Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    SQL Buddy 1.3.3
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:      nom@deliciousbrains.com
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  08/18/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability via the "requestKey" GET parameter in SQL Buddy
1.3.3. With this, it is possible to steal cookies or inject JavaScript
keyloggers.

Please note that the POC only works if the victim is not logged in.

3. Proof of Concept


http://localhost/sqlbuddy/index.php?ajaxRequest=1&requestKey="></script><script>alert(1)</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

08/18/2015 Informed Vendor about Issue (no reply)
09/16/2015 Reminded Vendor of release date (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/SQL-Buddy-133-XSS-60.html