PHPDomainRegister Multiple Cross Site Scripting and SQL Injection Vulnerabilities

Bugtraq ID:	51425
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 16 2012 12:00AM
Updated:	Jan 16 2012 12:00AM
Credit:	Or4nG.M4N
Vulnerable:	PHPDomainRegister PHPDomainRegister 0.4a-RC2-dev
Not Vulnerable:

PHPDomainRegister Multiple Cross Site Scripting and SQL Injection Vulnerabilities

PHPDomainRegister is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHPDomainRegister 0.4a-RC2-dev is vulnerable; prior versions may also be affected.

PHPDomainRegister Multiple Cross Site Scripting and SQL Injection Vulnerabilities

Attackers can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.

The following example URIs and data are available:

Cross-site scripting:

http://www.example.com/index.php?usetype=domainauswahl&pid=%[xss]%&use=Details
http://www.example.com/admin/index.php?show=showPacket&pid=%[xss]% Sql to xss to get cookie
http://www.example.com/admin/index.php?show=domains&do=delFirmadomains&domain=[xss]

SQL-injection

login as = > admin ' or 1=1 #

• /data/vulnerabilities/exploits/51130.txt

PHPDomainRegister Multiple Cross Site Scripting and SQL Injection Vulnerabilities

Solution:
Updates are available. Please see the references for more details.

PHPDomainRegister Multiple Cross Site Scripting and SQL Injection Vulnerabilities

References:

• phpDomainRegister Homepage (phpDomainRegister)