, line 110: $lnsql="SELECT NLiens,LibLiens, UrlLiens, IdCategorieLiensX, CommentaireLiens, PriveLiens, LibCategorie, LangueLiens FROM liens, categorie WHERE IdCategorieLiensX=NCategorie AND NLiens=".$_GET['NLiens']." AND IdUtilisateurLiensX='$utilisateurcourant'"; ouvrir.php, line 23: $lnsql="SELECT NLiens, UrlLiens FROM liens WHERE NLiens=".$_GET['NLiens']." AND IdUtilisateurLiensX='$utilisateurcourant'"; ouvrir.php, line 25: $lnsql="SELECT NLiens, UrlLiens FROM liens WHERE NLiens=".$_GET['NLiens']." AND PriveLiens='N'"; ------------------------------------- 2. Cross Site Scripting: cat.php, line 96: echo("<input type=\"hidden\" name=\"Act\" value=\"".$_GET['Act']."\">"); cat.php, line 102: echo("<input type=\"hidden\" name=\"CatMere\" value=\"".$_GET['CatMere']."\">"); cat.php, line 205: echo("<input type=\"hidden\" name=\"ncat\" value=\"".$_GET['NCat']."\">"); liens.php, line 80: echo("<input type=\"hidden\" name=\"Methode\" value=\"".$_GET['Methode']."\">"); liens.php, line 86: echo("<tr><td>".$texte['LibLiens']."</td><td><input name=\"libliens\" value=\"".utf8_encode(stripslashes($_GET['Lib']))."\"></td></tr>"); liens.php, line 91: echo("<tr><td>".$texte['UrlLiens']."</td><td><input name=\"urlliens\" value=\"".$_GET['Url']."\"></td></tr>"); liens.php, line 119: echo("<input type=\"hidden\" name=\"nliens\" value=\"".$_GET['NLiens']."\">"); parcourir.php, line 28: <input name="recherche" value="<?if(isset($_GET['recherche'])){echo(stripslashes($_GET['recherche']));}?>"> proposerliens.php, line 39: echo("<input type=\"hidden\" name=\"idcatliens\" value=\"".$_GET['NCat']."\">"); ------------------------------------- Solution: Do some input validation. ------------------------------------- #################################################

References:

http://developer.berlios.de/projects/booknux/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top