• info
• discussion
• exploit
• solution
• references

Xt-News Multiple Input Validation Vulnerabilities

An attacker can exploit the cross-site scripting issues by enticing an unsuspecting user to follow a malicious URI. An attacker can exploit the SQL-injection issue through a web-client.

The following proof-of-concept URIs are available:

http://www.example.com/show_news.php?id_news=[SQL INJECTION]
http://www.example.com/add_comment.php?id_news=[XSS]
http://www.example.com/show_news.php?id_news=[XSS]