Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: b06-2908.htm

CS-Forum <= 0.81 Cross Site Scripting, SQL Injection, Full Path Disclosure



CS-Forum <= 0.81 Cross Site Scripting, SQL Injection, Full Path Disclosure
CS-Forum <= 0.81 Cross Site Scripting, SQL Injection, Full Path Disclosure



Cross Site Scripting=0D
********************=0D
http://[...]/read.php?msg_result=[XSS]=0D 
[XSS]=0D">http://[...]/read.php?rep_titre=">[XSS]=0D 
Cookies: CSForum_nom=">[XSS]; CSForum_mail=">[XSS]; CSForum_url=">[XSS]=0D
=0D
SQL Injection=0D
*************=0D
http://[...]/read.php?id=1'[SQL_SELECT]&debut=[SQL_LIMIT]=0D 
http://[...]/index.php?search=%'[SQL_SELECT]%23=0D 
http://[...]/index.php?debut=1[SQL] //Digit -> Without quote=0D 
=0D
Full Path Disclosure =0D
********************=0D
http://[...]/index.php?readall=&collapse[]= //setcookie()=0D 
=0D
=0D
Solution=0D
********=0D
SQL Injection => addslashes() / intval()=0D
Cross Site Scripting => htmlentities()=0D
Full Path Disclosure => is_string()=0D
=0D
=0D
Credits=0D
*******=0D
by DarkFig -- http://www.acid-root.new.fr/advisories/csforum081.txt=0D 
=0D
=0D
Changelog=0D
*********=0D
[06-06-11] -- Vendor contacted


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH