Re: [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05)

[<deluxe () security-project org>]

In-Reply-To: <200505172151.j4HLpThM004829 () linus mitre org>

> > Cross Site Scripting:
> > -------------------------
> > You can abuse the SQL-Injections for XSS attacks.
>
> Does this occur because the XSS-style attacks are being injected into
> SQL queries, which then generate errors because the queries are
> malformed, and then PHP blindly reflects the malformed query back to
> the user without quoting XSS-relevant characters?  That would seem to
> be more of a problem with the application's runtime environment
> (i.e. PHP) than JGS-Portal itself.

Try the following link:
/jgs_portal_statistik.php?meinaction=mitglieder&month=1&year=1&lt;script&gt;alert(document.cookie);&lt;/script&gt;

JGS-Portal doesn't report an error and the year parameter is passed unfiltered. This is definitively the problem of 
JGS-Portal.


If a SQL-error occurs and the error message contains Cross Site Scripting code, than you're completely right.


Regards,
deluxe