Bugtraq mailing list archives
Multiple vulnerabilities in chCounter <= 3.1.3
From: Soporte CERT <soporte () cert unlp edu ar>
Date: Thu, 18 Nov 2010 10:19:06 -0300
Multiple vulnerabilities were found in the web application chCounter <= 3.1.3.

Author:
- Matias Fontanini (mfontanini () cert unlp edu ar).

Requirements:
- Downloads must be enabled (this is not the default).
- magic_quotes off.
- Access to the administration site.

=SQLInjection=

Location: administration/index.php?cat=downloads&edit=
Affected parameters: anzahl
Method: POST
Severity: High

Description: When accessing administration/index.php?cat=downloads&edit=VALID_ID and using a valid download id, an attacker is able to manipulate the "anzahl" parameter to perform queries which only involve returning an integer. The query output will be sent back to the client in the "anzahl" text input.

Exploit: An attacker could perform repeated crafted requests to retrieve any database records to which the user has access.

Proof of concept: see attached file "chcounter.py"

=XSS=

Location: administration/index.php?cat=downloads&edit=
Affected parameters: anzahl and wert
Method: POST
Severity: Low

Description: When accessing administration/index.php?cat=downloads&edit=VALID_ID and using a valid download id, an attacker is able to insert HTML tags in the "wert" parameter. Once the attacker has done that, manipulating the "anzahl" parameter so that the resulting SQL query is malformed will result in the injected code being parsed by the web browser.

Proof of concept: use parameter wert=<script>alert(1);</script>. After that, use anzahl=XXX
Attachment:
chcounter.py
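
One way the two affected parameters could be handled safely, as an added example that is not chCounter's code and not part of the original advisory: the download id and "anzahl" are validated as integers and bound as query parameters, and "wert" is HTML-encoded wherever it is written back to the page. The table layout, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed schema standing in for the downloads table; in-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE downloads (id INTEGER PRIMARY KEY, wert TEXT, anzahl INTEGER)');
$db->exec("INSERT INTO downloads (id, wert, anzahl) VALUES (1, 'file.zip', 10)");

/** Apply an edit; returns null on success or a fixed error string (input is never echoed). */
function update_download(PDO $db, array $get, array $post): ?string
{
    // The id and the counter must be plain non-negative integers before they go near SQL.
    $opts   = ['options' => ['min_range' => 0]];
    $id     = filter_var($get['edit'] ?? null, FILTER_VALIDATE_INT, $opts);
    $anzahl = filter_var($post['anzahl'] ?? null, FILTER_VALIDATE_INT, $opts);
    $wert   = $post['wert'] ?? null;
    if ($id === false || $anzahl === false || !is_string($wert) || $wert === '') {
        return 'invalid input';
    }
    // Bound parameters: values travel as data and are never spliced into the statement.
    $stmt = $db->prepare('UPDATE downloads SET wert = :wert, anzahl = :anzahl WHERE id = :id');
    $stmt->execute([':wert' => $wert, ':anzahl' => $anzahl, ':id' => $id]);
    return null;
}

/** Render the two form fields with every stored value HTML-encoded. */
function render_fields(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT wert, anzahl FROM downloads WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    $enc = fn($v): string => htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="wert" value="' . $enc($row['wert']) . '">'
         . '<input name="anzahl" value="' . $enc($row['anzahl']) . '">';
}

// Constructed requests using the values quoted in the advisory.
$script = '<script>alert(1);</script>';
var_dump(update_download($db, ['edit' => '1'], ['wert' => $script, 'anzahl' => 'XXX']));
var_dump(update_download($db, ['edit' => '1'], ['wert' => $script, 'anzahl' => '11']));
echo render_fields($db, 1), "\n";
```

The first request is rejected with a fixed message before any SQL runs, so no malformed query and no reflected input occur; the second is stored as data and comes back entity-encoded in the form.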