[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] SQL Buddy 1.3.3: XSS

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] SQL Buddy 1.3.3: XSS
From: "Curesec Research Team (CRT)" <crt@xxxxxxxxxxx>
Date: Fri, 30 Oct 2015 10:38:00 +0100

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    SQL Buddy 1.3.3
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:      nom@xxxxxxxxxxxxxxxxxxx
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  08/18/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability via the "requestKey" GET parameter in SQL Buddy
1.3.3. With this, it is possible to steal cookies or inject JavaScript
keyloggers.

Please note that the POC only works if the victim is not logged in.

3. Proof of Concept


http://localhost/sqlbuddy/index.php?ajaxRequest=1&requestKey=";></script><script>alert(1)</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

08/18/2015 Informed Vendor about Issue (no reply)
09/16/2015 Reminded Vendor of release date (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/SQL-Buddy-133-XSS-60.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] SQL Buddy 1.3.3: CSRF
Next by Date: [FD] Chyrp CMS 2.5.2: XSS
Previous by thread: [FD] SQL Buddy 1.3.3: CSRF
Next by thread: [FD] Chyrp CMS 2.5.2: XSS
Index(es):
- Date
- Thread