• info
• discussion
• exploit
• solution
• references

News Script PHP Multiple Cross Site Scripting and SQL Injection Vulnerabilities

An attacker can exploit these issues through a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.

The following example URIs are available:

http://www.example.com/news/preview.php?id=[SQL-INJECTION]
http://www.example.com/news/preview.php?p=[SQL-INJECTION]
http://www.example.com/news/admin.php?act=news&orderType=[ASC/DESC]&search=&orderBy=[SQL-INJECTION]
http://www.example.com/news/preview.php?id=`14&p=`&search=[CROSS SITE SCRIPTING]
http://www.example.com/news/admin.php?act=news&orderType=`[CROSS SITE SCRIPTING]
http://www.example.com/news/admin.php?act=news&orderType=[CROSS SITE SCRIPTING]]&search=&orderBy=[CROSS SITE SCRIPTING]
http://www.example.com/news/preview.php?act=news&orderType=[CROSS SITE SCRIPTING]