QwicsitePro 'pageid' Parameter SQL Injection and Cross-Site Scripting Vulnerabilities
BID: 31016
Info
| Bugtraq ID: | 31016 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 04 2008 12:00AM |
| Updated: | Sep 04 2008 07:54PM |
| Credit: | Cr@zy_King a.k.a t4cs1zkr4L |
| Vulnerable: | Worknet Solutions QwiksitePro 0 |
| Not Vulnerable: | |
Discussion
QwicsitePro is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
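The advisory names the root cause (the 'pageid' parameter reaches both a database query and the HTML response without validation) but shows no code. The following is an added illustration, not code from QwicsitePro or Worknet Solutions: a constructed page handler with both defects beside a hardened version that validates the parameter as an integer, binds it as a query parameter, and HTML-encodes everything written into the response. The table name, columns and sample rows are assumptions; the real application's language and schema are not given in the advisory.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a CMS 'pages' table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Home", "Welcome"), (2, "About", "About us"), (3, "Private", "Internal notes")],
    )
    return conn


def render_page_vulnerable(conn, pageid):
    """Both flaw classes from the advisory in one handler: the raw parameter is
    concatenated into the SQL statement (SQL injection), and on a database error
    it is echoed back into the HTML without encoding (reflected XSS)."""
    try:
        rows = conn.execute("SELECT title, body FROM pages WHERE id = " + pageid).fetchall()
    except sqlite3.Error:
        return "<p>Bad page id: " + pageid + "</p>"
    if not rows:
        return "<p>No page with id " + pageid + "</p>"
    return "".join("<h1>%s</h1><p>%s</p>" % (t, b) for t, b in rows)


def render_page_hardened(conn, pageid):
    """Validate the type before touching the database, bind the value instead of
    splicing it into the statement, and encode every value written into HTML."""
    # str.isdigit() rejects spaces, quotes, signs and SQL tokens outright.
    if not (isinstance(pageid, str) and pageid.isdigit()):
        raise ValueError("pageid must be a positive integer")
    rows = conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (int(pageid),)
    ).fetchall()
    if not rows:
        # Even a validated value is encoded: output encoding is not conditional.
        return "<p>No page with id %s</p>" % html.escape(pageid)
    return "".join(
        "<h1>%s</h1><p>%s</p>" % (html.escape(t), html.escape(b)) for t, b in rows
    )


def hardened_rejects(conn, pageid):
    """True when the hardened handler refuses the input before any query runs."""
    try:
        render_page_hardened(conn, pageid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "1 OR 1=1", "<b>x"):
        print("vulnerable:", repr(value), "->", render_page_vulnerable(db, value))
        print("hardened:  ", repr(value), "->",
              "rejected" if hardened_rejects(db, value) else render_page_hardened(db, value))
```

The hardened handler makes the two fixes independent: the integer check stops the query-shaping input, the bound parameter would stop it even if the check were removed, and `html.escape` protects the response regardless of what reached the query layer. That layering is what a vendor patch for this class of issue needs to contain; an input filter on its own addresses only the first layer.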
Exploit / POC
An attacker can exploit these issues with a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting user to follow a malicious URI.
The following example URIs are available:
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- QwicsitePro Homepage (Worknet Solutions)