Re: [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05)
From: <deluxe@xxxxxxxxxxxxxxxxxxxx>
Date: 19 May 2005 11:57:11 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <200505172151.j4HLpThM004829@xxxxxxxxxxxxxxx>

>>Cross Site Scripting:
>>-------------------------
>>You can abuse the SQL-Injections for XSS attacks.
>
>Does this occur because the XSS-style attacks are being injected into
>SQL queries, which then generate errors because the queries are
>malformed, and then PHP blindly reflects the malformed query back to
>the user without quoting XSS-relevant characters?  That would seem to
>be more of a problem with the application's runtime environment
>(i.e. PHP) than JGS-Portal itself.

Try the following link:
/jgs_portal_statistik.php?meinaction=mitglieder&month=1&year=1&lt;script&gt;alert(document.cookie);&lt;/script&gt;

JGS-Portal doesn't report an error and the year parameter is passed unfiltered. 
This is definitively the problem of JGS-Portal.


If a SQL-error occurs and the error message contains Cross Site Scripting code, 
than you're completely right.


Regards,
deluxe

Prev by Date: [ GLSA 200505-14 ] Cheetah: Untrusted module search path
Next by Date: JavaMail Information Disclosure (msgno)
Previous by thread: [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05)
Next by thread: cdrdao exploit for mandrake 10.2 ( Mandriva 2005)
Index(es):
- Date
- Thread