AnnonceScriptHP Multiple Input Validation Vulnerabilities

To exploit a cross-site scripting issue:

An attacker can exploit this issue by enticing an unsuspecting user into following a malicious URI.

The following proof-of-concept URIs are available:
http://www.example.com/[script_annonce_path]/erreurinscription.php?email=[XSS]
http://www.example.com/[script_annonce_path]/Templates/admin.dwt.php?email=[XSS]
http://www.example.com/[script_annonce_path]/Templates/commun.dwt.php?email=[XSS]
http://www.example.com/[script_annonce_path]/Templates/membre.dwt.php?email=[XSS]
http://www.example.com/[script_annonce_path]/admin/admin_config/Aide.php?email=[XSS]


To exploit an SQL-injection issue:

An attacker can exploit these issues via a web client.

The following proof-of-concept URIs are available:
http://www.example.com/[script_annonce_path]/email.php?id=[SQL INJECTION]
http://www.example.com/[script_annonce_path]/voirannonce.php?no=[SQL INJECTION]
http://www.example.com/[script_annonce_path]/admin/admin_membre/fiche_membre.php?idmembre=[SQL INJECTION]
http://www.example.com/[script_annonce_path]/admin/admin_annonce/okvalannonce.php?idannonce=[SQL INJECTION]
http://www.example.com/[script_annonce_path]/admin/admin_annonce/changeannonce.php?idannonce=[SQL INJECTION]
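
For defenders reviewing web server logs, the following added example (not part of the original advisory or of AnnonceScriptHP) flags requests to the scripts listed above whose affected parameter carries markup characters or a non-integer value. It assumes combined-format access logs and that the record identifiers are plain integers; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script path suffix -> (issue class, parameter), copied from the advisory's URI lists.
ENDPOINTS = {
    "/erreurinscription.php": ("xss", "email"),
    "/Templates/admin.dwt.php": ("xss", "email"),
    "/Templates/commun.dwt.php": ("xss", "email"),
    "/Templates/membre.dwt.php": ("xss", "email"),
    "/admin/admin_config/Aide.php": ("xss", "email"),
    "/email.php": ("sqli", "id"),
    "/voirannonce.php": ("sqli", "no"),
    "/admin/admin_membre/fiche_membre.php": ("sqli", "idmembre"),
    "/admin/admin_annonce/okvalannonce.php": ("sqli", "idannonce"),
    "/admin/admin_annonce/changeannonce.php": ("sqli", "idannonce"),
}

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP = re.compile(r"[<>\"']")   # never valid in an e-mail value
INTEGER = re.compile(r"\d+")      # assumption: record ids are plain integers

def suspicious(kind, value):
    """Markup in an e-mail parameter, or a non-integer record id."""
    if kind == "xss":
        return MARKUP.search(value) is not None
    return INTEGER.fullmatch(value) is None

def classify(line):
    """Return (issue class, script, parameter) findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for suffix, (kind, param) in ENDPOINTS.items():
        if url.path.endswith(suffix):
            findings += [(kind, suffix, param)
                         for v in query.get(param, []) if suspicious(kind, v)]
    return findings

# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2010:10:00:00 +0000] "GET /annonces/voirannonce.php?no=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2010:10:00:05 +0000] "GET /annonces/voirannonce.php?no=42%27 HTTP/1.1" 200 310',
    '203.0.113.9 - - [01/Jan/2010:10:00:09 +0000] "GET /annonces/erreurinscription.php?email=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 900',
    '203.0.113.7 - - [01/Jan/2010:10:00:12 +0000] "GET /annonces/erreurinscription.php?email=user%40example.com HTTP/1.1" 200 880',
]
```

Calling `classify` on each line of a log yields an empty list for ordinary requests and one tuple per suspicious parameter value otherwise.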


 

Copyright 2010, SecurityFocus