[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Multiple vulnerabilities in chCounter <= 3.1.3



: Multiple vulnerabilities were found in web application chCounter <= 3.1.3.
: 
: Author:
: - Matias Fontanini(mfontanini@xxxxxxxxxxxxxxxx).
: 
: Requirements:
: - Downloads must be enabled(this is not default).
: - magic_quotes off.
: - Access to administration site

That is a lot of prerequisites..

: =SQLInjection=
: Location: administration/index.php?cat=downloads&edit=
: Affected parameters: anzahl
: Method: POST
: Severity: High
: Description: When accessing
: administration/index.php?cat=downloads&edit=VALID_ID
: and using a valid download id, an attacker is able to manipulate the
: "anzahl" parameter to perform queries which only involve returning an integer.
: The query output will be sent back to the client in the "anzahl" text input.
: Exploit: An attacker could perform repeated crafted requests to retrieve
: any database records for which the user has access.

"retrieve any database record for which the user has access"

This does not sound like it is crossing any privilege boundaries then. Can 
you elaborate on how this is a vulnerability versus a clever / unintended 
method for accessing the information? Could you then justify giving this a 
"High" severity, especially after the requirements you list?