XSS bugs and SQL injection in sNews

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XSS bugs and SQL injection in sNews
From: Alexander Hristov <joffer@xxxxxxxxx>
Date: Tue, 14 Feb 2006 18:25:13 +0200
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=kDdA4IqrmJoQwBZ4NZNcQlKqEL10kPBMU+s3L+ERLpn17BExM3YCVzixkRk0bpeExJOBITrlXTVp+lPXy6YSHM9qipDPdw48EJx4cLKkfWv4BqsL1SU+xv7BNWSvjWcGkgJl4zXQIf9zPhT5DGUWOuvoXGEI4TcyGu6asKZg9G4=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Official page : http://www.solucija.com/home/snews/

XSS in comments :

just post some comment with <script>alert('XSS TEST by
securitydot.net');</script>
                        
FIX : put this on 423 line
$r = str_replace ("<","&lt",$r);
                $r = str_replace (">","&lg",$r);

Injection through categories : index.php?category=1%20or%201=2

FIX : put this on 313 line
if (ereg('^[0-9]*$' , $category))

Injection through id : index.php?id=0%20or%201=2

FIX : put this on 175 line
if (ereg('^[0-9]*$' , $id)) {

--
Securitydot.net
joffer and DrFrancky

Prev by Date: [ GLSA 200602-06 ] ImageMagick: Format string vulnerability
Next by Date: memory leak in IE?
Previous by thread: [ GLSA 200602-06 ] ImageMagick: Format string vulnerability
Next by thread: memory leak in IE?
Index(es):
- Date
- Thread