All Enthusiast PhotoPost Classifieds Multiple Input Validation Vulnerabilities
BID:12156
Info
All Enthusiast PhotoPost Classifieds Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 12156 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 03 2005 12:00AM |
| Updated: | Jan 03 2005 12:00AM |
| Credit: | Discovery is credited to James Bercegay of the GulfTech Security Research Team. |
| Vulnerable: |
All Enthusiast Inc PhotoPost Classifieds 2.0 |
| Not Vulnerable: | |
Discussion
All Enthusiast PhotoPost Classifieds Multiple Input Validation Vulnerabilities
PhotoPost Classifieds is reported to be prone to multiple vulnerabilities resulting from improper input validation. Remote attacks can carry out SQL injection, cross-site scripting attacks as well as upload arbitrary files to a vulnerable server.
All versions of PhotoPost Classifieds are reported prone to these issues.
PhotoPost Classifieds is reported to be prone to multiple vulnerabilities resulting from improper input validation. Remote attacks can carry out SQL injection, cross-site scripting attacks as well as upload arbitrary files to a vulnerable server.
All versions of PhotoPost Classifieds are reported prone to these issues.
Exploit / POC
All Enthusiast PhotoPost Classifieds Multiple Input Validation Vulnerabilities
An exploit is not required.
The following proof of concept examples are available:
http://www.example.com/showcat.php?si=[XSS]
http://www.example.com/reportproduct.php?report=[XSS]
http://www.example.com/contact.php?contact=[INT]&productid=[INT][XSS]
http://www.example.com/showproduct.php?product=[INT][SQL]
http://www.example.com/contact.php?contact=[INT]&productid=[INT][SQL]
http://www.example.com/addfav.php?product=[INT][SQL]&do=add
http://www.example.com/showproduct.php?product=[INT]&sort=[INT][SQL]&cat=[INT]
http://www.example.com/showcat.php?cat=[INT][SQL]
http://www.example.com/index.php?cat=[INT][SQL]
http://www.example.com/comments.php?product=[INT]&cedit=[INT][SQL]
An exploit is not required.
The following proof of concept examples are available:
http://www.example.com/showcat.php?si=[XSS]
http://www.example.com/reportproduct.php?report=[XSS]
http://www.example.com/contact.php?contact=[INT]&productid=[INT][XSS]
http://www.example.com/showproduct.php?product=[INT][SQL]
http://www.example.com/contact.php?contact=[INT]&productid=[INT][SQL]
http://www.example.com/addfav.php?product=[INT][SQL]&do=add
http://www.example.com/showproduct.php?product=[INT]&sort=[INT][SQL]&cat=[INT]
http://www.example.com/showcat.php?cat=[INT][SQL]
http://www.example.com/index.php?cat=[INT][SQL]
http://www.example.com/comments.php?product=[INT]&cedit=[INT][SQL]
Solution / Fix
All Enthusiast PhotoPost Classifieds Multiple Input Validation Vulnerabilities
Solution:
It is reported that PhotoPost Classifieds 2.02 has been released to address these issues. Please contact the vendor for more information and to obtain the fixed version.
Solution:
It is reported that PhotoPost Classifieds 2.02 has been released to address these issues. Please contact the vendor for more information and to obtain the fixed version.
References
All Enthusiast PhotoPost Classifieds Multiple Input Validation Vulnerabilities
References:
References:
- PhotoPost Classifieds Product Page (All Enthusiast Inc)