Exploit Title: Esoftpro Online Contact Manager Multiple Vulnerability Vendor url:http://www.esoftpro.com/ Version:3 Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com] Published: 2010-07-4 Greetz to:r0073r (inj3ct0r.com), Sid3^effects, MaYur, MA1201, Sonic Bluehat, Sai, KD, M4n0j. Special Greetz: Topsecure.net, inj3ct0r Team ,Andhrahackers.com Shoutzz:- To all ICW members. ~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~ Description: Online Contact Manager (formerly known as EContact PRO) is an ultimate online database system that allows you to store and retrieve contact information anywhere - anytime! You'll also be able to easily send emails to contacts with the built-in email client. Online Contact Manager features Sorting, Mass Emails, Group Support, MS Outlook Synchronization, Birthday Reminder, Data Export (CSV/TAB/HTML), Preference Control, Full Data Manipulation Interfaces, 30+ Customizable Fields and much more. There is also specially designed PDA interface allows you to use Online Contact Manager through your PDA/Cell. With Online Contact Manager :- * Your company can store, share and retrieve all employees info in one centralized database * You can retrieve clients information while you are not in office * You will remember all your friends' birthday * Your organization or community members can retrieve other memebers' information. * You can send emails to your friends no matter what computer you are using. * You can export data into CSV (for opening with MS Excel), HTML (for publishing as web pages) and TXT (for importing to all kinds of databases) for other applications like Outlook Express, MS Excel and FileMaker etc. * You can send emails to All Contacts or to a Particular Group of Contacts with One Mouse Click. (Emails will be sent out separately for each recipient by the system automatically) ~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~ Vulnerability: *SQL Vulnerability DEMO URL: http://server/OCM/view.php?id=[sqli] *XSS Vulnerability DEMO URL : http://server/OCM/view.php?id=[xss] *HTML Injection DEMO URL: http://server/OCM/view.php?id=[html] # 0day n0 m0re # # L0rd CrusAd3r # -- With R3gards, L0rd CrusAd3r