Vendor: Zeeways Adserver
By: Valentin Hoebel
CVSS: 7.5 (HIGH)
Type: SQL Injection, Cross-Site Request Forgery, Local Installation Path Disclosure
CWE: 89, 352, 200
Product Name: Zeeways Adserver
Affected Version From: all
Affected Version To: all
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Date: 2010

Zeeways Adserver Multiple Vulnerabilities

Multiple scripts and multiple parameters are affected by these vulnerabilities.

SQL Injection. Example #1: index.php?section=redir&affid=0&kid=0&zid=[SQL Injection]. Example #2: visit the 'register' page index.php?section=user&action=register and enter your SQLi string into the email field. Fill out the other fields with ordinary values (such as test) and view the result.

Cross-Site Request Forgery: visit the 'register' page index.php?section=user&action=register and enter your CSRF string into the email field. Fill out the other fields with ordinary values (such as test) and view the result.

Local Installation Path Disclosure: visit index.php?section=doc&action= and supply a value for the action parameter, for example index.php?section=doc&action=test. Varying both the section and action parameters shows that a local file inclusion is not possible, but the resulting error message reveals the local installation path.

Mitigation:

Ensure that all user input is properly validated and sanitized. Use parameterized queries to prevent SQL injection attacks. Use a web application firewall to detect and block malicious requests. Implement a secure authentication mechanism and protect state-changing requests such as registration against CSRF attacks. Ensure that the application does not disclose sensitive information, such as the local installation path in error messages.
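The following is an added example of how the three mitigations above look in PHP code; it is not Zeeways Adserver's own code. The DSN, credentials, table and column names (zones, users, zone_id, affiliate_id, keyword_id, target_url, password_hash) and the section/action whitelist are assumptions chosen for illustration. It goes slightly beyond the advisory by routing section and action through a whitelist, which also closes off the error-message path disclosure.

```php
<?php
// Added example (not Zeeways Adserver code). All table, column and DSN
// values below are assumptions made for illustration.
declare(strict_types=1);
session_start();

// Path disclosure mitigation: never render PHP warnings (which include the
// installation path) to the client; log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function db(): PDO
{
    // Assumed DSN and credentials; ERRMODE_EXCEPTION avoids silent failures
    // and EMULATE_PREPARES=false sends real server-side prepared statements.
    return new PDO('mysql:host=localhost;dbname=adserver', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

// SQL injection mitigation for section=redir. The vulnerable pattern builds
// the query by string concatenation of $_GET['zid'] and friends; here each
// parameter is validated as a non-negative integer and bound by PDO.
function redirectTarget(PDO $pdo, array $query): ?string
{
    $opts = ['options' => ['min_range' => 0]];
    $zid   = filter_var($query['zid']   ?? null, FILTER_VALIDATE_INT, $opts);
    $affid = filter_var($query['affid'] ?? null, FILTER_VALIDATE_INT, $opts);
    $kid   = filter_var($query['kid']   ?? null, FILTER_VALIDATE_INT, $opts);
    if ($zid === false || $affid === false || $kid === false) {
        return null; // reject anything that is not a plain integer
    }
    $stmt = $pdo->prepare(
        'SELECT target_url FROM zones
          WHERE zone_id = :zid AND affiliate_id = :affid AND keyword_id = :kid'
    );
    $stmt->execute([':zid' => $zid, ':affid' => $affid, ':kid' => $kid]);
    $url = $stmt->fetchColumn();
    return $url === false ? null : (string) $url;
}

// CSRF mitigation: a per-session random token is embedded in the register
// form and must be echoed back on submission.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted); // constant-time compare
}

function registerFormHtml(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php?section=user&amp;action=register">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="email" name="email"><input type="password" name="password">'
         . '<button type="submit">Register</button></form>';
}

// Registration handler: CSRF check first, then input validation, then a
// parameterized INSERT so the email field can no longer carry SQL.
function registerUser(PDO $pdo, array $post): string
{
    if (!csrfValid($post['csrf_token'] ?? null)) {
        return 'csrf-rejected';
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return 'invalid-email';
    }
    $hash = password_hash((string) ($post['password'] ?? ''), PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
    return 'ok';
}

// Dispatcher: section/action are matched against a whitelist (assumed values)
// instead of being used to build include paths or reflected into errors, so an
// unknown combination yields a generic 404 rather than a path-revealing notice.
$allowed = ['doc' => ['view', 'list'], 'user' => ['register'], 'redir' => ['go']];
$section = (string) ($_GET['section'] ?? '');
$action  = (string) ($_GET['action']  ?? '');
if (!isset($allowed[$section]) || !in_array($action, $allowed[$section], true)) {
    http_response_code(404);
    exit('Not found');
}
```

The order inside registerUser matters: the CSRF check runs before any other processing so a forged request never reaches validation or the database, and the email is validated with FILTER_VALIDATE_EMAIL before it is bound, which is defence in depth rather than the primary control; the prepared statement is what actually prevents the injection.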
Source: Exploit-DB