Virtual War v1.5.0 SQL injection and XSS

2006-08-21 / 2006-08-22

Credit: vampire_chiristof

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2006-4225 | CVE-2006-4224

CWE: CWE-89

Virtual War v1.5.0 SQL injection and XSS
http://[host]/vwar/war.php?s=[SQL]
http://[host]/vwar/war.php?page=[SQL]or[xss]
http://[host]/vwar/war.php?showgame=[SQL]
http://[host]/vwar/war.php?sortby=[sql]
http://[host]/vwar/war.php?sortorder=[sql]
http://host]/vwar/calendar.php?year=[xss]
vendor: www.vwar.de
google:"Powered by: Virtual War v1.5.0"
Discovered by Vampire
Connect Me : Vampire_chiristof (at) yahoo (dot) com [email concealed]

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Virtual War v1.5.0 SQL injection and XSS

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.