[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Multiple vulnerabilities in chCounter <= 3.1.3
- To: Soporte CERT <soporte@xxxxxxxxxxxxxxxx>
- Subject: Re: Multiple vulnerabilities in chCounter <= 3.1.3
- From: security curmudgeon <jericho@xxxxxxxxxxxxx>
- Date: Tue, 5 Apr 2011 20:08:45 -0500 (CDT)
: Multiple vulnerabilities were found in web application chCounter <= 3.1.3.
:
: Author:
: - Matias Fontanini(mfontanini@xxxxxxxxxxxxxxxx).
:
: Requirements:
: - Downloads must be enabled(this is not default).
: - magic_quotes off.
: - Access to administration site
That is a lot of prerequisites..
: =SQLInjection=
: Location: administration/index.php?cat=downloads&edit=
: Affected parameters: anzahl
: Method: POST
: Severity: High
: Description: When accessing
: administration/index.php?cat=downloads&edit=VALID_ID
: and using a valid download id, an attacker is able to manipulate the
: "anzahl" parameter to perform queries which only involve returning an integer.
: The query output will be sent back to the client in the "anzahl" text input.
: Exploit: An attacker could perform repeated crafted requests to retrieve
: any database records for which the user has access.
"retrieve any database record for which the user has access"
This does not sound like it is crossing any privilege boundaries then. Can
you elaborate on how this is a vulnerability versus a clever / unintended
method for accessing the information? Could you then justify giving this a
"High" severity, especially after the requirements you list?