[NT] SiteEnable XSS and SQL injection

From: SecuriTeam (support_at_securiteam.com)
Date: 04/05/05

    To: list@securiteam.com
    Date: 5 Apr 2005 08:18:28 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      SiteEnable XSS and SQL injection
    ------------------------------------------------------------------------

    SUMMARY

     SiteEnable (http://www.siteenable.com/default.asp) is "a simple content
    management, combined with powerful functionality". Two types of security
    vulnerabilities have been found in SiteEnable: one allows injecting
    arbitrary HTML and/or JavaScript, while the other allows injecting
    arbitrary SQL statements.

    DETAILS

    Cross Site Scripting:
    Due to poor filtering of the 'contenttype' variable, a remote user can
    inject arbitrary HTML and/or JavaScript into the content returned to the
    user:
    http://site/content.asp?contenttype=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    Another, more severe script injection is in the Submit a Quote page, in
    which neither the title nor the description field is filtered. This can
    affect all the visitors of the site. Anyone can inject a silent script and
    grab anyone's password or cookie.

    SQL Injection:
    The 'sortby' parameter is passed directly into the SQL string without any
    checks. The following URL can be used to determine whether you are
    vulnerable or not:
    http://site/content.asp?do_search=0&keywords=contact&page_no=2&sortby=;SELECT%20* FROM bla bla--
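
One way to close both holes, shown as an added example that is not part of the original advisory and is not SiteEnable code. The table, column names and function names are hypothetical, and Python with an in-memory SQLite database stands in for the ASP application.

```python
import html
import sqlite3

# Hypothetical sort keys and columns; SiteEnable's real schema is not in the advisory.
SORT_COLUMNS = {"title": "title", "date": "created"}
DEFAULT_SORT = "title"

def order_by_clause(sortby):
    """Map the untrusted 'sortby' value to a fixed column name.

    ORDER BY targets cannot be bound as parameters, so the value is used only
    as a dictionary key and never reaches the SQL text itself."""
    key = (sortby or "").strip().lower()
    return SORT_COLUMNS.get(key, SORT_COLUMNS[DEFAULT_SORT])

def search(conn, keywords, sortby):
    """Search with 'keywords' bound as a parameter and 'sortby' allowlisted."""
    sql = ("SELECT title FROM content WHERE body LIKE ? ORDER BY "
           + order_by_clause(sortby))
    return [row[0] for row in conn.execute(sql, ("%" + keywords + "%",))]

def render_contenttype(contenttype):
    """HTML-encode 'contenttype' before echoing it into the page."""
    return "<h1>" + html.escape(contenttype, quote=True) + "</h1>"

def demo_db():
    """Constructed sample data held in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (title TEXT, body TEXT, created TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?, ?)", [
        ("Support", "contact the help desk", "2005-03-01"),
        ("About", "contact us by mail", "2005-04-01"),
        ("News", "release notes", "2005-02-01"),
    ])
    return conn

if __name__ == "__main__":
    conn = demo_db()
    print(search(conn, "contact", "date"))
    # The advisory's test value is not a known sort key, so the default applies.
    print(search(conn, "contact", ";SELECT * FROM bla bla--"))
    print(render_contenttype("<script>alert(document.cookie)</script>"))
```

The same encoding step applies to the title and description fields of the Submit a Quote page when they are written back into a page.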

    ADDITIONAL INFORMATION

    The information has been provided by Zinho (zinho@hackerscenter.com).
