Multiple vulnerabilities in chCounter <= 3.1.3 Nov 18 2010
Re: Multiple vulnerabilities in chCounter <= 3.1.3 Apr 06 2011 01:08AM
security curmudgeon:

: Multiple vulnerabilities were found in web application chCounter <= 3.1.3.
: Author:
: - Matias Fontanini (mfontanini (at) cert.unlp.edu (dot) ar).
: Requirements:
: - Downloads must be enabled (this is not default).
: - magic_quotes off.
: - Access to administration site

That is a lot of prerequisites..

: =SQLInjection=
: Location: administration/index.php?cat=downloads&edit=
: Affected parameters: anzahl
: Method: POST
: Severity: High
: Description: When accessing
: administration/index.php?cat=downloads&edit=VALID_ID
: and using a valid download id, an attacker is able to manipulate the
: "anzahl" parameter to perform queries which only involve returning an integer.
: The query output will be sent back to the client in the "anzahl" text input.
: Exploit: An attacker could perform repeated crafted requests to retrieve
: any database records for which the user has access.

"retrieve any database record for which the user has access"

This does not sound like it is crossing any privilege boundaries then. Can
you elaborate on how this is a vulnerability versus a clever / unintended
method for accessing the information? Could you then justify giving this a
"High" severity, especially after the requirements you list?

