NConf Multiple Cross Site Scripting and SQL Injection Vulnerabilities
| Field | Value |
|---|---|
| Bugtraq ID: | 58295 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 04 2013 12:00AM |
| Updated: | Mar 04 2013 12:00AM |
| Credit: | Saadat Ullah |
| Vulnerable: | NConf NConf 1.3 |
| Not Vulnerable: | |
Discussion
NConf is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.
NConf 1.3 is vulnerable; other versions may also be affected.
Exploit / POC
An attacker can use a browser to exploit these issues. To exploit the cross-site scripting issue, an attacker must trick an unsuspecting victim into following a malicious URI.
The following example URI is available:
http://www.example.com/nconf/handle_item.php?item=<script>alert('Hi');</script>
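As an added, defender-side example that is not part of the advisory: a Python scan over constructed web-server access-log lines that decodes the query parameters of handle_item.php and flags values carrying script markup or SQL metacharacter sequences, so attempts like the example URI above can be spotted in logs. The sample log lines, the signature patterns and the TARGET_SCRIPT constant are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2013:10:01:02 +0000] "GET /nconf/handle_item.php?item=host1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Mar/2013:10:02:17 +0000] "GET /nconf/handle_item.php?item=%3Cscript%3Ealert%28%27Hi%27%29%3B%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Mar/2013:10:02:40 +0000] "GET /nconf/handle_item.php?item=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Mar/2013:10:03:00 +0000] "GET /nconf/index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

TARGET_SCRIPT = "/handle_item.php"  # endpoint named in the advisory's example URI (assumed path suffix)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Signatures are applied to the fully decoded parameter value, never to the raw URI,
# so percent-encoded payloads are matched the way the application would see them.
XSS_RE = re.compile(r"<\s*/?\s*(?:script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I)
SQLI_RE = re.compile(r"""['"]\s*(?:or|and)\s+|--|;\s*(?:drop|select|union)\b|\bunion\s+select\b""", re.I)

def classify_request(path):
    """Return [(param, kind), ...] for one request path; empty when nothing matches."""
    parts = urlsplit(path)
    if not parts.path.endswith(TARGET_SCRIPT):
        return []
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            value = unquote_plus(raw)  # second decode pass catches double-encoded values
            if XSS_RE.search(value):
                findings.append((name, "xss"))
            if SQLI_RE.search(value):
                findings.append((name, "sqli"))
    return findings

def scan_log(text):
    """Parse each log line and collect findings together with source IP and timestamp."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line; skipped rather than raising
        for param, kind in classify_request(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "param": param, "kind": kind})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['kind'].upper()} attempt via parameter '{hit['param']}'")
```

Running the block reports the two constructed malicious requests and stays silent on the benign ones; the patterns are deliberately narrow and should be tuned against real traffic before use as an alert source.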
Solution / Fix
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
- NConf - Enterprise Nagios configurator (SourceForge)
- Nconf HomePage (Nconf)