Date: Thu, 18 Nov 2010 10:19:06 -0300
From: Soporte CERT <soporte@...t.unlp.edu.ar>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in chCounter <= 3.1.3

Multiple vulnerabilities were found in web application chCounter <= 3.1.3.

Author:
- Matias Fontanini(mfontanini@...t.unlp.edu.ar).

Requirements:
- Downloads must be enabled(this is not default).
- magic_quotes off.
- Access to administration site

=SQLInjection=
Location: administration/index.php?cat=downloads&edit=
Affected parameters: anzahl
Method: POST
Severity: High
Description: When accessing
administration/index.php?cat=downloads&edit=VALID_ID
and using a valid download id, an attacker is able to manipulate the
"anzahl"
parameter to perform queries which only involve returning an integer.
The query
output will be sent back to the client in the "anzahl" text input.
Exploit: An attacker could perform repeated crafted requests to retrieve
any
database records for which the user has access.
Proof of concept: see attached file "chcounter.py"

=XSS=
Location: administration/index.php?cat=downloads&edit=
Affected parameters: anzahl and wert
Method: POST
Severity: Low
Description: When accessing
administration/index.php?cat=downloads&edit=VALID_ID
and using a valid download id, an attacker is able to insert html tags
in the "wert"
parameter. Once the attacker has done that, manupulating "anzahl"
parameter so that
the result sql query is malformed will result in the injected code being
parsed by the
web browser.
Proof of concept: use parameter wert=<script>alert(1);</script>. After
that, use
anzahl=XXX


View attachment "chcounter.py" of type "text/x-python" (9730 bytes)

Powered by blists - more mailing lists