Web Cookbook Multiple Cross Site Scripting and SQL Injection Vulnerabilities

Bugtraq ID:	58441
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 12 2013 12:00AM
Updated:	Mar 12 2013 12:00AM
Credit:	Saadat Ullah
Vulnerable:
Not Vulnerable:

Web Cookbook Multiple Cross Site Scripting and SQL Injection Vulnerabilities

Web Cookbook is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.

Web Cookbook Multiple Cross Site Scripting and SQL Injection Vulnerabilities

An attacker can use a browser to exploit these issues. An attacker must trick a victim into following a malicious URI to exploit cross-site scripting issue.

The following example URIs are available:

http://www.example.com/cook/searchrecipe.php?sstring=[SQLi]
http://www.example.com/cook/showtext.php?mode=[SQLi]
http://www.example.com/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&
http://www.example.com/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=

Web Cookbook Multiple Cross Site Scripting and SQL Injection Vulnerabilities

Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Web Cookbook Multiple Cross Site Scripting and SQL Injection Vulnerabilities

References: