SecurityReason.com - SecurityAlert Database
Xigla Multiple Products - Multiple Vulnerabilities


SecurityAlert : 3950
CVE : CVE-2008-2756
CVE : CVE-2008-2757
CVE : CVE-2008-2758
CVE : CVE-2008-2759
CVE : CVE-2008-2760
CVE : CVE-2008-2761
CVE : CVE-2008-2762
CVE : CVE-2008-2763
CVE : CVE-2008-2764
CVE : CVE-2008-2765
CVE : CVE-2008-2766
CVE : CVE-2008-2767
CVE : CVE-2008-2768
CWE : CWE-79
CWE : CWE-89
CWE : CWE-79
CWE : CWE-79
CWE : CWE-89
CWE : CWE-79
CWE : CWE-89
CWE : CWE-89
CWE : CWE-79
CWE : CWE-89
CWE : CWE-79
CWE : CWE-89
CWE : CWE-79
SecurityRisk : High
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : Yes
Exploit Available : Yes
Credit : AmnPardaz
Published : 22.06.2008

Affected Software : XIGLA, Absolute_control_panel_xe, 1.0



Advisory Content :


###########################################################################
# www.BugReport.ir
#
# AmnPardaz Security Research Team
#
# Title: Xigla Multiple Products - Multiple Vulnerabilities
# Vendor: http://www.xigla.com/
# Exploit: N/A
# Impact: Medium
# Fix: N/A
# Original Advisory: http://bugreport.ir/index.php?/41
###########################################################################


####################
1. Description:
####################

Xigla sells several web based products, from content management systems to
live help solutions, for enhancing web sites.

1.1. Absolute Live Support XE: Absolute Live Support is live customer support
software for your web site that enables visitors to communicate instantaneously
with your customer service personnel.

1.2. Absolute News Manager XE: Absolute News Manager is a powerful web site
news and article content management system.

1.3. Absolute Banner Manager XE: Absolute Banner Manager is the most complete,
robust and easy to use web based banner management and ad tracking software.

1.4. Absolute Form Processor XE: The Absolute Form Processor is a powerful tool
for processing your web based HTML forms. You don't have to waste time
developing server code, validation rules, form mailers or autoresponders for
your web forms; this application does all this for you.

1.5. Absolute Image Gallery XE: The complete and powerful media gallery
software that makes creating and maintaining images and multimedia galleries a
snap. The code resides on your web server and searches your web site for new
images and files to add to your gallery.

1.6. Absolute Poll Manager XE: Absolute Poll Manager is a complete and
easy-to-use survey software for dynamically adding polls and surveys to your
site while creating interest among your site visitors and gathering valuable
information about what they think.

1.7. Absolute Control Panel XE: Absolute Control Panel is a web based
interfacing system specially designed to provide centralized access to your web
based applications and Xigla application modules. It has been developed as a
practical access point to our web based suite of solutions on your web sites.

####################
2. Vulnerabilities:
####################
2.1. Absolute Live Support XE (ASP version 5.1) (admin)
2.1.1. SQL Injection in "search.asp" by "orderby" parameter.
POC:
http://[URL]/xlaabsolutels/search.asp?orderby=[SQL INJECTION]

2.1.2. XSS in "search.asp" (all fields are vulnerable).
POC:
http://[URL]/xlaabsolutels/admin/search.asp

2.2. Absolute News Manager XE (ASP version 3.2) (admin)
2.2.1. SQL Injection in "search.asp".
POC:
http://[URL]/xlaabsolutenm/search.asp?orderby=[SQL INJECTION]

2.2.2. XSS in "anmviewer.asp", "search.asp", "editarticleX.asp",
"publishers.asp" (all fields are vulnerable).
POC:
http://[URL]/xlaabsolutenm/admin/anmviewer.asp
http://[URL]/xlaabsolutenm/admin/search.asp
http://[URL]/xlaabsolutenm/admin/editarticleX.asp
http://[URL]/xlaabsolutenm/admin/publishers.asp

2.3. Absolute Banner Manager XE (ASP version) (admin)
2.3.1. SQL Injection in "searchbanners.asp".
POC:
http://[URL]/xlaabsolutebm/searchbanners.asp?orderby=[SQL INJECTION]

2.3.2. XSS in "searchbanners.asp", "listadvertisers.asp" (all fields are
vulnerable).
POC:
http://[URL]/xlaabsolutebm/admin/searchbanners.asp
http://[URL]/xlaabsolutebm/admin/listadvertisers.asp

2.4. Absolute Form Processor XE (ASP version 4.0) (admin)
2.4.1. SQL Injection in "search.asp".
POC:
http://[URL]/absolutefp/search.asp?orderby=[SQL INJECTION]

2.4.2. XSS in "search.asp", "users.asp" (all fields are vulnerable).
POC:
http://[URL]/absolutefp/admin/search.asp
http://[URL]/absolutefp/admin/users.asp

2.5. Absolute Image Gallery XE
2.5.1. SQL Injection in "gallery.asp".
POC:
http://[URL]/xlaabsoluteig/gallery.asp?action=viewimage&categoryid=[SQL INJECTION]

2.5.2. XSS in "gallery.asp", "search.asp" (all fields are vulnerable).
POC:
http://[URL]/xlaabsoluteig/admin/search.asp

2.6. Absolute Poll Manager XE (admin)
2.6.1. SQL Injection in "search.asp".
POC:
http://[URL]/xlaabsolutepm/search.asp?orderby=[SQL INJECTION]

2.6.2. XSS in "search.asp" (all fields are vulnerable).
POC:
http://[URL]/xlaabsolutepm/admin/search.asp

2.7. Absolute Control Panel XE
2.7.1. XSS in "admin/users.asp" (all fields are vulnerable).
POC:
http://[URL]/xlaabsolutecp/users.asp

####################
3. Solution:
####################
No vendor fix was available at publication (see "Fix: N/A" above). Edit the
source code so that every input is validated: use parameterised queries for
data values and, for the "orderby" parameter (which cannot be bound as a
parameter), a whitelist of permitted column names; HTML-encode any value
before it is echoed back into a page. Since nearly all of the affected pages
sit under the products' admin/ directories, restricting access to those
directories (by IP or an additional authentication layer) also limits exposure
until the code is fixed.
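The two bug classes in section 2 (an attacker-controlled "orderby" expression pasted into SQL, and a search term echoed unencoded into an admin page) next to the fix section 3 asks for, as an added example. This is not code from the advisory or from Xigla's products (which are classic ASP); it uses a constructed SQLite schema and hypothetical function names, and the boolean-based payload is there only to show why a sort expression must never be taken from the request.

```python
import html
import sqlite3

# Constructed sample data (not from the advisory): a small ticket table of the
# kind a live-support or news-manager search page would sort, plus an admin
# table holding a secret an attacker would want to read.
SAMPLE_TICKETS = [
    (1, "Login broken", "open"),
    (2, "Typo on homepage", "closed"),
    (3, "Payment failed", "open"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tickets (id INTEGER, subject TEXT, status TEXT)")
    con.executemany("INSERT INTO tickets VALUES (?, ?, ?)", SAMPLE_TICKETS)
    con.execute("CREATE TABLE admins (name TEXT, secret TEXT)")
    con.execute("INSERT INTO admins VALUES ('admin', 's3cret')")
    return con


def search_vulnerable(con, orderby):
    """CWE-89 pattern from the advisory: the orderby parameter is concatenated
    straight into the query, so any SQL expression is accepted."""
    sql = "SELECT id, subject, status FROM tickets ORDER BY " + orderby
    return [row[0] for row in con.execute(sql)]


def oracle_payload(guess):
    """Boolean-based ORDER BY injection: if the guessed first character of the
    admin secret is right the rows come back ascending, otherwise descending.
    No error message is needed; the order of the results is the oracle."""
    return (
        "(CASE WHEN (SELECT substr(secret, 1, 1) FROM admins WHERE name = 'admin')"
        " = '%s' THEN id ELSE -id END)" % guess
    )


ALLOWED_COLUMNS = ("id", "subject", "status")


def search_hardened(con, orderby, direction="ASC"):
    """A sort column cannot be passed as a bound parameter, so the safe option
    is to check the request value against a whitelist of real column names."""
    column = orderby.strip().lower()
    if column not in ALLOWED_COLUMNS:
        raise ValueError("orderby must be one of %s" % ", ".join(ALLOWED_COLUMNS))
    direction = direction.upper()
    if direction not in ("ASC", "DESC"):
        raise ValueError("direction must be ASC or DESC")
    # column and direction are now known-good literals, not user text
    sql = "SELECT id, subject, status FROM tickets ORDER BY %s %s" % (column, direction)
    return [row[0] for row in con.execute(sql)]


def render_vulnerable(term, ids):
    """CWE-79 pattern: the search term is echoed into the admin page as-is."""
    return "<p>Results for %s: %s</p>" % (term, ", ".join(str(i) for i in ids))


def render_hardened(term, ids):
    """Encode the term before writing it into HTML; quote=True also makes the
    value safe inside an attribute."""
    return "<p>Results for %s: %s</p>" % (
        html.escape(term, quote=True), ", ".join(str(i) for i in ids)
    )


if __name__ == "__main__":
    db = make_db()
    print("honest sort:     ", search_vulnerable(db, "id"))
    print("guess 's' right: ", search_vulnerable(db, oracle_payload("s")))
    print("guess 'x' wrong: ", search_vulnerable(db, oracle_payload("x")))
    try:
        search_hardened(db, oracle_payload("s"))
    except ValueError as exc:
        print("hardened rejects payload:", exc)
    print(render_vulnerable("<script>alert(1)</script>", [1]))
    print(render_hardened("<script>alert(1)</script>", [1]))
```

In the classic ASP pages the advisory covers, the equivalent of `search_hardened` is a `Select Case` over the "orderby" value that maps each accepted name to a fixed column before the SQL string is built, and the equivalent of `render_hardened` is wrapping every echoed request value in `Server.HTMLEncode`.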
####################
4. Credit :
####################
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com




References :

http://www.securityfocus.com/bid/29672
http://secunia.com/advisories/30609
http://marc.info/?l=bugtraq&m=121322052622903&w=2
http://bugreport.ir/index.php?/41



