Sphider 'admin.php' Multiple Input Validation Vulnerabilities
BID:68985
Info
| Field | Value |
|---|---|
| Bugtraq ID: | 68985 |
| Class: | Input Validation Error |
| CVE: | CVE-2014-5192, CVE-2014-5193, CVE-2014-5194 |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 28 2014 12:00AM |
| Updated: | Aug 11 2014 12:03AM |
| Credit: | Mike Manzotti |
| Vulnerable: | |
| Not Vulnerable: | |
Discussion
Sphider is prone to a cross-site scripting vulnerability, an SQL injection vulnerability, and a PHP code-injection vulnerability because it fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to inject and execute arbitrary PHP code, run malicious HTML and script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Sphider 1.3.6 is vulnerable; other versions may be affected.
Exploit / POC
An attacker can exploit these issues through a browser. To exploit the cross-site scripting issue, an attacker must trick an unsuspecting victim into following a malicious URI.
The following proof-of-concept is available:
Solution / Fix
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
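With no vendor patch available at the time of the advisory, one compensating control is to review web-server access logs for requests to 'admin.php' that carry markup, SQL metacharacters or PHP tags, matching the three issue classes described above. The following Python log scanner is an added example, not part of this advisory or of Sphider; the log lines, IP addresses and query-parameter names in it are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format access log lines. The hosts, addresses
# and query-parameter names are invented for this example; only the
# 'admin.php' endpoint comes from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jul/2014:10:01:02 +0000] "GET /sphider/admin/admin.php?page=settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jul/2014:10:01:09 +0000] "GET /sphider/admin/admin.php?page=settings&title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5188 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Jul/2014:10:02:15 +0000] "GET /sphider/admin/admin.php?page=sites&category=1%27+OR+%271%27%3D%271 HTTP/1.1" 200 6002 "-" "curl/7.30"
198.51.100.4 - - [28/Jul/2014:10:02:40 +0000] "POST /sphider/admin/admin.php?page=settings&value=%3C%3Fphp+phpinfo()%3B+%3F%3E HTTP/1.1" 302 0 "-" "curl/7.30"
192.0.2.9 - - [28/Jul/2014:10:03:00 +0000] "GET /sphider/search.php?query=sphider HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One coarse indicator per vulnerability class named in the advisory.
INDICATORS = {
    "xss": re.compile(r"<\s*/?\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I),
    "sqli": re.compile(r"'\s*(or|and)\b|\bunion\b.+\bselect\b|--\s*$|/\*|;\s*(drop|insert|update)\b", re.I),
    "php_injection": re.compile(r"<\?(php|=)|\b(eval|system|passthru|shell_exec)\s*\(", re.I),
}


def classify(target):
    """Return the indicator classes matched by a request target, if it is admin.php."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "admin.php":
        return []
    # Decode twice so double-encoded probes are still inspected.
    decoded = unquote_plus(unquote_plus(parts.query))
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(text):
    """Yield (client ip, method, matched classes) for suspicious admin.php requests.

    Only the URL is inspected: POST bodies are not in the access log, so body-borne
    probes need application-level logging or a WAF to be seen."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kinds = classify(m["target"])
        if kinds:
            hits.append((m["ip"], m["method"], kinds))
    return hits


if __name__ == "__main__":
    for ip, method, kinds in scan_log(SAMPLE_LOG):
        print(ip, method, ",".join(kinds))
```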