Re: [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05)

deluxe_at_security-project.org
Date: 05/19/05

  • Next message: Ricky Latt: "JavaMail Information Disclosure (msgno)"
    Date: 19 May 2005 11:57:11 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <200505172151.j4HLpThM004829@linus.mitre.org>

    >>Cross Site Scripting:
    >>-------------------------
    >>You can abuse the SQL-Injections for XSS attacks.
    >
    >Does this occur because the XSS-style attacks are being injected into
    >SQL queries, which then generate errors because the queries are
    >malformed, and then PHP blindly reflects the malformed query back to
    >the user without quoting XSS-relevant characters? That would seem to
    >be more of a problem with the application's runtime environment
    >(i.e. PHP) than JGS-Portal itself.

    Try the following link:
    /jgs_portal_statistik.php?meinaction=mitglieder&month=1&year=1&lt;script&gt;alert(document.cookie);&lt;/script&gt;

    JGS-Portal doesn't report an error and the year parameter is passed unfiltered. This is definitively the problem of JGS-Portal.

    If a SQL-error occurs and the error message contains Cross Site Scripting code, than you're completely right.

    Regards,
    deluxe


  • Next message: Ricky Latt: "JavaMail Information Disclosure (msgno)"