PGAUTOPro - SQL Injection / Cross-Site Scripting (2)

EDB-ID:

34110

CVE:

N/A




Platform:

PHP

Date:

2010-06-09


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

source: https://www.securityfocus.com/bid/40664/info

PG Auto Pro is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

The following example URIs are available:

SQL Injection

http://www.example.com/vehicle/buy_do_search/?order_direction=DESC&&status=1&form_gid=vehicle_user_quick_search_new&back_module=vehicle%2Fbuy_do_search&page=[SQL Injection]

Cross Site Scripting

http://www.example.com/vehicle/buy_do_search/?order_direction=[XSS]