Date: 21 Nov 2006 20:12:50 -0000
From: [email protected]
To: [email protected]Subject: JiRos Links Manager[injection sql & xss permanent]
X-Virus-Scanned: antivirus-gw at tyumen.ru
vendor site:http://www.jiros.net/
product:JiRos Links Manager
bug: injection sql & xss
risk : medium
injection sql:
/openlink.asp?LinkID='[sql]
/viewlinks.asp?CategoryID='[sql]
xss permanent (post):
in: /submitlink.asp
-Link Name:
-Link URL:
-Link Image:
-Link Description:
those xss are really dangerous , because an admin need to approuve the link
so he gone get his cookie stealed direcly when he log into the administration panel
laurent gaffiИ & benjamin mossИ
http://s-a-p.ca/
contact: [email protected]
