11in1 Cross Site Request Forgery and Local File Include Vulnerabilities
BID:52025
Info
11in1 Cross Site Request Forgery and Local File Include Vulnerabilities
| Bugtraq ID: | 52025 |
| Class: | Input Validation Error |
| CVE: |
CVE-2012-0996 CVE-2012-0997 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 15 2012 12:00AM |
| Updated: | Feb 15 2012 12:00AM |
| Credit: | High-Tech Bridge SA Security Research Lab |
| Vulnerable: |
11in1 11in1 1.2.1 |
| Not Vulnerable: | |
Discussion
11in1 Cross Site Request Forgery and Local File Include Vulnerabilities
11in1 is prone to a cross-site request-forgery and a local file include vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the affected application.
11in1 1.2.1 is vulnerable; other versions may also be affected.
11in1 is prone to a cross-site request-forgery and a local file include vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the affected application.
11in1 1.2.1 is vulnerable; other versions may also be affected.
Exploit / POC
11in1 Cross Site Request Forgery and Local File Include Vulnerabilities
An attacker can exploit these issues through a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.
The following example input and URIs are available:
An attacker can exploit these issues through a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.
The following example input and URIs are available:
Solution / Fix
11in1 Cross Site Request Forgery and Local File Include Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
11in1 Cross Site Request Forgery and Local File Include Vulnerabilities
References:
References: