----------------------------------------------------------------
Script : DEV WMS
Type : Multiple Vulnerabilities ( Local file inclusion / Cross Site Scripting / SQL Injection )
Alert : High
----------------------------------------------------------------
Discovered by : Khashayar Fereidani (a.k.a. Dr.Crash)
My Website : HTTP://FEREIDANI.IR
Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com
----------------------------------------------------------------
Script Download : http://dev-wms.sourceforge.net/
----------------------------------------------------------------
XSS Vulnerability 1 :
Variable Sent Method : GET
Vulnerable Variable : session
Address : http://Example.com/?session=[XSS CODE]
Solution : filter session variable with htmlspecialchars() function ...
----------------------------------------------------------------
XSS Vulnerability 2 :
Variable Sent Method : POST
Vulnerable Variable : kluc
Address : http://Example.com/index.php?session=0&action=search
Change example.com to the script address on a real site, save the form as ircrash.html, open the file in a browser and see your cookie.
Solution : filter kluc variable with htmlspecialchars() function ...
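Both XSS findings share the same fix, so one added example covers them. This is illustrative PHP written for this advisory, not DEV WMS code: how DEV WMS actually echoes the session and kluc parameters is not shown here, so the markup around them is an assumption; only the parameter names come from the advisory.

```php
<?php
// Added example (not DEV WMS code): output-encode request parameters before echoing them.
// Parameter names "session" (GET) and "kluc" (POST) come from the advisory; the surrounding
// markup is assumed.

function h(string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the value is safe inside either kind of
    // attribute quoting; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern (illustrative): the raw GET parameter is reflected into markup,
// so a quote in the value closes the attribute and the rest is parsed as HTML.
function render_session_unsafe(array $get): string
{
    return '<input type="hidden" name="session" value="' . ($get['session'] ?? '') . '">';
}

// Hardened: same markup, with the value encoded on output.
function render_session_safe(array $get): string
{
    return '<input type="hidden" name="session" value="' . h($get['session'] ?? '') . '">';
}

// The POST search term "kluc" gets the same treatment wherever it is echoed back,
// e.g. into the search box and the results heading.
function render_search_safe(array $post): string
{
    $term = h($post['kluc'] ?? '');
    return '<h2>Results for ' . $term . '</h2>'
         . '<input type="text" name="kluc" value="' . $term . '">';
}

// Constructed demo input (not from the advisory), a benign tag to show the difference:
$demo = ['session' => '"><b>injected</b>'];
echo render_session_unsafe($demo), "\n"; // the quote closes the attribute; <b> becomes live markup
echo render_session_safe($demo), "\n";   // &quot;&gt;&lt;b&gt;injected&lt;/b&gt; stays inert text
```

htmlspecialchars() is the right tool only for the HTML body and quoted attribute contexts shown here; a value placed inside a <script> block, a URL or a CSS property needs a context-specific encoder instead.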
----------------------------------------------------------------
SQL Injection :
Method Of Send : GET
Vulnerable Variable : article
Address : http://Example.com/index.php?session=0&action=read&click=open&article=[SQL CODE]
Solution : Filter dangerous characters out of the article variable ...
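Filtering characters is fragile; the durable fix for the article parameter is to validate its type and bind it in a prepared statement. The following is an added example, not DEV WMS code: the table and column names and the assumption that article is a numeric id are mine, only the parameter name comes from the advisory.

```php
<?php
// Added example (not DEV WMS code): look up the "article" GET parameter with a bound value
// instead of splicing it into the SQL text. Table/column names are assumptions.

// Vulnerable pattern (illustrative): the untrusted value becomes part of the query text,
// so anything that is valid SQL in that position changes the query.
function fetch_article_unsafe(PDO $db, array $get): ?array
{
    $sql = 'SELECT id, title, body FROM articles WHERE id = ' . ($get['article'] ?? '');
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: validate the type first, then send the value separately from the query text.
function fetch_article_safe(PDO $db, array $get): ?array
{
    // Reject anything that is not a positive integer before it reaches the database.
    $id = filter_var($get['article'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Prepared statement: the bound value can never alter the query's structure.
    $stmt = $db->prepare('SELECT id, title, body FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Runnable demo on an in-memory SQLite database (constructed data; needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec("INSERT INTO articles VALUES (1, 'Hello', 'first article')");

var_dump(fetch_article_safe($db, ['article' => '1']));    // array with the row
var_dump(fetch_article_safe($db, ['article' => '1 x']));  // NULL: rejected by validation, never queried
var_dump(fetch_article_safe($db, ['article' => '99']));   // NULL: valid id, no such row
```

If article is not numeric in DEV WMS, drop the integer validation but keep the bound parameter; the binding is what removes the injection, the type check just fails bad input earlier and more cheaply.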
----------------------------------------------------------------
Local file inclusion :
Method Of Send : GET
Vulnerable Variable : step
Address : http://Example.com/admin/index.php?start=install&step=file.type%00
Solution : Validate the step variable with an if check before using it ...
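The %00 in the advisory's URL points at the classic include() pattern where the parameter picks the file and an extension is appended; an if check on the raw value is not enough if it only looks for "..". The robust form is a whitelist that maps the parameter to files the installer itself defines. This is an added example, not the DEV WMS installer: the step names, file layout and the include() pattern are assumptions, only the step parameter and the file.type%00 value come from the advisory.

```php
<?php
// Added example (not DEV WMS code): resolve the installer's "step" GET parameter through
// a whitelist instead of building an include path from it. Step names are assumptions.

// Vulnerable pattern (illustrative): the parameter names the file. On PHP builds that did not
// reject NUL bytes in paths, the byte cut off the appended ".php" (the advisory's file.type%00),
// so an arbitrary readable file could be included.
function install_step_unsafe(array $get): string
{
    return __DIR__ . '/steps/' . ($get['step'] ?? 'welcome') . '.php';
}

// Hardened: the parameter only selects among paths the application defines itself.
const INSTALL_STEPS = [
    'welcome'  => 'steps/welcome.php',
    'database' => 'steps/database.php',
    'finish'   => 'steps/finish.php',
];

function install_step_safe(array $get): ?string
{
    $step = $get['step'] ?? 'welcome';
    // is_string() rejects step[]=... array input; array_key_exists() is an exact match, so
    // path separators, NUL bytes or extensions in the value can never select a file.
    if (!is_string($step) || !array_key_exists($step, INSTALL_STEPS)) {
        return null;
    }
    return __DIR__ . '/' . INSTALL_STEPS[$step];
}

// Constructed demo input:
var_dump(install_step_safe(['step' => 'database']));   // string: <dir>/steps/database.php
var_dump(install_step_safe(['step' => "file.type\0"])); // NULL: not a defined step
var_dump(install_step_safe([]));                        // string: default welcome step

// The caller then does: $file = install_step_safe($_GET); if ($file === null) { /* 404 */ } else { include $file; }
```

A rejected value should end the request with an error page rather than fall back silently; logging the rejected step value (encoded, see the XSS notes above) also gives a cheap detection signal for probing of the installer.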
----------------------------------------------------------------
Tnx : God
HTTP://IRCRASH.COM
----------------------------------------------------------------